The present application is directed to a host-based intrusion detection system (IDS) for HP-UX that enhances local host-level security within the network. It should be understood that the present invention is also usable on other operating systems, for example Linux, Solaris, AIX and Windows 2000. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.
RELATED APPLICATION
The present application claims priority of U.S. Provisional Application Ser. No. 60/210,922, filed Jun. 12, 2000, entitled "SYSTEM AND METHOD FOR HOST AND NETWORK BASED INTRUSION DETECTION AND RESPONSE", the disclosure of which is incorporated by reference herein in its entirety.
The present application is related to patent application entitled "SYSTEM AND METHOD FOR HOST AND NETWORK BASED INTRUSION DETECTION AND RESPONSE" and assigned to the instant assignee and filed on even date herewith and is hereby incorporated by reference into this specification in its entirety.
An alert transmission apparatus for policy-based intrusion detection and response has a central policy server (CPS) and an intrusion detection and response system (IDRS). In the CPS, a policy management tool generates security policy information and stores it in a policy repository. A COPS-IDR server sends the security policy information to the IDRS and passes each IDMEF-XML-type alert transmission message received from the IDRS to a high-level module. An IDMEF-XML message parsing and translation module parses and translates the IDMEF-XML-type alert transmission message and either stores it in an alert DB or provides it to an alert viewer. In the IDRS, an intrusion detection module detects an intrusion and an intrusion response module responds to it. An IDMEF-XML message building module generates an IDMEF-XML alert message and provides it to a COPS-IDR client, which generates the IDMEF-XML-type alert transmission message and sends it to the CPS.
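The two IDMEF modules of the apparatus, as an added example that is not the apparatus's own code: the IDRS side serialises an IDMEF-XML alert, the CPS side parses and translates it and stores it in an alert DB. It assumes the IDMEF element layout of RFC 4765 (an IDMEF-Message root with one Alert carrying Analyzer, CreateTime, Source, Target and Classification); the message id, analyzer id, addresses and the in-memory SQLite table standing in for the alert DB are constructed for the example, and the COPS-IDR transport between client and server is not modelled.

```python
"""Build, parse and store an IDMEF-XML alert message (added example, not the apparatus's code).

Assumes the RFC 4765 IDMEF layout. The analyzer id, the addresses and the
in-memory SQLite alert DB are constructed for this example.
"""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
ET.register_namespace("idmef", IDMEF_NS)


def _tag(name):
    return "{%s}%s" % (IDMEF_NS, name)


def _add_node(parent, ip):
    """Source/Target -> Node -> Address(category=ipv4-addr) -> address."""
    node = ET.SubElement(parent, _tag("Node"))
    addr = ET.SubElement(node, _tag("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, _tag("address")).text = ip


def build_alert(message_id, analyzer_id, src_ip, dst_ip, dst_port, classification, created=None):
    """IDMEF-XML message building module (IDRS side): serialise one Alert as bytes."""
    created = created or datetime.now(timezone.utc)
    root = ET.Element(_tag("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, _tag("Alert"), {"messageid": message_id})
    ET.SubElement(alert, _tag("Analyzer"), {"analyzerid": analyzer_id})
    ET.SubElement(alert, _tag("CreateTime")).text = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    _add_node(ET.SubElement(alert, _tag("Source")), src_ip)
    target = ET.SubElement(alert, _tag("Target"))
    _add_node(target, dst_ip)
    ET.SubElement(ET.SubElement(target, _tag("Service")), _tag("port")).text = str(dst_port)
    ET.SubElement(alert, _tag("Classification"), {"text": classification})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_alert(xml_bytes):
    """IDMEF-XML message parsing and translation module (CPS side): flatten the Alert to a dict."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _tag("IDMEF-Message"):
        raise ValueError("not an IDMEF-Message")
    alert = root.find("idmef:Alert", NS)
    if alert is None or not alert.get("messageid"):
        raise ValueError("Alert with messageid required")

    def text(path):
        el = alert.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    analyzer = alert.find("idmef:Analyzer", NS)
    classification = alert.find("idmef:Classification", NS)
    port = text("idmef:Target/idmef:Service/idmef:port")
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": analyzer.get("analyzerid") if analyzer is not None else None,
        "create_time": text("idmef:CreateTime"),
        "src": text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "dst": text("idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "dst_port": int(port) if port is not None else None,
        "classification": classification.get("text") if classification is not None else None,
    }


def open_alert_db():
    """Alert DB stand-in: an in-memory SQLite table (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE alerts (
        messageid TEXT PRIMARY KEY, analyzerid TEXT, create_time TEXT,
        src TEXT, dst TEXT, dst_port INTEGER, classification TEXT)""")
    return db


def store_alert(db, rec):
    """Insert a parsed alert; the PRIMARY KEY on messageid rejects a replayed message."""
    db.execute("INSERT INTO alerts VALUES (:messageid, :analyzerid, :create_time,"
               " :src, :dst, :dst_port, :classification)", rec)
    db.commit()
    return db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


def demo():
    """IDRS builds an alert, CPS parses and stores it (constructed values)."""
    msg = build_alert("ids-0001", "hostids-edge01", "10.0.0.5", "10.0.0.9", 23,
                      "Telnet brute force", created=datetime(2000, 6, 12, tzinfo=timezone.utc))
    db = open_alert_db()
    rec = parse_alert(msg)
    count = store_alert(db, rec)
    return rec, count
```

The parser rejects anything that is not an IDMEF-Message with a messageid, and the primary key makes a replayed alert fail the insert instead of being counted twice. Because the CPS parses XML produced by a remote party, an untrusted feed should additionally be size-limited and parsed with an entity-expansion-safe parser such as defusedxml; ElementTree still expands internal entities.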
Provided is an in-context security advisor that unifies computer system security, and generally improves computer system security by proactively and reactively monitoring for changes to security settings made by users and programs. By operating in real time, advice comprising meaningful feedback is given for any intrusion, thus giving a user the proper context about the consequences of changes to security settings that negatively affect the level of protection on computer systems, and allowing automated correction. Files can also be monitored, e.g., to prevent certain files from being remotely accessed or transmitted. The security advisor may adjust its operation based on user preferences, policy information, and via a connection to a remote source such as a backend server. The security advisor can also output security-related information, such as to a log and/or to components that evaluate the overall health of the machine.
The present invention monitors a user-specified set of files for successful attempts to change their content. Templates are used to monitor user-specified directories (with exclusion rules) for successful attempts to change file content or to add or delete files.
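One way to implement the file and template monitoring just described, as an added example that is not the invention's own code: each template names a directory plus exclusion rules (fnmatch patterns over the path relative to the template root), a baseline of SHA-256 digests is taken over the templates and the individually listed files, and a later snapshot is compared against it to classify modified, added and deleted files. The sample tree, its contents, the template and the file list are constructed for the example.

```python
"""Directory integrity monitoring with templates and exclusion rules (added example).

The template format, the digest baseline and the temporary sample tree are
constructed for this example; they are not the invention's implementation.
"""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Template:
    """One monitored directory: every regular file beneath root unless an exclusion rule matches."""
    root: str
    exclude: list = field(default_factory=list)   # fnmatch patterns on the path relative to root

    def excluded(self, relpath):
        return any(fnmatch.fnmatch(relpath, pat) for pat in self.exclude)


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(templates, files=()):
    """Map every monitored path to its SHA-256 digest (used for both baseline and current state)."""
    state = {}
    for t in templates:
        for dirpath, _dirs, names in os.walk(t.root):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, t.root)
                if t.excluded(rel) or os.path.islink(full):
                    continue
                state[full] = _digest(full)
    for path in files:                  # the user-specified set of individual files
        if os.path.isfile(path):
            state[path] = _digest(path)
    return state


def compare(baseline, current):
    """Classify successful changes: content modified, file added, file deleted."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    with open(os.path.join(root, rel), "w") as f:
        f.write(data)


def demo():
    """Build a constructed sample tree, baseline it, change it, and report relative paths."""
    root = tempfile.mkdtemp(prefix="fim-")
    for d in ("etc", "etc/cache", "logs"):
        os.makedirs(os.path.join(root, d))
    _write(root, "etc/passwd", "root:x:0:0:root:/:/sbin/sh\n")
    _write(root, "etc/inetd.conf", "telnet stream tcp nowait root /usr/lbin/telnetd telnetd\n")
    _write(root, "etc/cache/session", "s1\n")
    _write(root, "motd", "Authorised use only.\n")
    _write(root, "logs/app.log", "line 1\n")

    templates = [Template(os.path.join(root, "etc"), exclude=["*.tmp", "cache/*"])]
    files = [os.path.join(root, "motd")]
    baseline = snapshot(templates, files)

    _write(root, "etc/passwd", "root:x:0:0:root:/:/sbin/sh\nbd:x:0:0::/:/sbin/sh\n")  # modified
    _write(root, "etc/hosts.equiv", "+ +\n")                                          # added
    os.remove(os.path.join(root, "etc/inetd.conf"))                                    # deleted
    _write(root, "etc/scratch.tmp", "x")                                               # excluded by *.tmp
    _write(root, "etc/cache/session", "s2\n")                                          # excluded by cache/*
    _write(root, "logs/app.log", "line 1\nline 2\n")                                   # not monitored at all

    report = compare(baseline, snapshot(templates, files))
    return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}
```

The baseline must be stored somewhere the monitored host cannot silently rewrite, otherwise an intruder who changes a file can re-baseline it; content-only hashing also misses ownership, mode and symlink-swap changes, which a production checker should record alongside the digest.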
When mail server 31 and mail server 32 are in a failover state, switches 21, 22 select communication paths E and F. A temporary save server 50 stores, in a disk storage 60, email received from a mail reception server 10 during the failover. After the failover completes, it transmits each email stored in disk storage 60, together with a write request for a disk storage 40, to the mail server (e.g., mail server 32) that has been switched to function as the primary system. Mail server 32, upon receiving an email and a write request from temporary save server 50, stores the received email in disk storage 40 to update the stored content.
Systems and methods for denying access to a data processing system by an intruder are provided. Input/output (I/O) on the intruder's connection may be taken over and responses mimicking a local terminal session passed back. On an attempted reconnect by the intruder, the user name and password used by the intruder to access the system may be captured. The password may then be changed on the edge system and the intruder's terminal session disconnected; alternatively, the intruder's activity may continue to be logged.
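A decoy session of the kind described, as an added example that is not the patent's implementation: the session takes over the intruder's input, records the user name and password offered at the login prompt, and then either rotates that account's password on the edge system and drops the connection, or keeps answering like a local shell while logging every command. The prompts, the canned command output, the in-memory account store standing in for the edge system and the intruder's input lines are all constructed for the example.

```python
"""Decoy terminal session that captures an intruder's credentials (added example).

The banner, canned command output, the in-memory account store standing in for
the edge system and the intruder's input are constructed for this example.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000


@dataclass
class EdgeSystem:
    """Stand-in for the edge host's account database (constructed)."""
    users: dict = field(default_factory=dict)   # username -> salt || PBKDF2-HMAC-SHA256 digest

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def check(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec[:16], rec[16:]
        return secrets.compare_digest(
            digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


@dataclass
class DecoySession:
    """Takes over the intruder's I/O and answers like a local terminal while logging."""
    edge: EdgeSystem
    rotate_password: bool = True      # False: keep the intruder talking and log everything
    state: str = "login"
    username: str = ""
    connected: bool = True
    captured: list = field(default_factory=list)   # (user, password) pairs the intruder offered
    log: list = field(default_factory=list)        # (state, raw line) transcript

    FAKE_RESPONSES = {   # canned output (constructed) so the decoy looks like a real shell
        "id": "uid=1001(oracle) gid=100(users)\r\n",
        "uname": "HP-UX edge01 B.11.00 U 9000/800\r\n",
        "ls": "bin  etc  home  opt  tmp  usr  var\r\n",
    }

    def banner(self):
        return "\r\nHP-UX edge01 B.11.00 U 9000/800 (ta)\r\n\r\nlogin: "

    def feed(self, line):
        """Consume one line from the intruder; return the text sent back, or None once disconnected."""
        if not self.connected:
            return None
        self.log.append((self.state, line))
        if self.state == "login":
            self.username = line.strip()
            self.state = "password"
            return "Password: "
        if self.state == "password":
            self.captured.append((self.username, line))
            if self.rotate_password:
                # Lock out the reconnecting intruder: replace the abused account's password
                # with a random one on the edge system and cut the session.
                if self.username in self.edge.users:
                    self.edge.set_password(self.username, secrets.token_urlsafe(24))
                self.connected = False
                return "Connection closed by foreign host.\r\n"
            self.state = "shell"
            return "Last login: Mon Jun 12 09:14:02 2000 from 10.0.0.5\r\n$ "
        # shell state: mimic command output and keep logging
        cmd = line.strip().split()[0] if line.strip() else ""
        if cmd == "exit":
            self.connected = False
            return "logout\r\n"
        return self.FAKE_RESPONSES.get(cmd, "sh: %s: not found\r\n" % cmd) + "$ "


def demo(rotate=True):
    """Replay a constructed intruder session against the decoy in either mode."""
    edge = EdgeSystem()
    edge.set_password("oracle", "tiger")            # the credential the intruder is reusing
    sess = DecoySession(edge, rotate_password=rotate)
    responses = [sess.feed(line) for line in ["oracle", "tiger", "id", "uname", "exit"]]
    return {
        "captured": sess.captured,
        "stolen_password_still_valid": edge.check("oracle", "tiger"),
        "connected": sess.connected,
        "shell_commands_logged": [l for s, l in sess.log if s == "shell"],
        "responses": responses,
    }
```

Both modes leave a transcript with the captured credential in it, so the log store needs the same access control as the account database; rotating the password also locks out the account's legitimate owner, who has to be told through a channel the intruder does not control.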