A method and apparatus is disclosed for improving the security of computer networks
by providing a means operating passively on the network for detecting, reporting
and responding to intruders. The system is comprised of a plurality of intruder
sensor client computers and associated event correlation engines. Resident in the
memory of the client computer and operating in the background is a Tactical Internet
Device Protection (TIDP) component consisting of a passive intruder detector and
a security Management Information Base (MIB). The passive intruder detector component
of the TIDP passively monitors operations performed on the client computer and
emits a Simple Network Management Protocol (SNMP) trap to an event correlation
engine when it identifies a suspected intruder. The event correlation engine, through
the use of a behavior model loaded in its memory, determines whether the user's
activities are innocent or those of a perspective intruder. When the event correlation
engine is unable to classify a user based on a single trap message, it can request
historical information from the security MIB, a database of the operating history
of the client computer including a chronology of the illegal operations performed
on the client. Once the event correlation engine determines that an intruder is
located at an associated client workstation, it generates a status message and
transmits the message to all of its subscribers, informing them of the presence
and location of a suspected intruder.
