US 20030110392A1

(19) United States
(12) Patent Application Publication
Aucsmith et al.

(10) Pub. No.: US 2003/0110392 A1
(43) Pub. Date: Jun. 12, 2003

(54) DETECTING INTRUSIONS

(76) Inventors: David W. Aucsmith, Portland, OR (US);
John W. Richardson, Portland, OR (US)

Correspondence Address:
FISH & RICHARDSON, PC
4350 LA JOLLA VILLAGE DRIVE
SUITE 500
SAN DIEGO, CA 92122 (US)

(21) Appl. No.: 10/010,743

(22) Filed: Dec. 6, 2001

Publication Classification

(51) Int. Cl.7: H04L 9/00
(52) U.S. Cl.: 713/200

(57) ABSTRACT

Detecting intrusions includes detecting a possible security
problem at a client location, transmitting notice of the
possible security problem across a network in real time to a
home location remotely located from the client location,
determining at the home location an anomaly based on at
least the possible security problem, and transmitting notice
of the anomaly in real time to the client location.

[Front-page figure: the FIG. 2 flowchart of process 200 (steps 202 through 230), reproduced in full on Sheet 2 of 6.]

Commerce Bancshares, Inc., et al.
Exhibit 1004
Page 1

Patent Application Publication   Jun. 12, 2003   Sheet 1 of 6   US 2003/0110392 A1

[FIG. 1: block diagram of network configuration 100 (drawing not reproduced). Labels legible in the drawing: 100, client terminal 102(N-1), agent 106(1), Corporate Network 110, Firewall, 114, 118, 120, Network Operations Center.]

Patent Application Publication   Jun. 12, 2003   Sheet 2 of 6   US 2003/0110392 A1

FIG. 2 (flowchart of process 200):
  202  Client runs agent
  204  Information arrives at client
  206  Agent detect known anomaly?
         No  -> 208: agent returns to 204
         Yes -> 210
  210  Agent reports anomaly to server
  212  Agent returns to 204
  214  Server determine actual anomaly?
         No  -> 216: Server logs anomaly -> 218: End
         Yes -> 220
  220  Server logs actual anomaly
  222  Server sends intrusion update to clients
  224  Server modifies settings at client's firewall
  226  Server attempts to address anomaly
  228  Server sends remedy update to clients
  230  Server follows up on intruder

Patent Application Publication   Jun. 12, 2003   Sheet 3 of 6   US 2003/0110392 A1

[FIG. 3: block diagram of client setup 300 (drawing not reproduced). Labels legible in the drawing: Core 302 containing Application Monitor 308, Firewall 310 and Intrusion Detection 312; Enhancements 304; Management 306; Local Coordinator; Local User Interface; Network Management Substrate; Vulnerability Scanner; Traffic Recorder; Evidence Packager; Trojan and Process blocks; further reference numerals 316, 318, 320, 322, 324, 326 and 330.]

Patent Application Publication   Jun. 12, 2003   Sheet 4 of 6   US 2003/0110392 A1

[FIG. 4: block diagram of network configuration 400 (drawing not reproduced). Labels legible in the drawing: network 108, Virtual Private Network 114, Client 102, Applications 414(1) through 414(Y-1) and 414(Y), Application Monitor, Packet Filter, Firewall, Packet Recorder, Anomaly Detector, Control Program, Log, Database; reference numerals 402, 404, 406, 410, 412, 416 and 420.]

Patent Application Publication   Jun. 12, 2003   Sheet 5 of 6   US 2003/0110392 A1

[FIG. 5: block diagram of server (NOC) setup 500 (drawing not reproduced). Labels legible in the drawing: Protect, Audit Trails, Trend Analysis, Network Management Platform, Software Updates, Demos, Portal, Customer Web View, Customer Connectivity, Customer Support, Master Database, Expert System, Alert Handlers, Neighborhood Inoculate, Operations and Customer Management, Vulnerability Tracking, Alert Response Workbench, Analyst, Trend Database, Anomaly Detection, Wide-View Workbench, Bad Guy Fingerprinting, Statistics, Complexity Theory, Human Immune, Wide View; reference numerals 504 through 552.]

Patent Application Publication   Jun. 12, 2003   Sheet 6 of 6   US 2003/0110392 A1

FIG. 6 (flowchart of process 600):
  602  Client installs new application
  604  Client notifies server of new application
  606  Server updates security configuration
  608  Server sends updated security configuration to client

DETECTING INTRUSIONS

BACKGROUND

[0001] This invention relates to detecting intrusions.

[0002] An entity may make resources such as applications,
collections of data, programs, and other similar resources
available over a network. Security measures may exist to
protect the resources against unauthorized network access,
but illicit attempts to access the resources may still be made.
The entity may set up an intrusion detection system to help
discover such attempts and actual security breaches.

[0003] Generally, an intrusion detection system gathers
information flowing between the network and the entity
providing the resources and analyzes the information for
possible security problems. Such analysis can include evaluating
compliance with system policies, detecting access to
resources by parties having gained unauthorized or otherwise
impermissible access to the resources from inside or
outside the entity (e.g., by providing false identification
information, by bypassing security measures such as firewalls
and password checks, by hacking in to the entity, etc.),
detecting the addition of malicious files (e.g., viruses, Trojan
horses, etc.), evaluating typical access patterns for unusual
activity, and performing other security-related operations.

DESCRIPTION OF DRAWINGS

[0004] FIG. 1 is a block diagram of an embodiment of a
network configuration.

[0005] FIG. 2 is a flowchart showing an embodiment of a
process of detecting intrusions.

[0006] FIG. 3 is a block diagram of an embodiment of a
client intrusion detection system.

[0007] FIG. 4 is a block diagram of an embodiment of
another network configuration.

[0008] FIG. 5 is a block diagram of an embodiment of a
server intrusion detection system.

[0009] FIG. 6 is a flowchart showing an embodiment of a
process of adding an application.

DESCRIPTION

[0010] Referring to FIG. 1, an example network configuration
100 includes client terminals 102(1)-102(N) and a
server 104 that can implement a real time intrusion detection
system. (N represents a whole number.) The client terminals
102(1)-102(N) each include an agent 106(1)-106(N) that can
monitor information received at its associated client terminal
102(1)-102(N) from a network 108, a corporate network
110, and/or other sources. If one of the agents 106(1)-106(N)
detects a possible security problem in any of the information,
the agent can report the possible security problem in
real time to the server 104 through a firewall 112, a virtual
private network (VPN) 114, and a corporate server 116. The
security problem is labeled "possible" because the server
104 may determine it not to be a security problem.

[0011] The server 104 may then update its collection of
security data 118 and the corporate server's collection of
security data 120 to reflect this reported possible security
problem. Additionally, the server 104 can in real time inform
all of the client terminals 102(1)-102(N) of this possible
security problem via each of the agents 106(1)-106(N).

[0012] In this way, the server 104 can propagate any
possible security problems seen by any one of the client
terminals 102(1)-102(N) to all of the client terminals 102(1)-
102(N) so that all of the client terminals 102(1)-102(N) can
defend against that possible security problem in real time
(e.g., monitor for or prevent that security problem). Furthermore,
with the server 104 able to receive security updates
from multiple client terminals and to inform all (or at least
a subset) of the client terminals 102(1)-102(N) in real time
upon detection and/or correction of a security problem, any
potentially negative effects of the security problem can be
reduced or eliminated in real time.

[0013] The server 104 can also use the possible security
problems reported by all of the agents 106(1)-106(N) to help
detect intrusion patterns, new intrusion techniques, and other
security problems that may not be apparent to an individual
client terminal or to a small number of client terminals. The
server 104 can inform all of the client terminals 102(1)-
102(N) of such detected security issues in real time so that
the client terminals 102(1)-102(N) may monitor information
for those security issues.

[0014] "Real time" generally means continuous. Something
occurring in real time can happen fast enough so the
appropriate response occurs quickly, e.g., administrators at a
server can address a security problem, clients may be
notified of a security problem and/or modified to reduce or
eliminate any potentially negative effects of a security
problem, etc. Thus, while "real time" can mean instantaneously
or within a fraction of a second, it could mean a
longer time period, such as minutes, hours, days, etc., for
less aggressive and/or slower systems or in instances of any
kind of network delay.

[0015] Generally, a security problem involves an intrusion.
The intrusion may come from a recognized party (e.g.,
one of the client terminals 102(1)-102(N)) or from an
unrecognized, non-client third party (e.g., an intruder 122).
Examples of security problems can include:

[0016] a) confidentiality, e.g., ensuring that only
authorized parties can access resources available
behind the firewall 112 (such as resources made
available by the corporate network 110),

[0017] b) control and integrity, e.g., enabling only
certain parties to access, edit, add, and/or delete
resources available behind the firewall 112 and identifying
non-standard network or resource access patterns,

[0018] c) authenticity, e.g., verifying the identity of
parties, and/or

[0019] d) vulnerability, e.g., determining weaknesses
in the security of the corporate network 110, the
firewall 112, and the VPN 114.

[0020] It might be useful to detect security problems in the
network configuration 100. The corporate network 110 may
include a server that an organization associated with the
corporate network 110 may want available over the VPN 114
to the client terminals 102(1)-102(N). These may include
employees of the organization, customers of the organization,
contractors of the organization, and other authorized
parties. The organization may not, however, want any other
parties to have access to the corporate network 110 or for the
authorized parties to illicitly use or access restricted
resources available in the corporate network 110. Thus, the
organization may deploy an intrusion detection system
including the server 104, the corporate server 116, and the
agents 106(1)-106(N) at each of the client terminals 102(1)-
102(N). The network configuration 100 may, of course,
include additional security precautions.

[0021] Before further discussing detecting intrusions, the
elements in the network configuration 100 are further
described.

[0022] The elements in the network configuration 100 can
be implemented in a variety of ways. Information communicated
between elements included in the network configuration
100 can include data, instructions, or a combination of
the two. The information may be in packets. Each sent
packet may be part of a packet stream, where each of the
packets included in the packet stream fits together to form a
timewise contiguous stream of data. Information may be
communicated between endpoints via multicast, unicast, or
some combination of both.

[0023] The corporate network 110 and the network 108
can each include any kind and any combination of networks
such as an Internet, a local area network (LAN) or other
local network, a private network, a public network, or other
similar network. Typically, the network 108 includes a
public network while the corporate network 110 includes a
private network. Communications through the corporate
network 110 and the network 108 may be secured with a
mechanism such as Transport Layer Security/Secure Sockets
Layer (TLS/SSL), wireless TLS (WTLS), or secure Hypertext
Transfer Protocol (S-HTTP). Although discussed here
as having a corporate association, the corporate network 110
can be associated with any type of organization: corporate,
individual, non-profit, educational, etc.

[0024] The VPN 114 generally includes a private network
existing within a public network. Information may be sent
on the VPN 114 using public communication links (e.g., via
the Internet), but the information may be protected with
encryption and/or other security mechanisms so that only
authorized users may access the information through the
VPN 114.

[0025] The client terminals 102(1)-102(N) can each
include any device capable of communicating with the
network 108 and with the corporate network 110 through the
VPN 114. Examples of such devices include a mobile
computer, a stationary computer, a workstation, a server, a
telephone, a pager, a personal digital assistant, and other
similar devices. The intruder 122 may also include any of
these example devices.

[0026] The agents 106(1)-106(N) can each include any
mechanism capable of communicating with the corporate
server 116 and executing an intrusion detection system on its
associated client terminal. Examples of such agents include
software programs or routines, applications, bots, and other
similar mechanisms.

[0027] The server 104 can include any device capable of
communicating with the network 108 and the corporate
server 116 such as a file server, an application server, a
mobile computer, a stationary computer, or other similar
device. The server 104 may serve as a network operations
center (NOC), a central network management server.
Responsibilities of the server 104 may include setting policies
regarding detection of possible security problems,
monitoring general network issues, detecting intrusion patterns
or new intrusion techniques, researching anomalies,
receiving alerts from the corporate server 116, requesting a
response to security updates from the corporate server 116
and/or the agents 106(1)-106(N), creating updates to transmit
to the agents 106(1)-106(N), investigating possible
security problems, resolving possible security problems,
logging possible security problems received from the agents
106(1)-106(N), and performing other similar tasks.

[0028] The corporate server 116 can include any device
capable of communicating with the server 104 and the
agents 106(1)-106(N) such as a file server, an application
server, a mobile computer, a stationary computer, or other
similar device. The corporate server 116 may serve as an
NOC for the corporate network 110. Responsibilities of the
corporate server 116 may include setting policies regarding
detection of possible security problems, monitoring general
network issues, receiving alerts from the agents 106(1)-
106(N), approving updates for the agents 106(1)-106(N)
transmitted from the server 104, investigating possible security
problems, and performing other similar tasks.

[0029] The collections of data 118 and 120 can each
include a storage mechanism such as a data queue, a buffer,
a local or remote memory device, a cache, or other similar
storage mechanism. The collections of data 118 and 120 may
be organized as databases. The collections of data 118 and
120 may be included in their respective servers 104 and 116
rather than exist as separate elements as shown in the
network configuration 100.

[0030] The firewall 112 can include any hardware and/or
software mechanism able to prevent unauthorized access to
or from a network, such as between a private network (e.g.,
the corporate network 110) and a public network (e.g., the
network 108).

[0031] Elements included in the network configuration
100 can communicate with other element(s) included in the
network configuration 100 over one or more communication
links. These communication links can include any kind and
any combination of communication links such as modem
links, Ethernet links, cables, point-to-point links, infrared
connections, fiber optic links, wireless links, cellular links,
Bluetooth, satellite links, and other similar links.

[0032] Elements included in the network configuration
100 may be remotely located from one another. That is,
elements may be located in different geographical regions,
may be physically separated by one or more communication
links, may be included in different networks, and otherwise
be separately located. For example, each of the client
terminals 102(1)-102(N) may be located at different branch
offices of an organization maintaining the corporate network
110 at a main branch office. The server 104 may be located
at the main branch office or at another location, such as at a
third party network maintenance site.

[0033] Furthermore, the network configuration 100 is simplified
for ease of explanation. The network configuration
100 may include more or fewer additional elements such as
networks, communication links, proxy servers, firewalls or
other security mechanisms, Internet Service Providers
(ISPs), gatekeepers, gateways, switches, routers, hubs, client
terminals, and other elements.

[0034] Referring to FIG. 2, a process 200 shows an
example of detecting intrusions using the server 104, the
corporate server 116, and the agents 106(1)-106(N) at each
of the client terminals 102(1)-102(N). Although the process
200 is described with reference to the elements included in
the network configuration 100 of FIG. 1, this or a similar
process may be performed in another, similar network
configuration.

[0035] In the process 200, the agents 106(1)-106(N) each
run 202 on their associated client terminals 102(1)-102(N).
For simplicity in this example, the client terminal 102(1) is
referred to as "client 102" while its associated agent 106(1)
is referred to as "agent 106." The attributes of the client 102
and the agent 106 may similarly apply to the other client
terminals and the other agents included in the network
configuration 100.

[0036] The agent 106 typically waits (idles) on its associated
client 102 until the occurrence of one or more events.
In the process 200, the agent 106 waits until information
arrives 204 at the client 102. The information typically
arrives at the client 102 through the VPN 114, the corporate
network 110, or the network 108 from one of the other client
terminals or from another terminal capable of communicating
through the VPN 114, the corporate network 110, or the
network 108.

[0037] When information arrives at the client 102, the
agent 106 examines the information and determines 206 if
the information includes or indicates a known anomaly.
Known anomalies include security problems that the server
104 has identified to the agent 106 and/or security problems
that the agent 106 was initially configured to identify (and
that have not since been deleted as anomalies to identify).
The agent 106 may make this determination in real time.

[0038] In identifying known anomalies, the agent 106 may
compare the information with information included in a
collection of anomalies data included as part of the agent
106, in a collection of anomalies data included in the client
102 or otherwise accessible to the agent 106, in the corporate
collection of security data 120, or in another similar
resource.

[0039] For example, a packet may arrive at the client 102.
The agent 106 may compare a source Internet Protocol (IP)
address included in or with the packet with IP addresses of
known intruders included in the corporate collection of
security data 120. In another example when a packet arrives
at the client 102, the agent 106 may examine the packet for
particular queries or commands that fit an intrusion pattern
or technique identified in the corporate collection of security
data 120.

[0040] If the agent 106 does not detect a known anomaly,
then the agent 106 returns 208 to waiting for another piece
of information to arrive at the client 102 or to examining a
piece of information that already arrived at the client 102.
The client 102 may also process the information as appropriate
because the information does not present a known
security problem.

[0041] If the agent 106 does detect a known anomaly, then
the agent 106 can report 210 the anomaly to the server 104.
The agent 106 may report the anomaly in real time. The
agent 106 may report the anomaly directly to the server 104
or to the server 104 through a network such as the VPN 114.
The agent 106 may not report the anomaly to the server 104
or even know that notice of the anomaly will reach the server
104 but rather report the anomaly to an intermediary, such
as to the corporate server 116 via the VPN 114. In this
particular example, assume that the agent 106 transmits
notice of the anomaly to the server 104 via the VPN 114 and
the corporate server 116.

[0042] Once the agent 106 reports the anomaly, the agent
106 returns 212 to waiting for another piece of information
to arrive at the client 102 or to examining a piece of
information that previously arrived at the client 102.

[0043] The server 104 receives notice of the anomaly and
can examine the anomaly to determine 214 if the anomaly
constitutes an actual anomaly, e.g., a known security problem,
a possible security problem serious enough to report to
the client terminals 102(1)-102(N), etc. The server 104 may
make such a determination in real time.

[0044] The server 104 may individually examine the
anomaly or the server 104 may examine the anomaly in
conjunction with other information accessible by the server
104, e.g., information included in the collection of security
data 118, information sent to the server 104 from other
sources, information accessible to the server 104 through the
network 108 and/or the corporate server 116, and other
similar types of information. The server 104 may examine
the anomaly in any number of ways and may examine all
anomalies in the same way or limit particular examinations
to particular types of anomalies.

[0045] In individually examining the anomaly, the server
104 may, for example, search for particular information in
the anomaly such as a network address previously noted as
a security problem, a particular query or command associated
with a known intrusion pattern or technique, a particular
file name or file type associated with a known intrusion
pattern or technique, and other similar types of information.
In another example, the server 104 may check the identity of
the sender of the information that triggered the agent 106 to
report the anomaly.

[0046] In examining the anomaly in conjunction with
other information, the server 104 may, for example, compare
the anomaly with information previously logged at the
server 104, perhaps in the collection of security data 118. For
instance, the server 104 may look for non-standard access
patterns, such as logins at unexpected hours or from unexpected
locations or users.

[0047] If after whatever examination or examinations the
server 104 performs on the anomaly the server 104 determines
that the anomaly is not an actual anomaly, then the
server 104 can log 216 the anomaly, e.g., in the collection of
security data 118, for record-keeping purposes and/or to use
in examining subsequently reported anomalies. The process
then ends 218. The server 104 can, of course, continue
examining other anomalies and continue performing any of
its other duties.

[0048] If, however, the server 104 determines that the
anomaly is an actual anomaly, then the server 104 may
document the anomaly and/or perform or instigate corrective
procedures to address the anomaly. The server 104 may
perform such documentation and instigation automatically
in real time upon recognition of the security problem. The
server 104 may, however, delay such documentation and/or
instigation until an administrator reviews the anomaly and/
or any corrective procedures recommended by the server
104. The server 104 also may delegate the documentation
and/or instigation to another mechanism, such as the corporate
server 116.

[0049] In documenting the anomaly, the server 104 can log
220 the anomaly. Generally, logging the anomaly includes
storing a record of the anomaly in the collection of security
data 118. Information logged about an anomaly can include
which of the client terminals 102(1)-102(N) reported the
anomaly to the server 104, the time that the anomaly was
sent to and/or received by the server 104, the nature of the
anomaly, and/or other similar types of information.

[0050] Once logged, the server 104 may use the information
about the anomaly along with other security problem
information in performing general intrusion detection
actions. Such actions can include monitoring and analyzing
client and system activity (including examination of other
anomalies sent to the server 104), performing audits,
inspecting all incoming and outgoing information (e.g.,
packets), assessing integrity, recognizing attack patterns,
reporting possible intrusions, and performing other similar
tasks.

[0051] The server 104 can notify 222 the client terminals
102(1)-102(N) of the anomaly. The server 104 may send this
notification in real time. The server 104 typically notifies the
client terminals 102(1)-102(N) via the VPN 114. The server
104 may only notify the client 102, but typically notifies all
of the client terminals 102(1)-102(N).

[0052] The notification to the client terminals 102(1)-
102(N) can include the server 104 alerting the agents
106(1)-106(N) of the anomaly. In this way, the agents
106(1)-106(N) can all receive real time notification of the
anomaly, immediately being able to check for that anomaly
in examining information arriving at their respective client
terminals 102(1)-102(N).

[0053] The notification may also include the server 104
notifying the client terminals 102(1)-102(N) with a message
or other alert. For example, the server 104 may send a
message to the client terminals 102(1)-102(N) via electronic
mail, pager, or other similar mechanism, cause a visual
and/or audio notice to appear at the client terminals 102(1)-
102(N), and/or take other similar actions.

[0054] In addition to or instead of notifying the client
terminals 102(1)-102(N) of the anomaly, the server 104 may
notify 224 the firewall 112 of the anomaly. The server 104
may send this notification in real time. This notification may
include updating the collection of corporate security data
120 to include information about the anomaly, modifying
security procedures to account for the anomaly, or performing
other similar tasks.

[0055] The server 104 may report the anomaly to the
appropriate element or elements included in the network
configuration 100 in real time and subsequently determine if
the anomaly constitutes an actual security problem. In that
case, the server 104 may needlessly report an anomaly if the
anomaly turns out to not constitute an actual security problem.
If, however, the implications of the anomaly are sufficiently
severe, then reporting the anomaly as soon as
possible may enable the client terminals 102(1)-102(N) to
more quickly receive notice of the anomaly and may more
quickly reduce or eliminate any harmful effects of the
anomaly. Waiting for the server 104 to complete a more
detailed evaluation of the anomaly than the agent 106
already made before sending a report of the anomaly may
incur a delay long enough for the client terminals 102(1)-
102(N) to accept or pass information that would be identified
as an anomaly using information in the report.

[0056] Once the server 104 reports the anomaly to the
appropriate element or elements, then the server 104 may
attempt 226 to address the anomaly. Addressing the anomaly
generally includes mitigating or eliminating any potentially
negative effects of the anomaly. The server 104 may automatically
attempt to address the anomaly, or the server 104
may log some or all security problems for an administrator
to examine and address at a later time.

[0057] If the server 104 does address the anomaly, e.g.,
develop a strategy to combat the effects of the anomaly on
the VPN 114, then the server 104 can send 228 a remedy to
the client terminals 102(1)-102(N) and/or the firewall 112.

[0058] Whether the server 104 addresses the anomaly or
not, the server 104 may follow up 230 on the source of the
anomaly, e.g., the intruder 122 or one of the client terminals
102(1)-102(N). Such follow up may include sending notice
to the source that a security problem originated at the
source's location, triggering a corporate security problem
procedure, or performing another similar action.

[0059] Referring to FIG. 3, a client setup 300 shows an
example configuration of the client 102. Although the client
setup 300 is described with reference to the elements
included in the network configuration 100 of FIG. 1, this or
a similar setup may be implemented in another, similar
network configuration.

[0060] The client setup 300 includes a core mechanism
302, an enhancements mechanism 304, and a management
mechanism 306. Each of these mechanisms 302, 304, and
306 is described below.

[0061] The core mechanism 302 can function as the agent
106, performing such actions as checking for and detecting
known anomalies in information that arrives at the client 102
and reporting any detected anomalies. The core mechanism
302 includes an application monitor 308, a firewall 310, and
an intrusion detection mechanism 312.

[0062] Information may enter the client setup 300 at the
application monitor 308. The application monitor 308 can
examine the information and determine if the information
includes or indicates a known anomaly. In this examination
and determination, the application monitor may consult
information included in an application monitor collection of
data 314 and/or a control program 316 included in the
management mechanism 306.
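
The agent/server exchange of process 200 ([0035] through [0058], FIG. 2 steps 202 through 224), as an added Python simulation that is not part of the patent: each agent screens arriving packets against its local copy of the anomalies data (the source-address and intrusion-pattern checks of [0039]), reports a hit to the server, and the server decides whether the report is an actual anomaly, logs it, and pushes the source address to every agent and to the firewall. The decision rule in is_actual, the class names, the sample signature and the addresses are assumptions; the page does not specify them.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample input: information arriving at a client (step 204)."""
    src_ip: str
    payload: str


@dataclass(frozen=True)
class Anomaly:
    """Notice an agent sends to the server (step 210)."""
    client_id: int
    src_ip: str
    reason: str  # "intruder_ip" or "pattern:<name>"


class Server:
    """Server 104: decides (214), logs (216/220) and propagates (222/224)."""
    def __init__(self, intruder_ips, patterns):
        self.intruder_ips = set(intruder_ips)   # part of security data 118
        self.patterns = dict(patterns)          # name -> regular expression
        self.log = []                           # logged reports as (anomaly, actual)
        self.firewall_blocklist = set()         # settings pushed to firewall 112
        self.agents = []

    def is_actual(self, anomaly):
        # Step 214. The page leaves the decision rule open; assumed here: a pattern
        # hit the server itself recognises is actual, and an address-only hit is
        # actual only while the address is still in the server's own list.
        if anomaly.reason.startswith("pattern:"):
            return anomaly.reason[len("pattern:"):] in self.patterns
        return anomaly.src_ip in self.intruder_ips

    def receive_report(self, anomaly):
        actual = self.is_actual(anomaly)
        self.log.append((anomaly, actual))      # 216 if not actual, 220 if actual
        if actual:
            # 222: every agent learns the source address at once, so the other
            # clients detect it even without seeing the triggering pattern.
            self.intruder_ips.add(anomaly.src_ip)
            for agent in self.agents:
                agent.update(intruder_ips={anomaly.src_ip})
            self.firewall_blocklist.add(anomaly.src_ip)   # 224
        return actual


class Agent:
    """Agent 106 running on a client terminal 102 (step 202)."""
    def __init__(self, client_id, server, intruder_ips=(), patterns=()):
        self.client_id = client_id
        self.server = server
        self.intruder_ips = set(intruder_ips)   # local collection of anomalies data
        self.patterns = {n: re.compile(rx) for n, rx in patterns}
        server.agents.append(self)

    def update(self, intruder_ips=(), patterns=()):
        """Intrusion update received from the server (step 222)."""
        self.intruder_ips.update(intruder_ips)
        self.patterns.update({n: re.compile(rx) for n, rx in patterns})

    def examine(self, packet):
        """Step 206: compare the packet with the local anomalies collection."""
        if packet.src_ip in self.intruder_ips:
            return Anomaly(self.client_id, packet.src_ip, "intruder_ip")
        for name, rx in self.patterns.items():
            if rx.search(packet.payload):
                return Anomaly(self.client_id, packet.src_ip, f"pattern:{name}")
        return None

    def handle(self, packet):
        anomaly = self.examine(packet)
        if anomaly is None:
            return "accepted"                   # 208: no known anomaly, client uses it
        actual = self.server.receive_report(anomaly)   # 210, then 212: back to waiting
        return f"reported:{anomaly.reason}:{'actual' if actual else 'not_actual'}"


def run_scenario():
    """Constructed walk-through with two clients; returns the outcomes."""
    sqli = r"(?i)\bunion\s+select\b"
    server = Server(intruder_ips={"198.51.100.7"}, patterns={"sqli": sqli})
    agent1 = Agent(1, server, patterns=[("sqli", sqli)])
    # Agent 2 knows no pattern and still holds an address the server no longer lists.
    agent2 = Agent(2, server, intruder_ips={"203.0.113.9"})
    results = [
        agent1.handle(Packet("192.0.2.5", "GET /index.html")),
        agent1.handle(Packet("192.0.2.5", "GET /items?id=1 UNION SELECT name FROM users")),
        agent2.handle(Packet("192.0.2.5", "GET /index.html")),    # learned via step 222
        agent2.handle(Packet("203.0.113.9", "GET /index.html")),  # stale local entry
    ]
    return {
        "results": results,
        "blocklist": sorted(server.firewall_blocklist),
        "log_size": len(server.log),
        "actual_count": sum(1 for _, actual in server.log if actual),
    }
```

The third packet is caught by agent 2 purely through the address pushed in step 222, while the fourth shows the server logging, but not acting on, a report it does not consider an actual anomaly.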

[0063] The control program 316 is generally responsible
for coordinating commu