

Title:
SYSTEM AND METHOD FOR MONITORING NETWORK SECURITY
Document Type and Number:
WIPO Patent Application WO/2003/063449
Kind Code:
A1
Abstract:
Systems and methods are described for monitoring network security. A method for securing a network includes receiving a request from a client at a network device connected to a network, transmitting data from the network device to a policy server if the request is a failed request, analyzing the failed request to determine if the client is a hostile client, creating a security rule if the client is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the network as a function of the network device access rule.

Inventors:
ROBERTS JESSE P (US)
Application Number:
PCT/US2003/001592
Publication Date:
July 31, 2003
Filing Date:
January 17, 2003
Assignee:
METROWERKS CORP (US)
ROBERTS JESSE P (US)
International Classes:
H04L29/06; (IPC1-7): H04L29/06
Domestic Patent References:
WO2002014987A2 2002-02-21
Foreign References:
US6167520A 2000-12-26
Attorney, Agent or Firm:
Bahler, David D. (Suite 2400 600 Congress Avenu, Austin TX, US)
Claims:
CLAIMS What is claimed is:
1. A method for securing a network, comprising: receiving a request from a client at a network device connected to a network; transmitting data from the network device to a policy server if the request is a failed request; analyzing the failed request to determine if the client is a hostile client; creating a security rule if the client is a hostile client; communicating the security rule to the network device; modifying a network device access rule according to the security rule; and blocking the hostile client from the network as a function of the network device access rule.
2. The method of claim 1, wherein the failed request includes a failed command.
3. The method of claim 1, wherein transmitting the data includes transmitting a client data.
4. The method of claim 3, wherein transmitting the client data includes transmitting a client internet protocol address.
5. The method of claim 3, wherein transmitting the client data includes transmitting a request data.
6. The method of claim 3, wherein transmitting the client data includes transmitting a date and time.
7. The method of claim 1, wherein creating the security rule includes creating a set of security rules.
8. The method of claim 1, wherein creating the security rule includes updating a security rule.
9. The method of claim 1, wherein the network includes the Internet.
10. The method of claim 1, wherein the network includes an intranet.
11. The method of claim 1, wherein the intranet includes a local area network.
12. A network security apparatus, comprising: a computer network; a client computer coupled to the computer network; a network device coupled to the computer network; and a policy server coupled to the computer network, the network device receiving a request from a client computer and transmitting data to the policy server if the request is a failed request, the policy server analyzing the failed request to determine if the client computer is a hostile client, creating a security rule if the client computer is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the computer network.
13. The network security apparatus of claim 12, wherein the network device is coupled to the policy server by a local area network.
14. The network security apparatus of claim 12, further comprising another client computer coupled to the computer network.
15. The network security apparatus of claim 12, further comprising another network device coupled to the network.
16. The network security apparatus of claim 12, wherein the computer network includes the internet.
Description:
DESCRIPTION SYSTEM AND METHOD FOR MONITORING NETWORK SECURITY CROSS-REFERENCE(S) TO RELATED APPLICATION(S) This application claims a benefit of priority under 35 U.S.C. 119(e) and/or 35 U.S.C. 120 from U.S. Provisional Patent Application No. 60/349,903, filed January 18, 2002, the entire contents of which are hereby expressly incorporated by reference for all purposes.

BACKGROUND OF THE INVENTION 1. Field of the Invention The invention relates generally to the field of computer networks. More particularly, the invention relates to computer network security systems.

2. Discussion of the Related Art The use of computer networks has increased dramatically in recent years with the rise of the Internet and intranets, such as local area networks (LANs).

Unfortunately, this surge in network usage also generates a growing concern over security issues. Network security can be defined as the process of preventing and detecting unauthorized use of a computer network.

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, software, or a combination of both. All commands entering or leaving the network pass through the firewall, which examines each command and blocks those that do not meet the specified security criteria. Nevertheless, these criteria are fixed and cannot be dynamically created, updated, or implemented.

What is needed is a method and apparatus by which a distributed group of computing devices such as, for example, Internet Protocol (IP)-enabled devices, may dynamically construct and implement network access and connectivity rules.

SUMMARY OF THE INVENTION There is a need for the following embodiments. Of course, the invention is not limited to these embodiments.

According to an aspect of the invention, a method for securing a network comprises receiving a request from a client at a network device connected to a network, transmitting data from the network device to a policy server if the request is a failed request, analyzing the failed request to determine if the client is a hostile client, creating a security rule if the client is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the network as a function of the network device access rule.

According to another aspect of the invention, a network security apparatus comprises a computer network, a client computer coupled to the computer network, a network device coupled to the computer network, and a policy server coupled to the computer network; the network device receiving a request from a client computer and transmitting data to the policy server if the request is a failed request, the policy server analyzing the failed request to determine if the client computer is a hostile client, creating a security rule if the client computer is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the computer network.

These, and other, embodiments of the invention will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following description, while indicating various embodiments of the invention and numerous specific details thereof, is given by way of illustration and not of limitation. Many substitutions, modifications, additions and/or rearrangements may be made within the scope of the invention without departing from the spirit thereof, and the invention includes all such substitutions, modifications, additions and/or rearrangements.

BRIEF DESCRIPTION OF THE DRAWINGS The drawings accompanying and forming part of this specification are included to depict certain aspects of the invention. A clearer conception of the invention, and of the components and operation of systems provided with the invention, will become more readily apparent by referring to the exemplary, and therefore nonlimiting, embodiments illustrated in the drawings, wherein like reference numerals (if they occur in more than one view) designate the same or similar elements. The invention may be better understood by reference to one or more of these drawings in combination with the description presented herein. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale.

Figure 1 is a block diagram of a distributed security system, representing an embodiment of the invention.

Figure 2 is a block diagram of an exemplary client computer, representing an embodiment of the invention.

Figure 3 is a block diagram of a computer network policy server, representing an embodiment of the invention.

Figure 4 is a flowchart of a distributed security method, representing an embodiment of the invention.

DETAILED DESCRIPTION The invention and the various features and advantageous details thereof are explained more fully with reference to the nonlimiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. It should be understood that the detailed description and the specific examples, while indicating specific embodiments of the invention, are given by way of illustration only and not by way of limitation. Various substitutions, modifications, additions and/or rearrangements within the spirit and/or scope of the underlying inventive concept will become apparent to those of ordinary skill in the art from this disclosure.

The invention may include a method and apparatus for surveillance and detection of attempted intrusions into computers connected to a network. The invention may also include a method and apparatus for the systematic monitoring, intrusion identification, notification, tracking, and elimination of unauthorized activities, such as methods or systems used by "hackers" to intrude into computer networks. Prior-art technologies for network security monitoring have generally been limited to detection and notification capabilities.

In one embodiment, the invention may include a method and apparatus for providing a security system that detects unauthorized activity on a network, determines the presence of at least one hostile host, and denies connectivity by one or more hosts identified as a hostile host. The invention may also include a method and apparatus by which a distributed group of IP-enabled devices may dynamically construct and implement network access and connectivity rules. In another embodiment, the invention may include providing data that is useful for evidence of theft or misuse of electronically stored property.

Referring to Figure 1, a block diagram of a distributed security system 100 is depicted, according to an embodiment of the invention. A representative section of the distributed security system 100 may comprise a plurality of client computers 118 and 120, a policy server 125, and a plurality of computing/network devices 130.

Each computing device depicted in Figure 1 may be configured to electronically communicate via a network 101 such as, for example, the Internet. In addition, the policy server 125 and the plurality of computing devices 130 may be controlled by one business entity and thus also configured to electronically communicate via a local area network (LAN) 102, or the like.

The client computers 118 and 120 are described in greater detail with respect to Figure 2. The policy server 125 and the plurality of computing devices 130 are described in greater detail with respect to Figure 3. It should be appreciated that the illustrative embodiment shown in Figure 1 is one suitable computing environment for the invention and that the methods described below may be implemented in any computing environment. For instance, the computing environment of Figure 1 may be configured on an intranet, thereby limiting the computing devices to a closed system.

Referring to Figure 2, a block diagram of the exemplary client computer 120 detailed in Figure 1 is depicted in accordance with one aspect of the invention. The client computer 120 may be any general purpose computing device, such as a personal computer, server, or the like. One of ordinary skill in the art will appreciate that the client computer 120 may also be a distributed computing device, such as a network of servers. In addition, the client computer 120 may be any other communications device such as a two-way pager, mobile phone, personal data assistant (PDA), or any other computing device having network capabilities. Those of ordinary skill in the art will appreciate that the computing device 120 may include more components than those shown and described below. However, it is not necessary that all of these generally conventional components be shown in order to disclose an illustrative embodiment for practicing the invention.

As shown in Figure 2, the client computer 120 includes a network interface 230 for connecting to the network 101. One of ordinary skill in the art will appreciate that the network interface 230 includes the necessary circuitry for such a connection, and may also be constructed for use with the TCP/IP protocol. The client computer 120 also includes a processing unit 210, a display 240, and a memory 250.

The memory 250 generally comprises a random access memory (RAM), a read-only memory (ROM), and a permanent mass storage device, such as a disk drive. The memory 250 stores the program code necessary for operating the client computer 120 and for providing a user interface on the display 240. In addition, the memory 250 may store a network application 255, such as a web browser, mail application, or the like. The network application 255 is utilized by a user of the client computer 120 to access various network servers, such as a file server, mail server, etc. It will be appreciated that these software components may be loaded from a computer-readable medium into memory 250 of the client computer 120 using a drive mechanism associated with the computer-readable medium, such as a floppy, tape or CD-ROM drive (not shown), or via the network interface 230.

Referring to Figure 3, a block diagram of the computer network policy server 125 detailed in Figure 1 is depicted according to one exemplary embodiment of the invention. The policy server 125 may contain at least one of the components described above with reference to the client computer 120 of Figure 2. For instance, the policy server 125 may comprise a processing unit 310, a display 340, a mass memory 350, and an interface 330, all interconnected to a bus 320. The policy server 125 may also comprise a security application 355 and a host database 356 in the memory 350. In one embodiment, the security application 355 is configured to carry out a method of the invention as detailed in Figure 4, and the host database 356 is configured to store the data collected from the network devices 130.

Referring again to Figure 1, for purposes of illustrating various aspects of the invention, the network devices 130 may be a client or server computer configured in a manner that is similar to the above-described devices. Alternatively, the network devices 130 may be in the form of a router, firewall, or any other electronic device configured to communicate with a network. In one embodiment, a single computer may perform the functions of the policy server 125 and of the computing device 130.

The invention may provide a system and method for network surveillance and detection of attempted intrusions into computers connected to a network. As applied to the example network 100 described above, one embodiment of the system of the invention involves a network having a plurality of devices such as a policy server 125, a plurality of computing devices 130 and a plurality of client computers 118 and 120.

In one embodiment of the invention, the policy server 125 receives and analyzes data describing attempted intrusions from various computing devices 130 on the network 101. The policy server 125 then may generate a set of security rules, which allow the computing devices 130 to selectively lock out hostile hosts having a history of attempted intrusions.

Referring to Figure 4, a flowchart of a distributed security method 400 is depicted according to one exemplary embodiment of the invention. Steps 405-415 may be performed by the computing devices 130, while steps 420-435 may be performed by the policy server 125, both detailed in Figure 1. In step 405, a computing device 130 of the network receives a request. In step 410, the computing device 130 may determine the presence of an attempted intrusion and transmit data describing the attempted intrusion to the policy server 125. In one embodiment, the presence of an attempted intrusion may be determined if a device receives a request to open an unavailable PORT. For instance, the presence of an attempted intrusion may be determined if a device 130, such as a firewall, receives a request to open PORT 20, a PORT normally reserved for email services. In another example, a request to open PORT 80 on a firewall may indicate the presence of an attempted intrusion. In summary, any request that does not match a service or an available PORT on a particular device may indicate the presence of an attempted intrusion. In other embodiments, the presence of an attempted intrusion may be determined by other types of network activity such as a failed login or any other failed access request. If a device 130 determines the presence of an attempted intrusion, control passes to step 415, otherwise the method 400 ends.

In step 415, a computing device 130 may transmit data describing each attempted intrusion, also referred to herein as access data, to the policy server 125. In one embodiment, each computing device 130 records the access data and periodically transmits the recorded access data to the policy server 125. In another embodiment, the computing devices 130 of the network may be configured to transmit the access data to the policy server 125 each time the presence of an attempted intrusion is determined. The access data may include the IP address of the host transmitting the access request, the time and date of each attempted intrusion, and other related data.

In step 420, the access data is analyzed for a pattern by the policy server 125.

In one mode of operation, the policy server 125 is configured to continuously receive and record the access data from the computing devices 130. The policy server 125 may also continuously analyze the access data for patterns to determine the presence of a hostile host. In one embodiment, the policy server 125 maintains a cached list of known sources of unauthorized connection attempts and evaluates the potential hostility of each attempt.

In step 425, if a source is determined to be responsible for a predetermined number of unauthorized attempts, it may be promoted into a cached list of known hostile hosts and control passed to step 430, otherwise the method 400 ends. In one specific embodiment, if one particular host, such as the host 118 of Figure 1, repeatedly attempts to access one particular device 130 in the network, the policy server 125 may determine the presence of a hostile host. In another embodiment, if one particular host, such as the host 118 of Figure 1, sends a number of failed access requests to a number of unique devices 130 on the network, the policy server 125 may determine the presence of a hostile host. In addition, the policy server 125 may determine the presence of a hostile host if there are many failed requests to open a particular PORT on one or more devices 130. In other embodiments, any one of the above-described embodiments, or combinations thereof, may be utilized to determine the presence of a hostile host. For example, if a host 118 executes a systematic PORT scan to open PORT 80 on each device 130 in the network, the policy server 125 may determine the presence of a hostile host.

In step 430, once the presence of a hostile host is determined, the policy server 125 then may generate and/or update a set of security rules, which allow the computing devices 130 to lock out specific hosts having a history of attempted intrusions. In one embodiment, the policy server 125 can establish a rule to lock out any network request transmitted from a particular internet protocol (IP) address. In this example, if a particular host, such as the device labeled as a 'hostile host' 118 in Figure 1, is the source of many attempted intrusions, the policy server 125 may provide instructions to each device 130 in the network to refuse any request from that particular host. In one embodiment, the policy server 125 is configured to update and modify the security rules on an ongoing basis, thereby identifying potential hostile hosts as patterns of intrusion or unauthorized access attempts develop.

In step 435, as the security rules are updated, the security rules are communicated from the policy server 125 to the plurality of devices on the network.

In one embodiment, each device 130 in the network may periodically poll the policy server 125 to request an updated set of security rules. In response to the poll from an individual device, the policy server 125 retrieves a set of security rules from a database storing the updated security rules, and transmits the updated security rules to the requesting device. As can be appreciated by one of ordinary skill in the art, the method of this embodiment can be described as having data "pulled" from the policy server 125 to the plurality of devices on the network. By the use of this embodiment, the devices on the network may be configured to deny access to any incoming data that is randomly sent to each device, and each device may be configured to only accept data when the device sends a request for specific data. In another embodiment, the policy server 125 may communicate to the plurality of devices on the network by other means, such as a data "push" from the policy server 125 to each device. In this alternative embodiment, the updated security rules stored on the policy server 125 are periodically distributed to each network device 130 by any one of a number of communication methods known in the art.

Once a particular device 130 receives the updated security rules, the device may then modify its access rules, thereby locking out hosts that may be deemed as a hostile host. Each device 130 may also vary the level of its own participation with respect to the security rules received from the policy server 125. For instance, in one embodiment, some devices 130 may mirror the rules provided by the policy server 125. In an alternative embodiment, certain devices 130 may mirror a set of security rules generated by a subset of devices 130 in the network. In this alternative embodiment, the policy server 125, or a second policy server (not shown), may generate a set of security rules based on access data received from a specific group of devices 130.
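As an added example that is not part of the patent, the following Python sketch implements the device-side detection and reporting of steps 410-415, the policy server's three hostile-host patterns of steps 420-425, rule generation in step 430, and the "pull" distribution of step 435. The thresholds, device names, port sets and sample addresses are constructed for illustration; the specification itself says only "a predetermined number" of attempts.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRecord:
    """Access data a device reports for one failed request (step 415)."""
    client_ip: str
    device_id: str
    port: int
    timestamp: float  # the specification lists time and date as access data


@dataclass
class PolicyServer:
    """Host database plus rule generation (steps 420-435); thresholds are constructed."""
    repeat_threshold: int = 5   # failed attempts by one host against one device
    spread_threshold: int = 3   # distinct devices probed by one host
    port_threshold: int = 4     # failed attempts by one host on one port, any device
    records: list = field(default_factory=list)
    hostile_hosts: set = field(default_factory=set)
    rule_version: int = 0

    def analyze(self) -> set:
        """Steps 420/425: a source matching any of the three patterns is hostile."""
        per_device, per_port, devices_by_ip = Counter(), Counter(), defaultdict(set)
        for r in self.records:
            per_device[(r.client_ip, r.device_id)] += 1
            per_port[(r.client_ip, r.port)] += 1
            devices_by_ip[r.client_ip].add(r.device_id)
        hostile = {ip for (ip, _), n in per_device.items() if n >= self.repeat_threshold}
        hostile |= {ip for (ip, _), n in per_port.items() if n >= self.port_threshold}
        hostile |= {ip for ip, d in devices_by_ip.items() if len(d) >= self.spread_threshold}
        if hostile - self.hostile_hosts:      # step 430: publish a new rule set only on change
            self.hostile_hosts |= hostile
            self.rule_version += 1
        return hostile

    def rules(self) -> dict:
        """Step 435, pull model: the rule set handed to a polling device."""
        return {"version": self.rule_version, "deny_ips": sorted(self.hostile_hosts)}


class NetworkDevice:
    """A device 130: flags and reports unavailable-port requests, enforces pulled rules."""
    def __init__(self, device_id: str, server: PolicyServer, services: set):
        self.device_id, self.server, self.services = device_id, server, set(services)
        self.deny_ips, self.rule_version = set(), -1

    def handle_request(self, client_ip: str, port: int, ts: float) -> str:
        if client_ip in self.deny_ips:
            return "blocked"   # access rule already modified per the security rule
        if port in self.services:
            return "served"
        # Step 410: a request that matches no available port is an attempted intrusion.
        self.server.records.append(AccessRecord(client_ip, self.device_id, port, ts))
        return "failed"

    def poll_rules(self) -> None:
        rules = self.server.rules()
        if rules["version"] != self.rule_version:
            self.deny_ips, self.rule_version = set(rules["deny_ips"]), rules["version"]


def demo() -> tuple:
    """Constructed scenario: one host sweeps port 80 on every device; another errs once."""
    server = PolicyServer()
    devices = [NetworkDevice(f"dev{i}", server, {22, 443}) for i in range(4)]
    for t, dev in enumerate(devices):
        dev.handle_request("203.0.113.7", 80, 1000.0 + t)     # the spec's port-scan case
    devices[0].handle_request("198.51.100.9", 8080, 1010.0)   # single mistaken request
    hostile = server.analyze()
    for dev in devices:
        dev.poll_rules()
    # dev3 never saw the benign host yet blocks the scanner that probed its peers.
    return (hostile,
            devices[3].handle_request("203.0.113.7", 443, 1020.0),
            devices[3].handle_request("198.51.100.9", 443, 1021.0))
```

The benign host's single wrong-port request stays below every threshold, so only the scanning host is promoted to the hostile list and the rule version advances once.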

By the use of the above-described system and method, attempted intrusions on a small number of devices in a particular network can be used to preempt intrusions directed to other devices in the network. In one embodiment, each device may specify the level of its own participation in the dynamic rules. In addition, the invention may provide a network security system that allows a number of network devices to dynamically update a security list, allowing each device to readily adapt itself to rapidly changing environments.

The terms a or an, as used herein, are defined as one or more than one. The term plurality, as used herein, is defined as two or more than two. The term another, as used herein, is defined as at least a second or more. The terms including and/or having, as used herein, are defined as comprising (i.e., open language). The term coupled, as used herein, is defined as connected, although not necessarily directly, and not necessarily mechanically. The term means, as used herein, is defined as hardware, firmware and/or software for achieving a result. The term program or software, as used herein, is defined as a sequence of instructions designed for execution on a computer system. A program, or computer program, may include a subroutine, a function, a procedure, an object method, an object implementation, an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a computer system.

The appended claims are not to be interpreted as including means-plus-function limitations, unless such a limitation is explicitly recited in a given claim using the phrase(s) "means for" and/or "step for." Subgeneric embodiments of the invention are delineated by the appended independent claims and their equivalents.

Specific embodiments of the invention are differentiated by the appended dependent claims and their equivalents.