Patents by Inventor Hsing-Kuo Wong

Hsing-Kuo Wong has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20090144821
    Abstract: An auxiliary method for investigating lurking program incidents is disclosed. The method is to keep monitoring a plurality of processes run by a computer system and save process-invoking relationship data of each process being monitored when the process is created and terminated. Simultaneously, a system registry database of the computer system is also monitored and autostart-registered data of the programs is saved. The process-invoking relationship data is then correlated with the autostart-registered data to generate and save a process-invoking relationship log, so as to extract and save high-level crucial clues of suspicious lurking programs. With the present method, only a small amount of high-level crucial clues and process-invoking relationship log is collected and few system resources are consumed in providing clear evidence that is helpful to the investigation of lurking program incidents. Thus the cost in time and labor of collecting and analyzing a large amount of low-level logs is saved.
    Type: Application
    Filed: November 30, 2007
    Publication date: June 4, 2009
    Applicant: CHUNG SHAN INSTITUTE OF SCIENCE AND TECHNOLOGY, ARMAMENTS BUREAU, M.N.D.
    Inventors: HSING-KUO WONG, YI-BIN LU
  • Patent number: 7490355
    Abstract: A method of detecting network worms includes the following steps: (1) Profiling the TCP connection information collected from the protected network, quantifying the plurality of statuses contained in the TCP connection information; (2) Clustering the connection profiles to discover all the anomaly clusters that are specified by the condition composed of several adaptive thresholds; (3) Correlating the anomaly clusters to result in a new cluster graph or to extend an existing cluster graph; (4) Issuing a security incident about the worm propagation according to the propagation condition, which is also composed of several adaptive thresholds; and (5) Keeping and maintaining the status of the cluster graphs.
    Type: Grant
    Filed: June 16, 2005
    Date of Patent: February 10, 2009
    Assignee: Chung Shan Institute of Science and Technology
    Inventor: Hsing-Kuo Wong
  • Publication number: 20070136813
    Abstract: The method for eliminating invalid intrusion alerts operates according to a set of filter rules that are generated from given firewall rules. When a filter that implements this method receives an intrusion alert, it directly matches the features of the alert against its own rules, and then decides the validity of the alert. By coupling with the method, various filter-rule sets can be generated for numerous firewalls that may not be on the same specification, and an on-line deployment method can be applied to deploy filter-rule sets for filters. By applying the invention, it is possible to eliminate invalid intrusion alerts precisely and efficiently, and to deploy quickly and with less manpower.
    Type: Application
    Filed: December 8, 2005
    Publication date: June 14, 2007
    Inventor: Hsing-Kuo Wong
  • Publication number: 20070008098
    Abstract: A method and architecture for on-line classification-based intrusion alert correlation are provided. This method applies a layered architecture to split and correlate alerts. An alert-splitting technique is used to separate mostly general alerts from more valuable or complicated alerts. Only the more important alerts are selected to correlate with known attack scenarios to discover important attack information. Therefore, the disadvantages of the prior art, in which correlation is shielded and computation resources are over-consumed, are solved.
    Type: Application
    Filed: July 8, 2005
    Publication date: January 11, 2007
    Inventor: Hsing-Kuo Wong
  • Publication number: 20060288415
    Abstract: A method of detecting network worms includes the following steps: (1) Profiling the TCP connection information collected from the protected network, quantifying the plurality of statuses contained in the TCP connection information; (2) Clustering the connection profiles to discover all the anomaly clusters that are specified by the condition composed of several adaptive thresholds; (3) Correlating the anomaly clusters to result in a new cluster graph or to extend an existing cluster graph; (4) Issuing a security incident about the worm propagation according to the propagation condition, which is also composed of several adaptive thresholds; and (5) Keeping and maintaining the status of the cluster graphs.
    Type: Application
    Filed: June 16, 2005
    Publication date: December 21, 2006
    Inventor: Hsing-Kuo Wong