Abstract: Disclosed herein is an anomaly detection method for a packet-based network which includes several network resources, also called network-related software objects. The method includes monitoring the network resources of the packet-based network, ordering the monitored network resources according to a given ordering criterion, and detecting an anomaly in the packet-based network based on the ordered network resources. In particular, detecting an anomaly includes forming a detection feature vector based on the ordered network resources, and feeding the detection feature vector to a machine learning system configured to detect an anomaly in the packet-based network based on the detection feature vector. The detection feature vector includes detection feature items related to corresponding monitored network resources, and arranged in the detection feature vector depending on the ordering of the corresponding monitored network resources.

Abstract: A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message.

Abstract: Disclosed herein is an anomaly detection method for a packet-based network which includes several network resources, also called network-related software objects. The method includes monitoring the network resources of the packet-based network, ordering the monitored network resources according to a given ordering criterion, and detecting an anomaly in the packet-based network based on the ordered network resources. In particular, detecting an anomaly includes forming a detection feature vector based on the ordered network resources, and feeding the detection feature vector to a machine learning system configured to detect an anomaly in the packet-based network based on the detection feature vector. The detection feature vector includes detection feature items related to corresponding monitored network resources, and arranged in the detection feature vector depending on the ordering of the corresponding monitored network resources.

Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.

Abstract: A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching attack signatures into data packets, and with a response analysis engine for detecting response signatures into data packets sent back from an attacked network/computer. When a suspect signature has been detected into a packet, the system enters an alarm status starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets produces as well a positive result. Such intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.

Abstract: Packet flows are processed, e.g. to perform an intrusion detection function in a communication network, by means of a multiprocessor system including a plurality of processing units. The packets are distributed for processing among the processing units via a distribution function. Such a distribution function is selectively allotted to one of the processing units of the plurality. A preferred embodiment of the arrangement involves using a single Symmetric Multi-Processor machine with a single network port to Gigabit/sec link. The corresponding system architecture does not require any intermediate device, or any external load balancing mechanism. All the processing work is performed on a single system, which is able to dynamically balance the traffic load among the several independent CPUs. By resorting to a specific scheduling arrangement, such a system is able to effectively distribute the computations required to perform both the loadbalancing and the detection operations.

Abstract: A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the- device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message.

Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.

Abstract: Apparatus for monitoring operation of a processing system includes a set of modules for monitoring operation of a set of system primitives that allocate or release the system resources and are used by different processes running on the system. Preferably, the modules include at least one application knowledge module tracking the processes running on the system and monitoring the resources used thereby, a network knowledge module monitoring connections by the processes running on the system, a file-system analysis module monitoring the file-related operations performed within the system, and a device monitoring module monitoring operation of commonly used modules with the system. A preferred field of application is in host-based intrusion detection systems.

Abstract: A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching attack signatures into data packets, and with a response analysis engine for detecting response signatures into data packets sent back from an attacked network/computer. When a suspect signature has been detected into a packet, the system enters an alarm status starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets produces as well a positive result. Such intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.