INTELLIGENT INTRUSION DETECTION UTILIZING CONTEXT-BASED GRAPH-MATCHING OF NETWORK ACTIVITY

Abstract

A method, system, and computer program product for utilizing a mapping of activity occurring at and between devices (132-138) on a computer network to detect and prevent network intrusions. An enhanced graph matching intrusion detection system (eGMIDS) 100 (including an eGMIDS utility 235) is provided that comprises data collection functions, data fusion techniques, graph matching algorithms, and secondary and other search mechanisms. Threats are modeled as a set of entities and interrelations between the entities and sample threat patterns are stored within a database. The eGMIDS utility 235 initiates a graph matching algorithm by which the threat patterns are compared within the generated activity graph via subgraph isomorphism. A multi-layered approach including a targeted secondary layer search following a match during a primary layer search is provided. Searches are tempered by attributes and constraints and the eGMIDS reduces the number of threat patterns searched by utilizing ontological generalization.
