(12) United States Patent ao) Patent No.: us 6,789,202 Bi
Ko et al. (45) Date of Patent: Sep. 7,2004
One embodiment of the present invention provides a providing policy-driven intrusion detection system for a networked computer system. This system operates by receiving a global policy for intrusion detection for the networked computer system. This global policy specifies rules in the form of a global security condition for the networked computer system and a global response to be performed in response to the global security condition. The system compiles the global policy into local policies for local regions of the networked computer system. Each local policy specifies at least one rule in the form of a local security condition for an associated local region of the networked computer system and a local response to be performed in response to the local security condition. The system communicates the local policies to local analyzers that control security for the local regions. A local analyzer compiles a local policy into specifiers for local sensors in a local region associated with the local analyzer. These specifiers are communicated to the local computer systems in the local region. This allows local computer systems to implement the local sensors.
4 Claims, 3 Drawing Sheets