Graham et al.

(10) Patent No.: US 7,237,264 B1
(45) Date of Patent: Jun. 26, 2007

US007237264B1

(54) SYSTEM AND METHOD FOR PREVENTING NETWORK MISUSE

(75) Inventors: Robert David Graham, Menlo Park, CA (US); Peter Kavaler, Castro Valley,

(73) Assignee: Internet Security Systems, Inc., Atlanta, GA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 674 days.

(21) Appl. No.: 09/874,574

(22) Filed: Jun. 4, 2001

(51) Int. Cl.: H04L 29/00 (2006.01)
(52) U.S. Cl.: 726/23; 726/25
(58) Field of Classification Search: 709/225, 709/223; 713/201, 200; 726/25, 23
See application file for complete search history.

Primary Examiner: Kambiz Zand
Assistant Examiner: Andrew L. Nalven
(74) Attorney, Agent, or Firm: King & Spalding LLP

(57) ABSTRACT

A system and method for preventing misuse conditions on a data network are described. Embodiments of the system and method evaluate potential network misuse signatures by analyzing variables such as the state of the network and/or target, the context in which the potential misuse signatures are detected, the response/reaction of the target and/or the fingerprint of the target. These and other variables may be factored into the misuse determination, either alone, or in combination.

52 Claims, 12 Drawing Sheets

[Figure: flowchart. Start (200); detect data signature (205); evaluate context of data signature; target fingerprinted? (215); determine target's fingerprint (220); correlate data signature with fingerprint (225); target vulnerable?; log data signature; generate/modify alert level and/or take precautionary action (235).]

Ex. 1007
CISCO SYSTEMS, INC. / Page 1 of 31