Title of invention: INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS
Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
Application publication number: US2016344768(A1) Publication date: 2016.11.24
Application number: US201514717127 Filing date: 2015.05.20
Applicant: Cisco Technology, Inc. Inventors: MCGREW DAVID;RIGOUDY TITOUAN
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A data processing method comprising: a central computer receiving telemetry data from a plurality of intrusion sensors; the central computer storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer; the central computer receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer; the central computer determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and the central computer generating an intrusion alert when no matching record is found.
Address: San Jose CA US
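
The matching step described in the abstract and claim 1, as an added example that is not taken from the patent or from any Cisco implementation. The class and field names, the SHA-256 thumbprint, the lower-casing of identifiers and the `reason` / `thumbprint_seen_on` triage fields are assumptions, and the certificates are constructed byte strings standing in for DER-encoded certificates.

```python
import hashlib
from collections import defaultdict

def thumbprint(cert_der: bytes) -> str:
    """Thumbprint as the SHA-256 digest of the certificate bytes (assumed hash)."""
    return hashlib.sha256(cert_der).hexdigest()

class HostsDatabase:
    """Central store of (host identifier, thumbprint) authentication records."""
    def __init__(self):
        self._records = defaultdict(set)  # host_id -> thumbprints seen in telemetry

    def store(self, host_id: str, tp: str) -> None:
        # Normalise so that case differences never cause a false alert.
        self._records[host_id.lower()].add(tp.lower())

    def check(self, suspect: dict):
        """Return None when a matching record exists, otherwise an alert dict."""
        host, tp = suspect["host_id"].lower(), suspect["thumbprint"].lower()
        if tp in self._records.get(host, ()):
            return None
        # Triage context (assumption, beyond the claim): why nothing matched and
        # which known hosts legitimately present this certificate.
        reason = "thumbprint_mismatch" if host in self._records else "unknown_host"
        seen_on = sorted(h for h, tps in self._records.items() if tp in tps)
        return {"sensor": suspect["sensor"], "host_id": host, "thumbprint": tp,
                "reason": reason, "thumbprint_seen_on": seen_on}

# Constructed sample data: placeholder bytes, not real certificates.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
TELEMETRY = [("mail.example.test", CERT_A), ("db.example.test", CERT_B)]
SUSPECTS = [
    {"sensor": "sensor-1", "host_id": "mail.example.test", "thumbprint": thumbprint(CERT_A)},
    {"sensor": "sensor-2", "host_id": "MAIL.example.test", "thumbprint": thumbprint(CERT_B)},
    {"sensor": "sensor-2", "host_id": "new.example.test", "thumbprint": thumbprint(CERT_A)},
]

def run_demo():
    """Load telemetry into the hosts database, then check each suspect record."""
    db = HostsDatabase()
    for host_id, cert in TELEMETRY:
        db.store(host_id, thumbprint(cert))
    return [db.check(s) for s in SUSPECTS]

if __name__ == "__main__":
    for suspect, alert in zip(SUSPECTS, run_demo()):
        print(suspect["host_id"], "->", alert or "match, no alert")
```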