Utilizing endpoint asset awareness for network intrusion detection
First Claim
1. A method comprising:
determining, by a prioritizing scan, a destination identifier from a network payload;
performing, by the prioritizing scan, a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
determining, by a processing device executing an intrusion device, a sensitivity level of the destination endpoint that was determined based on the hash value, wherein the sensitivity level is based at least in part on a content of data stored at the destination endpoint;
identifying one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels; and
determining, by the intrusion device, whether network data comprises an intrusion in view of the subset of signatures, wherein determining whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint, and applying the prioritization action to the network data.
Assignments: 2
Petitions: 0
Abstract
An intrusion device identifies network data to be sent to a destination endpoint and determines a sensitivity level of the destination endpoint based on asset valuation. The intrusion device identifies a subset of signatures that corresponds to the sensitivity level of the destination endpoint and determines whether the network data includes an intrusion based on the subset of signatures.
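The pipeline the abstract and claim 1 describe, as an added example in Python that is not the patent's own code: the destination identifier is hashed with a function named in stored configuration, the digest is the key into the destination mapping data, the endpoint's sensitivity level selects a rule that names a distinct and growing signature subset plus a prioritization action, and traffic is scanned in sensitivity order with a per-level inspection threshold. The asset inventory, the signature patterns, the rule table, the byte-count thresholds, the fail-closed default for unmapped destinations and the sample packets are all constructed for illustration and are assumptions, not values from the patent.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed configuration: the hash that keys the destination map is named in
# config so the map can be rebuilt if the function changes. An unmapped
# destination is assumed to be the most sensitive level (fail closed).
CONFIG = {"hash_function": "sha256", "default_sensitivity": 3}


@dataclass(frozen=True)
class Signature:
    sid: str
    pattern: re.Pattern


# Constructed signature catalogue; the patterns are illustrative, not real rules.
CATALOGUE = {
    "NOP-SLED":     Signature("NOP-SLED", re.compile(rb"\x90{8,}")),
    "CMD-INJ":      Signature("CMD-INJ", re.compile(rb";\s*(cat|sh|bash)\b", re.I)),
    "SQLI-UNION":   Signature("SQLI-UNION", re.compile(rb"union\s+select", re.I)),
    "SQLI-COMMENT": Signature("SQLI-COMMENT", re.compile(rb"'\s*(--|#|/\*)")),
    "PG-COPY":      Signature("PG-COPY", re.compile(rb"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I)),
    "DUMP-TABLE":   Signature("DUMP-TABLE", re.compile(rb"pg_dump|information_schema", re.I)),
}

# Constructed rules keyed by sensitivity level. Each rule states how many
# signatures its subset holds, which ones, the prioritization action, and a
# scan-depth threshold (bytes of payload inspected) for that level.
RULES = {
    1: {"count": 2, "signatures": ["NOP-SLED", "CMD-INJ"],
        "action": "log", "scan_bytes": 256},
    2: {"count": 4, "signatures": ["NOP-SLED", "CMD-INJ", "SQLI-UNION", "SQLI-COMMENT"],
        "action": "alert", "scan_bytes": 1024},
    3: {"count": 6, "signatures": list(CATALOGUE),
        "action": "block", "scan_bytes": 65535},
}

# Constructed asset inventory; in practice this comes from a CMDB or asset
# valuation feed. Sensitivity reflects what is stored on the endpoint.
ENDPOINTS = {
    "10.0.0.5:5432": {"name": "payroll-db", "sensitivity": 3},
    "10.0.0.7:443":  {"name": "intranet-wiki", "sensitivity": 2},
    "10.0.0.9:80":   {"name": "lobby-kiosk", "sensitivity": 1},
}


def destination_key(dest_id: str) -> str:
    """Hash the destination identifier with the configured function; the digest
    is the lookup key into the destination mapping data."""
    h = hashlib.new(CONFIG["hash_function"])
    h.update(dest_id.encode("ascii"))
    return h.hexdigest()


DESTINATION_MAP = {destination_key(k): v for k, v in ENDPOINTS.items()}


def resolve_endpoint(dest_id: str) -> dict:
    """Query the mapping data with the hashed identifier; unknown assets get
    the default (highest) sensitivity rather than being quietly under-scanned."""
    fallback = {"name": "unknown", "sensitivity": CONFIG["default_sensitivity"]}
    return DESTINATION_MAP.get(destination_key(dest_id), fallback)


def validate_rules() -> bool:
    """Check what the claims require of the rule table: declared counts match
    the lists, counts grow with sensitivity, and no two levels share a subset."""
    levels = sorted(RULES)
    if any(RULES[l]["count"] != len(RULES[l]["signatures"]) for l in levels):
        return False
    counts = [RULES[l]["count"] for l in levels]
    subsets = {frozenset(RULES[l]["signatures"]) for l in levels}
    return counts == sorted(set(counts)) and len(subsets) == len(levels)


def signature_subset(level: int) -> list[Signature]:
    """The signatures the rule for this sensitivity level selects."""
    return [CATALOGUE[sid] for sid in RULES[level]["signatures"]]


def scan(packet: dict) -> dict:
    """Inspect one packet against the subset chosen for its destination and
    apply the level's prioritization action if any signature fires."""
    endpoint = resolve_endpoint(packet["dst"])
    level = endpoint["sensitivity"]
    rule = RULES[level]
    window = packet["payload"][: rule["scan_bytes"]]
    hits = [s.sid for s in signature_subset(level) if s.pattern.search(window)]
    return {"dst": packet["dst"], "endpoint": endpoint["name"], "sensitivity": level,
            "matches": hits, "action": rule["action"] if hits else "pass"}


def prioritized_scan(packets: list[dict]) -> list[dict]:
    """Drain the queue most-sensitive destination first, so under load the
    high-value assets are inspected before the low-value ones."""
    ordered = sorted(packets, key=lambda p: resolve_endpoint(p["dst"])["sensitivity"],
                     reverse=True)
    return [scan(p) for p in ordered]


# Constructed sample traffic: (destination, payload bytes).
SAMPLE_PACKETS = [
    {"dst": "10.0.0.9:80",   "payload": b"GET /?q=1' UNION SELECT 1,2 -- HTTP/1.1"},
    {"dst": "10.0.0.5:5432", "payload": b"SELECT 1 UNION SELECT usename, passwd FROM pg_shadow"},
    {"dst": "10.0.0.7:443",  "payload": b"GET /wiki/Home HTTP/1.1"},
    {"dst": "10.0.0.42:22",  "payload": b"\x90" * 16 + b"\xcc"},
]

if __name__ == "__main__":
    for r in prioritized_scan(SAMPLE_PACKETS):
        print(r)
```

Two things worth noticing when running it. The same UNION SELECT payload fires against the payroll database but passes to the kiosk, which is the point of the technique and also its cost: an attacker who can reach a low-sensitivity host gets a thinner signature set there, so the inventory feeding the sensitivity levels has to be trustworthy and complete, which is why the example treats an unmapped destination as the most sensitive rather than the least. The scheme also keys only on the destination, so it says nothing about outbound traffic from a sensitive host; exfiltration detection would need the mirror-image lookup on the source identifier.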
Citations: 54
Claims (17 in total; the independent claims 1, 5 and 9 are shown)
1. (Independent claim; reproduced in full above under First Claim.)
Dependent claims: 2, 3, 4, 12, 13, 14, 15, 16
5. An apparatus comprising:
a memory; and
a processing device comprising circuitry configured to:
determine a destination identifier from a network payload;
perform a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
determine a sensitivity level of the destination endpoint that was determined based on the hash value, wherein the sensitivity level is based at least in part on confidentiality of content of data stored at the destination endpoint;
identify one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels;
determine whether the network data comprises an intrusion in view of the subset of signatures, wherein to determine whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint.
Dependent claims: 6, 7, 8, 17
9. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to:
determine a destination identifier from a network payload;
perform a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
determine a sensitivity level of the destination endpoint that was determined based on the hash value, of the destination endpoint in view of the destination identifier, wherein the sensitivity level is based at least in part on confidentiality of content of data stored at the destination endpoint;
identify one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels;
determine whether the network data comprises an intrusion in view of the subset of signatures, wherein to determine whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint.
Dependent claims: 10, 11
Specification