Utilizing endpoint asset awareness for network intrusion detection

US 10,171,483 B1
Filed: 08/23/2013
Issued: 01/01/2019
Est. Priority Date: 08/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a prioritizing scan, a destination identifier from a network payload;

performing, by the prioritizing scan, a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;

determining, by a processing device executing an intrusion device, a sensitivity level of the destination endpoint that was determined based on the hash value, wherein the sensitivity level is based at least in part on a content of data stored at the destination endpoint;

identifying one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;

wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels; and

determining, by the intrusion device, whether network data comprises an intrusion in view of the subset of signatures, wherein determining whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint, and applying the prioritization action to the network data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion device identifies network data to be sent to a destination endpoint and determines a sensitivity level of the destination endpoint based on asset valuation. The intrusion device identifies a subset of signatures that corresponds to the sensitivity level of the destination endpoint and determines whether the network data includes an intrusion based on the subset of signatures.

54 Citations

View as Search Results

17 Claims

1. A method comprising:
- determining, by a prioritizing scan, a destination identifier from a network payload;
  
  performing, by the prioritizing scan, a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
  
  determining, by a processing device executing an intrusion device, a sensitivity level of the destination endpoint that was determined based on the hash value, wherein the sensitivity level is based at least in part on a content of data stored at the destination endpoint;
  
  identifying one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
  
  wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels; and
  
  determining, by the intrusion device, whether network data comprises an intrusion in view of the subset of signatures, wherein determining whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint, and applying the prioritization action to the network data.
- View Dependent Claims (2, 3, 4, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein identifying the subset of signatures specific to the confidentiality of the sensitive content data stored at the destination endpoint comprises:
    - identifying individual signatures of the plurality of signatures in view of one or more policies,wherein the one or more policies define the individual signatures that correspond to the confidentiality of the sensitive content data stored at the destination endpoint in view of user input.
  - 3. The method of claim 1, wherein identifying the number of signatures that is proportional to the confidentiality of the sensitive content data stored at the destination endpoint comprises:
    - identifying a greater number of signatures for data that corresponds to a high level of sensitivity than a number of signatures for data that corresponds to a low level of sensitivity.
  - 4. The method of claim 1, wherein the confidentiality of the sensitive content data stored at the destination endpoint is in view of at least one of user input or user activity data.
  - 12. The method of claim 1, wherein prioritizing scanning of the network data comprises accessing rules which associate sensitivity levels with priorities for evaluating data.
  - 13. The method of claim 12, wherein said priorities for evaluating data includean indication that processing of data corresponding to a sensitivity level of highly-sensitive should be processed with a high priority;
    - andan indication that processing of data corresponding to a sensitivity level of non-sensitive should be processed with a low priority.
  - 14. The method of claim 12, wherein scheduling of processing of data which is to processed with a high priority is added to a top of a queue;
    - andwherein scheduling of processing of data which is to processed with a low priority is added to a bottom of the queue.
  - 15. The method of claim 1, wherein determining the sensitivity level of the destination endpoint comprises accessing endpoint classification data that associates destination endpoints with a sensitivity level;
    - andwherein identifying the subset of a plurality of signatures comprises using the determined sensitivity level to access rules which associate sensitivity levels with signatures.
  - 16. The method of claim 1, wherein the prioritization action comprises:
    - when the sensitivity level of the destination endpoint is a low level of sensitivity, evaluation of the network data is marked as low priority; and
      
      when the sensitivity level of the destination endpoint is a high level of sensitivity, the evaluation of the network data is marked as high priority.

5. An apparatus comprising:
- a memory; and
  
  a processing device comprising circuitry configured to;
  
  determine a destination identifier from a network payload;
  
  perform a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
  
  determine a sensitivity level of the destination endpoint that was determined based on the hash value, wherein the sensitivity level is based at least in part on confidentiality of content of data stored at the destination endpoint;
  
  identify one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
  
  wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprisesa number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels;
  
  determine whether the network data comprises an intrusion in view of the subset of signatures, wherein to determine whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint.
- View Dependent Claims (6, 7, 8, 17)
- - 6. The apparatus of claim 5, wherein to identify the subset of signatures specific to the confidentiality of the sensitive content data stored at the destination endpoint comprises the processing device to:
    - identify individual signatures of the plurality of signatures in view of one or more policies, wherein the one or more policies define the individual signatures that correspond to the confidentiality of the sensitive content data stored at the destination endpoint in view of user input.
  - 7. The apparatus of claim 5, wherein to identify the number of signatures that is proportional to the confidentiality of the sensitive content data stored at the destination endpoint the processing device is configured to:
    - identify a greater number of signatures for data that corresponds to a high level of sensitivity than a number of signatures for data that corresponds to a low level of sensitivity.
  - 8. The apparatus of claim 5, wherein the confidentiality of the sensitive content data stored at the destination endpoint is in view of at least one of user input or user activity data.
  - 17. The apparatus as recited in claim 5, wherein:
    - when the sensitivity level of the destination endpoint is a low level of sensitivity, evaluation of the network data is marked as low priority; and
      
      when the sensitivity level of the destination endpoint is a high level of sensitivity, the evaluation of the network data is marked as high priority.

9. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to:
- determine a destination identifier from a network payload;
  
  perform a hash function on the destination identifier to compute a hash value, wherein a destination endpoint is determined by using the hash value as a key to query destination mapping data and wherein the hash function is defined in stored configuration data;
  
  determine a sensitivity level of the destination endpoint that was determined based on the hash value, of the destination endpoint in view of the destination identifier, wherein the sensitivity level is based at least in part on confidentiality of content of data stored at the destination endpoint;
  
  identify one or more rules that correspond to sensitive content data stored at the destination endpoint, wherein the one or more rules describe a number of signatures in a subset of the plurality of signatures and specify individual signatures from the plurality of signatures to be included in the subset of the plurality of signatures and a prioritization action;
  
  wherein the subset of signatures specific to the sensitive content data stored at the destination endpoint comprises a number of signatures that is proportional to a sensitivity level of content data stored at the destination endpoint, and wherein first content of the specific subset of the plurality of signatures is distinct from second content of other subsets of the plurality of signatures that correspond to other sensitivity levels;
  
  determine whether the network data comprises an intrusion in view of the subset of signatures, wherein to determine whether the network data comprises an intrusion comprises prioritizing scanning of the network data in view of one or more thresholds for various sensitivity levels of the destination endpoint.
- View Dependent Claims (10, 11)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein identifying the subset of signatures specific to the confidentiality of the sensitive content data stored at the destination endpoint, the processing device to:
    - identify individual signatures of the plurality of signatures in view of one or more policies, wherein the one or more policies define the individual signatures that correspond to the confidentiality of the sensitive content data stored at the destination endpoint in view of user input.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein the number of signatures that is proportional to the confidentiality of the sensitive content data stored at the destination endpoint comprises:
    - a number of signatures that corresponds to a high level of sensitivity that is greater than a number of signatures that corresponds to a low level of sensitivity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Cribbs, Malcolm
Assistant Examiner(s)
Wright, Bryan

Application Number

US13/974,440
Time in Patent Office

1,957 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1416 Event detection, e.g. attac...

Utilizing endpoint asset awareness for network intrusion detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Utilizing endpoint asset awareness for network intrusion detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links