Smart intrusion prevention policy
First Claim
1. A method for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the method comprising:
determining, by one or more computer processors, whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
responsive to determining that the new connection is detected, adding, by one or more computer processors, a connection context associated with the new connection to a current connection context in a dynamic event table, wherein:
the connection context is based on one or more of: an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and
the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity and is associated with a respective data packet, and wherein each event in the listing of two or more events is retrieved from a repository;
calculating, by one or more computer processors, a score for each event of two or more events in the dynamic event table based on the current connection context;
generating, by one or more computer processors, an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
performing, by one or more computer processors, a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event.
Abstract
A data packet is received. The data packet is a unit of data transmitted across a packet-switched network. A determination is made whether a new connection is detected. The data packet is transmitted using the new connection. In response to determining that a new connection is detected, a connection context for the new connection is added to a current connection context in a dynamic event table. The dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of one or more events. Each event of the one or more events is a malicious activity and is retrieved from a repository. A score for each event is calculated based on the current connection context. Each event in the dynamic event table is prioritized based on the calculated score for each event. The event with the highest score receives the highest priority.
14 Claims
1. Independent claim 1 is reproduced in full under First Claim above. (Dependent claims: 2, 3, 4, 5)
6. A computer program product for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the computer program product comprising:
one or more computer readable storage media; and
program instructions stored on the one or more computer readable storage media, the program instructions comprising:
program instructions to determine whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
responsive to determining that the new connection is detected, program instructions to add a connection context associated with the new connection to a current connection context in a dynamic event table, wherein:
the connection context is based on one or more of: an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and
the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity, and wherein each event in the listing of two or more events is retrieved from a repository;
program instructions to calculate a score for each event of two or more events in the dynamic event table based on the current connection context;
program instructions to generate an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
program instructions to perform a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event.
(Dependent claims: 7, 8, 9, 10)
11. A computer system for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the computer system comprising:
one or more computer hardware processors;
one or more computer readable storage media; and
program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more computer hardware processors, the program instructions comprising:
program instructions to determine whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
responsive to determining that the new connection is detected, program instructions to add a connection context associated with the new connection to a current connection context in a dynamic event table, wherein:
the connection context is based on one or more of: an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and
the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity, and wherein each event in the listing of two or more events is retrieved from a repository;
program instructions to calculate a score for each event of two or more events in the dynamic event table based on the current connection context;
program instructions to generate an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
program instructions to perform a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event.
(Dependent claims: 12, 13, 14)
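The abstract and the three independent claims describe one flow: on a new connection, build a connection context (OS type, OS version, sending application), keep it in a dynamic event table beside the previous contexts and the events pulled from a repository, score every event against the current context, order the events by score, run signature checks only for events at or above a threshold and in that order, and drop the packet on the first match. The following is an added example of that flow in Python; it is not code from the patent, its assignee, or any product. The event repository, the byte signatures, the scoring weights (3 for OS type, 2 for version, 2 for application), the threshold of 4 and the packet payloads are all constructed for the example and are assumptions, as is every class and function name.

```python
"""Context-scored signature matching in the spirit of the claims above.

Added illustration, not code from the patent or its assignee. The event
repository, scoring weights, threshold and payloads are constructed
assumptions, as is every name used here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ConnectionContext:
    """The claims' connection context: OS type, OS version, sending app."""
    os_type: str
    os_version: str
    application: str


@dataclass
class Event:
    """One malicious activity from the repository: the contexts it targets
    and the byte pattern that serves as its signature."""
    name: str
    target_os: Set[str]        # OS types the attack applies to
    target_versions: Set[str]  # OS versions; empty set means any version
    target_apps: Set[str]      # sending applications the attack applies to
    signature: re.Pattern


@dataclass
class DynamicEventTable:
    """Current context, previous contexts and the event listing."""
    events: List[Event]
    current: Optional[ConnectionContext] = None
    previous: List[ConnectionContext] = field(default_factory=list)

    def add_connection(self, ctx: ConnectionContext) -> None:
        # A new connection replaces the current context; the old one is
        # retained as a previous context rather than discarded.
        if self.current is not None:
            self.previous.append(self.current)
        self.current = ctx


def score_event(event: Event, ctx: ConnectionContext) -> int:
    """Score an event against the current context (weights are assumptions;
    the claim only says the score is based on the context)."""
    score = 0
    if ctx.os_type in event.target_os:
        score += 3
    if not event.target_versions or ctx.os_version in event.target_versions:
        score += 2
    if ctx.application in event.target_apps:
        score += 2
    return score


def prioritize(table: DynamicEventTable) -> List[Tuple[int, Event]]:
    """Order events by score, highest first. sorted() is stable, so events
    with equal scores keep their repository order."""
    scored = [(score_event(e, table.current), e) for e in table.events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def inspect_packet(table: DynamicEventTable, payload: bytes,
                   threshold: int) -> Tuple[str, Optional[str], int]:
    """Signature-check events in priority order, only those at or above the
    threshold. Returns (verdict, matched event name, checks run); the check
    count is what the prioritization is meant to keep small."""
    checks = 0
    for score, event in prioritize(table):
        if score < threshold:
            break  # list is sorted, so nothing further can qualify
        checks += 1
        if event.signature.search(payload):
            return "DROP", event.name, checks
    return "ALLOW", None, checks


def build_repository() -> List[Event]:
    """Constructed sample repository (assumption, not real IPS content)."""
    return [
        Event("windows_smb_overflow", {"Windows"}, {"7", "10"}, {"smb"},
              re.compile(rb"\xffSMB")),
        Event("linux_bash_cgi", {"Linux"}, set(), {"httpd"},
              re.compile(rb"\(\)\s*\{\s*:;\s*\};")),
        Event("http_sqli", {"Linux", "Windows"}, set(), {"httpd"},
              re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
        Event("macos_mdns_probe", {"macOS"}, set(), {"mDNSResponder"},
              re.compile(rb"\x00\x00\x84\x00")),
    ]


def handle_new_connection(os_type: str, os_version: str, application: str,
                          payload: bytes, threshold: int = 4):
    """The claimed flow for one new connection and its first packet."""
    table = DynamicEventTable(events=build_repository())
    table.add_connection(ConnectionContext(os_type, os_version, application))
    return inspect_packet(table, payload, threshold)


if __name__ == "__main__":
    # Constructed payloads: a Shellshock-style CGI request, then a benign one.
    print(handle_new_connection("Linux", "5.15", "httpd",
          b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :; }; /bin/id\r\n"))
    print(handle_new_connection("Linux", "5.15", "httpd",
          b"GET /index.html HTTP/1.1\r\n"))
```

For a Linux/httpd context the Windows SMB and macOS events score below the threshold and are never pattern-matched, so a benign request costs two checks instead of four; for a Windows/smb context the order flips and the SMB event is checked first. The caveat a practitioner should keep in view is that the threshold trades coverage for speed: an event whose targeted context does not match the fingerprinted one is skipped entirely, so whatever supplies the OS type, OS version and application (passive fingerprinting, an agent, a CMDB) becomes part of the trust boundary, and a host that is misidentified, or an attacker who can influence that identification, can push the relevant signature below the threshold.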
Specification