Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
Abstract
An intrusion detection system is improved by altering its signatures and thresholds during a denial of service attack, in order to decrease the rate at which an intrusion detection sensor sends alerts to an intrusion detection server. A governor within the sensor is associated with each signature. The governor may include an alert log, a timer, an alert-generation-rate threshold, and rules that prescribe actions to be taken when the alert-generation-rate threshold is exceeded. The governor records the generation time of each alert by the sensor, and determines the rate at which the sensor is presently generating alerts. When the present alert-generation rate exceeds the alert-generation-rate threshold, the governor alters the associated signature threshold to decrease the alert generation rate of the intrusion detection sensor.
12 Claims
1. A method of operating an intrusion detection system, the method comprising the steps of:
determining a present alert generation rate of an intrusion detection system;
comparing the present alert generation rate with an alert generation rate threshold; and
altering an element of a signature set of the intrusion detection system responsive to an outcome of the step of comparing.

2. A method of operating an intrusion detection sensor, the method comprising the steps of:
determining a present alert generation rate of an intrusion detection sensor;
comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of the intrusion detection sensor to decrease an alert generation rate of the intrusion detection sensor.

5. A method of operating an intrusion detection system, comprising the steps of:
monitoring for occurrence of a signature event; and
when a signature event occurs, increasing a value of a signature event counter and comparing the value of the signature event counter with a signature threshold quantity; and
when the value of the signature event counter exceeds the signature threshold quantity, generating an alert, recording a time of generating the alert in a log, determining from contents of the log a present alert generation rate, and comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of an intrusion detection system to decrease an alert generation rate of an intrusion detection sensor.

8. Programmable media containing programmable software for operation of an intrusion detection system, programmable software comprising the steps of:
determining a present alert generation rate of an intrusion detection system;
comparing the present alert generation rate with an alert generation rate threshold; and
altering an element of a signature set of the intrusion detection system responsive to an outcome of the step of comparing.

9. Programmable media containing programmable software for operation of an intrusion detection sensor, programmable software comprising the steps of:
determining a present alert generation rate of an intrusion detection sensor;
comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of the intrusion detection sensor to decrease an alert generation rate of the intrusion detection sensor.

10. Programmable media containing programmable software for operation of an intrusion detection system, programmable software comprising the steps of:
monitoring for occurrence of a signature event; and
when a signature event occurs, increasing a value of a signature event counter and comparing the value of the signature event counter with a signature threshold quantity; and
when the value of the signature event counter exceeds the signature threshold quantity, generating an alert, recording a time of generating the alert in a log, determining from contents of the log a present alert generation rate, and comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of an intrusion detection system to decrease an alert generation rate of an intrusion detection server.
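
A sketch of the per-signature governor described in the abstract and in the steps of claims 5 and 10, added here as an illustration and not taken from the patent. The class and parameter names, the sliding-window rate calculation, the doubling rule and the counter reset after each alert are assumptions, and the event stream is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Governor:
    rate_threshold: float      # alert-generation-rate threshold, alerts per second
    window: float = 1.0        # seconds of alert log used for the rate (assumed)
    backoff: int = 2           # rule: multiply the signature threshold (assumed)
    log: deque = field(default_factory=deque)   # alert log of generation times

    def record(self, now):
        """Log an alert time and return the present alert generation rate."""
        self.log.append(now)
        while now - self.log[0] > self.window:   # drop entries older than the window
            self.log.popleft()
        return len(self.log) / self.window

@dataclass
class Signature:
    name: str
    threshold: int             # signature threshold quantity
    governor: Governor
    counter: int = 0           # signature event counter

    def on_event(self, now):
        """Handle one signature event; return True if an alert was generated."""
        self.counter += 1
        if self.counter <= self.threshold:
            return False
        self.counter = 0       # assumed: the counter restarts after each alert
        rate = self.governor.record(now)
        if rate > self.governor.rate_threshold:
            # Alter an element of the signature set: raise the threshold so that
            # more events are needed per alert and the alert rate drops.
            self.threshold *= self.governor.backoff
        return True

def simulate(events_per_sec, seconds, sig):
    """Feed evenly spaced constructed events; return the alert timestamps."""
    alerts = []
    for i in range(events_per_sec * seconds):
        t = i / events_per_sec
        if sig.on_event(t):
            alerts.append(t)
    return alerts

if __name__ == "__main__":
    # Constructed flood: 100 events/s for 3 s against a hypothetical signature.
    sig = Signature("syn-flood", 9, Governor(rate_threshold=5.0))
    alerts = simulate(100, 3, sig)
    print(len(alerts), "alerts sent; signature threshold is now", sig.threshold)
```

The sketch only ever raises the signature threshold; the raised value stays in force after the flood ends, so a deployment would also need a rule for restoring it.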
Specification