Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
First Claim
Patent Images
1. A method of operating an intrusion detection system, the method comprising the steps of:
- determining a present alert generation rate of an intrusion detection system;
comparing the present alert generation rate with an alert generation rate threshold; and
altering an element of a signature set of the intrusion detection system responsive to an outcome of the step of comparing.
2 Assignments
0 Petitions
Accused Products
Abstract
An intrusion detection system is improved by altering its signatures and thresholds during a denial of service attack, in order to decrease the rate at which an intrusion detection sensor sends alerts to an intrusion detection server. A governor within the sensor is associated with each signature. The governor may include an alert log, a timer, an alert-generation-rate threshold, and rules that prescribe actions to be taken when the alert-generation-rate threshold is exceeded. The governor records the generation time of each alert by the sensor, and determines the rate at which the sensor is presently generating alerts. When the present alert-generation rate exceeds the alert-generation-rate threshold, the governor alters the associated signature threshold to decrease the alert generation rate of the intrusion detection sensor.
-
Citations
12 Claims
-
1. A method of operating an intrusion detection system, the method comprising the steps of:
-
determining a present alert generation rate of an intrusion detection system;
comparing the present alert generation rate with an alert generation rate threshold; and
altering an element of a signature set of the intrusion detection system responsive to an outcome of the step of comparing.
-
-
2. A method of operating an intrusion detection sensor, the method comprising the steps of:
-
determining a present alert generation rate of an intrusion detection sensor;
comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of the intrusion detection sensor to decrease an alert generation rate of the intrusion detection sensor. - View Dependent Claims (3, 4)
-
-
5. A method of operating an intrusion detection system, comprising the steps of:
-
monitoring for occurrence of a signature event; and
when a signature event occurs, increasing a value of a signature event counter and comparing the value of the signature event counter with a signature threshold quantity; and
when the value of the signature event counter exceeds the signature threshold quantity, generating an alert, recording a time of generating the alert in a log, determining from contents of the log a present alert generation rate, and comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of an intrusion detection system to decrease an alert generation rate of an intrusion detection sensor. - View Dependent Claims (6, 7)
-
-
8. Programmable media containing programmable software for operation of an intrusion detection system, programmable software comprising the steps of:
-
determining a present alert generation rate of an intrusion detection system;
comparing the present alert generation rate with an alert generation rate threshold; and
altering an element of a signature set of the intrusion detection system responsive to an outcome of the step of comparing.
-
-
9. Programmable media containing programmable software for operation of an intrusion detection sensor, programmable software comprising the steps of:
-
determining a present alert generation rate of an intrusion detection sensor;
comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of the intrusion detection sensor to decrease an alert generation rate of the intrusion detection sensor.
-
-
10. Programmable media containing programmable software for operation of an intrusion detection system, programmable software comprising the steps of:
-
monitoring for occurrence of a signature event; and
when a signature event occurs, increasing a value of a signature event counter and comparing the value of the signature event counter with a signature threshold quantity; and
when the value of the signature event counter exceeds the signature threshold quantity, generating an alert, recording a time of generating the alert in a log, determining from contents of the log a present alert generation rate, and comparing the present alert generation rate with an alert generation rate threshold; and
when the present alert generation rate exceeds the alert generation rate threshold, altering an element of a signature set of an intrusion detection system to decrease an alert generation rate of an intrusion detection server. - View Dependent Claims (11, 12)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeTrend Micro Inc.
-
Original AssigneeInternational Business Machines Corporation
-
InventorsLingafelt, Charles Steven, Bardsley, Jeffrey Scott, Kim, Nathaniel Wook, Brock, Ashley Anderson
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current713/201
-
CPC Class CodesG06F 21/55 Detecting local intrusion o...G06F 2221/2101 Auditing as a secondary aspectH04L 63/1408 by monitoring network traff...H04L 63/1458 Denial of Service
