Intrusion detection method and signature table

US 20030110393A1
Filed: 12/12/2001
Published: 06/12/2003
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection method, comprising the steps of:

storing a plurality of signatures in a signature table of an intrusion detection system; and

ranking at least two signatures of the plurality of signatures by likelihood of occurrence.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Performance of a pattern-matching intrusion detection system (IDS) is improved by ranking signatures in its signature table by likelihood of occurrence, so that the table may be searched efficiently. Occurrence data associated with signatures is kept, and the ranking adaptively revised according to updates of the data. When the IDS detects a system event, the signature table is searched. If the search does not find a signature matching the event, thereby suggesting that the event poses no threat, a null signature is added to the signature table in a strategic location to terminate future searches early. In one embodiment, null signatures may be stored in a cache. When a system event is detected, the cache is searched. If a match is not found, the signature table is searched. If a match is not found in the signature table, a null signature is cached.

Citations

20 Claims

1. An intrusion detection method, comprising the steps of:
- storing a plurality of signatures in a signature table of an intrusion detection system; and
  
  ranking at least two signatures of the plurality of signatures by likelihood of occurrence.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the plurality of signatures includes at least one null signature.
  - 3. The method of claim 1, wherein said at least two signatures includes at least one null signature.

4. An intrusion detection method, comprising the steps of:
- storing a plurality of signatures in a signature table of an intrusion detection system;
  
  detecting, by the intrusion detection system, a system event; and
  
  comparing the system event with the plurality of signatures;
  
  wherein the step of comparing is performed in a sequence according to a ranking of the plurality of signatures by likelihood of occurrence.
- View Dependent Claims (5)
- - 5. The method of claim 4, wherein the ranking of the plurality of signatures by likelihood of occurrence is computed from occurrence data.

6. An intrusion detection method, comprising the steps of:
- storing a plurality of signatures in a signature table of an intrusion detection system, said plurality of signatures including at least one null signature;
  
  ranking the plurality of signatures by likelihood of occurrence to provide a ranking order;
  
  detecting, by an intrusion detection system, a system event; and
  
  comparing the system event with the plurality of signatures;
  
  wherein the step of comparing is performed in a sequence according to the ranking order.

7. A method of managing a signature table for an intrusion detection system, comprising the steps of:
- detecting, by an intrusion detection system, a system event;
  
  determining whether a signature table of the intrusion detection system includes a signature with a signature event that matches the system event; and
  
  when the signature table does not include a signature with a signature event that matches the system event, storing, in the signature table, a null signature with a signature event that matches the system event.

8. A method of managing a signature table for an intrusion detection system, comprising the steps of:
- detecting, by an intrusion detection system, a system event;
  
  determining whether a signature table of the intrusion detection system includes a signature event that matches the system event; and
  
  when the signature table includes a signature event that matches the system event, updating occurrence data associated with the signature event.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further including the step of ranking at least two signatures included in the signature table by likelihood of occurrence computed from the occurrence data.
  - 10. The method of claim 8, further including the step of:
    - when the signature table does not include a signature event that matches the system event, storing a null signature in the signature table.
  - 11. The method of claim 10, wherein the null signature includes a signature event that matches the system event.

12. An intrusion detection method, comprising the steps of:
- detecting, by an intrusion detection system, a system event;
  
  determining whether a cache of the intrusion detection system includes a signature event that matches the system event;
  
  when the cache does not include the signature event, determining whether a signature table of the intrusion detection system includes the signature event; and
  
  when the signature table does not include the signature event, storing the signature event in the cache.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein the signature event is stored in the cache as part of a null signature, and wherein the step of storing includes a step of storing the null signature in the cache.

14. An intrusion detection system, comprising:
- an event detector for detecting a system event;
  
  a signature table comprising signatures; and
  
  logic for searching the signature table responsive to detection of the system event by the event detector;
  
  wherein the signature table includes at least one null signature and at least one signature that is not a null signature.

15. A signature table of an intrusion detection system, said signature table comprising a plurality of signatures, wherein at least one signature of the plurality of signatures includes occurrence data.

16. A signature table of an intrusion detection system, said signature table comprising a plurality of signatures, wherein at least one signature of the plurality of signatures is a null signature.
- View Dependent Claims (17, 18)
- - 17. The signature table of claim 16, wherein at least one signature of the plurality of signatures includes occurrence data.
  - 18. The signature table of claim 16, wherein at least one signature of the plurality of signatures is a null signature that includes occurrence data.

19. An intrusion detection system, comprising:
- an event detector for detecting a system event;
  
  a signature table comprising signatures; and
  
  logic for searching the signature table responsive to detection of the system event by the event detector;
  
  wherein the logic searches the signature table in a sequence according to a ranking of the signatures by likelihood of occurrence.
- View Dependent Claims (20)
- - 20. The intrusion detection system of claim 19, wherein likelihood of occurrence is observed frequency of occurrence computed from occurrence data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Kim, Nathaniel Wook, Brock, Ashley Anderson, McClain, Kevin Thomas

Granted Patent

US 7,150,043 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Intrusion detection method and signature table

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection method and signature table

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links