Intrusion detection method and signature table
Abstract
Performance of a pattern-matching intrusion detection system (IDS) is improved by ranking signatures in its signature table by likelihood of occurrence, so that the table may be searched efficiently. Occurrence data associated with signatures is kept, and the ranking adaptively revised according to updates of the data. When the IDS detects a system event, the signature table is searched. If the search does not find a signature matching the event, thereby suggesting that the event poses no threat, a null signature is added to the signature table in a strategic location to terminate future searches early. In one embodiment, null signatures may be stored in a cache. When a system event is detected, the cache is searched. If a match is not found, the signature table is searched. If a match is not found in the signature table, a null signature is cached.
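The ranked signature table with occurrence data and null signatures described in the abstract, as an added Python example that is not part of the patent. The `SignatureTable` class, the signature names and the event stream are constructed for illustration, and exact-string matching stands in for whatever pattern matching a real IDS performs; both embodiments are shown, null signatures kept in a separate cache and null signatures inserted into the table itself.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    event: str             # the signature event this entry matches
    is_null: bool = False  # null signature: a known non-threat that ends the search
    occurrences: int = 0   # occurrence data that drives the ranking


class SignatureTable:
    """Ranked signature table with null signatures (constructed example)."""

    def __init__(self, events, use_cache=True):
        self.table = [Signature(e) for e in events]
        self.use_cache = use_cache
        self.cache = {}        # null-signature cache: event -> Signature
        self.comparisons = 0   # table comparisons performed, to show the saving

    def rerank(self):
        # Adaptive revision: the most frequently matched signatures move to the
        # front, so comparisons follow the ranking by likelihood of occurrence.
        self.table.sort(key=lambda s: s.occurrences, reverse=True)

    def lookup(self, event):
        """Classify one system event as 'alert' or 'benign'."""
        # Cache embodiment: consult cached null signatures before the table.
        if event in self.cache:
            self.cache[event].occurrences += 1
            return "benign"
        # Compare against the table in ranked order.
        for sig in self.table:
            self.comparisons += 1
            if sig.event == event:
                sig.occurrences += 1        # update occurrence data on a match
                self.rerank()
                return "benign" if sig.is_null else "alert"
        # No match: record a null signature so later searches terminate early.
        null = Signature(event, is_null=True, occurrences=1)
        if self.use_cache:
            self.cache[event] = null
        else:
            self.table.append(null)         # ranking moves it forward if frequent
            self.rerank()
        return "benign"


def demo(events, use_cache=True):
    """Run a constructed event stream; return (verdicts, comparisons, ranked order)."""
    ids = SignatureTable(["sig_a", "sig_b", "sig_c"], use_cache)
    verdicts = [ids.lookup(e) for e in events]
    return verdicts, ids.comparisons, [s.event for s in ids.table]
```

Running the same stream through both embodiments shows the cache answering the repeated benign event without touching the table, while the in-table null signature still costs comparisons until ranking carries it forward.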
20 Claims
1. An intrusion detection method, comprising the steps of:
storing a plurality of signatures in a signature table of an intrusion detection system; and
ranking at least two signatures of the plurality of signatures by likelihood of occurrence.

4. An intrusion detection method, comprising the steps of:
storing a plurality of signatures in a signature table of an intrusion detection system;
detecting, by the intrusion detection system, a system event; and
comparing the system event with the plurality of signatures;
wherein the step of comparing is performed in a sequence according to a ranking of the plurality of signatures by likelihood of occurrence.

6. An intrusion detection method, comprising the steps of:
storing a plurality of signatures in a signature table of an intrusion detection system, said plurality of signatures including at least one null signature;
ranking the plurality of signatures by likelihood of occurrence to provide a ranking order;
detecting, by an intrusion detection system, a system event; and
comparing the system event with the plurality of signatures;
wherein the step of comparing is performed in a sequence according to the ranking order.

7. A method of managing a signature table for an intrusion detection system, comprising the steps of:
detecting, by an intrusion detection system, a system event;
determining whether a signature table of the intrusion detection system includes a signature with a signature event that matches the system event; and
when the signature table does not include a signature with a signature event that matches the system event, storing, in the signature table, a null signature with a signature event that matches the system event.

8. A method of managing a signature table for an intrusion detection system, comprising the steps of:
detecting, by an intrusion detection system, a system event;
determining whether a signature table of the intrusion detection system includes a signature event that matches the system event; and
when the signature table includes a signature event that matches the system event, updating occurrence data associated with the signature event.

12. An intrusion detection method, comprising the steps of:
detecting, by an intrusion detection system, a system event;
determining whether a cache of the intrusion detection system includes a signature event that matches the system event;
when the cache does not include the signature event, determining whether a signature table of the intrusion detection system includes the signature event; and
when the signature table does not include the signature event, storing the signature event in the cache.

14. An intrusion detection system, comprising:
an event detector for detecting a system event;
a signature table comprising signatures; and
logic for searching the signature table responsive to detection of the system event by the event detector;
wherein the signature table includes at least one null signature and at least one signature that is not a null signature.

15. A signature table of an intrusion detection system, said signature table comprising a plurality of signatures, wherein at least one signature of the plurality of signatures includes occurrence data.

16. A signature table of an intrusion detection system, said signature table comprising a plurality of signatures, wherein at least one signature of the plurality of signatures is a null signature.

19. An intrusion detection system, comprising:
an event detector for detecting a system event;
a signature table comprising signatures; and
logic for searching the signature table responsive to detection of the system event by the event detector;
wherein the logic searches the signature table in a sequence according to a ranking of the signatures by likelihood of occurrence.