System for high speed network intrusion detection
Abstract
A network intrusion detection system for detection of an intrusion through the analysis of data units on a network connection is described herein. The network intrusion detection system provides enhanced memory performance through an interrupt handling routine that minimises calls to the operating system, and mitigates the performance overhead of copying data units from one memory location to another. Data units received from an external network are placed into a ring buffer for in place analysis to reduce data transfer overhead.
Claims (23)

1. A method of intrusion detection in a packet based network, the network including a network interface card for receiving data units, placing the received data units into predetermined memory locations, and for generating interrupts when data units are received, the method comprising:
receiving an interrupt from the network interface card;
determining if a data unit in a predetermined memory location is indicative of a network intrusion;
determining if a subsequent data unit is present in an adjacent predetermined memory location;
determining if the subsequent data unit, if present, is indicative of a network intrusion; and
clearing the interrupt if a subsequent data unit is not present.
(Dependent claims 2 to 9.)

10. A network intrusion detection system, for detecting network intrusions from an external network, having a database of signatures indicative of network intrusions, the network intrusion detection system comprising:
a ring buffer of memory elements, for storing a plurality of data units;
a network interface card, operatively connected to both the external network for receiving data units, and the ring buffer for transferring the received data units into the memory elements of the ring buffer, for generating an interrupt when a data unit is transferred to an otherwise empty ring buffer; and
an analysis engine, operatively connected to the database for retrieving the signatures, operatively connected to the network interface card for receiving interrupts, and operatively connected to the ring buffer for retrieving data units from the memory elements, for determining, upon receipt of an interrupt from the network interface card, if a retrieved data unit is indicative of a network intrusion using the database signatures, for retrieving a subsequent data unit from the ring buffer, if one is available, upon completion of the prior determination, for determining if the subsequent retrieved data unit is indicative of a network intrusion using the database signatures, and for clearing the interrupt received from the network interface card when no further subsequent data units are available from the ring buffer.
(Dependent claims 11 to 23.)
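The interrupt-driven drain loop that claims 1 and 10 describe, written out as an added example in C. This is not code from the patent or from any product; the network interface card is simulated by nic_deliver(), which writes a data unit into the next ring slot and raises the (simulated) interrupt line only when the ring was otherwise empty, and the packets and signature patterns are constructed for the example. The analysis engine, ids_handle_interrupt(), inspects each data unit in place in the ring, moves to the adjacent slot while one is present, and clears the interrupt only when the adjacent slot is empty. The one refinement beyond the claim text is that the handler clears the interrupt and then re-checks the slot once, so a data unit that lands between the emptiness check and the clear is not stranded in the ring with no interrupt pending.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8
#define SLOT_BYTES 256

/* One memory element of the ring. The (simulated) NIC sets owned_by_host after
 * it has written a data unit into data[]; the analysis engine clears it when done. */
struct ring_slot {
    bool    owned_by_host;
    size_t  len;
    uint8_t data[SLOT_BYTES];
};

struct ring {
    struct ring_slot slot[RING_SLOTS];
    size_t head;        /* next slot the analysis engine will inspect */
    size_t tail;        /* next slot the NIC will fill */
    bool   irq_pending; /* simulated interrupt line from the NIC */
};

struct signature {
    const char    *name;
    const uint8_t *pattern;
    size_t         plen;
};

/* Constructed signature database for the example (hypothetical patterns). */
static const struct signature SIGS[] = {
    { "path-traversal", (const uint8_t *)"/../../", 7 },
    { "script-tag",     (const uint8_t *)"<script>", 8 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

struct drain_stats { size_t inspected; size_t alerts; };

void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Byte-string search over the data unit where it lies in the ring (no copy). */
static bool contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0) return true;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return true;
    return false;
}

/* Simulated NIC: DMA a data unit into the tail slot and raise the interrupt only
 * if the ring was otherwise empty (claim 10). Returns false if the unit is dropped. */
bool nic_deliver(struct ring *r, const uint8_t *buf, size_t len)
{
    struct ring_slot *s = &r->slot[r->tail];
    if (s->owned_by_host || len > SLOT_BYTES) return false; /* ring full or oversize */
    bool was_empty = !r->slot[r->head].owned_by_host;
    memcpy(s->data, buf, len); /* stands in for the NIC's DMA write */
    s->len = len;
    s->owned_by_host = true;
    r->tail = (r->tail + 1) % RING_SLOTS;
    if (was_empty) r->irq_pending = true;
    return true;
}

/* Analysis engine, run on receipt of the interrupt (claim 1). */
struct drain_stats ids_handle_interrupt(struct ring *r, const struct signature *sigs, size_t nsigs)
{
    struct drain_stats st = { 0, 0 };
    for (;;) {
        struct ring_slot *s = &r->slot[r->head];
        if (!s->owned_by_host) {
            /* No subsequent data unit in the adjacent slot: clear the interrupt.
             * Re-check once afterwards so a unit that arrived in the window
             * between the check and the clear is still drained. */
            r->irq_pending = false;
            if (!s->owned_by_host) return st;
            continue;
        }
        st.inspected++;
        for (size_t i = 0; i < nsigs; i++) {
            if (contains(s->data, s->len, sigs[i].pattern, sigs[i].plen)) {
                st.alerts++;
                printf("alert: slot %zu matched signature %s\n", r->head, sigs[i].name);
            }
        }
        s->owned_by_host = false;               /* hand the slot back to the NIC */
        r->head = (r->head + 1) % RING_SLOTS;   /* advance to the adjacent slot */
    }
}

int main(void)
{
    /* Constructed sample data units: one benign request, one with a traversal pattern. */
    static const uint8_t p1[] = "GET /index.html HTTP/1.0";
    static const uint8_t p2[] = "GET /../../etc/passwd HTTP/1.0";
    static const uint8_t p3[] = "GET /about HTTP/1.0";
    struct ring r;
    ring_init(&r);
    nic_deliver(&r, p1, sizeof p1 - 1);
    nic_deliver(&r, p2, sizeof p2 - 1);
    nic_deliver(&r, p3, sizeof p3 - 1);
    struct drain_stats st = ids_handle_interrupt(&r, SIGS, NSIGS);
    printf("inspected=%zu alerts=%zu irq_pending=%d\n", st.inspected, st.alerts, r.irq_pending);
    return 0;
}
```

Because the three data units are delivered before the handler runs, only the first delivery raises the interrupt; the handler then drains all three from the ring without a further interrupt or a copy, which is the per-packet overhead the abstract sets out to avoid.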