Methods and systems for intrusion detection
Abstract
Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.
33 Claims
1. A method for optimizing rules in an intrusion detection system, comprising:
creating a plurality of rule sets from a plurality of intrusion detection system rules;
determining at least one rule set for each packet by comparing parameters of the packet to parameters of the at least one rule set; and
inspecting the packet with the at least one rule set.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method for resolving unique conflicts between at least two rule sets that match parameters of a packet during rule set selection in an intrusion detection system, comprising:
creating defined unique conflict rule sets, wherein each defined unique conflict rule set is created by combining at least two unique rule sets defined by a user as rule sets capable of having a unique conflict;
comparing the parameters of the packet to each defined unique conflict rule set of the defined unique conflict rule sets;
selecting for inspection a defined unique conflict rule set from the list of defined unique conflict rule sets if the parameters of the packet match the defined unique conflict rule set; and
selecting for inspection each of the at least two rule sets that match parameters of the packet if the parameters of the packet do not match a defined unique conflict rule set of the defined unique conflict rule sets.
Dependent claims: 9, 10, 11, 12.

13. A method for resolving unique conflicts between at least two rule sets that match parameters of a packet during rule set selection in an intrusion detection system, comprising:
creating defined unique conflict rule sets, wherein each defined unique conflict rule set is created by combining at least two unique rule sets defined by a user as rule sets capable of having a unique conflict;
comparing the parameters of the packet to each defined unique conflict rule set of the defined unique conflict rule sets;
selecting for inspection a defined unique conflict rule set from the defined unique conflict rule sets if the parameters of the packet match the defined unique conflict rule set; and
selecting randomly for inspection one of the at least two rule sets that matches parameters of the packet if the parameters of the packet do not match a defined unique conflict rule set of the defined unique conflict rule sets.
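The rule-optimization and conflict-resolution steps of claims 1, 8 and 13 are easier to follow in code. The following Python is an added example written for this page; it is not the patent's own code and the patent text contains none. It assumes (an assumption, not something the claims state) that the "parameters" compared are the protocol, source port and destination port, so rule sets are keyed by that selector; the sample rules, the `merge_keys` helper and the operator-declared conflict pair are constructed for the example.

```python
"""Rule-set creation and selection, after claims 1, 8 and 13 (added example)."""
from dataclasses import dataclass
import random

ANY = "any"  # wildcard for a port selector


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    src_port: object   # int, or ANY
    dst_port: object   # int, or ANY
    msg: str


@dataclass(frozen=True)
class RuleSet:
    key: tuple    # (proto, src_port, dst_port) selector shared by every rule in the set
    rules: tuple


def build_rule_sets(rules):
    """Claim 1: one rule set per distinct (proto, src_port, dst_port) selector (assumed key)."""
    groups = {}
    for r in rules:
        groups.setdefault((r.proto, r.src_port, r.dst_port), []).append(r)
    return {k: RuleSet(k, tuple(v)) for k, v in groups.items()}


def selector_matches(key, proto, src_port, dst_port):
    """Compare the packet parameters to a rule set's parameters."""
    kp, ks, kd = key
    return kp == proto and ks in (ANY, src_port) and kd in (ANY, dst_port)


def merge_keys(a, b):
    """Selector a packet must satisfy to match both set a and set b (constructed helper).
    Where one side is a wildcard the specific value wins; two different specific
    values can never both match one packet, so such a pair is rejected."""
    merged = []
    for x, y in zip(a, b):
        if x == y or y == ANY:
            merged.append(x)
        elif x == ANY:
            merged.append(y)
        else:
            raise ValueError(f"sets {a} and {b} cannot both match one packet")
    return tuple(merged)


def build_conflict_sets(rule_sets, conflict_pairs):
    """Claims 8/13: each user-declared pair of sets is combined into one conflict set."""
    out = {}
    for a, b in conflict_pairs:
        key = merge_keys(a, b)
        out[key] = RuleSet(key, rule_sets[a].rules + rule_sets[b].rules)
    return out


def select_rule_sets(rule_sets, conflict_sets, proto, src_port, dst_port, policy="all"):
    """Return the rule set(s) the engine inspects this packet with.
    policy="all": claim 8 (every matching set when no conflict set applies)
    policy="random": claim 13 (one matching set chosen at random)"""
    matching = [rs for k, rs in rule_sets.items()
                if selector_matches(k, proto, src_port, dst_port)]
    if len(matching) <= 1:
        return matching                     # the common case: a single set to search
    for k, cs in conflict_sets.items():
        if selector_matches(k, proto, src_port, dst_port):
            return [cs]                     # still a single set, thanks to the combined set
    if policy == "random":
        return [random.choice(matching)]
    return matching


# Constructed sample rule base (not the patent's rules)
RULES = [
    Rule(1, "tcp", ANY, 80, "client request pattern A"),
    Rule(2, "tcp", ANY, 80, "client request pattern B"),
    Rule(3, "tcp", 80, ANY, "server response pattern"),
    Rule(4, "tcp", ANY, 21, "ftp command pattern"),
    Rule(5, "udp", ANY, 53, "dns query pattern"),
]
RULE_SETS = build_rule_sets(RULES)
# The operator declares that the "to port 80" and "from port 80" sets can both match one packet.
CONFLICT_SETS = build_conflict_sets(RULE_SETS, [(("tcp", ANY, 80), ("tcp", 80, ANY))])


def sids_for_packet(proto, src_port, dst_port, policy="all"):
    """Sorted rule ids the engine would search for this packet."""
    sets = select_rule_sets(RULE_SETS, CONFLICT_SETS, proto, src_port, dst_port, policy)
    return sorted(r.sid for rs in sets for r in rs.rules)


if __name__ == "__main__":
    for pkt in [("tcp", 34567, 80), ("tcp", 80, 80), ("tcp", 80, 21), ("udp", 4321, 53)]:
        print(pkt, "->", sids_for_packet(*pkt))
```

The packet from port 80 to port 80 is the "unique conflict" case: two sets match, but because the operator declared that pair, the engine still searches exactly one (combined) set. The packet from port 80 to port 21 matches two sets with no declared conflict set, so claim 8 inspects both and claim 13 picks one at random.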

14. A system for intrusion detection, the system comprising:
a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor and wherein the detection engine inspects the packet for intrusions;
a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine; and
a rule optimizer, wherein the rule optimizer creates a plurality of rule sets from a plurality of intrusion detection rules and provides the plurality of rule sets to the detection engine, wherein the detection engine selects at least one rule set from the plurality of rule sets for inspection for each packet that the detection engine processes.
Dependent claims: 15, 16.

17. A method for detecting rule matches during packet processing in an intrusion detection system, comprising:
identifying each rule as one of a content rule and a non-content rule;
scanning a search pattern parameter of a rule identified as a content rule against a packet;
adding a match of the search pattern parameter and the packet to a list of content match events;
comparing remaining rule parameters of each rule associated with each item on the list of content match events with packet parameters of the packet;
adding a match of all the remaining rule parameters with the packet parameters to a list of intrusion events;
comparing non-content rule parameters of each rule identified as a non-content rule with the packet parameters;
adding a match of all the non-content rule parameters with the packet parameters to the list of intrusion events; and
selecting at least one intrusion event from the list of intrusion events for the packet for logging.
Dependent claims: 18, 19, 20, 21, 22, 23.

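The two-stage matching of claim 17, as an added Python example that is not part of the patent text: content rules are first reduced to their search patterns, only the rules whose pattern hits are validated against the packet's remaining parameters, non-content rules are checked on parameters alone, and one event per packet is chosen for logging. The rule base, the port-based "remaining parameters" and the logging-selection policy (highest priority, then longest pattern) are constructed for the example; the claim leaves all three open.

```python
"""Two-stage rule matching after claim 17 (added example, not the patent's own code)."""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dst_port: object           # int, or ANY
    content: Optional[bytes]   # search pattern; None marks a non-content rule
    priority: int
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Event:
    sid: int
    priority: int
    match_len: int   # length of the content pattern that hit (0 for non-content rules)
    msg: str


def split_rules(rules):
    """Identify each rule as a content rule or a non-content rule."""
    content = [r for r in rules if r.content is not None]
    non_content = [r for r in rules if r.content is None]
    return content, non_content


def content_match_events(content_rules, pkt):
    """Scan only the search patterns against the payload; each hit is a content match event."""
    return [r for r in content_rules if r.content in pkt.payload]


def params_match(rule, pkt):
    """The parameterized search: the remaining (non-pattern) rule parameters vs. the packet."""
    return rule.proto == pkt.proto and rule.dst_port in (ANY, pkt.dst_port)


def detect(rules, pkt):
    """Build the list of intrusion events for one packet."""
    content_rules, non_content_rules = split_rules(rules)
    events = []
    # Content rules: remaining parameters are checked only for rules whose pattern hit
    for r in content_match_events(content_rules, pkt):
        if params_match(r, pkt):
            events.append(Event(r.sid, r.priority, len(r.content), r.msg))
    # Non-content rules: compared on their parameters alone
    for r in non_content_rules:
        if params_match(r, pkt):
            events.append(Event(r.sid, r.priority, 0, r.msg))
    return events


def select_for_logging(events, limit=1):
    """Constructed selection policy: highest priority first, longest pattern as tie-break."""
    ranked = sorted(events, key=lambda e: (-e.priority, -e.match_len, e.sid))
    return ranked[:limit]


# Constructed sample rule base (not the patent's rules)
RULES = [
    Rule(100, "tcp", 80, b"/cgi-bin/", 2, "cgi directory request"),
    Rule(101, "tcp", 80, b"/etc/passwd", 3, "passwd file request over http"),
    Rule(102, "tcp", 21, b"/etc/passwd", 3, "passwd file request over ftp"),
    Rule(103, "tcp", 8080, None, 1, "traffic to proxy port"),
    Rule(104, "tcp", 80, None, 1, "traffic to web port"),
]


def event_sids(proto, dst_port, payload):
    """Sorted rule ids of every intrusion event raised for one constructed packet."""
    return sorted(e.sid for e in detect(RULES, Packet(proto, dst_port, payload)))


def logged_sids(proto, dst_port, payload, limit=1):
    """Rule ids of the event(s) chosen for logging for one constructed packet."""
    events = detect(RULES, Packet(proto, dst_port, payload))
    return [e.sid for e in select_for_logging(events, limit)]


if __name__ == "__main__":
    req = b"GET /cgi-bin/show?file=/etc/passwd HTTP/1.0\r\n"
    print("events:", event_sids("tcp", 80, req), "logged:", logged_sids("tcp", 80, req))
```

Note how rule 102 hits in the pattern stage but is discarded by the parameter stage (wrong port), which is the point of the ordering: the expensive full comparison runs only for rules whose pattern was actually found.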
24. A system for intrusion detection, the system comprising:
a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor, wherein the detection engine inspects the packet for intrusions, and wherein the detection engine identifies each rule as one of a content rule and a non-content rule, scans a search pattern parameter of a rule identified as a content rule against a packet, adds a match of the search pattern parameter and the packet to a list of content match events, compares remaining rule parameters of each rule associated with each item on the list of content match events with packet parameters of the packet, adds each match of all the remaining rule parameters with the packet parameters to a list of intrusion events, compares non-content rule parameters of each rule identified as a non-content rule with the packet parameters, adds each match of all the non-content rule parameters with the packet parameters to the list of intrusion events, and selects for the packet at least one intrusion event from the list of queued intrusion events for logging; and
a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine.

25. A method for analyzing data flow in a computer network using an intrusion detection system, comprising:
intercepting a packet transmitted on the computer network;
determining a protocol associated with the packet;
determining a type of data flow associated with the protocol; and
processing the packet in accordance with the determined type of data flow.
Dependent claims: 26, 27, 28.

29. A method for determining the portions of HTTP data flow in a computer network that should not be processed by an intrusion detection system, comprising:
intercepting a packet on the computer network;
determining if a transport protocol of the packet comprises a TCP portion;
determining if a source port in a header portion of the TCP portion comprises a Web server port, if the transport protocol comprises the TCP portion;
determining if a destination port of the header portion comprises a Web server port, if the source port comprises a Web server port;
decoding a data portion of the TCP portion, if the destination port does not comprise a Web server port;
determining if the data portion comprises an HTTP response header;
processing the data portion only up to an HTTP maximum response bytes limit and ignoring the remainder of the data portion, if the data portion comprises the HTTP response header; and
ignoring the data portion, if the data portion does not comprise the HTTP response header.
Dependent claims: 30, 31.

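The decision procedure of claim 29 (a concrete instance of the protocol flow analysis in claim 25), carried through as an added Python example that is not the patent's own code. It assumes which ports count as "Web server ports", assumes a value for the HTTP maximum response bytes limit (the claim names the parameter but gives no number), assumes that packets the procedure does not classify as server-to-client HTTP are inspected in full, and uses a constructed sample flow.

```python
"""HTTP flow-direction screening after claims 25 and 29 (added example, not the patent's code)."""
from dataclasses import dataclass
import re

WEB_SERVER_PORTS = {80, 8080}    # assumption: which ports count as "Web server ports"
HTTP_MAX_RESPONSE_BYTES = 300    # assumption: the claim names the limit but gives no value

# An HTTP response header begins with a status line such as "HTTP/1.1 200 OK"
HTTP_RESPONSE_HEADER = re.compile(rb"^HTTP/1\.[01] \d{3}[ \r\n]")


@dataclass(frozen=True)
class Packet:
    transport: str   # "tcp", "udp", ...
    src_port: int
    dst_port: int
    data: bytes      # decoded TCP data portion


@dataclass(frozen=True)
class Decision:
    action: str      # "inspect", "inspect_truncated" or "ignore"
    data: bytes      # the bytes the detection engine will actually inspect


def classify_http_flow(pkt):
    """Apply the claim 29 steps to one packet and return what reaches the detection engine."""
    if pkt.transport != "tcp":
        return Decision("inspect", pkt.data)    # no TCP portion: not an HTTP flow, inspect as usual
    if pkt.src_port not in WEB_SERVER_PORTS:
        return Decision("inspect", pkt.data)    # client-to-server direction: inspect the request
    if pkt.dst_port in WEB_SERVER_PORTS:
        return Decision("inspect", pkt.data)    # both ends are web ports: direction unclear
    if HTTP_RESPONSE_HEADER.match(pkt.data):    # server-to-client, starts with a response header
        return Decision("inspect_truncated", pkt.data[:HTTP_MAX_RESPONSE_BYTES])
    return Decision("ignore", b"")              # server-to-client continuation data: skip


def bytes_inspected(packets):
    """Total bytes handed to the detection engine for a list of packets."""
    return sum(len(classify_http_flow(p).data) for p in packets)


# Constructed sample flow: request, response header plus body, body continuation, a DNS packet
REQUEST = Packet("tcp", 40123, 80, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n")
RESPONSE = Packet("tcp", 80, 40123,
                  b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b"<p>" + b"A" * 500)
CONTINUATION = Packet("tcp", 80, 40123, b"A" * 1200)
DNS = Packet("udp", 53, 40124, b"\x00" * 40)
SAMPLE_FLOW = [REQUEST, RESPONSE, CONTINUATION, DNS]

if __name__ == "__main__":
    for p in SAMPLE_FLOW:
        d = classify_http_flow(p)
        print(p.transport, p.src_port, "->", p.dst_port, d.action, len(d.data), "bytes")
    print("inspected:", bytes_inspected(SAMPLE_FLOW), "of", sum(len(p.data) for p in SAMPLE_FLOW))
```

The saving comes entirely from the server-to-client direction: the request is inspected in full, the response is inspected only up to the limit, and the body continuation segments (the bulk of most web traffic) are skipped. The trade-off a defender should keep in mind is that anything malicious carried deep inside a server response body is, by design, not inspected under this procedure.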
32. A system for intrusion detection, the system comprising:
a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor, wherein the detection engine inspects the packet for intrusions, and wherein the detection engine determines a protocol associated with the packet, determines a type of data flow associated with the protocol, and processes the packet in accordance with the determined type of data flow; and
a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine.

33. A system for intrusion detection, the system comprising:
a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor, wherein the detection engine inspects the packet for intrusions, and wherein the detection engine determines a protocol associated with the packet, determines a type of data flow associated with the protocol, and processes the packet in accordance with the determined type of data flow, wherein the detection engine inspects the packet for intrusions, and wherein the detection engine identifies each rule as one of a content rule and a non-content rule, scans a search pattern parameter of a rule identified as a content rule against a packet, adds a match of the search pattern parameter and the packet to a list of content match events, compares remaining rule parameters of each rule associated with each item on the list of content match events with packet parameters of the packet, adds each match of all the remaining rule parameters with the packet parameters to a list of intrusion events, compares non-content rule parameters of each rule identified as a non-content rule with the packet parameters, adds each match of all the non-content rule parameters with the packet parameters to the list of intrusion events, and selects for the packet at least one intrusion event from the list of queued intrusion events for logging;
a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine; and
a rule optimizer, wherein the rule optimizer creates a plurality of rule sets from a plurality of intrusion detection rules and provides the plurality of rule sets to the detection engine, wherein the detection engine selects at least one rule set from the plurality of rule sets for inspection for each packet that the detection engine processes.

Specification