System and method for dynamic distribution of intrusion signatures
Abstract
A system and method for the dynamic distribution of intrusion signatures to aid in protecting a network system from harmful activities. An analysis function includes means for identifying one or more intrusion signatures to be dynamically distributed to an intrusion detection function for monitoring. The analysis function and/or the intrusion detection function may be centralized or distributed. Monitoring may be prioritized, localized, and made operational or non-operational. The intrusion detection function may be embodied in either or both of an appliance and a network forwarding device. The analysis function may distribute the intrusion detection function in addition to the intrusion signatures. In one embodiment of the invention, the system includes an intrusion detection function and a dynamic intrusion signatures function. The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events, and updating IDS signature libraries as necessary. Optional steps of the method include verifying that reported information has been received and acted upon, and recording the detection, reporting, and updating information in a central repository. The system and method enable dynamic distribution of IDS signatures, giving improved network IDS coverage while limiting the processing and storage requirements of network devices, particularly forwarding devices such as switches and routers that may include the IDS function. That capability enables broader coverage and faster, better-tuned responses to harmful activities.
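As an added illustration of the method described in the abstract (example code, not the patent's own), the following Python simulates steps (a) to (d) across three devices: prioritized monitoring, an operational/non-operational flag, per-peer verification that a report was acted upon, and a central repository that records each detection, report and update. Device names, signature ids and byte patterns are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:
    sig_id: str        # constructed id such as "SIG-0001"
    pattern: bytes     # byte pattern the IDS function looks for in traffic
    priority: int = 1  # higher value is checked first (prioritized monitoring)

@dataclass
class Device:
    name: str
    library: dict = field(default_factory=dict)  # sig_id -> Signature
    monitoring: bool = True                      # operational / non-operational

    def detect(self, payload: bytes):
        """Step (a): match traffic against the local library, highest priority first."""
        if not self.monitoring:
            return None
        for sig in sorted(self.library.values(), key=lambda s: -s.priority):
            if sig.pattern in payload:
                return sig
        return None

    def analyze_and_update(self, sig: Signature) -> bool:
        """Steps (c) and (d): add the reported signature only when it is absent."""
        if sig.sig_id in self.library:
            return False
        self.library[sig.sig_id] = sig
        return True

class NetworkSystem:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        self.repository = []  # central record of detection, reporting and updating

    def report(self, reporter: str, payload: bytes) -> dict:
        """Step (b): push a detected signature to every other device, then return
        each peer's outcome, which doubles as verification that it acted on it."""
        sig = self.devices[reporter].detect(payload)
        if sig is None:
            return {}
        self.repository.append(("detected", reporter, sig.sig_id))
        outcome = {}
        for name, peer in self.devices.items():
            if name == reporter:
                continue
            outcome[name] = "updated" if peer.analyze_and_update(sig) else "already_present"
            self.repository.append((outcome[name], name, sig.sig_id))
        return outcome
```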
47 Claims
1. A method for the dynamic distribution of intrusion signatures involving one or more devices of a network system, the method comprising the steps of:
a. monitoring the network system for one or more intrusion signatures;
b. upon detecting one or more intrusion signatures by one or more devices of the network system, reporting information of the one or more detected intrusion signatures to one or more others of the devices of the network system;
c. for each of the one or more others of the devices, upon receiving the reported intrusion signature information, analyzing whether the intrusion signature information exists in a library of the device; and
d. dynamically updating the library of any of the one or more other devices not including the reported intrusion signature information to include the reported intrusion signature information.
Dependent claims: 2, 3, 4, 6, 7
8. A system for the dynamic distribution of intrusion signatures among a plurality of devices of a network system, the system comprising:
a. for one or more of the plurality of devices, an intrusion detection function designed to monitor for and report detected intrusion signatures, the intrusion detection function including a library of intrusion signatures; and
b. for one or more of the plurality of devices, a dynamic intrusion signatures function to report detected intrusion signatures to others of the plurality of devices, to analyze received reported intrusion signatures from others of the plurality of devices for existence in the library, and to update dynamically the library if the received reported intrusion signatures do not exist therein.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A system for the dynamic distribution of intrusion signatures among a plurality of devices of a network system, the system comprising:
a. a reporting function for reporting one or more detected intrusion signatures;
b. an analyzing function for determining whether received detected intrusion signatures information exists in a library of intrusion signatures;
c. a dynamic updating function for updating the library upon determination that the reported detected intrusion information does not exist therein; and
d. an intrusion detection function for monitoring for intrusion signatures based upon the dynamic updating of the library.
Dependent claims: 16, 17
18. A method to improve the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the steps of:
a. dynamically distributing one or more intrusion signatures to one or more of the plurality of network devices upon detection of a distribution triggering condition; and
b. monitoring the network system for the one or more distributed intrusion signatures.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
26. A system for improving the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the system comprising:
a. an analysis function designed to receive trigger information and determine whether and where to dynamically distribute one or more intrusion signatures to one or more of the plurality of network devices; and
b. an intrusion detection function to monitor for the one or more dynamically distributed intrusion signatures.
Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44
45. A method to improve the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the step of distributing an intrusion detection function to one or more of the plurality of network devices upon detection of a distribution triggering condition.