System and method for dynamic distribution of intrusion signatures

US 20050076245A1
Filed: 10/01/2004
Published: 04/07/2005
Est. Priority Date: 10/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method for the dynamic distribution of intrusion signatures involving one or more devices of a network system, the method comprising the steps of:

a. monitoring the network system for one or more intrusion signatures;

b. upon detecting one or more intrusion signatures by one or more devices of the network system, reporting information of the one or more detected intrusion signatures to one or more others of the devices of the network system;

c. for each of the one or more others of the devices, upon receiving the reported intrusion signature information, analyzing whether the intrusion signature information exists in a library of the device; and

d. dynamically updating the library of any of the one or more other devices not including the reported intrusion signature information to include the reported intrusion signature information.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for the dynamic distribution of intrusion signatures to aid in protecting a network system from harmful activities. An analysis function includes means for identifying one or more intrusion signatures to be dynamically distributed to an intrusion detection function for monitoring. The analysis function and/or the intrusion detection function may be centralized or distributed. Monitoring may be prioritized, localized, and made operational or non-operational. The intrusion detection function may be embodied in either or both of an appliance and a network forwarding device. The analysis function may distribute the intrusion detection function in addition to the intrusion signatures. In one embodiment of the invention, the system includes an intrusion detection function and a dynamic intrusion signatures function. The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary. Optional steps of the method include verifying that reported information has been received and acted upon, and recording of the detection, reporting, and updating information in a central repository. The system and method enable dynamic distribution of IDS signatures enabling improved network IDS coverage while limiting the processing and storage requirements of network devices, particularly forwarding devices such as switches and routers that may include the IDS function. That capability enables broader coverage, faster and better tuned responses to harmful activities.

Citations

47 Claims

1. A method for the dynamic distribution of intrusion signatures involving one or more devices of a network system, the method comprising the steps of:
- a. monitoring the network system for one or more intrusion signatures;
  
  b. upon detecting one or more intrusion signatures by one or more devices of the network system, reporting information of the one or more detected intrusion signatures to one or more others of the devices of the network system;
  
  c. for each of the one or more others of the devices, upon receiving the reported intrusion signature information, analyzing whether the intrusion signature information exists in a library of the device; and
  
  d. dynamically updating the library of any of the one or more other devices not including the reported intrusion signature information to include the reported intrusion signature information.
- View Dependent Claims (2, 3, 4, 6, 7)
- - 2. The method as claimed in claim 1 further comprising the step of reporting the detected intrusion signature information to a central repository.
  - 3. The method as claimed in claim 1 further comprising the step of verifying that the reported detected intrusion signature information has been received by one or more of the one or more others of the devices.
  - 4. The method as claimed in claim 1 further comprising the step of reporting to a central repository completion of the step of updating.
  - 6. The method as claimed in claim 1 further comprising the step of continuing to monitor the network system after updating of the one or more others of the devices.
  - 7. The method as claimed in claim 1 wherein the devices of the network system are selected from the group consisting of switches, routers, and intrusion detection appliances.

8. A system for the dynamic distribution of intrusion signatures among a plurality of devices of a network system, the system comprising:
- a. for one or more of the plurality of devices, an intrusion detection function designed to monitor for and report detected intrusion signatures, the intrusion detection function including a library of intrusion signatures; and
  
  b. for one or more of the plurality of devices, a dynamic intrusion signatures function to report detected intrusion signatures to others of the plurality of devices, to analyze received reported intrusion signatures from others of the plurality of devices for existence in the library, and to update dynamically the library if the received reported intrusion signatures do not exist therein.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system as claimed in claim 8 wherein the dynamic intrusion signatures function includes a reporting sub-function, an analysis sub-function, and an updating sub-function.
  - 10. The system as claimed in claim 9 wherein one or more of the one or more of the plurality of devices includes both the intrusion detection function and the dynamic intrusion signatures function.
  - 11. The system as claimed in claim 8 wherein the libraries of the intrusion detection functions of the plurality of devices do not have an equal number of intrusion signatures.
  - 12. The system as claimed in claim 8 wherein the libraries of the intrusion detection functions of the plurality of devices do not have the same sets of intrusion signatures.
  - 13. The system as claimed in claim 8 wherein the intrusion detection function is embodied in one or more network intrusion detection systems.
  - 14. The system as claimed in claim 8 wherein the intrusion detection function and the dynamic intrusion signatures function are both embodied in one or more network devices selected from the group consisting of switches and routers.

15. A system for the dynamic distribution of intrusion signatures among a plurality of devices of a network system, the system comprising:
- a. a reporting function for reporting one or more detected intrusion signatures;
  
  b. an analyzing function for determining whether received detected intrusion signatures information exists in a library of intrusion signatures;
  
  c. a dynamic updating function for updating the library upon determination that the reported detected intrusion information does not exist therein; and
  
  d. an intrusion detection function for monitoring for intrusion signatures based upon the dynamic updating of the library.
- View Dependent Claims (16, 17)
- - 16. The system as claimed in claim 15 wherein the reporting function, the analyzing function and the updating function are embodied in a network device selected from the group consisting of switches and routers.
  - 17. The system as claimed in claim 15 further comprising means for communicating with an intrusion detection function.

18. A method to improve the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the steps of:
- a. dynamically distributing one or more intrusion signatures to one or more of the plurality of network devices upon detection of a distribution triggering condition; and
  
  b. monitoring the network system for the one or more distributed intrusion signatures.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method as claimed in claim 18 wherein the triggering condition is selected from the group consisting of detection of one or more known intrusion signatures, a time period, a data frequency, a security event alarm, and a manual input.
  - 20. The method as claimed in claim 18 further comprising the step of first monitoring the network system for intrusion signatures and, upon detecting an intrusion signature at one or more of the network devices, distributing that and/or other intrusion signatures to one or more others of the plurality of network devices.
  - 21. The method as claimed in claim 18 wherein the step of monitoring the network system for the one or more distributed intrusion signatures includes the step of adjusting the priorities of the one or more others of the plurality of network devices to focus on monitoring for one or more of the one or more distributed intrusion signatures.
  - 22. The method as claimed in claim 18 further comprising the step of weighting the importance of the one or more distributed intrusion signatures to be monitored.
  - 23. The method as claimed in claim 22 wherein the step of weighting includes weighting based on how recently an intrusion signature was detected, the severity of the potential harm to the network system, least lost performance by the one or more of the plurality of network devices performing the monitoring, or randomness.
  - 24. The method as claimed in claim 18 further comprising the step of distributing an intrusion detection function with the distribution of the one or more intrusion signatures.
  - 25. The method as claimed in claim 18 wherein the step of monitoring is performed by an IDS function including a library of intrusion signatures and the step of dynamically distributing the one or more intrusion signatures includes updating the library of intrusion signatures.

26. A system for improving the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the system comprising:
- a. an analysis function designed to receive trigger information, determine whether and where to dynamically distribute one or more intrusion signatures to one or more of the plurality of network devices; and
  
  b. an intrusion detection function to monitor for the one or more dynamically distributed intrusion signatures.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 27. The system as claimed in claim 26 wherein the analysis function is embodied in a server.
  - 28. The system as claimed in claim 27 wherein the server is centralized.
  - 29. The system as claimed in claim 27 wherein the server is distributed.
  - 30. The system as claimed in claim 26 wherein the intrusion detection function is embodied in an intrusion detection system.
  - 31. The system as claimed in claim 26 wherein the analysis function includes one or more algorithms designed to identify the intrusion signatures to be distributed or selected from a cached or stored library and the one or more of the plurality of network devices subject of the distribution or selection.
  - 32. The system as claimed in claim 31 wherein the analysis function is further designed to weight the importance of the one or more distributed intrusion signatures to be monitored and provides the weighting to the intrusion detection function for the monitoring.
  - 33. The system as claimed in claim 32 wherein the weighting is based on how recently an intrusion signature was detected, the severity of the potential harm to the network system, least lost performance by the one or more of the plurality of network devices performing the monitoring, or randomness.
  - 34. The system as claimed in claim 26 wherein the analysis function is further designed to distribute the intrusion detection function to a select one or more of the plurality of network devices with the distribution of the one or more intrusion signatures.
  - 35. The system as claimed in claim 34 wherein at least one of the one or more selected network devices is selected from the group consisting of routers and switches.
  - 36. The system as claimed in claim 26 further comprising a library of intrusion signatures associated with the intrusion detection function.
  - 37. The system as claimed in claim 36 wherein the library is distributed among two or more of the plurality of network devices.
  - 38. The system as claimed in claim 37 wherein the library is cached or stored on the two or more of the plurality of network devices, or dynamically loaded by the analysis function.
  - 39. The system as claimed in claim 26 wherein the intrusion detection function is cached or stored on one or more of the plurality of network devices and activated by the analysis function upon selecting, dynamically distributing, or both, the one or more intrusion signatures.
  - 40. The system as claimed in claim 26 wherein the trigger condition is selected from the group consisting of detection of one or more known intrusion signatures, a time period, a data frequency, a security event alarm, and a manual input.
  - 41. The system as claimed in claim 26 wherein the analysis function is embodied in a server function including a central library of intrusion signatures, and a plurality of algorithms to identify the one or more intrusion signatures of the library to be dynamically distributed.
  - 42. The system as claimed in claim 41 wherein the server function is designed to establish a priority of monitoring by the intrusion detection function.
  - 43. The system as claimed in claim 42 wherein the analysis function is designed to dynamically update the distribution of the one or more intrusion signatures based on receiving monitoring information.
  - 44. The system as claimed in claim 41 wherein the server function is distributed.

45. A method to improve the detection of triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the step of distributing an intrusion detection function to one or more of the plurality of network devices upon detection of a distribution triggering condition.
- View Dependent Claims (46, 47)
- - 46. The method as claimed in claim 45 wherein the step of distributing includes distributing the intrusion detection function to one or more network devices with no intrusion detection capability or activating the intrusion detection function stored or cached on one or more network devices.
  - 47. The method as claimed in claim 45 wherein the distribution triggering condition is selected from the group consisting of detection of one or more known intrusion signatures, a time period, a data frequency, and a manual input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Roese, John J., Graham, Richard W.

Granted Patent

US 8,347,375 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System and method for dynamic distribution of intrusion signatures

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic distribution of intrusion signatures

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links