Detecting public network attacks using signatures and fast content analysis
Abstract
Detecting attacks against computer systems by automatically detecting signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages, and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the amount of resources which are necessary to establish the commonalities. In an embodiment, signatures are created based on the data reduction hash technique. Frequent signatures are found by reducing the signatures using that hash technique. Each of the frequent signatures is analyzed for content, and content which is spreading is flagged as being a possible attack. Additional checks can also be carried out to look for code within the signal, to look for spam, backdoors, or program code.
Claims (87 in total; independent claims shown)
1. A method comprising:
obtaining a portion of data to be analyzed to determine a network attack;
carrying out a data reduction on said portion to reduce said data portion to a reduced data portion in a repeatable manner; and
analyzing a plurality of said reduced data portions to detect common elements within said reduced data portion, said analyzing reviewing for common content indicative of a network attack.
Dependent claims: 2-35, 37, 40-42, 44, 46-50, 52-55.
36. An apparatus comprising:
a signature generator, having a connection to a network, to obtain a portion of data from the network, operating to carry out a data reduction on said data portion to reduce said data portion to a reduced data portion in a repeatable manner; and
a memory, storing said reduced data portions; and
wherein said signature generator also operates to detect common elements within said reduced data portion, said analyzing reviewing for common content indicative of a network attack.
Dependent claims: 38, 39, 43, 45, 51, 56-68.
69. A method, comprising:
monitoring network content on a network, and obtaining at least a portion of data on said network;
data reducing said portion of data using a data reduction function which reduces said portion of data to a reduced data portion in a repeatable manner, such that each portion which has the same content is reduced to the same reduced data portion;
analyzing said reduced data portion to find network content which repeats a specified number of times, and to establish said network content which repeats said specified number of times as frequent content;
identifying address information which includes at least one of a source information or destination information for sources and/or destinations, of said frequent content, and determining if a number of sources and/or destinations for said frequent content is increasing; and
identifying the frequent content as associated with a network attack, based on said identifying.
Dependent claims: 70-79.
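The abstract and claim 69 together describe one pipeline: hash fixed portions of payload so identical content collapses to the same value, count how often each value recurs, and then check whether the set of sources and destinations carrying that content keeps growing before calling it a spreading attack. The following is an added example written for this page, not code from the patent or its assignee. It assumes a 16-byte sliding window as the "portion of data", a truncated SHA-256 as the unspecified hash function, constructed sample traffic rather than captures, and tuning thresholds (PREVALENCE, DISPERSION) that are assumptions; it also chooses to require growth in both the source and destination sets, which is one reading of the claim's "and/or".

```python
"""Content sifting: hash-based frequent-content detection with address dispersion.

Added example, not the patent's own code. Assumptions are marked below.
"""
import hashlib
from collections import defaultdict

WINDOW = 16        # bytes per content window (assumed tuning value)
PREVALENCE = 4     # packets carrying a window before it counts as "frequent" (assumed)
DISPERSION = 3     # distinct sources AND distinct destinations required (assumed)


def reduce_window(chunk: bytes) -> int:
    """Repeatable data reduction: identical bytes always map to the same 64-bit value.
    Truncated SHA-256 stands in for the hash function the abstract leaves unspecified."""
    return int.from_bytes(hashlib.sha256(chunk).digest()[:8], "big")


def windows(payload: bytes, size: int):
    """Yield every distinct size-byte window of a payload (the whole payload if shorter)."""
    if len(payload) <= size:
        yield payload
        return
    seen = set()
    for i in range(len(payload) - size + 1):
        w = payload[i:i + size]
        if w not in seen:          # one packet contributes each window at most once
            seen.add(w)
            yield w


class ContentSifter:
    """Counts reduced data portions and tracks how far each one has spread."""

    def __init__(self, window=WINDOW, prevalence=PREVALENCE, dispersion=DISPERSION):
        self.window, self.prevalence, self.dispersion = window, prevalence, dispersion
        self.count = defaultdict(int)      # reduced portion -> packets carrying it
        self.sources = defaultdict(set)    # reduced portion -> distinct source addresses
        self.dests = defaultdict(set)      # reduced portion -> distinct destination addresses
        self.content = {}                  # reduced portion -> raw bytes, kept as the IDS signature
        self.flagged = set()

    def observe(self, src: str, dst: str, payload: bytes) -> list:
        """Feed one packet; return the raw windows newly flagged as spreading content."""
        alerts = []
        for w in windows(payload, self.window):
            h = reduce_window(w)
            self.count[h] += 1
            self.sources[h].add(src)
            self.dests[h].add(dst)
            self.content.setdefault(h, w)
            # frequent content whose source and destination sets both keep growing
            if (h not in self.flagged
                    and self.count[h] >= self.prevalence
                    and len(self.sources[h]) >= self.dispersion
                    and len(self.dests[h]) >= self.dispersion):
                self.flagged.add(h)
                alerts.append(w)
        return alerts


# Constructed traffic, not captures: a popular request and a self-propagating payload.
WEB_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
WORM = b"EXAMPLE-WORM-STAGE1 " + b"\x90" * 24 + b" CONSTRUCTED-NOT-REAL-CODE"

# six clients fetch the same page from one server: frequent, but only one destination
BENIGN = [(f"10.0.0.{i}", "10.0.1.1", WEB_REQUEST) for i in range(1, 7)]
# each newly infected host sends the same payload on to a host not seen before
SPREAD = [("10.1.0.1", "10.1.0.2"), ("10.1.0.1", "10.1.0.3"),
          ("10.1.0.2", "10.1.0.4"), ("10.1.0.3", "10.1.0.5"),
          ("10.1.0.4", "10.1.0.6")]


def run_demo() -> dict:
    """Run both traffic sets through one sifter and report what was flagged and when."""
    sifter = ContentSifter()
    benign_alerts = sum(len(sifter.observe(s, d, p)) for s, d, p in BENIGN)
    first_alert, signatures = None, []
    for n, (src, dst) in enumerate(SPREAD, 1):
        hits = sifter.observe(src, dst, WORM)
        if hits and first_alert is None:
            first_alert = n            # 1-based index of the packet that tripped the alert
        signatures.extend(hits)
    return {"benign_alerts": benign_alerts, "first_alert": first_alert,
            "signatures": signatures}


if __name__ == "__main__":
    result = run_demo()
    print("benign alerts:", result["benign_alerts"])
    print("first alert at spread packet:", result["first_alert"])
    print("signature windows:", len(result["signatures"]))
```

With these thresholds the popular request never fires, because every copy goes to the same server, while the propagating payload is flagged on the fourth packet, the first point at which its content has been seen four times from three distinct senders to three or more distinct receivers. The raw windows returned by observe() are what claim 80 hands to the intrusion detection system as frequent-content signatures; in a real deployment the window size, thresholds, and per-packet sampling rate are what decide the false-positive rate against large legitimate flows.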
80. A system, comprising:
a signature generator, monitoring network content to obtain at least a portion of data from said network, and to data reduce said portion according to a data reduction function which reduces said portion to a reduced data portion in a repeatable manner such that each portion which has the same content is reduced to the same reduced data portion;
a memory, storing said reduced data portion;
wherein said signature generator counts a number of said reduced data portions and establishes said reduced data portion as frequent content based on said counting, and produces information indicative of said reduced data portion; and
an intrusion detection system, operating to protect a network against attacks, said intrusion detection system receiving information from said signature generator indicative of said frequent content, and using said information to monitor against said attacks.
Dependent claims: 81-86.
87. An apparatus comprising:
an entry device, having a connection to a network, to obtain a portion of data from the network, operating to carry out a data reduction on said data portion to reduce said data portion to a reduced data portion in a repeatable manner;
a memory, storing said reduced data portions; and
a signature generator that operates to generate signatures that are used to detect common elements within said reduced data portion, said analyzing reviewing for common content indicative of a network attack.
Specification