Apparatus and method for accelerating intrusion detection and prevention systems using pre-filtering
Abstract
An accelerated network intrusion detection and prevention system includes, in part, first, second and third processing stages. The first processing stage receives incoming packets and generates, in response, first and second processed data streams using a first set of rules. The first processing stage optionally detects whether the received packets are suspected of attacking the network and places the received data packets in the first processed data stream. The second processing stage receives the first processed data stream and generates, in response, a third processed data stream using a second set of rules. The second processing stage optionally classifies the first processed data stream, that is suspected of launching a network attack, as either attacks or benign network traffic. A third processing stage receives and processes the second and third processed data streams.
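An added sketch of the three-stage flow in the abstract (not code from the patent). It assumes stage one uses cheap literal checks and stage two uses regular expressions, an assignment the page does not state; the rules, payloads and forward/drop verdicts are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    literal: bytes       # lowercase substring every match of `pattern` must contain
    pattern: re.Pattern  # full, more expensive check

# Constructed rules for illustration (assumption, not from the patent).
RULES = [
    Rule("path-traversal", b"../", re.compile(rb"GET\s+\S*(\.\./){2,}")),
    Rule("sql-union", b"union", re.compile(rb"union\s+(all\s+)?select", re.I)),
]

def stage1_prefilter(packets):
    """First rule set: split input into first (suspect) and second streams."""
    first, second = [], []
    for pkt in packets:
        low = pkt.lower()
        hits = [r for r in RULES if r.literal in low]
        (first if hits else second).append((pkt, hits))
    return first, second

def stage2_classify(first):
    """Second rule set: full patterns run only on suspects; emits third stream."""
    return [(pkt, [r.name for r in hits if r.pattern.search(pkt)])
            for pkt, hits in first]

def stage3_process(second, third):
    """Receives the second and third streams; here it records a verdict."""
    verdicts = {pkt: "forward" for pkt, _ in second}
    for pkt, matched in third:
        verdicts[pkt] = "drop:" + ",".join(matched) if matched else "forward"
    return verdicts

def run(packets):
    first, second = stage1_prefilter(packets)
    return stage3_process(second, stage2_classify(first))

SAMPLE = [  # constructed payloads
    b"GET /index.html HTTP/1.1",
    b"GET /static/../img/logo.png HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",
    b"GET /q?id=1 UNION ALL SELECT name FROM users HTTP/1.1",
    b"POST /forum body=credit union opening hours",
]
```

The pre-filter may over-select (two benign payloads reach stage two) but must never under-select, which is why each literal is chosen as a substring that any match of its pattern necessarily contains.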
53 Claims
1. A network intrusion detection system comprising:
a first processing stage configured to receive and process one or more input network packets to generate one of at least a first or second processed data streams using a first set of rules;
a second processing stage configured to receive the first processed data stream and to generate in response a third processed data stream using a second set of rules; and
a third processing stage configured to receive and process the second processed data stream from the first processing stage and to receive and process the third processed data stream from the second processing stage.
14. The system of claim 13 wherein said rules include literals and regular expression patterns.
15. The system of claim 13 wherein said rules are defined by network and packet characteristics and properties derived from network and packet characteristics.
29. A method for detecting network intrusion, the method comprising:
processing one or more input network packets at a first processing stage to generate one of at least a first or second processed data streams using a first set of rules;
generating a third processed data stream at a second processing stage from the first processed data stream and in accordance with a second set of rules; and
supplying the second and third processed data streams to a third processing stage.
Specification