METHOD OF OPERATING AN INTRUSION DETECTION SYSTEM
Abstract
A method of operating an intrusion detection system. The system determines occurrence of a signature event indicative of a denial of service intrusion on a protected device. A value of a signature event counter is increased. The value of the signature event counter is adjusted to not include a count of signature events past a sliding window. The value of the signature event counter is determined to exceed a signature threshold quantity, followed by generation of an alert at a time subsequently recorded in a log. The log is cleared of entries past a permissible age. A present alert generation rate is determined as a ratio of the total number of timestamps in the log to the permissible age. The present alert generation rate is ascertained to exceed an alert generation rate threshold. A selected element of the signature set is altered to decrease the alert generation rate.
23 Citations
20 Claims
1. A method of operating an intrusion detection system, said method comprising:
monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises a signature file and a log, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, responsive to said monitoring, determining that the signature event occurs, and increasing a value of the signature event counter;
adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval;
after said determining that the signature event occurs, determining that the value of the signature event counter exceeds the signature threshold quantity;
responsive to said determining that the value of the signature event counter exceeds the signature threshold quantity, generating an alert;
after said generating the alert, recording in a log a timestamp denoting a time of said generating the alert;
after said recording the timestamp in the log, clearing the log of any entries that are past a permissible age;
after said clearing the log, determining a present alert generation rate as a ratio of the total number of timestamps in the log to the permissible age;
after said determining the present alert generation rate, ascertaining that the present alert generation rate exceeds an alert generation rate threshold; and
responsive to said ascertaining, altering a selected element of the elements of the signature set to decrease a rate at which alerts are generated.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. Programmable media containing programmable software for operation of an intrusion detection system, said programmable software configured to implement a method by being executed by a processor, said method comprising:
monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises a signature file and a log, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, responsive to said monitoring, determining that the signature event occurs, and increasing a value of the signature event counter;
adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval;
after said determining that the signature event occurs, determining that the value of the signature event counter exceeds the signature threshold quantity;
responsive to said determining that the value of the signature event counter exceeds the signature threshold quantity, generating an alert;
after said generating the alert, recording in a log a timestamp denoting a time of said generating the alert;
after said recording the timestamp in the log, clearing the log of any entries that are past a permissible age;
after said clearing the log, determining a present alert generation rate as a ratio of the total number of timestamps in the log to the permissible age;
after said determining the present alert generation rate, ascertaining that the present alert generation rate exceeds an alert generation rate threshold; and
responsive to said ascertaining, altering a selected element of the elements of the signature set to decrease a rate at which alerts are generated.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
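The steps recited in the abstract and in claims 1 and 11 describe one algorithm: a per-signature event counter trimmed to a sliding window, an alert when the count exceeds the threshold quantity, an alert log trimmed to a permissible age, an alert generation rate computed as log size over permissible age, and a self-adjustment of the signature set when that rate is too high. The following is a worked implementation added here for illustration only; it is not code from the patent, its assignee, or any product. The class and function names (SignatureSet, AdaptiveIDS, observe, damp, run_flood_demo), the millisecond integer timestamps, the constructed SYN/ACK event trace, the choice of the threshold quantity as the "selected element" to alter (doubling it), and the max_threshold_quantity cap are all assumptions of this example and are not specified by the claims.

```python
# Added worked example (not code from the patent): the adaptive signature
# counter of claims 1 and 11, run over a constructed SYN-flood trace.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SignatureSet:
    """Elements of one signature set, as enumerated in the claim."""
    signature_id: str
    event: str                 # the signature event to match, e.g. "SYN"
    threshold_quantity: int    # alert once the window count exceeds this
    threshold_interval: int    # sliding window length in ms (signature threshold interval)
    # The "signature event counter": timestamps of events still inside the
    # window, so len(event_times) is the count after the sliding-window adjustment.
    event_times: deque = field(default_factory=deque)


@dataclass
class AdaptiveIDS:
    signature: SignatureSet
    permissible_age: int          # alert-log retention in ms
    alert_rate_threshold: float   # alerts per second above which damping kicks in
    max_threshold_quantity: int   # ceiling on damping (assumption, not in the claim)
    alert_log: deque = field(default_factory=deque)   # alert timestamps (the "log")
    alerts: list = field(default_factory=list)        # (time_ms, signature_id, count)

    def observe(self, event: str, now: int) -> bool:
        """Process one observed event at time `now` (ms). Returns True if an alert fired."""
        sig = self.signature
        if event != sig.event:
            return False
        sig.event_times.append(now)                     # increase the signature event counter
        while sig.event_times and now - sig.event_times[0] > sig.threshold_interval:
            sig.event_times.popleft()                   # drop events past the sliding window
        if len(sig.event_times) <= sig.threshold_quantity:
            return False
        self.alerts.append((now, sig.signature_id, len(sig.event_times)))   # generate alert
        self.alert_log.append(now)                      # record alert timestamp in the log
        while self.alert_log and now - self.alert_log[0] > self.permissible_age:
            self.alert_log.popleft()                    # clear entries past permissible age
        # present alert generation rate: timestamps in the log over the permissible age
        rate = len(self.alert_log) / (self.permissible_age / 1000.0)   # alerts per second
        if rate > self.alert_rate_threshold:
            self.damp()
        return True

    def damp(self) -> None:
        """Alter the selected element (here: threshold quantity) to lower the alert rate."""
        sig = self.signature
        sig.threshold_quantity = min(sig.threshold_quantity * 2, self.max_threshold_quantity)


def make_ids() -> AdaptiveIDS:
    # Hypothetical signature: more than 5 SYNs within any 1 s window alerts;
    # more than 0.5 alerts/s over a 10 s log triggers damping.
    sig = SignatureSet("DOS-SYN-001", "SYN", threshold_quantity=5, threshold_interval=1000)
    return AdaptiveIDS(sig, permissible_age=10_000, alert_rate_threshold=0.5,
                       max_threshold_quantity=1000)


def run_flood_demo() -> dict:
    """Constructed trace: one SYN every 100 ms for 3 s, with benign ACKs in between."""
    ids = make_ids()
    events = []
    for i in range(1, 31):
        events.append((i * 100, "SYN"))
        events.append((i * 100 + 50, "ACK"))   # benign; never matches the signature event
    for now, kind in events:
        ids.observe(kind, now)
    return {
        "alerts": len(ids.alerts),
        "first_alert_ms": ids.alerts[0][0],
        "last_alert_ms": ids.alerts[-1][0],
        "final_threshold_quantity": ids.signature.threshold_quantity,
    }


if __name__ == "__main__":
    print(run_flood_demo())
```

In this trace the counter first exceeds 5 at 600 ms and alerts on every SYN thereafter; by 1100 ms the log holds six alerts, the rate of 0.6/s exceeds the 0.5/s threshold, and the threshold quantity is doubled twice (to 20), after which the steady window count of 11 produces no further alerts. The cap in damp() is the practitioner's check on this design: because the adjustment is driven by observed alert volume, an attacker who can generate alert bursts can push the threshold upward and then run a sustained attack below it, so the altered element should be bounded and every alteration should itself be logged.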
Specification