METHOD OF OPERATING AN INTRUSION DETECTION SYSTEM

US 20080077989A1
Filed: 08/20/2007
Published: 03/27/2008
Est. Priority Date: 09/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method of operating an intrusion detection system, said method comprising:

monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises a signature file and a log, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, responsive to said monitoring, determining that the signature event occurs, and increasing a value of the signature event counter;

adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval;

after said determining that the signature event occurs, determining that the value of the signature event counter exceeds the signature threshold quantity;

responsive to said determining that the value of the signature event counter exceeds the signature threshold quantity, generating an alert;

after said generating the alert, recording in a log a timestamp denoting a time of said generating the alert;

after said recording the timestamp in the log, clearing the log of any entries that are past a permissible age;

after said clearing the log, determining a present alert generation rate as a ratio of the total number of timestamps in the log to the permissible age;

after said determining the present alert generation rate, ascertaining that the present alert generation rate exceeds an alert generation rate threshold; and

responsive to said ascertaining, altering a selected element of the elements of the signature set to decrease a rate at which alerts are generated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating an intrusion detection system. The system determines occurrence of a signature event indicative of a denial of service intrusion on a protected device. A value of a signature event counter is increased. The value of the signature event counter is adjusted to not include a count of signature events past a sliding window. The value of the signature event counter is determined to exceed a signature threshold quantity, followed by generation of an alert at a time subsequently recorded in a log. The log is cleared of entries past a permissible age. A present alert generation rate is determined as a ratio of the total number of timestamps in the log to the permissible age. The present alert generation rate is ascertained to exceed an alert generation rate threshold. A selected element of the signature set is altered to decrease the alert generation rate.

23 Citations

View as Search Results

20 Claims

1. A method of operating an intrusion detection system, said method comprising:
- monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises a signature file and a log, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, responsive to said monitoring, determining that the signature event occurs, and increasing a value of the signature event counter;
  
  adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval;
  
  after said determining that the signature event occurs, determining that the value of the signature event counter exceeds the signature threshold quantity;
  
  responsive to said determining that the value of the signature event counter exceeds the signature threshold quantity, generating an alert;
  
  after said generating the alert, recording in a log a timestamp denoting a time of said generating the alert;
  
  after said recording the timestamp in the log, clearing the log of any entries that are past a permissible age;
  
  after said clearing the log, determining a present alert generation rate as a ratio of the total number of timestamps in the log to the permissible age;
  
  after said determining the present alert generation rate, ascertaining that the present alert generation rate exceeds an alert generation rate threshold; and
  
  responsive to said ascertaining, altering a selected element of the elements of the signature set to decrease a rate at which alerts are generated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the permissible age is equal to a ratio of a cap upon a rate of generation of alerts to the alert generation rate threshold.
  - 3. The method of claim 1, wherein the intrusion detection system comprises an intrusion detection sensor configured to generate alerts, wherein the intrusion detection sensor comprises a governor and the signature file, and wherein the governor includes the log.
  - 4. The method of claim 3, wherein the log consists of a list of timestamps that record the times at which the intrusion detection sensor generates alerts.
  - 5. The method of claim 1, wherein the selected element is the signature threshold quantity, and wherein said altering the selected element comprises increasing the signature threshold quantity.
  - 6. The method of claim 1, wherein the selected element is the signature threshold interval, and wherein said altering the selected element comprises decreasing the signature threshold interval.
  - 7. The method of claim 1, wherein said generating the alert comprises alerting an administrator of suspected denial of service intrusions upon the protected device.
  - 8. The method of claim 1, wherein the protected device is selected from the group consisting of a computer, a web server, and a workstation.
  - 9. The method of claim 1, said method further comprising:
    - awaiting, by the governor, for occurrence of a scheduled update time;
      
      for each scheduled update time occurrence;
      
      clearing the log of any entries that are past the permissible age, followed by determining the current alert generation rate as ratio of the total number of timestamps in the log to the permissible age.
  - 10. The method of claim 1, wherein after said ascertaining and before said altering, the method further comprises determining that the signature set is at its initial state at which no changes in the signature set have been made.

11. Programmable media containing programmable software for operation of an intrusion detection system, said programmable software configured to implement a method by being executed by a processor, said method comprising:
- monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises a signature file and a log, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, responsive to said monitoring, determining that the signature event occurs, and increasing a value of the signature event counter;
  
  adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval;
  
  after said determining that the signature event occurs, determining that the value of the signature event counter exceeds the signature threshold quantity;
  
  responsive to said determining that the value of the signature event counter exceeds the signature threshold quantity, generating an alert;
  
  after said generating the alert, recording in a log a timestamp denoting a time of said generating the alert;
  
  after said recording the timestamp in the log, clearing the log of any entries that are past a permissible age;
  
  after said clearing the log, determining a present alert generation rate as a ratio of the total number of timestamps in the log to the permissible age;
  
  after said determining the present alert generation rate, ascertaining that the present alert generation rate exceeds an alert generation rate threshold; and
  
  responsive to said ascertaining, altering a selected element of the elements of the signature set to decrease a rate at which alerts are generated.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The programmable media of claim 11, wherein the permissible age is equal to a ratio of a cap upon a rate of generation of alerts to the alert generation rate threshold.
  - 13. The programmable media of claim 11, wherein the intrusion detection system comprises an intrusion detection sensor configured to generate alerts, wherein the intrusion detection sensor comprises a governor and the signature file, and wherein the governor includes the log.
  - 14. The programmable media of claim 13, wherein the log consists of a list of timestamps that record the times at which the intrusion detection sensor generates alerts.
  - 15. The programmable media of claim 11, wherein the selected element is the signature threshold quantity, and wherein said altering the selected element comprises increasing the signature threshold quantity.
  - 16. The programmable media of claim 11, wherein the selected element is the signature threshold interval, and wherein said altering the selected element comprises decreasing the signature threshold interval.
  - 17. The programmable media of claim 11, wherein said generating the alert comprises alerting an administrator of suspected denial of service intrusions upon the protected device.
  - 18. The programmable media of claim 11, wherein the protected device is selected from the group consisting of a computer, a web server, and a workstation.
  - 19. The programmable media of claim 11, said method further comprising:
    - awaiting, by the governor, for occurrence of a scheduled update time;
      
      for each scheduled update time occurrence;
      
      clearing the log of any entries that are past the permissible age, followed by determining the current alert generation rate as ratio of the total number of timestamps in the log to the permissible age.
  - 20. The programmable media of claim 11, wherein after said ascertaining and before said altering, the method further comprises determining that the signature set is at its initial state at which no changes in the signature set have been made.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Brock, Ashley, Bardsley, Jeffrey, Kim, Nathaniel, Lingafelt, Charles

Granted Patent

US 7,730,537 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

METHOD OF OPERATING AN INTRUSION DETECTION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHOD OF OPERATING AN INTRUSION DETECTION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others