Device, system and method for use of micro-policies in intrusion detection/prevention
First Claim
1. A method performed in an intrusion detection/prevention system, for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:
- monitoring transmissions in a particular flow;
- binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
- applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow, wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
Abstract
A method, computer system and/or computer readable medium associates attack detection/prevention rules with a target in a communication network. The attack detection/prevention rules are provided for the target without differentiation as to flows. A particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target. A micro-policy is bound to a target of the particular flow based on monitored transmissions. The micro-policy that was bound to the target of the particular flow is applied to the target to detect an intrusion in the particular flow. Binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
20 Claims
1. A method performed in an intrusion detection/prevention system, for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:
- monitoring transmissions in a particular flow;
- binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
- applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow, wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable medium comprising instructions being executed by a computer, the instructions including a computer-implemented method for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, the instructions for implementing:
- monitoring transmissions in a particular flow;
- binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
- applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow, wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer system for detecting or preventing intrusions, for use with attack detection/prevention rules, with a target in the communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:
- a monitor unit configured to facilitate monitoring transmissions in a particular flow;
- a binder unit configured for binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
- an application unit configured to facilitate applying the micro-policy to the target to detect/prevent an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow, wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
Dependent claims: 16, 17, 18, 19, 20.
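The three independent claims describe the same procedure in method, medium and system form: monitor a flow, bind a micro-policy (the subset of the undifferentiated rule set that is specific to the flow's port, protocol, machine family and version) to the flow's target, and evaluate only that subset. The Python below is an added illustration of that procedure and is not code from the patent or from any product. The rule set, the `Server:` banner and the parenthesised OS hint it parses, the hosts and the transmissions are all constructed sample data; the `*` wildcard and prefix matching of version strings are my assumptions about how "specific to" would be implemented. The point it shows is that a rule written for a different platform (IIS on Windows) is never evaluated against a Linux/Apache target once the micro-policy is bound, even when a payload would have matched it, whereas the full rule set fires on it.

```python
"""Micro-policy binding for an IDS: bind to a target only the rules specific
to the observed flow, then apply just those rules.  Added illustration with
constructed data; not the patent's or any vendor's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"  # wildcard: the rule does not constrain this attribute (assumption)


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    port: object        # int or ANY
    protocol: str       # "tcp", "udp" or ANY
    family: str         # machine family, e.g. "linux", "windows", or ANY
    version: str        # service/version prefix, e.g. "apache/2.4", or ANY
    pattern: str        # regex evaluated against the payload


@dataclass
class TargetProfile:
    """What monitoring the flow has revealed about its target."""
    port: int
    protocol: str
    family: Optional[str] = None
    version: Optional[str] = None


@dataclass(frozen=True)
class Transmission:
    dst: str
    port: int
    protocol: str
    payload: str


# Constructed rule set, provided "without differentiation as to flows".
RULES = [
    Rule(1001, "Apache path traversal attempt", 80, "tcp", "linux", "apache/2.4", r"\.\./\.\./"),
    Rule(1002, "IIS unicode traversal attempt", 80, "tcp", "windows", "iis/6", r"%c0%af"),
    Rule(1003, "Generic HTTP traversal", 80, "tcp", ANY, ANY, r"\.\./"),
    Rule(1004, "SMB null session", 445, "tcp", "windows", ANY, r"IPC\$"),
    Rule(1005, "DNS oversized TXT record", 53, "udp", ANY, ANY, r"TXT.{255,}"),
]

# Constructed banner formats; real fingerprinting would use many more signals.
BANNER = re.compile(r"Server:\s*(?P<service>[A-Za-z]+)/(?P<ver>[\d.]+)", re.I)
OS_HINT = re.compile(r"\((?P<family>Linux|Windows|Unix)\)", re.I)


def monitor(transmissions: List[Transmission]) -> TargetProfile:
    """Step 1: watch the flow and profile its target from what is observed."""
    first = transmissions[0]
    profile = TargetProfile(port=first.port, protocol=first.protocol)
    for t in transmissions:
        m = BANNER.search(t.payload)
        if m and profile.version is None:
            profile.version = f"{m['service'].lower()}/{m['ver']}"
        m = OS_HINT.search(t.payload)
        if m and profile.family is None:
            profile.family = m["family"].lower()
    return profile


def _field_matches(rule_value, observed, prefix: bool = False) -> bool:
    if rule_value == ANY:
        return True
    if observed is None:      # attribute never observed: only wildcard rules qualify
        return False
    return observed.startswith(rule_value) if prefix else rule_value == observed


def bind_micro_policy(rules: List[Rule], profile: TargetProfile) -> List[Rule]:
    """Step 2: select only rules specific to the flow's port, protocol, family and version."""
    return [r for r in rules
            if _field_matches(r.port, profile.port)
            and _field_matches(r.protocol, profile.protocol)
            and _field_matches(r.family, profile.family)
            and _field_matches(r.version, profile.version, prefix=True)]


def apply_policy(policy: List[Rule], transmissions: List[Transmission]) -> List[Tuple[int, str]]:
    """Step 3: evaluate only the bound rules against the flow; return (sid, msg) alerts."""
    return [(r.sid, r.msg) for t in transmissions for r in policy
            if re.search(r.pattern, t.payload)]


# Constructed flow to a Linux/Apache host: the reply banner reveals platform and
# version; later requests carry one Apache-style and one IIS-style traversal probe.
FLOW = [
    Transmission("10.0.0.5", 80, "tcp", "GET / HTTP/1.1\r\nHost: www\r\n"),
    Transmission("10.0.0.5", 80, "tcp", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Linux)\r\n"),
    Transmission("10.0.0.5", 80, "tcp", "GET /../../etc/passwd HTTP/1.1\r\n"),
    Transmission("10.0.0.5", 80, "tcp", "GET /..%c0%af..%c0%af HTTP/1.1\r\n"),
]


def run(rules=RULES, flow=FLOW):
    """Return (profile, bound sids, micro-policy alert sids, full-rule-set alert sids)."""
    profile = monitor(flow)
    policy = bind_micro_policy(rules, profile)
    return (profile, [r.sid for r in policy],
            [sid for sid, _ in apply_policy(policy, flow)],
            [sid for sid, _ in apply_policy(rules, flow)])


if __name__ == "__main__":
    profile, bound, micro_alerts, full_alerts = run()
    print("profile:", profile)
    print("micro-policy:", bound, "alerts:", micro_alerts)
    print("full rule set alerts:", full_alerts)
```

When nothing in the flow has revealed the family or version, `bind_micro_policy` keeps only rules that wildcard those attributes, so an unprofiled target is covered by generic rules rather than by none at all; whether to fall back to the full set instead is a policy decision for the deployment.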