Device, system and method for use of micro-policies in intrusion detection/prevention

US 20080196102A1
Filed: 10/05/2007
Published: 08/14/2008
Est. Priority Date: 10/06/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method performed in an intrusion detection/prevention system, for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:

monitoring transmissions in a particular flow;

binding a micro-policy to a target of the particular flow based on the monitored transmissions; and

applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow,wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer system and/or computer readable medium, associates attack detection/prevention rules with a target in a communication network. The attack detection/prevention rules are provided for the target without differentiation as to flows. A particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target. A micro-policy is bound to a target of the particular flow based on monitored transmissions. The micro-policy that was bound to the target of the particular flow, is applied to the target to detect an intrusion in the particular flow. Binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.

160 Citations

View as Search Results

20 Claims

1. A method performed in an intrusion detection/prevention system, for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:
- monitoring transmissions in a particular flow;
  
  binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
  
  applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow,wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further comprising binding a new micro-policy to the target when there is a new flow to the target.
  - 3. The method according to claim 1, wherein there are plural micro-policies, the micro-policies utilizing an attribute table with plural entries indicating:
    - an internet protocol (ip) address, an operating system, a protocol, and a micro-policy that is to be bound for the ip address, the operating system, and the protocol,wherein the micro-policies in the attribute table are addressable by the ip address,wherein the selecting includes addressing the attribute table by the ip address in transmissions in the particular flow to locate the micro-policy indicated in the attribute table that is to be bound, wherein the located micro-policy is used as the selected micro-policy.
  - 4. The method according to claim 1, wherein the rules which are selected further are limited to a network service associated with the particular flow.
  - 5. The method according to claim 1, wherein the monitoring is performed in accordance with a TCP layer.
  - 6. The method according to claim 1, further comprising performing a matching via a fast pattern matcher with a subset of possible detections utilizing a finite state machine to determine the attack prevention/detection rules which are relevant to the target of the particular flow.
  - 7. The method according to claim 1, wherein the applying includes forwarding the rules in the micro-policy to an intrusion detection/prevention engine.

8. A computer-readable medium comprising instructions being executed by a computer, the instructions including a computer-implemented method for associating attack detection/prevention rules with a target in a communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, the instructions for implementing:
- monitoring transmissions in a particular flow;
  
  binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
  
  applying the micro-policy to the target to detect an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow,wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium according to claim 8, further comprising instructions for binding a new micro-policy to the target when there is a new flow to the target.
  - 10. The computer-readable medium according to claim 8, wherein there are plural micro-policies, the micro-policies utilizing an attribute table with plural entries indicating:
    - an internet protocol (ip) address, an operating system, a protocol, and micro-policy that is to be bound for the ip address, the operating system, and the protocol,wherein the micro-policies in the attribute table are addressable by the ip address,wherein the selecting includes addressing the attribute table by the ip address in transmissions in the particular flow to locate the micro-policy indicated in the attribute table that is to be bound, wherein the located micro-policy is used as the selected micro-policy.
  - 11. The computer-readable medium according to claim 8, wherein the rules which are selected further are limited to a network service associated with the particular flow.
  - 12. The computer-readable medium according to claim 8, wherein the monitoring is performed in accordance with a TCP layer.
  - 13. The computer-readable medium according to claim 8, further comprising instructions for performing a matching via a fast pattern matcher with a subset of possible detections utilizing a finite state machine to determine the attack prevention/detection rules which are relevant to the target of the particular flow.
  - 14. The computer-readable medium according to claim 8, wherein the applying includes forwarding the rules in the micro-policy to an intrusion detection/prevention engine.

15. A computer system for detecting or preventing intrusions, for use with attack detection/prevention rules, with a target in the communication network, for a particular flow, wherein the attack detection/prevention rules are provided for the target without differentiation as to flows, wherein a particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target, comprising:
- a monitor unit configured to facilitate monitoring transmissions in a particular flow;
  
  a binder unit configured for binding a micro-policy to a target of the particular flow based on the monitored transmissions; and
  
  an application unit configured to facilitate applying the micro-policy to the target to detect/prevent an intrusion in the particular flow according to the micro-policy rules which were bound to the target of the particular flow,wherein binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system according to claim 15, wherein the binder unit is further configured to bind a new micro-policy to the target when there is a new flow to the target.
  - 17. The computer system according to claim 15, wherein there are plural micro-policies, the micro-policies utilizing an attribute table with plural entries indicating:
    - an internet protocol (ip) address, an operating system, a protocol, a micro-policy that is to be bound for the ip address, the operating system and the protocol,wherein the micro-policies in the attribute table are addressable by the ip address,wherein the selecting includes addressing the attribute table by the ip address in transmissions in the particular flow to locate the micro-policy indicated in the attribute table that is to be bound, wherein the located micro-policy is used as the selected micro-policy.
  - 18. The computer system according to claim 15, wherein the rules which are selected further are limited to a network service associated with the particular flow.
  - 19. The computer system according to claim 15, further comprising a receiving unit configured to facilitate receiving transmissions, whereinthe transmissions are received in accordance with a TCP layer, and the monitoring is performed in accordance with the TCP layer.
  - 20. The computer system according to claim 15, wherein the selecting is performed by a fast pattern matcher with a subset of possible detections utilizing a finite state machine to determine the attack prevention/detection rules which are relevant to the target of the particular flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Roesch, Martin Frederick

Application Number

US11/905,980
Publication Number

US 20080196102A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

Device, system and method for use of micro-policies in intrusion detection/prevention

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for use of micro-policies in intrusion detection/prevention

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links