Source/destination operating system type-based IDS virtualization
Abstract
Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet's source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet's target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased because a much smaller subset of the threat signature universe is used for each OS-specific packet threat vetting operation.
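The claimed pipeline (form reduced signature sets, fingerprint, direct, compare, accept) as an added Python illustration, not code from the patent. The signature universe, the host inventory that stands in for the fingerprinter, and the packet stream are constructed; routing an unfingerprinted host to the full universe is my assumption about safe fallback, not a claim element.

```python
import re

# Constructed signature universe, each tagged with the OS it targets ("any" = every host).
SIGNATURE_UNIVERSE = [
    {"id": "WIN-001", "os": "windows", "pattern": re.compile(rb"\\PIPE\\")},
    {"id": "WIN-002", "os": "windows", "pattern": re.compile(rb"cmd\.exe")},
    {"id": "LNX-001", "os": "linux", "pattern": re.compile(rb"/etc/passwd")},
    {"id": "ANY-001", "os": "any", "pattern": re.compile(rb"<script>")},
]
OS_TYPES = ("windows", "linux")
# Constructed host inventory standing in for the fingerprinter (assumption):
# target OS is looked up by destination address; unlisted hosts are "unknown".
HOST_OS = {"10.0.0.10": "windows", "10.0.0.20": "linux"}

def reduced_signature_sets(universe=SIGNATURE_UNIVERSE):
    """One reduced set per OS; "unknown" keeps the whole universe (costs speed, never coverage)."""
    sets = {ost: [s for s in universe if s["os"] in (ost, "any")] for ost in OS_TYPES}
    sets["unknown"] = list(universe)
    return sets

def fingerprint(packet):
    """Identify the packet's target OS type (destination-host lookup here)."""
    return HOST_OS.get(packet["dst"], "unknown")

def vet(packet, signatures):
    """Virtual IDS step: return (accepted, matching id or None, comparisons made)."""
    for n, sig in enumerate(signatures, 1):
        if sig["pattern"].search(packet["payload"]):
            return False, sig["id"], n
    return True, None, len(signatures)

def process_stream(packets, sets=None):
    """Fingerprint, direct, compare, accept; also count comparisons per virtual IDS."""
    sets = sets or reduced_signature_sets()
    verdicts, work = [], {ost: 0 for ost in sets}
    for pkt in packets:
        os_type = fingerprint(pkt)                     # fingerprinting
        accepted, sig_id, n = vet(pkt, sets[os_type])  # directing + comparing
        work[os_type] += n
        verdicts.append((pkt["dst"], os_type, accepted, sig_id))
    return verdicts, work

# Constructed stream: the Windows-only payload to the Linux host is accepted;
# the same payload to an unfingerprinted host is still caught by the full set.
PACKETS = [
    {"dst": "10.0.0.10", "payload": b"GET /index.html"},
    {"dst": "10.0.0.10", "payload": b"\\PIPE\\svcctl"},
    {"dst": "10.0.0.20", "payload": b"cat /etc/passwd"},
    {"dst": "10.0.0.20", "payload": b"cmd.exe /c dir"},
    {"dst": "10.0.0.30", "payload": b"cmd.exe /c dir"},
]
```

The `work` counts show the saving: the Windows and Linux virtual IDS processes each compare against three or two signatures per packet instead of the full universe of four.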
38 Claims
1. A method of intrusion detection system virtualization, comprising:
receiving a stream of packets;
fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
accepting each said packet based on said comparing.
Dependent claims 2-7 (not shown).
8. A method of intrusion detection system virtualization using operating system type information, comprising:
forming a plurality of reduced threat signature sets from a signature universe based on operating system type;
virtualizing an intrusion detection system (IDS) into a plurality of virtual IDS processes corresponding to said plurality of reduced threat signature sets;
receiving a stream of packets;
fingerprinting each packet in a said stream to identify at least one target operating system type;
directing each said packet to the virtual IDS process corresponding to each said target operating system type;
comparing each said packet to said reduced threat signature set in said virtual IDS process; and
accepting each said packet based on said comparing.
Dependent claims 9-15 and 36-38 (not shown).
16. An apparatus for intrusion detection system (IDS) virtualization, comprising:
a first network interface connected to an unprotected network;
a fingerprinter operably connected to said first network interface for receiving a plurality of packets and configured to determine at least one corresponding target operating system (OS) fingerprint for each said packet;
a director connected to said fingerprinter configured to receive said plurality of packets and said corresponding target OS fingerprints, wherein said director directs each said packet to one or more virtual IDS units according to said at least one corresponding OS fingerprint; and
a second network interface connecting said one or more virtual IDS units to a protected network;
wherein at least one of said virtual IDS units comprises at least one threat signature specific to an operating system and is configured to accept only packets that do not match any said threat signature.
Dependent claims 17-19 (not shown).
20. An apparatus for intrusion detection system virtualization, comprising:
means for receiving a stream of packets;
means for fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
means for directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
means for comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
means for accepting each said packet based on said comparing.
Dependent claims 21-26 (not shown).
27-29. (canceled)
30. A computer-readable medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions for:
receiving a stream of packets;
fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
accepting each said packet based on said comparing.
Dependent claims 31-32 (not shown).
33-35. (canceled)