Source/destination operating system type-based IDS virtualization

US 20080289040A1
Filed: 04/27/2004
Published: 11/20/2008
Est. Priority Date: 04/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method of intrusion detection system virtualization, comprising:

receiving a stream of packets;

fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;

directing each said packet to a virtual IDS process corresponding to each said identified target OS type;

comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and

accepting each said packet based on said comparing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet'"'"'s source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet'"'"'s target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of threat signature universe is used for each OS-specific packet threat vetting operation.

Citations

38 Claims

1. A method of intrusion detection system virtualization, comprising:
- receiving a stream of packets;
  
  fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
  
  directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
  
  comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
  
  accepting each said packet based on said comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said fingerprinting comprises active fingerprinting.
  - 3. The method of claim 1, wherein said fingerprinting comprises passive fingerprinting.
  - 4. The method of claim 1, wherein said target OS type is the packet source host OS.
  - 5. The method of claim 1, wherein said target OS type is the packet destination host OS.
  - 6. The method of claim 1, wherein said target OS type is both the packet source host OS and the packet destination host OS.
  - 7. The method of claim 1, wherein, when said fingerprinting identifies more than one target OS type, said directing occurs at substantially the same time.

8. A method of intrusion detection system virtualization using operating system type information, comprising:
- forming a plurality of reduced threat signature sets from a signature universe based on operating system type;
  
  virtualizing an intrusion detection system (IDS) into a plurality of virtual IDS processes corresponding to said plurality of reduced threat signature sets;
  
  receiving a stream of packets;
  
  fingerprinting each packet in a said stream to identify at least one target operating system type;
  
  directing each said packet to the virtual IDS process corresponding to each said target operating system type;
  
  comparing each said packet to said reduced threat signature set in said virtual IDS process; and
  
  accepting each said packet based on said comparing.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 36, 37, 38)
- - 9. The method of claim 8, wherein said plurality of reduced threat signature sets comprises a set of signatures common to more than one operating system type.
  - 10. The method of claim 8, wherein said fingerprinting comprises active fingerprinting.
  - 11. The method of claim 8, wherein said fingerprinting comprises passive fingerprinting.
  - 12. The method of claim 8, wherein said target operating system type is the packet source host operating system.
  - 13. The method of claim 8, wherein said target operating system type is the packet destination host operating system.
  - 14. The method of claim 8, wherein said target OS type is both the packet source host OS and the packet destination host OS.
  - 15. The method of claim 8, wherein, when said fingerprinting identifies more than one target operating system type, said directing to the virtual IDS process corresponding to each said target operating system type occurs at substantially the same time.
  - 36. The method of claim 8, wherein the signature universe includes a plurality of threat signatures greater in number than any one of the reduced threat signature sets.
  - 37. The method of claim 36, wherein the threat signatures include threat signatures of threats common to more than one target operating system, and wherein further comprising:
    - grouping the threat signatures of the common threats into a separate one of the reduced threat signature sets;
      
      comparing each said packet to said separate reduced threat signature set; and
      
      accepting each said packet based on said comparing.
  - 38. The method of claim 8, further comprising checking whether a source operating system of each packet is capable of using a protocol carried by each said packet, and accepting each said packet only if the packet passes the checking.

16. An apparatus for intrusion detection system (IDS) virtualization, comprising:
- a first network interface connected to an unprotected network;
  
  a fingerprinter operably connected to said first network interface for receiving a plurality of packets and configured to determine at least one corresponding target operating system (OS) fingerprint for each said packet;
  
  a director connected to said fingerprinter configured to receive said plurality of packets and said corresponding target OS fingerprints, wherein said director directs each said packet to one or more virtual IDS units according to said at least one corresponding OS fingerprint; and
  
  a second network interface connecting said one or more virtual IDS units to a protected network;
  
  wherein at least one said virtual IDS units comprises at least one threat signature specific to an operating system and is configured to accept only packets that do not match any said threat signature.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus of claim 16, wherein said fingerprinter employs passive fingerprinting algorithms.
  - 18. The apparatus of claim 16, wherein said fingerprinter employs active fingerprinting algorithms.
  - 19. The apparatus of claim 16, wherein, when said fingerprinter identifies more than one target OS fingerprint, said director directs each said packet to said virtual IDS units at substantially the same time.

20. An apparatus for intrusion detection system virtualization, comprising:
- means for receiving a stream of packets;
  
  means for fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
  
  means for directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
  
  means for comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
  
  means for accepting each said packet based on said comparing.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The apparatus of claim 20, wherein said means for fingerprinting comprise means for active fingerprinting.
  - 22. The apparatus of claim 20, wherein said means for fingerprinting comprise means for passive fingerprinting.
  - 23. The apparatus of claim 20, wherein said target OS type is the packet source host OS.
  - 24. The apparatus of claim 20, wherein said target OS type is the packet destination host OS.
  - 25. The apparatus of claim 20, wherein said target OS type is both the packet source host OS and the packet destination host OS.
  - 26. The apparatus of claim 20, wherein, when said means for fingerprinting identifies more than one target OS type, said means for directing operates at substantially the same time.

27-29. -29. (canceled)

30. A computer-readable medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions for:
- receiving a stream of packets;
  
  fingerprinting each packet in a said stream to identify at least one target operating system (OS) type;
  
  directing each said packet to a virtual IDS process corresponding to each said identified target OS type;
  
  comparing each said packet to a threat signature set corresponding to each said identified target OS type in said virtual IDS process; and
  
  accepting each said packet based on said comparing.
- View Dependent Claims (31, 32)
- - 31. The computer-readable medium of claim 30, wherein said computer instructions for fingerprinting comprise computer instructions for active fingerprinting.
  - 32. The computer-readable medium of claim 30, wherein said computer instructions for fingerprinting comprise computer instructions for passive fingerprinting.

33-35. -35. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ithal, Ravishankar Ganesh

Granted Patent

US 7,904,960 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Source/destination operating system type-based IDS virtualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Source/destination operating system type-based IDS virtualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links