Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing
First Claim
1. A method, performed in an intrusion detection/prevention system in a computer system, for evaluating network traffic against rules, comprising:
- receiving network traffic;
checking for a matching pattern in the network traffic;
upon identifying the matching pattern in the network traffic, evaluating the network traffic with the matching pattern against rules specific to the matching pattern, wherein the rules specific to the matching pattern are represented by a rule tree, wherein references to rule options are represented in the rule tree and the rule options are stored separately from the rule tree, the rule tree representing each unique rule by each unique path from a root of the tree to each of the leaf nodes, and the rule tree representing a rule option as a non-leaf node of the rule tree, the evaluating of the network traffic including;
processing, against the network traffic, the rule options in the rule tree beginning at the root of the rule tree;
wherein processing of all of the rules represented by the subtrees of nodes with rule options that do not match are eliminated,wherein the network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options which match the network traffic.
3 Assignments
0 Petitions
Accused Products
Abstract
In an intrusion detection/prevention system, network traffic is received and checked for a matching pattern. Upon identifying the matching pattern, the network traffic with the matching pattern is evaluated against rules that are represented by a rule tree. References to rule options are represented in the rule tree and are stored separately from the rule tree. The rule tree represents unique rules by unique paths from a root of the tree to the leaf nodes, and represents rule options as non-leaf nodes of the rule tree. Evaluating the network traffic includes processing, against the network traffic, the rule options in the rule tree beginning at the root. Processing of the rules represented by subtrees of nodes with rule options that do not match is eliminated. The network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options that match the network traffic.
-
Citations
20 Claims
-
1. A method, performed in an intrusion detection/prevention system in a computer system, for evaluating network traffic against rules, comprising:
-
receiving network traffic; checking for a matching pattern in the network traffic; upon identifying the matching pattern in the network traffic, evaluating the network traffic with the matching pattern against rules specific to the matching pattern, wherein the rules specific to the matching pattern are represented by a rule tree, wherein references to rule options are represented in the rule tree and the rule options are stored separately from the rule tree, the rule tree representing each unique rule by each unique path from a root of the tree to each of the leaf nodes, and the rule tree representing a rule option as a non-leaf node of the rule tree, the evaluating of the network traffic including; processing, against the network traffic, the rule options in the rule tree beginning at the root of the rule tree; wherein processing of all of the rules represented by the subtrees of nodes with rule options that do not match are eliminated, wherein the network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options which match the network traffic. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer-readable storage medium comprising instructions being executed by a computer in connection with an intrusion detection/prevention system, the instructions including a computer-implemented method for evaluating network traffic against rules, the instructions for implementing:
-
receiving network traffic; checking for a matching pattern in the network traffic; upon identifying the matching pattern in the network traffic, evaluating the network traffic with the matching pattern against rules specific to the matching pattern, wherein the rules specific to the matching pattern are represented by a rule tree, wherein references to rule options are represented in the rule tree and the rule options are stored separately from the rule tree, the rule tree representing each unique rule by each unique path from a root of the tree to each of the leaf nodes, and the rule tree representing a rule option as a non-leaf node of the rule tree, the evaluating of the network traffic including; processing, against the network traffic, the rule options in the rule tree beginning at the root of the rule tree; wherein processing of all of the rules represented by the subtrees of nodes with rule options that do not match are eliminated, wherein network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options which match the network traffic. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A computer system for evaluating network traffic against rules in connection with an intrusion detection/prevention system, comprising:
-
(A) a transceiver operable to receive or transmit network traffic; and (B) a processor cooperatively operable with the memory and the transceiver, and configured to facilitate; obtaining network traffic to be transmitted on the transceiver or which was received by the transceiver; checking for a matching pattern in the network traffic; upon identifying the matching pattern in the network traffic, evaluating the network traffic with the matching pattern against rules specific to the matching pattern, wherein the rules specific to the matching pattern are represented by a rule tree, wherein references to rule options are represented in the rule tree and the rule options are stored separately from the rule tree, the rule tree representing each unique rule by each unique path from a root of the tree to each of the leaf nodes, and the rule tree representing a rule option as a non-leaf node of the rule tree, the evaluating of the network traffic including; processing, against the network traffic, the rule options in the rule tree beginning at the root of the rule tree; wherein processing of all of the rules represented by the subtrees of nodes with rule options that do not match are eliminated, wherein network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options which match the network traffic. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification