INTRUSION DETECTION SYSTEMS AND METHODS
First Claim
1. A method, comprising:
receiving data via an electronic network;
segmenting the data into data items;
isolating one of the data items to obtain a selected data item;
processing the selected data item in accordance with a first processing technique to obtain a first characteristic metric;
processing the selected data item in accordance with a second processing technique to obtain a second characteristic metric, wherein the second processing technique is different from the first processing technique;
combining the first and second characteristic metrics to obtain an aggregate thumbprint of the selected data item; and
comparing the aggregate thumbprint to a plurality of aggregate thumbprints stored in a library of aggregate thumbprints to determine whether a match exists between the aggregate thumbprint and any of the aggregate thumbprints in the library of aggregate thumbprints.
Abstract
Systems and methods for intrusion and virus detection in computer networks. Data from a file, network byte stream, or other source is segmented, and the resulting data items are subjected to multiple processing techniques to obtain respective result values, or thumbprints. The multiple thumbprints for a data item are then aggregated to obtain a single result value, or aggregate thumbprint. The components of the aggregate thumbprint may be "fuzzified" to allow for reduced precision in the single result value. The aggregate thumbprint is compared to other similarly generated aggregate thumbprints stored in a library. Alerts may be generated when the same aggregate thumbprint is detected multiple times.
Claims (20 total)
1. A method, comprising: (text as set out under First Claim above)
Dependent claims: 2 to 10.
11. A method of detecting similar, but non-identical, data, comprising:
selecting a data item from a database;
generating a string, wherein the string is comprised of a plurality of individual characteristic metrics in respect to the data item, wherein each characteristic metric has been reduced in precision from an originally calculated value;
comparing the string to a plurality of strings stored in a library of strings to determine whether a match exists between the string and any of the strings stored in the library of strings; and
generating an alert when a match is found or adding the string to the library of strings when a match is not found.
Dependent claims: 12 to 16.
17. A system for detecting similar data items, comprising:
an analysis module having, or being in communication with, physical memory configured to store electronic data;
a data item database in communication with the analysis module; and
a string library in communication with the analysis module,
wherein the analysis module is configured to select a data item from the data item database, generate a string comprised of a plurality of individual characteristic metrics in respect to the data item where each characteristic metric is reduced in precision from an originally calculated value, compare the string to a plurality of strings stored in the string library to determine whether a match exists between the string and any of the strings stored in the string library, and generate an alert when a match is found, or add the string to the string library when a match is not found.
Dependent claims: 18 to 20.
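The pipeline described in the abstract and in claims 1 and 11, as an added example that is not part of the patent or of any product it covers: the two "different processing techniques" are assumed here to be Shannon entropy and printable-byte ratio, each metric is fuzzified by snapping it to a coarse bucket, the buckets are combined into a string thumbprint, and a library alerts on a match or stores the thumbprint when none is found. The byte stream, bucket sizes and segment size are constructed for the demonstration.

```python
import math
from collections import Counter
PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII byte values (assumed metric)

def segment(data: bytes, size: int) -> list:
    """Segment a byte stream into fixed-size data items (the last may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def shannon_entropy(item: bytes) -> float:
    """First processing technique: Shannon entropy in bits per byte."""
    n = len(item)
    return -sum(c / n * math.log2(c / n) for c in Counter(item).values())

def printable_ratio(item: bytes) -> float:
    """Second, different technique: fraction of printable ASCII bytes."""
    return sum(b in PRINTABLE for b in item) / len(item)

def fuzzify(value: float, step: float) -> float:
    """Reduce a metric's precision by snapping it to a coarse bucket."""
    return math.floor(value / step) * step

def aggregate_thumbprint(item: bytes) -> str:
    """Combine the fuzzified metrics into one string, the aggregate thumbprint."""
    h = fuzzify(shannon_entropy(item), 1.0)   # 0..8 bits -> 9 buckets
    p = fuzzify(printable_ratio(item), 0.25)  # 0..1 -> 5 buckets
    return f"H{h:.2f}|P{p:.2f}"

class ThumbprintLibrary:
    """Library of aggregate thumbprints seen so far, with hit counts."""
    def __init__(self) -> None:
        self.seen = {}

    def check(self, thumbprint: str) -> bool:
        """Return True (alert) on a match; otherwise add the thumbprint, return False."""
        if thumbprint in self.seen:
            self.seen[thumbprint] += 1
            return True
        self.seen[thumbprint] = 1
        return False

def analyze(data: bytes, size: int, library: ThumbprintLibrary) -> list:
    """Run the pipeline over a stream; return (item index, thumbprint) per alert."""
    alerts = []
    for idx, item in enumerate(segment(data, size)):
        tp = aggregate_thumbprint(item)
        if library.check(tp):
            alerts.append((idx, tp))
    return alerts

# Constructed stream: two near-identical low-entropy items, then one unrelated binary item.
STREAM = b"AAAAAAAABBBBBBBB" + b"AAAAAAAABBBBBBBC" + bytes(range(16))
```

The second item differs from the first by one byte, yet both fuzzify to the same thumbprint, so the second raises the alert while the binary item is merely added to the library.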