APPARATUS AND METHOD FOR IMPROVING DETECTION PERFORMANCE OF INTRUSION DETECTION SYSTEM

US 20150113646A1
Filed: 07/23/2014
Published: 04/23/2015
Est. Priority Date: 10/18/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for improving detection performance of an intrusion detection system, comprising:

a transformed detected data generation unit for changing pieces of original detected data, detected based on current detection rules, to pieces of transformed detected data complying with a transformed detected data standard;

a transformed detected data classification unit for classifying the pieces of transformed detected data by attack type, classifying pieces of transformed detected data for respective attack types by current detection rule, and classifying pieces of transformed detected data for respective detection rules into true positives/false positives;

a transformed keyword tree generation unit for generating a true positive transformed keyword tree and a false positive transformed keyword tree, based on results of classification by the transformed detected data classification unit;

a true positive path identification unit for generating a true positive node by comparing the true positive transformed keyword tree with the false positive transformed keyword tree, and for identifying a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree; and

a true positive detection pattern generation unit for generating a true positive detection pattern based on the identified true positive path.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for improving detection performance of an intrusion detection system includes a transformed detected data generation unit for changing original detected data, detected based on current detection rules, to transformed detected data complying with transformed detected data standard. A transformed detected data classification unit classifies the transformed detected data by attack type, classifies transformed detected data for attack types by current detection rule, and classifies transformed detected data for detection rules into true positives/false positives. A transformed keyword tree generation unit generates a true positive transformed keyword tree and a false positive transformed keyword tree. A true positive path identification unit generates a true positive node, and identifies a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree. A true positive detection pattern generation unit generates a true positive detection pattern based on the true positive path.

Citations

16 Claims

1. An apparatus for improving detection performance of an intrusion detection system, comprising:
- a transformed detected data generation unit for changing pieces of original detected data, detected based on current detection rules, to pieces of transformed detected data complying with a transformed detected data standard;
  
  a transformed detected data classification unit for classifying the pieces of transformed detected data by attack type, classifying pieces of transformed detected data for respective attack types by current detection rule, and classifying pieces of transformed detected data for respective detection rules into true positives/false positives;
  
  a transformed keyword tree generation unit for generating a true positive transformed keyword tree and a false positive transformed keyword tree, based on results of classification by the transformed detected data classification unit;
  
  a true positive path identification unit for generating a true positive node by comparing the true positive transformed keyword tree with the false positive transformed keyword tree, and for identifying a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree; and
  
  a true positive detection pattern generation unit for generating a true positive detection pattern based on the identified true positive path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the transformed detected data standard includes a plurality of fields including source Internet Protocol (IP) field, source port field, destination IP field, destination port field, payload field, and true positive/false positive identification information field.
  - 3. The apparatus of claim 2, wherein the plurality of fields further include a serial number field or a message field for detection rules.
  - 4. The apparatus of claim 1, wherein the true positive transformed keyword tree includes a plurality of nodes, each including a symbol at a current position and a traversal count value passing through the symbol at the current position.
  - 5. The apparatus of claim 1, wherein the false positive transformed keyword tree includes a plurality of nodes, each including a symbol at a current position and a traversal count value passing through the symbol at the current position.
  - 6. The apparatus of claim 1, wherein the true positive path identification unit sets a node, remaining after nodes of the false positive transformed keyword tree have been excluded from the true positive transformed keyword tree, to the true positive node.
  - 7. The apparatus of claim 1, wherein the true positive path identification unit searches for a node between the base node of the true positive transformed keyword tree and the true positive node, and sets a connection path from a root node of the true positive transformed keyword tree to the true positive node via the searched node, as the true positive path.
  - 8. The apparatus of claim 1, wherein the true positive detection pattern generation unit creates a new detection rule based on the generated true positive detection pattern.

9. A method for improving detection performance of an intrusion detection system, comprising:
- changing, by a transformed detected data generation unit, changing pieces of original detected data, detected based on current detection rules, to pieces of transformed detected data complying with a transformed detected data standard;
  
  classifying, by a transformed detected data classification unit, the pieces of transformed detected data by attack type, classifying, by the transformed detected data classification unit, pieces of transformed detected data for respective attack types by current detection rule, and classifying, by the transformed detected data classification unit, pieces of transformed detected data for respective detection rules into true positives/false positives;
  
  generating, by a transformed keyword tree generation unit, a true positive transformed keyword tree and a false positive transformed keyword tree, based on results of the classification;
  
  generating, by a true positive path identification unit, a true positive node by comparing the true positive transformed keyword tree with the false positive transformed keyword tree, and identifying, by the true positive path identification unit, a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree; and
  
  generating, by a true positive detection pattern generation unit, a true positive detection pattern based on the identified true positive path.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the transformed detected data standard includes a plurality of fields including source Internet Protocol (IP) field, source port field, destination IP field, destination port field, payload field, and true positive/false positive identification information field.
  - 11. The method of claim 10, wherein the plurality of fields further include a serial number field or a message field for detection rules.
  - 12. The method of claim 9, wherein the true positive transformed keyword tree includes a plurality of nodes, each including a symbol at a current position and a traversal count value passing through the symbol at the current position.
  - 13. The method of claim 9, wherein the false positive transformed keyword tree includes a plurality of nodes, each including a symbol at a current position and a traversal count value passing through the symbol at the current position.
  - 14. The method of claim 9, wherein identifying the true positive path is configured to set a node, remaining after nodes of the false positive transformed keyword tree have been excluded from the true positive transformed keyword tree, to the true positive node.
  - 15. The method of claim 9, wherein identifying the true positive path is configured to search for a node between the base node of the true positive transformed keyword tree and the true positive node, and set a connection path from a root node of the true positive transformed keyword tree to the true positive node via the searched node, as the true positive path
  - 16. The method of claim 9, wherein generating the true positive detection pattern is configured to create a new detection rule based on the generated true positive detection pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Artelling Incorporated
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
HONG, Soonjwa, OH, Hyung Geun, SOHN, Ki Wook, LEE, NamHoon, LEE, Seokwon, LEE, TaekKyu, JUNG, KyuCheol, KIM, Geunyong

Granted Patent

US 9,275,224 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1408 by monitoring network traff...

APPARATUS AND METHOD FOR IMPROVING DETECTION PERFORMANCE OF INTRUSION DETECTION SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR IMPROVING DETECTION PERFORMANCE OF INTRUSION DETECTION SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links