Automatic Categorization of IDPS Signatures from multiple different idps systems

US 20170331841A1
Filed: 05/11/2016
Published: 11/16/2017
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature;

creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element;

integrating the set of similarity measures to generate an overall similarity metric;

using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed;

placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and

outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures. The mapping is output for use by an IDPS for determining whether a threat has occurred to the resources in the computer environment.

Citations

21 Claims

1. A method, comprising:
- accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature;
  
  creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element;
  
  integrating the set of similarity measures to generate an overall similarity metric;
  
  using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed;
  
  placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and
  
  outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein using the overall similarity metric to find appropriate categories comprises using a majority-voting scheme for the overall similarity metric to find the appropriate categories in the reference signatures.
  - 3. The method of claim 2, wherein using a majority-voting scheme for the overall similarity metric further comprises, for each unknown signature, selecting a top k most similar reference signatures and finding their majority category as the unknown signature'"'"'s final category.
  - 4. The method of claim 1, wherein the similarity measures comprise similarity matrices and integrating further comprises:
    - searching for optimal weights to aggregate the similarity matrices in a training phase if labeled information is available or using default weights if labeled information is not available; and
      
      aggregating the similarity matrices into a result matrix based on the optimal weights.
  - 5. The method of claim 1, wherein the descriptive elements comprise for each signature one or more of the following:
    - signature name, keywords, risk level, common vulnerabilities and exposures code, and a description.
  - 6. The method of claim 1, wherein creating a set of similarity measures of the unknown and reference signatures from different perspectives comprises performing one or more of the following:
    - using a n-gram similarity on one or more of the descriptive elements for the unknown and reference signatures;
      
      using Jaccard similarity on one or more of the descriptive elements for the unknown and reference signatures;
      
      using an equivalence measure on one or more of the descriptive elements for the unknown and reference signatures; and
      
      using cosine similarity of latent semantic indexing on one or more of the descriptive elements for the unknown and reference signatures.
  - 7. The method of claim 1, wherein:
    - outputting further comprises outputting the mapping to memory; and
      
      the method further comprises using the mapping to convert unknown signatures from one or more source intrusion detection and prevention systems into reference signatures for a target intrusion detection and prevention system and sending the reference signatures that have been converted to the target intrusion detection and prevention system for use by the target intrusion detection and prevention system for determining whether a threat has occurred to the resources in the one or more source intrusion detection and prevention systems.
  - 8. The method of claim 1, wherein outputting further comprises sending the mapping to the intrusion detection and prevention system for use by the intrusion detection and prevention system for determining whether the threat has occurred.
  - 9. The method of claim 1, further comprising determining, by the intrusion detection and prevention system, whether a threat has occurred to the resources in the computer environment by using at least the mapping.
  - 10. The method of claim 9, further comprising outputting one or more alerts in response to a determination the threat has occurred to the resources in the computer environment.
  - 11. The method of claim 10, wherein outputting the one or more alerts comprises outputting the one or more alerts to a console viewable by an analyst.
  - 12. The method of claim 9, further comprising performing, in response to a determination a threat has occurred, one or more remedial actions concerning the resources in the computer environment.
  - 13. The method of claim 1, wherein the resources in the computer environment comprise one or more of the following:
    - one or more computer systems or one or more computer networks.

14. A computer system, comprising:
- one or more memories comprising computer-readable code; and
  
  one or more processors, wherein the one or more processors, in response to executing the computer-readable code, cause the computer system to perform operations comprising the following;
  
  accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature;
  
  creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element;
  
  integrating the set of similarity measures to generate an overall similarity metric;
  
  using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed;
  
  placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and
  
  outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment.

15. A method, comprising:
- accessing reference signatures, where the reference signatures have been converted from unknown signatures to the reference signatures by using a mapping between unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment; and
  
  using the reference signatures, which have been converted from the unknown signatures using the mapping, to determine whether a threat has occurred to the resources in the computer environment.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein the mapping has been previously determined using the following:
    - creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element;
      
      integrating the set of similarity measures to generate an overall similarity metric;
      
      using the overall similarity metric to find most appropriate categories in the reference signatures into which the unknown signatures should be placed; and
      
      placing the unknown signatures into the appropriate categories to create the mapping from the unknown signatures to the reference signatures.
  - 17. The method of claim 15, further comprising, prior to accessing the reference signatures, converting the unknown signatures to the reference signatures by using the mapping between unknown and reference signatures.
  - 18. The method of claim 16, wherein using the overall similarity metric to find appropriate categories comprises using a majority-voting scheme for the overall similarity metric to find the appropriate categories in the reference signatures.
  - 19. The method of claim 16, wherein the similarity measures comprise similarity matrices and integrating further comprises:
    - searching for optimal weights to aggregate the similarity matrices in a training phase if labeled information is available or using default weights if labeled information is not available; and
      
      aggregating the similarity matrices into a result matrix based on the optimal weights.
  - 20. The method of claim 16, wherein the descriptive elements comprise for each signature one or more of the following:
    - signature name, keywords, risk level, common vulnerabilities and exposures code, and a description.
  - 21. The method of claim 16, wherein creating a set of similarity measures of the unknown and reference signatures from different perspectives comprises performing one or more of the following:
    - using a n-gram similarity on one or more of the descriptive elements for the unknown and reference signatures;
      
      using Jaccard similarity on one or more of the descriptive elements for the unknown and reference signatures;
      
      using an equivalence measure on one or more of the descriptive elements for the unknown and reference signatures; and
      
      using cosine similarity of latent semantic indexing on one or more of the descriptive elements for the unknown and reference signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
HU, Xin, Jang, Jiyong, Schales, Douglas Lee, Stoecklin, Marc Philippe, Wang, Ting

Granted Patent

US 10,542,014 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 16/901   Indexing; Data structures t...

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Automatic Categorization of IDPS Signatures from multiple different idps systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic Categorization of IDPS Signatures from multiple different idps systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links