Automatic Categorization of IDPS Signatures from Multiple Different IDPS Systems
First Claim
1. A method, comprising:
accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature;
creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element;
integrating the set of similarity measures to generate an overall similarity metric;
using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed;
placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and
outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment.
1 Assignment
0 Petitions
Abstract
Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures. The mapping is output for use by an IDPS for determining whether a threat has occurred to the resources in the computer environment.
21 Claims
1. A method, comprising:
accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature; creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element; integrating the set of similarity measures to generate an overall similarity metric; using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed; placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment. (Dependent claims: 2-13)
14. A computer system, comprising:
one or more memories comprising computer-readable code; and one or more processors, wherein the one or more processors, in response to executing the computer-readable code, cause the computer system to perform operations comprising the following: accessing unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment and comprise a plurality of descriptive elements having information describing different aspects of a corresponding signature; creating a set of similarity measures of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element; integrating the set of similarity measures to generate an overall similarity metric; using the overall similarity metric to find appropriate categories in the reference signatures into which the unknown signatures should be placed; placing the unknown signatures into the appropriate categories to create a mapping from the unknown signatures to the reference signatures; and outputting the mapping for use by an intrusion detection and prevention system for determining whether a threat has occurred to the resources in the computer environment.
15. A method, comprising:
accessing reference signatures, where the reference signatures have been converted from unknown signatures to the reference signatures by using a mapping between unknown and reference signatures, wherein the unknown and reference signatures indicate patterns that correspond to known threats to resources in a computer environment; and using the reference signatures, which have been converted from the unknown signatures using the mapping, to determine whether a threat has occurred to the resources in the computer environment. (Dependent claims: 16-21)
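The steps of claim 1 (per-element similarity measures, their integration into one metric, category selection, and the output mapping) and the use of that mapping in claim 15 are worked through below as an added example. This is illustration code written for this page, not the patent's implementation: the signature schema with its three descriptive elements (name, protocol, description), the two constructed vendor rule sets, the Jaccard token-overlap and exact-protocol measures, the weights, and the 0.4 threshold are all assumptions chosen for the example.

```python
"""Categorising one vendor's IDPS signatures against another's reference set.

Added example code, not the patented implementation.  The schema, the
sample signatures, the similarity measures, the weights and the threshold
are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A signature reduced to a few descriptive elements (constructed schema)."""
    sid: str
    name: str
    protocol: str
    description: str
    category: str = ""  # populated only on reference signatures


def tokens(text: str) -> set[str]:
    """Lower-cased alphanumeric tokens, used by the set-overlap measures."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a: set[str], b: set[str]) -> float:
    """Jaccard similarity of two token sets; 1.0 when both are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def perspective_similarities(unknown: Signature, ref: Signature) -> dict[str, float]:
    """One similarity measure per descriptive element (one 'perspective' each)."""
    return {
        "name": jaccard(tokens(unknown.name), tokens(ref.name)),
        "protocol": 1.0 if unknown.protocol.lower() == ref.protocol.lower() else 0.0,
        "description": jaccard(tokens(unknown.description), tokens(ref.description)),
    }


# Assumed weights; a real deployment would tune these on a labelled sample.
WEIGHTS = {"name": 0.5, "protocol": 0.2, "description": 0.3}


def overall_similarity(unknown: Signature, ref: Signature, weights=WEIGHTS) -> float:
    """Integrate the per-perspective measures into one metric (weighted mean)."""
    sims = perspective_similarities(unknown, ref)
    return sum(weights[k] * sims[k] for k in weights) / sum(weights.values())


def categorize(unknowns, references, threshold: float = 0.4) -> dict:
    """Map each unknown signature to the reference category it fits best.

    A category inherits the score of its best-matching reference signature.
    Below ``threshold`` the signature is left UNCATEGORIZED for an analyst
    instead of being forced into a poor match.
    """
    mapping = {}
    for u in unknowns:
        best_sid, best_score = None, 0.0
        for r in references:
            s = overall_similarity(u, r)
            if s > best_score:
                best_sid, best_score = r.sid, s
        if best_sid is not None and best_score >= threshold:
            cat = next(r.category for r in references if r.sid == best_sid)
        else:
            cat, best_sid = "UNCATEGORIZED", None
        mapping[u.sid] = {"category": cat, "reference": best_sid, "score": round(best_score, 3)}
    return mapping


def reference_category(vendor_sid: str, mapping: dict) -> str:
    """Claim-15 style use: translate an alert's vendor SID through the mapping."""
    return mapping.get(vendor_sid, {"category": "UNKNOWN"})["category"]


# Constructed reference set (vendor A) with categories already assigned.
REFERENCE_SIGS = [
    Signature("A-1", "SQL injection attempt in HTTP URI", "tcp",
              "detects sql keywords in http request uri", "web-application-attack"),
    Signature("A-2", "SSH brute force login", "tcp",
              "repeated failed ssh authentication", "brute-force"),
    Signature("A-3", "DNS tunneling long query", "udp",
              "unusually long dns query names", "exfiltration"),
]

# Constructed unknown signatures (vendor B) with no category information.
UNKNOWN_SIGS = [
    Signature("U-1001", "HTTP URI SQL Injection", "TCP", "sql keyword detected in request uri"),
    Signature("U-1002", "ssh login brute force attempt", "tcp", "many failed ssh auth"),
    Signature("U-1003", "ICMP echo flood", "icmp", "high rate of icmp echo requests"),
]


if __name__ == "__main__":
    result = categorize(UNKNOWN_SIGS, REFERENCE_SIGS)
    for sid, entry in result.items():
        print(sid, entry)
    print("alert U-1002 ->", reference_category("U-1002", result))
```

In the constructed data, U-1001 and U-1002 land in `web-application-attack` and `brute-force`, while U-1003 (an ICMP flood with no counterpart in the reference set) scores 0.0 everywhere and stays UNCATEGORIZED. That threshold is the practical safeguard: a forced best match would silently put a new signature into the wrong category, so anything below it should go to review rather than straight into the mapping the IDPS consumes.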