Dynamic signature inspection-based network intrusion detection
Abstract
A signature based dynamic network intrusion detection system (IDS) includes attack signature profiles which are descriptive of characteristics of known network security violations. The attack signature profiles are organized into sets of attack signature profiles according to security requirements of network objects on a network. Each network object is assigned a set of attack signature profiles which is stored in a signature profile memory together with association data indicative of which sets of attack signature profiles correspond to which network objects. A monitoring device monitors network traffic for data addressed to the network objects. Upon detecting a data packet addressed to one of the network objects, packet information is extracted from the data packet. The extracted information is utilized to obtain a set of attack signature profiles corresponding to the network object based on the association data. A virtual processor executes instructions associated with attack signature profiles to determine if the packet is associated with a known network security violation. An attack signature profile generator is utilized to generate additional attack signature profiles configured for processing by the virtual processor in the absence of any corresponding modification of the virtual processor.
1251 Citations
Claims (20)

1. A method for detecting network intrusion attempts associated with network objects on a communications network including the steps of:
storing a list of attack signature profiles descriptive of attack signatures associated with said network intrusion attempts;
storing corresponding data representative of a correspondence between subsets of said attack signature profiles and said network objects such that each network object has a corresponding stored subset of attack signature profiles and more than one subset of attack signature profiles corresponds to network objects;
monitoring network traffic transmitted over said communications network for data addressed to one of said network objects;
in response to detecting said data addressed to said network object, accessing a subset of attack signature profiles corresponding to said network object based on said correspondence data; and
executing at least one attack signature profile included in said subset corresponding to said network object to determine if said data addressed to said network object is associated with a network intrusion attempt. (Dependent claims 2 to 7 not shown.)

8. A network-based dynamic signature inspection system for detecting attack signatures on a network comprising:
a data monitoring device configured to detect network data addressed to a first set of network objects, said monitoring device having an input for receiving said data and an output for signaling a detection of said data;
signature profile memory including:
a) attack signature profiles descriptive of network signaling patterns which constitute said attack signatures, each attack signature profile being configured to enable recognition of one of said attack signatures, each attack signature being associated with a known network security violation; and
b) association data corresponding each of said first set of network objects to an associated subset of said attack signature profiles such that more than one of said subsets of said attack signature profiles corresponds to said first set of network objects; and
processor means, responsive to said detection signaling, for processing an attack signature profile included in a subset of said signature profiles assigned to one of said first set of network objects, reception of a detection signal indicative of a detection by said monitoring device of data addressed to said network object triggering access by said processor means to said subset of said signature profiles assigned to said network object based on said association data. (Dependent claims 9 to 13 not shown.)

14. A network-based dynamic signature inspection system for detecting attack signatures on a network comprising:
a data monitoring device configured to detect network data addressed to a first set of network objects, said monitoring device having an input for receiving said data and an output for signaling a detection of said data;
signature profile memory including:
a) attack signature profiles descriptive of network signaling patterns which constitute said attack signatures, each attack signature profile being configured to enable recognition of one of said attack signatures, each attack signature being associated with a known network security violation; and
b) association data corresponding each of said first set of network objects to an associated subset of said attack signature profiles such that more than one of said subset of said attack signature profiles corresponds to said first set of network objects; and
processor means, responsive to said detection signaling, for processing an attack signature profile included in a subset of said signature profiles assigned to one of said first set of network objects, reception of a detection signal indicative of a detection by said monitoring device of data addressed to said network object triggering access by said processor means to said subset of said signature profiles assigned to said network object based on said association data, wherein said data monitoring device, said signature profile memory, and said processor means are all contained in a first data collector located on a first network segment on which said first set of said network objects reside, said system further comprising:
a second data collector including a second data monitoring device, a second signature profile memory, and second processor means, said second data collector being located on a second network segment including a second set of said network objects, said second processor means being a duplicate of said first processor means; and
a network configuration generator configured to assign a first plurality of said signature profile subsets to said first data collector based on a configuration of said first set of network objects and to assign a second plurality of signature profile subsets to said second data collector based on a configuration of said second set of network objects.

15. A method for providing network intrusion detection on a network including first and second network objects comprising the steps of:
storing first and second sets of attack signature profiles associated respectively with first and second network objects at a first site on said network, each attack signature profile being configured to detect a network signaling pattern associated with a known network security violation;
monitoring network traffic at said first site for data addressed to one of said first and second network objects;
upon detecting data addressed to said first network object, accessing said first set of attack signature profiles;
utilizing a processor to execute an attack signature profile from said first set of attack signature profiles;
determining whether said execution of said attack signature profile reveals a known network security violation; and
generating additional attack signature profiles configured to be executed by said processor in the absence of modifying said processor. (Dependent claims 16 to 19 follow.)

deploying a duplicate of said processor at a second site on said network;
storing a third set of attack signature profiles associated with a third network object at said second site;
monitoring said network traffic at said second site for network data addressed to said third network object; and
executing at least one attack signature profile in said third set of attack signature profiles at said second site upon detecting said network data addressed to said third network object.

17. The method of claim 15 wherein said executing step includes determining whether a predetermined number of events occur within a predetermined time interval.

18. The method of claim 15 wherein said step of utilizing said processor to execute said attack signature profile includes:
translating said attack signature profile into a set of instructions to be sequentially executed to enable recognition of a set of sequentially occurring events which collectively constitute said known network security violation;
sequentially executing said set of instructions; and
upon recognizing each of said set of events, storing data representative of an occurrence of said each event.

19. The method of claim 18 wherein said determining step includes determining whether said known security violation has occurred based on said stored data representative of said occurrence of said each event.

20. A computer system comprising:
a plurality of attack signature profiles comprising machine readable data corresponding to attack signatures associated with network intrusion attempts; and
corresponding data comprising machine readable data representative of a correspondence between a plurality of network objects and subsets of attack signature profiles.
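The abstract and claims 15 through 19 describe the design only in prose; the following Python sketch is an added example, not the patent's own code or any product implementation, of the same structure: a data-only signature profile memory, association data mapping each network object to its own subset of profiles, and a generic processor that runs only the addressed object's subset, storing each recognised event and applying the count-within-window rule. The hosts, ports, profiles and packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class SignatureProfile:
    """Data-only profile: ordered event matchers plus claim 17's count-within-window rule."""
    name: str
    events: Tuple[Callable[[dict], bool], ...]   # recognised in sequence (claim 18)
    count: int                                   # predetermined number of events
    window: float                                # predetermined time interval (seconds)

LIBRARY: Dict[str, SignatureProfile] = {  # signature profile memory (constructed)
    "syn_flood": SignatureProfile("syn_flood", (lambda p: p["flags"] == "S",), count=3, window=1.0),
    "db_probe": SignatureProfile("db_probe", (
        lambda p: p["flags"] == "S" and p["dport"] == 5432,
        lambda p: p["flags"] == "PA" and b"auth_fail" in p["payload"]), count=2, window=5.0),
}
# Association data (constructed): network object -> its own subset of profile names.
ASSOCIATION: Dict[str, List[str]] = {"10.0.0.5": ["syn_flood"], "10.0.0.9": ["db_probe"]}

def execute(profile: SignatureProfile, seen: List[float], pkt: dict) -> bool:
    """Virtual-processor step: match the next expected event, store its time, test the rule."""
    expected = profile.events[len(seen) % len(profile.events)]
    if expected(pkt):
        seen.append(pkt["t"])                    # stored occurrence of this event
    recent = [t for t in seen if pkt["t"] - t <= profile.window]
    return len(recent) >= profile.count

def inspect_traffic(packets: List[dict], association=ASSOCIATION, library=LIBRARY):
    """Monitor traffic; run only the addressed object's profile subset. Returns alerts."""
    state: Dict[Tuple[str, str], List[float]] = {}  # per (object, profile) event store
    alerts = []
    for pkt in packets:
        for name in association.get(pkt["dst"], []):  # unlisted objects are ignored
            seen = state.setdefault((pkt["dst"], name), [])
            if execute(library[name], seen, pkt):
                alerts.append((pkt["t"], pkt["dst"], name))
                seen.clear()                      # report once, then rearm
    return alerts

def pk(t, dst, dport, flags, payload=b""):       # constructed packet record
    return {"t": t, "dst": dst, "dport": dport, "flags": flags, "payload": payload}

# Constructed traffic: SYN burst at the web host, SYN burst plus failed-auth reply at the DB host,
# and one packet to a host that has no profile subset assigned.
PACKETS: List[dict] = (
    [pk(t, "10.0.0.5", 80, "S") for t in (0.0, 0.2, 0.4)]
    + [pk(t, "10.0.0.9", 5432, "S") for t in (1.0, 1.1, 1.2)]
    + [pk(1.5, "10.0.0.9", 5432, "PA", b"auth_fail"), pk(2.0, "10.0.0.7", 22, "S")]
)
```

Because `execute` is generic, a new profile is just a new `SignatureProfile` entry in the library, which is the "profile generator without modifying the processor" point of the abstract and claim 15.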