Intrusion detection system and method having dynamically loaded signatures

US 6,477,651 B1
Filed: 01/08/1999
Issued: 11/05/2002
Est. Priority Date: 01/08/1999
Status: Expired due to Term

First Claim

Patent Images

1. An intrusion detection system for detecting unauthorized use of a network, the system comprising:

an analysis object for identifying a signature in network data, the signature associated with an attack on a network vulnerability;

an intrusion detection analysis engine interfaced with the network to accept network data, and interfaced with the analysis object, the intrusion detection analysis engine operable to instanciate the analysis object with network data and to use the instance of the analysis object to detect an attack on the network; and

an application programming interface operable to dynamically interface a new analysis object with the intrusion detection analysis engine on a runtime basis, wherein the new analysis object comprises an identification of a signature in network data associated with an attack on a new network vulnerability.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system and method for detecting unauthorized or malicious use of network resources includes an intrusion detection analysis engine that instanciates one or more analysis objects to detect signatures associated with attacks on network vulnerabilities. As new network vulnerabilities are identified, new analysis objects can be dynamically interfaced on a runtime basis with the intrusion detection analysis engine to detect signatures associated with the new network vulnerabilities. A signature application programming interface supports communication between the intrusion detection analysis engine and the analysis objects. When the instance of an analysis object indicates that an associated signature exists in network data, the intrusion detection analysis engine can provide an alarm.

189 Citations

21 Claims

1. An intrusion detection system for detecting unauthorized use of a network, the system comprising:
- an analysis object for identifying a signature in network data, the signature associated with an attack on a network vulnerability;
  
  an intrusion detection analysis engine interfaced with the network to accept network data, and interfaced with the analysis object, the intrusion detection analysis engine operable to instanciate the analysis object with network data and to use the instance of the analysis object to detect an attack on the network; and
  
  an application programming interface operable to dynamically interface a new analysis object with the intrusion detection analysis engine on a runtime basis, wherein the new analysis object comprises an identification of a signature in network data associated with an attack on a new network vulnerability.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1 further comprising additional analysis objects, each analysis object for identifying a predetermined signature in network data associated with a predetermined network vulnerability.
  - 3. The system of claim 1 further comprising a data collector converter for collecting network data and providing the network data to the intrusion detection analysis engine.

4. A method for detecting an attack on a network, the method comprising the steps of:
- providing network data to an intrusion detection analysis engine;
  
  instanciating an analysis object with the network data;
  
  pre-compiling the analysis object;
  
  dynamically interfacing the analysis object with the intrusion detection analysis engine on a runtime basis; and
  
  detecting an attack on the network with the instance of the analysis object.
- View Dependent Claims (5, 6, 7)
- - 5. The method of claim 4 further comprising the step dynamically of interfacing additional analysis objects with the intrusion detection analysis engine through an application programming interface.
  - 6. The method of claim 5 wherein each analysis object detects a predetermined signature associated with an attack on a predetermined network vulnerability.
  - 7. The method of claim 6 further comprising the steps of:

8. A method for detecting unauthorized use of a network, the method comprising the steps of:
- determining a signature associated with an attack on a network vulnerability;
  
  creating an analysis object, the analysis object for analyzing network data to detect the signature;
  
  dynamically providing the analysis object to an intrusion detection system through an application programming interface; and
  
  detecting an attack on the network vulnerability with the intrusion detection system using the analysis object to detect the signature.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8 wherein the network data comprises network traffic data.
  - 10. The method of claim 8 wherein the network data comprises audit trail data.
  - 11. The method of claim 8 wherein the data comprises system information data.
  - 12. The method of claim 8 wherein the dynamically providing step further comprises pre-compiling the analysis object into binary code and providing the analysis object to the intrusion detection system while the intrusion detection system is operating.
  - 13. The method of claim 8 further comprising the step of generating an alarm when an attack is detected.

14. A method for detecting an attack on a network comprising the steps of:
- collecting network data;
  
  providing the network data to an intrusion detection system;
  
  dynamically interfacing the intrusion detection system with an analysis object using an application programming interface; and
  
  detecting an attack on the network with the intrusion detection system and the analysis object.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14 wherein the analysis object detects a signature associated with an attack on a predetermined network vulnerability.
  - 16. The method of claim 14 wherein the interfacing step further comprises interfacing the intrusion detection system with plural analysis objects, each analysis object for detecting a predetermined signature associated with a predetermined attack on the network.
  - 17. The method of claim 16 wherein the network data comprises network traffic data.
  - 18. The method of claim 16 wherein the network data comprises audit trail data.
  - 19. The method of claim 16 wherein the network data comprises system information data.
  - 20. The method of claim 14 further comprising the steps of:
21. The method of claim 14 wherein using the application programming interface step further comprises the steps of:
- precompiling the new analysis object into binary code; and
  
  dynamically interfacing the new analysis object with the intrusion detection system at runtime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Teal, Daniel M.
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US09/227,987
Time in Patent Office

1,397 Days
Field of Search

713/200, 713/201
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1416 Event detection, e.g. attac...

Intrusion detection system and method having dynamically loaded signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

189 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection system and method having dynamically loaded signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links