Intrusion detection signature analysis using regular expressions and logical operators
Abstract
A method of describing intrusion signatures, which are used by an intrusion detection system to detect attacks on a local network. The signatures are described using a “high level” syntax having features in common with regular expression and logical expression methodology. These high level signatures may then be compiled, or otherwise analyzed, to provide a process executable by a sensor or other processor-based signature detector.
12 Claims
1. A packet-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
using a set of regular expression identifiers to represent a set of packet types;
using logical operators to describe relationships between said packet types;
combining at least one of said identifiers and at least one of said logical operators to provide a regular expression describing each of said signatures; and
using said regular expressions to provide an executable process.
(Dependent claims 2 and 3 are not reproduced here.)
4. An event-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
using a first set of regular expression identifiers to represent a set of packet types;
using a second set of regular expression identifiers to represent a set of packet sequences;
using a third set of regular expression identifiers to represent a set of signature-related events;
for each signature, selecting at least one of said identifiers to provide a regular expression describing that signature; and
using said regular expressions to provide an executable process.
(Dependent claims 5 and 6 are not reproduced here.)
7. An event-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
using a set of regular expression identifiers to represent a set of signature events;
using logical operators to describe relationships between said signature events;
combining said identifiers and said logical operators to provide a regular expression describing said signatures; and
using said regular expressions to provide an executable process.
(Dependent claims 8 through 12 are not reproduced here.)
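The scheme the abstract and claims describe, as an added example that is not the patent's own syntax or code: regular-expression identifiers classify packets into types, a signature is a regular expression over the resulting type stream that joins those identifiers with logical operators, and compiling it yields the executable detector. The packet record format, the identifiers, the two signatures and both traces are constructed for the illustration.

```python
import re
# Constructed example of the claimed signature style, not the patent's own syntax or code.
# Step 1: regular-expression identifiers name packet types. A packet is a one-line record
# (constructed format) and is classified by the first identifier it matches.
PACKET_TYPES = {
    "SYN":    re.compile(r"proto=tcp .*flags=S$"),
    "SYNACK": re.compile(r"proto=tcp .*flags=SA$"),
    "ACK":    re.compile(r"proto=tcp .*flags=A$"),
    "RST":    re.compile(r"proto=tcp .*flags=R$"),
    "ICMPU":  re.compile(r"proto=icmp type=3 "),
}

def tokenize(trace):
    """Turn a packet trace into a space-delimited stream of packet-type identifiers."""
    names = [next((n for n, rx in PACKET_TYPES.items() if rx.search(p)), "OTHER") for p in trace]
    return " ".join(names) + " "   # trailing space so every token ends with a delimiter

# Steps 2-3: a signature is a regular expression over the identifier stream. Juxtaposition
# means "followed by", "|" is OR, "{n,}" is repetition and a negative lookahead is NOT.
SIGNATURES = {
    # three or more SYNs each answered by a RST or an ICMP unreachable: closed-port probing
    "repeated_closed_port_probe": re.compile(r"(?:SYN (?:RST|ICMPU) ){3,}"),
    # a SYN whose very next packet is not the SYN/ACK that completes the handshake
    "syn_not_followed_by_synack": re.compile(r"SYN (?!SYNACK )"),
}

def compile_signatures(sigs):
    """Step 4: the executable process, a function reporting which signatures fire on a trace."""
    def detect(trace):
        stream = tokenize(trace)
        return sorted(name for name, rx in sigs.items() if rx.search(stream))
    return detect

detect = compile_signatures(SIGNATURES)
# Constructed traces: a probe of three closed ports, and one benign completed handshake.
PROBE_TRACE = [
    "proto=tcp src=10.0.0.9:40001 dst=10.0.0.1:22 flags=S",
    "proto=tcp src=10.0.0.1:22 dst=10.0.0.9:40001 flags=R",
    "proto=tcp src=10.0.0.9:40002 dst=10.0.0.1:23 flags=S",
    "proto=icmp type=3 src=10.0.0.1 dst=10.0.0.9",
    "proto=tcp src=10.0.0.9:40003 dst=10.0.0.1:25 flags=S",
    "proto=tcp src=10.0.0.1:25 dst=10.0.0.9:40003 flags=R",
]
HANDSHAKE_TRACE = [
    "proto=tcp src=10.0.0.9:40004 dst=10.0.0.1:80 flags=S",
    "proto=tcp src=10.0.0.1:80 dst=10.0.0.9:40004 flags=SA",
    "proto=tcp src=10.0.0.9:40004 dst=10.0.0.1:80 flags=A",
]
print(detect(PROBE_TRACE), detect(HANDSHAKE_TRACE))
```

Because the identifier stream is plain text, a sensor can keep adding signatures without changing the classifier, and an unmatched packet surfaces as OTHER rather than being silently dropped.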
Specification