Intrusion detection signature analysis using regular expressions and logical operators
First Claim
Patent Images
1. A packet-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
- using a set of regular expression identifiers to represent a set of packet types;
using logical operators to describe relationships between said packet types;
combining said at least one of said identifiers and at least one of said logical operators to provide a regular expression describing each of said signatures; and
using said regular expressions to provide an executable process.
1 Assignment
0 Petitions
Accused Products
Abstract
A method of describing intrusion signatures, which are used by an intrusion detection system to detect attacks on a local network. The signatures are described using a “high level” syntax having features in common with regular expression and logical expression methodology. These high level signatures may then be compiled, or otherwise analyzed, to provide a process executable by a sensor or other processor-based signature detector.
-
Citations
12 Claims
-
1. A packet-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
-
using a set of regular expression identifiers to represent a set of packet types;
using logical operators to describe relationships between said packet types;
combining said at least one of said identifiers and at least one of said logical operators to provide a regular expression describing each of said signatures; and
using said regular expressions to provide an executable process. - View Dependent Claims (2, 3)
-
-
4. An event-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
-
using a first set of regular expression identifiers to represent a set of packet types;
using a second set of regular expression identifiers to represent a set of packet sequences;
using a third set of regular expression identifiers to represent a set of signature-related events;
for each signature, selecting at least one of said identifiers to provide a regular expression describing that signatures; and
using said regular expressions to provide an executable process. - View Dependent Claims (5, 6)
-
-
7. An event-based method embodied in a computer-readable medium, of describing signatures used for detecting intrusion to a local network, comprising the steps of:
-
using a set of regular expression identifiers to represent a set of signature events;
using logical operators to describe relationships between said signature events;
combining said identifiers and said logical operators to provide a regular expression describing said signatures; and
using said regular expressions to provide an executable process. - View Dependent Claims (8, 9, 10, 11, 12)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
InventorsLathem, Gerald S., Shanklin, Steven D., Bernhard, Thomas E.
-
Primary Examiner(s)Hayes, Gail
-
Assistant Examiner(s)Revak, Christopher A.
-
Application NumberUS09/232,385Time in Patent Office1,411 DaysField of Search709/223, 709/224, 713/168, 713/176, 713/177, 713/178, 713/187, 713/188, 713/200, 713/201US Class Current726/23CPC Class CodesG06F 21/55 Detecting local intrusion o...H04L 63/1408 by monitoring network traff...H04L 63/1425 Traffic logging, e.g. anoma...
