Network intrusion detection signature analysis using decision graphs
First Claim
1. A method of using a signature processor to detect signatures in an incoming datastream, the signatures representing intrusion to a local network, comprising the steps of:
- selecting at least two reference signatures having at least one common event;
representing each said common event as a node of a decision graph;
representing a non-common event associated with each signature as a subsequent level node of said decision graph;
defining at least one function for each said signature, for determining a transition between nodes associated with that signature;
providing events indicated by said datastream as input to said decision graph; and
traversing said decision graph so as to determine whether said events comprise a signature that matches one of said reference signatures;
wherein said events are of at least one event type.
1 Assignment
0 Petitions
Accused Products
Abstract
A method of detecting signatures representing misuse of a local network. Known reference signatures having one or more common events are identified, and represented with a decision graph having one or more shared nodes. Each node of the decision graph represents the occurrence of an event. Given a set of input events, test functions associated with nodes determine the path taken during traversal of the graph. A path of the graph from the parent node to a leaf node represents the occurrence of all events that comprise a signature. The decision graph permits any of the signatures to be detected with only one traversal, and avoids the need for a separate matching process for each signature. In this manner, an entire set of all known reference signatures may be consolidated into a smaller set of decision graphs.
216 Citations
37 Claims
-
1. A method of using a signature processor to detect signatures in an incoming datastream, the signatures representing intrusion to a local network, comprising the steps of:
-
selecting at least two reference signatures having at least one common event;
representing each said common event as a node of a decision graph;
representing a non-common event associated with each signature as a subsequent level node of said decision graph;
defining at least one function for each said signature, for determining a transition between nodes associated with that signature;
providing events indicated by said datastream as input to said decision graph; and
traversing said decision graph so as to determine whether said events comprise a signature that matches one of said reference signatures;
wherein said events are of at least one event type. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer-readable memory device encoded with a data structure for representing multiple signatures associated with misuse of a network, comprising:
-
a decision graph, having the following elements;
at least one node representing an event common to said multiple signatures;
at least two subsequent nodes, each of which represent an event not common to said multiple signatures;
at least two leaf nodes, each of which is associated with one of said multiple signatures; and
a function associated with each node that is not a leaf node, for determining transitions between nodes;
wherein said event common to said multiple signatures and said event not common to said multiple signatures are of at least one event type. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A method of generating a decision graph for representing multiple signatures representing misuse of a local network, comprising the steps of:
-
describing a set of reference signatures with a regular expression language;
compiling the regular expressions representing the reference signatures, such that said reference signatures are parsed in terms of events; and
generating a decision graph as the output of said compiling step, said decision graph having nodes representing occurrences of events, wherein said events are of at least one event type, and said decision graph having functions determining transitions between nodes, and said decision graph having leaf nodes each of which represent the bottom of a path of said decision graph that connects nodes associated with events that comprise a signature. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
-
-
23. A method of using a signature processor to detect signatures in an incoming data stream, the signatures representing intrusion to a local network, comprising:
-
selecting at least two reference signatures having a common event and at least one non-common event;
representing the common event as a corresponding node of a decision graph;
representing the at least one non-common event as a subsequent level node of the decision graph;
defining a function for a path that associates the corresponding node and the subsequent level node, the function representing at least one criterion for transitioning from the corresponding node and the subsequent level node;
identifying one or more events indicated by the data stream; and
traversing the decision graph to determine that the identified one or more events form a signature that matches one of the at least two reference signatures, wherein traversing the decision graph comprises, determining that one of the one or more events matches the corresponding node, determining that the at least one criterion of the function for the path that associates the corresponding node and the subsequent level node is met, and in response to the determination that the at least one criterion is met, determining that another one of the one or more events that is subsequent to the one of the one or more events matches the subsequent level node. - View Dependent Claims (24, 25, 26, 27, 28, 29)
-
-
30. An apparatus, comprising:
-
a program stored on a computer readable medium and operable, when executed on a processor, to;
access a decision graph having, a node representing a common event of at least two reference signatures, a subsequent level node representing at least one non-common event of the at least two reference signatures, a path associating the node and the subsequent level node, the path having a function representing at least one criterion for transitioning from the node to the subsequent level node;
identify one or more events indicated by the data stream;
determine that the identified one or more events form a signature that matches one of the at least two reference signatures by traversing the decision graph, wherein traversing the decision graph comprises, determining that one of the one or more events matches the node, determining that the at least one criterion of the function for the path that associates the node and the subsequent level node is met, and in response to the determination that the at least one criterion is met, determining that another one of the one or more events that is subsequent to the one of the one or more events matches the subsequent level node. - View Dependent Claims (31, 32, 33, 34, 35, 36)
-
-
37. An apparatus, comprising:
-
means for storing a decision graph having, a node representing a common event of at least two reference signatures, a subsequent level node representing at least one non-common event of the at least two reference signatures, a path associating the node and the subsequent level node, the path having a function representing at least one criterion for transitioning from the node to the subsequent level node;
means for identifying one or more events indicated by the data stream; and
means for accessing the decision graph, comparing at least a part of the identified one or more events to at least a portion of the decision graph, and determining that the identified one or more events form a signature that matches one of the at least two reference signatures by traversing the decision graph, wherein traversing the decision graph comprises, determining that one of the one or more events matches the node, determining that the at least one criterion of the function for the path that associates the node and the subsequent level node is met, and in response to the determination that the at least one criterion is met, determining that another one of the one or more events that is subsequent to the one of the one or more events matches the subsequent level node.
-
Specification