Intrusion detection signature analysis using regular expressions and logical operators

US 6,792,546 B1
Filed: 11/25/2002
Issued: 09/14/2004
Est. Priority Date: 01/15/1999
Status: Expired due to Term

First Claim

Patent Images

1. An intrusion detection system comprising:

a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising;

a set of packet types represented by a set of regular expression identifiers; and

logical operators describing relationships between the packet types; and

an intrusion detection sensor operable to examine packets of data and compare the packets to the plurality of regular expressions describing intrusion signatures.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of describing intrusion signatures, which are used by an intrusion detection system to detect attacks on a local network. The signatures are described using a “high level” syntax having features in common with regular expression and logical expression methodology. These high level signatures may then be compiled, or otherwise analyzed, to provide a process executable by a sensor or other processor-based signature detector.

228 Citations

30 Claims

1. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising;
  
  a set of packet types represented by a set of regular expression identifiers; and
  
  logical operators describing relationships between the packet types; and
  
  an intrusion detection sensor operable to examine packets of data and compare the packets to the plurality of regular expressions describing intrusion signatures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the packet types are selected from the group consisting of TCP packets, UDP packets, and ICMP packets.
  - 3. The system of claim 1, and wherein the intrusion detection sensor is further operable to perform each of the following functions:
    - checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, TCP stream reassembly, and pattern matching.
  - 4. The system of claim 1, wherein the at least one intrusion signature comprises a malicious intent attack signature.
  - 5. The system of claim 1, wherein the at least one intrusion signature comprises a denial of service attack signature.
  - 6. The system of claim 1, wherein the at least one intrusion signature comprises an invasion attempt attack signature.
  - 7. The system of claim 1, wherein the at least one intrusion signature comprises an atomic attack signature.
  - 8. The system of claim 1, wherein the at least one intrusion signature comprises a composite attack signature.

9. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising;
  
  a set of packet types represented by a set of regular expression identifiers; and
  
  logical operators describing relationships between the packet types; and
  
  logic encoded in a computer-readable medium operable to examine packets of data and compare the packets to regular expressions describing intrusion signatures.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the packet types are selected from the group consisting of TCP packets, UDP packets, and ICMP packets.
  - 11. The system of claim 9, and wherein the logic is further operable to perform each of the following functions:
    - checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, TCP stream reassembly, and pattern matching.
  - 12. The system of claim 9, wherein the at least one intrusion signature comprises a malicious intent attack signature.
  - 13. The system of claim 9, wherein the at least one intrusion signature comprises a denial of service attack signature.
  - 14. The system of claim 9, wherein the at least one intrusion signature comprises an invasion attempt attack signature.
  - 15. The system of claim 9, wherein the at least one intrusion signature comprises an atomic attack signature.
  - 16. The system of claim 9, wherein the at least one intrusion signature comprises a composite attack signature.

17. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising;
  
  a set of signature events represented by a set of regular expression identifiers; and
  
  logical operators describing relationships between the signature events; and
  
  an intrusion detection sensor operable to examine network traffic and compare the traffic to the regular expressions describing intrusion signatures.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, and wherein the intrusion detection sensor is further operable to perform each of the following functions:
    - checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, TCP stream reassembly, and pattern matching.
  - 19. The system of claim 17, wherein the at least one intrusion signature comprises a malicious intent attack signature.
  - 20. The system of claim 17, wherein the at least one intrusion signature comprises a denial of service attack signature.
  - 21. The system of claim 17, wherein the at least one intrusion signature comprises an invasion attempt attack signature.
  - 22. The system of claim 17, wherein the at least one intrusion signature comprises an atomic attack signature.
  - 23. The system of claim 17, wherein the at least one intrusion signature comprises a composite attack signature.

24. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising;
  
  a set of signature events represented by a set of regular expression identifiers; and
  
  logical operators describing relationships between the signature events; and
  
  logic encoded in a computer-readable medium operable to examine network traffic and compare the traffic to regular expressions describing intrusion signatures.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The system of claim 24, and wherein the intrusion detection sensor is further operable to perform each of the following functions:
    - checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, TCP stream reassembly, and pattern matching.
  - 26. The system of claim 24, wherein the at least one intrusion signature comprises a malicious intent attack signature.
  - 27. The system of claim 24, wherein the at least one intrusion signature comprises a denial of service attack signature.
  - 28. The system of claim 24, wherein the at least one intrusion signature comprises an invasion attempt attack signature.
  - 29. The system of claim 24, wherein the at least one intrusion signature comprises an atomic attack signature.
  - 30. The system of claim 24, wherein the at least one intrusion signature comprises a composite attack signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Lathem, Gerald S., Shanklin, Steven D., Bernhard, Thomas E.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/304,173
Time in Patent Office

659 Days
Field of Search

713/163, 713/176, 713/177, 713/178, 713/187, 713/188, 713/200, 713/201, 709/223, 709/224, 714/38
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Intrusion detection signature analysis using regular expressions and logical operators

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection signature analysis using regular expressions and logical operators

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links