Intrusion detection signature analysis using regular expressions and logical operators
Abstract
A method of describing intrusion signatures, which are used by an intrusion detection system to detect attacks on a local network. The signatures are described using a “high level” syntax having features in common with regular expression and logical expression methodology. These high level signatures may then be compiled, or otherwise analyzed, to provide a process executable by a sensor or other processor-based signature detector.
30 Claims
1. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising:
  - a set of packet types represented by a set of regular expression identifiers; and
  - logical operators describing relationships between the packet types; and
- an intrusion detection sensor operable to examine packets of data and compare the packets to the plurality of regular expressions describing intrusion signatures.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising:
  - a set of packet types represented by a set of regular expression identifiers; and
  - logical operators describing relationships between the packet types; and
- logic encoded in a computer-readable medium operable to examine packets of data and compare the packets to regular expressions describing intrusion signatures.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising:
  - a set of signature events represented by a set of regular expression identifiers; and
  - logical operators describing relationships between the signature events; and
- an intrusion detection sensor operable to examine network traffic and compare the traffic to the regular expressions describing intrusion signatures.
Dependent claims: 18, 19, 20, 21, 22, 23

24. An intrusion detection system comprising:
- a plurality of regular expressions embodied in a computer-readable medium describing at least one intrusion signature used in detecting intrusion to a network, the regular expressions comprising:
  - a set of signature events represented by a set of regular expression identifiers; and
  - logical operators describing relationships between the signature events; and
- logic encoded in a computer-readable medium operable to examine network traffic and compare the traffic to regular expressions describing intrusion signatures.
Dependent claims: 25, 26, 27, 28, 29, 30
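As an added illustration of the approach the abstract and claims describe (my own example, not code from the patent or from any product it covers): packet types are named regular expressions, a high-level signature combines their identifiers with the logical operators AND, OR and NOT, the signature is compiled into a predicate, and a sensor checks a window of packets against it. The one-line packet text format, the packet-type names and the sample traffic are all constructed for this example.

```python
import re
# Packet types: identifiers naming regular expressions matched against a packet's
# one-line textual form (this line format is constructed for the example).
PACKET_TYPES = {
    "TELNET_SYN": re.compile(r"^TCP \S+>\S+:23 flags=S\b"),
    "LOGIN_ROOT": re.compile(r"^TCP \S+>\S+:23 .*login: root\b"),
    "AUTH_FAIL":  re.compile(r"^TCP \S+:23>\S+ .*Login incorrect"),
}
TOKEN = re.compile(r"[A-Z_]+|[()]")  # identifiers, AND/OR/NOT, parentheses

def compile_signature(text):
    """Compile 'A AND (B OR NOT C)' to a predicate over the set of packet types
    seen in a traffic window. Precedence: NOT binds tightest, then AND, then OR."""
    toks = TOKEN.findall(text)
    def expr():  # expr := term (OR term)*
        f = term()
        while toks and toks[0] == "OR":
            toks.pop(0); f = (lambda a, b: lambda s: a(s) or b(s))(f, term())
        return f
    def term():  # term := factor (AND factor)*
        f = factor()
        while toks and toks[0] == "AND":
            toks.pop(0); f = (lambda a, b: lambda s: a(s) and b(s))(f, factor())
        return f
    def factor():  # factor := NOT factor | '(' expr ')' | IDENT
        t = toks.pop(0) if toks else ""
        if t == "NOT":
            f = factor(); return lambda s: not f(s)
        if t == "(":
            f = expr()
            if not toks or toks.pop(0) != ")": raise ValueError("missing ')'")
            return f
        if t not in PACKET_TYPES: raise ValueError(f"bad token {t!r}")
        return lambda s: t in s
    pred = expr()
    if toks: raise ValueError(f"unexpected token {toks[0]!r}")
    return pred

def classify(packet):  # packet-type identifiers whose regex matches this packet
    return {name for name, rx in PACKET_TYPES.items() if rx.search(packet)}
def sensor(signatures, packets):  # names of signatures holding over the window
    seen = set().union(*map(classify, packets))
    return sorted(name for name, pred in signatures.items() if pred(seen))

SIGNATURES = {  # high-level signatures: packet types joined by logical operators
    "root-login-failed": compile_signature("TELNET_SYN AND LOGIN_ROOT AND AUTH_FAIL"),
    "root-login-success": compile_signature("LOGIN_ROOT AND NOT AUTH_FAIL")}
PACKETS = ["TCP 10.0.0.5>10.0.0.9:23 flags=S",  # constructed sample traffic
           "TCP 10.0.0.5>10.0.0.9:23 login: root",
           "TCP 10.0.0.9:23>10.0.0.5 Login incorrect"]
```

Unknown identifiers and unbalanced parentheses are rejected at compile time, so a malformed signature cannot silently match nothing at the sensor.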