System and method for detection of intrusion attacks on packets transmitted on a network
First Claim
1. In a multi-stage intrusion detection system, a method of detecting a plurality of intrusion attacks to a packet transmitted on a network, the intrusion attacks associated with a plurality of conditions, the method comprising:
receiving the packet;
determining at a first stage of the intrusion detection system whether a first condition assigned to the first stage is satisfied for the packet;
determining at a second stage of the intrusion detection system whether a second condition assigned to the second stage is satisfied for the packet; and
determining that the packet corresponds to an intrusion attack when it is determined that the first condition and the second condition are satisfied.
Abstract
An intrusion detection system detects and takes appropriate action against intrusion attacks on packets transmitted on a network. The various conditions that make up each intrusion attack are described in the form of a rule tree. The intrusion detection system employs a pipelined structure including a plurality of modules, and parts of the rule tree are assigned to the modules. The modules determine in a pipelined manner whether the conditions of an intrusion attack are satisfied. If an intrusion attack on the packet is detected, the intrusion detection system takes the action associated with the detected intrusion attack.
26 Claims
1. In a multi-stage intrusion detection system, a method of detecting a plurality of intrusion attacks to a packet transmitted on a network, the intrusion attacks associated with a plurality of conditions, the method comprising:
receiving the packet;
determining at a first stage of the intrusion detection system whether a first condition assigned to the first stage is satisfied for the packet;
determining at a second stage of the intrusion detection system whether a second condition assigned to the second stage is satisfied for the packet; and
determining that the packet corresponds to an intrusion attack when it is determined that the first condition and the second condition are satisfied.
Dependent claims: 2, 3, 4, 5, 6.
7. An intrusion detection system for detecting a plurality of intrusion attacks to a packet transmitted on a network, each intrusion attack associated with a plurality of conditions, each condition belonging to one of a first, second, third, fourth and fifth set of conditions, the intrusion detection system comprising:
a generic extension builder for (i) receiving the packet, (ii) processing the first set of conditions on the packet to generate generic extensions, and (iii) outputting the packet along with the generic extensions added to the packet;
a session cache module coupled to the generic extension builder for (i) receiving the packet with the generic extensions, (ii) processing the second set of conditions on the packet to generate session cache extensions, and (iii) outputting the packet along with the generic extensions and the session cache extensions added to the packet;
an application decode module coupled to the session cache module for (i) receiving the packet with the generic extensions and the session cache extensions, (ii) processing the third set of conditions on the packet to generate application decode extensions, and (iii) outputting the packet along with the generic extensions, the session cache extensions, and the application decode extensions added to the packet;
a rule engine module coupled to the application decode module for (i) receiving the packet with the generic extensions, the session cache extensions, and the application decode extensions, (ii) processing the fourth set of conditions on the packet to generate rule engine extensions, and (iii) outputting the packet along with the generic extensions, the session cache extensions, the application decode extensions, and the rule engine extensions added to the packet; and
an intrusion detection policy engine coupled to the rule engine module for (i) receiving the packet with the generic extensions, the session cache extensions, the application decode extensions, and the rule engine extensions, (ii) processing the fifth set of conditions on the packet, (iii) determining whether all the conditions of an intrusion attack are satisfied based upon the generic extensions, the session cache extensions, the application decode extensions, the rule engine extensions, and the processed fifth set of conditions, (iv) taking an action corresponding to the determined intrusion attack, and (v) outputting the packet.
Dependent claims: 8.
9. A multi-stage intrusion detection system for detecting a plurality of intrusion attacks to a packet transmitted on a network, each intrusion attack associated with a plurality of conditions, the multi-stage intrusion detection system comprising:
a plurality of modules each corresponding to selected ones of the conditions and each determining whether the corresponding conditions are satisfied; and
a policy manager controlling selected ones of the modules and providing information used in determining whether the corresponding conditions are satisfied to the selected ones of the modules,
wherein an intrusion attack is detected when all the conditions corresponding to the intrusion attack are determined to be satisfied by the respective modules.
10. An intrusion detection system for detecting a plurality of intrusion attacks to a packet transmitted on a communication network, each intrusion attack associated with a rule having a plurality of conditions and an action to be taken when the intrusion attack is detected, the intrusion detection system comprising:
a rule database storing the rules for each of the intrusion attacks;
a policy compiler coupled to the rule database and converting the conditions in the rules to a rule tree, the rule tree including a plurality of condition node pairs each having an expression node and a value node, each condition node pair corresponding to one condition and coupled to another condition node pair via at least one branch to form a plurality of paths, such that traversing along one of the paths corresponds to determining the conditions of a rule associated with one of the intrusion attacks; and
an intrusion detection policy agent coupled to the policy compiler for determining whether an intrusion attack occurred to the packet based upon the rule tree provided by the policy compiler.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A computer-readable medium storing a rule tree for use in an intrusion detection system for detecting a plurality of intrusion attacks to a packet transmitted on a network, each intrusion attack associated with a rule having a plurality of conditions and an action to be taken when the intrusion attack is detected, wherein the rule tree comprises a plurality of condition node pairs each having an expression node and a value node, each condition node pair corresponding to one condition and coupled to another condition node pair via a branch to form a plurality of paths, such that traversing along one of the paths corresponds to determining all the conditions of the rule associated with one of the intrusion attacks.
21. A multi-stage intrusion detection system for detecting a plurality of intrusion attacks to a packet transmitted on a network, the intrusion attacks associated with a plurality of conditions, the multi-stage intrusion detection system comprising:
a first stage receiving the packet and determining whether a first condition assigned to the first stage is satisfied for the packet; and
a second stage determining whether a second condition assigned to the second stage is satisfied for the packet,
wherein the multi-stage intrusion detection system determines that the packet corresponds to an intrusion attack when it is determined that the first condition and the second condition are satisfied.
Dependent claims: 22, 23, 24, 25, 26.
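The claims above describe two cooperating mechanisms: a policy compiler that turns rules into a tree of condition node pairs (an expression node and a value node, with shared prefixes merged into common paths, claims 10 and 19), and a pipeline of stages that each evaluate the conditions assigned to them, attach the results to the packet as "extensions", and hand the packet to the next stage until a policy engine decides whether every condition of some rule holds (claims 1, 7, 9 and 21). The following Python is an added illustration written for this page, not code from the patent or from any product; the stage names, the assignment of fields to stages, the rule set and the sample packets are all constructed assumptions, and the tree walk is one straightforward reading of "traversing along one of the paths".

```python
"""Constructed toy of the two ideas in the claims: a rule tree of (expression, value)
node pairs compiled from rules, and a pipelined multi-stage evaluator whose stages
attach "extensions" to the packet before a policy engine walks the tree.
All names, stages, fields and sample traffic below are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Rule:
    name: str
    conditions: Dict[str, Any]   # expression -> required value; all must hold
    action: str                  # what the policy engine does on a match


@dataclass
class Node:
    """One condition node pair: expr is the expression node, value the value node."""
    expr: Optional[str] = None
    value: Any = None
    children: List["Node"] = field(default_factory=list)
    rules: List[Rule] = field(default_factory=list)  # rules whose path ends here


# Assumed assignment of each expression to the pipeline stage that produces it.
STAGES = ["generic", "session", "app", "rule_engine"]
FIELD_STAGE = {"proto": "generic", "dst_port": "generic",
               "session_state": "session", "method": "app",
               "payload_has": "rule_engine"}


def compile_rules(rules: List[Rule]) -> Node:
    """Policy compiler: merge rules into one tree so shared prefixes form one path."""
    root = Node()
    for r in rules:
        node = root
        # Order conditions by stage so two rules with the same early conditions share nodes.
        ordered = sorted(r.conditions.items(),
                         key=lambda kv: (STAGES.index(FIELD_STAGE[kv[0]]), kv[0]))
        for expr, value in ordered:
            nxt = next((c for c in node.children if c.expr == expr and c.value == value), None)
            if nxt is None:
                nxt = Node(expr, value)
                node.children.append(nxt)
            node = nxt
        node.rules.append(r)
    return root


# --- pipeline stages: each adds extensions to ext and passes the packet on ---
def generic_stage(pkt, ext):
    ext["proto"], ext["dst_port"] = pkt["proto"], pkt["dst_port"]


def session_stage(pkt, ext, sessions):
    key = (pkt["src"], pkt["dst"], pkt["dst_port"])
    sessions[key] = sessions.get(key, 0) + 1
    ext["session_state"] = "established" if sessions[key] > 1 else "new"


def app_stage(pkt, ext):
    # Only decode as HTTP when the earlier stage already established TCP/80.
    if ext["proto"] == "tcp" and ext["dst_port"] == 80 and pkt["payload"]:
        ext["method"] = pkt["payload"].split(" ", 1)[0]


def rule_engine_stage(pkt, ext, patterns):
    ext["payload_has"] = {p for p in patterns if p in pkt["payload"]}


def satisfied(node: Node, ext) -> bool:
    if node.expr == "payload_has":
        return node.value in ext.get("payload_has", ())
    return ext.get(node.expr) == node.value   # a missing extension never matches


def policy_engine(node: Node, ext, hits: List[Rule]) -> None:
    """Follow every branch whose condition pair holds; collect rules at path ends."""
    hits.extend(node.rules)
    for child in node.children:
        if satisfied(child, ext):
            policy_engine(child, ext, hits)


def detect(packets, rules):
    tree = compile_rules(rules)
    patterns = {v for r in rules for k, v in r.conditions.items() if k == "payload_has"}
    sessions: Dict[tuple, int] = {}
    results = []
    for pkt in packets:
        ext: Dict[str, Any] = {}
        generic_stage(pkt, ext)
        session_stage(pkt, ext, sessions)
        app_stage(pkt, ext)
        rule_engine_stage(pkt, ext, patterns)
        hits: List[Rule] = []
        policy_engine(tree, ext, hits)
        results.extend((pkt["id"], r.name, r.action) for r in hits)
    return results


# Constructed sample rules and traffic (not from the patent).
RULES = [
    Rule("http-traversal", {"proto": "tcp", "dst_port": 80, "method": "GET",
                            "payload_has": "../"}, "alert"),
    Rule("http-get-established", {"proto": "tcp", "dst_port": 80,
                                  "session_state": "established", "method": "GET"}, "log"),
]
PACKETS = [
    {"id": "p1", "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dst_port": 80,
     "payload": "GET /index.html HTTP/1.1"},
    {"id": "p2", "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dst_port": 80,
     "payload": "GET /a/../../etc/passwd HTTP/1.1"},
    {"id": "p3", "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "dst_port": 53,
     "payload": ""},
]

if __name__ == "__main__":
    for row in detect(PACKETS, RULES):
        print(row)
```

Two points worth noticing. The compiler sorts each rule's conditions by stage, so the two sample rules share the `dst_port`/`proto` nodes and only branch where their third condition differs; that is what makes one tree walk evaluate many rules at once. And because a stage only attaches an extension when it can produce one (the app stage leaves `method` unset for non-HTTP traffic), a later condition on a missing extension simply fails rather than raising, which is the behaviour you want from a per-packet pipeline.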