Method and system for configurable network intrusion detection

US 7,243,371 B1
Filed: 11/12/2001
Issued: 07/10/2007
Est. Priority Date: 11/09/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting network intrusion comprising:

receiving configuration data associated with a defined signature;

providing an inspector shell;

generating, based on the received configuration data, a plurality of parameter-value associations for use in defining the defined signature;

automatically generating, by a computer, an inspector instance from the inspector shell and the generated parameter-value association, the inspector instance operable to;

receive traffic traveling on the network;

compare the traffic to data indicative the defined signature;

detect network intrusion in response to the comparison; and

executing the inspector instance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment of the invention, a method for automatically generating software code operable to detect a defined signature in network traffic comprises providing an inspector shell, generating a plurality of parameter name-value associations from provided configuration data, and automatically generating, by computer, an instance of the inspector shell having a signature defined by the parameter name-value associations.

Citations

19 Claims

1. A method for detecting network intrusion comprising:
- receiving configuration data associated with a defined signature;
  
  providing an inspector shell;
  
  generating, based on the received configuration data, a plurality of parameter-value associations for use in defining the defined signature;
  
  automatically generating, by a computer, an inspector instance from the inspector shell and the generated parameter-value association, the inspector instance operable to;
  
  receive traffic traveling on the network;
  
  compare the traffic to data indicative the defined signature;
  
  detect network intrusion in response to the comparison; and
  
  executing the inspector instance.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein receiving configuration data associated with a signature comprises receiving configuration data from a user.
  - 3. The method of claim 1, wherein receiving configuration data associated with a signature comprises receiving configuration data stored in one or more data files.
  - 4. The method of claim 1, wherein the inspector instance is further operable to extract parameter names and associated values from the received traffic.
  - 5. The method of claim 1, wherein the inspector instance is further operable to determine if a parameter within the received traffic is relevant to the defined signature and, if not, discard the associated value rather than test the associated value against the signature.

6. A system for detecting network intrusion comprising:
- a packet capturer operable to acquire network traffic;
  
  a database operable to store data indicative of the network traffic acquired by the packet capturer;
  
  a plurality of engine groups, each engine group comprising a plurality of engines, each engine comprising;
  
  a parser operable to receive configuration data for use in defining a signature to be detected and create a structured version therefrom;
  
  an inspector shell comprising coding operable to compare a defined signature to the acquired network traffic; and
  
  an inspector generator operable to generate an inspector instance from the structured version of the configuration data and the inspector shell, the inspector instance operable to compare the defined signature to the acquired network traffic; and
  
  an output handler operable to generate an indication of a detected intrusion in response to a signal from the inspector instance.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 7. The system of claim 6, wherein the output handler is further operable to generate an indication of a detected intrusion.
  - 8. The system of claim 6, and further comprising a configuration handler operable to receive the configuration data from a user and provide the data to the parser.
  - 9. The system of claim 6, and further comprising a configuration file associated with the configuration handler.
  - 10. The system of claim 6, and further comprising the inspector instance.
  - 11. The system of claim 6, wherein the parser further comprises:
    - a tokenizer operable to receive the configuration data and associate parameters names with parameter values within the configuration data and create a plurality of parameters name-value pairs; and
      
      an internalizer operable to verify the parameter name-value pairs are within acceptable ranges and create an optimized data structure for the parameter name-value pairs.
  - 12. The system of claim 10, wherein the inspector instance comprises:
    - a protocol decoder operable to decode a packet of network traffic; and
      
      a comparator and evaluator operable to receive the decoded packet of network traffic and determine whether the packet matches the defined signature.
  - 13. The system of claim 12, wherein the comparator and evaluator is further operable to:
    - examine the decoded packet;
      
      determine which parameters in the decoded packet to test against the defined signature; and
      
      determine if all of the tested parameters are met.
  - 14. The system of claim 13, wherein the comparator and evaluator is further operable to halt operation upon determining that any one of the tested parameters is not met.
  - 15. The system of claim 6, wherein the database associates traffic data by Internet Protocol source and destination address.
  - 16. The system of claim 6, wherein the database associates traffic data by attributes of the acquired network traffic.
  - 17. The system of claim 6, wherein the plurality of engine groups comprise:
    - an atomic engine group;
      
      a flood engine group;
      
      a sweep engine group;
      
      a string engine group; and
      
      a service engine group.
  - 18. The system of claim 6, wherein the inspector generator is formed integral with the parser.
  - 19. The system of claim 6, wherein the packet capturer, parser, inspector shell, inspector generator, and output handler comprise computer code in the C++ programming language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kasper, James W., Wiley, Kevin L., Beriswill, Paul A.
Primary Examiner(s)
Smithers; Matthew
Assistant Examiner(s)
Abyaneh; Ali

Application Number

US10/011,817
Time in Patent Office

2,066 Days
Field of Search

713/200, 713/201, 713/188, 709/203, 709/224, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/85   interconnection devices, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and system for configurable network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for configurable network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links