Methods and systems for intrusion detection
Abstract
Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.
31 Claims
1. A method for optimizing rules in an intrusion detection system, comprising:
- creating a plurality of different rule sets from a plurality of intrusion detection system rules, including combining only one or two unique rules with all generic rules for the same transport protocol to form unique rule sets, and combining all generic rules for the same transport protocol to form generic rule sets, wherein each intrusion detection system rule in the unique rule sets or generic rule sets is for a same transport protocol, wherein the only one or two unique rules specify parameters in a transport header or an IP header which are different from parameters of every other rule, wherein generic rules specify content but not parameters in a transport header or an IP header, wherein each rule set indicates a combination of parameters of the combined rules;
- determining at least one rule set that matches each packet by comparing parameters but not the content of the packet to the indicated combination of parameters of the at least one rule set; and
- inspecting the content and parameters of the packet with only the intrusion detection system rules in the at least one rule set that matches the packet.

Dependent claims: 2-10.
11. A method for resolving unique conflicts between at least two rule sets that match parameters of a packet during rule set selection in an intrusion detection system, comprising:
- creating defined unique conflict rule sets, wherein each defined unique conflict rule set is created by combining at least two unique rule sets defined by a user as rule sets capable of having a unique conflict together with all generic rules for the same transport protocol, wherein each rule in the unique rule sets is for the same transport protocol, wherein the at least two unique rule sets specify parameters in a transport header or an IP header which are different from parameters of every other rule, wherein each unique conflict rule set indicates a combination of parameters of the combined rule sets;
- comparing the parameters but not the content of the packet to the indicated combination of parameters of each defined unique conflict rule set of the defined unique conflict rule sets;
- selecting for inspection a defined unique conflict rule set from the list of defined unique conflict rule sets if the parameters of the packet match the defined unique conflict rule set;
- selecting for inspection each of the at least two rule sets that match parameters of the packet if the parameters of the packet do not match a defined unique conflict rule set of the defined unique conflict rule sets; and
- inspecting the content and parameters of the packet with only the selected rule sets.

Dependent claims: 12-16.
17. A method for resolving unique conflicts between at least two rule sets that match parameters of a packet during rule set selection in an intrusion detection system, comprising:
- creating defined unique conflict rule sets, wherein each defined unique conflict rule set is created by combining at least two unique rule sets defined by a user as rule sets capable of having a unique conflict together with all generic rules for the same transport protocol, wherein each rule in the unique rule sets is for the same transport protocol, wherein the at least two unique rule sets specify parameters in a transport header or an IP header which are different from parameters of every other rule, wherein each unique conflict rule set indicates a combination of parameters of the combined rule sets;
- comparing the parameters but not the content of the packet to the indicated combination of parameters of each defined unique conflict rule set of the defined unique conflict rule sets;
- selecting for inspection a defined unique conflict rule set from the defined unique conflict rule sets if the parameters of the packet match the defined unique conflict rule set;
- selecting randomly for inspection one of the at least two rule sets that matches parameters of the packet if the parameters of the packet do not match a defined unique conflict rule set of the defined unique conflict rule sets; and
- inspecting the content and parameters of the packet with only the selected rules.

Dependent claims: 18.
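Claims 1, 11 and 17 describe how rule sets are built from unique and generic rules and how one set is chosen per packet by header parameters alone. The Python below is an added example written for this page, not code from the patent or from any product; the `Rule`/`RuleSet` model, the field names (`proto`, `dst_port`, `flags`) and the sample rules and packets are all constructed for illustration. It builds the sets of claim 1, resolves a unique conflict with a user-defined conflict set as in claim 11, and falls back to inspecting every matching unique set when no conflict set applies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed rule model for this example (not the patent's or Snort's format).
# "params" holds the IP/transport header fields a rule tests; "content" is an
# optional payload search pattern.
@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                                  # transport protocol, e.g. "tcp"
    params: Tuple[Tuple[str, str], ...] = ()    # header parameters as (field, value) pairs
    content: Optional[bytes] = None             # payload pattern; None = header-only rule

    def is_generic(self) -> bool:
        # Generic rules specify content but no transport/IP header parameters.
        return self.content is not None and not self.params


@dataclass
class RuleSet:
    name: str
    proto: str
    params: Dict[str, str]      # combined header parameters the set requires
    rules: List[Rule]           # rules inspected when this set is selected


def build_rule_sets(rules: Sequence[Rule]) -> List[RuleSet]:
    """Claim 1: per transport protocol, one generic set holding all generic
    rules, plus one unique set per unique rule (that rule + all generic rules)."""
    by_proto: Dict[str, List[Rule]] = {}
    for r in rules:
        by_proto.setdefault(r.proto, []).append(r)
    sets: List[RuleSet] = []
    for proto, prules in by_proto.items():
        generic = [r for r in prules if r.is_generic()]
        sets.append(RuleSet(f"generic/{proto}", proto, {}, list(generic)))
        for r in prules:
            if not r.is_generic():
                sets.append(RuleSet(f"unique/{r.name}", proto, dict(r.params), [r] + generic))
    return sets


def build_conflict_set(unique_sets: Sequence[RuleSet]) -> RuleSet:
    """Claim 11: a user-defined conflict set merges two or more unique sets of
    the same protocol (each already carries that protocol's generic rules)."""
    proto = unique_sets[0].proto
    assert all(us.proto == proto for us in unique_sets), "conflict sets span one protocol"
    params: Dict[str, str] = {}
    rules: List[Rule] = []
    for us in unique_sets:
        params.update(us.params)
        for r in us.rules:
            if r not in rules:
                rules.append(r)
    label = "+".join(us.name.split("/", 1)[1] for us in unique_sets)
    return RuleSet(f"conflict/{label}", proto, params, rules)


def set_matches(rs: RuleSet, pkt: Dict[str, str]) -> bool:
    """Compare header parameters only (never the payload) to the set's combination."""
    return pkt["proto"] == rs.proto and all(pkt.get(k) == v for k, v in rs.params.items())


def select_rule_sets(sets: Sequence[RuleSet], pkt: Dict[str, str],
                     conflict_sets: Sequence[RuleSet] = ()) -> List[RuleSet]:
    """Rule set selection: a matching unique set beats the generic set. If two
    or more unique sets match (a unique conflict), use a defined conflict set
    that matches; otherwise inspect every matching unique set (claim 11)."""
    unique = [rs for rs in sets if rs.params and set_matches(rs, pkt)]
    if len(unique) > 1:
        for cs in conflict_sets:
            if set_matches(cs, pkt):
                return [cs]
        return unique
    if unique:
        return unique
    return [rs for rs in sets if not rs.params and rs.proto == pkt["proto"]]


# Constructed sample rules and packets (illustrative values only).
RULES = [
    Rule("gen-passwd", "tcp", content=b"/etc/passwd"),
    Rule("gen-cmdexe", "tcp", content=b"cmd.exe"),
    Rule("u-admin80", "tcp", params=(("dst_port", "80"),), content=b"GET /admin"),
    Rule("u-synonly", "tcp", params=(("flags", "S"),)),
    Rule("gen-nopsled", "udp", content=b"\x90\x90\x90\x90"),
    Rule("u-dns-version", "udp", params=(("dst_port", "53"),), content=b"version.bind"),
]
RULE_SETS = build_rule_sets(RULES)
CONFLICT_SETS = [build_conflict_set(
    [rs for rs in RULE_SETS if rs.name in ("unique/u-admin80", "unique/u-synonly")])]

PKT_HTTP = {"proto": "tcp", "dst_port": "80", "flags": "A"}    # only unique/u-admin80 matches
PKT_TLS = {"proto": "tcp", "dst_port": "443", "flags": "A"}    # falls back to generic/tcp
PKT_SYN80 = {"proto": "tcp", "dst_port": "80", "flags": "S"}   # unique conflict: two unique sets match


def selected_names(pkt: Dict[str, str], conflict_sets: Sequence[RuleSet] = ()) -> List[str]:
    return [rs.name for rs in select_rule_sets(RULE_SETS, pkt, conflict_sets)]


if __name__ == "__main__":
    for rs in RULE_SETS:
        print(rs.name, rs.params, [r.name for r in rs.rules])
    print(selected_names(PKT_HTTP), selected_names(PKT_TLS))
    print(selected_names(PKT_SYN80), selected_names(PKT_SYN80, CONFLICT_SETS))
```

The point worth noticing is that `select_rule_sets` never reads the payload: the set choice costs a handful of header comparisons, and the payload search that follows is confined to the rules in the chosen set, which is what keeps the per-packet cost bounded by the size of one set rather than the whole rule base.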
19. A system for intrusion detection, the system comprising:
- a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
- a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
- a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor and wherein the detection engine inspects the packet for intrusions;
- a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine; and
- a rule optimizer, wherein the rule optimizer creates a plurality of different rule sets from a plurality of intrusion detection rules, including combining only one or two unique rules with all generic rules for the same transport protocol to form unique rule sets, and combining all generic rules for the same transport protocol to form generic rule sets, wherein each intrusion detection system rule in the unique rule sets or generic rule sets is for the same transport protocol, wherein the only one or two unique rules specify parameters in a transport header or an IP header which are different from parameters of every other rule, wherein generic rules specify packet content but not parameters in a transport header or an IP header, wherein each rule set indicates a combination of parameters of the combined rules, and the rule optimizer provides the plurality of rule sets to the detection engine, wherein, for each packet that the detection engine processes, the detection engine determines at least one rule set that matches each packet by comparing parameters but not the content of the packet to the indicated combination of parameters of the at least one rule set and inspects the content and parameters of the packet with only the intrusion detection system rules in the at least one rule set that matches each packet.

Dependent claims: 20-22.
23. A method for detecting rule matches during packet processing in an intrusion detection system, wherein a packet has content areas and wherein the packet header fields are non-content areas, comprising:
- identifying each rule as one of a content rule and a non-content rule, wherein a non-content rule tests packet header fields and does not inspect content, and wherein a content rule tests for a pattern match in the content area and can include rule parameters to compare to a packet;
- scanning a search pattern parameter of a rule identified as a content rule against a packet to identify a first match of the search pattern parameter and the content of the packet;
- after the scanning, if there is a first match for the packet, comparing the rule parameters of each rule that matched with packet parameters of the packet to identify a second match between the rule parameters and the packet parameters;
- if there is a second match, adding the second match to a list of intrusion events;
- comparing non-content rule parameters of each rule identified as a non-content rule with the packet parameters to identify a third match;
- if there is a third match, adding the third match to the list of intrusion events; and
- selecting at least one intrusion event from the list of intrusion events for the packet for logging.

Dependent claims: 24-29.
30. A system for intrusion detection in a packet processing network, wherein a packet has content areas and wherein the packet header fields are non-content areas, the system comprising:
- a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
- a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
- a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor, and wherein the detection engine:
  - identifies each rule as one of a content rule and a non-content rule, wherein a non-content rule tests packet header fields and does not inspect content, wherein a content rule tests for a pattern match in the content area and can include rule parameters to compare to a packet,
  - scans a search pattern parameter of a rule identified as a content rule against the packet to identify at least one first match of the search pattern parameter and the content of the packet,
  - after the scanning, if there is at least one first match for the packet, compares the rule parameters of each rule that matched to packet parameters of the packet to identify a second match between the rule parameters and the packet parameters,
  - if there is a second match, adds each second match to a list of intrusion events,
  - compares non-content rule parameters of each rule identified as a non-content rule with the packet parameters to identify a third match,
  - if there is a third match, adds each third match to the list of intrusion events, and
  - selects for the packet at least one intrusion event from the list of queued intrusion events for logging; and
- a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine.
31. A system for intrusion detection in a packet processing network, wherein a packet has content areas and wherein the packet header fields are non-content areas, the system comprising:
- a packet acquisition system, wherein the packet acquisition system intercepts a packet transmitted across a computer network and wherein the packet acquisition system decodes the packet;
- a preprocessor, wherein the preprocessor receives decoded packet information from the packet acquisition system and wherein the preprocessor preprocesses the packet;
- a detection engine, wherein the detection engine receives preprocessed packet information from the preprocessor, wherein the detection engine determines a protocol associated with the packet, determines a type of data flow associated with the protocol, and processes the packet in accordance with the determined type of data flow, wherein the detection engine:
  - identifies each rule as one of a content rule and a non-content rule, wherein a non-content rule tests packet header fields and does not inspect content, wherein a content rule tests for a pattern match in the content area and can include rule parameters to compare to a packet,
  - scans a search pattern parameter of a rule identified as a content rule against the packet to identify at least one first match of the search pattern parameter and the content of the packet,
  - after the scanning, if there is at least one first match for the packet, compares the rule parameters of each rule that matched to packet parameters of the packet to identify a second match between the rule parameters and the packet parameters,
  - if there is a second match, adds each second match to a list of intrusion events,
  - compares non-content rule parameters of each rule identified as a non-content rule with the packet parameters to identify a third match,
  - if there is a third match, adds each third match to the list of intrusion events, and
  - selects for the packet at least one intrusion event from the list of queued intrusion events for logging;
- a logging system, wherein the logging system receives and stores detected intrusion information from the detection engine; and
- a rule optimizer, wherein the rule optimizer creates a plurality of different rule sets from a plurality of intrusion detection rules, including combining only one or two unique rules with all generic rules for the same transport protocol to form unique rule sets, and combining all generic rules for the same transport protocol to form generic rule sets, wherein each rule in the unique rule sets or generic rule sets is for the same transport protocol, wherein the only one or two unique rules specify parameters in a transport header or an IP header which are different from parameters of every other rule, wherein generic rules specify packet content but not parameters in a transport header or an IP header, wherein each rule set indicates a combination of parameters of the combined rules, and provides the plurality of rule sets to the detection engine, wherein the detection engine selects at least one rule set from the plurality of rule sets for inspection for each packet that the detection engine processes by comparing parameters but not the content of the packet to the indicated combination of parameters of the at least one rule set, wherein the detection engine inspects the content and parameters of the packet with only the rules in the at least one rule set that matches the packet.
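Claims 23, 30 and 31 describe the set-based inspection stages that run once a rule set has been chosen: scan only the search patterns of content rules, validate the hits against header parameters, check non-content rules on parameters alone, and keep one event per packet for logging. The Python below is an added example written for this page, not code from the patent or from any product; the `Rule` model, the `priority` field used to pick the logged event, the header field names and the sample rules and packets are constructed for illustration. The second packet shows the failure mode the two-stage design is built for: a content pattern is present but the rule's header parameters do not match, so no event is raised.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rule model (not the patent's or Snort's format). A rule with a
# "content" pattern is a content rule; one without is a non-content rule that
# tests header fields only.
@dataclass
class Rule:
    name: str
    priority: int                      # constructed: used to choose one event to log
    params: Dict[str, str]             # header (non-content) parameters to compare
    content: Optional[bytes] = None    # search pattern for the packet content area


Event = Tuple[str, str, int]           # (match kind, rule name, priority)


def is_content_rule(rule: Rule) -> bool:
    return rule.content is not None


def params_match(rule: Rule, pkt: dict) -> bool:
    """Parameterized search: every header field the rule names must equal the packet's."""
    return all(pkt["hdr"].get(k) == v for k, v in rule.params.items())


def inspect_packet(rules: List[Rule], pkt: dict) -> List[Event]:
    """Claim 23 in three stages: (1) scan only the search patterns of content rules
    against the content area; (2) validate each first match with that rule's header
    parameters; (3) compare non-content rules on header parameters. Every validated
    match becomes an event."""
    events: List[Event] = []
    content_rules = [r for r in rules if is_content_rule(r)]
    non_content_rules = [r for r in rules if not is_content_rule(r)]

    # Stage 1: pattern scan over the content area only. A production engine runs
    # all patterns in one pass with a multi-pattern matcher; a plain substring
    # test per pattern is used here for clarity.
    first_matches = [r for r in content_rules if r.content in pkt["payload"]]

    # Stage 2: only rules whose pattern was found get the parameter check.
    for r in first_matches:
        if params_match(r, pkt):
            events.append(("content", r.name, r.priority))

    # Stage 3: non-content rules never touch the payload.
    for r in non_content_rules:
        if params_match(r, pkt):
            events.append(("non-content", r.name, r.priority))
    return events


def select_event_for_logging(events: List[Event]) -> Optional[Event]:
    """Keep one event per packet: highest priority, first one on ties."""
    return max(events, key=lambda e: e[2]) if events else None


def process(rules: List[Rule], pkt: dict) -> Tuple[List[Event], Optional[Event]]:
    events = inspect_packet(rules, pkt)
    return events, select_event_for_logging(events)


# Constructed sample rules and packets (illustrative values only).
RULES = [
    Rule("web-admin", 2, {"proto": "tcp", "dst_port": "80"}, b"GET /admin"),
    Rule("passwd-fetch", 3, {"proto": "tcp"}, b"/etc/passwd"),
    Rule("cmd-exe", 3, {"proto": "tcp", "dst_port": "80"}, b"cmd.exe"),
    Rule("syn-flag", 1, {"proto": "tcp", "flags": "S"}),
    Rule("dns-query", 1, {"proto": "udp", "dst_port": "53"}),
]
PKT_TRAVERSAL = {"hdr": {"proto": "tcp", "dst_port": "80", "flags": "A"},
                 "payload": b"GET /admin/../../etc/passwd HTTP/1.0"}
PKT_SYN_8080 = {"hdr": {"proto": "tcp", "dst_port": "8080", "flags": "S"},
                "payload": b"GET /admin HTTP/1.0"}      # pattern hit, params fail
PKT_DNS = {"hdr": {"proto": "udp", "dst_port": "53"}, "payload": b"\x12\x34\x01\x00"}
PKT_SSH = {"hdr": {"proto": "tcp", "dst_port": "22", "flags": "A"}, "payload": b"SSH-2.0-x"}


if __name__ == "__main__":
    for name, pkt in (("traversal", PKT_TRAVERSAL), ("syn8080", PKT_SYN_8080),
                      ("dns", PKT_DNS), ("ssh", PKT_SSH)):
        print(name, process(RULES, pkt))
```

Stage 1 is the cheap filter and stage 2 the expensive confirmation, so a pattern that appears in benign traffic on an unrelated port (the `GET /admin` hit on port 8080 above) costs one parameter comparison and produces no event; the order of the two stages, not just their presence, is what the claim fixes.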