Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
First Claim
1. A method of operating an intrusion detection system, comprising the steps of:
- monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises an intrusion detection server and an intrusion detection sensor, wherein the intrusion detection sensor is coupled to the intrusion detection server and to the protected device, wherein the intrusion detection sensor comprises a governor, a programmable processor that oversees operation of the intrusion detection sensor, and a signature file, wherein the governor includes a log, a timer, an alert generation rate threshold, and one or more rules that prescribe actions to be taken in order to decrease the generation rate of alerts by the intrusion detection sensor when the present alert generation rate exceeds the alert generation rate threshold, wherein operation of the timer, utilization of the alert generation rate threshold, and implementation of the one or more rules are carried out by instructions executed by the programmable processor, wherein the log consists of a list of timestamps that record the times at which the intrusion detection sensor generates alerts, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, and wherein the signature event includes a bit pattern that identifies the signature event;
responsive to said monitoring determining that the signature event occurs, increasing a value of the signature event counter and comparing the value of the signature event counter with the signature threshold quantity;
adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval; and
for each occurrence of the value of the signature event counter exceeding the signature threshold quantity;
generating an alert by the intrusion detection sensor;
after said generating, recording in the log a timestamp denoting a time of generating the alert, said time of generating the alert derived from the timer;
after said recording, clearing the log of any entries that are past a permissible age, said permissible age equal to a ratio of a cap imposed by the governor upon a rate of generation of alerts by the intrusion detection sensor to the alert generation rate threshold;
after said clearing, determining from contents of the log the present alert generation rate, said determining the present alert generation rate comprising dividing the number of timestamps in the log by the permissible age;
after said determining, comparing the present alert generation rate with the alert generation rate threshold, said comparing ascertaining that the present alert generation rate exceeds the alert generation rate threshold;
responsive to said ascertaining that the present alert generation rate exceeds the alert generation rate threshold, altering an element of the signature set to decrease a rate at which alerts are generated by the intrusion detection sensor, said altering the element being implemented in accordance with said one or more rules.
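The governor loop of claim 1 (signature event counter over a sliding window, alert log with timestamps, permissible age, present alert rate, and a rule that alters the signature set) as an added Python example; this is not code from the patent. It assumes the governor's cap is a maximum number of alerts kept in the log, so the permissible age is cap divided by the rate threshold in seconds, takes doubling the signature threshold quantity as the single rule, and feeds a constructed event stream.

```python
from collections import deque

class Signature:  # one signature-set entry: id, bit pattern, event counter window, threshold
    def __init__(self, sig_id, pattern, threshold_qty, threshold_interval):
        self.sig_id, self.pattern = sig_id, pattern
        self.threshold_qty, self.threshold_interval = threshold_qty, threshold_interval
        self.events = deque()  # timestamps of events inside the sliding window
    def count_event(self, now):
        """Increase the counter, then drop events older than the threshold interval."""
        self.events.append(now)
        while now - self.events[0] > self.threshold_interval:
            self.events.popleft()
        return len(self.events)

class Governor:  # alert log, rate threshold and rules; 'now' from the caller is the timer
    def __init__(self, rate_threshold, log_cap, rules):
        self.rate_threshold = rate_threshold  # alerts per second
        self.rules = rules                    # actions that lower the alert rate
        self.log = deque()                    # timestamps of generated alerts
        self.permissible_age = log_cap / rate_threshold  # seconds; cap assumed to be an alert count
    def record_alert(self, now, sig):
        """Log the alert, expire old entries, compute the present rate, apply rules if exceeded."""
        self.log.append(now)
        while now - self.log[0] > self.permissible_age:
            self.log.popleft()
        rate = len(self.log) / self.permissible_age
        if rate > self.rate_threshold:
            for rule in self.rules:
                rule(sig)
        return rate

def double_threshold(sig):  # assumed rule: raise the threshold quantity so fewer events alert
    sig.threshold_qty *= 2

def observe(signatures, gov, now, payload):
    """Sensor step: match the bit pattern, count the event, alert when the counter exceeds the threshold."""
    alerts = []
    for sig in signatures:
        if sig.pattern in payload and sig.count_event(now) > sig.threshold_qty:
            alerts.append(sig.sig_id)
            gov.record_alert(now, sig)
    return alerts

def simulate(events_per_second=20, seconds=10):
    """Constructed flood: a payload matching SIG-1 arrives events_per_second times each second."""
    sig = Signature("SIG-1", b"\xde\xad", threshold_qty=5, threshold_interval=1.0)
    gov = Governor(rate_threshold=2.0, log_cap=10, rules=[double_threshold])
    n = events_per_second * seconds
    total = sum(len(observe([sig], gov, i / events_per_second, b"\x00\xde\xad\x00")) for i in range(n))
    return total, sig.threshold_qty  # (13, 40): 200 matching events, 13 alerts sent to the server
```

Because the present rate is the log length divided by the permissible age and the permissible age is cap divided by the rate threshold, the rate exceeds the threshold exactly when the log holds more than cap entries, which is what the cap assumption rests on. Claim 1 only covers decreasing the alert rate; restoring the signature threshold once the attack subsides is left to the operator.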
Abstract
An intrusion detection system is improved by altering its signatures and thresholds during a denial of service attack, in order to decrease the rate at which an intrusion detection sensor sends alerts to an intrusion detection server. A governor within the sensor is associated with each signature. The governor may include an alert log, a timer, an alert-generation-rate threshold, and rules that prescribe actions to be taken when the alert-generation-rate threshold is exceeded. The governor records the generation time of each alert by the sensor, and determines the rate at which the sensor is presently generating alerts. When the present alert-generation rate exceeds the alert-generation-rate threshold, the governor alters the associated signature threshold to decrease the alert generation rate of the intrusion detection sensor.
12 Claims
1. (As set out above under First Claim.) Dependent claims: 2, 3, 4, 5, 6.
7. Programmable media containing programmable software for operation of an intrusion detection system, programmable software comprising the steps of:
- monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device, wherein the intrusion detection system comprises an intrusion detection server and an intrusion detection sensor, wherein the intrusion detection sensor is coupled to the intrusion detection server and to the protected device, wherein the intrusion detection sensor comprises a governor, a programmable processor that oversees operation of the intrusion detection sensor, and a signature file, wherein the governor includes a log, a timer, an alert generation rate threshold, and one or more rules that prescribe actions to be taken in order to decrease the generation rate of alerts by the intrusion detection sensor when the present alert generation rate exceeds the alert generation rate threshold, wherein operation of the timer, utilization of the alert generation rate threshold, and implementation of the one or more rules are carried out by instructions executed by the programmable processor, wherein the log consists of a list of timestamps that record the times at which the intrusion detection sensor generates alerts, wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, and wherein the signature event includes a bit pattern that identifies the signature event;
responsive to said monitoring determining that the signature event occurs, increasing a value of the signature event counter and comparing the value of the signature event counter with the signature threshold quantity;
adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval; and
for each occurrence of the value of the signature event counter exceeding the signature threshold quantity;
generating an alert by the intrusion detection sensor;
after said generating, recording in the log a timestamp denoting a time of generating the alert, said time of generating the alert derived from the timer;
after said recording, clearing the log of any entries that are past a permissible age, said permissible age equal to a ratio of a cap imposed by the governor upon a rate of generation of alerts by the intrusion detection sensor to the alert generation rate threshold;
after said clearing, determining from contents of the log the present alert generation rate, said determining the present alert generation rate comprising dividing the number of timestamps in the log by the permissible age;
after said determining, comparing the present alert generation rate with the alert generation rate threshold, said comparing ascertaining that the present alert generation rate exceeds the alert generation rate threshold;
responsive to said ascertaining that the present alert generation rate exceeds the alert generation rate threshold, altering an element of the signature set to decrease a rate at which alerts are generated by the intrusion detection sensor, said altering the element being implemented in accordance with said one or more rules.
Dependent claims: 8, 9, 10, 11, 12.