×

Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack

  • US 7,308,714 B2
  • Filed: 09/27/2001
  • Issued: 12/11/2007
  • Est. Priority Date: 09/27/2001
  • Status: Expired due to Term
First Claim
Patent Images

1. A method of operating an intrusion detection system, comprising the steps of:

  • monitoring, by the intrusion detection system, for occurrence of a signature event that is indicative of a denial of service intrusion on a protected device, said denial of service intrusion attempting to impede operation of the protected device,wherein the intrusion detection system comprises an intrusion detection server and an intrusion detection sensor,wherein the intrusion detection sensor is coupled to the intrusion detection server and to the protected device,wherein the intrusion detection sensor comprises a governor, a programmable processor that oversees operation of the intrusion detection sensor, and a signature file,wherein the governor includes a log, a timer, an alert generation rate threshold, and one or more rules that prescribe actions to be taken in order to decrease the generation rate of alerts by the intrusion detection sensor when the present alert generation rate exceeds the alert generation rate threshold,wherein operation of the timer, utilization of the alert generation rate threshold, and implementation of the one or more rules are carried out by instructions executed by the programmable processor,wherein the log consists of a list of timestamps that record the times at which the intrusion detection sensor generates alerts,wherein the signature file includes a signature set comprising elements that include a signature set identifier, a signature event, a signature event counter that keeps count of the number of occurrences of the signature event, a signature threshold quantity, and a signature threshold interval, andwherein the signature event includes a bit pattern that identifies the signature event,responsive to said monitoring determining that the signature event occurs, increasing a value of the signature event counter and comparing the value of the signature event counter with the signature threshold quantity;

    adjusting the value of the signature event counter to not include a count of signature events past a sliding window specified by the signature threshold interval; and

    for each occurrence of the value of the signature event counter exceeding the signature threshold quantity;

    generating an alert by the intrusion detection sensor;

    after said generating, recording in the log a timestamp denoting a time of generating the alert, said time of generating the alert derived from the timer;

    after said recording, clearing the log of any entries that are past a permissible age, said permissible age equal to a ratio of a cap imposed by the governor upon a rate of generation of alerts by the intrusion detector sensor to the alert generation rate threshold;

    after said clearing, determining from contents of the log the present alert generation rate, said determining the present alert generation rate comprising dividing the number of timestamps in the log by the permissible age;

    after said determining, comparing the present alert generation rate with the alert generation rate threshold, said comparing ascertaining that the present alert generation rate exceeds the alert generation rate threshold;

    responsive to said ascertaining that the present alert generation rate exceeds the alert generation rate threshold, altering an element of the signature set to decrease a rate at which alerts are generated by the intrusion detection sensor, said altering the element being implemented in accordance with said one or more rules.

View all claims
  • 2 Assignments
Timeline View
Assignment View
    ×
    ×