Signature based network intrusion detection system and method

US 7,424,744 B1
Filed: 03/05/2002
Issued: 09/09/2008
Est. Priority Date: 03/05/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for execution with computer code embodied on a tangible computer readable medium for detecting intrusions on a network, comprising:

storing signature profiles identifying patterns associated with network intrusions in a signature database;

generating classification rules based on said signature profiles;

receiving data packets transmitted on the network;

classifying data packets having corresponding classification rules according to said generated classification rules;

forwarding said classified packets to a signature engine for comparison with signature profiles; and

performing a table lookup to select an action to be performed on said classified packets based on the classification;

wherein the classification is carried out by a first classification stage capable of classifying the data packets based on a first set of packet characteristics, and a second classification stage capable of classifying the data packets received from the first classification stage based on a second set of packet characteristics;

wherein one of the actions is comparing said classified packets to at least a subset of the signature profiles;

wherein the first set of packet characteristics on which the classification of the first classification stage is based includes at least one of a destination address, a protocol type, and a destination port number;

wherein the second set of packet characteristics on which the classification of the second classification stage is based includes at least one of a packet type and a size;

wherein classifying said data packets comprises classifying said data packets according to at least one packet field into groups, and classifying said data packets within each of the groups according to TCP flags;

wherein the second classification stage remains in communication with a flow table for identifying an action to be taken with respect to the data packets;

wherein the action identified utilizing the flow table includes dropping at least one of the data packets and updating one or more fields in the flow table;

wherein the first classification stage precedes the second classification stage.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A signature based intrusion detection method and system are disclosed. A method for detecting intrusions on a network generally comprises storing signature profiles identifying patterns associated with network intrusions in a signature database and generating classification rules based on the signature profiles. Data packets transmitted on the network and having corresponding classification rules are classified according to generated classification rules. Classified packets are forwarded to a signature engine for comparison with signature profiles.

Citations

32 Claims

1. A computer-implemented method for execution with computer code embodied on a tangible computer readable medium for detecting intrusions on a network, comprising:
- storing signature profiles identifying patterns associated with network intrusions in a signature database;
  
  generating classification rules based on said signature profiles;
  
  receiving data packets transmitted on the network;
  
  classifying data packets having corresponding classification rules according to said generated classification rules;
  
  forwarding said classified packets to a signature engine for comparison with signature profiles; and
  
  performing a table lookup to select an action to be performed on said classified packets based on the classification;
  
  wherein the classification is carried out by a first classification stage capable of classifying the data packets based on a first set of packet characteristics, and a second classification stage capable of classifying the data packets received from the first classification stage based on a second set of packet characteristics;
  
  wherein one of the actions is comparing said classified packets to at least a subset of the signature profiles;
  
  wherein the first set of packet characteristics on which the classification of the first classification stage is based includes at least one of a destination address, a protocol type, and a destination port number;
  
  wherein the second set of packet characteristics on which the classification of the second classification stage is based includes at least one of a packet type and a size;
  
  wherein classifying said data packets comprises classifying said data packets according to at least one packet field into groups, and classifying said data packets within each of the groups according to TCP flags;
  
  wherein the second classification stage remains in communication with a flow table for identifying an action to be taken with respect to the data packets;
  
  wherein the action identified utilizing the flow table includes dropping at least one of the data packets and updating one or more fields in the flow table;
  
  wherein the first classification stage precedes the second classification stage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1 further comprising dropping data packets without corresponding classification rules.
  - 3. The method of claim 1 further comprising classifying said data packets within each of the groups according to packet length.
  - 4. The method of claim 1 wherein classifying said data packets according to the at least one packet field comprises classifying said data packets according to protocol type.
  - 5. The method of claim 1 wherein classifying said data packets according to the at least one packet field comprises classifying said data packets according to destination port number.
  - 6. The method of claim 1 wherein classifying said data packets according to the at least one packet field comprises classifying said data packets according to destination address.
  - 7. The method of claim 1 wherein one of the actions of the table is dropping the at least one of the data packets.
  - 8. The method of claim 1 further comprising generating an alert following the table lookup.
  - 9. The method of claim 1 wherein the table lookup is performed in the flow table and further comprising updating a field of the flow table.
  - 10. The method of claim 1 further comprising partitioning signatures into disjoint groups to define subsets of signature profiles.
  - 11. The method of claim 10 further comprising comparing said data packets to at least one of the subsets of signature profiles.
  - 12. The method of claim 1 further comprising filtering said received data packets.
  - 13. The method of claim 1 wherein receiving said data packets comprises capturing said data packets at a network analysis device.
  - 14. The method of claim 13 further comprising decoding protocols after receiving said packets.
  - 26. The method of claim 1, wherein the first set of packet characteristics includes the destination address, the protocol type, and the destination port number.
  - 27. The method of claim 1, wherein the second set of packet characteristics includes the packet type and the size.
  - 28. The method of claim 1, wherein the flow table is at least one hash table.
  - 29. The method of claim 1, wherein the classification rules are generated after filtering the data packets.
  - 30. The method of claim 27, wherein the packet type is determined based on a TCP flag.
  - 31. The method of claim 1, wherein the signature engine uses a priority scheme to ensure that a subset of the signature profiles are compared with the classified packets based on a number of the data packets received.
  - 32. The method of claim 1, wherein the action identified utilizing the flow table includes dropping all unclassified packets.

15. An intrusion detection system including a tangible computer readable medium comprising:
- a signature classifier comprising a first stage classifier operable to classify packets according to at least one packet field into groups during a first classification stage, and a second stage classifier operable to classify said packets within each of the groups according to TCP flags during a second classification stage;
  
  a flow table configured to support table lookups of actions associated with classified packets;
  
  a signature database for storing signature profiles identifying patterns associated with network intrusions; and
  
  a detection engine operable to perform a table lookup at the flow table to select an action to be performed on said classified packets based on the classification, wherein comparing said classified packets to at least a subset of the signature profiles is one of the actions;
  
  wherein classifying said packets according to at least one packet field during the first classification stage comprises classifying said packets according to at least one of a destination address, a protocol type, and a destination port number;
  
  wherein the second classification stage remains in communication with the flow table for identifying the action to be performed on said classified packets;
  
  wherein the action includes dropping at least one of said classified packets and updating one or more fields in the flow table;
  
  wherein the first classification stage precedes the second classification stage.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15 further comprising a data monitoring device having a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data.
  - 17. The system of claim 16 further comprising application program interfaces configured to allow the intrusion detection system access to applications of the data monitoring device to perform intrusion detection.
  - 18. The system of claim 16 further comprising a parser operable to parse, generate, and load signatures at the detection engine.
  - 19. The system of claim 16 further comprising an alarm manager operable to generate alarms.
  - 20. The system of claim 16 further comprising a filter configured to filter out packets received at the intrusion detection system.
  - 21. The system of claim 16 further comprising a capture engine configured to forward packets and temporarily store packets for later analysis by the data monitoring device.
  - 22. The system of claim 15 wherein the flow table is a hash table.
  - 23. The system of claim 15 wherein action options listed in the flow table include the dropping the at least one of said classified packets and generating an alarm.
  - 24. The system of claim 23 wherein the action options further include the dropping the at least one of said classified packets and the updating the one or more fields of the flow table.

25. A computer program product embodied on a tangible computer readable medium for detecting intrusions on a network, comprising:
- code that stores signature profiles identifying patterns associated with network intrusions in a signature database;
  
  code that generates classification rules based on said signature profiles;
  
  code that receives data packets transmitted on the network;
  
  code that classifies data packets having corresponding classification rules according to said generated classification rules;
  
  code that forwards said classified packets to a signature engine for comparison with signature profiles and stores signature profiles identifying patterns associated with network intrusions in a signature database; and
  
  code that performs a table lookup to select an action to be performed on said classified packets based on the classification;
  
  wherein the classification is carried out by a first classification stage capable of classifying the data packets based on a first set of packet characteristics, and a second classification stage capable of classifying the data packets received from the first classification stage based on a second set of packet characteristics;
  
  wherein one of the actions is comparing said classified packets to at least a subset of the signature profiles;
  
  wherein the first set of packet characteristics on which the classification of the first classification stage is based includes at least one of a destination address, a protocol type, and a destination port number;
  
  wherein the second set of packet characteristics on which the classification of the second classification stage is based includes at least one of a packet type and a size,wherein classifying said data packets comprises classifying said data packets according to at least one packet field into groups, and classifying said data packets within each of the groups according to TCP flags;
  
  wherein the second classification stare remains in communication with a flow table for identifying an action to be taken with respect to the data packets;
  
  wherein the action identified utilizing the flow table includes dropping at least one of the data packets and updating one or more fields in the flow table;
  
  wherein the first classification stage precedes the second classification stage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Wu, Handong, Peckham, Robert Lom, Schwab, Stephen
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
Dada; Beemnet W

Application Number

US10/092,179
Time in Patent Office

2,380 Days
Field of Search

726/22, 726/23, 709/224, 709/223, 713/153, 713/154, 713/164, 713/165, 713/166, 713/188, 370/392
US Class Current

726/23
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/1416 Event detection, e.g. attac...

Signature based network intrusion detection system and method

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Signature based network intrusion detection system and method

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links