Signature based network intrusion detection system and method
Abstract
A signature based intrusion detection method and system are disclosed. A method for detecting intrusions on a network generally comprises storing signature profiles identifying patterns associated with network intrusions in a signature database and generating classification rules based on the signature profiles. Data packets transmitted on the network and having corresponding classification rules are classified according to generated classification rules. Classified packets are forwarded to a signature engine for comparison with signature profiles.
32 Claims
1. A computer-implemented method for execution with computer code embodied on a tangible computer readable medium for detecting intrusions on a network, comprising:
storing signature profiles identifying patterns associated with network intrusions in a signature database;
generating classification rules based on said signature profiles;
receiving data packets transmitted on the network;
classifying data packets having corresponding classification rules according to said generated classification rules;
forwarding said classified packets to a signature engine for comparison with signature profiles; and
performing a table lookup to select an action to be performed on said classified packets based on the classification;
wherein the classification is carried out by a first classification stage capable of classifying the data packets based on a first set of packet characteristics, and a second classification stage capable of classifying the data packets received from the first classification stage based on a second set of packet characteristics;
wherein one of the actions is comparing said classified packets to at least a subset of the signature profiles;
wherein the first set of packet characteristics on which the classification of the first classification stage is based includes at least one of a destination address, a protocol type, and a destination port number;
wherein the second set of packet characteristics on which the classification of the second classification stage is based includes at least one of a packet type and a size;
wherein classifying said data packets comprises classifying said data packets according to at least one packet field into groups, and classifying said data packets within each of the groups according to TCP flags;
wherein the second classification stage remains in communication with a flow table for identifying an action to be taken with respect to the data packets;
wherein the action identified utilizing the flow table includes dropping at least one of the data packets and updating one or more fields in the flow table;
wherein the first classification stage precedes the second classification stage.
Dependent claims: 2-14 and 26-32.

15. An intrusion detection system including a tangible computer readable medium comprising:
a signature classifier comprising a first stage classifier operable to classify packets according to at least one packet field into groups during a first classification stage, and a second stage classifier operable to classify said packets within each of the groups according to TCP flags during a second classification stage;
a flow table configured to support table lookups of actions associated with classified packets;
a signature database for storing signature profiles identifying patterns associated with network intrusions; and
a detection engine operable to perform a table lookup at the flow table to select an action to be performed on said classified packets based on the classification, wherein comparing said classified packets to at least a subset of the signature profiles is one of the actions;
wherein classifying said packets according to at least one packet field during the first classification stage comprises classifying said packets according to at least one of a destination address, a protocol type, and a destination port number;
wherein the second classification stage remains in communication with the flow table for identifying the action to be performed on said classified packets;
wherein the action includes dropping at least one of said classified packets and updating one or more fields in the flow table;
wherein the first classification stage precedes the second classification stage.
Dependent claims: 16-24.

25. A computer program product embodied on a tangible computer readable medium for detecting intrusions on a network, comprising:
code that stores signature profiles identifying patterns associated with network intrusions in a signature database;
code that generates classification rules based on said signature profiles;
code that receives data packets transmitted on the network;
code that classifies data packets having corresponding classification rules according to said generated classification rules;
code that forwards said classified packets to a signature engine for comparison with signature profiles; and
code that performs a table lookup to select an action to be performed on said classified packets based on the classification;
wherein the classification is carried out by a first classification stage capable of classifying the data packets based on a first set of packet characteristics, and a second classification stage capable of classifying the data packets received from the first classification stage based on a second set of packet characteristics;
wherein one of the actions is comparing said classified packets to at least a subset of the signature profiles;
wherein the first set of packet characteristics on which the classification of the first classification stage is based includes at least one of a destination address, a protocol type, and a destination port number;
wherein the second set of packet characteristics on which the classification of the second classification stage is based includes at least one of a packet type and a size;
wherein classifying said data packets comprises classifying said data packets according to at least one packet field into groups, and classifying said data packets within each of the groups according to TCP flags;
wherein the second classification stage remains in communication with a flow table for identifying an action to be taken with respect to the data packets;
wherein the action identified utilizing the flow table includes dropping at least one of the data packets and updating one or more fields in the flow table;
wherein the first classification stage precedes the second classification stage.
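The three independent claims describe one pipeline: classification rules are derived from the signature database, a first stage groups packets on protocol and destination port, a second stage splits each group on TCP flags, a flow-table lookup selects the action (drop, update flow fields, or inspect), and only the signature subset belonging to the packet's class is handed to the signature engine. The following Python sketch is an added example of that architecture and is not code from the patent or its assignee; the signature profiles, the packet fields, the flow-table fields and the SYN threshold are all constructed here for illustration.

```python
"""Two-stage classifier + flow table + subset signature engine (added example,
not the patent's implementation). All signatures, packets and thresholds are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0    # TCP flag bits; 0 for UDP
    payload: bytes = b""

    @property
    def size(self) -> int:
        return len(self.payload)


# Constructed signature profiles: each names the stage-1 key (protocol, destination
# port) it applies to, the TCP flag combination it expects, and a byte pattern.
SIGNATURES = [
    {"id": "HTTP-TRAVERSAL", "proto": "tcp", "dport": 80, "flags": PSH | ACK, "pattern": b"../.."},
    {"id": "HTTP-CMD-SHELL", "proto": "tcp", "dport": 80, "flags": PSH | ACK, "pattern": b"/bin/sh"},
    {"id": "DNS-VERSION-BIND", "proto": "udp", "dport": 53, "flags": 0, "pattern": b"version\x04bind"},
]

SYN_THRESHOLD = 3  # constructed: bare SYNs tolerated on one flow before it is dropped


def generate_rules(signatures):
    """Derive classification rules from the signature database: one stage-1 group per
    (proto, dport), and inside it one stage-2 class per TCP flag combination, each
    holding only the signatures that can match packets of that class."""
    rules = defaultdict(lambda: defaultdict(list))
    for sig in signatures:
        rules[(sig["proto"], sig["dport"])][sig["flags"]].append(sig)
    return rules


def stage1(pkt, rules):
    """Stage 1: classify on protocol type and destination port. A packet with no
    corresponding rule is not classified further (None)."""
    key = (pkt.proto, pkt.dport)
    return key if key in rules else None


def stage2(pkt, group, rules):
    """Stage 2: classify within the group on TCP flags; return the signature subset."""
    return rules[group].get(pkt.flags, [])


@dataclass
class FlowTable:
    flows: dict = field(default_factory=dict)

    def lookup(self, pkt):
        """Table lookup that selects the action and updates the flow's fields."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        entry = self.flows.setdefault(key, {"packets": 0, "syns": 0, "dropped": False})
        entry["packets"] += 1
        if pkt.proto == "tcp" and pkt.flags == SYN:
            entry["syns"] += 1
        if entry["dropped"] or entry["syns"] > SYN_THRESHOLD:
            entry["dropped"] = True      # once a flow is dropped, it stays dropped
            return "DROP"
        if pkt.flags == SYN or pkt.size == 0:
            return "PASS"                # handshake or empty segment: nothing to inspect
        return "INSPECT"


def signature_engine(pkt, subset):
    """Compare the payload against only the subset selected by the two stages."""
    return [sig["id"] for sig in subset if sig["pattern"] in pkt.payload]


def detect(packets, signatures=SIGNATURES):
    """Run the pipeline over a packet list; returns (action, alert_ids) per packet."""
    rules = generate_rules(signatures)
    table = FlowTable()
    results = []
    for pkt in packets:
        group = stage1(pkt, rules)
        if group is None:
            results.append(("UNCLASSIFIED", []))
            continue
        subset = stage2(pkt, group, rules)
        action = table.lookup(pkt)
        alerts = signature_engine(pkt, subset) if action == "INSPECT" else []
        results.append((action, alerts))
    return results


if __name__ == "__main__":
    demo = [Packet("10.0.0.5", "10.0.0.80", "tcp", 40000, 80, PSH | ACK, b"GET /../../etc/passwd HTTP/1.0")]
    print(detect(demo))
```

Note the subsetting consequence the claims imply: a payload carrying `../..` in a segment whose flags are ACK only is still classified (group `tcp/80`) and looked up in the flow table, but its stage-2 class carries no signatures, so the engine never compares it. That is the performance win of the design and also the blind spot a practitioner has to account for when writing the flag component of a signature.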