Intrusion prevention for active networked applications
Abstract
Intrusion prevention for a computer is based on intrusion rules corresponding to active networked applications executing on the computer. The intrusion rules are a subset of a full ruleset that may include signatures of known attacks or heuristic rules. The subset changes as network connections for active applications are initiated and terminated, or as the active applications terminate.
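The rule-subset scheme in the abstract, sketched as an added example (not code from the patent or its assignee). The `Rule` and `Engine` names, the per-application tags, and the sample patterns are assumptions; `include_os` selects between the two claimed variants: suspend evaluation when no networked application is active, or keep evaluating with operating-system rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    target: str     # application name, or "os" for operating-system rules
    pattern: bytes  # constructed marker, not a real attack signature

# Constructed full ruleset (all names and patterns are assumptions).
FULL_RULESET = [
    Rule("R1", "browser", b"SAMPLE-SIG-BROWSER"),
    Rule("R2", "mailclient", b"SAMPLE-SIG-MAIL"),
    Rule("R3", "os", b"SAMPLE-SIG-OS"),
]

class Engine:
    def __init__(self, rules, include_os=False):
        self.rules = rules
        self.include_os = include_os  # True: keep OS rules, never suspend
        self.connections = {}         # app name -> open connection count

    def connection_opened(self, app):
        self.connections[app] = self.connections.get(app, 0) + 1

    def connection_closed(self, app):
        remaining = self.connections.get(app, 0) - 1
        if remaining > 0:
            self.connections[app] = remaining
        else:
            self.connections.pop(app, None)  # app is no longer networked

    def app_terminated(self, app):
        self.connections.pop(app, None)

    def active_rules(self):
        # The subset is recomputed from whichever applications hold connections.
        targets = set(self.connections)
        if self.include_os:
            targets.add("os")
        return [r for r in self.rules if r.target in targets]

    def evaluate(self, payload):
        """Return ids of matching rules, or None while evaluation is suspended."""
        if not self.connections and not self.include_os:
            return None
        return [r.rule_id for r in self.active_rules() if r.pattern in payload]
```

A practical consequence visible here: traffic carrying a pattern for an application that is not currently networked is never matched, so the filter's view of which applications are active has to stay in step with connection and process state.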
47 Claims
1. A computerized method comprising:
- determining an active networked application;
- filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
- evaluating network traffic using the subset of intrusion rules;
- detecting when no networked application is active; and
- suspending the evaluating of network traffic until a networked application is active;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16

17. A computerized method comprising:
- determining an active networked application;
- filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
- evaluating network traffic using the subset of intrusion rules; and
- continuing the evaluating of network traffic if no networked application is active;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the subset of rules further corresponds to an operating system.

18. A computer-readable medium having executable instructions to cause a computer to perform a method comprising:
- determining an active networked application;
- filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
- evaluating network traffic using the subset of intrusion rules;
- detecting when no networked application is active; and
- suspending the evaluating of network traffic until a network application is active;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29

30. A computer-readable medium having executable instructions to cause a computer to perform a method comprising:
- determining an active networked application;
- filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
- evaluating network traffic using the subset of intrusion rules; and
- continuing the evaluating of network traffic if no networked application is active;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the subset of rules further corresponds to an operating system.

31. A system comprising:
- a processor coupled to a memory through a bus; and
- an intrusion prevention process executed from the memory by the processor to cause the processor to determine an active networked application, to filter a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application, and to evaluate network traffic using the subset of intrusion rules;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the intrusion prevention process further causes the processor to detect when no networked application is active, and to suspend the evaluating of network traffic until a network application is active.
Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42

43. A system comprising:
- a processor coupled to a memory through a bus; and
- an intrusion prevention process executed from the memory by the processor to cause the processor to determine an active networked application, to filter a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application, and to evaluate network traffic using the subset of intrusion rules;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the intrusion prevention process further causes the processor to further filter the intrusion rules based on an operating system and to continue the evaluating of network traffic if no networked application is active.

44. An apparatus comprising:
- means for determining when an active application becomes an active networked application;
- means for filtering coupled to the means for determining to create a subset of intrusion rules corresponding to the active networked application from a set of intrusion rules, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application; and
- means for evaluating coupled to the means for filtering to evaluate network traffic using the subset of intrusion rules;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the means for determining, further detects when no networked application is active and the means for evaluating further suspends the evaluation of network traffic until the means for determining determines a networked application is active.
Dependent claims: 45, 46

47. An apparatus comprising:
- means for determining when an active application becomes an active networked application;
- means for filtering coupled to the means for determining to create a subset of intrusion rules corresponding to the active networked application from a set of intrusion rules, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application; and
- means for evaluating coupled to the means for filtering to evaluate network traffic using the subset of intrusion rules;
- wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
- wherein the means for filtering further filters the intrusion rules corresponding to an operating system and the means for evaluating continues the evaluation of network traffic when the means for determining determines no networked application is active.

Specification