Efficient signature packing for an intrusion detection system

  • US 7,624,446 B1
  • Filed: 01/25/2005
  • Issued: 11/24/2009
  • Est. Priority Date: 01/25/2005
  • Status: Expired due to Fees
First Claim
1. A computer-implemented method of packing a signature that detects a malicious data stream for an intrusion detection system, the method comprising:

  • using a computer processor configured to execute method steps comprising:

    identifying a network flow;

    identifying a plurality of signatures associated with the network flow, the signatures for detecting a malicious data stream within the network flow;

    comparing the signatures of the network flow to byte frequency distributions of a plurality of other network flows, each of the other network flows assigned to one of a plurality of hash tables;

    assigning, based on the comparison, the network flow to a particular hash table selected from the plurality of hash tables, the particular hash table selected to minimize a likelihood that a hash function maps a signature for the network flow to a same table address in the hash table as is mapped a frequently occurring byte within one of the other network flows also assigned to the hash table, wherein each network flow using a critical communications protocol is assigned to a separate hash table, and wherein each network flow using a non-critical communications protocol is assigned to one of the separate hash tables selected to minimize the overlap between a byte frequency distribution of a data stream within the critical communications protocol network flow assigned to the hash table and a byte frequency distribution of a signature for the non-critical communications protocol network flow; and

    storing the plurality of signatures that detect the malicious data stream within the network flow in the assigned hash table.
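The following is an added illustration of the packing rule the claim describes; it is not code from the patent or its assignee. It assumes a one-byte hash (a signature's first byte is its table address, in the spirit of a Wu-Manber style first-pass lookup), histogram intersection as the "overlap" measure (the claim does not fix one), and constructed sample streams and placeholder signatures. Each critical flow gets its own table; each non-critical flow is placed in the table whose critical stream shares the least byte mass with the flow's signatures. The probe rate reported at the end is the fraction of stream bytes whose address holds at least one signature, which is the cost the packing is meant to reduce.

```python
"""Signature packing by byte-frequency overlap (added illustration of the
claimed method; assumptions are marked inline)."""
from collections import Counter

# Constructed sample traffic: an ASCII-heavy critical flow and a binary one.
HTTP_STREAM = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: test\r\n\r\n") * 4
BIN_STREAM = bytes([0x00, 0x16, 0x03, 0x01, 0x80, 0xFF, 0xFE, 0x7F]) * 40

# Constructed placeholder signatures, not real IDS rules.
CRITICAL_FLOWS = {            # name -> (sample data stream, signatures)
    "http": (HTTP_STREAM, [b"../..", b"cmd.exe"]),
    "bin":  (BIN_STREAM,  [b"\x16\x03\x01\x00"]),
}
NONCRITICAL_FLOWS = {         # name -> signatures
    "smb": [b"\x00\x00\x00\x90\xffSMB"],
    "irc": [b"PRIVMSG ", b"NICK "],
}


def byte_distribution(data):
    """Relative frequency of each of the 256 byte values in data."""
    counts = Counter(data)
    total = len(data) or 1
    return [counts.get(b, 0) / total for b in range(256)]


def overlap(p, q):
    """Histogram intersection: probability mass the two distributions share
    (0..1). Assumed overlap measure; the claim leaves the metric open."""
    return sum(min(a, b) for a, b in zip(p, q))


def hash_address(signature):
    """Assumed hash function: the signature's first byte is its table address,
    so a scanner probes bucket[b] for every stream byte b it sees."""
    return signature[0]


def choose_assignment(critical, noncritical):
    """Map every flow to a table: critical flows get their own table,
    non-critical flows go where their signature bytes overlap least with
    the critical stream already hashed there."""
    dists = {name: byte_distribution(stream) for name, (stream, _) in critical.items()}
    assignment = {name: name for name in critical}
    for name, sigs in noncritical.items():
        sig_dist = byte_distribution(b"".join(sigs))
        assignment[name] = min(dists, key=lambda t: overlap(dists[t], sig_dist))
    return assignment


def fill_tables(critical, noncritical, assignment):
    """Store each flow's signatures in its assigned table, bucketed by address."""
    tables = {name: {"dist": byte_distribution(stream), "buckets": {}}
              for name, (stream, _) in critical.items()}
    all_sigs = {name: sigs for name, (_, sigs) in critical.items()}
    all_sigs.update(noncritical)
    for flow, sigs in all_sigs.items():
        buckets = tables[assignment[flow]]["buckets"]
        for s in sigs:
            buckets.setdefault(hash_address(s), []).append(s)
    return tables


def probe_rate(table, stream):
    """Fraction of stream bytes whose address holds a signature, i.e. how often
    the scanner must fall through to a full signature comparison."""
    buckets = table["buckets"]
    return sum(1 for b in stream if buckets.get(b)) / len(stream)


def probe_rates(assignment):
    """Probe rate of each table against the critical stream it was built for."""
    tables = fill_tables(CRITICAL_FLOWS, NONCRITICAL_FLOWS, assignment)
    return {name: probe_rate(tables[name], CRITICAL_FLOWS[name][0]) for name in tables}


if __name__ == "__main__":
    chosen = choose_assignment(CRITICAL_FLOWS, NONCRITICAL_FLOWS)
    # Reverse placement of the non-critical flows, for comparison.
    naive = {"http": "http", "bin": "bin", "smb": "bin", "irc": "http"}
    print("chosen:", chosen, probe_rates(chosen))
    print("naive :", naive, probe_rates(naive))
```

With the constructed data the binary SMB-style signature lands in the HTTP table (its 0x00/0xFF bytes never occur in ASCII request text) and the text-only IRC signatures land in the binary table, so neither table's buckets are hit by the bytes that dominate its own stream. Reversing the placement doubles the probe rate on the binary table. A real deployment would measure the stream distributions from live traffic and use the multi-byte hash of its pattern matcher, but the selection rule is the same.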

  • 3 Assignments