Efficient signature packing for an intrusion detection system
Abstract
A flow assignment module identifies the characteristics of different network flows and of the signatures for those flows. Based on the identified characteristics, the flow assignment module assigns a network flow to a hash table among a small set of hash tables that store signatures for that network flow. The assignment is chosen to minimize the likelihood that a signature for the network flow is hashed to the same table entry as a byte that occurs frequently in a different network flow assigned to the same hash table. In other words, the flow assignment module selects the hash table for which the overlap between a signature for that network flow and a frequent byte in another network flow is least.
17 Claims
1. A computer-implemented method of packing a signature that detects a malicious data stream for an intrusion detection system, the method comprising:
using a computer processor configured to execute method steps comprising:
identifying a network flow;
identifying a plurality of signatures associated with the network flow, the signatures for detecting a malicious data stream within the network flow;
comparing the signatures of the network flow to byte frequency distributions of a plurality of other network flows, each of the other network flows assigned to one of a plurality of hash tables;
assigning, based on the comparison, the network flow to a particular hash table selected from the plurality of hash tables, the particular hash table selected to minimize a likelihood that a hash function maps a signature for the network flow to a same table address in the hash table as is mapped a frequently occurring byte within one of the other network flows also assigned to the hash table, wherein each network flow using a critical communications protocol is assigned to a separate hash table, and wherein each network flow using a non-critical communications protocol is assigned to one of the separate hash tables selected to minimize the overlap between a byte frequency distribution of a data stream within the critical communications protocol network flow assigned to the hash table and a byte frequency distribution of a signature for the non-critical communications protocol network flow; and
storing the plurality of signatures that detect the malicious data stream within the network flow in the assigned hash table.
Dependent claims: 2, 3, 4, 5, 6

7. A computer system for packing a signature that detects a malicious data stream for an intrusion detection system, the computer system comprising:
a processor;
a computer-readable storage medium storing executable software modules that cause the processor to perform steps comprising:
identifying a network flow;
identifying a plurality of signatures associated with the network flow, the signatures for detecting a malicious data stream within the network flow;
comparing the signatures of the network flow to byte frequency distributions of a plurality of other network flows, each of the other network flows assigned to one of a plurality of hash tables;
assigning, based on the comparison, the network flow to a particular hash table selected from the plurality of hash tables, the particular hash table selected to minimize a likelihood that a hash function maps a signature for the network flow to a same table address in the hash table as is mapped a frequently occurring byte within one of the other network flows also assigned to the hash table, wherein each network flow using a critical communications protocol is assigned to a separate hash table, and wherein each network flow using a non-critical communications protocol is assigned to one of the separate hash tables selected to minimize the overlap between a byte frequency distribution of a data stream within the critical communications protocol network flow assigned to the hash table and a byte frequency distribution of a signature for the non-critical communications protocol network flow; and
storing the plurality of signatures that detect the malicious data stream within the network flow in the assigned hash table.
Dependent claims: 8, 9, 10, 11, 12

13. A computer program product having a computer-readable storage medium having embodied thereon program code for packing a signature that detects a malicious data stream for an intrusion detection system, the program code comprising:
a flow assignment module for:
identifying a network flow;
identifying a plurality of signatures associated with the network flow, the signatures for detecting a malicious data stream within the network flow;
comparing the signatures of the network flow to byte frequency distributions of a plurality of other network flows, each of the other network flows assigned to one of a plurality of hash tables;
assigning, based on the comparison, the network flow to a particular hash table selected from the plurality of hash tables, the particular hash table selected to minimize a likelihood that a hash function maps a signature for the network flow to a same table address in the hash table as is mapped a frequently occurring byte within one of the other network flows also assigned to the hash table, wherein each network flow using a critical communications protocol is assigned to a separate hash table, and wherein each network flow using a non-critical communications protocol is assigned to one of the separate hash tables selected to minimize the overlap between a byte frequency distribution of a data stream within the critical communications protocol network flow assigned to the hash table and a byte frequency distribution of a signature for the non-critical communications protocol network flow; and
storing the plurality of signatures that detect the malicious data stream within the network flow in the assigned hash table.
Dependent claims: 14, 15, 16, 17
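The assignment rule that the abstract and claim 1 describe, as an added illustration that is not code from the patent: every critical flow seeds its own hash table, and each non-critical flow joins the table whose critical traffic has the least byte-distribution overlap with that flow's signatures. The overlap measure (histogram intersection of relative byte frequencies), the Flow record and all sample traffic and signatures are assumptions constructed for this example; the patent does not specify a particular overlap metric.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Flow:
    name: str
    critical: bool      # critical protocols get a hash table of their own
    sample: bytes       # constructed sample of the flow's data stream
    signatures: list    # byte-string IDS signatures that apply to this flow

def byte_distribution(data: bytes) -> dict:
    """Relative frequency of each byte value in data (values sum to 1.0)."""
    total = len(data) or 1
    return {b: c / total for b, c in Counter(data).items()}

def overlap(dist_a: dict, dist_b: dict) -> float:
    """Histogram intersection: shared probability mass (0 = disjoint, 1 = identical)."""
    return sum(min(p, dist_b.get(b, 0.0)) for b, p in dist_a.items())

def assign_flows(flows: list) -> dict:
    """Map hash-table index -> flow names.  Each critical flow seeds its own table;
    each non-critical flow joins the table whose critical traffic shares the least
    byte mass with its signatures, so a hash over signature bytes rarely lands on a
    bucket that the co-located traffic hits constantly."""
    table_dists, assignment = [], {}
    for f in flows:
        if f.critical:
            table_dists.append(byte_distribution(f.sample))
            assignment.setdefault(len(table_dists) - 1, []).append(f.name)
    if not table_dists:              # no critical flow at all: one shared table
        table_dists.append({})
    for f in flows:
        if not f.critical:
            sig_dist = byte_distribution(b"".join(f.signatures))
            best = min(range(len(table_dists)),
                       key=lambda i: overlap(table_dists[i], sig_dist))
            assignment.setdefault(best, []).append(f.name)
    return assignment

def sample_flows() -> list:
    """Constructed input: a text-heavy and a binary-heavy critical flow, plus two
    non-critical flows whose signatures each resemble one of them."""
    text = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 4
    binary = (bytes(range(0, 32)) + bytes(range(128, 256))) * 2
    return [
        Flow("text-critical", True, text, []),
        Flow("binary-critical", True, binary, []),
        Flow("binary-sig-flow", False, b"", [b"\x01\x02\x03\x04\xff\xfe"]),
        Flow("text-sig-flow", False, b"", [b"BAD-PATTERN-TEXT"]),
    ]
```

With the constructed input, the binary signature lands in the text flow's table and the text signature in the binary flow's table, which is the pairing with the fewest shared byte values.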