Source/destination operating system type-based IDS virtualization
1 Assignment
0 Petitions
Abstract
Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet's source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet's target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of the threat signature universe is used for each OS-specific packet threat vetting operation.
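As an added illustration (not the patent's own code), a Python sketch of the mechanism the abstract and claim 1 describe: the received signature collection is partitioned into per-OS reduced sets plus a common set, each packet's destination OS is fingerprinted, and the packet is vetted only in the matching OS-specific and common virtual IDS processes. The signatures, the host-profile cache and the TTL/window fingerprint heuristic are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: str
    pattern: bytes          # constructed byte pattern searched for in the payload
    os_types: frozenset     # target OS types this signature applies to

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    payload: bytes

# Constructed collection: two OS-specific signatures and one common to both OSes.
SIGNATURES = [
    Signature("win-1", b"\\pipe\\", frozenset({"windows"})),
    Signature("lnx-1", b"/bin/sh", frozenset({"linux"})),
    Signature("any-1", b"GET /../", frozenset({"windows", "linux"})),
]

# Constructed passive-fingerprint cache: initial TTL and TCP window previously
# observed in traffic originating from each destination host.
HOST_PROFILE = {"10.0.0.5": (128, 65535), "10.0.0.9": (64, 29200)}

def build_reduced_sets(sigs):
    """Split the full collection into per-OS reduced sets plus a common set.
    A signature tagged for two or more OS types goes to the common set only."""
    per_os, common = {}, []
    for s in sigs:
        if len(s.os_types) > 1:
            common.append(s)
        else:
            per_os.setdefault(next(iter(s.os_types)), []).append(s)
    return per_os, common

def fingerprint(pkt):
    """Hypothetical TTL/window heuristic standing in for a real passive fingerprinter."""
    ttl, window = HOST_PROFILE.get(pkt.dst_ip, (None, None))
    if ttl == 128 and window == 65535:
        return "windows"
    if ttl == 64:
        return "linux"
    return "unknown"

def virtual_ids(pkt, reduced_set):
    """One virtual IDS process: compare the packet to its reduced set only."""
    return [s.sid for s in reduced_set if s.pattern in pkt.payload]

def vet_packet(pkt, per_os, common):
    """Direct the packet to the OS-specific and the common virtual IDS in turn
    (the patent runs them in parallel); accept it only if neither matches."""
    os_type = fingerprint(pkt)
    hits = virtual_ids(pkt, per_os.get(os_type, [])) + virtual_ids(pkt, common)
    return (not hits, os_type, hits)
```

A packet bound for a Windows host is never compared against the Linux-only signature, which is the reduction in signature volume the abstract credits for the speed-up; a host with no fingerprint is vetted against the common set alone.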
22 Citations
16 Claims
1. A method of intrusion detection system (IDS) virtualization, comprising:
receiving a stream of packets;
fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a destination host for each corresponding packet;
directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
comparing each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
accepting each packet based on comparing each packet to the threat signature set;
forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
wherein directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises:
directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
View Dependent Claims (2, 3, 4, 5, 6, 7)

8. An apparatus for intrusion detection system virtualization, comprising:
means for receiving a stream of packets;
means for fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a packet destination host for each corresponding packet;
means for directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
means for comparing each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
means for accepting each packet based on comparing each packet to the threat signature set;
means for forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
means for forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
means for forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
means for forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
wherein means for directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises:
means for directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
means for directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
View Dependent Claims (9, 10, 11, 12)

13. A non-transitory computer-readable storage medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions for:
receiving a stream of packets;
fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of the packet destination host;
directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
comparing each packet to a threat signature set corresponding to each identified operating system of the packet destination host in the virtual IDS process;
accepting each packet based on comparing each packet to the threat signature set;
forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
wherein directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises:
directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
View Dependent Claims (14, 15)

16. An apparatus for intrusion detection system (IDS) virtualization, comprising:
a processor configured to:
receive a stream of packets;
fingerprint each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a destination host for each corresponding packet;
direct each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
compare each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
accept each packet based on comparing each packet to the threat signature set;
form a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
form the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
form a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
form a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
wherein when directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet, the processor is configured to:
direct at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
direct the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.

Specification