Source/destination operating system type-based IDS virtualization

US 7,904,960 B2
Filed: 04/27/2004
Issued: 03/08/2011
Est. Priority Date: 04/27/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of intrusion detection system (IDS) virtualization, comprising:

receiving a stream of packets;

fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a destination host for each corresponding packet;

directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;

comparing each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;

aaccepting each packet based on comparing each packet to the threat signature set;

forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;

forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;

forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and

forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;

wherein directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises;

directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and

directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet'"'"'s source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet'"'"'s target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of threat signature universe is used for each OS-specific packet threat vetting operation.

22 Citations

View as Search Results

16 Claims

1. A method of intrusion detection system (IDS) virtualization, comprising:
- receiving a stream of packets;
  
  fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a destination host for each corresponding packet;
  
  directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
  
  comparing each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
  
  aaccepting each packet based on comparing each packet to the threat signature set;
  
  forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
  
  forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
  
  forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
  
  forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
  
  wherein directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises;
  
  directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
  
  directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein fingerprinting comprises active fingerprinting.
  - 3. The method of claim 1, wherein fingerprinting comprises passive fingerprinting.
  - 4. The method of claim 1, wherein the target operating system type is both the packet source host operating system and the packet destination host operating system.
  - 5. The method of claim 1, wherein, when fingerprinting identifies more than one target operating system type and directing occurs at substantially the same time.
  - 6. The method of claim 1, wherein:
    - directing each packet to the virtual IDS process associated with the packet destination host operating system comprises directing each packet having an identified packet destination host operating system to a set of virtual IDS processes, each virtual IDS process of the set of virtual IDS processes being associated with the identified packet destination host operating system and each virtual IDS process of the set of virtual IDS processes configured to operate in a parallel and substantially simultaneous manner relative to each other; and
      
      comparing each packet to the threat signature set corresponding to each identified packet destination host operating system in the virtual IDS process comprises comparing, by each virtual IDS process of the set of virtual IDS processes in the parallel and substantially simultaneous manner relative to each other, the packets received to the threat signature set corresponding to the identified packet destination host operating system associated with the set of virtual IDS processes.
  - 7. The method of claim 1, wherein accepting each packet based on said comparing comprises:
    - when the packet fails to match a threat signature of the threat signature set, accepting the packet for further processing; and
      
      when the packet matches a threat signature of the threat signature set, suppressing further processing of the packet.

8. An apparatus for intrusion detection system virtualization, comprising:
- means for receiving a stream of packets;
  
  means for fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a packet destination host for each corresponding packet;
  
  means for directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
  
  means for comparing each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
  
  means for accepting each packet based on comparing each packet to the threat signature set;
  
  means for forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
  
  means for forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
  
  means for forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
  
  means for forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
  
  wherein means for directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises;
  
  means for directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
  
  means for directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, wherein means for fingerprinting comprise means for active fingerprinting.
  - 10. The apparatus of claim 8, wherein means for fingerprinting comprise means for passive fingerprinting.
  - 11. The apparatus of claim 8, wherein the target operating system type is both the packet source host operating system and the packet destination host operating system.
  - 12. The apparatus of claim 8, wherein, when means for fingerprinting identifies more than one target operating system type and means for directing operates at substantially the same time.

13. A non-transitory computer-readable storage medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions for:
- receiving a stream of packets;
  
  fingerprinting each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of the packet destination host;
  
  directing each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
  
  comparing each packet to a threat signature set corresponding to each identified operating system of the packet destination host in the virtual IDS process;
  
  accepting each packet based on comparing each packet to the threat signature set;
  
  forming a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
  
  forming the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
  
  forming a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
  
  forming a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
  
  wherein directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet comprises;
  
  directing at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
  
  directing the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.
- View Dependent Claims (14, 15)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the computer instructions for fingerprinting comprise computer instructions for active fingerprinting.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the computer instructions for fingerprinting comprise computer instructions for passive fingerprinting.

16. An apparatus for intrusion detection system (IDS) virtualization, comprising:
- a processor configured to;
  
  receive a stream of packets;
  
  fingerprint each packet in the stream to identify at least one target operating system type, wherein the at least one target operating system type is an operating system of a destination host for each corresponding packet;
  
  direct each packet to a virtual IDS process associated with the operating system of the destination host identified for each corresponding packet;
  
  compare each packet to a threat signature set corresponding to each identified operating system of the destination host in the virtual IDS process;
  
  accept each packet based on comparing each packet to the threat signature set;
  
  form a reduced threat signature set from a received collection of threat signatures, the reduced threat signature set corresponding to a specific target operating system;
  
  form the virtual IDS process from the reduced threat signature set corresponding to the specific target operating system;
  
  form a common reduced threat signature set from a received collection of threat signatures, the common reduced threat signature set being common to at least two target operating systems; and
  
  form a common virtual IDS process from the common reduced threat signature set corresponding to the at least two target operating systems;
  
  wherein when directing each packet to the virtual IDS process associated with the operating system of the destination host identified for each corresponding packet, the processor is configured to;
  
  direct at least one packet of the stream of packets to the virtual IDS process associated with the operating system of the destination host identified for the at least one packet; and
  
  direct the at least one packet to the common virtual IDS process when the common virtual IDS process is associated with the operating system of the destination host identified for the at least one packet, the virtual IDS process and the common virtual IDS process providing parallel and substantially simultaneous processing of the at least one packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ithal, Ravishankar Ganesh
Primary Examiner(s)
Thomas; Joseph
Assistant Examiner(s)
Pan; Joseph

Application Number

US10/832,588
Publication Number

US 20080289040A1
Time in Patent Office

2,506 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/180, 380/200, 380/201, 380/255, 380/277, 726/2, 726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Source/destination operating system type-based IDS virtualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Source/destination operating system type-based IDS virtualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links