System and method for dynamic distribution of intrusion signatures
First Claim
1. A method for the dynamic distribution of intrusion signatures to one or more switches and/or routers of a network system, wherein the one or more switches and/or routers include an intrusion detection system library including intrusion signatures and are interconnection devices having packet forwarding functionality and wherein the network system provides network services, the method comprising the steps of:
a. configuring at least one of the one or more switches and/or routers to monitor received network traffic for distribution triggering conditions, wherein the primary function of the configured at least one of the one or more switches and/or routers is packet forwarding;
b. detecting and identifying one or more of the distribution triggering conditions;
c. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
d. employing an intrusion signature deployment algorithm of the at least one of the one or more configured switches to enable the automatic transmission of intrusion signature information to a portion of the one or more configured switches and/or routers;
e. adjusting one or more priorities of at least one of the one or more configured switches and/or routers as a function of the detected triggering condition by employing the intrusion signature deployment algorithm to monitor received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, the least lost performance impact at the one or more of the one or more configured switches and/or routers, or randomness; and
f. providing to a central repository the status of the monitoring priority adjustments made.
Abstract
The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary.
44 Claims
1. Independent claim 1 is set out in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 7, 8, 9, 29, 35, 36, 40, 41
6. A switch of a network system, wherein the network system provides network services, the switch comprising:
a. an intrusion detection system library including intrusion signatures;
b. an intrusion detection function for monitoring network traffic packets received at the switch for distribution triggering conditions, wherein the primary function of the switch is packet forwarding;
c. an intrusion signature deployment algorithm to enable the switch to:
   i) receive from one or more other devices of the network system one or more intrusion signatures and update the library with the one or more received intrusion signatures upon determination that the one or more received intrusion signatures do not exist therein; and
   ii) transmit to one or more other switches and/or routers of the network system one or more intrusion signatures which may include the one or more received intrusion signatures;
d. a reporting function to enable the switch to:
   i) report to a network security management module information relating to the detection of one or more of the distribution triggering conditions; and
   ii) provide to a central repository the status of monitoring priority adjustments made by the switch in monitoring received packets based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, least lost performance impact at the switch, or randomness.
Dependent claims: 23, 24, 25, 26, 27, 28, 30, 44
10. A method for detecting triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the steps of:
a. executing a distribution function on one or more servers of the network system to distribute automatically through, and directly by, the one or more servers of the network system an intrusion detection function to one or more of a plurality of switches and/or routers upon detection of one or more distribution triggering conditions, wherein the one or more of the plurality of switches and/or routers are arranged to execute the intrusion detection function while maintaining as a primary function the function of forwarding packets;
b. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
c. adjusting one or more priorities in the monitoring of received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, performance impact at the one or more of the one or more switches and/or routers, or randomness; and
d. providing to a central repository the status of the monitoring priority adjustments made.
Dependent claims: 11, 12, 31, 32, 33
13. A method for protecting a network system including one or more switches and/or routers, network services and one or more servers, the method comprising carrying out in one or more of the one or more switches and/or routers the steps of:
a. configuring at least one of the one or more switches and/or routers with an intrusion signature deployment algorithm to receive one or more reported intrusion signatures from one or more other devices of the network system, wherein the primary function of the configured at least one of the one or more switches and/or routers is packet forwarding;
b. determining whether received reported intrusion signatures exist in a library of an intrusion detection system, including intrusion signatures, of the at least one of the one or more configured switches and/or routers receiving the notification;
c. updating the libraries of the at least one of the one or more configured switches and/or routers receiving the one or more reported intrusion signatures upon determination that the received reported intrusion signatures do not exist therein;
d. configuring the at least one of the one or more configured switches and/or routers to monitor network traffic for distribution triggering conditions;
e. detecting and identifying one or more distribution triggering conditions;
f. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
g. adjusting one or more priorities of at least one of the one or more configured switches and/or routers by employing the intrusion signature deployment algorithm to monitor received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, least lost performance impact at the one or more of the one or more configured switches and/or routers, or randomness; and
h. providing to a central repository the status of the monitoring priority adjustments made.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 34, 37, 38, 39, 42, 43
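The abstract and the claims above describe two mechanisms: a library update that adds a reported signature only when it is absent and then passes it on to similarly enabled devices, and a monitoring-priority adjustment keyed to how recently a trigger was seen, the severity of the potential harm, least performance impact, or randomness, with the resulting status reported to a central repository. The Python model below is an added example written for this page; it is not code from the patent or its assignee. Device names, signature ids, byte patterns, the severity and cost scales, the per-packet inspection budget, and the dict used as the central repository are all constructed assumptions. It also makes explicit one consequence the claims leave unstated: on a topology with cycles, the existence check in the library update is what stops a reported signature from circulating forever.

```python
# Added example (not the patent's own code): a model of dynamic signature distribution
# among forwarding devices. Names, ids, patterns, scales and budgets are constructed.
from dataclasses import dataclass, field
import random

@dataclass(frozen=True)
class Signature:
    sig_id: str       # constructed identifier
    pattern: bytes    # byte pattern the detection function looks for in packets
    severity: int     # potential harm, 1 (nuisance) .. 10 (critical); assumed scale
    match_cost: int   # assumed relative cost of testing the pattern in the forwarding path

@dataclass
class Device:
    """A switch or router: forwarding is its primary job, the IDS library rides alongside."""
    name: str
    peers: list = field(default_factory=list)      # similarly enabled devices it reports to
    library: dict = field(default_factory=dict)    # sig_id -> Signature
    last_seen: dict = field(default_factory=dict)  # sig_id -> time the trigger was last seen

def receive_signature(device, sig, now):
    """Library update: add the reported signature only if absent, then pass it to peers.
    A device that already holds it does not forward again, so the existence check is
    also what terminates propagation when the topology has cycles."""
    if sig.sig_id in device.library:
        return False
    device.library[sig.sig_id] = sig
    device.last_seen[sig.sig_id] = now
    for peer in device.peers:
        receive_signature(peer, sig, now)
    return True

def monitoring_order(device, policy, rng=None):
    """Rank library entries for matching by one of the criteria the claims name:
    recency of the trigger, severity of harm, least performance impact, or randomness."""
    sigs = list(device.library.values())
    if policy == "recency":
        sigs.sort(key=lambda s: -device.last_seen.get(s.sig_id, 0))
    elif policy == "severity":
        sigs.sort(key=lambda s: -s.severity)
    elif policy == "performance":
        sigs.sort(key=lambda s: s.match_cost)   # cheapest checks first
    elif policy == "random":
        (rng or random.Random()).shuffle(sigs)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return [s.sig_id for s in sigs]

def adjust_priorities(device, policy, repo, rng=None):
    """Apply a priority adjustment and report its status to the central repository,
    modelled here as a plain dict keyed by device name."""
    order = monitoring_order(device, policy, rng)
    repo[device.name] = order
    return order

def inspect_packet(device, packet, order, now, cost_budget):
    """Test patterns in priority order until the per-packet inspection budget (an assumed
    stand-in for the forwarding-path constraint) is spent; matches refresh last_seen."""
    spent, hits = 0, []
    for sig_id in order:
        sig = device.library[sig_id]
        if spent + sig.match_cost > cost_budget:
            break
        spent += sig.match_cost
        if sig.pattern in packet:
            hits.append(sig_id)
            device.last_seen[sig_id] = now
    return hits

def demo():
    # Constructed ring of three devices; each reports to the next, so naive
    # forwarding would loop forever without the existence check.
    a, b, c = Device("sw-a"), Device("sw-b"), Device("rt-c")
    a.peers, b.peers, c.peers = [b], [c], [a]
    repo = {}
    # Constructed signatures; the byte patterns are arbitrary placeholders.
    sigs = [Signature("SIG-0001", b"\x90\x90\x90\x90", severity=8, match_cost=3),
            Signature("SIG-0002", b"GET /../", severity=5, match_cost=1),
            Signature("SIG-0003", b"\x00\x00\xff\xff", severity=2, match_cost=2)]
    for origin, sig, t in zip((a, b, c), sigs, (100, 200, 300)):
        receive_signature(origin, sig, now=t)
    consistent = all(set(d.library) == {s.sig_id for s in sigs} for d in (a, b, c))
    by_recency = adjust_priorities(a, "recency", repo)
    by_severity = adjust_priorities(b, "severity", repo)
    by_cost = adjust_priorities(c, "performance", repo)
    # Constructed packet carrying the SIG-0002 pattern. With a budget of 3, severity-first
    # ordering spends everything on SIG-0001 and misses; cheapest-first catches it.
    packet = b"GET /../etc/passwd HTTP/1.1"
    return {"consistent": consistent, "by_recency": by_recency, "by_severity": by_severity,
            "by_cost": by_cost, "repo": repo,
            "hits_severity": inspect_packet(b, packet, by_severity, now=400, cost_budget=3),
            "hits_cost": inspect_packet(c, packet, by_cost, now=400, cost_budget=3)}
```

Running `demo()` shows every device ending up with all three signatures exactly once despite the ring, and the `repo` dict holding each device's current monitoring order, which is what an operator would consult to see whether a device is actually checking a given signature. The two `inspect_packet` calls illustrate why the claims list several ordering criteria rather than one: on a device whose primary job is forwarding, the inspection budget is small, and a severity-first order can exhaust it on an expensive pattern while a cheaper pattern that would have matched goes untested.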