System and method for dynamic distribution of intrusion signatures

US 8,347,375 B2
Filed: 10/01/2004
Issued: 01/01/2013
Est. Priority Date: 10/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method for the dynamic distribution of intrusion signatures to one or more switches and/or routers of a network system, wherein the one or more switches and/or routers include an intrusion detection system library including intrusion signatures and are interconnection devices having packet forwarding functionality and wherein the network system provides network services, the method comprising the steps of:

a. configuring at least one of the one or more switches and/or routers to monitor received network traffic for distribution triggering conditions, wherein the primary function of the configured at least one of the one or more switches and/or routers is packet forwarding;

b. detecting and identifying one or more of the distribution triggering conditions;

c. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;

d. employing an intrusion signature deployment algorithm of the at least one of the one or more configured switches to enable the automatic transmission of intrusion signature information to a portion of the one or more configured switches and/or routers;

e. adjusting one or more priorities of at least one of the one or more configured switches and/or routers as a function of the detected triggering condition by employing the intrusion signature deployment algorithm to monitor received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, the least lost performance impact at the one or more of the one or more configured switches and/or routers, or randomness; and

f. providing to a central repository the status of the monitoring priority adjustments made.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary.

Citations

44 Claims

1. A method for the dynamic distribution of intrusion signatures to one or more switches and/or routers of a network system, wherein the one or more switches and/or routers include an intrusion detection system library including intrusion signatures and are interconnection devices having packet forwarding functionality and wherein the network system provides network services, the method comprising the steps of:
- a. configuring at least one of the one or more switches and/or routers to monitor received network traffic for distribution triggering conditions, wherein the primary function of the configured at least one of the one or more switches and/or routers is packet forwarding;
  
  b. detecting and identifying one or more of the distribution triggering conditions;
  
  c. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
  
  d. employing an intrusion signature deployment algorithm of the at least one of the one or more configured switches to enable the automatic transmission of intrusion signature information to a portion of the one or more configured switches and/or routers;
  
  e. adjusting one or more priorities of at least one of the one or more configured switches and/or routers as a function of the detected triggering condition by employing the intrusion signature deployment algorithm to monitor received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, the least lost performance impact at the one or more of the one or more configured switches and/or routers, or randomness; and
  
  f. providing to a central repository the status of the monitoring priority adjustments made.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 29, 35, 36, 40, 41)
- - 2. The method as claimed in claim 1 further comprising the step of verifying that the transmitted intrusion signature information has been received by at least one of the one or more switches and/or routers.
  - 3. The method as claimed in claim 1 further comprising the steps of dynamically updating the library of those switches and/or routers determined not to have the one or more intrusion signatures to include the one or more intrusion signatures transmitted and reporting to a central repository completion of the step of dynamically updating.
  - 4. The method as claimed in claim 1 wherein the step of automatically transmitting are performed by a central device of the network system.
  - 5. The method as claimed in claim 3 further comprising the step of continuing to monitor the network system for the same or additional distribution triggering conditions after dynamically updating the one or more of the one or more switches and/or routers not having the one or more intrusion signatures after performing the step of employing.
  - 7. The method as claimed in claim 1 wherein the step of adjusting priorities involves selecting at least one of the one or more switches and/or routers to receive one or more designated intrusion signatures.
  - 8. The method as claimed in claim 1 further comprising the step of distributing to the one or more switches and/or routers receiving the transmitted intrusion signature information an intrusion detection function.
  - 9. The method as claimed in claim 1 wherein the step of monitoring is performed by an IDS function including a library of intrusion signatures and the step of monitoring includes the step of automatically updating by the IDS function the library of intrusion signature information for the one or more switches and/or routers.
  - 29. The method as claimed in claim 1 wherein the one or more switches and/or routers selected for receiving the transmitted intrusion signature information are selected as a function of the physical location or logical location of the one or more switches and/or routers.
  - 35. The method as claimed in claim 1 wherein the step of adjusting priorities involves selecting within one or more of the switches and/or routers one or more intrusion signatures of the libraries thereof to be monitored.
  - 36. The method as claimed in claim 1 wherein the step of adjusting priorities involves selecting at least one of the one or more switches and/or routers to conduct monitoring for one or more intrusion signatures.
  - 40. The method as claimed in claim 1 wherein the step of adjusting priorities includes the step of prioritizing the functionality of the at least one of the one or more switches and/or routers configured to monitor received packets for pattern matching based on one or more intrusion signatures before performing one or more other functions.
  - 41. The method as claimed in claim 7 wherein the step of adjusting priorities includes the step of prioritizing the functionality of the selected one or more switches and/or routers configured to monitor received packets for one or more intrusion signatures before performing one or more other functions.

6. A switch of a network system, wherein the network system provides network services, the switch comprising:
- a. an intrusion detection system library including intrusion signatures;
  
  b. an intrusion detection function for monitoring network traffic packets received at the switch for distribution triggering conditions, wherein the primary function of the switch is packet forwarding;
  
  c. an intrusion signature deployment algorithm to enable the switch to;
  
  i) receive from one or more other devices of the network system one or more intrusion signatures and update the library with the one or more received intrusion signatures upon determination that the one or more received intrusion signatures do not exist therein; and
  
  ii) transmit to one or more other switches and/or routers of the network system one or more intrusion signatures which may include the one or more received intrusion signatures;
  
  d. a reporting function to enable the switch to;
  
  i) report to a network security management module information relating to the detection of one or more of the distribution triggering conditions; and
  
  ii) providing to a central repository the status of monitoring priority adjustments made by the switch in monitoring received packets based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, least lost performance impact at the switch, or randomness.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 30, 44)
- - 23. The switch as claimed in claim 6 configured to monitor received packets for pattern matching based on one or more intrusion signatures contained in its updated library.
  - 24. The switch as claimed in claim 23 wherein the switch is further configured to only monitor the received packets for pattern matching without interfering in the primary function of forwarding packets.
  - 25. The switch as claimed in claim 24 wherein the switch is further configured to receive from one or more servers of the network system a portion of the intrusion signatures to be used in the monitoring of the received packets based on a weighting established for a distribution triggering condition detected by the one or more servers, wherein the one or more servers are not interconnection devices with packet forwarding functionality.
  - 26. The switch as claimed in claim 6 wherein the intrusion signature deployment algorithm updates the library by replacing one or more intrusion signatures existing in the library.
  - 27. The switch as claimed in claim 26 wherein the intrusion signature deployment algorithm replaces the one or more intrusion signatures by determining which of the one or more intrusion signatures to replace based on weighting established by one or more servers of the network system for a distribution triggering condition detected by the one or more servers, wherein the one or more servers are not interconnection devices with packet forwarding functionality.
  - 28. The switch as claimed in claim 27 wherein the weighting is established by the one or more servers as a function of one or more of age of the intrusion signatures contained in the library and physical location or logical location of the switch.
  - 30. The switch as claimed in claim 6 wherein the intrusion signature deployment algorithm updates the library of the switch based on the switch'"'"'s physical or logical location in the network system.
  - 44. The switch as claimed in claim 6 wherein the adjusting of one or more priorities includes selecting one or more intrusion signatures of the library in the monitoring of the received packets.

10. A method for detecting triggering conditions that may affect the security of a network system including a plurality of network devices, the method comprising the steps of:
- a. executing a distribution function on one or more servers of the network system to distribute automatically through, and directly by, the one or more servers of the network system an intrusion detection function to one or more of a plurality of switches and/or routers upon detection of one or more distribution triggering conditions, wherein the one or more of the plurality of switches and/or routers are arranged to execute the intrusion detection function while maintaining as a primary function the function of forwarding packets;
  
  b. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
  
  c. adjusting one or more priorities in the monitoring of received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, performance impact at the one or more of the one or more switches and/or routers, or randomness; and
  
  d. providing to a central repository the status of the monitoring priority adjustments made.
- View Dependent Claims (11, 12, 31, 32, 33)
- - 11. The method as claimed in claim 10 wherein the step of executing the distribution function includes distributing the intrusion detection function to one or more of the plurality of switches and/or routers with no intrusion detection capability or activating the intrusion detection function stored or cached on one or more of the plurality of switches and/or routers.
  - 12. The method as claimed in claim 10 wherein the distribution triggering condition is selected from the group consisting of detection of one or more known intrusion signatures, a time period, a data frequency, and a manual input.
  - 31. The method as claimed in claim 10 further comprising the steps of:
    - a. establishing as part of the intrusion detection function in each of the one or more of the plurality of switches and/or routers a library including intrusion signatures;
      
      b. transmitting from the one or more servers to the one or more of the plurality of switches and/or routers intrusion signature information, wherein those one or more switches and/or routers selected for receiving the transmitted intrusion signature information are selected at least as a function of one or more distribution triggering conditions detected;
      
      c. configuring at least one of the one or more of the plurality of switches and/or routers to monitor received packets for pattern matching based on the received intrusion signature information contained in its library and to report detected intrusion signatures regardless of network service that may be the subject of a harmful network intrusion.
  - 32. The method as claimed in claim 31 further comprising the step of dynamically updating the libraries of the one or more switches and/or routers determined not to have one or more intrusion signatures transmitted from the one or more servers.
  - 33. The method as claimed in claim 31 wherein the one or more switches and/or routers receiving the transmitted intrusion signature information are selected as a function of the physical location or logical location of the one or more switches and/or routers.

13. A method for protecting a network system including one or more switches and/or routers, network services and one or more servers, the method comprising carrying out in one or more of the one or more switches and/or routers the steps of:
- a. configuring at least one of the one or more switches and/or routers with an intrusion signature deployment algorithm to receive one or more reported intrusion signatures from one or more other devices of the network system, wherein the primary function of the configured at least one of the one or more switches and/or routers is packet forwarding;
  
  b. determining whether received reported intrusion signatures exist in a library of an intrusion detection system, including intrusion signatures, of the at least one of the one or more configured switches and/or routers receiving the notification;
  
  c. updating the libraries of the at least one of the one or more configured switches and/or routers receiving the one or more reported intrusion signatures upon determination that the received reported intrusion signatures do not exist therein;
  
  d. configuring the at least one of the one or more configured switches and/or routers to monitor network traffic for distribution triggering conditions;
  
  e. detecting and identifying one or more distribution triggering conditions;
  
  f. reporting information relating to the detection of the one or more distribution triggering conditions to a network security management module;
  
  g. adjusting one or more priorities of at least one of the more or more configured switches and/or routers by employing the intrusion signature deployment algorithm to monitor received packets for patterns matching one or more intrusion signatures based on how recently the distribution triggering condition was detected, the severity of the potential harm to the network system, least lost performance impact at the one or more of the one or more configured switches and/or routers, or randomness; and
  
  h. providing to a central repository the status of the monitoring priority adjustments made.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 34, 37, 38, 39, 42, 43)
- - 14. The method as claimed in claim 13 wherein the step of receiving the reported one or more intrusion signatures includes receiving the reported one or more intrusion signatures from the one or more servers of the network system.
  - 15. The method as claimed in claim 13 wherein intrusion signatures are stored in a plurality of devices of the network system and the library of one or more of the one or more of the switches and/or routers receiving the notification does not contain all intrusion signatures stored in the network system.
  - 16. The method as claimed in claim 15 further comprising the step of configuring the one or more switches and/or routers receiving the notification to monitor for a portion of the intrusion signatures of its library.
  - 17. The method as claimed in claim 16 further comprising the step of selecting the portion of the intrusion signatures to be monitored by the one or more switches and/or routers based on a weighting established for the distribution triggering condition detected.
  - 18. The method as claimed in claim 13 further comprising the step of configuring the one or more switches and/or routers to only monitor for the intrusion signatures without interfering in the primary function of forwarding packets.
  - 19. The method as claimed in claim 18 further comprising the step of selecting a portion of the intrusion signatures to be monitored by the switches and/or routers based on a weighting established for the distribution triggering condition detected.
  - 20. The method as claimed in claim 13 wherein the step of updating the library includes the step of replacing one or more intrusion signatures existing in the library.
  - 21. The method as claimed in claim 20 wherein the step of replacing includes the step of determining which of the one or more intrusion signatures to replace based on weighting established for the distribution triggering condition detected or local criteria.
  - 22. The method as claimed in claim 21 wherein the local criteria includes age of the intrusion signatures contained in the library and physical location or logical location of the one or more switches and/or routers.
  - 34. The method as claimed in claim 13 wherein the updating step further includes the step of making a determination whether to update the library of any one or more of the one or more switches and/or routers based on the physical location or logical location of the one or more switches and/or routers.
  - 37. The method as claimed in claim 13 wherein the step of adjusting priorities involves selecting at least one of the one or more switches and/or routers to receive one or more designated intrusion signatures.
  - 38. The method as claimed in claim 13 wherein the step of adjusting priorities involves selecting within one or more of the switches and/or routers one or more intrusion signatures of the libraries thereof to be monitored.
  - 39. The method as claimed in claim 13 wherein the step of adjusting priorities involves selecting at least one of the one or more switches and/or routers to conduct monitoring for one or more intrusion signatures.
  - 42. The method as claimed in claim 13 wherein the step of adjusting priorities includes the step of prioritizing the functionality of the at least one of the one or more switches and/or routers configured to monitor received packets for pattern matching based on one or more intrusion signatures before performing one or more other functions.
  - 43. The method as claimed in claim 37 wherein the step of adjusting priorities includes the step of prioritizing the functionality of the selected one or more switches and/or routers configured to monitor received packets for one or more intrusion signatures before performing one or more other functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Roese, John J., Graham, Richard W.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/956,304
Publication Number

US 20050076245A1
Time in Patent Office

3,014 Days
Field of Search

709/224, 709/204, 713/201, 713/172, 726/23
US Class Current

726/13
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System and method for dynamic distribution of intrusion signatures

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic distribution of intrusion signatures

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links