Matching with a large vulnerability signature ruleset for high performance network defense
First Claim
1. A computer-implemented method for network intrusion detection, said method comprising:
- capturing a data message;
- invoking a protocol parser to extract content of a protocol field from the data message;
- constructing a signature table, where each row of the signature table represents a vulnerability signature, each column of the signature table represents a protocol field to be matched, and each cell of the signature table represents how the corresponding field is matched on the corresponding vulnerability signature;
- for each column in the signature table, examining the contents of the protocol field against corresponding entries for all vulnerability signatures in the signature table and labelling each vulnerability signature that matches the contents of the protocol field as a candidate signature;
- iteratively combining candidate signatures from different columns to produce a final matching outcome; and
- detecting an unwanted network intrusion based on the final matching outcome.
Abstract
Systems, methods, and apparatus are provided for vulnerability signature based Network Intrusion Detection and/or Prevention which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering improved accuracy. A candidate selection algorithm efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory. A parsing transition state machine achieves fast protocol parsing. Certain examples provide a computer-implemented method for network intrusion detection. The method includes capturing a data message and invoking a protocol parser to parse the data message. The method also includes matching the parsed data message against a plurality of vulnerability signatures in parallel using a candidate selection algorithm and detecting an unwanted network intrusion based on an outcome of the matching.
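The table-driven candidate selection described in the abstract and in claim 1, as an added example that is not the patent's own code: each signature is a row of per-field matchers, each column pass yields a candidate set, and the per-column sets are intersected to reach the final outcome. The HTTP-style parser, the signature names and the rules are constructed for illustration.

```python
import re
from typing import Callable

# A cell of the signature table: a predicate over one protocol field's content.
Matcher = Callable[[str], bool]

def exact(v: str) -> Matcher:
    return lambda x: x == v

def regex(p: str) -> Matcher:
    r = re.compile(p)
    return lambda x: r.search(x) is not None

def length_gt(n: int) -> Matcher:
    return lambda x: len(x) > n

# Rows = vulnerability signatures, columns = protocol fields (constructed rules).
# A signature that names no matcher for a field is a wildcard on that column.
SIGNATURE_TABLE = {
    "sig-long-uri": {"method": exact("GET"), "uri": length_gt(64)},
    "sig-big-upload": {"method": exact("POST"), "uri": regex(r"^/upload"), "body": length_gt(1000)},
    "sig-bad-host": {"host": regex(r"[^\x20-\x7e]")},
}
FIELDS = ["method", "uri", "host", "body"]

def parse_http_request(raw: str) -> dict:
    """Minimal protocol parser standing in for the patent's parsing state machine."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {"method": method, "uri": uri, "host": headers.get("Host", ""), "body": body}

def candidates_for_field(field: str, content: str) -> set:
    """One column pass: label every signature whose cell matches (or is a wildcard) as a candidate."""
    return {sid for sid, row in SIGNATURE_TABLE.items()
            if field not in row or row[field](content)}

def match(fields: dict) -> set:
    """Iteratively combine per-column candidate sets; survivors matched every constrained field."""
    result = set(SIGNATURE_TABLE)
    for field in FIELDS:
        result &= candidates_for_field(field, fields.get(field, ""))
        if not result:
            break  # no signature can still match, so later columns need not be examined
    return result

def detect(raw: str) -> set:
    """Return the set of matching signature ids; a non-empty set is a detection."""
    return match(parse_http_request(raw))
```

Matchers are evaluated once per column for all signatures, so the work per field grows with the number of distinct cells in that column rather than with the full ruleset, which is the point of selecting candidates column by column.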
20 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A vulnerability-based network intrusion detection/prevention system comprising:
- a processor configured to implement:
- a protocol parser including a parsing state machine to extract content of a protocol field from a protocol data unit according to an associated application protocol specification; and
- a matching engine configured to: construct a signature table, where each row of the signature table represents a vulnerability signature, each column of the signature table represents a protocol field to be matched, and each cell of the signature table represents how the corresponding field is matched on the corresponding vulnerability signature; the matching engine configured to, for each column in the signature table, examine the contents of the protocol field against corresponding entries for all vulnerability signatures in the signature table and label each vulnerability signature that matches the contents of the protocol field as a candidate signature; iteratively combine candidate signatures from different columns to produce a final matching outcome; and detect an unwanted network intrusion based on the final matching outcome.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable storage medium having a set of instructions stored thereon which, when executed, instruct a processor to implement a vulnerability-based network intrusion detection system comprising:
- a protocol parser including a parsing state machine to extract content of a protocol field from a protocol data unit according to an associated application protocol specification; and
- a matching engine configured to: construct a signature table, where each row of the signature table represents a vulnerability signature, each column of the signature table represents a protocol field to be matched, and each cell of the signature table represents how the corresponding field is matched on the corresponding vulnerability signature; the matching engine configured to, for each column in the signature table, examine the contents of the protocol field against corresponding entries for all vulnerability signatures in the signature table and label each vulnerability signature that matches the contents of the protocol field as a candidate signature; iteratively combine candidate signatures from different columns to produce a final matching outcome; and detect an unwanted network intrusion based on the final matching outcome.
Dependent claims: 16, 17, 18, 19, 20.