System and method for incorporating quality-of-service and reputation in an intrusion detection and prevention system
First Claim
1. A method comprising:
determining by a firewall whether a first packet should be admitted to a protected network;
receiving at an intrusion prevention system of the protected network a first reputation score for the first packet based upon a first source of the first packet, wherein the firewall is different from the intrusion protection system, and wherein the first reputation score is provided from a database of the intrusion prevention system;
providing the first packet to a first one of a plurality of buffers of the intrusion prevention system, wherein each buffer is associated with a different range of reputation scores, and wherein the first reputation score for the first packet is within the range of reputation scores associated with the first buffer;
processing the first packet by a first one of a plurality of processing engines to determine if the first packet includes an exploit;
forwarding the first packet to the protected network when the first packet does not include the exploit;
determining by the firewall whether a second packet should be admitted to the protected network;
receiving at the intrusion prevention system a second reputation score for the second packet based upon a second source of the second packet; and
bypassing the buffers in response to the second reputation score being greater than a first threshold, and forwarding the second packet to the protected network without processing the second packet by any of the processing engines.
Abstract
An intrusion prevention system includes a processor, processing engines, buffers that are each associated with a different range of reputation scores, and a storage device having a database and an application. The processor executes the application to determine that a firewall has admitted a packet, determine a reputation score for the packet from the database, provide the packet to a buffer whose reputation score range includes the reputation score of the packet, provide the packet from the buffer to a processing engine, process the packet in the processing engine to determine if the packet includes an exploit, and forward the packet to the protected network if the packet does not include the exploit.
17 Claims
1. A method comprising: (independent claim; text identical to the First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An intrusion prevention system comprising:
a processor;
a plurality of processing engines;
a plurality of buffers, wherein each buffer is associated with a different range of reputation scores; and
a storage device including:
a database; and
an application;
wherein the processor is operable to execute the application to:
determine that a firewall has admitted a first packet;
determine a first reputation score for the first packet based upon a first source of the first packet, wherein the reputation score is received from the database;
provide the first packet to a first one of the buffers when the first reputation score is within the range of reputation scores associated with the first buffer;
process the first packet in the first processing engine to determine if the first packet includes an exploit;
forward the first packet to the protected network when the first packet does not include the exploit;
determine that the firewall has admitted a second packet;
determine a second reputation score for the second packet based upon a second source of the second packet;
bypass the buffers when the second reputation score is greater than a first threshold; and
forward the second packet to the protected network without processing the second packet by any of the processing engines;
wherein:
providing the first packet to the first buffer is in further response to determining that the first reputation score is less than the first threshold and greater than a second threshold; and
the processor is further operable to execute the application to drop the first packet when the first reputation score is lower than the second threshold.
Dependent claims: 11, 12, 13
14. A non-transitory computer readable medium including code for performing a method, the method comprising:
determining by a firewall whether a first packet should be admitted to a protected network;
receiving at an intrusion prevention system of the protected network a first reputation score for the first packet based upon a first source of the first packet, wherein the firewall is different from the intrusion protection system;
providing the first packet to a first one of a plurality of buffers of the intrusion prevention system, wherein each buffer is associated with a different range of reputation scores, and wherein the first reputation score for the first packet is within the range of reputation scores associated with the first buffer;
processing the first packet by a first one of a plurality of processing engines to determine if the first packet includes an exploit;
forwarding the first packet to the protected network when the first packet does not include the exploit;
determining by the firewall whether a second packet should be admitted to the protected network;
receiving at the intrusion prevention system a second reputation score for the second packet based upon a second source of the second packet; and
bypassing the buffers in response to the second reputation score being greater than a first threshold, and forwarding the second packet to the protected network without processing the second packet by any of the processing engines;
wherein:
each buffer is associated with a different range of quality of services of a plurality of quality of services; and
providing the first packet to the first buffer is in further response to determining that the first packet has a first quality of service, wherein the first quality of service is within the range of quality of services associated with the first buffer.
Dependent claims: 15, 16, 17
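The packet path that the three independent claims describe (firewall admission, reputation lookup from a database, bypass above a first threshold, drop below a second threshold, buffer selection by reputation range and quality of service, then inspection by a processing engine) is shown below as an added Python simulation. It is not the patent's code: the threshold values, the reputation database entries, the QoS classes, the buffer layout, the firewall deny entry and the exploit signatures are all constructed assumptions made for the example.

```python
"""Reputation- and QoS-aware IPS front end (added example; not the patent's code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# The claims' "first" and "second" thresholds; the numeric values are assumed.
BYPASS_THRESHOLD = 90   # score above this: skip the buffers and the engines entirely
DROP_THRESHOLD = 20     # score below this: drop without inspection

# Constructed reputation database keyed by source address (scores 0..100).
REPUTATION_DB: Dict[str, int] = {
    "10.0.0.5": 95,        # trusted internal host
    "198.51.100.7": 60,    # unknown external host
    "203.0.113.9": 10,     # source with a known-bad history
}
DEFAULT_REPUTATION = 50    # assumed score for sources the database has never seen

# Constructed signatures standing in for the processing engine's rule set.
EXPLOIT_SIGNATURES: Tuple[bytes, ...] = (b"\x90\x90\x90\x90", b"../../")


@dataclass
class Packet:
    src: str
    qos: int          # assumed 0..7 priority class
    payload: bytes


@dataclass
class Buffer:
    """One buffer: owns a reputation range and a QoS range, plus its queue."""
    name: str
    rep_range: Tuple[int, int]   # inclusive bounds
    qos_range: Tuple[int, int]   # inclusive bounds
    queue: Deque[Packet] = field(default_factory=deque)

    def accepts(self, score: int, qos: int) -> bool:
        return (self.rep_range[0] <= score <= self.rep_range[1]
                and self.qos_range[0] <= qos <= self.qos_range[1])


def make_buffers() -> List[Buffer]:
    """Assumed layout: non-overlapping reputation bands, the middle band split by QoS."""
    return [
        Buffer("high-rep", (70, BYPASS_THRESHOLD), (0, 7)),
        Buffer("mid-rep-high-qos", (DROP_THRESHOLD, 69), (4, 7)),
        Buffer("mid-rep-low-qos", (DROP_THRESHOLD, 69), (0, 3)),
    ]


def firewall_admits(pkt: Packet) -> bool:
    """Stand-in for the separate firewall: a single constructed deny entry."""
    return pkt.src != "192.0.2.1"


def reputation_score(pkt: Packet, db: Dict[str, int] = REPUTATION_DB) -> int:
    return db.get(pkt.src, DEFAULT_REPUTATION)


def dispatch(pkt: Packet, buffers: List[Buffer]) -> str:
    """Route one packet as the claims describe and return its disposition."""
    if not firewall_admits(pkt):
        return "firewall-blocked"
    score = reputation_score(pkt)
    if score > BYPASS_THRESHOLD:
        return "bypassed"              # forwarded with no buffering and no engine
    if score < DROP_THRESHOLD:
        return "dropped"               # never reaches an engine
    # Scores equal to a threshold are not assigned by the claims; this example inspects them.
    for buf in buffers:
        if buf.accepts(score, pkt.qos):
            buf.queue.append(pkt)
            return f"queued:{buf.name}"
    return "dropped:no-buffer"         # no matching buffer: fail closed (example's choice)


def has_exploit(pkt: Packet) -> bool:
    """Processing engine: signature match over the payload."""
    return any(sig in pkt.payload for sig in EXPLOIT_SIGNATURES)


def drain(buf: Buffer) -> List[Tuple[Packet, str]]:
    """Run one processing engine over a buffer; forward clean packets, block exploits."""
    results = []
    while buf.queue:
        pkt = buf.queue.popleft()
        results.append((pkt, "blocked-exploit" if has_exploit(pkt) else "forwarded"))
    return results


if __name__ == "__main__":
    bufs = make_buffers()
    sample = [                          # constructed traffic
        Packet("10.0.0.5", 2, b"GET / HTTP/1.1"),
        Packet("203.0.113.9", 7, b"hello"),
        Packet("198.51.100.7", 5, b"GET /../../etc/passwd"),
        Packet("198.51.100.7", 1, b"ordinary data"),
        Packet("192.0.2.1", 0, b"x"),
    ]
    for p in sample:
        print(p.src, p.qos, dispatch(p, bufs))
    for b in bufs:
        for p, verdict in drain(b):
            print(b.name, p.src, verdict)
```

Two points matter to anyone operating such a design. The bypass path means a packet from a source scored above the first threshold is never inspected, so the integrity of the reputation database and the conservatism of that threshold bound the system's detection coverage. The claims also leave scores equal to a threshold and packets matching no buffer unassigned; the example inspects the former and drops the latter, and a deployment should make both choices explicitly.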