Extension model for improved parsing and describing protocols
First Claim
1. In a computing environment, a computer-implemented method comprising:
receiving, by an intrusion detection engine implemented on at least one processor, data corresponding to network protocols;
parsing the data, including arranging a plurality of modules in a tree-like structure, the plurality of modules including at least one parent module and at least one child module, the at least one parent module comprising a protocol definition and the at least one child module comprising a protocol definition extension, in which a child module specifies a parent module and specifies a condition set containing at least one condition that, in response to the at least one condition being met, prompts the parent module to invoke the child module, the parent module parsing the data corresponding to the network protocols to determine whether to invoke the child module;
processing a selected module of the plurality of modules to determine whether the selected module has a parent module associated therewith; and
responsive to determining that the selected module does not have a parent module associated therewith, designating the selected module as a top-level parent module.
Abstract
Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.
20 Claims
1. In a computing environment, a computer-implemented method comprising:

(Independent claim; its full text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.)

10. In a computing environment, a system comprising:

memory coupled to a bus system, the memory comprising computer useable program code;
one or more processing units, the one or more processing units configured to execute the computer useable program code to implement a parsing engine, the parsing engine configured to parse data corresponding to network protocols; and
a tree-structured model comprising a plurality of modules, including at least one parent module having at least one child module, the at least one parent module comprising a protocol definition and the at least one child module comprising a protocol definition extension, the parsing engine configured to access the tree-structured model to parse the data, including: invoking the at least one parent module from a top-level module based upon a condition being met, the at least one parent module providing processing for parsing the data and invoking the at least one child module for further processing upon another condition being met, the at least one child module specifies the at least one parent module and the other condition that prompts the at least one parent module to invoke the at least one child module;
processing a selected module of the plurality of modules to determine whether the selected module has an associated parent module; and
responsive to determining that the selected module does not have an associated parent module, designating the selected module as a top-level parent module within the tree-structured model.

(Dependent claims: 11, 12, 13, 14, 15, 16, 17.)

18. One or more computer storage devices having computer-executable instructions, which on execution by a computer, cause the computer to:

receive, by a parsing engine implemented on at least one processor, data corresponding to network protocols; and
parse the data based on a plurality of modules arranged in a tree-like structure, in which a child module specifies a parent module and a condition set containing at least one condition for the parent module invoking the child module, the parent module comprising a protocol definition and the child module comprising a protocol definition extension, the parent module parsing the data corresponding to the network protocols, and evaluating the data to determine whether to invoke the child module, and responsive to the at least one condition specified by the child module being met, the parent module invoking the child module as a rule visitor during the parsing;
process a selected module of the plurality of modules to determine whether the selected module has an associated parent module; and
responsive to determining that the selected module does not have an associated parent module, designate the selected module as a top-level parent module.

(Dependent claims: 19, 20.)
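The tree-structured module model described in the abstract and claims, as an added Python illustration (not the patent's or any product's code): each module names its parent and the condition under which that parent invokes it, modules with no parent are designated top-level, and the engine invokes only the children whose condition the parsed data meets. The module names, the record fields, and the sample TCP/HTTP record are assumptions constructed for this example; the "signature" child simply flags a request path containing "../".

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
@dataclass
class Module:
    """Names its parent (None => top-level) and the condition under which that parent invokes it."""
    name: str
    parent: Optional[str]
    condition: Callable[[dict], bool]
    action: Callable[[dict], None] = lambda d: None  # this module's own parsing step
    children: list = field(default_factory=list)

def build_model(modules):
    """Arrange modules in a tree; any module without a parent is designated top-level."""
    by_name = {m.name: m for m in modules}
    top_level = []
    for m in modules:
        if m.parent is None:
            top_level.append(m)
        else:
            by_name[m.parent].children.append(m)  # child registers with its named parent
    return top_level

def invoke(module, data, trace):
    """Run the module's own parsing, then invoke only children whose condition is met."""
    module.action(data)
    trace.append(module.name)
    for child in module.children:
        if child.condition(data):
            invoke(child, data, trace)

def parse(top_level, data):
    trace = []  # names of the modules invoked, in order
    for m in top_level:
        if m.condition(data):
            invoke(m, data, trace)
    return trace

def parse_http(d):  # HTTP module's action: pull METHOD and PATH from the request line
    parts = d["payload"].split(" ", 2)
    d["method"], d["path"] = parts[0], (parts[1] if len(parts) > 1 else "")

# Constructed tree (assumption, not from the patent): TCP -> HTTP -> {GET handler, signature}.
MODEL = build_model([
    Module("tcp", None, lambda d: d.get("proto") == "tcp"),
    Module("http", "tcp", lambda d: d.get("dst_port") == 80, parse_http),
    Module("http_get", "http", lambda d: d.get("method") == "GET"),
    Module("sig_traversal", "http", lambda d: "../" in d.get("path", "")),
])
# Constructed sample record standing in for an already-decoded TCP segment.
SAMPLE = {"proto": "tcp", "dst_port": 80, "payload": "GET /files/../admin HTTP/1.1"}
```

Calling `parse(MODEL, dict(SAMPLE))` returns the invocation trace `["tcp", "http", "http_get", "sig_traversal"]`; a non-TCP record invokes nothing, and a TCP record to another port stops at the top-level module.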
Specification