System and method for automated configuration of intrusion detection systems
First Claim
1. A method, comprising:
- receiving from a network investigation system one or more combinations of metadata parameters that have been identified by an analyst of the network investigation system as being indicative of malicious traffic within network traffic, wherein the receiving is performed by a first interface of an apparatus comprising the first interface, a second interface, and a processor;
- based on the received combinations of the metadata parameters, formulating, by the processor, one or more Intrusion Detection System (IDS) rules that identify the malicious traffic, wherein formulating the IDS rules comprises presenting both the network traffic and the combinations of metadata parameters to an operator on a computer terminal via a graphical user interface (GUI), wherein the GUI allows the operator to manipulate the presentation of the network traffic and the combinations of metadata parameters so as to find combinations of metadata parameter values that are characteristic of the malicious traffic, and upon finding the combinations of metadata parameter values that are characteristic of the malicious traffic, automatically generating, by the processor, an IDS rule that matches the found combinations; and
- configuring, by the processor via the second interface, an IDS to identify the malicious traffic in the network traffic, by provisioning the IDS with the IDS rules.
Abstract
Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters.
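The workflow the abstract describes (analyst-selected metadata filter combinations in, IDS rules out, IDS provisioned with them) can be illustrated end to end. The following is an added example, not code from the patent or its assignee: it assumes a Suricata/Snort-style rule syntax (the `http.user_agent` and `http.uri` sticky buffers are real Suricata keywords), a constructed set of analyst-supplied metadata combinations, and constructed sample flow metadata used to check that the combinations single out the intended flows.

```python
"""Added example: formulate IDS rules from analyst-identified metadata
combinations and provision an IDS with them (illustrative, not the patent's code)."""
from dataclasses import dataclass
import tempfile


@dataclass
class FlowMetadata:
    """Constructed, simplified metadata record for one network flow."""
    proto: str
    dst_port: int
    http_user_agent: str = ""
    http_uri: str = ""


# Constructed stand-in for what a network investigation system hands over:
# each dict is one combination of metadata parameter values that an analyst
# marked as characteristic of malicious traffic.
ANALYST_COMBINATIONS = [
    {"proto": "tcp", "dst_port": 8080,
     "http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"proto": "tcp", "dst_port": 80, "http_uri": "/gate.php"},
]

# Metadata parameter name -> Suricata sticky-buffer keyword (assumed mapping).
BUFFER_KEYWORDS = {"http_user_agent": "http.user_agent", "http_uri": "http.uri"}


def escape_content(value: str) -> str:
    """Escape characters that terminate or break a content:"..." string."""
    for ch in ("\\", ";", '"'):          # backslash first to avoid double escaping
        value = value.replace(ch, "\\" + ch)
    return value


def formulate_rule(combo: dict, sid: int) -> str:
    """Turn one metadata combination into one alert rule with the given SID."""
    proto = combo.get("proto", "ip")
    port = combo.get("dst_port", "any")
    options = [f'msg:"Analyst-derived rule {sid}"']
    for key, keyword in BUFFER_KEYWORDS.items():
        if key in combo:
            options.append(keyword)                               # select buffer
            options.append(f'content:"{escape_content(combo[key])}"')  # match value
    options += ["classtype:trojan-activity", f"sid:{sid}", "rev:1"]
    return f"alert {proto} any any -> any {port} ({'; '.join(options)};)"


def formulate_rules(combinations, base_sid: int = 1000001):
    """Assign consecutive SIDs so each combination yields a distinct rule."""
    return [formulate_rule(c, base_sid + i) for i, c in enumerate(combinations)]


def render_rules_file(rules) -> str:
    """Text of the rules file the IDS is provisioned with."""
    return "\n".join(rules) + "\n"


def provision_ids(rules, rules_path: str) -> int:
    """Write the rules file the IDS loads; returns the number of rules written."""
    with open(rules_path, "w", encoding="utf-8") as fh:
        fh.write(render_rules_file(rules))
    return len(rules)


def combo_matches(combo: dict, flow: FlowMetadata) -> bool:
    """A flow matches when every metadata value in the combination is present,
    which is the same condition the generated rule encodes."""
    return all(getattr(flow, key) == value for key, value in combo.items())


# Constructed sample traffic: flows 0 and 2 carry the analyst's markers.
SAMPLE_TRAFFIC = [
    FlowMetadata("tcp", 8080, "Mozilla/4.0 (compatible; MSIE 6.0)", "/index.html"),
    FlowMetadata("tcp", 443, "Mozilla/5.0", "/"),
    FlowMetadata("tcp", 80, "curl/8.0", "/gate.php"),
]


def flagged_flows(combinations, traffic):
    """Indices of flows that at least one combination (hence one rule) covers."""
    return [i for i, flow in enumerate(traffic)
            if any(combo_matches(c, flow) for c in combinations)]


if __name__ == "__main__":
    rules = formulate_rules(ANALYST_COMBINATIONS)
    with tempfile.NamedTemporaryFile("w", suffix=".rules", delete=False) as tmp:
        path = tmp.name
    print(f"provisioned {provision_ids(rules, path)} rules to {path}")
    print(render_rules_file(rules))
    print("flows flagged:", flagged_flows(ANALYST_COMBINATIONS, SAMPLE_TRAFFIC))
```

The escaping in `escape_content` matters in practice: a user-agent string containing `;` (as in the first constructed combination) would otherwise terminate the `content` option and produce a rule the IDS rejects on load, so the check before provisioning is that every generated rule parses.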
12 Claims
7. Apparatus, comprising:
- a first interface, for communicating with a network investigation system;
- a second interface, for communicating with an Intrusion Detection System (IDS);
- a memory and a processor, which is configured to receive from the network investigation system over the first interface one or more combinations of metadata parameters that have been identified by an analyst of the network investigation system as being indicative of malicious traffic within network traffic, to formulate, based on the received combinations of the metadata parameters, one or more Intrusion Detection System (IDS) rules that identify the malicious traffic, and, using the second interface, to configure an IDS to identify the malicious traffic in the network traffic, by provisioning the IDS with the IDS rules;
- wherein the processor formulates the IDS rules by at least presenting both the network traffic and the combinations of metadata parameters to an operator on a computer terminal via a graphical user interface (GUI), wherein the GUI allows the operator to manipulate the presentation of the network traffic and the combinations of metadata parameters so as to find combinations of metadata parameter values that are characteristic of the malicious traffic, and upon finding the combinations of metadata parameter values that are characteristic of the malicious traffic, automatically generating, by the processor, an IDS rule that matches the found combinations.