System and method for automated configuration of intrusion detection systems

US 9,479,523 B2
Filed: 04/28/2014
Issued: 10/25/2016
Est. Priority Date: 04/28/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving from a network investigation system one or more combinations of metadata parameters that have been identified by an analyst of the network investigation system as being indicative of malicious traffic within network traffic, wherein the receiving is performed by a first interface of an apparatus comprising the first interface, a second interface, and a processor;

based on the received combinations of the metadata parameters, formulating, by the processor, one or more Intrusion Detection System (IDS) rules that identify the malicious traffic, wherein formulating the IDS rules comprises presenting both the network traffic and the combinations of metadata parameters to an operator on a computer terminal via a graphical user interface (GUI), wherein the GUI allows the operator to manipulate the presentation of the network traffic and the combinations of metadata parameters so as to find combinations of metadata parameter values that are characteristic of the malicious traffic, and upon finding the combinations of metadata parameter values that are characteristic of the malicious traffic, automatically generating, by the processor, an IDS rule that matches the found combinations; and

configuring, by the processor via the second interface, an IDS to identify the malicious traffic in the network traffic, by provisioning the IDS with the IDS rules.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters.

Citations

12 Claims

1. A method, comprising:
- receiving from a network investigation system one or more combinations of metadata parameters that have been identified by an analyst of the network investigation system as being indicative of malicious traffic within network traffic, wherein the receiving is performed by a first interface of an apparatus comprising the first interface, a second interface, and a processor;
  
  based on the received combinations of the metadata parameters, formulating, by the processor, one or more Intrusion Detection System (IDS) rules that identify the malicious traffic, wherein formulating the IDS rules comprises presenting both the network traffic and the combinations of metadata parameters to an operator on a computer terminal via a graphical user interface (GUI), wherein the GUI allows the operator to manipulate the presentation of the network traffic and the combinations of metadata parameters so as to find combinations of metadata parameter values that are characteristic of the malicious traffic, and upon finding the combinations of metadata parameter values that are characteristic of the malicious traffic, automatically generating, by the processor, an IDS rule that matches the found combinations; and
  
  configuring, by the processor via the second interface, an IDS to identify the malicious traffic in the network traffic, by provisioning the IDS with the IDS rules.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, wherein formulating the IDS rules comprises defining the rule based on data content of the network traffic in addition to the combinations of the metadata parameters.
  - 3. The method according to claim 1, wherein presenting the network traffic to the operator comprises automatically selecting a partial subset of the combinations of the metadata parameters, and presenting, to the operator via the GUI, the network traffic filtered only in accordance with the selected partial subset.
  - 4. The method according to claim 1, wherein automatically generating the IDS rule comprises automatically generating a regular expression that matches the found combinations.
  - 5. The method according to claim 1, wherein configuring the IDS comprises verifying a performance of an IDS rule in the IDS prior to configuring the IDS to apply the IDS rule to live network traffic.
  - 6. The method according to claim 5, wherein verifying the performance comprises requesting an operator to modify the IDS rule in response to detecting that the performance of the IDS rule is insufficient.

7. Apparatus, comprising;
- a first interface, for communicating with a network investigation system;
  
  a second interface, for communicating with an Intrusion Detection System (IDS);
  
  a memory and a processor, which is configured to receive from the network investigation system over the first interface one or more combinations of metadata parameters that have been identified by an analyst of the network investigation system as being indicative of malicious traffic within network traffic, to formulate, based on the received combinations of the metadata parameters, one or more intrusion Detection System (IDS) rules that identify the malicious traffic, and, using the second interface, to configure an IDS to identify the malicious traffic in the network traffic, by provisioning the IDS with the IDS rules;
  
  wherein the processor formulates the IDS rules by at least presenting both the network traffic and the combinations of metadata parameters to an operator on a computer terminal via a graphical user interface (GUI), wherein the GUI allows the operator to manipulate the presentation of the network traffic and the combinations of metadata parameters so as to find combinations of metadata parameter values that are characteristic of the malicious traffic, and upon finding the combinations of metadata parameter values that are characteristic of the malicious traffic, automatically generating, by the processor, an IDS rule that matches the found combinations.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus according to claim 7, wherein the processor is configured to define the rule based on data content of the network traffic in addition to the combinations of the metadata parameters.
  - 9. The apparatus according to claim 7, wherein the processor is configured to present the network traffic to the operator by at least automatically selecting a partial subset of the combinations of the metadata parameters, and presenting, to the operator via the GUI, the network traffic filtered only in accordance with the selected partial subset.
  - 10. The apparatus according to claim 7, wherein the processor is configured to automatically generate the IDS rule by automatically generating a regular expression that matches the found combinations.
  - 11. The apparatus according to claim 7, wherein the processor is configured to verify a performance of an IDS rule in the IDS prior to configuring the IDS to apply the IDS rule to live network traffic.
  - 12. The apparatus according to claim 11, wherein the processor is configured to request an operator to modify the IDS rule in response to detecting that the performance of the IDS rule is insufficient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Altman, Yuval, Keren, Assaf Yosef
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US14/263,097
Publication Number

US 20140325653A1
Time in Patent Office

911 Days
Field of Search

726 21- 23, 713/194, 709/220
US Class Current

1/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

System and method for automated configuration of intrusion detection systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automated configuration of intrusion detection systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links