Dynamic rule generation for an enterprise intrusion detection system

US 7,895,649 B1
Filed: 04/04/2003
Issued: 02/22/2011
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1. Non-transitory machine-accessible and readable media comprising software that, when executed by a computer, operates to:

receive a plurality of packet flows from a plurality of sensors at a plurality of ports between an external network and an internal network;

aggregate the plurality of packet flows into an aggregated packet flow;

dynamically process the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;

automatically generate a response message in response to the attack, the response message operable to identify or impede the attack; and

automatically communicate the response message to a response message file, the plurality of sensors operable to process packets received at the plurality of ports from the external network according to the response message file.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for dynamically generating rules for an enterprise intrusion detection system comprises receiving a packet flow from a sensor. The packet flow is dynamically processed to detect if the packet flow represents an attack on the enterprise system. A response message is automatically generated in response to the attack, the response message comprising a signature to identify the attack. The response message is automatically communicated to a response message file, the response message file comprising at least one response message.

296 Citations

30 Claims

1. Non-transitory machine-accessible and readable media comprising software that, when executed by a computer, operates to:
- receive a plurality of packet flows from a plurality of sensors at a plurality of ports between an external network and an internal network;
  
  aggregate the plurality of packet flows into an aggregated packet flow;
  
  dynamically process the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
  
  automatically generate a response message in response to the attack, the response message operable to identify or impede the attack; and
  
  automatically communicate the response message to a response message file, the plurality of sensors operable to process packets received at the plurality of ports from the external network according to the response message file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The non-transitory machine-accessible and readable media of claim 1, wherein the software is further operable when executed to communicate one or more processing messages to one or more of the plurality of sensors.
  - 3. The non-transitory machine-accessible and readable media of claim 2, the one or more processing messages to one or more of the plurality of sensors each consisting of one of the following:
    - an instruction to the sensor to poll the response message file;
      
      an instruction to the sensor to reset;
      
      an instruction to the sensor to shutdown;
      
      an instruction to the sensor to intercept one or more packets; and
      
      an instruction to the sensor to close an associated port.
  - 4. The non-transitory machine-accessible and readable media of claim 1, wherein the software is further operable when executed to associate a generation date to the response message, the generation date indicating a date of the automatic generation of the response message.
  - 5. The non-transitory machine-accessible and readable media of claim 4 wherein the software is further operable when executed to:
    - compare the generation date to an aging date, the aging date representing a past date that precedes a current date by a predetermined number of days; and
      
      in response to the generation date of the response message preceding the aging date, automatically remove the associated response message from the response message file.
  - 6. The non-transitory machine-accessible and readable media of claim 1, wherein the software is further operable when executed to:
    - compute a verification value for the generated response message; and
      
      associate the verification value with the generated response message.
  - 7. The non-transitory machine-accessible and readable media of claim 6, wherein the plurality of sensors are operable to verify the response message based, at least in part, on the verification value.
  - 8. The non-transitory machine-accessible and readable media of claim 1, wherein the software is further operable when executed to communicate the response message to each of a plurality of response message files, each response message file comprising at least one response message and being associated with at least one sensor.
  - 9. The non-transitory machine-accessible and readable media of claim 1, wherein the software is further operable when executed to detect if one or more packets in the plurality of packet flows is a stage of the attack, the attack comprising a plurality of stages.
  - 10. The non-transitory machine-accessible and readable media of claim 9, wherein the generated response message comprises a first response message, the first response message operable to identify or impede the detected stage of the attack, and the software is further operable when executed to:
    - automatically generate a second response message, the second response message operable to identify or impede later stages of the attack; and
      
      automatically communicate the second response message to the response message file.

11. A method comprising:
- receiving a plurality of packet flows from a plurality of sensors at a plurality of ports between an external network and an internal network;
  
  aggregating the plurality of packet flows into an aggregated packet flow;
  
  dynamically processing the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
  
  automatically generating a response message in response to the attack, the response message operable to identify or impede the attack; and
  
  automatically communicating the response message to a response message file, the plurality of sensors operable to process packets received at the plurality of ports from the external network according to the response message file.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 further comprising communicating one or more processing messages to one or more of the plurality of sensors.
  - 13. The method of claim 12, the one or more processing messages to one or more of the plurality of sensors each consisting of one of the following:
    - an instruction to the sensor to poll the response message file;
      
      an instruction to the sensor to reset;
      
      an instruction to the sensor to shutdown;
      
      an instruction to the sensor to intercept one or more packets; and
      
      an instruction to the sensor to close an associated port.
  - 14. The method of claim 11 further comprising associating a generation date to the response message, the generation date indicating a date of the automatic generation of the response message.
  - 15. The method of claim 14 further comprising:
    - comparing the generation date to an aging date, the aging date representing a past date that precedes a current date by a predetermined number of days; and
      
      in response to the generation date of the response message preceding the aging date, automatically removing the associated response message from the response message file.
  - 16. The method of claim 11 further comprising:
    - computing a verification value for the generated response message; and
      
      associating the verification value with the generated response message.
  - 17. The method of claim 16, wherein the plurality of sensors are operable to verify the response message based, at least in part, on the verification value.
  - 18. The method of claim 11 further comprising communicating the response message to each of a plurality of response message files, each response message file comprising at least one response message and being associated with at least one sensor.
  - 19. The method of claim 11, further comprising detecting if one or more packets in the plurality of packet flows is a stage of the attack, the attack comprising a plurality of stages.
  - 20. The method of claim 19, wherein the generated response message comprises a first response message, the first response message operable to identify or impede the detected stage of the attack and the method further comprising:
    - generating a second response message, the second response message operable to identify or impede later stages of the attack; and
      
      automatically communicating the second response message to the response message file.

21. A system comprising:
- a plurality of sensors operable to receive data from a plurality of ports between an external network and an internal network, the plurality of sensors operable to process the received data according to a response message file;
  
  the response message file;
  
  a manager server communicably connected to the plurality of sensors and to the response message file, the manager server operable to;
  
  receive a plurality of packet flows from the plurality of sensors;
  
  aggregate the plurality of packet flows into an aggregated packet flow;
  
  dynamically process the aggregated packet flow to detect if one or more packets in the plurality of packet flows represent an attack on the internal network;
  
  automatically generate a response message in response to the attack, the response message operable to identify or impede the attack; and
  
  automatically communicate the response message to the response message file.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, the manager server further operable to communicate one or more processing messages to one or more of the plurality of sensors.
  - 23. The system of claim 22, the one or more processing messages to one or more of the plurality sensors each consisting of one of the following:
    - an instruction to the sensor to poll the response message file;
      
      an instruction to the sensor to reset;
      
      an instruction to the sensor to shutdown;
      
      an instruction to the sensor to intercept one or more packets; and
      
      an instruction to the sensor to close an associated port.
  - 24. The system of claim 21, the manager server further operable to associate a generation date to the response message, the generation date indicating a date of the automatic generation of the response message.
  - 25. The system of claim 24, the manager server further operable to:
    - compare the generation date to an aging date, the aging date representing a past date that precedes a current date by a predetermined number of days; and
      
      in response to the generation date of the response message preceding the aging date, automatically remove the associated response message from the response message file.
  - 26. The system of claim 21, the manager server further operable to:
    - compute a verification value for the generated response message; and
      
      associate the verification value with the generated response message.
  - 27. The system of claim 26, the plurality of sensors further operable to verify the response message based, at least in part, on the verification value.
  - 28. The system of claim 21, wherein:
    - the response message file comprises one of a plurality of response message files, each response message file being associated with at least one sensor; and
      
      the manager server is further operable to communicate the response message to each of at least a subset of the plurality of response message files.
  - 29. The system of claim 21, wherein the manager server is further operable to detect if one or more packets in the plurality of packet flows is a stage of the attack, the attack comprising a plurality of stages.
  - 30. The system of claim 29, wherein the generated response message comprises a first response message, the first response message operable to identify or impede the detected stage of the attack and the manager server further operable to:
    - automatically generate a second response message, the second response message operable to identify or impede at least one of the later stages of the attack; and
      
      automatically communicate the second response message to the response message file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean, Rixon, Matthew C., Brook, Jon-Michael C., Brooks, Randall S.
Primary Examiner(s)
ZIA, SYED

Application Number

US10/407,700
Time in Patent Office

2,881 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Dynamic rule generation for an enterprise intrusion detection system

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

296 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Dynamic rule generation for an enterprise intrusion detection system

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

296 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others