Detecting public network attacks using signatures and fast content analysis
Abstract
Detecting attacks against computer systems by automatically detecting signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages, and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the amount of resources which are necessary to establish the commonalities. In an embodiment, signatures are created based on the data reduction hash technique. Frequent signatures are found by reducing the signatures using that hash technique. Each of the frequent signatures is analyzed for content, and content which is spreading is flagged as being a possible attack. Additional checks can also be carried out to look for code within the signal, to look for spam, backdoors, or program code.
47 Citations
50 Claims
1. A machine-implemented method for automatically identifying new signatures to use in identifying a previously unknown intrusive network attack, comprising:
- obtaining a collection of data items to be analyzed to identify the network attack, wherein said data items are parts of messages that were sent over a data network;
- reducing said data items in said collection to reduce said data collection to a reduced data collection of reduced data items, wherein the reduced data items in the reduced data collection have a smaller size and a constant predetermined relation with data items in the data collection and at least some of the data items in the data collection that differ are reduced to the same reduced data item;
- analyzing a plurality of said reduced data items to detect common elements in the plurality of said reduced data items, said analyzing identifying common content indicative of the previously unknown network attack; and
- sending the common content to one or more of a signature blocker and a signature manager for use as a new signature in identifying the previously unknown intrusive network attack.
Dependent claims 2 to 36 (not shown).
37. A machine-implemented method for automatically identifying new signatures to use in identifying a previously unknown intrusive network attack, comprising:
- monitoring network content on a network and obtaining at least portions of the data on said network;
- data reducing said portions of the data using a data reduction function which reduces said portions of the data to reduced data portions in a repeatable manner such that each portion which has the same content is reduced to the same reduced data portion and at least some of the portions that differ are reduced to the same reduced data portion;
- analyzing said reduced data portions to find network content which repeats a specified number of times in order to establish said network content which repeats said specified number of times as frequent content;
- identifying address information of said frequent content, wherein the address information includes at least one of source information or destination information that characterizes the respective of sources and/or destinations of said frequent content, and determining if a number of sources and/or destinations of said frequent content is increasing;
- identifying the frequent content as associated with the previously unknown network attack based on said identifying and determining; and
- sending the frequent content to one or more of a signature blocker and a signature manager.
Dependent claims 38 to 48 (not shown).
49. A machine-implemented method for automatically identifying new signatures to use in identifying a previously unknown intrusive network attack, comprising:
- obtaining a collection of data items to be analyzed to identify the previously unknown network attack;
- reducing said data items in said collection to reduce said data collection to a reduced data collection of reduced data items, wherein the reduced data items in the reduced data collection have a smaller size and a constant predetermined relation with data items in the data collection and at least some of the data items in the data collection that differ are reduced to the same reduced data item;
- analyzing a plurality of said reduced data items to determine frequently occurring sections of message information indicative of a network attack;
- carrying out an additional test on said frequently occurring sections of message information, comprising:
  - maintaining a first list of unassigned addresses, wherein the unassigned addresses are maintained as reduced addresses that have a smaller size and a constant predetermined relation with the unassigned addresses and at least some of the unassigned addresses that differ are reduced to the same reduced address,
  - forming a second list of source addresses that have sent to the unassigned addresses on said first list, wherein the source addresses are maintained as reduced addresses that have a smaller size and a constant predetermined relation with the source addresses and at least some of the source addresses that differ are reduced to the same reduced address, and
  - comparing a current source of a frequently occurring section to said second list; and
- based on the additional test, sending some of the frequently occurring sections to one or more of a signature blocker and a signature manager.
50. A machine-implemented method for automatically identifying new signatures to use in identifying a previously unknown intrusive network attack, comprising:
- obtaining a collection of data items to be analyzed to identify the network attack, wherein said data items comprise a first subset of a network packet including payload and header;
- reducing said data items in said collection to reduce said data collection to a reduced data collection of reduced data items, wherein the reduced data items in the reduced data collection have a smaller size and a constant predetermined relation with data items in the data collection and at least some of the data items in the data collection that differ are reduced to the same reduced data item;
- analyzing a plurality of said reduced data items to detect common elements, said analyzing reviewing for common content indicative of a network attack;
- obtaining a second subset of the same network packet for subsequent analysis; and
- based on the subsequent analysis, sending some of the common content to one or more of a signature blocker and a signature manager.
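The pipeline that claims 1, 37 and 49 describe, as an added illustration (my code, not the patent's own embodiment): fixed-size chunks of each payload are reduced with a hash, frequent reduced chunks are tracked together with their reduced source addresses, the sender set is checked for growth between checks, and claim 49's unassigned-address test is applied before the raw chunk is handed on as a candidate signature. The chunk size, threshold, addresses and traffic are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

WINDOW = 16         # bytes per content chunk (assumed; the claims fix no size)
FREQ_THRESHOLD = 3  # occurrences before a reduced chunk counts as "frequent"

def reduce_item(data: bytes) -> int:
    """Data reduction: equal inputs reduce equally, distinct ones may collide."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

class SignatureFinder:
    def __init__(self, unassigned_addrs):
        self.count = defaultdict(int)    # reduced chunk -> occurrences
        self.sample = {}                 # reduced chunk -> raw copy (candidate signature)
        self.sources = defaultdict(set)  # reduced chunk -> reduced source addresses
        self.prev_spread = {}            # reduced chunk -> source count at last check
        # claim 49's two lists, both kept reduced: unassigned addresses and their senders
        self.unassigned = {reduce_item(a.encode()) for a in unassigned_addrs}
        self.probers = set()

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        rs, rd = reduce_item(src.encode()), reduce_item(dst.encode())
        if rd in self.unassigned:
            self.probers.add(rs)
        for i in range(max(1, len(payload) - WINDOW + 1)):  # sliding chunks
            c = payload[i:i + WINDOW]
            h = reduce_item(c)
            self.count[h] += 1
            self.sample.setdefault(h, c)
            self.sources[h].add(rs)

    def new_signatures(self) -> list:
        """Frequent chunks with a growing sender set whose senders also probed unassigned addresses."""
        found = []
        for h, n in self.count.items():
            if n < FREQ_THRESHOLD:
                continue
            spread = len(self.sources[h])
            growing = spread > self.prev_spread.get(h, 0)
            self.prev_spread[h] = spread
            if growing and self.sources[h] & self.probers:
                found.append(self.sample[h])
        return found

def demo() -> list:
    """Constructed traffic: one payload hopping host to host (probing unassigned addresses on the way), one popular benign request."""
    det = SignatureFinder(["10.0.9.1", "10.0.9.2"])
    hops = [("10.0.1.5", "10.0.9.1"), ("10.0.1.5", "10.0.2.7"), ("10.0.2.7", "10.0.9.2"),
            ("10.0.2.7", "10.0.3.3"), ("10.0.3.3", "10.0.4.4")]
    for src, dst in hops:
        det.observe(src, dst, b"GET /cgi-bin/EXPLOIT-PAYLOAD-AAAA HTTP/1.0")
    for src in ["10.0.5.1", "10.0.5.2", "10.0.5.3", "10.0.5.4"]:
        det.observe(src, "10.0.8.80", b"GET /index.html HTTP/1.0")
    return det.new_signatures()
```

The benign request is frequent and comes from several sources, but none of those sources sent to an unassigned address, so only chunks of the spreading payload are reported; a sliding window reports every overlapping chunk, which a signature manager would then merge.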
Specification