System and method for incorporating quality-of-service and reputation in an intrusion detection and prevention system

US 9,043,909 B2
Filed: 08/28/2013
Issued: 05/26/2015
Est. Priority Date: 11/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining by a firewall whether a first packet should be admitted to a protected network;

receiving at an intrusion prevention system of the protected network a first reputation score for the first packet based upon a first source of the first packet, wherein the firewall is different from the intrusion protection system, and wherein the first reputation score is provided from a database of the intrusion prevention system;

providing the first packet to a first one of a plurality of buffers of the intrusion prevention system, wherein each buffer is associated with a different range of reputation scores, and wherein the first reputation score for the first packet is within the range of reputation scores associated with the first buffer;

processing the first packet by a first one of a plurality of processing engines to determine if the first packet includes an exploit;

forwarding the first packet to the protected network when the first packet does not include the exploit;

determining by the firewall whether a second packet should be admitted to the protected network;

receiving at the intrusion prevention system a second reputation score for the second packet based upon a second source of the second packet; and

bypassing the buffers in response to the second reputation score being greater than a first threshold, and forwarding the second packet to the protected network without processing the second packet by any of the processing engines.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion prevention system includes a processor, processing engines, buffers that are associated with a different range of reputation scores, and a storage device having a database and an application. The processor executes the application to determine that a firewall has admitted a packet, determine a reputation score for the packet from the database, provide the packet to a buffer that has a reputation score range that includes the reputation score of the packet, provide the packet from the buffer to a processing engine, process the packet by in the processing engine to determine if the packet includes an exploit, and forward the packet to the protected network if the first packet does not include the exploit.

24 Citations

View as Search Results

17 Claims

1. A method comprising:
- determining by a firewall whether a first packet should be admitted to a protected network;
  
  receiving at an intrusion prevention system of the protected network a first reputation score for the first packet based upon a first source of the first packet, wherein the firewall is different from the intrusion protection system, and wherein the first reputation score is provided from a database of the intrusion prevention system;
  
  providing the first packet to a first one of a plurality of buffers of the intrusion prevention system, wherein each buffer is associated with a different range of reputation scores, and wherein the first reputation score for the first packet is within the range of reputation scores associated with the first buffer;
  
  processing the first packet by a first one of a plurality of processing engines to determine if the first packet includes an exploit;
  
  forwarding the first packet to the protected network when the first packet does not include the exploit;
  
  determining by the firewall whether a second packet should be admitted to the protected network;
  
  receiving at the intrusion prevention system a second reputation score for the second packet based upon a second source of the second packet; and
  
  bypassing the buffers in response to the second reputation score being greater than a first threshold, and forwarding the second packet to the protected network without processing the second packet by any of the processing engines.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - providing the first packet to the first buffer is in further response to determining that the first reputation score is less than the first threshold and greater than a second threshold; and
      
      the method further comprises dropping the first packet when the first reputation score is lower than the second threshold.
  - 3. The method of claim 1, further comprising:
    - determining by the firewall whether a third packet should be admitted to the protected network;
      
      receiving at the intrusion prevention system a third reputation score for the third packet based upon a third source of the third packet;
      
      providing the third packet to a second one of the buffers, wherein the third reputation score for the third packet is within the range of reputation scores associated with the second buffer;
      
      processing the third packet by a second one of the processing engines to determine if the third packet includes an exploit;
      
      forwarding the third packet to the protected network when the third packet does not include the exploit.
  - 4. The method of claim 3, wherein:
    - the first packet is provided to the first processing engine when a scheduler determines that the first processing system is a first available processing engine; and
      
      the third packet is provided to the second processing engine when the scheduler determines that the second processing system is a third available processing engine.
  - 5. The method of claim 3, wherein:
    - the first processing engine is associated with the first buffer; and
      
      the second processing engine is associated with the second buffer.
  - 6. The method of claim 5, wherein the first processing engine and the second processing engines provide different intrusion prevention processing.
  - 7. The method of claim 1, wherein the first reputation score is provided to the database from a reputation service.
  - 8. The method of claim 1, wherein:
    - each buffer is associated with a different range of quality of services of a plurality of quality of service; and
      
      providing the first packet to the first buffer is in further response to determining that the first packet has a first quality of service, wherein the first quality of service is within the range of quality of services associated with the first buffer.
  - 9. The method of claim 8, further comprising:
    - determining by the firewall whether a third packet should be admitted to the protected network;
      
      receiving at the intrusion prevention system a third reputation score for the third packet based upon a second source of the second packet;
      
      in response to determining that the third packet has a second quality of service, providing the third packet to a second one of the buffers, wherein the third packet is provided to the second buffer when the third reputation score is within the range of reputation scores associated with the second buffer and when the second quality of service is within the range of quality of services associated with the second buffer;
      
      providing the third packet to a third one of the processing engines;
      
      processing the third packet by the third processing engine to determine if the third packet includes the exploit; and
      
      forwarding the third packet to the protected network when the third packet does not include the exploit.

10. An intrusion prevention system comprising:
- a processor;
  
  a plurality of processing engines;
  
  a plurality of buffers, wherein each buffer is associated with a different range of reputation scores; and
  
  a storage device including;
  
  a database; and
  
  an application;
  
  wherein the processor is operable to execute the application to;
  
  determine that a firewall has admitted a first packet;
  
  determine a first reputation score for the first packet based upon a first source of the first packet, wherein the reputation score is received from the database;
  
  provide the first packet to a first one of the buffers when the first reputation score is within the range of reputation scores associated with the first buffer;
  
  process the first packet in the first processing engine to determine if the first packet includes an exploit;
  
  forward the first packet to the protected network when the first packet does not include the exploit;
  
  determine that the firewall has admitted a second packet;
  
  determine a second reputation score for the second packet based upon a second source of the second packet;
  
  bypass the buffers when the second reputation score is greater than a first threshold; and
  
  forward the second packet to the protected network without processing the second packet by any of the processing engines;
  
  wherein;
  
  providing the first packet to the first buffer is in further response to determining that the first reputation score is less than the first threshold and greater than a second threshold; and
  
  the processor is further operable to execute the application to drop the first packet when the first reputation score is lower than the second threshold.
- View Dependent Claims (11, 12, 13)
- - 11. The intrusion prevention system of claim 10, wherein the processor is further operable to execute the application to:
    - determine that the firewall has admitted a third packet to the protected network;
      
      determine a third reputation score for the third packet based upon a third source of the second packet;
      
      provide the third packet to a second one of the buffers when the third reputation score is within the range of reputation scores associated with the second buffer;
      
      process the third packet in the second processing engine to determine if the third packet includes the exploit; and
      
      forward the third packet to the protected network if the third packet does not include the exploit.
  - 12. The intrusion prevention system of claim 11, further comprising a scheduler, and wherein:
    - the first packet is provided to the first processing engine when the scheduler determines that the first processing system is a first available processing engine.
  - 13. The intrusion prevention system of claim 11, wherein:
    - the first processing engine is associated with the first buffer; and
      
      the second processing engine is associated with the second buffer.

14. A non-transitory computer readable medium including code for performing a method, the method comprising:
- determining by a firewall whether a first packet should be admitted to a protected network;
  
  receiving at an intrusion prevention system of the protected network a first reputation score for the first packet based upon a first source of the first packet, wherein the firewall is different from the intrusion protection system;
  
  providing the first packet to a first one of a plurality of buffers of the intrusion prevention system, wherein each buffer is associated with a different range of reputation scores, and wherein the first reputation score for the first packet is within the range of reputation scores associated with the first buffer;
  
  processing the first packet by a first one of a plurality of processing engines to determine if the first packet includes an exploit;
  
  forwarding the first packet to the protected network when the first packet does not include the exploit;
  
  determining by the firewall whether a second packet should be admitted to the protected network;
  
  receiving at the intrusion prevention system a second reputation score for the second packet based upon a second source of the second packet; and
  
  bypassing the buffers in response to the second reputation score being greater than a first threshold, and forwarding the second packet to the protected network without processing the second packet by any of the processing engines;
  
  wherein;
  
  each buffer is associated with a different range of quality of services of a plurality of quality of service; and
  
  providing the first packet to the first buffer is in further response to determining that the first packet has a first quality of service, wherein the first quality of service is within the range of quality of services associated with the first buffer.
- View Dependent Claims (15, 16, 17)
- - 15. The computer readable medium of claim 14, wherein:
    - providing the first packet to the first buffer is in further response to determining that the first reputation score is less than the first threshold and greater than a second threshold; and
      
      the method further comprises dropping the first packet when the first reputation score is lower than the second threshold.
  - 16. The computer readable medium of claim 14, the method further comprising:
    - determining by the firewall whether a third packet should be admitted to the protected network;
      
      receiving at the intrusion prevention system a third reputation score for the third packet based upon a third source of the third packet;
      
      providing the third packet to a second one of the buffers, wherein the third reputation score for the third packet is within the range of reputation scores associated with the second buffer;
      
      processing the third packet by a second one of the processing engines to determine if the third packet includes an exploit; and
      
      forwarding the third packet to the protected network when the third packet does not include the exploit.
  - 17. The computer readable medium of claim 14, the method further comprising:
    - determining by the firewall whether a third packet should be admitted to the protected network;
      
      receiving at the intrusion prevention system a third reputation score for the third packet based upon a second source of the second packet;
      
      in response to determining that the third packet has a second quality of service, providing the third packet to a second one of the buffers, wherein the third packet is provided to the second buffer when the third reputation score is within the range of reputation scores associated with the second buffer and when the second quality of service is within the range of quality of services associated with the second buffer;
      
      providing the third packet to a third one of the processing engines;
      
      processing the third packet by the third processing engine to determine if the third packet includes the exploit; and
      
      forwarding the third packet to the protected network when the third packet does not include the exploit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Thomas, Ashley
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US14/012,891
Publication Number

US 20140007217A1
Time in Patent Office

636 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 47/32   by discarding or delaying d...

H04L 47/522   Dynamic queue service slot ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/126   the source of the received ...

H04L 63/1441   Countermeasures against mal...

System and method for incorporating quality-of-service and reputation in an intrusion detection and prevention system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for incorporating quality-of-service and reputation in an intrusion detection and prevention system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links