Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-06-04
2001-08-21
Beausoleil, Robert (Department: 2184)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S154000, C709S229000
Reexamination Certificate
active
06279113
ABSTRACT:
TECHNICAL FIELD
The present invention relates generally to a method and system for providing security on a communication system and, more particularly, the invention relates to detecting intrusion attempts into system resources by monitoring for attack signatures.
DESCRIPTION OF THE RELATED ART
Computer networks enable multiple communication devices such as computers, fax machines, and modems to communicate with each other. In systems which employ a client-server computing model, server devices can generally be viewed as being a service provider and client devices are consumers of the services. Instead of each device on a network being self-sufficient, resources are contained in servers, which extend capabilities throughout the network. Client devices access the resources necessary to perform functions from the servers. For instance, a user might use a client application to obtain a compound document, perhaps an annual sales report containing spread sheet graphs and explanatory text, where part of the document is located on a first server (the text) and another part is located on a second server (the graphs).
Although the client-server system can provide an efficient means for managing resources of a computer system, significant security issues arise regarding control of access to sensitive material stored on the servers. Large corporate networks often include servers storing sensitive material, access to which must be closely regulated. Often the set of client objects which are permitted access to a particular server application will change over time. A significant need remains for a security system which regulates access to certain objects on a computer system and which provides the flexibility to allow for the changing requirements of security of the system.
U.S. Pat. No. 5,720,033 to Deo describes a security platform for networked processors which limits access to system resources by implementing a rules based system for types of access of security interests to one or more served application programs. The platform provides rule sets, each of which associates an access type with a subject. An example of a subject is a particular user. Optionally, the rule sets also associate an access type with a set of objects, which are specific system resources to which access is sought. Access demands made by a particular served application are compared to the rule sets to determine whether the access demanded is permissible. The platform permits access by a subject to an object if a rule is found for (a) the access type or (b) an access class to which the access type belongs which defines access between (A) either (i) the subject or (ii) a superclass to which the subject belongs and (B) either (i) the object or (ii) the superclass to which the object belongs.
Although the security platform described above provides a partial solution to the network security problem by enabling detection of unauthorized access attempts which are based in the application layer of the OSI model, the security platform is unable to detect network intrusions based in lower levels of the OSI model. The security platform might be unable to detect an attempt to deliver a malicious data packet capable of causing a malfunction in a network object upon delivery because the security platform regulates access to a network object based on the identity of a subject. Consequently, a subject which is authorized to access a network object can deliver a malicious packet to that network object without being detected. The security platform described above is designed for access control to an object residing on a particular UNIX server. However, the platform is ineffective for detection of network security breaches unrelated to access control, such as transmission of malicious data packets.
U.S. Pat. No. 5,727,146 to Savoldi et al. describes a source address security system for both training and non-training objects, wherein network access to a port is secured by monitoring the source address of packets that are sent as a device attempts to transmit to the port over the network. If the source address of a packet matches an authorized source address assigned to the port, then the device is permitted to access the network. The source address security system requires that the address of all devices authorized to access a network be known so that the source address of a device which has transmitted a particular packet can be compared to source addresses of all authorized devices to determine if the device in question is permitted to access the network. Only if the source address of a device is known to the security system will the device be allowed to access the network.
A static signature database intrusion detection system (IDS) overcomes some of the above described limitations by providing a static signature database engine which includes a set of attack signature processing functions, each of which is configured to detect a specific intrusion type. Each attack signature is descriptive of a pattern which constitutes a known security violation. The system monitors network traffic by sequentially executing every processing function of a database engine for each data packet received over a network. Each processing function of the database engine is integrally associated with a corresponding attack signature making it problematic to incorporate new attack signatures into an existing static signature database. An entirely new database engine must be constructed in order to incorporate a new attack signature. This limitation also results in the built-in IDS not being able to allow addition and customization of new signatures. Furthermore, a built-in database IDS suffers from performance loss due to the sequential execution of every processing function for each packet received over the network. The IDS performance degrades further as more signatures are added to the database engine because of the resulting delay caused by the sequential processing by the static database engine.
What is needed is a network intrusion detection system which provides efficient extensibility to include newly discovered network attack signatures and which allows modifications to recognize new attack signatures without substantially affecting performance of the network intrusion detection.
SUMMARY OF THE INVENTION
A dynamic signature inspection-based network intrusion detection system and method include a processor which is configured such that it is mutually independent from configuring storage of attack signature profiles. In a preferred embodiment, the processor may be implemented either as a virtual processor in software or as an actual hardware processor. The mutual independence of the processor from the attack signature profiles allows additional attack signature profiles to be integrated into the intrusion detection system without requiring any corresponding modification of the processor. The mutual independence of the processor from the attack signature profiles also enables the system to allocate processing requirements of network monitoring for attack signatures among various sites on the network according to a distribution of network objects in order to maintain high performance of the dynamic signature inspection-based network IDS.
The dynamic signature-based network IDS includes multiple attack signature profiles which are each descriptive of identifiable characteristics associated with particular network intrusion attempts associated with network objects located on the network. Network intrusion attempts include unauthorized attempts to access network objects, unauthorized manipulation of network data, including data transport, alteration or deletion, and attempted delivery of malicious data packets capable of causing a malfunction of a network object. The attack signature profiles can include generic attack and/or customized attack signature profiles for particular network objects on the network. Customized attack signature profiles can be added to a set of generic attack signature profiles without having to modify the processor, thereby fac
Baderman Scott
Beausoleil Robert
Internet Tools, Inc.
Luce Forward Hamilton & Scripps LLP
LandOfFree
Dynamic signature inspection-based network intrusion detection does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Dynamic signature inspection-based network intrusion detection, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Dynamic signature inspection-based network intrusion detection will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2537175