Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-01-15
2002-11-26
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S224000
Reexamination Certificate
active
06487666
ABSTRACT:
TECHNICAL FIELD OF THE INVENTION
This invention relates to computer networks, and more particularly to prevention of unauthorized access to a local network from computers external to the local network.
BACKGROUND OF THE INVENTION
Prevention of unauthorized access by outsiders to a computer network is a part of any network management program. This security problem has been complicated by recent trends in internetworking of a previously isolated private networks with value added networks, public networks (such as the internet), and with the networks of other enterprises.
Firewalls are one approach to preventing unauthorized access. Essentially, a firewall is a control layer inserted between an enterprise's network and the outside. It permits only some traffic to pass through. The firewall is configured by the administrator of the local network based on the enterprise's security policy. For example, the firewall may block traffic of a certain type, traffic from certain addresses, or traffic from all but a predetermined set of addresses.
Techniques used by network intruders for penetrating network system security have evolved in pace with sophisticated methods for detecting the intruders. Detection methods include software solutions, specifically, software intrusion detection systems, which continually monitor network traffic and look for known patterns of attack.
When an intrusion detection system detects inappropriate activity, it generates appropriate alarms and provides other responses while the attack is occurring. For example, the intrusion detection system might report the attack, log the attack, and terminate the misused connection.
One approach to intrusion detection relies on known patterns of unauthorized activity, referred to as “signatures”. These signatures are stored, and, in real time, compared to the packet flow incoming to the network. If a match is found, the incoming datastream is assumed to be misused.
Many existing intrusion detection systems are host-based rather than network based. A host-based system resides on a particular host computer and detects only attacks to that host. A network-based system is connected at some point on a local network and detects attacks across the entire local network.
As an example of network-based intrusion detection, one known pattern of unauthorized access is associated with “IP spoofing”, whereby an intruder sends messages to a computer with an IP address indicating that the message is from a trusted port. To engage in IP spoofing, the intruder must first use a variety of techniques to find an IP address of a trusted port and must then modify the packet headers so that it appears that the packets are coming from that port. This activity results in a signature that can be detected when matched to a previously stored signature of the same activity.
For signature indicated by a single packet, the detection process can be as simple as matching a binary string of an incoming packet to a stored binary string. However, for composite signatures, the detection process often requires the use of procedural code, involving loops, counts, comparisons and other processing mechanisms. For this reason, it necessary for a skilled programmer to write the signatures.
SUMMARY OF THE INVENTION
One aspect of the invention is a method of describing signatures used for detecting intrusion to a local network. The method combines features of both regular expression methodology and logical expression methodology. A set of regular expression identifiers is used to represent a set of “signature events”. A “signature event” may be a packet type, a sequence of packet types, or any one of a number of signature-related events, such as a count or a time period. Logical operators are used to describe relationships between the signature events, such as whether a count exceeds a certain value. For each signature, one or more of these identifiers and operators are combined to provide a regular expression describing that signature.
An advantage of the invention is that it provides an abstraction for describing intrusion signatures. The signatures are written in a descriptive language rather than in procedural computer code. Security technicians who work with local networks need not learn a programming language in order to describe signatures.
REFERENCES:
patent: 5032979 (1991-07-01), Hecht et al.
patent: 5101402 (1992-03-01), Chiu et al.
patent: 5278901 (1994-01-01), Shieh et al.
patent: 5414833 (1995-05-01), Hershey et al.
patent: 5448724 (1995-09-01), Hayashi
patent: 5488715 (1996-01-01), Wainwright
patent: 5524238 (1996-06-01), Miller et al.
patent: 5557742 (1996-09-01), Smaha et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5621889 (1997-04-01), Lermuzeaux et al.
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5793763 (1998-08-01), Mayes et al.
patent: 5796942 (1998-08-01), Esbensen
patent: 5798706 (1998-08-01), Kraemer et al.
patent: 5805801 (1998-09-01), Holloway et al.
patent: 5826014 (1998-10-01), Coley et al.
patent: 5919257 (1999-07-01), Trostle
patent: 5931946 (1999-08-01), Terada et al.
patent: 5991881 (1999-11-01), Conklin et al.
patent: 6016546 (2000-01-01), Kephart et al.
patent: 6088804 (2000-07-01), Hill et al.
patent: 6279113 (2001-08-01), Vaidya
patent: 6301668 (2001-10-01), Gleichauf et al.
patent: 6321338 (2001-11-01), Porras et al.
Stevens, W. Richard, “TCP/IP Illustrated”, 1994, Addison Wesley Longman Inc., vol. 1, p. 2,34,36.*
Bhattacharyya, “Needed: a net processor language”, Electronic Engineering Times, Aug. 28, 2000, p. 1-2.*
Shiratsuchi et al, “Studies on Intrusion Detection System Using Modular Neural Networks”, dialog search, 2002.*
“Efficient Attack Identification”, Business Wire, dialog search, Feb. 25, 2002.*
“Introduction to Algorithms,” by Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, Chap. 34, pp. 853-885, Copyright © 1990.
“Preliminary Report on Advanced Security Audit Trail Analysis on UNIX,” N. Habra et al., pp. 1-34 (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Sep. 1994.
“IDIOT-Users Guide,” M. Crosbie, et al., pp. 1-63, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Sep. 1996.
“An Introduction to Intrusion Detection,” A. Sundaram, pp. 1-10, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
“Use of A Taxonomy of Security Faults,” T. Aslam, et al., pp. 1-10, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Sep. 1996.
“Artificial Intelligence and Intrusion Detection: Current and Future Directions,” Jeremy Frank, pp. 1-12, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Jun. 1994.
“ASAX Conceptual Overview,” ASAX Brochure, A. Mounji, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
“GrlDS-A Graph Based Intrusion Detection System For Large Networks,” S. Staniford-Chen, et al., 10 pages, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
“A Pattern Matching Model For Misuse Intrusion Detection,” S. Kumar, et al., pp. 1-11, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
“An Application of Pattern Matching in Intrusion Detection”, S. Kumar, et al., pp. 1-55, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Jun. 1994.
“A Software Architecture to Support Misuse Intrusion Detection”, S. Kumar, et al., pp. 1-17, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Mar. 1995.
“Applying Genetic Programming to Intrusion Detection”, M. Crosbie, et al., pp. 1-8, (found at http://www.cs.purdue/coast/archive/data/categ24.html).
“Defending a Computer System Using Autonomous Agents”, M. Crosbie, et al., pp. 1-11, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html), Mar. 1994.
“Analysis Of An Algorithm For Distributed Recognition And Accountability”, C. Ko, et al., pp. 1-11, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
“A Standard Audit Trail Format”, Matt Bishop, 10 pages, (found at http://www.cs.purdue.edu/coast/archive/data/categ24.html).
Master Thesis entitled USTAT A Rea
Bernhard Thomas E.
Lathem Gerald S.
Shanklin Steven D.
LandOfFree
Intrusion detection signature analysis using regular... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Intrusion detection signature analysis using regular..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Intrusion detection signature analysis using regular... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2914662