公开(公告)号：US07996424B2

公开(公告)日：2011-08-09

申请号：US12010900

申请日：2008-01-31

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： G06F7/00 ,  G06F17/30

CPC分类号： G06F17/30985 ,  Y10S707/922 ,  Y10S707/99939

摘要： Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection system using the Aho-Corasick algorithm.

摘要翻译： 本发明的实施例涉及用于优化和减少模式匹配应用中的状态机算法的存储器需求的系统和方法。 入侵检测系统通过将状态表表示为三个独立的数据结构来减少Aho-Corasick算法的内存需求。 通过将带状行稀疏矩阵技术应用于状态表的状态转换表，也减少了Aho-Corasick算法的存储器要求。 通过执行不区分大小写的搜索来提高入侵检测系统的模式匹配性能，其中读取字符时将测试序列的字符转换为大写字母。 测试显示，具有16位元素的状态转换表优于具有32位元素的状态转换表，并且不会使用Aho-Corasick算法降低入侵检测系统的功能。

公开(公告)号：US07496962B2

公开(公告)日：2009-02-24

申请号：US10951796

申请日：2004-09-29

申请人： Daniel J. Roelker ,  Marc A. Norton

发明人： Daniel J. Roelker ,  Marc A. Norton

IPC分类号： G06F11/00

CPC分类号： H04L63/0227 ,  H04L63/1408

摘要： A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.

摘要翻译： 用于入侵检测系统（IDS）的超文本传输​​协议（HTTP）检查引擎包括HTTP策略选择组件，请求通用资源标识符（URI）发现组件和URI归一化模块。 HTTP策略选择组件使用数据包标识HTTP入侵检测策略。 请求URI发现组件定位数据包中的URI。 URI归一化模块解码URI内的模糊处理。 在另一个实施例中，在网络上发送的分组被截取。 数据包被解析。 识别分组的因特网协议（IP）地址。 确定网络设备的HTTP入侵检测策略。 URI位于数据包中。 将来自入侵检测系统规则的模式与定位的URI进行比较。 在另一个实施例中，IDS包括分组获取系统，网络和传输重组模块，HTTP检查引擎，检测引擎和日志记录系统。

公开(公告)号：US07305708B2

公开(公告)日：2007-12-04

申请号：US10793887

申请日：2004-03-08

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： H04L9/00 ,  G08B23/00 ,  G06F15/18

CPC分类号： H04L63/0227 ,  H04L63/14

摘要： Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.

摘要翻译： 通过增加规则优化，基于集合的规则检查和协议流分析，增强了入侵检测系统的性能。 在规则优化期间，创建和选择规则集，使得对于每个传入数据包，只能搜索单个规则集。 基于集合的规则检查将规则划分为内容和非内容类型规则。 最初仅将内容类型规则的搜索模式与数据包进行比较。 包含匹配搜索模式的规则通过针对分组的参数化搜索来验证。 比赛记录为事件。 使用参数化搜索针对分组搜索非内容规则。 这些比赛也被记录为一个事件。 每个数据包至少选择一个事件进行记录。 协议流分析确定网络流量的流向。 根据流程和协议的方向，可以从规则检查中消除数据包的部分。

公开(公告)号：US07756885B2

公开(公告)日：2010-07-13

申请号：US11785609

申请日：2007-04-19

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： G06F17/30

CPC分类号： G06F17/30985 ,  Y10S707/922 ,  Y10S707/99939

摘要： Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition table with sixteen bit elements outperform state transition table with thirty-two bit elements and do not reduce the functionality of intrusion detection systems using the Aho-Corasick algorithm.

摘要翻译： 本发明的实施例涉及用于在模式匹配应用中优化和减少状态机算法的存储器需求的系统和方法。 入侵检测系统通过将状态表表示为三个独立的数据结构来减少Aho-Corasick算法的内存需求。 通过将带状行稀疏矩阵技术应用于状态表的状态转换表，也减少了Aho-Corasick算法的存储器要求。 通过执行不区分大小写的搜索来提高入侵检测系统的模式匹配性能，其中读取字符时将测试序列的字符转换为大写字母。 测试显示，具有16位元素的状态转换表优于具有32位元素的状态转换表，并且不会使用Aho-Corasick算法降低入侵检测系统的功能。

公开(公告)号：US07539681B2

公开(公告)日：2009-05-26

申请号：US10898220

申请日：2004-07-26

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： G06F17/30 ,  G06F7/04

CPC分类号： G06F17/30985 ,  Y10S707/922 ,  Y10S707/99939

摘要： Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection systems using the Aho-Corasick algorithm.

摘要翻译： 本发明的实施例涉及用于优化和减少模式匹配应用中的状态机算法的存储器需求的系统和方法。 入侵检测系统通过将状态表表示为三个独立的数据结构来减少Aho-Corasick算法的内存需求。 通过将带状行稀疏矩阵技术应用于状态表的状态转换表，也减少了Aho-Corasick算法的存储器要求。 通过执行不区分大小写的搜索来提高入侵检测系统的模式匹配性能，其中读取字符时将测试序列的字符转换为大写字母。 测试显示，具有16位元素的状态转换表优于具有32位元素的状态转换表，并且不会使用Aho-Corasick算法降低入侵检测系统的功能。

公开(公告)号：US20080276316A1

公开(公告)日：2008-11-06

申请号：US10951796

申请日：2004-09-29

申请人： Daniel J. Roelker ,  Marc A. Norton

发明人： Daniel J. Roelker ,  Marc A. Norton

IPC分类号： G06F21/00

CPC分类号： H04L63/0227 ,  H04L63/1408

摘要： A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.

摘要翻译： 用于入侵检测系统（IDS）的超文本传输​​协议（HTTP）检查引擎包括HTTP策略选择组件，请求通用资源标识符（URI）发现组件和URI归一化模块。 HTTP策略选择组件使用数据包标识HTTP入侵检测策略。 请求URI发现组件定位数据包中的URI。 URI归一化模块解码URI内的模糊处理。 在另一个实施例中，在网络上发送的分组被截取。 数据包被解析。 识别分组的因特网协议（IP）地址。 确定网络设备的HTTP入侵检测策略。 URI位于数据包中。 将来自入侵检测系统规则的模式与定位的URI进行比较。 在另一个实施例中，IDS包括分组获取系统，网络和传输重组模块，HTTP检查引擎，检测引擎和日志记录系统。

公开(公告)号：US20080133523A1

公开(公告)日：2008-06-05

申请号：US12010900

申请日：2008-01-31

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： G06F7/06

CPC分类号： G06F17/30985 ,  Y10S707/922 ,  Y10S707/99939

摘要： Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection system using the Aho-Corasick algorithm.

摘要翻译： 本发明的实施例涉及用于优化和减少模式匹配应用中的状态机算法的存储器需求的系统和方法。 入侵检测系统通过将状态表表示为三个独立的数据结构来减少Aho-Corasick算法的内存需求。 通过将带状行稀疏矩阵技术应用于状态表的状态转换表，也减少了Aho-Corasick算法的存储器要求。 通过执行不区分大小写的搜索来提高入侵检测系统的模式匹配性能，其中读取字符时将测试序列的字符转换为大写字母。 测试显示，具有16位元素的状态转换表优于具有32位元素的状态转换表，并且不会使用Aho-Corasick算法降低入侵检测系统的功能。

公开(公告)号：US07313695B2

公开(公告)日：2007-12-25

申请号：US10806434

申请日：2004-03-23

申请人： Marc A. Norton ,  Daniel J. Roelker

发明人： Marc A. Norton ,  Daniel J. Roelker

IPC分类号： G06F9/00

CPC分类号： G06F21/577

摘要： The threat probability of events generated by a security device on a computer network is assessed by comparing the threat probability to a global threat probability. An abstract data type is used to describe how the events are combined to form a threat. If an event matches an unpopulated member of an instance of an abstract data type, the event is added to the instance and the probability of the instance is computed. If the probability of the instance is greater than a global threat probability, a dynamic threat assessment event is generated. A system for dynamically assessing threats to computers and computer networks system includes at least one security device that generates events, an event collection database, policy configuration information, and a dynamic threat assessment engine.

摘要翻译： 通过将威胁概率与全局威胁概率进行比较来评估安全设备在计算机网络上产生的事件的威胁概率。 抽象数据类型用于描述事件如何组合以形成威胁。 如果事件与抽象数据类型的实例的未填充成员相匹配，则将事件添加到实例，并计算实例的概率。 如果实例的概率大于全局威胁概率，则会生成动态威胁评估事件。 用于动态评估对计算机和计算机网络系统的威胁的系统包括至少一个生成事件的安全设备，事件收集数据库，策略配置信息和动态威胁评估引擎。