Field
Embodiments of the present invention generally relate to Intrusion Prevention Systems (IPS). In particular, embodiments of the present invention relate to filtering of metadata signatures for pattern matching in high performance IPS.
Description of the Related Art
Electronic communication over a network or over a series of networks is a critical enabling technology for a diverse range of commercial and social interactions. Recent rapid expansion of the Internet has triggered widespread use of applications that offer services such as sending and receiving electronic messages, querying large online information databases, and distribution of software, music and video. As more systems are connected to these networks and more services are utilized, the amount of traffic being carried on the networks increases. Furthermore, once connected to a network, a system is vulnerable to malicious attacks from other connected systems.
Network intrusion detection systems (IDS) aim to analyze packets in a network, detect malicious packets and inform other systems or users of the detections. Network intrusion prevention systems (IPS), on the other hand, aim to analyze packets in a network, detect malicious packets, inform other systems or users of the detections and, in addition, remove all malicious packets from the network. Potentially malicious attacks are detected within IDS and IPS systems by matching network traffic to IDS/IPS rules/signatures. To ensure that systems are protected against all previously encountered malicious attacks, signatures that detect newly discovered attacks are always appended to the previous set of signatures, wherein each signature includes one or more patterns against which the incoming packets are matched.
Modern IPS includes a signature database that stores thousands of signatures that are used for intrusion detection/prevention. Such a signature database can include rules describing packet characteristics, derived properties, signature patterns, relationships between the characteristics and signature patterns, and relationships between rules. Exemplary packet characteristics can include packet headers, protocol identifiers and traffic flow identifiers or properties. Derived properties may include calculated cyclic redundancy check (CRC) values, destination routes, and the like. Existing signature databases are growing extremely fast as more and more security holes and attacks are being discovered on a daily basis, and new IPS signatures are being added to these databases. In implementation, IPS refers to one or more signature databases in order to detect and prevent network intrusions dynamically as they occur or to conduct post-mortem analysis after an intrusion has occurred. A typical dynamic network IPS can include a monitoring component that is able to capture network packets as the packets pass through the IPS, an inference component for determining whether the captured traffic is representative of malicious activity by finding a match in the signature database, and a response component configured to react appropriately to the detection of an intrusion. Typical responses may include generation and transmission of a simple e-mail message to a system administrator, or an automatic corrective action, for instance temporarily blocking traffic flowing from an offender's Internet protocol (IP) address.
Conventional IPS technology can incorporate a variety of methodologies for determining whether malicious activity has occurred or is occurring. Prior art solutions include different detection methodologies for intrusion detection, for instance, simple pattern matching, stateful pattern matching, protocol decode based matching, heuristic-based matching, among others. Pattern matching is considered to be the most primitive of the detection methodologies employed in a typical IPS, and is based on inspecting traffic to identify a fixed sequence of bytes in a single packet. The fixed sequence of bytes, referred to in the art as a “signature”, when identified within inspected traffic, can trigger an alarm. Typical patterns used by an IPS can broadly be classified as fixed-string patterns such as “ABC” at any location, regular expression based patterns (also referred to as Perl Compatible Regular Expressions (PCREs)) such as “[0-9][A-Z]{3}”, and metadata patterns such as “Destination Port=443”.
In metadata based pattern matching, IPS detects intrusion based on metadata information/attributes available in a data packet, wherein the metadata attributes can include meaningful information or parameters extracted or derived from a data packet header. Such metadata may consist of, for instance, one or a combination of source or destination ports, packet size, sequence number, source or destination IP address, special service types or protocols, Transmission Control Protocol (TCP) flags or other fields from TCP, User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) packet headers. Most existing IPS are focused on filtering and pre-matching of fixed-string patterns and limited types of regular expression patterns. While there are many known filtering algorithms for fixed-string patterns, very few exist for metadata signatures and those employing traditional protocol/service/flow based sensor trees are inefficient.
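As an added illustration (not part of the patent text), the following Python sketch shows the kind of metadata-signature pre-filter the passage contrasts with linear matching: signatures are indexed by their exact-match header conditions so that a packet's metadata attributes are looked up rather than compared against every signature in turn. The signature set, attribute names and packet fields are constructed for the example.

```python
from collections import defaultdict

# Constructed signatures (not from the patent): each maps metadata attribute
# names to required values. "min_size"/"max_size" are range conditions on the
# packet length; every other key is an exact-match condition on a header field.
SIGNATURES = {
    "sig-1": {"proto": "tcp", "dst_port": 443},
    "sig-2": {"proto": "tcp", "dst_port": 80, "tcp_flags": "S"},
    "sig-3": {"proto": "udp", "dst_port": 53, "min_size": 513},
    "sig-4": {"proto": "icmp"},
}
RANGE_KEYS = ("min_size", "max_size")


def build_index(signatures):
    """Map each exact-match (attr, value) condition to the signature ids using
    it, and record how many exact-match conditions each signature carries."""
    index = defaultdict(set)
    needed = {}
    for sid, conds in signatures.items():
        exact = {k: v for k, v in conds.items() if k not in RANGE_KEYS}
        needed[sid] = len(exact)
        for attr, value in exact.items():
            index[(attr, value)].add(sid)
    return index, needed


def match_packet(meta, signatures, index, needed):
    """Return ids of signatures whose metadata conditions the packet meets.

    A signature is a candidate only when the packet hits all of its exact-match
    conditions; range checks then run on candidates alone, so most signatures
    are never evaluated against most packets."""
    # Signatures with no exact-match conditions must always be candidates.
    hits = {sid: 0 for sid, n in needed.items() if n == 0}
    for attr, value in meta.items():
        for sid in index.get((attr, value), ()):
            hits[sid] = hits.get(sid, 0) + 1
    size = meta.get("size", 0)
    matched = []
    for sid, count in hits.items():
        if count != needed[sid]:
            continue  # at least one exact-match condition failed
        conds = signatures[sid]
        if size < conds.get("min_size", 0) or size > conds.get("max_size", size):
            continue  # range condition failed
        matched.append(sid)
    return sorted(matched)
```

The counting step is what makes the filter cheap: a packet with a handful of header attributes touches only the index buckets for those attributes, whatever the size of the signature database.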
Therefore, there exists a need for systems and methods for filtering of metadata signatures for pattern matching in high performance IPS.