US-12627680-B2 - Managing and deploying custom intrusion detection system signature policies
Abstract
Methods and systems for deploying intrusion detection system (IDS) policies to IDS programs are disclosed. Each IDS instance can monitor a data feed (e.g., comprising computer network traffic) in accordance with a set of “signatures” or “rules” associated with its policy, and can issue alerts if any elements of that network traffic match those signatures or rules. An intrusion signature management module can receive IDS signatures from one or more signature sources and store those signatures in a filesystem. The intrusion signature management module can produce rule files based on these IDS signatures, e.g., containing subsets of the received IDS signatures. These rule files can be provided to a version control server, and can later be accessed by an orchestration module. The orchestration module can deploy these rule files to their respective IDS programs, enabling those IDS programs to monitor their respective data feeds in accordance with the rule files.
Inventors
- Christophe Leung
- Kyle Rabago-Banjo
- Grant Blankenship
Assignees
- VISA INTERNATIONAL SERVICE ASSOCIATION
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-10-20
Claims (20)
- 1. A method for managing a plurality of data feeds with a plurality of intrusion detection system programs using a computer system comprising an orchestration module and an intrusion signature management module, comprising: receiving, by the intrusion signature management module from one or more signature sources, a first plurality of intrusion detection signatures; creating, by the intrusion signature management module, a rule file comprising a second plurality of intrusion detection signatures and corresponding to a policy, wherein the second plurality of intrusion detection signatures are derived from the first plurality of intrusion detection signatures; providing, by the intrusion signature management module, to a version control server, the rule file; obtaining, by the orchestration module, the rule file from the version control server; and updating, by the orchestration module, an intrusion detection system program associated with a data feed with the rule file, wherein the intrusion detection system program is configured to monitor the data feed according to the policy corresponding to the rule file.
- 2. The method of claim 1, wherein the intrusion detection system program is configured to issue an alert if an element of data associated with the data feed matches an enabled intrusion detection signature of the second plurality of intrusion detection signatures.
- 3. The method of claim 2, wherein the policy defines, in association with each intrusion detection signature of the second plurality of intrusion detection signatures, a status flag, the policy thereby defining a plurality of status flags associated with the second plurality of intrusion detection signatures, wherein the intrusion detection system program is configured to evaluate whether an intrusion detection signature is enabled or disabled based on a corresponding status flag.
- 4. The method of claim 1, wherein: the plurality of intrusion detection system programs are configured to operate on one or more server computers, such that one or more intrusion detection system programs of the plurality of intrusion detection system programs operate on each server computer of the one or more server computers; and each intrusion detection system program of the plurality of intrusion detection system programs is configured to manage a corresponding data feed of the plurality of data feeds by evaluating a plurality of instances of network traffic associated with that data feed, wherein each instance of network traffic was either transmitted or received by a server computer operating the intrusion detection system program.
- 5. The method of claim 1, wherein the intrusion detection system program is a first intrusion detection system program, wherein the rule file is a first rule file, wherein the policy is a first policy, wherein the data feed is a first data feed, and wherein the method further comprises: creating, by the intrusion signature management module, a second rule file comprising a third plurality of intrusion detection signatures and corresponding to a second policy, wherein the third plurality of intrusion detection signatures are derived from the first plurality of intrusion detection signatures, wherein the second rule file is different from the first rule file; providing, by the intrusion signature management module, to the version control server, the second rule file; obtaining, by the orchestration module, the second rule file from the version control server; and updating, by the orchestration module, a second intrusion detection system program associated with a second data feed with the second rule file, wherein the second intrusion detection system program is configured to monitor the second data feed according to the second policy corresponding to the second rule file.
- 6. The method of claim 5, further comprising: generating, by the intrusion signature management module, a first target associated with the first rule file, wherein the first target comprises an identifier of the first intrusion detection system program; providing, by the intrusion signature management module, to the version control server, the first target; generating, by the intrusion signature management module, a second target associated with the second rule file, wherein the second target comprises an identifier of the second intrusion detection system program; providing, by the intrusion signature management module, to the version control server, the second target; and obtaining, by the orchestration module, the first target and the second target, wherein the orchestration module updates the first intrusion detection system program associated with the first data feed based on the first target and updates the second intrusion detection system program associated with the second data feed based on the second target.
- 7. The method of claim 1, wherein the intrusion detection system program is a first intrusion detection system program, wherein the rule file is a first rule file, wherein the policy is a first policy, wherein the data feed is a first data feed, and wherein the method further comprises: receiving, by the intrusion signature management module from the one or more signature sources, a fourth plurality of intrusion detection signatures; creating, by the intrusion signature management module, a third rule file comprising a fifth plurality of intrusion detection signatures and corresponding to a third policy, wherein the fifth plurality of intrusion detection signatures are derived from the fourth plurality of intrusion detection signatures, wherein the third rule file is different from the first rule file; providing, by the intrusion signature management module, to the version control server, the third rule file; obtaining, by the orchestration module, the third rule file from the version control server; and updating, by the orchestration module, a third intrusion detection system program associated with a third data feed with the third rule file, wherein the third intrusion detection system program is configured to monitor the third data feed according to the third policy corresponding to the third rule file.
- 8. The method of claim 1, wherein the one or more signature sources include one or more internal signature sources associated with the computer system and one or more external signature sources that are not associated with the computer system.
- 9. The method of claim 1, wherein the one or more signature sources include a user operating an application associated with the intrusion signature management module.
- 10. The method of claim 1, wherein the one or more signature sources include a filesystem associated with the intrusion signature management module and/or the version control server.
- 11. The method of claim 1, wherein the second plurality of intrusion detection signatures comprises the first plurality of intrusion detection signatures.
- 12. The method of claim 1, wherein the second plurality of intrusion detection signatures comprise a subset of the first plurality of intrusion detection signatures.
- 13. The method of claim 1, further comprising storing, by the intrusion signature management module, the first plurality of intrusion detection signatures, the second plurality of intrusion detection signatures, the rule file, and/or the policy in a filesystem associated with the intrusion signature management module.
- 14. The method of claim 13, further comprising indexing, by the intrusion signature management module, one or more intrusion detection signatures of the first plurality of intrusion detection signatures and/or the second plurality of intrusion detection signatures based on one or more signature identifiers, one or more names, one or more class types, one or more timestamps, one or more common vulnerability and exposure identifiers, one or more targets, and/or one or more address groups.
- 15. The method of claim 1, wherein the intrusion signature management module comprises an intrusion signature management computer, and wherein the orchestration module comprises an orchestration computer.
- 16. The method of claim 1, wherein receiving the first plurality of intrusion detection signatures by the intrusion signature management module from the one or more signature sources comprises: retrieving the first plurality of intrusion detection signatures from the version control server, wherein the version control server received the first plurality of intrusion detection signatures from the one or more signature sources.
- 17. The method of claim 1, wherein providing the rule file to the version control server by the intrusion signature management module comprises: storing the rule file in a filesystem associated with the intrusion signature management module, wherein the version control server is configured to retrieve the rule file from the filesystem.
- 18. The method of claim 1, wherein the rule file corresponds to an additional policy and wherein the intrusion detection system program is configured to monitor the data feed according to the additional policy in addition to the policy.
- 19. A method comprising: receiving, by a computer system, from one or more signature sources, a first plurality of intrusion detection signatures; creating, by the computer system, a rule file comprising a second plurality of intrusion detection signatures and corresponding to a policy, wherein the second plurality of intrusion detection signatures are derived from the first plurality of intrusion detection signatures; and providing, by the computer system, to a version control server, the rule file, wherein an orchestration module is configured to obtain the rule file from the version control server and update an intrusion detection system program associated with a data feed with the rule file, wherein the intrusion detection system program is configured to monitor the data feed according to the policy corresponding to the rule file.
- 20. A computer system comprising: a processor; and a non-transitory computer readable medium coupled to the processor, the non-transitory computer readable medium comprising code or instructions, executable by the processor for performing a method comprising: receiving a first plurality of intrusion detection signatures from one or more signature sources; creating a rule file comprising a second plurality of intrusion detection signatures and corresponding to a policy, wherein the second plurality of intrusion detection signatures are derived from the first plurality of intrusion detection signatures; and providing to a version control server, the rule file, wherein an orchestration module is configured to obtain the rule file from the version control server and update an intrusion detection system program associated with a data feed with the rule file, wherein the intrusion detection system program is configured to monitor the data feed according to the policy corresponding to the rule file.
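The pipeline of claims 1, 3 and 6 (signatures received from sources, a per-policy rule file carrying a status flag per signature, a target naming the IDS programs a rule file is deployed to, and an IDS program that alerts only on enabled signatures), modelled as an added Python example that is not the patent's own code. The version control server is an in-memory stand-in, and the signatures, policies, program identifiers and feed elements are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int        # signature identifier, the key a policy's status flags refer to
    name: str
    pattern: bytes  # constructed: bytes that must appear in a feed element to match


def build_rule_file(policy_flags, received):
    """Rule file for one policy (claims 1, 3, 12): the policy's subset of the
    received signatures, each paired with its enabled/disabled status flag."""
    by_sid = {s.sid: s for s in received}
    return [(by_sid[s], e) for s, e in sorted(policy_flags.items()) if s in by_sid]


class VersionControlStandIn:
    """In-memory stand-in for the version control server of the claims."""
    def __init__(self):
        self.files = {}
    def commit(self, path, content):
        self.files[path] = content
    def checkout(self, path):
        return self.files[path]


def orchestrate(vcs, targets):
    """Orchestration module (claim 6): a target names a rule file and the IDS
    program identifiers it applies to; returns ids_id -> deployed rule file."""
    return {ids_id: vcs.checkout(f"rules/{t['policy']}.rules")
            for t in targets for ids_id in t["ids_programs"]}


def evaluate(rule_file, element):
    """IDS program (claims 2, 3): alert on enabled signatures only."""
    return [s.name for s, enabled in rule_file if enabled and s.pattern in element]


def run_demo():
    # Constructed signatures, standing in for internal and external sources (claim 8).
    received = [Signature(1001, "oob-array-index", b"idx=999999"),
                Signature(1002, "banned-site", b"Host: banned.example"),
                Signature(1003, "trojan-download", b"GET /trojan.exe")]
    # The server policy carries the end-user signature disabled rather than
    # omitting it, so flipping the flag later needs no new rule file.
    policies = {"server": {1001: True, 1002: False, 1003: True},
                "endpoint": {1002: True, 1003: True}}
    vcs = VersionControlStandIn()
    for name, flags in policies.items():
        vcs.commit(f"rules/{name}.rules", build_rule_file(flags, received))
    targets = [{"policy": "server", "ids_programs": ["ids-srv-01", "ids-srv-02"]},
               {"policy": "endpoint", "ids_programs": ["ids-ep-01"]}]
    deployed = orchestrate(vcs, targets)
    # Constructed feed elements: one from a server feed, one from an end-user feed.
    server_elem = b"GET /api?idx=999999 HTTP/1.1\r\nHost: banned.example\r\n"
    user_elem = b"GET /trojan.exe HTTP/1.1\r\nHost: banned.example\r\n"
    return {"ids-srv-01": evaluate(deployed["ids-srv-01"], server_elem),
            "ids-srv-02": evaluate(deployed["ids-srv-02"], user_elem),
            "ids-ep-01": evaluate(deployed["ids-ep-01"], user_elem)}
```

The server-policy programs never raise the banned-site alert even when the pattern is present, which is the false-positive reduction the background section attributes to per-feed policies.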
Description
CROSS-REFERENCES TO RELATED APPLICATIONS
This application is a non-provisional and claims the benefit of U.S. Provisional Patent Application No. 63/419,114, entitled “MANAGING AND DEPLOYING CUSTOM INTRUSION DETECTION SYSTEM SIGNATURE POLICIES,” filed on Oct. 25, 2022, which is hereby incorporated by reference in its entirety for all purposes.
BACKGROUND
An Intrusion Detection System (IDS) can refer to a system and associated methods and software that can be used to detect “intrusions”, i.e., unauthorized access to computer systems or networks of computers. An instance of an IDS program (which may be referred to as an “IDS instance”) can run on a computer system (e.g., a server computer), and monitor network traffic involving that computer system. Such network traffic could include the transmission and receipt of data over a physical interface (such as an Ethernet port) on that computer system. The IDS program can attempt to identify elements of network traffic in its “data feed” (or “network feed”) that match predefined “signatures” of known malicious network traffic. Such malicious network traffic can comprise network traffic that relates to intrusion attempts, such as network traffic attempting to load a trojan or other malicious software onto a computer or network. Upon identifying network traffic matching a signature (or “rule”), the IDS program can issue an alert, e.g., to a security team, a log file, etc., which can enable mitigation and prevention of such intrusions.
A “signature” can comprise some data or characteristics of network traffic that enable identification or classification of that network traffic. As an example, some intrusion attempts involve attempting to steal data from a system by attempting an out-of-bounds array access. Such attacks may be characterized by an attempt to index an array at an unusually high value or set of values, and a signature can be based on network packet data that relates to such an out-of-bounds index attempt.
A “policy,” which can be defined by a “rule file,” can provide a list of signatures that an IDS program can use to evaluate network traffic. While an IDS is named for its use in detecting intrusions, an IDS can be used to evaluate any variety of communications or network traffic. For example, in addition to monitoring incoming network traffic (e.g., from a network such as the Internet to a local network or individual computer system), an IDS can also monitor outgoing network traffic, e.g., from a computer system in a network to a server on the Internet. An IDS could monitor such outgoing traffic for security reasons, such as determining if users are attempting to access websites that are known to host malware or other malicious software. Alternatively, an IDS could monitor such outgoing traffic for productivity reasons, such as determining if employees are attempting to access non-work-related websites using company computer systems.
IDS in large networks may involve deploying a large number of IDS programs to monitor network traffic. Some computer systems or servers in such a network may have multiple communication interfaces, and may therefore run multiple IDS instances to monitor network traffic on those interfaces, and such network traffic may vary considerably across different interfaces or computer systems. A conventional deployment method is to create a single master policy and deploy it to each IDS instance in the network, such that each IDS program is evaluating network traffic and comparing it against the same set of signatures. This conventional deployment method is often used because it is difficult to manage and deploy multiple policies to large numbers of IDS programs. Unfortunately, this conventional deployment method has some downsides. A single uniform policy may not be appropriate for all IDS programs in a network, due to different IDS programs receiving different network feeds. As an example, a signature designed to detect an end-user interaction (such as visiting a banned website) may not be relevant to an IDS program that monitors server-related network traffic, and is a potential source of false alerts. As a result, this conventional deployment method can result in a high false positive alert rate, limiting its usefulness. Embodiments address these and other problems, individually and collectively.
SUMMARY
Embodiments of the present disclosure are directed to methods and systems for managing and deploying custom intrusion detection signatures to IDS programs. As described above, conventional IDS deployment involves deploying a single uniform policy to multiple different IDS instances, in part due to the difficulty in managing and deploying multiple policies to multiple IDS instances. Embodiments, however, enable efficient management and deployment of different IDS policies and rule files to different IDS programs, enabling the management and use of IDS in large and complex networks. Some embodiments provide an application with an easy to use graphi