
Method for Flow Control within a Server/Client Intrusion Detection Infrastructure

IP.com Disclosure Number: IPCOM000015218D
Original Publication Date: 2002-Jan-28
Included in the Prior Art Database: 2003-Jun-20
Document File: 3 page(s) / 49K

Publishing Venue

IBM

Abstract

Intrusion detection systems, which monitor internet and intranet systems, provide a real-time notification if an attack is detected. The majority of these systems are client/server based with multiple clients per server. The clients are the detection points that funnel the results of the observation back to the server, which correlates the results. In a large attack, two problems can occur when the client or set of clients sends a significant volume of attack alert messages to the server:

   1. The server is overwhelmed, causing the intrusion detection tool itself to fail during an attack.
   2. Significant alert messages are missed, either because the server is overwhelmed or because processing time increases with the volume of alert messages that need to be processed.

Disclosed is a method that dynamically limits the volume of messages to the server in a predetermined way, by the addition, in each client, of a system that classifies messages which are sent to the correlation point into egress queues. Once classified, various methods can be used to empty the queues. This disclosure identifies a method in which the egress queues are serviced in a leaky bucket fashion to provide a user controllable maximum egress rate with user controlled policing of the flow-by-flow type classification during periods of significant or highly variable traffic. The system operator or the central correlation system sets the maximum desired egress flow rate out of the intrusion detection client so as not to "overrun" the central correlation system. The operator of the system determines the distribution of service across all egress queues. An example queue service embodiment is shown in the following figure and can be described as: service an egress queue based on an assigned fraction of service for that queue. The assigned fraction of service is the proportion of total allowable service or capacity that the user desires to be devoted to a particular queue.

In the following figure, Y is the least common denominator of the fractions of service. As an example, if Q.1 was assigned a maximum of 1/2 of the total possible output flow, Q.2 was assigned a maximum of 1/3 of the total possible output flow, and Q.3 was assigned a maximum of 1/6 of the total possible output flow, then Y = 6 (the LCD of {1/2, 1/3, 1/6}). N is the number of egress queues, and Q.x is the xth egress queue. The egress queue service rates (the rate at which alerts are removed from the queue and sent out of the client to the central correlation system) are set by the intrusion detection system flow control function. This rate is characterized in this writing as a transmit opportunity, TO, which is the point in time at which the next alert can be transmitted such that the rate of transmission does not exceed the maximum desired transmission rate: TO = 1 / maximum_desired_transmission_rate. For example, if the maximum desired transmission rate is 100 alerts per second, TO = 0.01 seconds. The fraction of service for a queue is the fraction of the total maximum desired transmission rate from the intrusion detection system that is desired for the queue.
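The following Python simulation is an added example, not code from the IBM disclosure. It implements the queue service scheme described above: fractions of service are expanded into a frame of Y transmit slots (Y being the least common denominator), the transmit opportunity is TO = 1 / maximum desired rate, and each opportunity is handed to the queue that owns that slot. Everything beyond what the text states is an assumption and is marked as such in the code: queues are bounded and tail-drop when full; an opportunity whose owning queue is empty is forfeited rather than lent to another queue (strict flow-by-flow policing); slots are interleaved with a credit counter so a queue's share is spread across the frame; and classification of an alert into a queue is done by the caller. All class and function names are hypothetical, and the burst scenario is constructed.

```python
"""Per-queue leaky-bucket egress scheduler for an IDS client (illustrative, added example)."""
from collections import deque
from fractions import Fraction
from functools import reduce
from math import lcm


class EgressQueue:
    """One egress queue Q.x holding classified alerts before transmission."""

    def __init__(self, name, fraction, capacity):
        self.name = name
        self.fraction = Fraction(fraction)   # assigned fraction of total service
        self.capacity = capacity             # assumption: bounded queue, tail-drop when full
        self.items = deque()
        self.dropped = 0
        self.sent = 0

    def enqueue(self, alert):
        if len(self.items) >= self.capacity:
            self.dropped += 1
            return False
        self.items.append(alert)
        return True


def build_service_frame(fractions):
    """Expand fractions of service into a frame of Y transmit slots.

    Y is the least common denominator of the fractions; slot k names the queue
    index that owns transmit opportunity k (None = no queue owns it, which only
    happens when the fractions sum to less than 1).  Slots are interleaved with
    a credit counter (assumption) so a share is spread across the frame.
    """
    fracs = [Fraction(f) for f in fractions]
    if sum(fracs) > 1:
        raise ValueError("fractions of service exceed total capacity")
    y = reduce(lcm, (f.denominator for f in fracs), 1)
    credits = [Fraction(0)] * len(fracs)
    slots = []
    for _ in range(y):
        credits = [c + f for c, f in zip(credits, fracs)]
        i = max(range(len(fracs)), key=lambda k: credits[k])
        if credits[i] <= 0:          # nobody has earned this slot
            slots.append(None)
            continue
        credits[i] -= 1
        slots.append(i)
    return y, slots


class FlowControlledClient:
    """IDS client whose egress toward the central correlation server is rate-limited."""

    def __init__(self, max_rate_per_sec, queue_specs):
        self.to = Fraction(1, max_rate_per_sec)       # TO = 1 / maximum desired rate
        self.queues = [EgressQueue(n, f, c) for n, f, c in queue_specs]
        self.by_name = {q.name: q for q in self.queues}
        self.y, self.frame = build_service_frame([q.fraction for q in self.queues])
        self.forfeited = 0   # opportunities whose owning queue had nothing to send

    def classify(self, queue_name, alert):
        """Classification step: the caller has already mapped the alert to a queue (assumption)."""
        return self.by_name[queue_name].enqueue(alert)

    def run(self, seconds):
        """Service the queues for `seconds`; returns the transmitted (time, alert) list."""
        transmitted = []
        opportunities = int(Fraction(seconds) / self.to)
        for k in range(opportunities):
            owner = self.frame[k % self.y]
            if owner is None or not self.queues[owner].items:
                self.forfeited += 1      # assumption: strict per-flow policing, no borrowing
                continue
            q = self.queues[owner]
            transmitted.append((float(k * self.to), q.items.popleft()))
            q.sent += 1
        return transmitted

    def summary(self):
        return {q.name: {"sent": q.sent, "dropped": q.dropped, "queued": len(q.items)}
                for q in self.queues}


def simulate_burst(alerts_per_queue, max_rate=100, seconds=1.0):
    """Constructed scenario: a burst lands on the queues at t=0, then `seconds` of service."""
    client = FlowControlledClient(
        max_rate, [("Q.1", "1/2", 200), ("Q.2", "1/3", 200), ("Q.3", "1/6", 200)])
    for name, n in alerts_per_queue.items():
        for i in range(n):
            client.classify(name, f"{name}-alert-{i}")
    sent = client.run(seconds)
    return client, sent


if __name__ == "__main__":
    client, sent = simulate_burst({"Q.1": 1000, "Q.2": 1000, "Q.3": 50})
    print("Y =", client.y, "frame =", client.frame, "TO =", float(client.to), "s")
    print(len(sent), "alerts sent in 1 s;", client.forfeited, "opportunities forfeited")
    print(client.summary())
```

With the page's figures (1/2, 1/3, 1/6 and 100 alerts per second) the frame is six slots long, TO is 0.01 s, and a one-second burst of thousands of alerts leaves the client at exactly 100 messages sent, split 50/33/17 across Q.1, Q.2 and Q.3. The excess is absorbed as queue drops inside the client rather than as load on the correlation server, which is the failure the disclosure sets out to avoid. The strict-policing assumption is visible in the second scenario the test exercises: when Q.3 has nothing to send, its 17 opportunities go unused and the total falls to 83, so an operator who would rather let a busy queue borrow idle slots would need a different emptying policy than the one modelled here.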

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.
