
Method for Flow Control within a Server/Client Intrusion Detection Infrastructure

IP.com Disclosure Number: IPCOM000015218D
Original Publication Date: 2002-Jan-28
Included in the Prior Art Database: 2003-Jun-20
Document File: 3 page(s) / 49K

Publishing Venue

IBM

Abstract

Intrusion detection systems, which monitor internet and intranet systems, provide a real-time notification if an attack is detected. The majority of these systems are client/server based with multiple clients per server. The clients are the detection points that funnel the results of the observation back to the server, which correlates the results. In a large attack, two problems can occur when the client or set of clients sends a significant volume of attack alert messages to the server:

At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 3

Method for Flow Control within a Server/Client Intrusion Detection Infrastructure

Intrusion detection systems, which monitor internet and intranet systems, provide a real-time notification if an attack is detected. The majority of these systems are client/server based with multiple clients per server. The clients are the detection points that funnel the results of the observation back to the server, which correlates the results. In a large attack, two problems can occur when the client or set of clients sends a significant volume of attack alert messages to the server:

  1. The server is overwhelmed, causing the intrusion detection tool itself to fail during an attack.
  2. Significant alert messages are missed, either because the server is overwhelmed or because processing time increases with the volume of alert messages that must be processed.

Disclosed is a method that dynamically limits the volume of messages sent to the server in a predetermined way, by adding to each client a system that classifies the messages destined for the correlation point into egress queues. Once classified, various methods can be used to empty the queues. This disclosure identifies a method in which the egress queues are serviced in a leaky bucket fashion, providing a user-controllable maximum egress rate together with user-controlled policing of the flow-by-flow classification during periods of significant or highly variable traffic. The system operator or the central correlation system sets the maximum desired egress flow rate out of the intrusion detection client so as not to "overrun" the Central Correlation system. The operator of the system determines the distribution of service across all egress queues.

An example queue service embodiment is shown in the following figure and can be described as: service an egress queue based on an assigned fraction of service for that queue. The assigned fraction of service is the proportion of the total allowable service or capacity that the user wants devoted to a particular queue. In the following figure, Y is the least common denominator of the fractions of service. As an example, if Q.1 was assigned a maximum of 1/2 of the total possible output flow, Q.2 a maximum of 1/3, and Q.3 a maximum of 1/6, then Y = 6 (the LCD of {1/2, 1/3, 1/6}). N is the number of egress queues, and Q.x is the x-th egress queue.
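As an added illustration (not code from the disclosure), the following Python models one detection client with three egress queues assigned 1/2, 1/3 and 1/6 of the service, so Y = 6, drained by a leaky bucket of at most 6 alerts per service interval. The severity-to-queue mapping and the alert records are constructed assumptions; the disclosure does not specify how alerts are classified.

```python
from collections import deque
from fractions import Fraction
from math import lcm

# Constructed severity -> egress queue mapping (an assumption, not from the disclosure).
SEVERITY_QUEUE = {"high": 0, "medium": 1, "low": 2}

class EgressScheduler:
    """Client egress queues served by assigned fraction under a leaky-bucket rate cap."""
    def __init__(self, fractions, rate, burst):
        self.fractions = [Fraction(f) for f in fractions]
        if sum(self.fractions) > 1:
            raise ValueError("fractions of service exceed total capacity")
        # Y = least common denominator of the fractions of service (6 for 1/2, 1/3, 1/6).
        self.Y = lcm(*(f.denominator for f in self.fractions))
        # Each cycle of Y service slots gives Q.x exactly fraction_x * Y slots;
        # slots left unassigned (fractions summing below 1) stay idle (None).
        self.slots = [int(f * self.Y) for f in self.fractions]
        self.schedule = [q for q, n in enumerate(self.slots) for _ in range(n)]
        self.schedule += [None] * (self.Y - len(self.schedule))
        self.ptr = 0
        self.queues = [deque() for _ in self.fractions]
        self.rate, self.burst, self.tokens = rate, burst, 0

    def classify(self, alert):
        """Place an alert in its egress queue by severity (constructed rule)."""
        self.queues[SEVERITY_QUEUE[alert["severity"]]].append(alert)

    def tick(self):
        """One interval: leak at most `rate` alerts (bucket holds `burst`), walking at most
        one cycle of Y slots. An empty queue's slot is skipped, not handed to another
        queue, so no queue ever exceeds its maximum share (policing)."""
        self.tokens = min(self.tokens + self.rate, self.burst)
        sent = []
        for _ in range(self.Y):
            if self.tokens < 1 or not any(self.queues):
                break
            q = self.schedule[self.ptr]
            self.ptr = (self.ptr + 1) % self.Y
            if q is not None and self.queues[q]:
                sent.append(self.queues[q].popleft())
                self.tokens -= 1
        return sent

def run_demo(n_each=10, ticks=5):
    """Flood 3 * n_each constructed alerts into one client; return the scheduler
    and the severities sent per tick for fractions {1/2, 1/3, 1/6}, rate 6/tick."""
    s = EgressScheduler(["1/2", "1/3", "1/6"], rate=6, burst=6)
    for sev in SEVERITY_QUEUE:
        for i in range(n_each):
            s.classify({"id": f"{sev}-{i}", "severity": sev})
    return s, [[a["severity"] for a in s.tick()] for _ in range(ticks)]
```

Once the high-severity queue drains (tick 4), the medium and low queues keep their 2 and 1 slots per cycle rather than absorbing the idle capacity, which is the policing behaviour the disclosure describes.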

The egress queue service rates (the rate at which alerts are removed from a queue and sent out of the client t...