Abstract: Systems and methods are provided for generating samples of network traffic and characterizing the samples to identify exploits easily. A first embodiment of the present disclosure can generate traffic between a sample generator and a target computing device based on a particular exploit. The traffic can be a plurality of samples of the exploit, produced by running an exploit script. The method can provide for collecting and storing the plurality of samples. These samples can then be used to characterize the exploit by identifying invariant portions and variable portions of the samples. The method can further provide for removing any artifacts from the samples. Regular expressions can be constructed based on the samples. Each regular expression can be tested and ranked according to metrics of efficiency and accuracy.
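The abstract above describes a pipeline (collect samples, split them into invariant and variable portions, build regular expressions, rank them by accuracy and efficiency) without showing any of it. The following is an added illustration written for this page; it is not the patent's method or PETABI's code. It assumes a hypothetical CGI exploit whose request path is fixed while the id and Host header vary, uses difflib to find the invariant segments, builds one regex per candidate variable-portion class, and ranks the candidates by accuracy on constructed positive and benign samples, breaking ties by measured search time. All sample traffic is constructed for the example.

```python
import re
import time
from difflib import SequenceMatcher

# Constructed stand-ins for captured exploit traffic (hypothetical CGI request, not
# real exploit data): the command path is fixed, the id and Host header vary per run.
EXPLOIT_SAMPLES = [
    "GET /cgi-bin/admin.cgi?cmd=run&id=1731 HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "GET /cgi-bin/admin.cgi?cmd=run&id=88 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n",
    "GET /cgi-bin/admin.cgi?cmd=run&id=40215 HTTP/1.1\r\nHost: 172.16.4.8\r\n\r\n",
]

# Constructed benign traffic used to measure false positives.
BENIGN_SAMPLES = [
    "GET /cgi-bin/admin.cgi?cmd=list&id=7 HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    # A search request that merely quotes the exploit path in a parameter.
    "GET /search?q=GET /cgi-bin/admin.cgi?cmd=run&id= HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
]


def invariant_segments(samples, min_len=4):
    """Substrings shared by every sample, in the order they occur in samples[0].

    Starts with samples[0] as one candidate segment and, for each further sample,
    keeps only the parts that still match; everything else is a variable portion.
    """
    base = samples[0]
    segs = [(0, len(base))]
    for other in samples[1:]:
        refined = []
        for s, e in segs:
            sm = SequenceMatcher(None, base[s:e], other, autojunk=False)
            for a, _, n in sm.get_matching_blocks():
                if n >= min_len:
                    refined.append((s + a, s + a + n))
        segs = refined
    return [base[s:e] for s, e in segs]


# Candidate patterns for the variable portions between invariant segments.
VARIABLE_CLASSES = {
    "greedy_any": ".*",
    "lazy_any": ".*?",
    "no_space": r"\S+",
    "digits_only": r"\d+",
}


def build_regex(invariants, variable_class):
    """Join the escaped invariant segments with one variable-portion pattern."""
    return re.compile(variable_class.join(re.escape(seg) for seg in invariants), re.DOTALL)


def evaluate(regex, positives, negatives, iterations=200):
    """Accuracy over labelled samples plus mean search time per sample (seconds)."""
    corpus = [(s, True) for s in positives] + [(s, False) for s in negatives]
    correct = sum((regex.search(s) is not None) == label for s, label in corpus)
    start = time.perf_counter()
    for _ in range(iterations):
        for s, _label in corpus:
            regex.search(s)
    elapsed = (time.perf_counter() - start) / (iterations * len(corpus))
    return correct / len(corpus), elapsed


def rank_candidates(positives, negatives):
    """Build one regex per variable class; rank by accuracy, then by speed."""
    invariants = invariant_segments(positives)
    results = []
    for name, cls in VARIABLE_CLASSES.items():
        regex = build_regex(invariants, cls)
        accuracy, seconds = evaluate(regex, positives, negatives)
        results.append((name, regex.pattern, accuracy, seconds))
    return invariants, sorted(results, key=lambda r: (-r[2], r[3]))


if __name__ == "__main__":
    invariants, ranked = rank_candidates(EXPLOIT_SAMPLES, BENIGN_SAMPLES)
    print("invariant segments:", invariants)
    for name, pattern, accuracy, seconds in ranked:
        print(f"{name:12s} accuracy={accuracy:.2f} {seconds * 1e6:.1f}us  {pattern!r}")
```

The dot-based candidates accept the benign search request because an empty variable portion still matches, so they lose on accuracy; the digit-only candidate rejects every positive because the Host value contains dots. Only the non-space class gets every sample right, which is why it ranks first regardless of timing; timing only orders candidates whose accuracy ties.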
Type: Grant
Filed: September 17, 2018
Date of Patent: March 9, 2021
Assignee: PETABI, INC.
Inventors: Victor C. Valgenti, Ya-Wen Lin, Atsuhiro Suzuki, Min Sik Kim
Abstract: The present disclosure provides a means for compressing Non-deterministic Finite Automata (NFA) so that a Network Intrusion Detection System (NIDS) performing Deep Packet Inspection (DPI) can match traffic against its signatures faster. The present disclosure accomplishes this through four primary components. First, it provides a time-efficient method for accurately comparing two regular expressions so that common prefixes can be identified. Second, it provides a time-efficient method for grouping regular expressions by their common prefixes. Third, it provides a method for subgrouping within groups by longest common prefixes in order to maximize compression. Finally, it provides a method for building a compressed NFA using heuristics derived from the length of the common prefix to a subgroup.
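The four components above (compare two expressions for a common prefix, group by prefix, subgroup by longest common prefix, build an automaton that stores each shared prefix once) are shown here as an added, simplified illustration; it is not the patent's algorithm or PETABI's code. It assumes a toy signature syntax of literals, backslash escapes, `.` and `[...]` classes with no quantifiers, so that every atom consumes exactly one byte and the shared-prefix automaton is a trie that can be simulated with a set of active states. The signatures are constructed for the example and are not taken from any ruleset. Comparing patterns atom by atom rather than as strings is what keeps `admin\.cgi` and `admin.cgi` from being treated as sharing a prefix beyond `admin`.

```python
from collections import defaultdict

# Constructed signature set (hypothetical rules, not from any real ruleset); toy syntax of
# literals, backslash escapes, '.', and [...] classes, no quantifiers.
PATTERNS = [
    r"GET /cgi-bin/admin\.cgi\?cmd=run",
    r"GET /cgi-bin/admin\.cgi\?cmd=list",
    r"GET /cgi-bin/upload\.cgi",
    r"POST /api/v1/login",
    r"POST /api/v1/logout",
    r"User-Agent: [Nn]ikto",
]


def tokenize(pattern):
    """Split a pattern into atoms so that 'admin\\.' and 'admin.' compare as different."""
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            tokens.append(("lit", pattern[i + 1]))
            i += 2
        elif c == ".":
            tokens.append(("any", ""))
            i += 1
        elif c == "[":
            j = pattern.index("]", i + 2)   # search from i+2 so "[]x]" keeps its body
            tokens.append(("class", pattern[i + 1:j]))
            i = j + 1
        else:
            tokens.append(("lit", c))
            i += 1
    return tuple(tokens)


def atom_matches(token, ch):
    """Does one atom (literal, '.', or class with ranges and optional '^') accept ch?"""
    kind, body = token
    if kind == "lit":
        return ch == body
    if kind == "any":
        return ch != "\n"
    negate = body.startswith("^")
    body = body[1:] if negate else body
    hit, k = False, 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            hit = hit or body[k] <= ch <= body[k + 2]
            k += 3
        else:
            hit = hit or ch == body[k]
            k += 1
    return hit != negate


def common_prefix_len(a, b):
    """Length of the shared leading atom sequence of two tokenized patterns."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def group_by_first_atom(token_lists):
    """Coarse grouping: patterns that start with the same atom."""
    groups = defaultdict(list)
    for idx, toks in enumerate(token_lists):
        groups[toks[0]].append(idx)
    return list(groups.values())


def subgroup_by_longest_prefix(token_lists, group, min_shared):
    """Split a group into runs whose members all share at least min_shared atoms."""
    ordered = sorted(group, key=lambda i: token_lists[i])
    subgroups = []
    for idx in ordered:
        if subgroups:
            members, prefix = subgroups[-1]
            shared = common_prefix_len(prefix, token_lists[idx])
            if shared >= min_shared:
                members.append(idx)
                subgroups[-1] = (members, prefix[:shared])
                continue
        subgroups.append(([idx], token_lists[idx]))
    return [(members, len(prefix)) for members, prefix in subgroups]


class PrefixNFA:
    """Trie-shaped automaton: every shared atom prefix is stored exactly once."""

    def __init__(self, token_lists):
        self.children = [{}]            # node -> {atom: child node}
        self.accept = defaultdict(set)  # node -> indices of patterns ending there
        for idx, toks in enumerate(token_lists):
            node = 0
            for tok in toks:
                nxt = self.children[node].get(tok)
                if nxt is None:
                    nxt = len(self.children)
                    self.children[node][tok] = nxt
                    self.children.append({})
                node = nxt
            self.accept[node].add(idx)

    @property
    def state_count(self):
        return len(self.children)

    def search(self, text):
        """Indices of patterns occurring anywhere in text (set-of-states simulation)."""
        matched, active = set(), set()
        for ch in text:
            active.add(0)                # a match may start at any position
            following = set()
            for node in active:
                for tok, child in self.children[node].items():
                    if atom_matches(tok, ch):
                        following.add(child)
                        matched |= self.accept.get(child, set())
            active = following
        return matched


def separate_state_count(token_lists):
    """States needed if each pattern were compiled to its own linear NFA."""
    return sum(len(toks) + 1 for toks in token_lists)


if __name__ == "__main__":
    toks = [tokenize(p) for p in PATTERNS]
    for group in group_by_first_atom(toks):
        for members, shared in subgroup_by_longest_prefix(toks, group, min_shared=14):
            print(f"subgroup sharing {shared} atoms:", [PATTERNS[i] for i in members])
    nfa = PrefixNFA(toks)
    print("states:", nfa.state_count, "vs", separate_state_count(toks), "separate")
    print("hits:", nfa.search("GET /cgi-bin/upload.cgi HTTP/1.1\r\nUser-Agent: Nikto\r\n"))
```

For these six signatures the shared-prefix automaton has 83 states against 144 for six separate linear NFAs. The subgrouping threshold (`min_shared`) is the knob the abstract refers to: a subgroup's shared-prefix length is what a builder would use to decide how much of the prefix is worth merging.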
Abstract: Event processing is a vital aspect of modern information systems, but is poorly supported and homogeneous in nature. The present disclosure recognizes that any detector speaks a language of events. This language of events can be translated into a "Universal Language" such that events from multiple arbitrary detectors may be compared together. The present disclosure uses regular expressions to explore possible relations and patterns across events and across time. The present disclosure further describes a hierarchical architecture such that the events from peer detectors are aggregated and collated and only conglomerate events, those events matching inter- or intra-detector behaviors, are propagated upstream in the hierarchy.
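The three ideas in the abstract (translate each detector's events into a universal form, run regular expressions across events and across time, and propagate only conglomerate events upstream) are illustrated here with an added example that is not the patent's design or PETABI's code. It assumes two hypothetical detectors with invented line formats (a network detector reporting port scans and an authentication log), encodes each actor's event history as a string of one-letter symbols so a regular expression can read it, and enforces a time window on each match. A leaf aggregator per site emits only the events that matched a rule; the upstream node sees nothing else and correlates those across sites. All log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines from two hypothetical detectors (formats invented for the example).
SITE_A_NIDS = [
    "2024-05-01T10:00:01 nids alert=portscan src=10.0.0.7",
    "2024-05-01T10:02:40 nids alert=portscan src=192.0.2.9",
]
SITE_A_AUTH = [
    "2024-05-01T10:00:05 auth FAILED user=root from=10.0.0.7",
    "2024-05-01T10:00:06 auth FAILED user=root from=10.0.0.7",
    "2024-05-01T10:00:08 auth FAILED user=admin from=10.0.0.7",
    "2024-05-01T10:00:09 auth ACCEPTED user=admin from=10.0.0.7",
    "2024-05-01T10:05:00 auth ACCEPTED user=alice from=10.0.0.21",
    # Same shape as the attack, but 17 minutes after the scan: outside the window.
    "2024-05-01T10:20:00 auth FAILED user=root from=192.0.2.9",
    "2024-05-01T10:20:01 auth FAILED user=root from=192.0.2.9",
    "2024-05-01T10:20:02 auth ACCEPTED user=root from=192.0.2.9",
]
SITE_B_NIDS = ["2024-05-01T11:00:00 nids alert=portscan src=10.0.0.7"]
SITE_B_AUTH = [
    "2024-05-01T11:00:03 auth FAILED user=root from=10.0.0.7",
    "2024-05-01T11:00:04 auth FAILED user=root from=10.0.0.7",
    "2024-05-01T11:00:07 auth ACCEPTED user=root from=10.0.0.7",
]

# Universal language: one symbol per event kind, so an actor's timeline is a string.
SYMBOLS = {"portscan": "S", "auth_fail": "F", "auth_ok": "L"}

NIDS_RE = re.compile(r"^(\S+) nids alert=(\w+) src=(\S+)$")
AUTH_RE = re.compile(r"^(\S+) auth (FAILED|ACCEPTED) user=\S+ from=(\S+)$")


def translate(detector, line):
    """Map a detector-specific line to a universal (time, actor, kind) event, or None."""
    if detector == "nids":
        m = NIDS_RE.match(line)
        if m:
            return (datetime.fromisoformat(m[1]), m[3], m[2])
    elif detector == "auth":
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m[2] == "FAILED" else "auth_ok"
            return (datetime.fromisoformat(m[1]), m[3], kind)
    return None


# Cross-detector rules: a regex over one actor's symbol timeline plus a window in seconds.
CORRELATION_RULES = {
    "scan_then_bruteforce_success": (re.compile(r"SF{2,}L"), 300),
}


class Aggregator:
    """One level of the hierarchy: collates its detectors' events, emits only matches."""

    def __init__(self, name):
        self.name = name
        self.events = []

    def ingest(self, detector, lines):
        self.events.extend(e for e in (translate(detector, l) for l in lines) if e)

    def collate(self):
        """Per actor: build the symbol string, run each rule, keep matches inside the window."""
        by_actor = defaultdict(list)
        for ev in sorted(self.events):
            by_actor[ev[1]].append(ev)
        found = []
        for actor, evs in by_actor.items():
            timeline = "".join(SYMBOLS[kind] for _, _, kind in evs)
            for rule, (regex, window) in CORRELATION_RULES.items():
                for m in regex.finditer(timeline):
                    start, end = evs[m.start()][0], evs[m.end() - 1][0]
                    if (end - start).total_seconds() <= window:
                        found.append((self.name, actor, rule, start, end))
        return found


def propagate(children, min_sites=2):
    """Upstream node: receives only conglomerate events and correlates them across children."""
    upstream = [c for child in children for c in child.collate()]
    sites = defaultdict(set)
    for site, actor, _rule, _start, _end in upstream:
        sites[actor].add(site)
    campaigns = sorted(a for a, s in sites.items() if len(s) >= min_sites)
    return upstream, campaigns


if __name__ == "__main__":
    a, b = Aggregator("site-a"), Aggregator("site-b")
    a.ingest("nids", SITE_A_NIDS)
    a.ingest("auth", SITE_A_AUTH)
    b.ingest("nids", SITE_B_NIDS)
    b.ingest("auth", SITE_B_AUTH)
    upstream, campaigns = propagate([a, b])
    for event in upstream:
        print("conglomerate:", event)
    print("actors active at multiple sites:", campaigns)
```

The regex carries the inter-detector relation (a scan from one detector followed by failures and a success from another), the window carries the time relation, and the upstream node never sees the individual scan or login events, only the two conglomerates, which is enough to notice that 10.0.0.7 did the same thing at both sites.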