Patents by Inventor Richard Paul Tarquini

Richard Paul Tarquini has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7836503
    Abstract: A node of a network for managing an intrusion protection system, the node comprising a memory module for storing data in machine-readable format for retrieval and execution by a central processing unit and an operating system comprising a network stack comprising a protocol driver and a media access control driver and operable to execute an intrusion protection system management application, the management application operable to receive text-file input from an input device, the text-file defining a network-exploit rule and comprising at least one field is provided. A method of distributing command and security updates in a network having an intrusion protection system comprising generating a text-file defining a network-exploit rule and specifying at least one field selected from the group consisting of an ENABLED field value and a SEVERITY level field value during generation of the text-file is provided.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: November 16, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Richard Paul Tarquini, Richard Louis Schertz
  • Patent number: 7549158
    Abstract: An intrusion detection system for customizing a security policy that detects an attempt to exploit a vulnerability is provided. A security policy contains criteria and a procedure. The criteria specify attributes of a security event that may be an exploitation, and the procedure specifies instructions to be performed that indicate when a security event may be an exploitation. When the criteria and the procedure both indicate that a security event may be an exploitation, then the security event matches the security policy and an appropriate action is taken. The intrusion detection system allows a user to modify the criteria to customize the security policy.
    Type: Grant
    Filed: August 31, 2004
    Date of Patent: June 16, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Richard Paul Tarquini
  • Patent number: 7444679
    Abstract: A network having an intrusion protection system comprising a network medium, a management node connected to the network medium and running an intrusion prevention system management application, and a plurality of nodes connected to the network medium and running an instance of an intrusion protection system application, at least one of the nodes having an identification assigned thereto based on a logical assignment grouping one or more of the plurality of nodes, each node sharing the identification being commonly vulnerable to at least one network exploit is provided. A method of transmitting a command and security update message to a subset of nodes of a plurality of network nodes comprising generating an update message by a management node of the network, addressing the update message to a network address shared by the subset of nodes, transmitting the update message, and receiving and processing the update message by the subset of nodes is provided.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: October 28, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Richard Paul Tarquini, George Simon Gales
  • Patent number: 7197762
    Abstract: A method of preventing intrusions on a node of a network comprising monitoring, by a first layer of an intrusion prevention system, application data of applications running on the node, monitoring, by a second layer of the intrusion prevention system, transport layer data of the node, and monitoring, by a third layer of the intrusion prevention system, network layer data of the node is provided. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of monitoring application layer data, by a first layer of an intrusion prevention system comprised of the instructions, of a node of a network, the node comprising the processor, monitoring transport layer data, by a second layer of the intrusion prevention system, of the node of the network; and monitoring network layer data, by a third layer of an intrusion prevention system, of the node of the network is provided.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: March 27, 2007
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Richard Paul Tarquini
  • Publication number: 20030101353
    Abstract: A method of detecting an intrusion at a node of a network comprising reading a first packet received by the node, determining a first signature of the first packet, comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature, determining the first signature corresponds with the first machine readable logic, reading a second packet generated by the node in response to reception of the first packet, determining a second signature of the second packet, comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature, and determining the second signature corresponds with the second machine readable logic is provided. A computer-readable medium and a node for detecting an exploit based upon an outbound signature generated in response to an inbound signature of the exploit are also provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 29, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, George Simon Gales
  • Publication number: 20030097557
    Abstract: A node of a network maintaining an instance of an intrusion prevention system, the node comprising a memory module for storing data in machine-readable format for retrieval and execution by a central processing unit and an operating system comprising a network stack comprising a protocol driver, a media access control driver and an instance of the intrusion prevention system implemented as an intermediate driver and bound to the protocol driver and the media access control driver, the intrusion prevention system comprising an associative process engine and an input/output control layer, the input/output control layer operable to receive at least one of a plurality of machine-readable network-exploit signatures from a database and provide the at least one machine-readable network-exploit signatures to the associative process engine, the associative process engine operable to compare a packet with the at least one machine-readable network-exploit signature and determine a correspondence between the packet and t
    Type: Application
    Filed: October 31, 2001
    Publication date: May 22, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, George Simon Gales
  • Publication number: 20030084329
    Abstract: A method of preventing intrusions on a node of a network comprising monitoring, by a first layer of an intrusion prevention system, application data of applications running on the node, monitoring, by a second layer of the intrusion prevention system, transport layer data of the node, and monitoring, by a third layer of the intrusion prevention system, network layer data of the node is provided. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of monitoring application layer data, by a first layer of an intrusion prevention system comprised of the instructions, of a node of a network, the node comprising the processor, monitoring transport layer data, by a second layer of the intrusion prevention system, of the node of the network; and monitoring network layer data, by a third layer of an intrusion prevention system, of the node of the network is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventor: Richard Paul Tarquini
  • Publication number: 20030084319
    Abstract: A node of a network running an intrusion detection system, the node comprising a central processing unit, a memory module for storing data in machine readable format for retrieval and execution by the central processing unit, a database for storing a plurality of machine-readable network-exploit signatures, an operating system comprising a network stack comprising a protocol driver, a media access control driver and an instance of the intrusion detection system implemented as an intermediate driver and bound to the protocol driver and the media access control driver is provided. A method of filtering data at a node of a network comprising binding an intrusion prevention system directly to a media access control driver of a network stack of a node of the network is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, George Simon Gales
  • Publication number: 20030084344
    Abstract: A method of analyzing packets at a node of a network by an intrusion prevention system executed by the node, comprising reading the packet by the intrusion prevention system, comparing the packet with a machine-readable signature file, determining the packet has a packet signature that corresponds with the machine-readable signature file, and determining the machine-readable signature file has an associated squelch comprising a squelch threshold and a squelch period is provided. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions that, when executed by a processor, cause the processor to perform a computer method of reading a packet, comparing the packet with a machine-readable signature file, determining the packet has a packet signature that corresponds with the machine-readable signature file, and determining the machine-readable signature file has an associated squelch comprising a squelch threshold and a squelch period is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, George Simon Gales
  • Publication number: 20030084321
    Abstract: A mobile device operable in a mobile telecommunications network comprising a memory module for storing data in machine readable format for retrieval and execution by a central processing unit and an operating system operable to execute an intrusion detection application stored in the memory module is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, George Simon Gales
  • Publication number: 20030084326
    Abstract: A method of identifying data comprised in a network exploit comprising receiving a packet by an intrusion prevention system maintained by a node of a network, the intrusion prevention system bound to a media access control driver and a protocol driver, invoking a signature analysis algorithm by the intrusion prevention system, and comparing the packet by the intrusion prevention system with a first rule set comprising a rule logically defining a packet signature is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventor: Richard Paul Tarquini
  • Publication number: 20030084330
    Abstract: A node of a network for managing an intrusion protection system, the node comprising a memory module for storing data in machine-readable format for retrieval and execution by a central processing unit and an operating system comprising a network stack comprising a protocol driver and a media access control driver and operable to execute an intrusion protection system management application, the management application operable to receive text-file input from an input device, the text-file defining a network-exploit rule and comprising at least one field is provided. A method of distributing command and security updates in a network having an intrusion protection system comprising generating a text-file defining a network-exploit rule and specifying at least one field selected from the group consisting of an ENABLED field value and a SEVERITY level field value during generation of the text-file is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz
  • Publication number: 20030084320
    Abstract: A network having an intrusion protection system comprising a network medium, a management node connected to the network medium and running an intrusion prevention system management application, and a plurality of nodes connected to the network medium and running an instance of an intrusion protection system application, at least one of the nodes having an identification assigned thereto based on a logical assignment grouping one or more of the plurality of nodes, each node sharing the identification being commonly vulnerable to at least one network exploit is provided. A method of transmitting a command and security update message to a subset of nodes of a plurality of network nodes comprising generating an update message by a management node of the network, addressing the update message to a network address shared by the subset of nodes, transmitting the update message, and receiving and processing the update message by the subset of nodes is provided.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, George Simon Gales
  • Publication number: 20030084328
    Abstract: In accordance with an embodiment of the present invention, a method of detecting network-intrusions at a first node of a network comprising identifying a frame as an intrusion by an intrusion detection application, archiving event-data associated with the frame, and decoding the event-data by a decode engine, the decode engine integrated within the intrusion detection application is provided. In accordance with another embodiment of the present invention, a computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of identifying, by an intrusion detection application, a frame of data as intrusion-related, and decoding the intrusion-related data.
    Type: Application
    Filed: October 31, 2001
    Publication date: May 1, 2003
    Inventors: Richard Paul Tarquini, Richard Louis Schertz, Craig Anderson