Intrusion prevention system in a communication network and method and apparatus therefor
By matching and mapping the destination host attributes and CVEs of IPS rules in the communication network, the problems of low rule set processing efficiency and insufficient adaptation in traditional IPS systems are solved, achieving more efficient intrusion prevention and network performance improvement.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CAMBIUM NETWORKS
- Filing Date
- 2025-12-31
- Publication Date
- 2026-07-03
AI Technical Summary
Traditional IPS systems are inefficient when processing large rule sets, leading to a decline in network performance. Furthermore, they are difficult to adapt to the unique characteristics of communication networks, resulting in rule redundancy and insufficient protection.
By retrieving the host attributes and port number of each open port in the communication network, the target host attributes of the IPS rules are matched, and the rules are adapted based on the matching results. At the same time, the CPE and associated CVE of the running service are determined, and the CVE of the IPS rules are mapped to adapt the rules.
It improves the accuracy of IPS rules and network performance, reduces rule redundancy, ensures coverage of newly detected services and vulnerabilities, and avoids unnecessary rule application.
Smart Images

Figure CN122339720A_ABST
Abstract
Description
Technical Field
[0001] This disclosure generally relates to security in communication networks, and more specifically, but not exclusively, to intrusion prevention systems, methods, and apparatus for communication networks. Background Technology
[0002] Intrusion Prevention Systems (IPS) are cybersecurity tools that monitor and analyze network traffic to detect and prevent malicious activity in communication networks. These systems work by comparing incoming and outgoing network packets in the communication network against predefined IPS rules that identify suspicious behavior. Deploying IPS systems at the network boundary protects organizations from a range of network threats. IPS systems can block potential attacks or alert administrators about such attacks based on predefined IPS rules. Predefined IPS rules are typically provided in the form of rule sets. Each rule set can be large, as it can include rules for different services and vulnerabilities and be further updated periodically to accommodate emerging threats. The effectiveness of an IPS system depends on the accuracy and relevance of the rule sets applied to the communication network.
[0003] A major challenge of traditional IPS systems is their inefficiency in handling large rule sets. Applying the full spectrum of available rules consumes considerable system memory, increasing latency and slowing down network performance. This increased latency and performance degradation force network administrators to manually remove irrelevant rules from the rule set based on their knowledge of the network. However, this manual process is time-consuming and error-prone. Furthermore, many administrators lack the expertise to properly adapt rule sets according to the characteristics of their network. Consequently, most IPS deployments are either plagued by rule redundancy leading to performance degradation or are at risk of inadequate protection due to the use of incomplete or non-customized rule sets.
[0004] In some traditional IPS systems, rule sets can be categorized to optimize them, allowing users to choose between different security levels. While these traditional IPS systems offer some level of customization, they may still require manual effort to refine the rule sets to suit specific services and vulnerabilities present in the communication network. Furthermore, traditional IPS systems may not be adaptable to the communication network, meaning that the rule sets often contain irrelevant IPS rules, wasting computational resources and lacking coverage of newly detected services and vulnerabilities.
[0005] The purpose of this invention is to alleviate the problems of the prior art. Summary of the Invention
[0006] According to a first aspect of this disclosure, a method for preventing intrusion in a communication network is provided. The method may include retrieving at least one host attribute and port number of an associated host for each of a set of open ports within the communication network. The method may further include matching a destination host attribute in an Intrusion Prevention System (IPS) rule with at least one host attribute associated with each of the set of open ports in the communication network. The method may further include adapting the IPS rule based on the matching result. The method may further include selectively applying the IPS rule in the communication network based on the adaptation.
[0007] According to a second aspect of this disclosure, a method for preventing intrusion in a communication network is provided. The method may include, for each of a set of open ports within the communication network, determining a Common Platform Enumeration (CPE) of a service running on the corresponding open port and a set of Common Vulnerabilities and Exposures (CVEs) associated with the CPE. The method may also include mapping the CVEs associated with Intrusion Prevention System (IPS) rules to the set of CVEs determined for each open port in the set of open ports. The method may further include adapting IPS rules based on the mapping result. The method may further include selectively applying IPS rules in the communication network based on the adaptation.
[0008] According to a third aspect of this disclosure, a network device is provided. The network device may include a processor and a memory communicatively connected to the processor and including processor instructions, which, when executed by the processor, cause the processor to retrieve at least one host attribute and port number of an associated host for each of a set of open ports within a communication network. The processor may also match the destination host attribute associated with each of the set of open ports in the communication network. The processor may also adapt IPS rules based on the matching results. The processor may also selectively apply IPS rules in the communication network based on the adaptation.
[0009] Further features of this disclosure will become clear from the following description of preferred embodiments of this disclosure, which are given by way of example only. Attached Figure Description
[0010] This disclosure is best understood by referring to the following description taken in conjunction with the accompanying drawings, in which the same parts may be referred to by the same reference numerals.
[0011] Figure 1 A communication network is described, in which systems for preventing intrusion can be deployed;
[0012] Figure 2 A network device according to an embodiment of the present disclosure is described, which is configured to prevent intrusion in a communication network;
[0013] Figure 3 A table illustrating an embodiment of the present disclosure depicts the process of matching a destination host attribute in an intrusion prevention system (IPS) rule with at least one host attribute associated with each open port within a communication network;
[0014] Figure 4 A table illustrating an embodiment of the present disclosure depicts the process of mapping public vulnerabilities and exposures (CVEs) associated with IPS rules to a set of CVEs determined for each open port within a communication network;
[0015] Figure 5 The illustration shows a flowchart of an exemplary method for preventing intrusion in a communication network according to an embodiment of the present disclosure;
[0016] Figure 6 A flowchart illustrating an exemplary method for adapting IPS rules according to embodiments of the present disclosure is shown;
[0017] Figure 7 A flowchart illustrating another exemplary method for preventing intrusion in a communication network according to an embodiment of the present disclosure is shown.
[0018] Figure 8 A flowchart illustrating another exemplary method for adapting IPS rules according to an embodiment of the present disclosure is shown. Detailed Implementation
[0019] The following description is presented to enable those skilled in the art to make and use this disclosure, and is provided in the context of a particular application and its requirements. Various modifications to the embodiments will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of this disclosure. Furthermore, numerous details are set forth in the following description for illustrative purposes. However, those skilled in the art will recognize that the invention may be practiced without using these specific details. In other examples, well-known structures and apparatuses are shown in block diagram form so as not to obscure the description of this disclosure with unnecessary detail. Thus, this disclosure is not intended to be limited to the embodiments shown, but is to be accorded the broadest scope consistent with the principles and features disclosed herein.
[0020] Exemplary embodiments are described with reference to the accompanying drawings. The same reference numerals are used throughout the drawings to denote the same or similar parts, whenever convenient. While examples and features of the disclosed principles have been described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments. The following specific embodiments are intended to be considered merely exemplary, wherein the true scope and spirit are indicated by the appended claims.
[0021] Figure 1 A communication network 100 is described, in which a system for preventing intrusion can be deployed. The communication network 100 may be configured as a local area network (LAN) and may include a network device 102. The network device 102 may represent any network infrastructure responsible for network security and business management within the LAN. The network device 102 may be, for example, a firewall device, router, switch, dedicated IPS, gateway, or any similar network infrastructure. In this embodiment, the network device 102 may enforce intrusion prevention system (IPS) rules to monitor, adapt, and selectively apply security measures within the communication network 100. The network device 102 is communicatively connected to a network switch 106, which acts as an intermediary or bridge between multiple terminal devices 108 and the network device 102.
[0022] Multiple terminal devices 108 may include, but are not limited to, printers 108a, laptops 108b, servers 108c, smartphones 108d, Internet of Things (IoT) devices 108e, mobile phones 108f, or tablets 108g. Network switch 106 may include multiple switch ports ( Figure 1 (not shown in the diagram), and can be communicatively connected to each of the multiple terminal devices 108 via one or more of the multiple switch ports, either directly via a wired connection or via a wireless access point (AP) 110 (e.g., wireless AP 110a and wireless AP 110b). The wireless AP 110 monitors and manages the multiple terminal devices 108 and acts as a gateway for inbound traffic. The wireless AP 110 also provides a gateway for service flows and ensures that IPS rules are applicable to both wired and wireless hosts. Furthermore, the communication network 100 may also include, but is not limited to, virtual entities (…). Figure 1 (not shown) (such as virtual machines (VMs), containers, and virtual servers in the cloud) and applications ( Figure 1 (not shown in the image) (such as web applications, cloud-based applications, and microservices).
[0023] On the other hand, network device 102 can also be communicatively connected to the Internet 104. Thus, although network switch 106, together with multiple terminal devices 108 and wireless access points 110, can form a LAN connected to network device 102, the Internet 104 can form a wide area network (WAN). In other words, when network switch 106 controls multiple terminal devices 108 to access network device 102, network device 102 uses IPS rules to further control communication between multiple terminal devices 108 and external networks such as the Internet 104.
[0024] Figure 2A network device 200 according to an embodiment of the present disclosure is depicted, configured to prevent intrusion in a communication network 202. The network device 200 may be, for example, a firewall device, a router, a switch, a dedicated intrusion prevention system (IPS), or a gateway communicatively connected to a network switch 106.
[0025] Each of the multiple terminal devices 108, virtual entities, and applications within the communication network 202 can be referred to as a host. For example, a host can be a Structured Query Language (SQL) server, a Simple Mail Transfer Protocol (SMTP) server, a Domain Name System (DNS) server, a Hypertext Transfer Protocol (HTTP) server, a Telnet server, or any other terminal device, virtual entity, or application. Each host has one or more open ports through which it communicates with external services within the communication network 202. These open ports serve as potential entry points for data exchange but also as potential vectors for network intrusion. For example, open ports could be open port 1433 (SQL) for an SQL server, open port 25 (SMTP) for an SMTP server, open port 53 (DNS) for a DNS server, open port 80 (HTTP) for an HTTP server, and open port 23 (Telnet) for a Telnet server.
[0026] Each open port runs a specific service, and for each service, there exists a corresponding Common Platform Enumeration (CPE), which provides a standardized method for identifying the software, operating system, or hardware executed or running on the host. Examples of such services and corresponding ports may include database management and query execution services running on open port 1433 (SQL), email sending and receiving services running on open port 25 (SMTP), domain name resolution services running on open port 53 (DNS), network traffic processing and network content delivery services running on open port 80 (HTTP), and remote command-line services running on open port 23 (Telnet). Furthermore, examples of CPEs used for specific services may include "cpe: / a:microsoft:sql_server:2019" for database management and query execution services, "cpe: / a:postfix:postfix:3.4.14" for sending and receiving email communications services, "cpe: / a:isc:bind:9.11.36" for domain name resolution services, "cpe: / a:apache:http_server:2.4.51" for network traffic processing and network content delivery services, and "cpe: / a:sun:solaris_telnetd:11" for remote command-line services. Clearly, the above CPEs are for illustrative purposes only.
[0027] In addition, each CPE has one or more Public Vulnerabilities and Exposures (CVEs) associated with it. These CVEs identify known vulnerabilities in a given service. For example, the CPE "cpe: / a:microsoft:sql_server:2019" may have an associated CVE, "CVE-2020-0618", which addresses a remote code execution vulnerability in SQL Server. Similarly, the CPE "cpe: / a:postfix:postfix:3.4.14" may have an associated CVE, "CVE-2020-10188", which addresses a vulnerability in Postfix where a problem handling certain configurations could allow an attacker to execute arbitrary commands. Furthermore, the CPE "cpe: / a:isc:bind:9.11.36" may have an associated CVE, "CVE-2020-8622," which addresses a denial-of-service vulnerability in a DNS server. Similarly, the CPE "cpe: / a:apache:http_server:2.4.51" may have an associated CVE, "CVE-2021-41773," which addresses a path traversal vulnerability in an HTTP server. The CPE "cpe: / a:sun:solaris_telnetd:11" may have an associated CVE, "CVE-2019-7283," which relates to a remote code execution vulnerability in a Telnet server. These CVEs represent potential security weaknesses that attackers could exploit. Therefore, these CVEs should be considered when applying IPS rules to detect and prevent malicious activity within the communication network 202.
[0028] Network device 200 serves as the primary security component in communication network 202, whereby network device 200 applies intrusion prevention technologies by scanning for vulnerabilities and adapting IPS rules. For this purpose, network device 200 may include processor 204 and memory 206. Examples of processor 204 may include, but are not limited to, Intel. ® Itanium ® Or Itanium 2 processor or AMD ® Opteron ® or Athlon MP ® Processor, Motorola ® Series processors, Nvidia ®The FortiSOC™ system-on-chip processor or other future processors. Memory 206 can be non-volatile or volatile memory. Examples of non-volatile memory include, but are not limited to, flash memory, read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), and electrically erasable programmable read-only memory (EEPROM). Examples of volatile memory include, but are not limited to, dynamic random access memory (DRAM) and static random access memory (SRAM).
[0029] In this embodiment, memory 206 may store instructions that, when executed by processor 204, enable processor 204 to prevent intrusion into communication network 202, as discussed in more detail below. Memory 206 may also include port scanning module 208, port scanning database 210, attribute matching module 212, rule adaptation module 214, and rule application module 216.
[0030] Network device 200 may also include a local IPS rule data store 218. This local IPS rule data store 218 may store a repository of intrusion prevention system (IPS) rules. In addition to the local IPS rule data store 218, network device 200 may also communicate via the Internet 104 with a global IPS rule data store 220 stored in the cloud 222. The global IPS rule data store 220 may include a nearly complete list of IPS rules that have been updated based on newly identified security threats. The local IPS rule data store 218 can be periodically updated by synchronizing with the global IPS rule data store 220.
[0031] The port scanning module 208 can perform port scanning within the communication network 202 to retrieve at least one host attribute of an associated host and the port number of each open port in a set of open ports within the communication network 202. In embodiments, the at least one host attribute may include, but is not limited to, the type of the associated host, the brand of the associated host, the operating system (OS) of the associated host, and the OS version of the associated host. Additionally, while performing port scanning, the port scanning module 208 can also, for each open port in the set of open ports, determine the CPE used to run the service on the corresponding open port and a set of CVEs associated with that CPE.
[0032] In some embodiments, the port scanning module 208 may periodically perform port scans on each of a set of open ports within the communication network 202 to retrieve at least one host attribute, port number, CPE for the service running on the corresponding open port, and a set of CVEs associated with the CPE. Based on the results of the port scans on each of the set of open ports within the communication network 202, the port scanning module 208 may then store at least one host attribute and port number, the CPE for the service running on the corresponding open port, and the set of CVEs associated with the CPE in the port scanning database 210.
[0033] To adapt to IPS rules in the repository, attribute matching module 212 can extract destination host attributes from the IPS rules. An IPS rule could be, for example, “alert udp $EXTERNAL_NET any ->$SQL_SERVER 1433 (msg:"SQLServer potential unauthorized access"; flow:to_server; content:"SELECT";metadata:ruleset community; reference:cve,2020-1234; classtype:attempted-user; sid:500001; rev:1;)”. In this example, 'SQL_SERVER' refers to the destination host, and 'EXTERNAL_NET' refers to the WAN. The direction of network traffic in the above example is from the WAN to SQL_SERVER. In other words, this IPS rule is associated with all SQL Servers in a given communication network. In some embodiments, attribute matching module 212 can also extract at least one host attribute associated with each open port in a set of open ports from port scan database 210.
[0034] The attribute matching module 212 can also match the destination host attribute in the IPS rule with at least one host attribute associated with each open port in a set of open ports in the communication network 202. The attribute matching module 212 can determine whether a match is found between the destination host attribute in the IPS rule and at least one host attribute associated with an open port in this set of open ports. The attribute matching module 212 can send the matching result to the rule adaptation module 214. One possible matching result is that the destination host attribute in the IPS rule matches at least one host attribute associated with at least one open port in this set of open ports in the communication network 202. Alternatively, the result may be that the destination host attribute in the IPS rule does not match at least one host attribute associated with each open port in this set of open ports in the communication network 202.
[0035] Therefore, the rule adaptation module 214 adapts the IPS rule based on the result. In an embodiment, when the destination host attribute in the IPS rule does not match at least one host attribute associated with each of the open ports in this set of open ports in the communication network 202, the rule removal module 224 may remove the IPS rule from the IPS rule repository to adapt the IPS rule. Alternatively, when the destination host attribute matches at least one host attribute associated with at least one port from this set of open ports in the communication network 202, the simplification module 226 may simplify the IPS rule to adapt it. To simplify the IPS rule, the destination host attribute in the IPS rule may be replaced with the IP address of each of the at least one open port. When adapting the IPS rule, the rule application module 216 may then selectively apply the IPS rule in the communication network 202 based on the adaptation. In other words, if the IPS rule is removed, it is obviously not applicable to the communication network. However, if the IPS rule is simplified to include certain specific IP addresses, the IPS rule is applied only to those IP addresses. What will be clear is that, although a single IPS rule is referenced, an adaptation process is performed for each IPS rule in the library of IPS rules.
[0036] Additionally, in some embodiments, the attribute matching module 212 may extract a set of CVEs determined for each open port in a set of open ports from the port scan database 210. The attribute matching module 212 may also extract CVEs associated with IPS rules. In some embodiments, CVEs associated with IPS rules may be extracted based on the Snort identifier (SID) in the IPS rules. The attribute matching module 212 may also map the CVEs associated with IPS rules to a set of CVEs determined for each open port in a set of open ports.
[0037] The attribute matching module 212 can send the mapping results to the rule adaptation module 214. The result could be that the CVE associated with the IPS rule does not match any of the CVEs in the set determined for each open port in this set of open ports in the communication network. Alternatively, the result could be that the CVE associated with the IPS rule matches at least one CVE in the set determined for at least one open port in this set of open ports.
[0038] Therefore, the rule adaptation module 214 adapts the IPS rule based on the result. In an embodiment, when the CVE associated with an IPS rule does not match each of the CVEs determined for each of the open ports in the communication network 202, the rule removal module 224 may remove the IPS rule from the IPS rule repository. Alternatively, when the CVE associated with an IPS rule matches at least one of the CVEs determined for at least one port in the open ports in the communication network 202, the simplification module 226 may simplify the IPS rule to adapt it. To simplify the IPS rule, the destination host attribute in the IPS rule may be replaced with the IP address of each of the at least one open port. When adapting the IPS rule, the rule application module 216 may then selectively apply the IPS rule in the communication network 202 based on the adaptation. In other words, if an IPS rule is removed, it obviously will not be applied to the communication network 202. However, if the IPS rule is simplified to include certain specific IP addresses, the IPS rule will only be applied to those IP addresses. What will be clear is that, although a single IPS rule is referenced, an adaptation process is performed for each IPS rule in the library of IPS rules.
[0039] Figure 3 Table 300, according to an exemplary embodiment of the present disclosure, illustrates the process of matching a destination host attribute in an IPS rule with at least one host attribute associated with each open port within the communication network 202. Combined with Figure 2 illustrate Figure 3 .
[0040] Table 300 may include six columns, each representing a different stage in the IPS rule adaptation process. These columns are labeled as IPS rule column 302, destination host attribute column 304, host attribute column 306, open port column 308, IP address column 310, and adapted IPS rule column 312. Each row in Table 300 corresponds to a specific scenario in which the IPS rules are applied to the communication network 202 after they have been adapted as needed.
[0041] IPS rule column 302 lists the original IPS rules. These IPS rules are predefined and include formatted "alerts" followed by specific instructions. For example, an IPS rule might direct external network traffic "$EXTERNAL_NET any" to a specific host attribute (such as SQL Server) on a specified port (e.g., port 1433 for SQL Server). IPS rules also describe the nature of a potential attack, "Potential Unauthorized Access to SQL Server," and include metadata such as the protected service, content matching criteria, reference code, "Attempted User" classification type, and Snort identifier (SID).
[0042] Destination Host Attribute column 304 identifies the intended target of the IPS rule within the communication network 202, such as an SQL server, SMTP server, or Telnet server. Clearly, Destination Host Attribute column 304 includes details of the destination host attributes defined in the corresponding IPS rule, as given in IPS Rule column 302.
[0043] Host attribute column 306 lists the host attributes identified by port scanning module 208 during port scanning in communication network 202. These host attributes correspond to the type of server or service running on the detected host. For example, during port scanning, an SQL server, SMTP server, DNS server, and HTTP server can be identified as being present in communication network 202, each associated with a different open port.
[0044] Open Ports column 308 shows the open ports associated with the hosts identified from the port scan. These open ports are vulnerabilities through which data can flow to or from the hosts. For example, after performing a port scan in communication network 202, the following hosts were found: an SQL server hosted on port 1433 (SQL), an SMTP server hosted on open port 25 (SMTP), a DNS server hosted on port 53, and an HTTP server hosted on port 80. In summary, the only applications hosted in communication network 202 include the SQL server, SMTP server, DNS server, and HTTP server. It will be clear that, for ease of illustration, only four of these services (or applications) are considered to be hosted in communication network 202.
[0045] In addition, IP address column 310 indicates the specific IP address assigned to each open port. These IP addresses allow network device 200 to determine the precise location of each open port within communication network 202. For example, open port 1433 hosting the SQL server has the IP address "192.168.1.2", while open port 25 hosting the SMTP server has the IP address "192.168.1.3".
[0046] The adapted IPS rule column 312 includes adapted versions of the IPS rules. As discussed earlier, the rule adaptation module 214 adapts IPS rule-based matches between the destination host attribute in the IPS rule and the host attribute associated with the open port detected during port scanning. When a match is found, the IPS rule is adapted to replace the destination host attribute associated with the IPS rule with the IP address of the open port.
[0047] For example, if an IPS rule is configured for a SQL server, the adapted rule will now replace the destination "$SQL_Server" in the IPS rule with the IP address of the open port of the SQL server hosted in communication network 202. Therefore, $SQL_Server is replaced with "192.168.1.2". This adaptation ensures that the IPS rule targets only the associated host accurately and precisely, thus improving the accuracy of intrusion prevention. As depicted in the first cell of column 312 of the adapted IPS rule, after identifying the presence of a SQL server hosted on port 1433 with IP address 192.168.1.2 in communication network 202, the IPS rule adapts from the original "alert udp $EXTERNAL_NET any -> $SQL_Server" to "alert udp $EXTERNAL_NET any -> 192.168.1.2". This adapted IPS rule now applies only to the SQL server in communication network 202 and prevents any unauthorized access to port 1433.
[0048] Similarly, in the second cell of the adapted IPS rule column 312, as given in IPS rule column 302, the IPS rule configured for the SMTP server is suitable to apply only to the SMTP server within communication network 202. Initially, the IPS rule specifies "$EXTERNAL_NET any -> $SMTP_Server 25" to prevent mail relay attacks. After scanning communication network 202, it is determined that only one SMTP server is hosted on port 25 with the IP address 192.168.1.3. Therefore, the IPS rule is suitable for "alert udp $EXTERNAL_NET any ->192.168.1.3 25". As a result, the IPS rule is applied only to the SMTP server in communication network 202. Further, as depicted in the third cell of the adapted IPS rule column 312, the IPS rule configured for the Telnet server as given in IPS rule column 302 can be completely removed because there is no Telnet server hosted in communication network 202. In other words, it is determined that the IPS rule is irrelevant to the communication network. Therefore, the unnecessary application of such IPS rules in communication network 202 is completely avoided.
[0049] Figure 4 Table 400, illustrating an exemplary embodiment of the present disclosure, depicts the process of mapping CVEs associated with IPS rules to a set of CVEs determined for each open port within the communication network 202. (In conjunction with...) Figure 2 illustrate Figure 4 Table 400 shows how network device 200 matches CVEs referenced in IPS rules with CVEs found on open ports during port scanning to adapt IPS rules based on specific vulnerabilities existing in communication network 202.
[0050] Table 400 may include six columns, each representing a different stage in the process of mapping CVEs and accordingly adapting IPS rules. These columns are labeled as IPS rule column 402, CVEs in IPS rule column 404, CVEs in open port column 406, CVEs in open port column 408, IP address column 410, and adapted IPS rule column 412. Each row in Table 400 corresponds to a specific scenario in which the IPS rules are applied to the communication network 202 after comparing the CVEs from the IPS rules with the CVEs identified for services or applications hosted on open ports discovered during port scanning.
[0051] IPS rule column 402 lists the IPS rules. Each IPS rule is associated with a specific alert format for external network traffic (i.e., "$external_NET any") targeting certain applications or services in the communications network 202, such as SQL servers, SMTP servers, or Telnet servers hosted on specific ports (e.g., port 1433 for SQL servers). IPS rules describe the potential attacks they are designed to detect, such as unauthorized access, mail relay attacks, or brute-force login attempts. These IPS rules may include metadata fields, including but not limited to a CVE reference associated with each rule, the nature and classification of the attack (e.g., "attempted-user" or "attempted-recon"), and a unique Snort identifier (SID) for each rule.
[0052] The CVEs in IPS rule column 404 list the specific CVEs referenced in each IPS rule within this set of IPS rules. These CVEs represent known vulnerabilities that the IPS rule is designed to detect and prevent. For example, an IPS rule configured to prevent unauthorized access to a SQL server might reference CVE "2020-1234," while an IPS rule configured to prevent mail relay attacks against an SMTP server might reference CVE "2021-5678." Furthermore, an IPS rule configured to perform brute-force attacks on a Telnet server might reference CVE "2019-3456."
[0053] Open Ports column 406 lists the open ports identified during a port scan performed by port scanning module 208. These open ports host services or applications running in communication network 202 (e.g., SQL server, SMTP server, or Telnet server), and each service or application represents a potential vulnerability. For example, an SQL server might be hosted on port 1433, an SMTP server on port 25, a DNS server on port 53, and an HTTP server on port 80.
[0054] The CVEs used for open port column 408 display the CVE associated with each open port, based on the CPE of the service running on those ports. These CVEs are extracted from port scan database 210 and mapped to their corresponding open ports. For example, port 1433 hosting the SQL server might have CVE "2020-1234", while port 25 hosting the SMTP server might be associated with CVE "2021-5678". This mapping allows network device 200 to associate specific vulnerabilities that may be associated with open ports detected in communication network 202.
[0055] IP address column 410 indicates the specific IP address of each open port identified during port scanning. This allows network device 200 to pinpoint the exact location of each open port within communication network 202. For example, port 1433 hosting an SQL server might have an IP address of 192.168.1.2, while port 25 hosting an SMTP server might have an IP address of 192.168.1.3. Each IP address identifies an open port hosting a specific service.
[0056] After rule adaptation module 214 maps CVEs from IPS rules to CVEs associated with an opening, the adapted IPS rule column 412 presents the final version of the IPS rule. When a CVE in an IPS rule is found to match a CVE identified for a particular open port, the IPS rule is adapted to include the IP address of that open port. For example, if the original IPS rule references CVE "2020-1234", and a match for that CVE is found in the list of CVEs associated with open ports detected in communication network 202, the matching CVE may be associated with open port 1433 having the IP address "192.168.1.2". Therefore, the IPS rule can be adapted to replace "$SQL_Server" with the IP address "192.168.1.2", and the adapted IPS rule will therefore specify the IP address of the open port (e.g., "$EXTERNAL_NET any -> 192.168.1.2"). This adaptation ensures that the IPS rule applies only to the specific port. It will be clear that multiple such CVE mappings can be detected. Therefore, in this case, to adapt to IPS rules, "$SQL_Server" can be replaced with multiple IP addresses.
[0057] As described in the first cell of Adapted IPS Rule 412, the IPS rule configured for the SQL server with a potential unauthorized access threat (CVE "2020-1234") given in IPS Rule 402 is adapted from the original "alert udp $EXTERNAL_NET any -> $SQL_Server 1433" to "alert udp $EXTERNAL_NET any -> 192.168.1.2 1433". This then identifies a SQL server in communication network 202 associated with the same CVE in the IPS rule, hosted on port 1433 with the IP address 192.168.1.2. This adapted IPS rule now applies only to the SQL server in communication network 202 and prevents unauthorized access to port 1433.
[0058] Similarly, in the second cell of the adapted IPS rule column 412, the IPS rule configured for the SMTP server with a potential mail relay attack (CVE "2021-5678") given in IPS rule column 402 is adapted from the original "alert udp $EXTERNAL_NET any -> $SMTP_Server 25" to "alert udp $EXTERNAL_NET any -> 192.168.1.3 25". This then identifies an SMTP server in communication network 202 associated with the same CVE in the IPS rule, hosted on port 25 with the IP address 192.168.1.3. The adapted IPS rule is now applied only to the SMTP server in communication network 202, preventing unauthorized access to port 25.
[0059] Furthermore, as depicted in the third cell of the adapted IPS rule column 412, the IPS rule configured for the Telnet server as given in IPS rule column 402 can be completely removed because no Telnet server is hosted in communication network 202. In other words, it is determined that this IPS rule is irrelevant to communication network 202. This completely avoids the unnecessary application of such IPS rules in communication network 202.
[0060] Figure 5 A flowchart illustrating an exemplary method for preventing intrusion in a communication network according to an embodiment of this disclosure is shown. Figure 5 Combination Figure 2 and Figure 3 The following explanation is provided. In step 502, network device 200 may obtain at least one host attribute and port number of the associated host for each open port in a set of open ports within the communication network 202. At step 504, network device 200 may match the destination host attribute in the Intrusion Prevention System (IPS) rule with at least one host attribute associated with each open port in this set of open ports in the communication network. At step 506, network device 200 may adapt the IPS rule based on the matching result. This will combine... Figure 6 Further details. At step 508, network device 200 may selectively apply IPS rules in communication network 202 based on an adaptation.
[0061] Figure 6 A flowchart illustrating an exemplary method for adapting IPS rules based on matching results, as described in embodiments of this disclosure, is shown. Figure 2 , Figure 3 and Figure 5 illustrate Figure 6At step 602, network device 200 may perform a check to determine whether the destination host attribute matches at least one host attribute.
[0062] If the destination host attribute in the IPS rule does not match at least one host attribute associated with each open port in a set of open ports in the communication network 202, then at step 604, the network device 200 can adapt the IPS rule by removing it from the IPS rule repository. However, if the destination host attribute in the IPS rule matches at least one host attribute associated with at least one open port in a set of open ports in the communication network 202, then at step 606, the network device 200 can adapt the IPS rule by simplifying it. Simplifying the IPS rule can be done by replacing the destination host attribute in the IPS rule with the Internet Protocol (IP) address of each of the at least one port at step 608.
[0063] Figure 7 A flowchart illustrating another exemplary method for preventing intrusion in a communication network according to an embodiment of the present disclosure is shown. (In conjunction with...) Figure 2 and Figure 4 illustrate Figure 7 At step 702, network device 200 may determine a CPE and a set of CVEs associated with each open port in a set of open ports of the communication network 202, the CPE being used to run a service on the corresponding open port. Simultaneously with step 702, at step 704, network device 200 may extract the CVEs associated with the IPS rules from the IPS rules, which include the IPS rules. Subsequently, at step 706, network device 200 may map the CVEs associated with the IPS rules to the set of CVEs determined for each open port in the set of open ports. Subsequently, at step 708, network device 200 may adapt the IPS rules based on the mapping result. This will combine... Figure 8 Further details are provided. Subsequently, at step 710, network device 200 may selectively apply IPS rules in communication network 202 based on an adaptation.
[0064] Figure 8 A flowchart illustrating another exemplary method for adapting IPS rules based on mapping results, according to an embodiment of the present disclosure, is shown. Figure 8 Combination Figure 2 , Figure 4 and Figure 5 The following explanation is provided. At step 802, network device 200 may perform a check to determine whether there is a mapping between the CVE associated with the IPS rule and at least one of the CVEs in this set.
[0065] If the CVE associated with the IPS rule does not map to at least one CVE in the set of CVEs determined for each open port in the set of open ports, then at step 804, network device 200 can adapt the IPS rule by removing it from the IPS rule repository. However, if the CVE associated with the IPS rule maps to at least one CVE in the set of CVEs determined for each open port in the set of open ports, then at step 806, network device 200 can adapt the IPS rule by simplifying it. Simplifying the IPS rule can be done by replacing the destination host attribute in the IPS rule with the Internet Protocol (IP) address of each of the at least one port in the set of open ports at step 808.
[0066] As those skilled in the art will understand, the techniques described in the various embodiments discussed above are not conventional, or conventional, or well understood in the art.
[0067] Traditional Intrusion Prevention Systems (IPS) do not allow for the specific simplification of IPS rules tailored to the unique characteristics of communication networks. These systems apply broad-spectrum IPS rules covering different services and vulnerabilities, often resulting in rule redundancy and excessive memory consumption. This degrades network performance by increasing latency. While some IPS systems offer categorized rule sets for different security levels, they may still require manual intervention to remove irrelevant IPS rules—a time-consuming and error-prone process dependent on administrator expertise. Furthermore, traditional systems cannot adapt IPS rules based on actual network attributes, leading to the application of irrelevant IPS rules and the inability to address newly detected services or vulnerabilities.
[0068] The techniques discussed in this disclosure for preventing intrusions in communication networks address these challenges by retrieving at least one host attribute and port number for each open port within the network. The destination host attribute of the IPS rule is then matched against the host attribute of the opening. Based on this result, the IPS rule is deleted or removed. If a match is found, the rule is deleted by replacing the destination host attribute with the IP address of the open port, and then the rule is selectively applied.
[0069] The disclosed technology also involves determining a Common Platform Enumeration (CPE) for each service running on an open port and associating Common Vulnerabilities and Exposures (CVEs) with the CPE, allowing IPS rules to be adapted by mapping CVEs associated with the IPS rule to CVEs on the open port. If no CVE mapping is found, the IPS rule is removed. Alternatively, the IPS rule can be deleted, the target host attribute replaced with the IP address of the open port, and the rule can be selectively applied.
[0070] The above embodiments should be understood as illustrative examples of this disclosure. It should be understood that any feature described with respect to any embodiment may be used alone or in combination with other described features, and may also be used in combination with one or more features of any other embodiment or any combination of any other embodiment. Furthermore, equivalents and modifications not described above may be employed without departing from the scope of this disclosure as defined in the appended claims.
[0071] It should be understood that, for clarity, embodiments of this disclosure have been described above with reference to different functional units and processors. However, it will be clear that any suitable distribution of functionality among different functional units, processors, or domains may be used without departing from this disclosure. For example, a function shown to be performed by a separate processor or controller may be performed by the same processor or controller. Therefore, references to specific functional units are to be regarded only as references to suitable means for providing the described functionality, and not as indications of a strict logical or physical structure or organization.
[0072] Although this disclosure has been described in conjunction with some embodiments, it is not intended to limit it to the specific forms set forth herein. Rather, the scope of this disclosure is limited only by the claims. Furthermore, while features may appear to be described in conjunction with specific embodiments, those skilled in the art will recognize that different features of the described embodiments can be combined according to this disclosure.
[0073] Furthermore, although listed separately, multiple means, elements, or process steps may be implemented, for example, by a single unit or processor. Moreover, although individual features may be included in different claims, these features may be advantageously combined, and their inclusion in different claims does not imply that such a combination is infeasible and / or advantageous. Furthermore, including a feature in one class of claims does not imply a limitation on that class, but rather that the feature may be equally applicable to other claim classes, as appropriate.
Claims
1. A method (500) for preventing intrusion in a communication network, the method (500) comprising: For each open port in a set of open ports within the communication network (202), retrieve at least one host attribute and port number of the host associated with (502); Match the destination host attribute in the intrusion prevention system (IPS) rule with at least one host attribute associated with each of the set of open ports in the communication network (202) (504). Based on the matching result, adapt (506) the IPS rule; and Based on the adaptation, the IPS rules (508) are selectively applied in the communication network (202).
2. The method (500) according to claim 1, wherein, Adapting (506) the IPS rule includes: removing the IPS rule from the IPS rule repository (604) if the destination host attribute in the IPS rule does not match at least one host attribute associated with each of the open ports in the set of open ports in the communication network (202).
3. The method (500) according to claim 1, wherein, Adapting (506) the IPS rule includes: simplifying (606) the IPS rule based on the matching of the destination host attribute with at least one host attribute associated with at least one open port from the set of open ports in the communication network (202).
4. The method (500) according to claim 3, wherein, Simplifying the IPS rule (606) includes replacing (608) the destination host attribute in the IPS rule with the Internet Protocol (IP) address of each of the at least one open port.
5. The method (500) according to claim 1, wherein, The search includes: for each of the set of open ports, identifying the common platform enumeration (CPE) of the service running on the corresponding open port, and a set of common vulnerabilities and exposures (CVEs) associated with the CPE.
6. The method (500) according to claim 5, wherein, The matching also includes mapping the CVE associated with the IPS rule to the set of CVEs determined for each of the set of open ports when the destination host attribute in the IPS rule matches at least one host attribute associated with at least one open port from the set of open ports.
7. The method (500) according to claim 6, wherein, Adapting the IPS rule includes removing the IPS rule if no mapping is formed between the CVE associated with the IPS rule and each CVE in the set of CVEs determined for each open port in the set of open ports.
8. The method (500) according to claim 6, wherein, Adapting the IPS rules includes: simplifying the IPS rules based on the mapping between the CVE associated with the IPS rules and at least one CVE in the set of CVEs determined for at least one open port in the set of open ports.
9. The method (500) according to claim 8, wherein, Simplifying the IPS rules includes replacing the destination host attribute in the IPS rules with the IP address of each of the at least one open port.
10. A method (700) for preventing intrusion in a communication network, the method (700) comprising: For each open port in a set of open ports within the communication network (202), determine (702) the common platform enumeration (CPE) of the service running on the corresponding open port and a set of common vulnerabilities and exposures (CVE) associated with the CPE. Map the CVE associated with the Intrusion Prevention System (IPS) rule to the set of CVEs determined for each open port in the set of open ports (706). Based on the mapping result, adapt the IPS rule (708); and Based on the adaptation, the IPS rules (710) are selectively applied in the communication network (202).
11. The method (700) according to claim 10, further comprising: Extract (704) the CVE associated with the IPS rule from the IPS rule that includes the CVE.
12. The method (700) according to claim 10, further comprising: Extract the CVE associated with the IPS rule based on the Snouter Identifier (SID) in the IPS rule.
13. The method (700) according to claim 10, wherein, Adapting (708) the IPS rule includes: removing the IPS rule (804) if no mapping is formed between the CVE associated with the IPS rule and each CVE in the set of CVEs determined for each open port in the set of open ports.
14. The method (700) according to claim 10, wherein, Adapting (708) the IPS rule includes: simplifying (802) the IPS rule based on the mapping between the CVE associated with the IPS rule and at least one CVE in the set of CVEs determined for at least one open port from the set of open ports.
15. The method (700) according to claim 14, wherein, Simplifying the IPS rule (802) includes replacing (808) the destination host attribute in the IPS rule with the Internet Protocol (IP) address of each of the at least one open port.
16. A network device (200), comprising: Processor (204); as well as A memory (206) communicatively connected to the processor (204) and including processor instructions that, when executed by the processor (204), cause the processor (204) to: For each open port in a set of open ports within the communication network (202), retrieve at least one host attribute and port number of the associated host; Match the destination host attribute in the intrusion prevention system (IPS) rule with at least one host attribute associated with each of the set of open ports in the communication network (202); Based on the matching results, adapt the IPS rules; and Based on the adaptation, the IPS rules are selectively applied in the communication network (202).
17. The network device (200) according to claim 16, wherein, In order to adapt to the IPS rule, the processor instruction further causes the processor (204) to remove the IPS rule from the IPS rule repository if the destination host attribute in the IPS rule does not match at least one host attribute associated with each of the set of open ports in the communication network (202).
18. The network device (200) according to claim 16, wherein, To adapt to the IPS rules, the processor instructions further cause the processor (204) to simplify the IPS rules based on the matching of the destination host attribute with at least one host attribute associated with at least one open port from the set of open ports in the communication network (202).
19. The network device (200) according to claim 18, wherein, in order to simplify the IPS rules, the processor instructions further cause the processor (204) to replace the destination host attribute in the IPS rules with the Internet Protocol (IP) address of each of the at least one open port.
20. A network device (200), comprising: Processor (204); as well as A memory (206) communicatively connected to the processor (204) and including processor instructions that, when executed by the processor (204), cause the processor (204) to: For each open port in a set of open ports within the communication network (202), identify a common platform enumeration (CPE) for services to run on the corresponding open port and a set of common vulnerabilities and exposures (CVEs) associated with the CPE. Map the CVE associated with the Intrusion Prevention System (IPS) rules to the set of CVEs determined for each open port in the set of open ports; Based on the mapping results, adapt the IPS rules; and Based on the adaptation, the IPS rules are selectively applied in the communication network (202).
21. The network device (200) according to claim 20, wherein, In order to adapt to the IPS rule, the processor instruction further causes the processor (204) to remove the IPS rule if no mapping is formed between the CVE associated with the IPS rule and each of the CVEs in the set of CVEs determined for each of the set of open ports.
22. The network device (200) according to claim 20, wherein, To adapt to the IPS rules, the processor instructions further cause the processor (204) to simplify the IPS rules based on the mapping between the CVE associated with the IPS rules and at least one CVE in the set of CVEs determined for at least one open port from the set of open ports.
23. The network device (200) according to claim 22, wherein, To streamline the IPS rules, the processor instructions further cause the processor (204) to replace the destination host attribute in the IPS rules with the Internet Protocol (IP) address of each of the at least one open port.