Slashdot Mirror


Using regexp's To Search IDS Data -- Patented

MiniGhost writes "Well... the USPTO is at it again! A recent search of their online patent database reveals a new patent issued on Nov 26, 2002. Apparently cisco has been issued patent #6,487,666, titled 'Intrusion detection signature analysis using regular expressions and logical operators.' So now they are claiming patent rights on the use of regular expressions and logical operators for IDS usage. It's only a matter of time before some corporation patents the stick man now!!"

43 comments

  1. New National Motto! by unterderbrucke · · Score: 1

    "The Nation of No Common Sense (whatsoever)"

    1. Re:New National Motto! by k_stamour · · Score: 1

      Is it me or is Cisco becoming MS-like? Also, what other non-Cisco IDS systems might this affect? (financially/legally)

      --
      Julius Caesar - Act I, Scene i: "What mean'st thou by that? Mend me, thou saucy fellow!"
    2. Re:New National Motto! by invenustus · · Score: 2

      ngrep and every program that uses it come to mind.

      --
      grep -ri 'should work' /usr/src/linux | wc -l
  2. So by CableModemSniper · · Score: 2, Funny

    this must be why the slashdot search sucks so much. They can't use regexprs to do it!

    --
    Why not fork?
    1. Re:So by Anonymous Coward · · Score: 0

      you hafta order by score not by date

    2. Re:So by TerryAtWork · · Score: 2

      It's not /. search that sucks so much as SourceForge....

      --
      It's Christmas everyday with BitTorrent.
  3. Stick man? by jeffy124 · · Score: 1

    +-----+
    | \o/ |
    |  |  |
    |  -  |
    | / \ |
    +-----+

    Ha! How 'bout a stick man in a box! Sure beats having to deal with the lameness filter, AND I can now claim prior art whenever the need arises.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:Stick man? by Lord+Bitman · · Score: 1

      "ZzzzzzzZzzzzz" is hit by the lameness filter and a stick man in a box gets through? BOOOooo!

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    2. Re:Stick man? by gwynnebaer · · Score: 1

      That's strange, I see a cyclops with a long nose, closed lips, and a goatee. Maybe I can patent it both ways and say it's different.

  4. Cisco is a bunch of weasels by LWolenczak · · Score: 2

    I'm sorry... but I know there is prior art...... I wrote some stuff using grep four years ago to sift through packets that had set off portsentry. Seriously.... I have a book I got about six months ago... I think it's a CERT book... I don't really remember, but it discusses doing that kind of stuff. I wonder what cisco is going to try to do with all this? Hit the linux ids developing people with a DMCA violation/suit or some crazy shit like that? It will only make sense because linux is getting to be way more powerful than pix.

    I wonder how cisco plans to abuse this patent... besides... let's start collecting prior art so the patent can be challenged...

    And there will be Joy...

    1. Re:Cisco is a bunch of weasels by MiniGhost · · Score: 1

      One would really wonder if they even will. I mean regular expressions have been used for parsing log files for decades. It's nothing new. And I know they have been used for quite a while as well.

  5. Pay attention... by Anonymous Coward · · Score: 0

    ...to the fact that the id# ends with the number of the beast! Evil!

  6. Jurassic Grep by 4of12 · · Score: 2

    Hmmm...patents on search technology...hmmm...

    Do you think I could patent the same technology that the USPTO uses to search patents?

    I'd love to have them pay me royalties on the use of "a technology for the search of patents by persons looking through paper or microfilm or computer indexed catalogs of all patents".

    Really, though. With all the backlog and what not, what would happen if one of the IT persons at the USPTO came up with an innovative idea for searching patents? Suppose a company did?

    [I've been developing a patent searching tool lately that I call grep in case you were wondering.]

    --
    "Provided by the management for your protection."
    1. Re:Jurassic Grep by Anonymous Coward · · Score: 0

      They're a government agency; the patent wouldn't apply to them unless a separate company licenses the technology.

  7. Not quite... by malakai · · Score: 5, Informative
    So now they are claiming patent rights on the use of regular expressions and logical operators for IDS usage.

    That's not the patent. If you read the patent, what they've done is created an abstraction for describing intrusion signatures, and integrated this into regular and logical expressions. What they are really patenting are the new regular expression identifiers used to represent their pre-determined "signature events". This boils down to packet types, sequence of packet types, and other specific events they deem necessary to identify an intrusion. These events and the "view" at which they look at the sequence of packets is what's so key to this patent.

    They could have hooked this into SQL-like expressions, and patented it as extension objects to SQL. But Regular expressions obviously work much better.

    This is a rather simple, yet great, idea. It should have been done before, yet it wasn't. Kudos to the people who thought about it, and imo, they deserve a patent on it.

    They are _not_ patenting Regular Expressions or Regular Expressions that run against packet data. Again, it's the fundamental "signature" events they are patenting. Much like a new programming language patenting some proprietary classes.

    -malakai

    1. Re:Not quite... by Twirlip+of+the+Mists · · Score: 4, Insightful

      I'm glad there are still people out there who evaluate the merits of patents based on reading them, rather than based merely on the titles. Bravo.

      You, sir, just made my friends list.

      --

      I write in my journal
    2. Re:Not quite... by MeanMF · · Score: 1

      This really does sound like a good way to build attack signatures into your intrusion detection system. It makes the task of creating and adding new signatures much easier. Too bad Cisco had to come up with it... Their software is generally a real pain in the ass to deal with.

    3. Re:Not quite... by MacAndrew · · Score: 2

      Thank you also! Sometimes a surface reading is highly misleading, or a misinterpretation easy to make. I'll look for more on this. (I guess I, too, could read the patent, but that's too much like work.)

      In the spirit of Slashdot I do have to say you are an fscking moron of questionable parentage -- but you understand it's nothing personal. :)

    4. Re:Not quite... by Yuan-Lung · · Score: 1

      I am glad to know that... what would the world be like if a man can't grep his log without paying a royalty?

    5. Re:Not quite... by miu · · Score: 1
      They are _not_ patenting Regular Expressions or Regular Expressions that run against packet data. Again, it's the fundamental "signature" events they are patenting. Much like a new programming language patenting some proprietary classes.

      I've used packet content and state signatures to generate events for proxies or FSM transitions for quite some time. A match-event pairing seems a natural way to achieve this.

      I agree it is not like they are patenting 'grep', but this is a new application of an old idea, rather than a new idea.

      --

      [Set Cain on fire and steal his lute.]
    6. Re:Not quite... by Anonymous Coward · · Score: 0
      They patented the idea of giving names (sorry, "signatures") to regexps or groups of regexps. It was done before.

      Patenting programming classes is beyond what the patent office has ever done.

    7. Re:Not quite... by Alsee · · Score: 2

      I read the patent and I am a programmer. I am not a patent lawyer nor an IDS specialist. If there is something actually new and interesting that I missed, someone PLEASE tell me. It was a pain trying to read it, and it looks like total crap to me.

      As far as I can tell the patent is on combining regular expressions with logical operators.

      RedEx(packet_looks_suspicious) AND NOT RexEx(good_packet_that_somtimes_looks_supicious)

      This is absurd. RegExes are basic to IDS. Programming is little more than combining things with logical operators. They elaborate with further claims on doing this in MEMORY (what a novel concept!) and using it to control a PROGRAM (Holy innovations Batman!).

      I guarantee that regular expressions have been combined with logical operators a million times before, and I'd be shocked if it has never been used in IDS before.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    8. Re:Not quite... by Alsee · · Score: 2

      Just clearing up a double typo:

      RegEx(packet_looks_suspicious) AND NOT RegEx(good_packet_that_somtimes_looks_supicious)

      I meant RegEx - regular expressions.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  8. Shhhhh! by Anonymous Coward · · Score: 0

    It's only a matter of time before some corporation patents the stick man now!!

    Quit giving them obvious ideas!!

  9. Patent Schmatent. by immanis · · Score: 2, Funny

    Cisco can have my regexps when they pry them from my cold, dead hands.

    Wait, I have carpal.

    Cisco can have my regexps when they pry them from my dead hands.

  10. Grep, Awk, some Shell and /var/log/* by jsimon12 · · Score: 2

    Hmmm, from what I read if I write a shell script that uses grep, awk and maybe a little sed to hash my /var/log directory I am in violation of their patent?!?!?!?! Give me a break, as stated before the USPTO needs a massive overhaul, not to mention someone needs to question the ethics of those who patent common procedures.

  11. I'm off to file a patent form... by jpsst34 · · Score: 1, Funny

    ...for the most widely used thing in the world. If an action can be patented, and it can, then I aim to patent masturbation - in all forms - male, female, mutual, etc. Everybody does it. Those who admit it will have to pay royalties to me, and those who don't admit it will be sued because they are liars and are not paying royalties.

    1. patent masturbation
    2. hope porn sites exist on the internet
    3. wait...
    4. wait...
    5. not yet!
    6. just a minute
    7. Profit!!!!!!!!

    Ahhhh. Now give me royalties.

    --
    How are you going to keep them down on the farm once they've seen Karl Hungus?
  12. stick man by Pentagon13 · · Score: 1
    only a matter of time before some corporation patents the stick man now!

    I believe Roger Myers already has the copyright on the stick man, except he called it Manic Mailman.

  13. THE SUBMISSION IS NOT ACCURATE... by shaitand · · Score: 2

    If you read the patent that is linked they are not patenting the use of regular expressions in any way shape or form. They have a patent on searching technology "similar" to regular expressions.

    1. Re:THE SUBMISSION IS NOT ACCURATE... by mhesseltine · · Score: 2

      You're kind of new here, aren't you? This is par for the course. Welcome to /.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
  14. Shennanigans! by Anonymous Coward · · Score: 0

    I think it's about time for everybody to declare Shennanigans! on IP patents. You know what? Ideas aren't very hard to come up with, you know. In fact, all it requires is thinking, which is what the human brain does in its spare time. In fact, the term "Intellectual Property" seems to be an oxymoron. Property implies ownership, and just because you thought of it first doesn't mean you own an idea. As soon as you've let that idea escape your little noggin (And don't fool yourself: Your brain is minuscule. Tiny in fact, compared to the lump of rock that it's sitting on), it's no longer yours! Somebody else's brain has interpreted it, and now has its own version of it. Gah! I'm fed up with money-grubbing corporations.

  15. Bwahahahahaha by __aafkqj3628 · · Score: 1

    Don't worry, I'll get to that stick man first!!!

    I'm curious though, does this US patent affect me in New Zealand?

    1. Re:Bwahahahahaha by meowsqueak · · Score: 1

      I can't speak for this particular patent, but a US patent will only affect you if you are operating within the US jurisdiction (for example exporting goods to the USA). US patents generally will not affect you in NZ unless they have taken out a patent there also.

      My understanding is that there is no such thing as a 'global' patent - you have to register your invention in every country you have an interest in. It gets quite costly.

  16. oops.. by zoloto · · Score: 2, Funny

    you typed all that with one hand? damn you're good!

    no, i don't mb either :P

  17. Question: by Hubert_Shrump · · Score: 1, Flamebait

    Do they have a patent on ^s.*ing$ my ^[dc].*k$ ?

    --
    Keep your packets off my GNU/Girlfriend!
    1. Re:Question: by Lord+Bitman · · Score: 2

      "simultaneously handling multiple objects for use in developing
      chemical substitutes for products commonly used to cook"?
      No...

      Maybe you mean "^s\w+ing$" my "[dc]\w+k$"? But that doesn't make sense... why would they want a patent on stewing your duck?

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    2. Re:Question: by Hubert_Shrump · · Score: 2

      It's a pretty important duck. Or at least, that is what he'd have me believe.

      But nonetheless, as soon as this is resolved, he gets the pot.

      --
      Keep your packets off my GNU/Girlfriend!
  18. really now by spikedvodka · · Score: 2, Interesting

    READ THE DAMN PATENT!
    (yes, I know that you'll need to copy the patent number into the search box, because the link is wrong, or just Use the link provided here)

    Now also, they aren't patenting the use of regexps in searching logs, they're patenting the use of Regexps in conjunction with logical operations in **Generating** alerts. What I'd be interested in seeing is how this impacts what snort is doing, and has been doing for quite some time now.

    --
    I will not give in to the terrorists. I will not become fearful.
    1. Re:really now by idontgno · · Score: 1
      Thanks for the link. The patent itself seems, to me, to be both interesting, and not novel. It doesn't seem to be a threat to using REs in most contexts, either, for all you awk/grep/perl freaks (my brothas!) out there.

      But signature REs and logical expressions? Most signature-based stream matching works that way. Antivirus, pre-existing IDS, even (as many have pointed out) most perl log-analysis tools. I suspect that this should wither at the first touch of prior art. Assuming someone with more courage than money gets to be the lucky first victim.

      Hmmm... I can't recall right away. What's Cisco's general history with respect to IP issues? Something about U-Cal-Berkeley copyrights comes to mind for some reason...

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:really now by Black+Copter+Control · · Score: 2
      What I'd be interested in seeing is how this impacts what snort is doing, and has been doing for quite some time now.

      If it does, then snort is the prior art. The more specific requirements are: using regular expressions to identify

      • a packet type.
      • a sequence of packets.
      • a signature-related event.
      The last two claims entail compiling the ruleset and keeping it in memory. If snort does all of this (I think it does), then the next questions are:

      1: was it done before Jan 15, 2002, or was the possibility of doing so done (publicly) before Jan 15, 2002? If that occurred, then Snort (or the snort mailing list where the possibility was explored) would be the prior art that eats this patent.

      Yes, discussing the possibility counts as prior art. The best example of that was when the patent for waterbeds was wiped out by Heinlein's description in "Stranger in a Strange Land".

      --
      OS Software is like love: The best way to make it grow is to give it away.
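    The mechanism malakai, Alsee and Black Copter Control describe above (named signature events as regex tokens bound to a packet type, combined with AND/NOT and across an ordered sequence of packets, with the ruleset compiled once and held in memory), as an added example that is not from the thread, from Snort or from the patent: the event names, addresses and packets are all constructed.

```python
import re
from collections import namedtuple
# A packet here is just a constructed record; nothing is decoded from real traffic.
Packet = namedtuple("Packet", "ptype src payload")

# Named signature events (hypothetical names): a packet type ("*" = any) plus a regex
# over the packet's text line, compiled once up front, i.e. the ruleset lives in memory.
EVENTS = {
    "HTTP_TRAVERSAL": ("tcp",  re.compile(r"(GET|POST) \S*(\.\./){2,}")),
    "ICMP_ECHO":      ("icmp", re.compile(r"\becho-request\b")),
    "MONITOR_HOST":   ("*",    re.compile(r"^src=10\.0\.0\.5 ")),  # constructed address
}

# Signatures combine events with logical operators: AND over all_of, NOT over none_of
# (Alsee's "RegEx(bad) AND NOT RegEx(ok)"), or an ordered sequence of events across packets.
SIGNATURES = {
    "DIR_TRAVERSAL": {"all_of": ["HTTP_TRAVERSAL"], "none_of": ["MONITOR_HOST"]},
    "PING_SWEEP":    {"sequence": ["ICMP_ECHO"] * 3, "none_of": ["MONITOR_HOST"]},
}

def events_for(pkt):
    """Return the set of event names that fire on one packet."""
    line = f"src={pkt.src} {pkt.payload}"       # the text the regexes run over
    return {name for name, (ptype, rx) in EVENTS.items()
            if ptype in ("*", pkt.ptype) and rx.search(line)}

def evaluate(packets):
    """Run every signature over a packet stream; return (packet index, signature) alerts."""
    alerts = []
    progress = {n: 0 for n, s in SIGNATURES.items() if "sequence" in s}
    for i, pkt in enumerate(packets):
        fired = events_for(pkt)
        for name, sig in SIGNATURES.items():
            if set(sig.get("none_of", [])) & fired:
                continue                           # NOT clause: packet cannot contribute
            if "sequence" in sig:                  # per-signature state machine
                if sig["sequence"][progress[name]] in fired:
                    progress[name] += 1            # unrelated packets in between are tolerated
                    if progress[name] == len(sig["sequence"]):
                        alerts.append((i, name))
                        progress[name] = 0
            elif set(sig["all_of"]) <= fired:      # AND clause
                alerts.append((i, name))
    return alerts

# Constructed sample stream, not captured traffic.
SAMPLE = [
    Packet("tcp",  "192.0.2.7", "GET /index.html HTTP/1.0"),
    Packet("tcp",  "192.0.2.7", "GET /cgi-bin/../../../etc/passwd HTTP/1.0"),
    Packet("icmp", "10.0.0.5",  "echo-request seq=1"),   # our own monitoring host: excluded
    Packet("icmp", "192.0.2.7", "echo-request seq=1"),
    Packet("icmp", "192.0.2.7", "echo-request seq=2"),
    Packet("icmp", "192.0.2.7", "echo-request seq=3"),
]
```

    Running evaluate(SAMPLE) raises DIR_TRAVERSAL on packet 1 and PING_SWEEP on packet 5; the echo-request from the excluded monitoring host neither alerts nor advances the sequence.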
  19. it's worse than the poster thought... by Anonymous Coward · · Score: 0
    They patented using a lexer/parser state machine combo to detect [network] events. Where's the innovation? This is insulting.
    The above examples use various identifiers and logical symbols to illustrate the use of regular expressions and logical operators. It should be understood that any other type of "token", such as those already familiar to computer programmers, could be used. These additional tokens include a vast variety of reserved words, numerical constants, strings, and punctuation.

    The use of regular expressions to represent signatures permits a compiler or other lexical analyzer to be written. In general, a process can be written for both recognizing and evaluating the above-described identifiers, special symbols, or other tokens.

    Hello? Please tell me they didn't realize they were trying to patent using flex/bison.
  20. Crappy moderators! That's FUNNY! by cryofan2 · · Score: 1

    it's not flamebait--it's funny!

  21. It is a pretty broad patent... by parabyte · · Score: 2
    To find out what a patent is about and who will be affected, you have to read the first claim, find possibly other independent claims and ask yourself what kind of system will have all of these properties mentioned in one of these independent claims.

    In this particular case you have just four criteria in claim 1, and they are pretty unspecific, so it is a patent possibly dangerous to many people. There are two additional independent claims 4 and 7, which you can view as different additional claims that were put into the patent to widen its scope. The rest of the patent just clarifies and specializes these independent claims.

    It is the examiner's job to narrow the claims as much as possible, and the applicant usually wants to have them as wide as possible. Here, definitely the applicants did a better job than the examiner.

    From what I see, there is no real invention here, but that is true for most of the so called IT-Patents, and this one is not a particularly bad example, it is merely a typical patent you often have to write because the competition does it too.

    p.

    --
    Without order, nothing can exist. Without chaos, nothing can be created.