Using Regexps To Search IDS Data -- Patented
MiniGhost writes "Well... the USPTO is at it again! A recent search of their online patent database reveals a new patent issued on Nov 26, 2002. Apparently Cisco has been issued patent #6,487,666, titled 'Intrusion detection signature analysis using regular expressions and logical operators.' So now they are claiming patent rights on the use of regular expressions and logical operators for IDS usage. It's only a matter of time before some corporation patents the stick man now!!"
This must be why the Slashdot search sucks so much. They can't use regexps to do it!
Why not fork?
I'm sorry... but I know there is prior art...... I wrote some stuff using grep four years ago to sift through packets that had set off portsentry. Seriously.... I have a book I got about six months ago... I think it's a CERT book... I don't really remember, but it discusses doing that kind of stuff. I wonder what Cisco is going to try to do with all this? Hit the Linux IDS developing people with a DMCA violation/suit or some crazy shit like that? It will only make sense because Linux is getting to be way more powerful than PIX.
I wonder how Cisco plans to abuse this patent... besides... let's start collecting prior art so the patent can be challenged...
And there will be Joy...
Hmmm...patents on search technology...hmmm...
Do you think I could patent the same technology that the USPTO uses to search patents?
I'd love to have them pay me royalties on the use of "a technology for the search of patents by persons looking through paper or microfilm or computer indexed catalogs of all patents".
Really, though. With all the backlog and what not, what would happen if one of the IT persons at the USPTO came up with an innovative idea for searching patents? Suppose a company did?
[I've been developing a patent searching tool lately that I call grep in case you were wondering.]
"Provided by the management for your protection."
That's not the patent. If you read the patent, what they've done is created an abstraction for describing intrusion signatures, and integrated this into regular and logical expressions. What they are really patenting are the new regular expression identifiers used to represent their pre-determined "signature events". This boils down to packet types, sequence of packet types, and other specific events they deem necessary to identify an intrusion. These events and the "view" at which they look at the sequence of packets is what's so key to this patent.
They could have hooked this into an SQL-like expression, and patented it as extension objects to SQL. But Regular expressions obviously work much better.
This is a rather simple, yet great, idea. It should have been done before, yet it wasn't. Kudos to the people who thought about it, and imo, they deserve a patent on it.
They are _not_ patenting Regular Expressions or Regular Expressions that run against packet data. Again, it's the fundamental "signature" events they are patenting. Much like a new programming language patenting some proprietary classes.
-malakai
-Malakai
A Dragon Lives in my Garage
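An added illustration of the idea the comment above describes (regular expressions over a stream of named events, combined with logical operators to raise alerts). It is not code from the patent, from Cisco, or from the commenter; the event names, symbols, signatures and sample records are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Hypothetical event vocabulary: one symbol per pre-classified event.
EVENT_SYMBOL = {
    "SYN": "S", "ACK": "A", "RST": "R",
    "LOGIN_FAIL": "L", "LOGIN_OK": "O",
}

# Constructed sample input (source address, event); not real traffic.
PACKETS = [
    ("10.0.0.5", "SYN"), ("10.0.0.5", "RST"),
    ("10.0.0.9", "SYN"), ("10.0.0.9", "ACK"),
    ("10.0.0.5", "SYN"), ("10.0.0.5", "RST"),
    ("10.0.0.9", "LOGIN_FAIL"), ("10.0.0.9", "LOGIN_FAIL"),
    ("10.0.0.7", "SYN"), ("10.0.0.7", "ACK"),
    ("10.0.0.5", "SYN"), ("10.0.0.5", "RST"),
    ("10.0.0.9", "LOGIN_FAIL"), ("10.0.0.9", "LOGIN_OK"),
    ("10.0.0.7", "LOGIN_FAIL"), ("10.0.0.7", "LOGIN_OK"),
]

# Regexes match sequences of event symbols, not raw packet bytes.
REFUSED_RUN = re.compile(r"(?:SR){3,}")    # three or more SYNs each met by RST
FAIL_RUN = re.compile(r"L{3,}")            # three or more failed logins in a row
FAILS_THEN_OK = re.compile(r"L{3,}O")      # ...immediately followed by a success

# Each signature combines regex matches with and / or / not.
SIGNATURES = {
    "refused_connection_sweep":
        lambda s: bool(REFUSED_RUN.search(s)) and "A" not in s,
    "repeated_failures_then_login":
        lambda s: bool(FAILS_THEN_OK.search(s)),
    "repeated_failures_no_login":
        lambda s: bool(FAIL_RUN.search(s)) and "O" not in s,
}

def event_streams(packets):
    """Collapse records into one symbol string per source, in arrival order."""
    streams = defaultdict(str)
    for src, event in packets:
        streams[src] += EVENT_SYMBOL[event]
    return dict(streams)

def alerts(packets):
    """Return (source, signature name) for every signature that fires."""
    return [(src, name)
            for src, stream in sorted(event_streams(packets).items())
            for name, matches in SIGNATURES.items() if matches(stream)]

if __name__ == "__main__":
    for src, name in alerts(PACKETS):
        print(f"ALERT {name} from {src}")
```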
Cisco can have my regexps when they pry them from my cold, dead hands.
Wait, I have carpal.
Cisco can have my regexps when they pry them from my dead hands.
best web host ever
Hmmm, from what I read if I write a shell script that uses grep, awk and maybe a little sed to hash my /var/log directory I am in violation of their patent?!?!?!?! Give me a break, as stated before the USPTO needs a massive overhaul, not to mention someone needs to question the ethics of those who patent common procedures.
If you read the patent that is linked they are not patenting the use of regular expressions in any way shape or form. They have a patent on searching technology "similar" to regular expressions.
you typed all that with one hand? damn you're good!
:P
no, i don't mb either
READ THE DAMN PATENT!
(yes, I know that you'll need to copy the patent number into the search box, because the link is wrong, or just use the link provided here)
Now also, they aren't patenting the use of regexps in searching logs, they're patenting the use of Regexps in conjunction with logical operations in **Generating** alerts. What I'd be interested in seeing is how this impacts what Snort is doing, and has been doing for quite some time now.
I will not give in to the terrorists. I will not become fearful.
In this particular case you have just four criteria in claim 1, and they are pretty unspecific, so it is a patent possibly dangerous to many people. There are two additional independent claims 4 and 7, which you can view as different additional claims that were put into the patent to widen its scope. The rest of the patent just clarifies and specializes these independent claims.
It is the examiner's job to narrow the claims as much as possible, and the applicant usually wants to have them as wide as possible. Here, definitely the applicants did a better job than the examiner.
From what I see, there is no real invention here, but that is true for most of the so-called IT-Patents, and this one is not a particularly bad example, it is merely a typical patent you often have to write because the competition does it too.
p.
Without order, nothing can exist. Without chaos, nothing can be created.
"simultaneously handling multiple objects for use in developing chemical substitutes for products commonly used to cook"?
No...
Maybe you mean "^s\w+ing$" my "[dc]\w+k$"? But that doesn't make sense... why would they want a patent on stewing your duck?
-- 'The' Lord and Master Bitman On High, Master Of All
It's a pretty important duck. Or at least, that is what he'd have me believe.
But nonetheless, as soon as this is resolved, he gets the pot.
Keep your packets off my GNU/Girlfriend!
ngrep and every program that uses it come to mind.
grep -ri 'should work'