Using regexp's To Search IDS Data -- Patented

MiniGhost writes "Well... the USPTO is at it again! A recent search of their online patent database reveals a new patent issued on Nov 26, 2002. Apparently Cisco has been issued patent #6,487,666, titled 'Intrusion detection signature analysis using regular expressions and logical operators.' So now they are claiming patent rights on the use of regular expressions and logical operators for IDS usage. It's only a matter of time before some corporation patents the stick man now!!"
  • "The Nation of No Common Sense (whatsoever)"
  • So (Score:2, Funny)

    This must be why the Slashdot search sucks so much. They can't use regexprs to do it!
  • +-----+
    | \o/ |
    | | |
    | - |
    | / \ |
    +-----+

    Ha! How 'bout a stick man in a box! Sure beats having to deal with the lameness filter, AND I can now claim prior art whenever the need arises.
  • I'm sorry... but I know there is prior art...... I wrote some stuff using grep four years ago to sift through packets that had set off portsentry. Seriously.... I have a book I got about six months ago... I think it's a CERT book... I don't really remember, but it discusses doing that kind of stuff. I wonder what Cisco is going to try to do with all this? Hit the Linux IDS developing people with a DMCA violation/suit or some crazy shit like that? It will only make sense because Linux is getting to be way more powerful than PIX.

    I wonder how Cisco plans to abuse this patent... besides... let's start collecting prior art so the patent can be challenged...

    And there will be Joy...

  • Hmmm...patents on search technology...hmmm...

    Do you think I could patent the same technology that the USPTO uses to search patents?

    I'd love to have them pay me royalties on the use of "a technology for the search of patents by persons looking through paper or microfilm or computer indexed catalogs of all patents".

    Really, though. With all the backlog and what not, what would happen if one of the IT persons at the USPTO came up with an innovative idea for searching patents? Suppose a company did?

    [I've been developing a patent searching tool lately that I call grep in case you were wondering.]

  • Not quite... (Score:5, Informative)

    by malakai ( 136531 ) on Monday December 09, 2002 @04:18PM (#4846083) Journal
    So now they are claiming patent rights on the use of regular expressions and logical operators for IDS usage.

    That's not the patent. If you read the patent, what they've done is created an abstraction for describing intrusion signatures, and integrated this into regular and logical expressions. What they are really patenting are the new regular expression identifiers used to represent their pre-determined "signature events". This boils down to packet types, sequence of packet types, and other specific events they deem necessary to identify an intrusion. These events and the "view" at which they look at the sequence of packets is what's so key to this patent.

    They could have hooked this into SQL-like expressions, and patented it as extension objects to SQL. But Regular expressions obviously work much better.

    This is a rather simple, yet great, idea. It should have been done before, yet it wasn't. Kudos to the people who thought about, and imo, they deserve a patent on it.

    They are _not_ patenting Regular Expressions or Regular Expressions that run against packet data. Again, it's the fundamental "signature" events they are patenting. Much like a new programming language patenting some proprietary classes.

    -malakai

    • Re:Not quite... (Score:4, Insightful)

      by Twirlip of the Mists ( 615030 ) <twirlipofthemists@yahoo.com> on Monday December 09, 2002 @04:21PM (#4846102)
      I'm glad there are still people out there who evaluate the merits of patents based on reading them, rather than based merely on the titles. Bravo.

      You, sir, just made my friends list.
    • This really does sound like a good way to build attack signatures into your intrusion detection system. It makes the task of creating and adding new signatures much easier. Too bad Cisco had to come up with it... Their software is generally a real pain in the ass to deal with.
    • Thank you also! Sometimes a surface reading is highly misleading, or a misinterpretation easy to make. I'll look for more on this. (I guess I, too, could read the patent, but that's too much like work.)

      In the spirit of Slashdot I do have to say you are an fscking moron of questionable parentage -- but you understand it's nothing personal. :)
    • I am glad to know that... what would the world be like if a man can't grep his log without paying a loyalty?

    • They are _not_ patenting Regular Expressions or Regular Expressions that run against packet data. Again, it's the fundamental "signature" events they are patenting. Much like a new programming language patenting some proprietary classes.

      I've used packet content and state signatures to generate events for proxies or FSM transitions for quite some time. A match-event pairing seems a natural way to achieve this.

      I agree it is not like they are patenting 'grep', but this is a new application of an old idea, rather than a new idea.

    • I read the patent and I am a programmer. I am not a patent lawyer nor an IDS specialist. If there is something actually new and interesting that I missed, someone PLEASE tell me. It was a pain trying to read it, and it looks like total crap to me.

      As far as I can tell the patent is on combining regular expressions with logical operators.

      RedEx(packet_looks_suspicious) AND NOT RexEx(good_packet_that_somtimes_looks_supicious)

      This is absurd. RegEx's are a basic to IDS. Programming is little more than combining things with logical operators. They elaborate with further claims on doing this in MEMORY (what a novel concept!) and using it to control a PROGRAM (Holy innovations Batman!).

      I guarantee that regular expressions have been combined with logical operators a million times before, and I'd be shocked if it has never been used in IDS before.

      -
      • Just clearing up a double typo:

        RegEx(packet_looks_suspicious) AND NOT RegEx(good_packet_that_somtimes_looks_supicious)

        I meant RegEx - regular expressions.

        -
  • Cisco can have my regexps when they pry them from my cold, dead hands.

    Wait, I have carpal.

    Cisco can have my regexps when they pry them from my dead hands.

  • Hmmm, from what I read if I write a shell script that uses grep, awk and maybe a little sed to hash my /var/log directory I am in violation of their patent?!?!?!?! Give me a break, as stated before the USPTO needs a massive overhaul, not to mention someone needs to question the ethics of those who patent common procedures.
  • ...for the most widely used thing in the world. If an action can be patented, and it can [slashdot.org], then I aim to patent masturbation - in all forms - male, female, mutual, etc. Everybody does it. Those who admit will have to pay royalties to me, and those who don't admit it will be sued because they are liars and are not paying royalties.

    1. patent masturbation
    2. hope porn sites exist on the internet
    3. wait...
    4. wait...
    5. not yet!
    6. just a minute
    7. Profit!!!!!!!!


    Ahhhh. Now give me royalties.
  • only a matter of time before some corporation patents the stick man now!

    I believe Roger Myers already has the copyright on the stick man, except he called it Manic Mailman [snpp.com].

  • If you read the patent that is linked they are not patenting the use of regular expressions in any way shape or form. They have a patent on searching technology "similar" to regular expressions.
  • Don't worry, I'll get to that stick man first!!!

    I'm curious though, does this US patent affect me in New Zealand?
    • I can't speak for this particular patent, but a US patent will only affect you if you are operating within the US jurisdiction (for example exporting goods to the USA). US patents generally will not affect you in NZ unless they have taken out a patent there also.

      My understanding is that there is no such thing as a 'global' patent - you have to register your invention in every country you have an interest in. It gets quite costly.

  • Question: (Score:1, Flamebait)

    Do they have a patent on ^s.*ing$ my ^[dc].*k$ ?

  • really now (Score:2, Interesting)

    by spikedvodka ( 188722 )
    READ THE DAMN PATENT!
    (yes, I know that you'll need to copy the patent number into the search box, because the link is wrong, or just use the link provided here [uspto.gov])

    Now also, they aren't patenting the use of regexps in searching logs, they're patenting the use of Regexps in conjunction with logical operations in **Generating** alerts. What I'd be interested in seeing is how this impacts what snort is doing, and has been doing for quite some time now.
    • Thanks for the link. The patent itself seems, to me, to be both interesting, and not novel. It doesn't seem to be a threat to using REs in most contexts, either, for all you awk/grep/perl freaks (my brothas!) out there.

      But signature REs and logical expressions? Most signature-based stream matching works that way. Antivirus, pre-existing IDS, even (as many have pointed out) most perl log-analysis tools. I suspect that this should wither at the first touch of prior art. Assuming someone with more courage than money gets to be the lucky first victim.

      Hmmm... I can't recall right away. What's Cisco's general history with respect to IP issues? Something about U-Cal-Berkeley copyrights comes to mind for some reason...

    • What I'd be interested in seeing is how this impacts what snort is doing, and has been doing for quite some time now.

      If it does, then snort is the prior art. The more specific requirements are: using regular expressions to identify

      • a packet type.
      • a sequence of packets.
      • a signature-related event.
      The last two claims entail compiling the ruleset and keeping it in memory. If snort does all of this (I think it does), then the next questions are:

      1: was it done before Jan 15, 2002, or was the possibility of doing so done (publicly) before Jan 15, 2002? If that occurred, then Snort (or the snort mailing list where the possibility was explored) would be the prior art that eats this patent.

      Yes, discussing the possibility counts as prior art. The best example of that was when the patent for waterbeds was wiped out by Heinlein's description in "Stranger in a Strange Land".

  • To find out what a patent is about and who will be affected, you have to read the first claim, find possibly other independent claims and ask yourself what kind of system will have all of these properties mentioned in one of these independent claims.

    In this particular case you have just four criteria in claim 1, and they are pretty unspecific, so it is a patent possibly dangerous to many people. There are two additional independent claims 4 and 7, which you can view as different additional claims that were put into the patent to widen its scope. The rest of the patent just clarifies and specializes these independent claims.

    It is the examiner's job to narrow the claims as much as possible, and the applicant usually wants to have them as wide as possible. Here, definitely the applicants did a better job than the examiner.

    From what I see, there is no real invention here, but that is true for most of the so called IT-Patents, and this one is not a particularly bad example, it is merely a typical patent you often have to write because the competition does it too.

    p.
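
An added illustration of the technique the thread discusses (malakai's "signature events" used as regular-expression identifiers over packet sequences, and the `RegEx(...) AND NOT RegEx(...)` form from a later reply); it is not code from any commenter, from Cisco or from the patent. The event alphabet, signature names and sample packets below are constructed assumptions.

```python
import re

# Hypothetical event alphabet: one letter per packet type seen on a flow.
EVENTS = {"SYN": "S", "SYN-ACK": "K", "ACK": "A", "RST": "R", "DATA": "D"}

def pk(ptype, payload=""):
    """Build one constructed packet record (not real traffic)."""
    return {"type": ptype, "payload": payload}

def to_event_string(packets):
    """Encode a packet sequence as a string of event letters."""
    return "".join(EVENTS[p["type"]] for p in packets)

# A signature fires when every "all" regex matches AND NOT any "none" regex.
# "seq" regexes run over the event string, "payload" regexes over packet data.
SIGNATURES = {
    "syn-sweep": {
        "all": [("seq", re.compile(r"(?:SR){3,}"))],   # 3+ SYNs, each reset
        "none": [("seq", re.compile(r"SKA"))],         # a handshake completed
    },
    "traversal-probe": {
        "all": [("seq", re.compile(r"SKAD")),
                ("payload", re.compile(r"\.\./\.\./"))],
        "none": [("payload", re.compile(r"User-Agent: internal-linkchecker"))],
    },
}

def evaluate(packets):
    """Return the sorted names of the signatures that fire."""
    views = {"seq": to_event_string(packets),
             "payload": "\n".join(p["payload"] for p in packets)}
    fired = []
    for name, sig in SIGNATURES.items():
        hit = all(rx.search(views[v]) for v, rx in sig["all"])
        veto = any(rx.search(views[v]) for v, rx in sig["none"])
        if hit and not veto:
            fired.append(name)
    return sorted(fired)

# Constructed sample flows.
SCAN = [pk("SYN"), pk("RST")] * 4
PROBE = [pk("SYN"), pk("SYN-ACK"), pk("ACK"),
         pk("DATA", "GET /../../conf HTTP/1.0")]
CHECKER = PROBE[:3] + [pk("DATA", "GET /a/../../b HTTP/1.0\r\n"
                                  "User-Agent: internal-linkchecker")]

if __name__ == "__main__":
    for label, flow in (("scan", SCAN), ("probe", PROBE), ("checker", CHECKER)):
        print(label, to_event_string(flow), evaluate(flow))
```

The "none" list is where a benign look-alike is excluded: the constructed link-checker flow matches the traversal pattern but is vetoed by its User-Agent.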
