IDS mailing list archives

Vulnerability-based IPS Patent


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Thu, 30 Mar 2006 11:28:09 -0500

Hello everybody :-)

I came across an interesting patent application today.
It's called "Proactive containment of network security attacks",
publication # US 2006-0059558 A1 / filed September 15 2004.
The invention described by this patent is the work of John Selep 
and Mauricio Sanchez from Hewlett Packard.

This patent application claims that Mr. Selep and Mr. Sanchez
invented a vulnerability-based system that's capable of stopping
attacks without relying on specific exploit signatures. In other 
words, they are trying to patent an IPS that uses vulnerability
signatures. If everything goes well soon companies like NFR, ISS,
TippingPoint, SourceFire, TopLayer, etc will be paying licensing
fees to HP.

I would assume that ISS and NFR would be most interested in
investigating this patent application because they've been
doing things described in the application claims the longest
out of all IPS/IDS vendors (researching vulnerabilities, 
creating vulnerability based fingerprints that use proper protocol 
and data decoding instead of simple exploit oriented pattern-matching 
based signatures, and then distributing updates to the customers).   

When I read the patent I couldn't believe my eyes. For somebody who's
been in the security/IPS industry for a while it was like seeing
somebody trying to patent the wheel. John Selep is a product marketing
manager, so it's possible he doesn't know much about security and the
intrusion prevention industry, but Mauricio Sanchez is a network
security architect at HP... It's hard to believe that he didn't
know about a technology that's been out for many years.

By the way, Mr. Sanchez has a number of other patent applications.
The most questionable of the other applications is called
"Virus/worm throttle threshold settings" (publication # US 2005/0265233 A1).
I bet most anomaly / behavior IPS vendors will have something to say
about this. Once again, get ready to pay up to HP soon...


I know that most IPS vendors have people subscribed to this list
and I'm sure I'm not the only one who has something to say about this.
This could cost a lot of money to your companies guys. Do you want
to go through the same pain RIM went through battling NTP?

Kyle

P.S.
Here's a link to the questionable IPS patent: http://tinyurl.com/eo4oz

