Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

US 20020161755A1
Filed: 04/30/2001
Published: 10/31/2002
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:

generating an information query by the sender;

sending the information query to the recipient;

receiving the information query at a border device of the recipient;

processing the information query at the border device to provide selected information requested by the information query to the sender.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in which a border device of a destination network located outside of a recipient personal computer or network intercepts a performance measurement packet for a specified recipient in order to relieve problems that arise when performance metric packets are interpreted as harmful to a recipient network or server. A border device intercepts the performance metric packet and returns requested information to the sender while masking the source address of the response as the original destination address of the original recipient or the network number of that recipient. The sender of the packet receives ample information on the performance metrics to the perimeter of the recipient for use in its application and the recipient network is protected as well by masking the IP addresses in use on the its network. The method is applicable in both existing performance metric protocols and is adaptable to a new protocol which would also additionally assist in identifying the purpose of the performance metric packets and protecting the destination network from outside interference. The number of performance metrics queried by some applications could also be reduced through the use of CIDR network block tables. These tables would be referenced to determine if a previous response was cached from this network block or to allow for a longer cache time-out due to the static nature of CIDR blocks.

Citations

20 Claims

1. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:
- generating an information query by the sender;
  
  sending the information query to the recipient;
  
  receiving the information query at a border device of the recipient;
  
  processing the information query at the border device to provide selected information requested by the information query to the sender.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein:
    - the selected information provided to the sender includes identification information that is different than that of the border device.
  - 3. The method of claim 1 further comprising the steps of:
    - storing at least a portion of the selected information sent from the border device to the sender at the sender when a destination address of the information query corresponds to a predetermined group of addresses stored at the sender; and
      
      utilizing the stored selected information from the response whenever an information query is generated including any of the predetermined group of addresses stored at the sender.
  - 4. The method of claim 3, further comprising the steps of:
    - deleting the stored selected information after a predetermined period of time.

5. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:
- generating an information query by the sender;
  
  sending the information query to the recipient; and
  
  receiving the information query at a border device of the recipient;
  
  processing the information query at the border device according to a plurality of predetermined rules, wherein said predetermined rules provide for one of;
  
  providing selected information requested by the information query in a response to the information query to be sent to the sender;
  
  discarding the information query; and
  
  passing the information query through the border device to the recipient for response.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5 wherein:
    - one of said plurality of predetermined rules provides for discarding the information query when the information query is of a size larger than a predetermined range of allowable sizes.
  - 7. The method of claim 5, wherein:
    - one rule of said plurality of predetermined rules provides for passing the information query through the border unit to the recipient for response when the information query includes predetermined identification information.
  - 8. The method of claim 5, further comprising the steps of:
    - storing at least the selected information of the response provided from the border device when a destination address of the information query to which the response was generated corresponds to any of a plurality of predetermined addresses stored at the sender; and
      
      using the stored selected information of the response whenever an information query including any of the plurality of predetermined addresses stored at the sender is generated rather than sending the information query to the recipient.
  - 9. The method according to claim 8, wherein:
    - the stored selected information is deleted after a predetermined period of time passes.

10. A border device positioned between a sender and a recipient for use in gathering information regarding a connection between the sender and the recipient in a network, the border device comprising:
- a receiver for receiving an information query from the sender addressed to the recipient;
  
  a processor for processing the information query on behalf of the recipient to generate a response to said information query including selected information; and
  
  a transmitter for sending the response including the selected information to the sender.
- View Dependent Claims (11, 12, 14, 15, 16, 17, 18, 20)
- - 11. The border device of claim 10, wherein:
    - the response to the information query includes identification information that differs from identification information of the border device.
  - 12. The border device of claim 10, wherein:
    - the border device responds to information queries for a plurality of recipients.
  - 14. The method of claim 13, wherein:
    - when the predetermined rules provide for generating the response packet to the performance measurement packet including performance metric information, the response includes identification information that is different than identification information of the border device.
  - 15. The method of claim 13, wherein:
    - one of the predetermined rules provides for discarding the performance measurement packet when a size of the performance measurement packet exceeds a range of allowable sizes.
  - 16. The method of claim 13, wherein:
    - one rule of the plurality of predetermined rules provides for passing the performance measurement packet through the border unit to the recipient when the performance measurement packet includes predetermined identification information.
  - 17. The method according to claim 13, further comprising the steps of:
    - storing at least the performance metric information of the response packet generated by the border device in response to the performance measurement packet when a destination address of the performance measurement packet corresponds to one of a plurality of predetermined addresses stored at the sender; and
      
      using the stored performance metric information of the response packet whenever a performance measurement packet including any of the plurality of predetermined addresses stored at the sender is generated by the sender rather than sending the performance measurement packet to the recipient.
  - 18. The method according to claim 17, further comprising the step of:
    - deleting the stored performance metric information after a predetermined period of time.
  - 20. The method according to claim 19, wherein:
    - the plurality of predetermined addresses is a group of Classless Inter-Domain Routing addresses.

13. A method of gathering performance measurement information regarding a connection between a sender and a recipient in a network comprising the steps of:
- generating an a performance measurement packet by the sender;
  
  sending the performance measurement packet to the recipient;
  
  receiving the performance measurement packet at a border device of the recipient; and
  
  processing the performance measurement packet at the border device according to a plurality of predetermined rules, wherein said predetermined rules provide for one of;
  
  generating a response packet to the performance measurement packet providing performance metric information to be sent to the sender;
  
  discarding the performance measurement packet and passing the performance measurement packet to the recipient.

19. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:
- generating an information query by the sender;
  
  sending the information query to the recipient;
  
  receiving a response to the information query including selected information from the recipient by the sender;
  
  storing at least the selected information of the response for a predetermined period of time when the destination address of the information query is one of a plurality of predetermined addresses stored at the sender, such that when a subsequent information query includes a destination address corresponding to any of the plurality of predetermined addresses, the stored selected information of the response is used without sending the subsequent information query to the recipient; and
  
  wherein said predetermined period of time is different from a period of time for which the selected information of the response is stored when the destination address of the information query is an address other than one of the plurality of predetermined addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Kathleen M. Moriarty
Inventors
Moriarty, Kathleen M.

Granted Patent

US 7,124,173 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/4
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0236   Filtering by address, proto...

H04L 63/1441   Countermeasures against mal...

H04L 67/1001   for accessing one among a p...

H04L 67/101   based on network conditions

Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links