Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto

US 20030101353A1
Filed: 10/31/2001
Published: 05/29/2003
Est. Priority Date: 10/31/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting an intrusion at a node of a network, comprising:

reading a first packet received by the node;

determining a first signature of the first packet;

comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature;

determining the first signature corresponds with the first machine readable logic;

reading a second packet generated by the node in response to reception of the first packet;

determining a second signature of the second packet;

comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature; and

determining the second signature corresponds with the second machine readable logic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting an intrusion at a node of a network comprising reading a first packet received by the node, determining a first signature of the first packet, comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature, determining the first signature corresponds with the first machine readable logic, reading a second packet generated by the node in response to reception of the first packet, determining a second signature of the second packet, comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature, and determining the second signature corresponds with the second machine readable logic is provided. A computer-readable medium and a node for detecting an exploit based upon an outbound signature generated in response to an inbound signature of the exploit are also provided.

Citations

22 Claims

1. A method of detecting an intrusion at a node of a network, comprising:
- reading a first packet received by the node;
  
  determining a first signature of the first packet;
  
  comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature;
  
  determining the first signature corresponds with the first machine readable logic;
  
  reading a second packet generated by the node in response to reception of the first packet;
  
  determining a second signature of the second packet;
  
  comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature; and
  
  determining the second signature corresponds with the second machine readable logic.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1, further comprising executing a directive associated with the first machine readable logic upon determining the first signature corresponds with the first machine readable logic.
  - 3. The method according to claim 1, further comprising executing a directive associated with the second machine readable logic upon determining the second signature corresponds with the second machine readable logic.
  - 4. The method according to claim 3, wherein executing a directive associated with the second machine readable logic further comprises discarding the second packet.
  - 5. The method according to claim 4, wherein discarding the second packet further comprises discarding the packet at the network layer of the network stack of the node.
  - 6. The method according to claim 1, wherein reading a second packet generated by the node in response to reception of the first packet further comprises reading a second packet generated by a network stack of an operating system of the node.

7. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of:
- reading a first packet;
  
  determining a first signature of the first packet;
  
  comparing the first signature with a first instruction set comprising a first set of machine readable logic representative of a first packet signature;
  
  determining the first signature corresponds with the first set of machine readable logic;
  
  reading a second packet;
  
  determining a second signature of the second packet;
  
  comparing the second signature with a second instruction set comprising a second set of machine readable logic representative of a second packet signature; and
  
  determining the second signature corresponds with the second set of machine readable logic.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer-readable medium according to claim 7, further comprising an instruction set that, when executed by the processor, causes the processor to perform the computer method of executing, upon determining the first signature corresponds with the first instruction set, a directive comprised of machine-readable instructions, the first instruction set comprising the directive.
  - 9. The computer-readable medium according to claim 7, further comprising an instruction set that, when executed by the processor, causes the processor to perform the computer method of executing, upon determining the second signature corresponds with the second instruction set, a directive comprised of machine-readable instructions, the second instruction set comprising the directive.
  - 10. The computer-readable medium according to claim 9, wherein executing a directive comprised of machine-readable instructions further comprises executing a directive that causes the processor to discard the second packet.
  - 11. The computer-readable medium according to claim 10, wherein executing a directive that causes the processor to discard the second packet further comprises discarding a packet at a network layer of a network stack.
  - 12. The computer-readable medium according to claim 7, wherein comparing the first signature with a first instruction set comprising a first set of machine readable logic representative of a packet signature further comprises performing a binary pattern comparison with the first signature and the first set of machine readable logic.
  - 13. The computer-readable medium according to claim 7, wherein comparing the second signature with a second instruction set comprising a second set of machine readable logic representative of a packet signature further comprises performing a binary pattern comparison with the second signature and the second set of machine readable logic.

14. A node of a network operable to detect an intrusion thereof, comprising:
- a central processing unit;
  
  a memory module for storing data in machine readable format for retrieval and execution by a central processing unit; and
  
  an operating system comprising a network stack comprising a protocol driver, a media access control driver and a network filter service provider bound to the protocol driver and the media access control driver, the network filter service provider operable to receive a first packet and to determine a first signature of the first packet and compare the first signature with a first instruction set comprising a first set of machine readable logic representative of a first packet signature and to determine a correspondence with the first set of machine readable logic, the network filter service provider further operable to receive a second packet and to determine a second signature of the second packet and compare the second signature with a second instruction set comprising a second set of machine readable logic representative of a second packet signature and to determine a correspondence with the second set of machine readable logic, the processor operable to execute a directive comprised of machine readable instructions upon determination, by the network filter service provider, of a correspondence between the first signature and the first instruction set and correspondence between the second signature and the second instruction set.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The node according to claim 14, wherein execution of the directive causes the network filter service provider to discard the second packet.
  - 16. The node according to claim 14, wherein the first packet is received by the node and the second packet is generated by the node.
  - 17. The node according to claim 14, wherein the first packet is generated by the node and the second packet is received by the node.
  - 18. The node according to claim 14, wherein the network filter service provider further comprises a pattern matching algorithm, the comparison of the first signature with the first instruction set and the comparison of the second signature with the second instruction set performed by the pattern matching algorithm.

19. A method of detecting an intrusion at a node of a network, comprising:
- reading a packet by the node;
  
  determining a signature of the packet;
  
  comparing the signature with a signature file comprising a machine-readable logic representative of a packet signature; and
  
  determining the signature corresponds with the machine readable logic.
- View Dependent Claims (20, 21, 22)
- - 20. The method according to claim 19, wherein the packet is received by the node.
  - 21. The method according to claim 19, wherein the packet is generated by the node and generation of the packet is made in response to reception of a first packet received by the node.
  - 22. The method according to claim 19, wherein the packet is generated by the node, an evaluation made that the packet is a probe packet upon determining the signature corresponds with the machine readable logic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Tarquini, Richard Paul, Schertz, Richard Louis, Gales, George Simon

Application Number

US10/003,815
Publication Number

US 20030101353A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1416 Event detection, e.g. attac...

Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links