Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto
Abstract
A method of detecting an intrusion at a node of a network comprising reading a first packet received by the node, determining a first signature of the first packet, comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature, determining the first signature corresponds with the first machine readable logic, reading a second packet generated by the node in response to reception of the first packet, determining a second signature of the second packet, comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature, and determining the second signature corresponds with the second machine readable logic is provided. A computer-readable medium and a node for detecting an exploit based upon an outbound signature generated in response to an inbound signature of the exploit are also provided.
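The two-stage check described in the abstract, as an added example (not code from the patent or its assignee): an alert is raised only when an inbound packet matches the first logic and the node's reply on the reverse flow then matches the second. The regex signatures, marker strings, addresses, and the 5-second correlation window are constructed assumptions.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport payload")
NODE = "192.0.2.10"  # assumed address of the monitored node

# Constructed signature file: each rule pairs inbound logic with outbound logic.
SIGNATURE_FILE = {
    "demo-rule-1": {
        "inbound": re.compile(rb"EXAMPLE-REQUEST-MARKER"),
        "outbound": re.compile(rb"EXAMPLE-RESPONSE-MARKER"),
    },
}

class TwoStageDetector:
    def __init__(self, node_ip, signatures, window=5.0):
        self.node_ip, self.signatures, self.window = node_ip, signatures, window
        self.pending = {}  # (rule, peer ip, peer port, node port) -> time of inbound match

    def process(self, pkt):
        """Return names of rules whose inbound AND outbound logic both matched."""
        # Drop inbound matches that never got a matching response in time.
        self.pending = {k: t for k, t in self.pending.items() if pkt.ts - t <= self.window}
        alerts = []
        for name, sig in self.signatures.items():
            if pkt.dst == self.node_ip and sig["inbound"].search(pkt.payload):
                # Stage 1: remember the flow, but do not alert yet.
                self.pending[(name, pkt.src, pkt.sport, pkt.dport)] = pkt.ts
            elif pkt.src == self.node_ip:
                # Stage 2: only a reply on the reverse flow can complete a rule.
                key = (name, pkt.dst, pkt.dport, pkt.sport)
                if key in self.pending and sig["outbound"].search(pkt.payload):
                    del self.pending[key]
                    alerts.append(name)
        return alerts

def run(packets, node_ip=NODE):
    det = TwoStageDetector(node_ip, SIGNATURE_FILE)
    return [(p.ts, rule) for p in packets for rule in det.process(p)]

SAMPLE = [  # constructed traffic using documentation address ranges
    Packet(1.0, "198.51.100.7", 40001, NODE, 80, b"GET /?q=EXAMPLE-REQUEST-MARKER"),
    Packet(1.2, NODE, 80, "198.51.100.7", 40001, b"EXAMPLE-RESPONSE-MARKER ok"),
    Packet(2.0, "198.51.100.8", 40002, NODE, 80, b"EXAMPLE-REQUEST-MARKER"),
    Packet(2.1, NODE, 80, "198.51.100.8", 40002, b"HTTP/1.1 404 Not Found"),
    Packet(3.0, NODE, 80, "198.51.100.9", 40003, b"EXAMPLE-RESPONSE-MARKER"),
    Packet(10.0, "198.51.100.7", 40001, NODE, 80, b"EXAMPLE-REQUEST-MARKER"),
    Packet(20.0, NODE, 80, "198.51.100.7", 40001, b"EXAMPLE-RESPONSE-MARKER"),
]
```

Calling `run(SAMPLE)` reports only the exchange at 1.0/1.2: the inbound match answered by an ordinary 404, the response marker with no preceding inbound match, and the reply that arrives after the window has expired produce no alert.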
22 Claims
1. A method of detecting an intrusion at a node of a network, comprising:
- reading a first packet received by the node;
- determining a first signature of the first packet;
- comparing the first signature with a signature file comprising a first machine-readable logic representative of a first packet signature;
- determining the first signature corresponds with the first machine readable logic;
- reading a second packet generated by the node in response to reception of the first packet;
- determining a second signature of the second packet;
- comparing the second signature with the signature file further comprising a second machine-readable logic representative of second packet signature; and
- determining the second signature corresponds with the second machine readable logic.
Dependent claims: 2, 3, 4, 5, 6

7. A computer-readable medium having stored thereon a set of instructions to be executed, the set of instructions, when executed by a processor, cause the processor to perform a computer method of:
- reading a first packet;
- determining a first signature of the first packet;
- comparing the first signature with a first instruction set comprising a first set of machine readable logic representative of a first packet signature;
- determining the first signature corresponds with the first set of machine readable logic;
- reading a second packet;
- determining a second signature of the second packet;
- comparing the second signature with a second instruction set comprising a second set of machine readable logic representative of a second packet signature; and
- determining the second signature corresponds with the second set of machine readable logic.
Dependent claims: 8, 9, 10, 11, 12, 13

14. A node of a network operable to detect an intrusion thereof, comprising:
- a central processing unit;
- a memory module for storing data in machine readable format for retrieval and execution by a central processing unit; and
- an operating system comprising a network stack comprising a protocol driver, a media access control driver and a network filter service provider bound to the protocol driver and the media access control driver, the network filter service provider operable to receive a first packet and to determine a first signature of the first packet and compare the first signature with a first instruction set comprising a first set of machine readable logic representative of a first packet signature and to determine a correspondence with the first set of machine readable logic, the network filter service provider further operable to receive a second packet and to determine a second signature of the second packet and compare the second signature with a second instruction set comprising a second set of machine readable logic representative of a second packet signature and to determine a correspondence with the second set of machine readable logic, the processor operable to execute a directive comprised of machine readable instructions upon determination, by the network filter service provider, of a correspondence between the first signature and the first instruction set and correspondence between the second signature and the second instruction set.
Dependent claims: 15, 16, 17, 18

19. A method of detecting an intrusion at a node of a network, comprising:
- reading a packet by the node;
- determining a signature of the packet;
- comparing the signature with a signature file comprising a machine-readable logic representative of a packet signature; and
- determining the signature corresponds with the machine readable logic.
Dependent claims: 20, 21, 22

Specification