System and method for providing enhanced network security

US 20040030931A1
Filed: 08/12/2003
Published: 02/12/2004
Est. Priority Date: 08/12/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing enhance network security, comprising:

receiving data traffic at a network device for processing;

reviewing the data traffic and comparing the data traffic against predetermined criteria;

determining whether the data traffic matches the criteria;

calling an external handler script to process the data traffic if it is determined that the data traffic matches the criteria; and

passing the data traffic as conventional traffic if it is determined that the data traffic does not match the criteria.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing enhance network security is disclosed. In particular, data traffic is initially presented to a network device for processing. In response, the device reviews the data traffic and compares the data traffic against predetermined criteria. Next, it is determined whether the data traffic matches the criteria and, if so, a handler script is called to process the data traffic in accordance with its identification. If the data traffic does not match the criteria, the process ends and the data traffic is passed as conventional traffic. Because information regarding the data traffic is initially reviewed passively, the process of the present invention is able to operate using very little in the way of processor resources. Only when traffic identification information is passed to the handler script is an action actually performed on the traffic. Additionally, by providing a handler script outside the confines of the traffic analyzing program, changes to the handling of identified traffic may be modified without requiring a recompilation of the entire system.

69 Citations

View as Search Results

30 Claims

1. A method for providing enhance network security, comprising:
- receiving data traffic at a network device for processing;
  
  reviewing the data traffic and comparing the data traffic against predetermined criteria;
  
  determining whether the data traffic matches the criteria;
  
  calling an external handler script to process the data traffic if it is determined that the data traffic matches the criteria; and
  
  passing the data traffic as conventional traffic if it is determined that the data traffic does not match the criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - loading predetermined configuration data into a processor of the network device, wherein configuration data includes the predetermined criteria;
      
      reading stored IP address data into a linked list file within the processor, wherein the stored IP address data represents information regarding previously analyzed IP addresses;
      
      generating a log of data traffic in substantially real-time;
      
      analyzing the log of data traffic in substantially real-time;
      
      parsing the log of data traffic at predetermined intervals to extract new entries;
      
      comparing the extracted new entries to the stored IP address data and the configuration data; and
      
      calling the external handler script to process the data traffic if it is determined that the data traffic matches the criteria.
  - 3. The method of claim 2, wherein the predetermined criteria includes criteria for blocking and unblocking network access to an IP address and further comprising:
    - calling the external handler script to block or unblock the data traffic if it is determined that the data traffic matches a previously blocked IP address from the stored IP address data.
  - 4. The method of claim 2, further comprising:
    - storing IP ADDRESS data for the received data traffic in the stored IP address data;
      
      storing a COUNT value data in the stored IP address data representative of the number of times the address has been identified;
      
      storing a TIME value data in the stored IP address data representing the time that the IP address was added;
      
      storing a BLOCKED value data in the stored IP address data indicating whether the identified address has been blocked; and
      
      storing a BTIME value data in the stored IP address data representing the time the address was blocked.
  - 5. The method of claim 2, wherein loading predetermined configuration data into a processor of the network device further comprises:
    - loading a configuration file into system memory of the network device;
      
      setting a plurality of configuration values based upon the configuration file; and
      
      printing the configuration values to an output log.
  - 6. The method of claim 5, wherein setting a plurality of configuration values further comprises:
    - setting a LOGFILE value relating to the path to the watched log file;
      
      setting a SAVEFILE value relating to the path to the save file;
      
      setting a SCRIPT value relating to the path to the external script used to block/unblock addresses;
      
      setting a MAXAGE value defining the maximum age of an IP address block;
      
      setting a MAXCOUNT value defining the number of failures from an IP address which result in blockage;
      
      setting a BLOCKTIME value relating to the duration of an IP address block; and
      
      setting a TIMEVAL delay value relating to a delay between successive checks of the log file.
  - 7. The method of claim 2, further comprising:
    - reading a new log file into system memory of the network device;
      
      comparing a size of the new log file against a size of the previously analyzed log file;
      
      placing the last line of the new log file is placed into a buffer if the new log file is larger than the previous log file;
      
      examining the contents of the buffer;
      
      extracting the IP address from the contents of the buffer;
      
      searching the stored IP address data for the currently extracted IP address;
      
      adding the IP address information to the stored IP address data, if the currently extracted IP address is not found in the stored IP address data;
      
      incrementing a COUNT value associated with the matching stored IP address if the currently extracted IP address is found in the stored IP address data;
      
      comparing the incremented COUNT value to a MAXCOUNT value read in during the configuration; and
      
      calling the external handler script to block the identified IP address if the COUNT value is greater than or equal to the MAXCOUNT value.
  - 8. The method of claim 7, further comprising:
    - setting a BLOCKED value for the identified IP address to indicate that the address is blocked; and
      
      setting a BTIME for the identified IP address value to indicate the time at which the block was initiated.
  - 9. The method of claim 8, further comprising:
    - reading the stored IP address data into a buffer;
      
      determining whether an IP address entry is currently blocked;
      
      performing the following steps if it is determined that the IP address entry is not currently blocked;
      
      comparing an age of the IP addresses entry with a MAXAGE value read in during configuration;
      
      removing the IP address entry from the stored IP address data if the entry'"'"'s age is greater equal to MAXAGE;
      
      performing the following steps if it is determined that the IP address entry is currently blocked;
      
      comparing the duration of the block is compared against the BLOCKTIME value read in during configuration; and
      
      calling the external handler script to unblock the identified IP address entry and permit traffic from the address to flow through the network device if the duration is greater than or equal to BLOCKTIME.
  - 10. The method of claim 9, further comprising storing a TIME value data in the stored IP address data representing the time that the IP address was added;
    - storing a BTIME value data in the stored IP address data representing the time the address was blocked. determining the age of an IP address entry by subtracting the entry'"'"'s TIME value from the current time of the check; and
      
      determining a block'"'"'s duration by subtracting the entry'"'"'s BTIME value from the current time of the check.

11. A system for providing enhance network security, comprising:
- means for receiving data traffic at a network device for processing;
  
  means for reviewing the data traffic and comparing the data traffic against predetermined criteria;
  
  means for determining whether the data traffic matches the criteria;
  
  means for calling an external handler script to process the data traffic if it is determined that the data traffic matches the criteria; and
  
  means for passing the data traffic as conventional traffic if it is determined that the data traffic does not match the criteria.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 12. The system of claim 11, further comprising:
    - means for loading predetermined configuration data into a processor of the network device, wherein configuration data includes the predetermined criteria;
      
      means for reading stored IP address data into a linked list file within the processor, wherein the stored IP address data represents information regarding previously analyzed IP addresses;
      
      means for generating a log of data traffic in substantially real-time;
      
      means for analyzing the log of data traffic in substantially real-time;
      
      means for parsing the log of data traffic at predetermined intervals to extract new entries;
      
      means for comparing the extracted new entries to the stored IP address data and the configuration data; and
      
      means for calling the external handler script to process the data traffic if it is determined that the data traffic matches the criteria.
  - 13. The system of claim 12, wherein the predetermined criteria includes criteria for blocking and unblocking network access to an IP address and further comprising:
    - means for calling the external handler script to block or unblock the data traffic if it is determined that the data traffic matches a previously blocked IP address from the stored IP address data.
  - 14. The system of claim 12, further comprising:
    - means for storing IP ADDRESS data for the received data traffic in the stored IP address data;
      
      means for storing a COUNT value data in the stored IP address data representative of the number of times the address has been identified;
      
      means for storing a TIME value data in the stored IP address data representing the time that the IP address was added;
      
      means for storing a BLOCKED value data in the stored IP address data indicating whether the identified address has been blocked; and
      
      means for storing a BTIME value data in the stored IP address data representing the time the address was blocked.
  - 15. The system of claim 12, wherein the means for loading predetermined configuration data into a processor of the network device further comprise:
    - means for loading a configuration file into system memory of the network device;
      
      means for setting a plurality of configuration values based upon the configuration file; and
      
      means for printing the configuration values to an output log.
  - 16. The system of claim 15, wherein the means for setting a plurality of configuration values further comprise:
    - means for setting a LOGFILE value relating to the path to the watched log file;
      
      means for setting a SAVEFILE value relating to the path to the save file;
      
      means for setting a SCRIPT value relating to the path to the external script used to block/unblock addresses;
      
      means for setting a MAXAGE value defining the maximum age of an IP address block;
      
      means for setting a MAXCOUNT value defining the number of failures from an IP address which result in blockage;
      
      means for setting a BLOCKTIME value relating to the duration of an IP address block; and
      
      means for setting a TIMEVAL delay value relating to a delay between successive checks of the log file.
  - 17. The system of claim 12, further comprising:
    - means for reading a new log file into system memory of the network device;
      
      means for comparing a size of the new log file against a size of the previously analyzed log file;
      
      means for placing the last line of the new log file is placed into a buffer if the new log file is larger than the previous log file;
      
      means for examining the contents of the buffer;
      
      means for extracting the IP address from the contents of the buffer;
      
      means for searching the stored IP address data for the currently extracted IP address;
      
      means for adding the IP address information to the stored IP address data, if the currently extracted IP address is not found in the stored IP address data;
      
      means for incrementing a COUNT value associated with the matching stored IP address if the currently extracted IP address is found in the stored IP address data;
      
      means for comparing the incremented COUNT value to a MAXCOUNT value read in during the configuration; and
      
      means for calling the external handler script to block the identified IP address if the COUNT value is greater than or equal to the MAXCOUNT value.
  - 18. The system of claim 17, further comprising:
    - means for setting a BLOCKED value for the identified IP address to indicate that the address is blocked; and
      
      means for setting a BTIME for the identified IP address value to indicate the time at which the block was initiated.
  - 19. The system of claim 18, further comprising:
    - means for reading the stored IP address data into a buffer;
      
      means for determining whether an IP address entry is currently blocked;
      
      means for performing the following steps if it is determined that the IP address entry is not currently blocked;
      
      comparing an age of the IP addresses entry with a MAXAGE value read in during configuration;
      
      removing the IP address entry from the stored IP address data if the entry'"'"'s age is greater equal to MAXAGE;
      
      means for performing the following steps if it is determined that the IP address entry is currently blocked;
      
      comparing the duration of the block is compared against the BLOCKTIME value read in during configuration; and
      
      calling the external handler script to unblock the identified IP address entry and permit traffic from the address to flow through the network device if the duration is greater than or equal to BLOCKTIME.
  - 20. The system of claim 19, further comprising means for storing a TIME value data in the stored IP address data representing the time that the IP address was added;
    - means for storing a BTIME value data in the stored IP address data representing the time the address was blocked. means for determining the age of an IP address entry by subtracting the entry'"'"'s TIME value from the current time of the check; and
      
      means for determining a block'"'"'s duration by subtracting the entry'"'"'s BTIME value from the current time of the check.
  - 22. The computer-readable medium of claim 11, further comprising:
    - one or more instructions for loading predetermined configuration data into a processor of the network device, wherein configuration data includes the predetermined criteria;
      
      one or more instructions for reading stored IP address data into a linked list file within the processor, wherein the stored IP address data represents information regarding previously analyzed IP addresses;
      
      one or more instructions for generating a log of data traffic in substantially real-time;
      
      one or more instructions for analyzing the log of data traffic in substantially real-time;
      
      one or more instructions for parsing the log of data traffic at predetermined intervals to extract new entries;
      
      one or more instructions for comparing the extracted new entries to the stored IP address data and the configuration data; and
      
      one or more instructions for calling the external handler script to process the data traffic if it is determined that the data traffic matches the criteria.
  - 23. The computer-readable medium of claim 12, wherein the predetermined criteria includes criteria for blocking and unblocking network access to an IP address and further comprising:
    - one or more instructions for calling the external handler script to block or unblock the data traffic if it is determined that the data traffic matches a previously blocked IP address from the stored IP address data.
  - 24. The computer-readable medium of claim 12, further comprising:
    - one or more instructions for storing IP ADDRESS data for the received data traffic in the stored IP address data;
      
      one or more instructions for storing a COUNT value data in the stored IP address data representative of the number of times the address has been identified;
      
      one or more instructions for storing a TIME value data in the stored IP address data representing the time that the IP address was added;
      
      one or more instructions for storing a BLOCKED value data in the stored IP address data indicating whether the identified address has been blocked; and
      
      one or more instructions for storing a BTIME value data in the stored IP address data representing the time the address was blocked.
  - 25. The computer-readable medium of claim 12, wherein the one or more instructions for loading predetermined configuration data into a processor of the network device further comprise:
    - one or more instructions for loading a configuration file into system memory of the network device;
      
      one or more instructions for setting a plurality of configuration values based upon the configuration file; and
      
      one or more instructions for printing the configuration values to an output log.
  - 26. The computer-readable medium of claim 15, wherein the one or more instructions for setting a plurality of configuration values further comprise:
    - one or more instructions for setting a LOGFILE value relating to the path to the watched log file;
      
      one or more instructions for setting a SAVEFILE value relating to the path to the save file;
      
      one or more instructions for setting a SCRIPT value relating to the path to the external script used to block/unblock addresses;
      
      one or more instructions for setting a MAXAGE value defining the maximum age of an IP address block;
      
      one or more instructions for setting a MAXCOUNT value defining the number of failures from an IP address which result in blockage;
      
      one or more instructions for setting a BLOCKTIME value relating to the duration of an IP address block; and
      
      one or more instructions for setting a TIMEVAL delay value relating to a delay between successive checks of the log file.
  - 27. The computer-readable medium of claim 12, further comprising:
    - one or more instructions for reading a new log file into system memory of the network device;
      
      one or more instructions for comparing a size of the new log file against a size of the previously analyzed log file;
      
      one or more instructions for placing the last line of the new log file is placed into a buffer if the new log file is larger than the previous log file;
      
      one or more instructions for examining the contents of the buffer;
      
      one or more instructions for extracting the IP address from the contents of the buffer;
      
      one or more instructions for searching the stored IP address data for the currently extracted IP address;
      
      one or more instructions for adding the IP address information to the stored IP address data, if the currently extracted IP address is not found in the stored IP address data;
      
      one or more instructions for incrementing a COUNT value associated with the matching stored IP address if the currently extracted IP address is found in the stored IP address data;
      
      one or more instructions for comparing the incremented COUNT value to a MAXCOUNT value read in during the configuration; and
      
      one or more instructions for calling the external handler script to block the identified IP address if the COUNT value is greater than or equal to the MAXCOUNT value.
  - 28. The computer-readable medium of claim 17, further comprising:
    - one or more instructions for setting a BLOCKED value for the identified IP address to indicate that the address is blocked; and
      
      one or more instructions for setting a BTIME for the identified IP address value to indicate the time at which the block was initiated.
  - 29. The computer-readable medium of claim 18, further comprising:
    - one or more instructions for reading the stored IP address data into a buffer;
      
      one or more instructions for determining whether an IP address entry is currently blocked;
      
      one or more instructions for performing the following steps if it is determined that the IP address entry is not currently blocked;
      
      comparing an age of the IP addresses entry with a MAXAGE value read in during configuration;
      
      removing the IP address entry from the stored IP address data if the entry'"'"'s age is greater equal to MAXAGE;
      
      one or more instructions for performing the following steps if it is determined that the IP address entry is currently blocked;
      
      comparing the duration of the block is compared against the BLOCKTIME value read in during configuration; and
      
      calling the external handler script to unblock the identified IP address entry and permit traffic from the address to flow through the network device if the duration is greater than or equal to BLOCKTIME.
  - 30. The computer-readable medium of claim 19, further comprising one or more instructions for storing a TIME value data in the stored IP address data representing the time that the IP address was added;
    - one or more instructions for storing a BTIME value data in the stored IP address data representing the time the address was blocked. one or more instructions for determining the age of an IP address entry by subtracting the entry'"'"'s TIME value from the current time of the check; and
      
      one or more instructions for determining a block'"'"'s duration by subtracting the entry'"'"'s BTIME value from the current time of the check.

21. A computer-readable medium incorporating one or more instructions for providing enhance network security, the instructions comprising:
- one or more instructions for receiving data traffic at a network device for processing;
  
  one or more instructions for reviewing the data traffic and comparing the data traffic against predetermined criteria;
  
  one or more instructions for determining whether the data traffic matches the criteria;
  
  one or more instructions for calling an external handler script to process the data traffic if it is determined that the data traffic matches the criteria; and
  
  one or more instructions for passing the data traffic as conventional traffic if it is determined that the data traffic does not match the criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alexander G. Chamandy, Sean P. Davis
Original Assignee
Alexander G. Chamandy, Sean P. Davis
Inventors
Davis, Sean P., Chamandy, Alexander G.

Application Number

US10/638,313
Publication Number

US 20040030931A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/35   involving non-standard use ...

H04L 63/14   for detecting or protecting...

System and method for providing enhanced network security

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing enhanced network security

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links