System for high speed network intrusion detection

US 20040107361A1
Filed: 11/29/2002
Published: 06/03/2004
Est. Priority Date: 11/29/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of intrusion detection in a packet based network, the network including a network interface card for receiving data units, placing the received data units into predetermined memory locations, and for generating interrupts when data units are received, the method comprising:

receiving an interrupt from the network interface card;

determining if a data unit in a predetermined memory location is indicative of a network intrusion;

determining if a subsequent data unit is present in an adjacent predetermined memory location;

determining if the subsequent data unit, if present, is indicative of a network intrusion; and

clearing the interrupt if a subsequent data unit is not present.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network intrusion detection system for detection of an intrusion through the analysis of data units on a network connection is described herein. The network intrusion detection system provides enhanced memory performance through an interrupt handling routine that minimises calls to the operating system, and mitigates the performance overhead of copying data units from one memory location to another. Data units received from an external network are placed into a ring buffer for in place analysis to reduce data transfer overhead.

Citations

23 Claims

1. A method of intrusion detection in a packet based network, the network including a network interface card for receiving data units, placing the received data units into predetermined memory locations, and for generating interrupts when data units are received, the method comprising:
- receiving an interrupt from the network interface card;
  
  determining if a data unit in a predetermined memory location is indicative of a network intrusion;
  
  determining if a subsequent data unit is present in an adjacent predetermined memory location;
  
  determining if the subsequent data unit, if present, is indicative of a network intrusion; and
  
  clearing the interrupt if a subsequent data unit is not present.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further including, prior to clearing the interrupt, the steps of:
    - waiting a predetermined time interval;
      
      determining if a subsequent data unit is present in the adjacent predetermined memory location; and
      
      determining if the subsequent data unit, if present, is indicative of a network intrusion.
  - 3. The method of claim 1, further including the step of generating an alert if it is determined that a data unit is indicative of a network intrusion.
  - 4. The method of claim 1, wherein the step of determining if a data unit is indicative of a network intrusion includes comparing the payload of the data unit to a plurality of known intrusion signatures to determine if a match is present.
  - 5. The method of claim 4, wherein the step of comparing the payload of the data unit includes performing a Boyer-Moore comparison of the data unit payload to the plurality of known intrusion signatures.
  - 6. The method of claim 1, wherein the step of determining if a data unit is indicative of a network intrusion includes verifying the checksum of the data unit.
  - 7. The method of claim 6, further including the step of incrementing an illegal data unit counter when the checksum of a data unit is invalid.
  - 8. The method of claim 1, wherein the step of determining if a data unit is indicative of a network intrusion includes inspecting the data unit to determine if the data unit is indicative of a port scan.
  - 9. The method of claim 1, further including the step of reassembling a data unit from fragments prior to examining the reassembled data unit.

10. A network intrusion detection system, for detecting network intrusions from an external network, having a database of signatures indicative of network intrusions, the network intrusion detection system comprising:
- a ring buffer of memory elements, for storing a plurality of data units;
  
  a network interface card, operatively connected to both the external network for receiving data units, and the ring buffer for transferring the received data units into the memory elements of the ring buffer, for generating an interrupt when a data unit is transferred to an otherwise empty ring buffer; and
  
  an analysis engine, operatively connected to the database for retrieving the signatures, operatively connected to the network interface card for receiving interrupts, and operatively connected to the ring buffer for retrieving data units from the memory elements, for determining, upon receipt of an interrupt from the network interface card, if a retrieved data unit is indicative of a network intrusion using the database signatures, for retrieving a subsequent data unit from the ring buffer, if one is available, upon completion of the prior determination, for determining if the subsequent retrieved data unit is indicative of a network intrusion using the database signatures, and for clearing the interrupt received from the network interface card when no further subsequent data units are available from the ring buffer.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 11. The network intrusion detection system of claim 10, wherein the analysis engine includes:
    - a delayed data unit retriever, for retrieving a subsequent data unit from the ring buffer, if one is available, after waiting a fixed time interval, a delayed intrusion detector for determining if the subsequent retrieved data unit is indicative of a network intrusion using the database signatures, and a delayed interrupt handler for clearing the interrupt received from the network interface card, after waiting the fixed time interval, if no subsequent data units are available from the ring buffer.
  - 12. The network intrusion detection system of claim 10, wherein the analysis engine includes an alarm generator for generating an alarm when a retrieved data unit is indicative of a network intrusion.
  - 13. The network intrusion detection system of claim 10, wherein the analysis engine includes a checksum validator for validating the checksum of a retrieved data unit.
  - 14. The network intrusion detection system of claim 13, wherein the analysis engine further includes an illegal packet counter for tracking the number of retrieved data units with invalid checksums.
  - 15. The network intrusion detection system of claim 10, wherein the database of signatures contains strings indicative of a network intrusion when present in the payload of a data unit.
  - 16. The network intrusion detection system of claim 15, wherein the analysis engine includes a comparator for comparing the database strings to the payload of retrieved data units.
  - 17. The network intrusion detection system of claim 16 wherein the comparator is a Boyer-Moore comparator.
  - 18. The network intrusion detection system of claim 16, wherein the comparator include means to compare the payload of retrieved data units to database strings using 64 bit registers and MMX instructions.
  - 19. The network intrusion detection system of claim 10, wherein the analysis engine includes a fragment detector for determining if the retrieved data unit is a data unit fragment.
  - 20. The network intrusion detection system of claim 19, wherein the analysis engine includes a fragment reassembler for reassembling a fragmented data unit.
  - 21. The network intrusion detection system of claim 10, further including a second network interface card, operatively connected to an internal network for receiving data units, operatively connected a second the ring buffer for transferring the received data units into the memory elements of the second ring buffer, and operatively connected to a second analysis engine for providing interrupts when a data unit is transferred to the second ring buffer.
  - 22. The network intrusion detection system of claim 21, further including a tap operatively connecting the internal and external networks to the two network interface cards.
  - 23. The network intrusion detection system of claim 22, wherein the first and second network interface cards operate in simplex mode, each card receiving data units from one of the internal network and the external network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Infinity Technology Solutions
Original Assignee
Infinity Technology Solutions
Inventors
Thompson, Matthew A., Redan, Michael C.

Application Number

US10/305,950
Publication Number

US 20040107361A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/16   Implementation or adaptatio...

H04L 69/166   IP fragmentation; TCP segme...

System for high speed network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System for high speed network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links