Active network defense system and method
Abstract
An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.
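A compact model of the in-line pipeline the abstract describes, added here as an illustration and not the patent's own implementation: a state manager tracks live sessions and a sliding window of historical session-open events, an algorithmic filter applies a cross-session statistical threshold, a trigger filter does header-plus-content matching within a single session, and a packet handler blocks, extracts suspicious traffic for deeper inspection, or passes. The session key, window length, thresholds and trigger criteria are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ts: float           # seconds
    payload: bytes = b""

@dataclass
class StateManager:
    """In-line session tracker: live sessions plus a sliding window of session-open events."""
    window: float = 1.0                            # seconds of history retained (assumed)
    sessions: dict = field(default_factory=dict)   # (src, dst, dport) -> packets seen
    history: deque = field(default_factory=deque)  # (ts, src) for each newly seen session

    def track(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.sessions:               # first packet of a new session
            self.sessions[key] = 0
            self.history.append((pkt.ts, pkt.src))
        self.sessions[key] += 1
        while self.history and pkt.ts - self.history[0][0] > self.window:
            self.history.popleft()                 # age out events beyond the window
        return key

def algorithmic_filter(sm, src):
    """Cross-session statistic: sessions this source opened inside the window."""
    return sum(1 for _, s in sm.history if s == src)

TRIGGERS = [(80, b"../../"),   # constructed criteria, not the patent's: traversal string on HTTP
            (25, b"VRFY ")]    # SMTP account-probing command

def trigger_filter(pkt):
    """Per-session check: header field (destination port) plus content match."""
    return any(pkt.dport == port and pat in pkt.payload for port, pat in TRIGGERS)

def packet_handler(sm, pkt, block_at=10, suspect_at=5):
    """Return 'block', 'extract' (suspicious, kept for deeper inspection) or 'pass'."""
    key = sm.track(pkt)
    if trigger_filter(pkt):
        del sm.sessions[key]                        # terminate the threatening session
        return "block"
    opened = algorithmic_filter(sm, pkt.src)
    if opened > block_at:
        return "block"
    return "extract" if opened > suspect_at else "pass"
```

Packets are fed to `packet_handler` in arrival order with one `StateManager` per data flow; the thresholds would be tuned per deployment rather than fixed as here.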
94 Claims
1. A network defense system, comprising:
a state manager functionality connected in-line with respect to a data flow of packets, the state manager functionality operable to track sessions currently in existence on the data flow and save historical packet related data; and
an algorithmic filter operable to perform a statistical analysis on the tracked sessions and historical packet related data to determine whether packets in the data flow across multiple sessions present a threat to a protected network.
(Dependent claims: 2-13, 75-86)

14. A method for defending a network, comprising the steps of:
tracking sessions currently in existence on a data flow of packets;
collecting historical packet related data with respect to those sessions; and
algorithmically filtering the tracked sessions and collected historical packet related data to determine based on statistical analysis whether packets in the data flow across multiple sessions present a threat to the network.
(Dependent claims: 15-25, 87-94)

26. A system for defending a network, comprising:
a state manager functionality connected in-line with respect to a data flow of packets, the state manager functionality operable to track information concerning multiple sessions currently in existence on the data flow;
an algorithmic filter operable to perform a statistical analysis on the information to determine whether packets in the data flow across multiple sessions present a threat to the network;
a trigger filter also connected in-line with respect to the data flow of packets and operable to filter packets in the data flow against criteria designed for detecting threatening packets in individual sessions; and
a packet handler also connected in-line with respect to the data flow of packets and operable responsive to algorithmic and trigger filter detected threats to block the threatening packets.
(Dependent claims: 27-39)

40-74. (Canceled).
Specification