Active network defense system and method

US 20050044422A1
Filed: 08/31/2004
Published: 02/24/2005
Est. Priority Date: 11/07/2002
Status: Active Grant

First Claim

Patent Images

1. A network defense system, comprising:

a state manager functionality connected in-line with respect to a data flow of packets, the state manager functionality operable to track sessions currently in existence on the data flow and save historical packet related data; and

an algorithmic filter operable to perform a statistical analysis on the tracked sessions and historical packet related data to determine whether packets in the data flow across multiple sessions present a threat to a protected network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

172 Citations

94 Claims

1. A network defense system, comprising:
- a state manager functionality connected in-line with respect to a data flow of packets, the state manager functionality operable to track sessions currently in existence on the data flow and save historical packet related data; and
  
  an algorithmic filter operable to perform a statistical analysis on the tracked sessions and historical packet related data to determine whether packets in the data flow across multiple sessions present a threat to a protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86)
- - 2. The network defense system of claim 1 further including a packet handler also connected in-line with respect to the data flow of packets and operable responsive to the presence of a threat to block threatening packets.
  - 3. The network defense system of claim 2 wherein the packet handler is further operable responsive to the presence of a threat to terminate threatening sessions.
  - 4. The network defense system of claim 1 wherein the threat to the protected network comprises a threat with respect to a plurality of sessions taken from the group consisting of:
    - address sweep attacks, port scan attacks and denial of service attacks.
  - 5. The network defense system of claim 1 wherein the algorithmic filter operable to perform a statistical analysis on the tracked sessions and historical packet related data is further operable to determine whether packets in the data flow across multiple sessions are suspicious.
  - 6. The network defense system of claim 5 further including:
    - a trigger filter also connected in-line with respect to the data flow of packets and operable responsive to the algorithmic filter suspicion determination to filter the suspicious packets in the data flow against criteria designed for detecting threatening packets across multiple sessions; and
      
      a packet handler also connected in-line with respect to the data flow of packets and operable responsive to the detected threat to block the threatening packets.
  - 7. The network defense system of claim 6 wherein the trigger filter is further operable to filter packets in the data flow against criteria designed for detecting threatening packets in individual sessions.
  - 8. The network defense system of claim 7 wherein the trigger filter is still further operable to determine whether packets in the data flow in individual sessions are suspicious, the packet handler being further operable to extract the suspicious packets from the data flow for further examination.
  - 9. The network defense system of claim 8 further including:
    - a threat verifier that receives the extracted packets and implements a filtering operation thereon that is more comprehensive than that performed by the in-line trigger filter for the purpose of resolving whether the suspicious extracted packets are threatening.
  - 10. The network defense system of claim 9 wherein the threat verifier is further operable to return suspicious extracted packets to the data flow in event they are determined not to be threatening.
  - 11. The network defense system of claim 9 further including:
    - a risk assessor operable to examine the suspicious extracted packets and determine whether they present a certain risk to identifiable assets that are present within the network.
  - 12. The network defense system of claim 1 further including a flow controller also connected in-line with respect to the data flow of packets and operable to regulate the passage of packets along the data flow.
  - 13. The network defense system of claim 1 wherein:
    - the state manager functionality is implemented in hardware; and
      
      the algorithmic filter is implemented in software.
  - 75. The network defense system of claim 1 wherein the system is capable of performing stateful inspections of the data flow of packets at line speeds.
  - 76. The network defense system of claim 1 wherein the state manager is further operable to ensure whether individual packets in the data flow are associated with a recognized session.
  - 77. The network defense system of claim 1 wherein the historical packet related data includes a nature of passing packet traffic.
  - 78. The network defense system of claim 77 wherein the historical packet related data further includes information about the packet traffic in individual sessions.
  - 79. The network defense system of claim 78 wherein the historical packet related data further includes information about the packet traffic across multiple different sessions.
  - 80. The network defense system of claim 6 wherein the packet handler is implemented in hardware.
  - 81. The network defense system of claim 9 wherein the threat verifier uses protocol decoders and regular expression matching for determining whether the suspicious extracted packets are threatening.
  - 82. The network defense system of claim 81 wherein the threat verifier is implemented in software.
  - 83. The network defense system of claim 11 wherein the determination is made by an asset database maintained by the system.
  - 84. The network defense system of claim 83 wherein said asset database contains information on each of the machines and devices present within the network defense system as well as their interconnection and operational relationship to each other.
  - 85. The network defense system of claim 12 wherein the flow controller is further operable to regulate the passage of packets along the data flow based on certain programmable or configurable priorities.
  - 86. The network defense system of claim 85 wherein the flow controller is implemented in hardware.

14. A method for defending a network, comprising the steps of:
- tracking sessions currently in existence on a data flow of packets;
  
  collecting historical packet related data with respect to those sessions; and
  
  algorithmically filtering the tracked sessions and collected historical packet related data to determine based on statistical analysis whether packets in the data flow across multiple sessions present a threat to the network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 87, 88, 89, 90, 91, 92, 93, 94)
- - 15. The method of claim 14 further including the step of handling packets in the data flow of packets by blocking threatening packets in response to the presence of a determined threat.
  - 16. The method of claim 15 wherein the step of handling further comprises the step of terminating threatening sessions in response to the presence of a determined threat.
  - 17. The method of claim 14 wherein the threat to the protected network comprises a threat with respect to a plurality of sessions taken from the group consisting of:
    - address sweep attacks, port scan attacks and denial of service attacks.
  - 18. The method of claim 14 further including the step of determining from the statistical analysis whether packets in the data flow across multiple sessions present a suspicion of a threat to the network.
  - 19. The method of claim 18 further including the steps of:
    - filtering packets in the data flow of packets in operable response to the suspicion of a threat against criteria designed for detecting threatening packets across multiple sessions; and
      
      handling packets in the data flow of packets by blocking threatening packets in response to the presence of a detected threat.
  - 20. The method of claim 19 wherein the step of filtering packets further includes the step of filtering packets in the data flow against criteria designed for detecting threatening packets in individual sessions.
  - 21. The method of claim 20 wherein the step of filtering packets still further includes the step of determining whether packets in the data flow in individual sessions are suspicious, the step of handling further including the step of extracting the suspicious packets from the data flow for further examination.
  - 22. The method of claim 21 further including the steps of:
    - verifying the threat with respect to the extracted packets by implementing a filtering operation thereon that is more comprehensive than that performed in the step of filtering packets for the purpose of resolving whether the suspicious extracted packets are threatening.
  - 23. The method of claim 22 wherein the step of verifying the threat further includes the step of returning suspicious extracted packets to the data flow in event they are determined not to be threatening.
  - 24. The method of claim 22 further including the step of:
    - assessing risk with respect to the suspicious extracted packets by determining whether they present a certain risk to identifiable assets that are present within the network.
  - 25. The method of claim 14 further including step of controlling flow by regulating the passage of packets along the data flow.
  - 87. The method of claim 14 further including the step of ensuring whether individual packets in the data flow are associated with a recognized session.
  - 88. The method of claim 14 wherein the step of collecting historical packet related data includes a nature of passing packet traffic.
  - 89. The method of claim 88 wherein the step of collecting historical packet related data further includes information about the packet traffic in individual sessions.
  - 90. The method of claim 89 wherein the step of collecting historical packet related data further includes information about the packet traffic across multiple different sessions.
  - 91. The method of claim 22 wherein the step of verifying further includes the step of using protocol decoders and regular expression matching for determining whether the suspicious extracted packets are threatening.
  - 92. The method of claim 24 wherein the step of determining is made by an asset database.
  - 93. The method of claim 92 wherein the asset database contains information on each of the machines and devices present within the network as well as their interconnections and operational relationship to each other.
  - 94. The method of claim 25 wherein the step of controlling flow further includes the step of regulating the passage of packets along the data flow based on certain programmable or configurable priorities.

26. A system for defending a network, comprising:
- a state manager functionality connected in-line with respect to a data flow of packets, the state manager functionality operable to track information concerning multiple sessions currently in existence on the data flow;
  
  an algorithmic filter operable to perform a statistical analysis on the information to determine whether packets in the data flow across multiple sessions present a threat to the network;
  
  a trigger filter also connected in-line with respect to the data flow of packets and operable to filter packets in the data flow against criteria designed for detecting threatening packets in individual sessions; and
  
  a packet handler also connected in-line with respect to the data flow of packets and operable responsive to algorithmic and trigger filter detected threats to block the threatening packets.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 27. The system of claim 26 further including a flow controller also connected in-line with respect to the data flow of packets and operable to regulate the passage of packets along the data flow.
  - 28. The system of claim 26 wherein the algorithmic filter is further operable to determine from the statistical analysis whether packets in the data flow across multiple sessions present a suspicion of a threat to the network, and wherein the trigger filter is further operable responsive to the suspicion determination to filter suspicious packets in the data flow against criteria designed for detecting threatening packets across multiple sessions.
  - 29. The system of claim 26 wherein the packet handler is further operable responsive to the presence of a threat to terminate threatening sessions.
  - 30. The system of claim 26 wherein the threat to the protected network comprises a threat with respect to a plurality of sessions taken from the group consisting of:
    - address sweep attacks, port scan attacks and denial of service attacks.
  - 31. The system of claim 26 wherein the trigger filter is still further operable extract packets from the data flow in the event the trigger filter determines them to be suspicious.
  - 32. The system of claim 31 further including:
    - a threat verifier that receives the extracted packets and implements a filtering operation thereon that is more comprehensive than that performed by the in-line trigger filter for the purpose of resolving whether the suspicious extracted packets are threatening.
  - 33. The system of claim 32 wherein the threat verifier is further operable to return suspicious extracted packets to the data flow in event they are determined not to be threatening.
  - 34. The system of claim 33 further including:
    - a risk assessor operable to examine the suspicious extracted packets and determine whether they present a certain risk to identifiable assets that are present within the network.
  - 35. The system of claim 26 wherein the information analyzed by the algorithmic filter comprises session tracking data concerning the association of packets to established certain sessions.
  - 36. The system of claim 26 wherein the information analyzed by the algorithmic filter comprises historical packet related data across multiple sessions.
  - 37. The system of claim 26 wherein the filtering criteria comprise header and content matching criteria.
  - 38. The system of claim 26 wherein the filtering criteria comprise multi-packet content matching criteria.
  - 39. The system of claim 26 wherein the algorithmic filter implements statistical threshold filtering.

40-74. -74. (Canceled).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
TippingPoint Technologies, Inc. (Open Text Corporation)
Inventors
Smith, Brian, Cox, Dennis, Willebeek-Lemair, Marc, Cantrell, Craig, Kolbly, Donovan, McHale, John

Granted Patent

US 7,451,489 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/028   by filtering

H04L 43/0888   Throughput

H04L 43/16   Threshold monitoring

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0442   wherein the sending and rec...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Active network defense system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

94 Claims

Specification

Solutions

Use Cases

Quick Links

Active network defense system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

94 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links