Network security system and method

US 20050182950A1
Filed: 10/13/2004
Published: 08/18/2005
Est. Priority Date: 02/13/2004
Status: Abandoned Application

First Claim

Patent Images

1. A network security system, comprising:

a packet-dedicated processor for primarily performing hardware filtering on static attacks of network traffic; and

a host system provided with a software filter for secondarily performing software filtering on dynamic attacks of network traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a network security system and method. The network security system includes a packet-dedicated processor for primarily performing hardware filtering on static attacks of network traffic, and a host system provided with a software filter for secondarily performing software filtering on dynamic attacks of network traffic. In the network security method, hardware filtering is performed on static network traffic attacks, software filtering is performed on dynamic network traffic attacks based on an analysis the results of the hardware filtering and packet streams generated by incoming packets for a predetermined time, and intrusion prevention information is provided to an administrator based on the accumulation and an analysis of the results of the software filtering.

Citations

27 Claims

1. A network security system, comprising:
- a packet-dedicated processor for primarily performing hardware filtering on static attacks of network traffic; and
  
  a host system provided with a software filter for secondarily performing software filtering on dynamic attacks of network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The network security system as set forth in claim 1, wherein the hardware filtering is performed by performing pattern matching on incoming packets based on defined security rules.
  - 3. The network security system as set forth in claim 1, wherein the software filtering is performed by selectively transmitting processing results of the packet-dedicated processor to the software filter and analyzing packet streams that are generated for a predetermined time.
  - 4. The network security system as set forth in claim 3, wherein the processing results of the packet-dedicated processor comprise information on blocking results related to packets incoming to the packet-dedicated processor, information on packets primarily filtered out by the packet-dedicated processor, information on all the packets incoming to the packet-dedicated processor and header information of all packets.
  - 5. The network security system as set forth in claim 1, further comprising a remote management system for creating security rules that will be applied to the packet-dedicated processor and the software filter and transmitting the security rules on-line.
  - 6. The network security system as set forth in claim 1, further comprising a network traffic analysis system for receiving network traffic information from the packet-dedicated processor and the software filter, accumulating and analyzing the network traffic information, and providing intrusion prevention information to an administrator.
  - 7. The network security system as set forth in claim 1, wherein the packet-dedicated processor comprises:
    - an Ethernet controller (PHY) for inputting/outputting packets to/from a network and a gateway;
      
      an In-Line Controller (ILC) for analyzing the packets input from the PHY, transmitting header information to a Header Search Engine (HSE) and contents to a Pattern Search Engine (PSE), and detection and blocking packets, which violate the security rules, based on analysis results obtained in the HSE and the PSE;
      
      the PSE for performing content search based on values set by the ILC and transmitting results of the search to the ILC;
      
      the HSE for performing packet header search based on values set by the ILC and transmitting the results of the search to the ILC;
      
      Static Random Access Memory (SRAM, action info Database) for storing processing methods corresponding to the results of the search, and transmitting a processing method, which corresponds to the results of the search input from the ILC, to the ILC; and
      
      a Peripheral Component Interconnect (PCI) controller for receiving information to set search conditions, which will be used in the PSE and the HSE, and information, which will be used in the SRAM, from the host system, and reporting processing results and status by transmitting the packet processing results and statistical information data to the host system.
  - 8. The network security system as set forth in claim 7, wherein the PSE is formed of an Application Specific Integrated Circuit (ASIC) and stores the search conditions for searching incoming packets.
  - 9. The network security system as set forth in claim 8, wherein the search conditions are comparison information for determining whether the incoming packets are normal packets or not.
  - 10. The network security system as set forth in claim 7, wherein the SRAM stores information on countermeasures against network traffic attacks.
  - 11. The network security system as set forth in claim 10, wherein the countermeasure information includes information for determining whether to pass or block the packets filtered in the packet-dedicated processor.
  - 12. The network security system as set forth in claim 1, wherein the software filter provided on the host system comprises:
    - a packet processing module for receiving blocking result information and packet information from the packet-dedicated processor through a Direct Memory Access (DMA) memory region, and a countermeasure management module for receiving blocking result information from the packet processing module and issuing an alarm to an administrator;
      
      a dynamic attack filter for receiving packet information from the packet processing module and performing dynamic attack filtering and a scheduled blocking filter;
      
      a traffic processing module for transmitting information, which is received from the packet processing module to analyze traffic attacks, to the network traffic analysis system;
      
      a countermeasure management module for transmitting the blocking result information to a data transmission/reception module to notify the administrator of the blocking result information;
      
      the data transmission/reception module for transmitting results to the remote management system through a Transmission Control Protocol/Internet Protocol (TCP/IP) socket;
      
      a configuration management module for performing functions of status initiation of the packet-dedicated processor and drive mode; and
      
      a policy management module for downloading static security rules that are detection and blocking criteria on the packet-dedicated processor and performing an on-line policy changing function in real time.
  - 13. The network security system as set forth in claim 12, wherein the data transmission/reception module receives security rules and configuration management information defined by the remote management system, and transmits the security rules and the configuration management information to the configuration management module and the policy management module.
  - 14. The network security system as set forth in claim 12, wherein the packet processing module selectively receives information on blocking results related to packets incoming to the packet-dedicated processor, information on packets primarily filtered out by the packet-dedicated processor, information on all the packets incoming to the packet-dedicated processor and header information of all packets from the packet-dedicated processor as processing results according to a user'"'"'s setting.
  - 15. The network security system as set forth in claim 12, wherein the dynamic attack blocking filter and the scheduled blocking filter accumulate input packet information and analyze the variation of traffic based on previously defined dynamic attack security rules and scheduled blocking rules, and transmit the block rules to the countermeasure management module to be transmitted to the packet-dedicated processor if the traffic is determined to be abnormal traffic and exceeds a threshold value.
  - 16. The network security system as set forth in claim 5, wherein the remote management system comprises:
    - a data transmission/reception module for receiving log information from a blocking system;
      
      an intrusion blocking log management module for transmitting the received log information to a database system to be stored therein;
      
      a configuration management module for defining configuration management information for the blocking system;
      
      a policy management module for defining blocking related security rules for the blocking system; and
      
      a report management module for providing formalized reports on statistical information and blocking logs to the administrator using blocking information accumulated in the database system.
  - 17. The network security system as set forth in claim 16, wherein the policy management module defines filtering rules for statistic network traffic attacks and filtering rules for dynamic network traffic attacks.
  - 18. The network security system as set forth in claim 16, wherein the remote management system further comprises a user authentication management module for managing user authentication information of the remote management system and the blocking system and performing a user authentication function to allow access only to authorized users of the remote management system.
  - 19. The network security system as set forth in claim 6, wherein the network traffic analysis system comprises:
    - a data transmission/reception module for receiving traffic information from the blocking system, and storing the traffic information in a database system;
      
      a service-based traffic analysis module or packet size-based traffic analysis module for providing traffic distribution information to an administrator using accumulated traffic information;
      
      a policy management module for analyzing abnormal traffic that may be generated by unknown attacks; and
      
      a report management module for providing formalized reports on statistical information and abnormal traffic-related information to the administrator using the traffic information accumulated in the database system.
  - 20. The network security system as set forth in claim 19, wherein the policy management module establishes rules for distinguishing the abnormal traffic from normal traffic, analyzes the packets and notifies the administrator of abnormal traffic related information.
  - 21. The network security system as set forth in claim 19, further comprising a traffic load variation analysis module for providing a real-time variation of the traffic information transmitted from the blocking system to the administrator.

22. A network security system, comprising:
- a blocking system connected to a gateway of a network in transparent mode to prevent traffic attacks on the network;
  
  a remote management system for creating security rules to be applied to the blocking system and transmitting the security rules to the blocking system on-line; and
  
  a network traffic analysis system for receiving network traffic information from the blocking system, accumulating and analyzing the network traffic information, and proving intrusion prevention information to an administrator.

23. A network security method, comprising the steps of;
- performing hardware filtering on static network traffic attacks;
  
  performing software filtering on dynamic network traffic attacks based on an analysis of results of the hardware filtering and packet streams generated by incoming packets for a predetermined time; and
  
  providing intrusion prevention information to an administrator based on accumulation and an analysis of results of the software filtering.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method as set forth in claim 23, further comprising the step of transmitting information on setup of static security rules and dynamic security rules, data management of block logs, and other security management on-line.
  - 25. The method as set forth in claim 23, wherein the step of performing hardware filtering comprises the steps of:
    - receiving packets from a network and a gateway;
      
      analyzing header and contents information of the packets based on set security rules in real time; and
      
      searching for and blocking packets, which violate the security rules, in real time regardless of packet shape and size.
  - 26. The method as set forth in claim 23, wherein the step of performing software filtering comprises the steps of:
    - receiving results of the hardware filtering and packet information;
      
      issuing an alarm to the administrator using the results of the hardware filtering and performing dynamic attack filtering using the packet information; and
      
      transmitting results of the dynamic attack filtering results to the remote management system.
  - 27. The method as set forth in claim 26, wherein the dynamic attack filtering is performed by accumulating the packet information and analyzing a variation of traffic for a predetermined time based on predefined dynamic attack security rules and scheduled blocking rules, and transmitting the blocking rules to a countermeasure management module to be transmitted to a packet-dedicated processor if it is determined that the traffic is abnormal traffic and exceeds a threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LG CNS Company Limited (LG Corporation)
Original Assignee
LG N-Systems Company Limited (LG Corporation)
Inventors
Ryu, Yeon-Sik, Hong, O-Young, Son, So-Ra, Lee, Sang-Woo, Pyo, Seung-Jong

Application Number

US10/962,560
Publication Number

US 20050182950A1
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

Network security system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Network security system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links