Programmable context aware firewall with integrated intrusion detection system

US 20050229246A1
Filed: 03/31/2004
Published: 10/13/2005
Est. Priority Date: 03/31/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving at least one protocol state machine definition for a network protocol, said protocol state machine definition including a plurality of protocol state rules;

parsing the at least one protocol state machine definition to form a set of parsed protocol state rules, said parsed protocol state rules including at least one condition and at least one action associated with the condition;

storing a set of filters in a filter database;

receiving a network flow, said flow including a plurality of packets; and

applying the parsed protocol state rules to the plurality of packets in the network flow;

wherein the at least one action comprises the instantiation of a filter from the set of filters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A context-aware firewall and intrusion detection system receives a definition of a Protocol State Machine (PSM) that defines the expected behavior of any protocol (FTP, HTTP, etc.). The PSM provides rules for detecting flows that deviate from the defined protocol behavior and taking appropriate actions. PSMs are comprised of rule groups define behavior of a protocol. The rules include conditions and actions that may be executed if the conditions are satisfied, The actions include dynamically adding filters to be applied to the network flow, saving results for use in later executed rules, and activating and deactivating rules. Thus, these firewalls are capable of selective and intelligent Processing based on flow state information and control payload.

174 Citations

25 Claims

1. A method comprising:
- receiving at least one protocol state machine definition for a network protocol, said protocol state machine definition including a plurality of protocol state rules;
  
  parsing the at least one protocol state machine definition to form a set of parsed protocol state rules, said parsed protocol state rules including at least one condition and at least one action associated with the condition;
  
  storing a set of filters in a filter database;
  
  receiving a network flow, said flow including a plurality of packets; and
  
  applying the parsed protocol state rules to the plurality of packets in the network flow;
  
  wherein the at least one action comprises the instantiation of a filter from the set of filters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15)
- - 2. The method of claim 1, wherein the protocol state rules include rules for analyzing a context for the network flow.
  - 3. The method of claim 2, wherein the context for the network flow includes an application layer context.
  - 4. The method of claim 1 wherein the filter comprises a dynamic filter that is instantiated for the duration of the network flow.
  - 5. The method of claim 1, wherein the filter comprises a static filter that is applied during an initiation of the network flow.
  - 6. The method of claim 1, wherein the at least one action comprises saving the result of the at least one action for use in a later executed rule in the set of parsed protocol state rules.
  - 7. The method of claim 1, wherein the at least one action comprises deactivating a rule in the set of parsed protocol state rules.
  - 8. The method of claim 1, wherein the at least one action comprises activating a rule in the set of parsed protocol state rules.
  - 15. The system of claim 8, wherein the at least one action deactivates a rule in the set of parsed protocol state rules.

9. A system comprising:
- a parser operable to parse at least one protocol state machine definition for a network protocol to a set of parsed protocol state rules, said protocol state machine definition including a plurality of protocol state rules, said parsed protocol state rules including at least one condition and at least one action associated with the condition;
  
  a filter database operable to store a set of filters in a filter database; and
  
  a protocol analysis engine operable to receive a network flow, said flow including a plurality of packets; and
  
  apply the parsed protocol state rules to the plurality of packets in the network flow;
  
  wherein the at least one action comprises the instantiation of a filter from the set of filters.
- View Dependent Claims (10, 11, 12, 13, 14, 16, 17)
- - 10. The system of claim 9, wherein the protocol state rules include rules to analyze a context for the network flow.
  - 11. The system of claim 10, wherein the context for the network flow includes an application layer context.
  - 12. The system of claim 9 wherein the filter comprises a dynamic filter that is instantiated for the duration of the network flow.
  - 13. The system of claim 9, wherein the filter comprises a static filter that is applied during an initiation of the network flow.
  - 14. The system of claim 9, wherein the at least one action comprises saves the result of the at least one action for use in a later executed rule in the set of parsed protocol state rules.
  - 16. The system of claim 9, wherein the at least one action comprises activates a rule in the set of parsed protocol state rules.
  - 17. The system of claim 9, wherein the protocol analysis engine is further operable to maintain a state table for the network flow.

18. A machine readable medium having machine executable instructions for performing a method comprising:
- receiving at least one protocol state machine definition for a network protocol, said protocol state machine definition including a plurality of protocol state rules;
  
  parsing the at least one protocol state machine definition to form a set of parsed protocol state rules, said parsed protocol state rules including at least one condition and at least one action associated with the condition;
  
  storing a set of filters in a filter database;
  
  receiving a network flow, said flow including a plurality of packets; and
  
  applying the parsed protocol state rules to the plurality of packets in the network flow;
  
  wherein the at least one action comprises the instantiation of a filter from the set of filters.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The machine readable medium of claim 18, wherein the protocol state rules include rules for analyzing a context for the network flow.
  - 20. The machine readable medium of claim 19, wherein the context for the network flow includes an application layer context.
  - 21. The machine readable medium of claim 18 wherein the filter comprises a dynamic filter that is instantiated for the duration of the network flow.
  - 22. The machine readable medium of claim 18, wherein the filter comprises a static filter that is applied during an initiation of the network flow.
  - 23. The machine readable medium of claim 18, wherein the at least one action comprises saving the result of the at least one action for use in a later executed rule in the set of parsed protocol state rules.
  - 24. The machine readable medium of claim 18, wherein the at least one action comprises deactivating a rule in the set of parsed protocol state rules.
  - 25. The machine readable medium of claim 18, wherein the at least one action comprises activating a rule in the set of parsed protocol state rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rajagopal, Priya, Sahita, Ravi, Parmar, Pankaj N.

Application Number

US10/815,539
Publication Number

US 20050229246A1
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/1441 Countermeasures against mal...

Programmable context aware firewall with integrated intrusion detection system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

174 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Programmable context aware firewall with integrated intrusion detection system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links