Intrusion detection in a data center environment

US 20060095968A1
Filed: 03/25/2005
Published: 05/04/2006
Est. Priority Date: 10/28/2004
Status: Active Grant

First Claim

Patent Images

1. In a network environment having a plurality of traffic sources, a system for monitoring traffic on at least a portion of said plurality of traffic sources comprising:

means for copying traffic from each of said plurality of traffic sources;

a plurality of intrusion detection systems, at least one of which is associated with each of said plurality of traffic sources; and

means for redirecting the copied traffic from each of said plurality of traffic sources to said associated one of said plurality of intrusion detection systems.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection system (IDS) is capable of identifying the source of traffic, filtering the traffic to classify it as either safe or suspect and then applying sophisticated detection techniques such as stateful pattern recognition, protocol parsing, heuristic detection or anomaly detection either singularly or in combination based on the traffic type. In a network environment, each traffic source is provided with at least one IDS sensor that is dedicated to monitoring a specific type of traffic such as RPC, HTTP, SMTP, DNS, or others. Traffic from each traffic source is filtered to remove known safe traffic to improve efficiency and increase accuracy by keeping each IDS sensor focused on a specific traffic type.

Citations

20 Claims

1. In a network environment having a plurality of traffic sources, a system for monitoring traffic on at least a portion of said plurality of traffic sources comprising:
- means for copying traffic from each of said plurality of traffic sources;
  
  a plurality of intrusion detection systems, at least one of which is associated with each of said plurality of traffic sources; and
  
  means for redirecting the copied traffic from each of said plurality of traffic sources to said associated one of said plurality of intrusion detection systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1 further comprising means for filtering the copied traffic.
  - 3. The system of claim 2 wherein said means for filtering comprises an access control list that forwards selected traffic to said associated intrusion detection system.
  - 4. The system of claim 3 wherein said filter comprises an access control list that distinguishes traffic type.
  - 5. The system of claim 4 wherein said redirecting means includes means for sending traffic to one of said plurality of intrusion detection system based on traffic type.
  - 6. The system of claim 1 wherein said sources of traffic comprises a plurality of VLANs and protocols greater than two and said plurality of intrusion detection systems comprise at least one intrusion detection system for each of said plurality of VLANs and protocols.
  - 7. The system of claim 1 further comprising means for associating at least one intrusion detection system with each traffic source and for redirecting said copied traffic to one of said intrusion detection systems based on traffic type.
  - 8. The system of claim 7 wherein said intrusion detection system further comprises means for applying various detection techniques to a selected type of traffic.
  - 9. The system of claim 8 wherein said plurality of intrusion detection systems associated with a traffic source include a plurality of intrusion detection sensors for monitoring at least two types of traffic.
  - 10. The system of claim 9 wherein each of said plurality of intrusion detection sensors are adapted to monitor traffic of one of the following types of traffic:
    - RPC, HTTP, DNS, MAC or SMTP.
  - 11. The system of claim 10 wherein said intrusion detection sensors associated with each of said plurality of traffic sources comprises an comprise a single virtualized IDS sensor.

12. In a network having at least three subnets, a system for selectively monitoring traffic on each of said subnets comprising:
- a plurality of intrusion detection systems;
  
  a switch adapted to identify traffic to be copied;
  
  a VLAN adapted to receive said copied traffic; and
  
  a switch associated with said VLAN adapted for performing a hierarchal determination the traffic source and the traffic type and for selectively sending said traffic to a selected one of said intrusion detection systems based on the traffic source and the traffic type.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12 further comprising means for filtering safe traffic from the copied traffic.
  - 14. The system of claim 13 wherein said filtering means comprises a network switch configured for executing a VACL REDIRECT command on said traffic.
  - 15. The system of claim 14 wherein said means for filtering comprises an access control list that redirects selected traffic to said associated intrusion detection system.

16. In a network having at least three subnets, a method for selectively monitoring traffic on each of said selective comprising:
- configuring a first switch for copying traffic from each of said subnets;
  
  sending a copy of said copied traffic to a virtual local area network;
  
  determining the source and destination of said traffic;
  
  determining traffic type (layer 4 protocol and layer 4 port);
  
  based on said determining steps, filtering said traffic to remove safe traffic; and
  
  redirecting the filtered traffic to an intrusion detection system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein said redirecting step further comprising the steps of associating at least one intrusion detection system with each traffic source.
  - 18. The method of claim 17 wherein said redirecting step further comprises the step of associating at least one intrusion detection system for each type of traffic to be monitored for a selected traffic source.
  - 19. The method of claim 16 wherein said configuring step comprises configuring a switch with a VACL command for each traffic source to be monitored.
  - 20. The method of claim 16 wherein said determining steps and said filtering step comprises configuring a second switch with a VACL REDIRECT command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Portolani, Maurizio, Arregoces, Mauricio, Stevenson, Timothy W.

Granted Patent

US 7,610,375 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Intrusion detection in a data center environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection in a data center environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links