Method and apparatus for detecting intrusions on a computer system

US 20060117386A1
Filed: 01/13/2006
Published: 06/01/2006
Est. Priority Date: 06/13/2001
Status: Active Grant

First Claim

Patent Images

1. A method of detecting intrusions on a computer, comprising:

identifying an internet protocol field range describing fields within internet protocol packets received by a computer;

establishing a connectivity range describing a distribution of network traffic received by said computer;

determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively;

during the operation of said computer, calculating values for said internet protocol field range and said connectivity range; and

comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer;

wherein a plurality of said internet protocol field ranges are provided including an IP address range and a packet length and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting intrusions on a computer includes the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer. A connectivity range is also established which describes a distribution of network traffic received by the computer. An internet protocol field threshold and a connectivity threshold are then determined from the internet protocol field range and connectivity range, respectively. During the operation of the computer, values are calculated for the internet protocol field range and connectivity range. These values are compared to the internet protocol metric threshold and connectivity metric threshold so as to identify an intrusion on the computer.

136 Citations

23 Claims

1. A method of detecting intrusions on a computer, comprising:
- identifying an internet protocol field range describing fields within internet protocol packets received by a computer;
  
  establishing a connectivity range describing a distribution of network traffic received by said computer;
  
  determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively;
  
  during the operation of said computer, calculating values for said internet protocol field range and said connectivity range; and
  
  comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer;
  
  wherein a plurality of said internet protocol field ranges are provided including an IP address range and a packet length and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold.

2. A method of detecting intrusions on a computer, comprising:
- identifying a plurality of internet protocol field ranges describing fields within internet protocol packets received by a computer, the internet protocol field ranges including;
  
  an IP address range, and a packet length;
  
  determining a plurality internet protocol field thresholds including;
  
  an IP address range threshold, and a packet length threshold. comparing the internet protocol field ranges to the internet protocol field thresholds; and
  
  identifying an intrusion on the computer based on the comparison.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22)
- - 3. The method of claim 2, further comprising establishing a traffic level of network traffic received by the computer.
  - 4. The method of claim 3, further comprising determining a connectivity threshold.
  - 5. The method of claim 4, further comprising comparing the connectivity threshold with the traffic level.
  - 6. The method of claim 2, further comprising flagging packets that are identified as being an intrusion on the computer.
  - 7. The method of claim 6, wherein the flagging is based on manually entered rules.
  - 8. The method of claim 2, wherein the packet length threshold is applied to TCP packets.
  - 9. The method of claim 2, wherein the packet length threshold is applied to UDP packets.
  - 10. The method of claim 2, wherein the packet length threshold is applied to ICMP packets.
  - 11. The method of claim 2, wherein a first packet length threshold is applied to TCP packets and UDP packets, and a second packet length threshold is applied to ICMP packets.
  - 12. The method of claim 2, wherein the packet length threshold is an upper packet length threshold.
  - 13. The method of claim 2, wherein the packet length threshold is a lower packet length threshold.
  - 14. The method of claim 2, wherein the internet protocol field ranges include a protocol data unit (PDU) length, and the internet protocol field thresholds include a PDU length threshold.
  - 15. The method of claim 2, wherein an intrusion is identified upon the detection of overlapping fragmentation offsets.
  - 16. The method of claim 2, wherein an intrusion is identified upon the detection of an unknown IP protocol.
  - 17. The method of claim 16, wherein the detection of the unknown IP protocol is performed based on a protocol identification field.
  - 18. The method of claim 2, wherein an intrusion is identified based on a set of TCP code bits.
  - 19. The method of claim 2, wherein an intrusion is identified based on IP packet destination ports.
  - 20. The method of claim 2, wherein the IP address range and the IP address range threshold include destination addresses.
  - 22. The method of claim 2, wherein an intrusion is identified utilizing a graphical user interface.

21. A computer program product for detecting intrusions on a computer, comprising:
- computer code for identifying a plurality of internet protocol field ranges describing fields within internet protocol packets received by a computer, the internet protocol field ranges including;
  
  an IP address range, and a packet length;
  
  computer code for determining a plurality internet protocol field thresholds including;
  
  an IP address range threshold, and a packet length threshold. computer code for comparing the internet protocol field ranges to the internet protocol field thresholds; and
  
  computer code for identifying an intrusion on the computer based on the comparison.

23. A method of preventing intrusions on a computer, comprising:
- receiving a plurality of packets utilizing a network;
  
  detecting an intrusion based on an inspection of the packets; and
  
  taking action for preventing the intrusion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gong, Fengmin, Gupta, Ramesh M., Raman, Ananth, Vissamsetti, Srikant, Jain, Parveen K., Amidon, Keith E., Haeffele, Steve M.

Granted Patent

US 7,823,204 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Method and apparatus for detecting intrusions on a computer system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for detecting intrusions on a computer system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others