Inline intrusion detection

US 20060161983A1
Filed: 01/20/2005
Published: 07/20/2006
Est. Priority Date: 01/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method for inline intrusion detection, comprising:

receiving a packet at a network gateway;

storing the packet and assigning an identifier to the packet;

transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;

analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature; and

communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for inline intrusion detection includes receiving a packet at a network gateway, storing the packet, and assigning an identifier to the packet. The method also includes transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system and analyzing the copy of the packet by the intrusion detection system to determine whether the packet includes an attack signature and communicating a reply message from the intrusion detection system to the network gateway. The reply message includes the identifier and is indicative of the results of the analysis. The size of the reply message is less than the size of the packet.

Citations

37 Claims

1. A method for inline intrusion detection, comprising:
- receiving a packet at a network gateway;
  
  storing the packet and assigning an identifier to the packet;
  
  transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature; and
  
  communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 3. The method of claim 1, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 4. The method of claim 3, wherein the reply message comprises an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 5. The method of claim 1, and further comprising, in response to the reply message taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 6. The method of claim 1, and further comprising, in response to the reply message, dropping, by the network gateway, the packet and any related packet.
  - 7. The method of claim 1, and further comprising setting a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 8. The method of claim 7, and further comprising allowing, by the network gateway, the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 9. The method of claim 7, and further comprising dropping, by the network gateway, the packet upon expiration of the timer.
  - 10. The method of claim 1, wherein transmitting the copy and the packet and the identifier comprises modifying a header of the packet to include the identifier.
  - 11. The method of claim 4, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying the header of the packet.
  - 12. The method of claim 4, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a body of the packet to remove any material indicative of an attack signature.

13. Logic embodied in a computer-readable medium operable to perform the steps of:
- receiving a packet at a network gateway;
  
  storing the packet and assigning an identifier to the packet;
  
  transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature; and
  
  communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The logic of claim 13, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 15. The logic of claim 13, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 16. The logic of claim 15, wherein the reply message comprises an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 17. The logic of claim 13, wherein the logic is further operable to, in response to the reply message, take an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 18. The logic of claim 13, wherein the logic is further operable to, in response to the reply message, drop the packet and any related packet.
  - 19. The logic of claim 13, wherein the logic is further operable to set a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 20. The logic of claim 19, wherein the logic is further operable to allow the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 21. The logic of claim 19, wherein the logic is further operable to drop the packet upon expiration of the timer.
  - 22. The logic of claim 13, wherein transmitting the copy and the packet and the identifier comprises modifying a header of the packet to include the identifier.
  - 23. The logic of claim 16, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a header of the packet.
  - 24. The logic of claim 16, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a body of the packet to remove any material indicative of an attack signature.

25. A system comprising:
- means for receiving a packet at a network gateway;
  
  means for storing the packet and assigning an identifier to the packet;
  
  means for transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  means for analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature; and
  
  means for communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet.

26. An apparatus, comprising:
- a communication link;
  
  a network gateway operable to;
  
  receive a packet at a network gateway;
  
  store the packet and assign an identifier to the packet; and
  
  transmit a copy of the packet and the identifier from the network gateway to an intrusion detection system; and
  
  the network intrusion detection system coupled to the network gateway by the communication link and operable to;
  
  analyze the copy of the packet to determine whether the packet includes an attack signature; and
  
  communicate a reply message including the identifier from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. The apparatus of claim 26, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 28. The apparatus of claim 26, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 29. The apparatus of claim 28, wherein the reply message comprises an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 30. The apparatus of claim 26, wherein the network gateway is further operable to, in response to the reply message, take an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 31. The apparatus of claim 26, wherein the network gateway is further operable to, in response to the reply message, drop the packet and any related packet.
  - 32. The apparatus of claim 26, wherein the network gateway is further operable to set a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 33. The apparatus of claim 32, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 34. The apparatus of claim 32, wherein the network gateway is further operable to drop the packet from the network gateway upon expiration of the timer.
  - 35. The apparatus of claim 26, wherein the network gateway is further operable to transmit the copy of the packet and the identifier by modifying a header of the packet to include the identifier.
  - 36. The apparatus of claim 29, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network after modifying the packet by modifying a header of the packet.
  - 37. The apparatus of claim 29, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network after modifying the packet by modifying a body of the packet to remove any material indicative of an attack signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Richardson, Aaron S., Cothrell, Scott A.

Granted Patent

US 7,725,938 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Inline intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Inline intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links