FACILITATING A USER TO DETECT DESIRED ANOMALIES IN DATA FLOWS OF NETWORKS

US 20070043851A1
Filed: 08/16/2005
Published: 02/22/2007
Est. Priority Date: 08/16/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting anomalous packets received according to a protocol having a definition of permissible sequences of packets, said method being performed in a device, said method comprising:

enabling a user to specify said permissible sequences of packets as a configurable data;

receiving a plurality of packets according to said protocol;

determining whether said plurality of packets are consistent with said definition of permissible sequences; and

concluding that an anomaly is detected if said plurality of packets are not consistent with said definition of permissible sequences specified as said configurable data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection system in which a user can indicate the permissible sequences of packets (e.g., by virtue of a state transition table), and the detection system detects packets which are inconsistent with such permissible sequences. As a result, all anomalies (which are inconsistent with the user specified normal behavior) may be reliably detected.

Citations

16 Claims

1. A method of detecting anomalous packets received according to a protocol having a definition of permissible sequences of packets, said method being performed in a device, said method comprising:
- enabling a user to specify said permissible sequences of packets as a configurable data;
  
  receiving a plurality of packets according to said protocol;
  
  determining whether said plurality of packets are consistent with said definition of permissible sequences; and
  
  concluding that an anomaly is detected if said plurality of packets are not consistent with said definition of permissible sequences specified as said configurable data.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein said protocol comprises an application layer protocol.
  - 3. The method of claim 1, wherein said configurable data represents a state machine containing a set of states, permissible packet content in each state, and a next state corresponding to each permissible content for a state, wherein said packet content is defined to be contained in packets received by said device.

4. A method of processing packets in a device, said method comprising:
- enabling a user to provide data indicating a plurality of acceptable states for a protocol, a set of acceptable inputs at each of said plurality of acceptable states, and a next state corresponding to a combination of a first acceptable state and a corresponding input, wherein said next state and said corresponding input are respectively comprised in said plurality of acceptable states and said set of acceptable inputs, and each acceptable input corresponds to a packet according to said protocol with a corresponding content;
  
  receiving a first packet according to said protocol when in a present state, wherein said present state is contained in said plurality of acceptable states;
  
  examining the content of said first packet to determine whether the content of said first packet forms an acceptable input for said present state; and
  
  determining that receiving said first packet is an anomaly if the content of said first packet does not form said acceptable input for said present state.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 5. The method of claim 4, wherein said configurable data is provided in a configuration file.
  - 6. The method of claim 4, further comprising enabling said user to specify a desired action when said anomaly is determined.
  - 7. The method of claim 6, wherein said action comprises logging information related to said first packet and said present state in a log.
  - 8. The method of claim 6, wherein said device comprises a switch, wherein said desired action comprising dropping said first packet.
  - 9. The method of claim 8, further comprising forwarding said first packet if said anomaly is determined not to be present.
  - 10. The method of claim 4, wherein said configuration data contains an offset value and a content value, wherein said examining compares data in said first packet at said offset value with said content value to determine whether said anomaly is present.
  - 11. The method of claim 10, wherein said configuration data contains a user defined program logic to determine the data in said first packet to be compared if said first packet is defined according to a format by which the location of desired fields vary.
  - 12. The method of claim 10, wherein said configuration data specifies a time out duration, a second action and a count associated with a second state, wherein said second action is performed if said second state is reached count number of times.
  - 13. The method of claim 4, further comprising:
    - setting said present state to equal a next state corresponding to the combination of said present state and said content of said first packet if the content of said first packet forms said acceptable input; and
      
      performing said receiving, said examining and said determining.
  - 14. The method of claim 4, wherein said protocol comprises an application layer protocol.

15. A computer readable medium carrying one or more sequences of instructions for causing a network device to detect anomalous packets received according to a protocol having a definition of permissible sequences of packets, wherein execution of said one or more sequences of instructions by a plurality of processors contained in said network device causes said one or more processors to perform the actions of:
- enabling a user to specify said permissible sequences of packets as a configurable data;
  
  receiving a plurality of packets according to said protocol;
  
  determining whether said plurality of packets are consistent with said definition of permissible sequences; and
  
  concluding that an anomaly is detected if said plurality of packets are not consistent with said definition of permissible sequences specified as said configurable data.
- View Dependent Claims (16)
- - 16. The computer readable medium of claim 15, wherein said configurable data represents a state machine containing a set of states, permissible packet content in each state, and a next state corresponding to each permissible content for a state, wherein said packet content is defined to be contained in packets received by said device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel USA Marketing Incorporated (Nokia Corporation)
Original Assignee
NetDevices, Inc (Nokia Corporation)
Inventors
Pote, Parag, Yellamraju, Venkata Siva

Application Number

US11/161,759
Publication Number

US 20070043851A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

FACILITATING A USER TO DETECT DESIRED ANOMALIES IN DATA FLOWS OF NETWORKS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

FACILITATING A USER TO DETECT DESIRED ANOMALIES IN DATA FLOWS OF NETWORKS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links