Method And System For Network Intrusion Detection, Related Network And Computer Program Product

US 20070214504A1
Filed: 03/30/2004
Published: 09/13/2007
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1-38. -38. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.

Citations

77 Claims

1-38. -38. (canceled)

39. A method of providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols, comprising the steps of:
- monitoring data flows in said network;
  
  detecting information on said application layer protocols involved in said monitored data flows; and
  
  providing intrusion detection on said monitored data flows based on application layer protocols detected.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 77)
- - 40. The method of claim 39, wherein said intrusion detection is provided independently of any predefined association between said network ports and said application layer protocols.
  - 41. The method of claim 39, wherein said step of detecting information on application layer protocols comprises passive observation of network traffic.
  - 42. The method of claim 39, wherein said step of detecting information on application layer protocols comprises using signature-matching techniques.
  - 43. The method of claim 39, wherein said step of detecting information on application layer protocols in said data flows comprises the step of identifying at least one protocol in a given data flow.
  - 44. The method of claim 39, wherein said step of providing intrusion detection comprises signature-based detection of misuse by matching at least one of a given data packet and data flow regardless of the service ports involved, based on said information on application layer protocols.
  - 45. The method of claim 39, comprising providing intrusion detection based on a plurality of predefined sets of analysis tasks and misuse signatures for a plurality of said protocols, and comprises selecting out of said plurality a set related to at least one protocol in a given data flow and at least one of the steps of:
    - performing over said data flow the selected set of analysis tasks; and
      
      performing signature matching over said data flow against the selected set of misuse signatures.
  - 46. The method of claim 39, wherein said steps of detecting information on application layer protocols and providing intrusion detection are performed within the same functional module and employing the same functional blocks of packet capture, preprocessing and signature matching.
  - 47. The method of claims 42, wherein said signature-matching is performed by comparing monitored traffic with a set of protocol detection signatures having the following characteristics:
    - the set of signatures is specified in a language similar to the signature language used to specify misuse signatures in said network intrusion detection system, and each said signature specifies a respective protocol that is detected if the signature is triggered.
  - 48. The method of claim 47, wherein each said signature is designed to attempt to match a pattern that is unique to a given protocol and at the same time is frequently used in said protocol.
  - 49. The method of claim 47, comprising the step of using at least one of the signatures identifying behavior frequently present in server responses and signatures identifying common client request-server reply behavior.
  - 50. The method of claim 47, comprising leaving out signatures exclusively matching a pattern in client behavior.
  - 51. The method of claim 39, wherein said step of detecting information on application layer protocols involved in said data flows comprises characterizing and classifying data flows related to each server application in said network.
  - 52. The method of claim 51, wherein said step of characterizing and classifying data flows comprises monitoring features from the group of:
    - packet size, packet arrival times, TCP flags and header information.
  - 53. The method of claim 51, wherein said step of characterizing and classifying data flows comprises classifying data flows and services into a number of flow classes.
  - 54. The method of claim 51, wherein said step of characterizing and classifying data flows comprises at least one of discriminating between interactive and non-interactive traffic and identifying specific protocols.
  - 55. The method of claim 39, wherein said step of detecting information on application layer protocols in said data flows comprises producing a map of associations between application layer protocols and network ports present in said network, and said step of providing intrusion detection is performed on said associated network ports.
  - 56. The method of claim 39, wherein said step of providing intrusion detection based on said information on application layer protocols comprises the steps of:
    - establishing a network policy, and generating a security event whenever a protocol is detected in violation of said network policy.
  - 77. A computer program product loadable in the memory of at least one computer and comprising software code portions capable of performing the steps of claim 39, when the product is run on a computer.

57. A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols, comprising:
- a monitoring module configured for monitoring data flows in said network;
  
  a protocol identification engine configured for detecting information on application layer protocols in said monitored data flows; and
  
  an intrusion detection module designed for operating on said monitored data flows based on said information on application layer protocols detected.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 58. The system of claim 57, wherein said intrusion detection module operates independently of any predefined association between said network ports and said application layer protocols.
  - 59. The system of claim 57, wherein said monitoring module is a module configured for passive observation of network traffic.
  - 60. The system of claim 59, wherein said module is a sniffer.
  - 61. The system of claim 57, wherein said protocol identification engine comprises a signature-matching feature.
  - 62. The system of claim 57, wherein said protocol identification engine is configured for detecting information on application layer protocols in said data flows by identifying at least one protocol in a given data flow.
  - 63. The system of claim 57, wherein said intrusion detection module is configured for providing intrusion detection by signature-based detection of misuse by matching at least one of a given data packet and data flow regardless of the service ports involved, based on said information on application layer protocols.
  - 64. The system of claim 57, wherein said intrusion detection module is configured for providing intrusion detection based on a plurality of predefined sets of analysis tasks and misuse signatures for a plurality of said protocols, said intrusion detection module being further configured for selecting out of said plurality a set related to at least one protocol in a given data flow and carrying out at least one of the steps of:
    - performing over said data flow the selected set of analysis tasks, and performing signature matching over said data flow against the selected set of misuse signatures.
  - 65. The system of claim 57, wherein said protocol identification engine and said intrusion detection module are integrated to a common functional module and employ a common set of functional blocks of packet capture, preprocessing and signature matching.
  - 66. The system of claim 61, comprising a configuration for performing said signature-matching by comparing monitored traffic with a set of protocol detection signatures having the following characteristics:
    - the set of signatures is specified in a language similar to the signature language used to specify misuse signatures in said network intrusion detection system, and each said signature specifies a respective protocol that is detected if the signature is triggered.
  - 67. The system of claim 66, wherein each said signature is designed to attempt to match a pattern that is unique to a given protocol and at the same time is frequently used in said protocol.
  - 68. The system of claim 66, comprising a configuration for using at least one of the signatures identifying behavior frequently present in server responses and signatures identifying common client request-server reply behavior.
  - 69. The system of claim 66, comprising a configuration for leaving out signatures exclusively matching a pattern in client behavior.
  - 70. The system of claim 57, wherein said protocol identification engine is configured for detecting information on application layer protocols in said data flows by characterizing and classifying data flows related to each server application in said network.
  - 71. The system of claim 70, wherein said protocol identification engine is configured for monitoring features from the group of:
    - packet size, packet arrival times, TCP flags and header information.
  - 72. The system of claim 70, wherein said protocol identification engine is configured for characterizing and classifying data flows by classifying data-flows and services into a number of flow classes.
  - 73. The system of claim 70, wherein said protocol identification engine is configured for characterizing and classifying data by at least one of discriminating between interactive and non-interactive traffic and identifying specific protocols.
  - 74. The system of claim 58, wherein said protocol identification engine is configured for producing a map of associations between application layer protocols and network ports present in said network, and said intrusion detection module provides intrusion detection on said associated network ports.
  - 75. The system of claim 57, wherein said intrusion detection module is configured for:
    - establishing a network policy, and generating a security event whenever a protocol is detected in violation of said network policy.
  - 76. A communication network comprising the system according to claim 57, associated therewith.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
III Holdings 1, LLC (Intellectual Ventures LLC)
Original Assignee
Telecom Italia S.p.A.
Inventors
Abeni, Paolo, Milani Comparetti, Paolo

Granted Patent

US 8,042,182 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Method And System For Network Intrusion Detection, Related Network And Computer Program Product

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

77 Claims

Specification

Solutions

Use Cases

Quick Links

Method And System For Network Intrusion Detection, Related Network And Computer Program Product

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

77 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links