Device, system and method for analysis of fragments in a transmission control protocol (TCP) session

US 20080037587A1
Filed: 08/10/2006
Published: 02/14/2008
Est. Priority Date: 08/10/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed in an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:

(A) monitoring a plurality of segments in a transmission; and

(B) reassembling data in the segments in the transmission in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

Citations

24 Claims

1. A method performed in an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
- (A) monitoring a plurality of segments in a transmission; and
  
  (B) reassembling data in the segments in the transmission in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, where there are provided plural segment reassembly policies including the segment reassembly policy, wherein the segment reassembly policy corresponds to a destination associated with the segments in the transmission.
  - 3. The method according to claim 2, whereina plurality of destinations including the destination are provided, a destination being associated with a kind of host, respective kinds of host being associated with respective segment reassembly policies, andthe segment reassembly policy is associated with the kind of host associated with the destination.
  - 4. The method according to claim 1, wherein the segment reassembly policy includes evaluating an urgent indication in the segments.
  - 5. The method according to claim 1, wherein the monitoring is performed in accordance with a TCP layer.
  - 6. The method according to claim 1, wherein the segments are formatted according to a TCP layer format.
  - 7. The method according to claim 1, whereinthe segments can be one of non-overlapped, comprehensively overlapped, partially overlapped, and completely overlapped.

8. A computer-readable medium comprising instructions for execution by a computer, the instructions including a computer-implemented method for analyzing segments in a transmission in a communication network, a transmission including a plurality of segments in the same transmission control protocol (TCP) session and associated with the same destination, where segments can be one of non-overlapped, partially overlapped, and completely overlapped, the instructions for implementing:
- (A) identifying at least one segment reassembly policy of plural segment reassembly policies, the at least one segment reassembly policy corresponding to a destination associated with segments in a transmission; and
  
  (B) providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, the at least one segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium according to claim 8, further comprising instructions for:
    - reassembling the segments in the order indicated by the at least one segment reassembly policy; and
      
      providing the reassembled segments to an intrusion detection/protection system.
  - 10. The computer-readable medium according to claim 8, further comprising instructions for receiving the segments in the session, whereinthe receiving is performed in accordance with a TCP layer, andthe providing data in the segments includes applying the TCP layer format to the segments.
  - 11. The computer-readable medium according to claim 8, whereina plurality of destinations including the destination are provided, a destination being associated with a kind of host, respective kinds of host being associated with respective segment reassembly policies, andthe at least one segment reassembly policy which is identified is associated with the kind of host associated with the destination.
  - 12. The computer-readable medium according to claim 8, wherein the at least one segment reassembly policy includes evaluating an urgent indication in the segments.
  - 13. A computer system configured with the computer-readable medium of claim 8.
  - 14. A communication network comprising at least one computer system configured with the computer-readable medium of claim 8.

15. A computer system for at least one of detecting and preventing intrusion, comprising:
- (A) a unit configured to facilitate determining a kind of host associated with a destination, in response to an indication of the destination in segments in a transmission control protocol (TCP) session;
  
  (B) a segment reassembly unit configured to facilitate identifying at least one segment reassembly policy of plural segment reassembly policies, the at least one segment reassembly policy corresponding to the kind of host associated with the segments in the transmission; and
  
  (C) an order providing unit configured to facilitate providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The computer system according to claim 15, further comprising a reassembler to reassemble the segments in the order indicated by the at least one segment reassembly policy.
  - 17. The computer system according to claim 16, further comprising an intrusion detection/prevention unit to detect an intrusion in the reassembled segments, whereinthe reassembler provides the reassembled segments to the intrusion detection/prevention unit.
  - 18. The computer system according to claim 15, further comprising a receiving unit configured to facilitate receiving segments in the transmission, whereinthe segments are received in accordance with a TCP layer.
  - 19. The computer system according to claim 15, wherein the order providing unit further determines the order of the data in the segments according to a TCP layer format.
  - 20. The computer system according to claim 15, wherein the destination is indicated as a destination address and destination port in the segments.
  - 21. The computer system according to claim 15, whereina plurality of destinations including the destination are provided, a destination being associated with a kind of host, respective kinds of host corresponding to respective segment reassembly policies, andthe at least one segment reassembly policy which is identified corresponds to the kind of host associated with the destination.
  - 22. The computer system according to claim 15, whereinthe segments can be one of non-overlapped, partially overlapped, comprehensively overlapped, and completely overlapped,and the segment reassembly policy indicates an order specific to at least comprehensively overlapped segments.
  - 23. The computer system according to claim 15, wherein the segment reassembly policy includes evaluating an urgent indication in the segments.

24. A method performed in an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
- (A) monitoring a plurality of segments in a transmission; and
  
  (B) reassembling data in the segments in the transmission in an order indicated by a segment reassembly policy, the segment reassembly policy including an evaluation of an urgent indication in the segments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Novak, Judy Hollis, Roesch, Martin Frederick, Sturges, Steven

Granted Patent

US 7,701,945 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/474
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04L 69/16   Implementation or adaptatio...

H04L 69/166   IP fragmentation; TCP segme...

Device, system and method for analysis of fragments in a transmission control protocol (TCP) session

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for analysis of fragments in a transmission control protocol (TCP) session

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links