Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session
First Claim
1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:
- (A) identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to a target associated with the segments in a TCP connection;
(B) identifying a baseline timestamp based on a three way handshake in the TCP connection;
(C) monitoring segments in the TCP connection; and
(D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
3 Assignments
0 Petitions
Accused Products
Abstract
A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
-
Citations
20 Claims
-
1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:
-
(A) identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to a target associated with the segments in a TCP connection; (B) identifying a baseline timestamp based on a three way handshake in the TCP connection; (C) monitoring segments in the TCP connection; and (D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer system for detecting or preventing intrusion, comprising:
-
(A) a unit configured to facilitate determining a kind of host associated with a target, in response to an indication of the target in segments in a transmission control protocol (TCP) connection; and (B) a segment filtering unit configured to facilitate identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to the target associated with the segments in the TCP connection, the timestamp policy indicating whether the segments are to be filtered out or retained for the target by comparing the timestamp of the segments to a baseline timestamp, the baseline timestamp being based on a three way handshake in the TCP connection, and providing the segments in the TCP connection if retained. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A computer-readable medium comprising instructions for execution by a computer, the instructions including a computer-implemented method performed in an intrusion detection/prevention system, for analyzing segments in a transmission control protocol (TCP) connection in a communication network, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp and a field for a sequence number, the instructions for implementing:
-
(A) monitoring a plurality of segments in a TCP connection; and (B) filtering the segments in the TCP connection as indicated in a timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp and by evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target relative to the timestamps of prior segments in the sequence according to the sequence numbers. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification