Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

US 20080209518A1
Filed: 02/28/2007
Published: 08/28/2008
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:

(A) identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to a target associated with the segments in a TCP connection;

(B) identifying a baseline timestamp based on a three way handshake in the TCP connection;

(C) monitoring segments in the TCP connection; and

(D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.

Citations

20 Claims

1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:
- (A) identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to a target associated with the segments in a TCP connection;
  
  (B) identifying a baseline timestamp based on a three way handshake in the TCP connection;
  
  (C) monitoring segments in the TCP connection; and
  
  (D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, whereina plurality of targets including the target are provided, a target being associated with a kind of host, respective kinds of hosts being associated with respective timestamp policies;
    - andthe timestamp policy is associated with the kind of host associated with the target.
  - 3. The method according to claim 1, wherein the timestamp in the next segment which is received properly according to the timestamp policy becomes the baseline timestamp.
  - 4. The method according to claim 1, wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
  - 5. The method according to claim 1, wherein the monitoring is performed in accordance with a TCP layer.
  - 6. The method according to claim 1, wherein the segments are formatted according to a TCP layer format.
  - 7. The method according to claim 1, wherein the filtering further comprises evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target, relative to the timestamps of prior segments in the sequence.

8. A computer system for detecting or preventing intrusion, comprising:
- (A) a unit configured to facilitate determining a kind of host associated with a target, in response to an indication of the target in segments in a transmission control protocol (TCP) connection; and
  
  (B) a segment filtering unit configured to facilitate identifying a timestamp policy of plural timestamp policies, the timestamp policy corresponding to the target associated with the segments in the TCP connection, the timestamp policy indicating whether the segments are to be filtered out or retained for the target by comparing the timestamp of the segments to a baseline timestamp, the baseline timestamp being based on a three way handshake in the TCP connection, and providing the segments in the TCP connection if retained.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system according to claim 8, further comprising an intrusion detection/prevention unit to detect an intrusion in the segments, wherein the segment filtering unit provides the filtered segments to the intrusion detection/prevention unit.
  - 10. The computer system according to claim 8, further comprising a receiving unit configured to facilitate receiving segments in the TCP connection, wherein the segments are received in accordance with a TCP layer.
  - 11. The computer system according to claim 8, whereina plurality of targets including the target are provided, a target being associated with a kind of host, respective kinds of hosts being associated with respective timestamp policies;
    - andthe timestamp policy which is identified corresponds to the kind of host associated with the target.
  - 12. The computer system according to claim 8, wherein the timestamp in the next segment which is received properly according to the timestamp policy becomes the baseline timestamp.
  - 13. The computer system according to claim 8, wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
  - 14. The computer system according to claim 8, wherein the segment filtering unit is further configured to evaluate sequence numbers identified in the segments to determine whether the timestamp is valid for the target, relative to the timestamps of prior segments in the sequence.

15. A computer-readable medium comprising instructions for execution by a computer, the instructions including a computer-implemented method performed in an intrusion detection/prevention system, for analyzing segments in a transmission control protocol (TCP) connection in a communication network, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp and a field for a sequence number, the instructions for implementing:
- (A) monitoring a plurality of segments in a TCP connection; and
  
  (B) filtering the segments in the TCP connection as indicated in a timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp and by evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target relative to the timestamps of prior segments in the sequence according to the sequence numbers.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium according to claim 15, further comprising instructions for identifying a kind of host associated with the target, and selecting the timestamp policy which is associated with the kind of host from plural timestamp policies associated with respective kinds of hosts.
  - 17. The computer-readable medium according to claim 15, further comprising instructions for setting the baseline timestamp to the timestamp in the next segment which is received properly according to the timestamp policy.
  - 18. The computer-readable medium according to claim 15, further comprising instructions for setting the baseline timestamp to the timestamp in the first TCP segment expected after the handshake if properly received, if the timestamp in the three way handshake is zero.
  - 19. The computer-readable medium according to claim 15, further comprising instructions for setting the baseline timestamp to the timestamp in the three way handshake, if the timestamp in the three way handshake is non-zero.
  - 20. The computer-readable medium according to claim 15, further comprising instructions for receiving the segments in the TCP connection, wherein the segments are received in accordance with a TCP layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Novak, Judy Hollis, Sturges, Steven

Granted Patent

US 8,069,352 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links