MONITORING APPARATUS AND METHOD THEREFOR

US 20080301810A1
Filed: 06/03/2008
Published: 12/04/2008
Est. Priority Date: 06/04/2007
Status: Abandoned Application

First Claim

Patent Images

1. A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:

a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;

a data store operably coupled to the pattern matching engine, the data store being arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack; and

an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack;

whereinthe data store is remotely updatable.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine (406), a data store (408) and an alert generator (410, 412). The pattern matching engine (406) is arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream. The data store (408) is operably coupled to the pattern matching engine and the data store (408) is arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack. The alert generator (410, 412) is arranged to generate an alert in response to an identification of the characteristic of the malicious attack. The data store (408) is remotely updatable.

Citations

31 Claims

1. A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
- a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;
  
  a data store operably coupled to the pattern matching engine, the data store being arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack; and
  
  an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack;
  
  whereinthe data store is remotely updatable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. An apparatus as claimed in claim 1, further comprising a data updating entity operably coupled to the data store and arranged to receive a plurality of datagrams comprising replacement identification data.
  - 3. An apparatus as claimed in claim 2, wherein the data updating entity is arranged to store the replacement identification data in place of the identification data.
  - 4. An apparatus as claimed in claim 2, wherein the pattern matching engine is arranged to cease identifying the characteristic of the malicious attack in response to receipt of a datagram of the plurality of datagrams comprising the replacement identification data.
  - 5. An apparatus as claimed in claim 4, wherein the pattern matching engine is arranged to revert to identifying the characteristic of the malicious attack upon confirmed replacement of the identification data with the replacement identification data.
  - 6. An apparatus as claimed in claim 1, further comprising:
    - a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.
  - 7. An apparatus as claimed in claim 6, wherein the sub-channel is arranged to be used for communication of acknowledgement data responsive to a datagram comprising a part of the replacement data.
  - 8. An apparatus as claimed in claim 7, wherein the data updating entity is operably coupled to the sub-channel injector entity and is arranged to generate the acknowledgement data and communicate the acknowledgement data to the sub-channel injector entity.
  - 9. A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in claim 1.
  - 10. An interface card for a network element comprising the processing resource as claimed in claim 9.
  - 11. A communications system comprising the monitoring apparatus as claimed in claim 1.

12. A method of detecting a malicious attack in a communications network, the method comprising:
- receiving a bit stream;
  
  identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;
  
  accessing identification data stored by a data store to enable identification of the characteristic of the malicious attack; and
  
  generating an alert in response to an identification of the characteristic of the malicious attack; and
  
  recognising a received datagram containing replacement identification data indicative of a need to update the data store.
- View Dependent Claims (28)
- - 28. A computer program element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of claim 12.

13. A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
- a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;
  
  an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack; and
  
  an alert processing entity operably coupled to the alert generator, the alert processing entity being arranged to receive the alert constituting alert information and limit communication of the alert information for receipt by an alert information collection unit.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 30, 31)
- - 14. An apparatus as claimed in claim 13, wherein the alert information collection unit is not collocated with the alert processing entity within the topology of the communications network.
  - 15. An apparatus as claimed in claim 13, wherein the alert processing entity is arranged to generate a digest of alert information received in respect of a plurality of alerts generated by the alert generator.
  - 16. An apparatus as claimed in claim 15, wherein the digest comprises one or more of the following parameters:
    - a used port number, a duration of a plurality of packets constituting the malicious attack, an identity of a link being monitored, location of the monitoring apparatus in the communications network, data identifying a type of the characteristic detected, a rate of receipt of datagrams containing a same type of the characteristic detected, a number of sources of datagrams containing the characteristic detected, a number of destinations of datagrams containing the characteristic detected, and/or datagram length.
  - 17. An apparatus as claimed in claim 14, wherein the alert processing unit is arranged to communicate the alert information in response to receipt of multiple receipts of the alert exceeding a predetermined threshold.
  - 18. An apparatus as claimed in claim 13, further comprising:
    - a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.
  - 19. An apparatus as claimed in claim 18, wherein the sub-channel injector is operably coupled to the alert processing entity, the alert processing entity being arranged to use the sub-channel to communicate the alert information.
  - 20. A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in claim 13.
  - 21. An interface card for a network element comprising the processing resource as claimed in claim 20.
  - 22. A communications system comprising the monitoring apparatus as claimed in claim 13, the system further comprising:
    - an alert information collection unit remotely located from the monitoring apparatus at a monitoring station;
      
      whereinthe monitoring station is arranged to communicate instruction data to the monitoring apparatus in response to receipt of the alert information.
  - 23. A system as claimed in claim 22, wherein the instruction data identifies an action to be taken by the monitoring apparatus in relation to the at least one datagram baring the characteristic of the malicious attack.
  - 24. A system as claimed in claim 23, wherein the action at least mitigates and/or neutralises an intended effect of the malicious attack.
  - 25. A system as claimed in claim 22, wherein the response to the receipt of the alert information is automated.
  - 26. A system as claimed in claim 22, wherein the monitoring station is arranged to communicate the alert information to a user, the monitoring station providing the user with freedom to select and initiate communication of the instruction data.
  - 30. An apparatus as claimed in claim 13, wherein the alert information causes the monitoring apparatus to take an action, the action at least mitigating and/or neutralising an intended effect of the malicious attack.
  - 31. An apparatus as claimed in claim 13, wherein the alert information causes the monitoring apparatus to drop a packet relating to the malicious attack.

27. A method of detecting a malicious attack in a communications network, the method comprising:
- receiving a bit stream;
  
  identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream;
  
  generating an alert in response to an identification of the characteristic of the malicious attack;
  
  recognising a received datagram containing replacement identification data indicative of a need to update the data store; and
  
  processing the alert constituting alert information and limiting communication of the alert information for receipt by an alert information collection unit.
- View Dependent Claims (29)
- - 29. A computer program code element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of claim 27.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JDS Uniphase Corporation (Lumentum Holdings Inc.)
Original Assignee
Agilent Technologies, Inc.
Inventors
Lehane, Andrew, Curran-Gray, Martin

Application Number

US12/132,438
Publication Number

US 20080301810A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 2463/146   Tracing the source of attacks

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

MONITORING APPARATUS AND METHOD THEREFOR

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

MONITORING APPARATUS AND METHOD THEREFOR

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links