Multi-Stage Deep Packet Inspection for Lightweight Devices
Abstract
A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.
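The four-stage pipeline the abstract describes, as an added example in Python that is not code from the patent or its assignee. Three cheap signature stages run on the device in a configurable order; any hit escalates the packet to a verification facility that holds the database the device cannot carry. Everything here is constructed for illustration: the `Inspector` and `VerificationFacility` classes, the signature set, the hash table and allowlist, the hosts and the sample packets. The EICAR test string and the BitTorrent handshake prefix are real, publicly documented byte patterns used as stand-ins for vendor signatures.

```python
import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Sequence, Set, Tuple

class Stage(Enum):
    """The three cheap on-device stages the abstract names."""
    WORM_VIRUS = "worm/virus"
    APPLICATION = "application"
    INTRUSION = "intrusion"

@dataclass(frozen=True)
class Packet:
    src: str          # source host; used only by the facility's allowlist
    dport: int        # destination port, the one header field inspected here
    payload: bytes

@dataclass(frozen=True)
class Signature:
    stage: Stage
    name: str
    pattern: "re.Pattern[bytes]"   # searched over the payload
    dport: Optional[int] = None    # optional header constraint

# Real, publicly documented byte patterns standing in for vendor signatures.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# Constructed sample of a known intrusion packet (directory traversal).
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.0\r\n"

# Constructed signature set (hypothetical): one signature per stage.
SIGNATURES: List[Signature] = [
    Signature(Stage.WORM_VIRUS, "eicar-test-file", re.compile(re.escape(EICAR))),
    Signature(Stage.APPLICATION, "bittorrent-handshake", re.compile(re.escape(BT_HANDSHAKE))),
    Signature(Stage.INTRUSION, "http-path-traversal", re.compile(rb"GET /[^ ]*\.\./"), dport=80),
]

class VerificationFacility:
    """Stage 4 of the abstract, the server plus database (constructed here).
    It holds what the device cannot: confirmed-malicious payload hashes and
    an allowlist of hosts permitted to send test samples."""

    def __init__(self, confirmed: Dict[str, str], allowed_sources: Set[str]):
        self.confirmed = confirmed              # sha256 hexdigest -> threat name
        self.allowed_sources = allowed_sources

    def verify(self, pkt: Packet, hits: Sequence[Tuple[Stage, str]]) -> str:
        digest = hashlib.sha256(pkt.payload).hexdigest()
        if digest in self.confirmed:
            return "confirmed:" + self.confirmed[digest]
        if pkt.src in self.allowed_sources:
            return "benign"      # known false positive, e.g. AV test traffic
        # Flagged on-device but not yet in the database: keep the stage hits.
        return "suspect:" + ",".join(name for _, name in hits)

class Inspector:
    """Stages 1-3 on the device; stage 4 by escalation to the facility."""

    def __init__(self, signatures: Sequence[Signature], facility: VerificationFacility,
                 order: Sequence[Stage] = (Stage.WORM_VIRUS, Stage.APPLICATION, Stage.INTRUSION),
                 short_circuit: bool = False):
        self.by_stage: Dict[Stage, List[Signature]] = {s: [] for s in Stage}
        for sig in signatures:
            self.by_stage[sig.stage].append(sig)
        self.facility = facility
        self.order = tuple(order)             # the abstract permits any order
        self.short_circuit = short_circuit    # stop at the first hit to save CPU

    def inspect(self, pkt: Packet) -> Tuple[List[Tuple[Stage, str]], str]:
        hits: List[Tuple[Stage, str]] = []
        for stage in self.order:
            for sig in self.by_stage[stage]:
                if sig.dport is not None and sig.dport != pkt.dport:
                    continue                  # cheap header check before payload scan
                if sig.pattern.search(pkt.payload):
                    hits.append((stage, sig.name))
                    break                     # one hit per stage suffices to flag
            if hits and self.short_circuit:
                break
        # Stage 4: only flagged packets leave the device.
        verdict = self.facility.verify(pkt, hits) if hits else "pass"
        return hits, verdict

FACILITY = VerificationFacility(
    confirmed={hashlib.sha256(TRAVERSAL).hexdigest(): "http-path-traversal"},
    allowed_sources={"10.0.0.5"},             # hypothetical AV test host
)
INSPECTOR = Inspector(SIGNATURES, FACILITY)

if __name__ == "__main__":
    for pkt in [Packet("10.0.0.5", 25, EICAR), Packet("10.0.0.9", 80, TRAVERSAL),
                Packet("10.0.0.7", 6881, BT_HANDSHAKE + bytes(48))]:
        print(pkt.src, pkt.dport, INSPECTOR.inspect(pkt))
```

Two points the abstract leaves implicit show up in the code. Stage order only changes the result when `short_circuit` is set, which is the trade a lightweight device would make to save CPU at the cost of reporting a single hit. And because the flagged packet itself is shipped off-device, the path to the verification facility is part of the attack surface: it should be authenticated and rate-limited, since anyone who can craft a packet that trips a stage can make the device forward traffic.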
25 Claims
1. A method of inspecting packets to detect an attempt at subverting an information processing system, comprising:
(a) determining if a first signature of a received packet matches a signature of a known worm or virus;
(b) determining if a second signature of the received packet matches a signature of a known application;
(c) determining if a third signature of the received packet matches a signature of a known intrusion packet; and
(d) if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis.
Dependent claims 2-9.
10. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
a device embedded in an information processing component, said embedded device including:
a first processor; and
a first memory in communication with said first processor, said first memory for storing a first plurality of processing instructions for directing said first processor to
(a) determine if a first signature of a received packet matches a signature of a known worm or virus;
(b) determine if a second signature of the received packet matches a signature of a known application;
(c) determine if a third signature of the received packet matches a signature of a known intrusion packet; and
(d) if a match is found in any of the above determinations, send the received packet to a central verification facility for further analysis.
Dependent claims 11-15.
16. A computer program product comprising a computer useable medium having control logic stored therein for causing a computer to detect an attempt at subverting an information processing system, the control logic comprising:
a first computer readable program code means for causing the computer to determine if a first signature of a received packet matches a signature of a known worm or virus;
a second computer readable program code means for causing the computer to determine if a second signature of the received packet matches a signature of a known application;
a third computer readable program code means for causing the computer to determine if a third signature of the received packet matches a signature of a known intrusion packet; and
a fourth computer readable program code means for causing the computer to send the received packet to a central verification facility for further analysis, if a match is found in any of the above determinations.
Dependent claims 17-25.