Multi-Stage Deep Packet Inspection for Lightweight Devices

US 20080313738A1
Filed: 10/12/2007
Published: 12/18/2008
Est. Priority Date: 06/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method of inspecting packets to detect an attempt at subverting an information processing system, comprising:

(a) determining if a first signature of a received packet matches a signature of a known worm or virus;

(b) determining if a second signature of the received packet matches a signature of a known application;

(c) determining if a third signature of the received packet matches a signature of a known intrusion packet; and

(d) if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.

Citations

25 Claims

1. A method of inspecting packets to detect an attempt at subverting an information processing system, comprising:
- (a) determining if a first signature of a received packet matches a signature of a known worm or virus;
  
  (b) determining if a second signature of the received packet matches a signature of a known application;
  
  (c) determining if a third signature of the received packet matches a signature of a known intrusion packet; and
  
  (d) if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said steps (a) through (d) are performed in a device embedded in an information processing component.
  - 3. The method of claim 2, wherein said embedded device comprises a cable modem.
  - 4. The method of claim 2, wherein said information processing component comprises a router.
  - 5. The method of claim 1, wherein said step (a) comprises:
    - (i) determining the first signature on the basis of the received packet;
      
      (ii) comparing the first signature to the signature of the known worm or virus; and
      
      (iii) if the first signature is equal to the signature of the known worm or virus, setting an alert flag.
  - 6. The method of claim 1, wherein said step (b) comprises:
    - (i) determining the second signature on the basis of the received packet;
      
      (ii) comparing the second signature to the signature of the known application; and
      
      (iii) if the second signature is equal to the signature of the known application, setting an alert flag.
  - 7. The method of claim 1, wherein said step (c) comprises:
    - (i) determining the third signature on the basis of the received packet;
      
      (ii) comparing the third signature to the signature of the known intrusion packet; and
      
      (iii) if the third signature is equal to the signature of the known intrusion packet, setting an alert flag.
  - 8. The method of claim 1, further comprising:
    - (e) receiving the received packet at the central verification facility;
      
      (f) comparing the received packet to a database entry; and
      
      (g) if the received packet matches the database entry, outputting an indication of the match.
  - 9. The method of claim 1, further comprising:
    - (e) receiving, from the central verification facility, an indication that the received packet matches a database entry; and
      
      (f) responding to the indication.

10. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
- a device embedded in an information processing component, said embedded device including;
  
  a first processor; and
  
  a first memory in communication with said first processor, said first memory for storing a first plurality of processing instructions for directing said first processor to(a) determine if a first signature of a received packet matches a signature of a known worm or virus;
  
  (b) determine if a second signature of the received packet matches a signature of a known application;
  
  (c) determine if a third signature of the received packet matches a signature of a known intrusion packet; and
  
  (d) if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein said embedded device comprises a cable modem.
  - 12. The system of claim 10, wherein said information processing component comprises a router.
  - 13. The system of claim 10, further comprising:
    - a central verification facility in communication with said embedded device, said central verification facility including;
      
      a database;
      
      a second processor in connection with said database; and
      
      a second memory in communication with said second processor, said second memory for storing a second plurality of processing instructions for directing said second processor to;
      
      compare the received packet to a database entry; and
      
      if the received packet matches the database entry, output an indication of the match.
  - 14. The system of claim 13, wherein said central verification facility comprises:
    - a server that comprises said second processor; and
      
      a database, accessible by the server, that stores said database entry.
  - 15. The system of claim 13, wherein said first plurality of processing instructions further directs said first processor to:
    - receive, from the central verification facility, the indication that the received packet matches the database entry; and
      
      respond to the indication.

16. A computer program product comprising a computer useable medium having control logic stored therein for causing a computer to detect an attempt at subverting an information processing system, the control logic comprising:
- a first computer readable program code means for causing the computer to determine if a first signature of a received packet matches a signature of a known worm or virus;
  
  a second computer readable program code means for causing the computer to determine if a second signature of the received packet matches a signature of a known application;
  
  a third computer readable program code means for causing the computer to determine if a third signature of the received packet matches a signature of a known intrusion packet; and
  
  a fourth computer readable program code means for causing the computer to send the received packet to a central verification facility for further analysis, if a match is found in any of the above determinations.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The computer program product of claim 16, wherein the computer is in a device embedded in an information processing component.
  - 18. The computer program product of claim 17, wherein said embedded device comprises a cable modem.
  - 19. The computer program product of claim 16, wherein said first computer readable program code means comprises means for causing the computer to:
    - determine the first signature on a basis of the received packet;
      
      compare the first signature to the signature of the known worm or virus; and
      
      if the first signature is equal to the signature of the known worm or virus, set an alert flag.
  - 20. The computer program product of claim 16, wherein said second computer readable program code means comprises means for causing the computer to:
    - determine the second signature on a basis of the received packet;
      
      compare the second signature to the signature of the known application; and
      
      if the second signature is equal to the signature of the known application, set an alert flag.
  - 21. The computer program product of claim 16, wherein said third computer readable program code means comprises means for causing the computer to:
    - determine the third signature on a basis of the received packet;
      
      compare the third signature to the signature of the known intrusion packet; and
      
      if the third signature is equal to the signature of the known intrusion packet, set an alert flag.
  - 22. The computer program product of claim 16, further comprising:
    - a fifth computer readable program code means for causing the computer to receive, from the central verification facility, an indication that the received packet matches a database entry; and
      
      a sixth computer readable program code means for causing the computer to respond to the indication.
  - 23. The computer program product of claim 22, wherein said sixth computer readable program code means comprises means for terminating a data stream that comprises the received packet.
  - 24. The computer program product of claim 22, wherein said sixth computer readable program code means comprises means for causing the computer to add a source internet protocol (IP) address of the received packet to a blacklist.
  - 25. The computer program product of claim 22, wherein said sixth computer readable program code means comprises means for causing the computer to inform a central monitoring system of a subversion attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Enderby, Russell

Granted Patent

US 7,853,689 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/2115   Third party

H04L 63/1416   Event detection, e.g. attac...

Multi-Stage Deep Packet Inspection for Lightweight Devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-Stage Deep Packet Inspection for Lightweight Devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links