NETWORK INTRUSION DETECTION APPARATUS
First Claim
1. A system of intrusion detection in a network comprising:
- a flow processing facility that is configured to detect and process intrusions in network data flowing through the facility, the facility comprising at least one network processor module having at least one processor, a plurality of network ports for connecting network devices for communicating network data, and instructions to cause the at least one processor to recognize one or more data packets in the network data that contain data, including profile information, for processing by an application executing on the flow processing facility by applying a policy to the data, and directing a portion of the network data to at least one flow processor module for executing the application based on the profile information and the policy;
the at least one flow processor module having at least one processor and at least one memory for storing the application for execution by the at least one flow processor module processor, the at least one flow processor module including instructions to receive the portion of the network data from the at least one network processor module, to process the data in the one or more data packets for detecting intrusions, thereby providing one or more data packets with processed data, and to return the one or more data packets with processed data to the at least one network processor module for facilitating prevention of a detected intrusion from being propagated to the network; and
at least one control processor module in communication with the at least one flow processor module and the at least one network processor module, and having at least one control processor module processor, and instructions for causing the at least one control processor module processor to manage the applications in the flow processor module memories.
13 Assignments
0 Petitions
Abstract
A method and system for distributing flows among multiple processors. The flows can be received from an external source, such as a network, by a front-end processor that recognizes the flow and the associated request and identifies at least one internal applications processor to process the request/flow. The front-end processor utilizes a flow scheduling vector related to the identified applications processor(s), and the flow scheduling vector can be based on intrinsic data from the applications processor(s), which can include CPU utilization, memory utilization, packet loss, and queue length or buffer occupation. In some embodiments, applications processors can be understood to belong to a group, wherein applications processors within a group can be configured identically. A flow scheduling vector can be computed for each of the different applications processor groups.
62 Citations
17 Claims
1. A system of intrusion detection in a network (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of intrusion detection in a network, comprising:
- providing a flow processing facility in-line in a network;
- configuring the flow processing facility to detect intrusions received by the flow processing facility by recognizing with a network processor module of the flow processing facility one or more data packets in a data flow that contain data, including profile information, for processing by an application executing on the flow processing facility by applying a policy to the data;
- directing the one or more data packets associated with a data flow that includes detected intrusions from the network processor module to at least one application processor module, based on the profile information and the policy, to process the data thereby providing one or more data packets with processed data; and
- executing the application on the at least one application processor module, thereby taking an action on the one or more data packets with processed data such that the data flow of the detected intrusion is not propagated to the network.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.