System and method for network intrusion detection of covert channels based on off-line network traffic
First Claim
1. A system for network intrusion detection, comprising:
- one or more servers configured to receive off-line network traffic, said off-line network traffic having a predefined format capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures, wherein each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection; and
- a plurality of covert channel processors configured to analyze said off-line network traffic, said analysis comprising determining whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures.
Abstract
A network intrusion detection system and method is configured to receive off-line network traffic. The off-line network traffic, in a predefined format (a PCAP file), is capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures. Each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection. A plurality of covert channel processors are configured to analyze the off-line network traffic. The analysis determines whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures. The covert channels are employed in at least one standard layer of the standard protocol stack, and the off-line network traffic comprises at least one standard protocol stack having multiple standard layers.
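As an added illustration (not code from the patent or from any product it covers), the following Python reads a classic PCAP file of raw IPv4 packets and applies two hypothetical covert channel signatures of the kind the claims describe, each flagging a deviation from the standard protocol at the IP or TCP layer; the pcap writer, packet builder, signature names and sample capture are all constructed here for the example.

```python
import struct
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap magic when read little-endian
LINKTYPE_RAW = 101          # packets start at the IPv4 header (no link layer)

def build_ipv4_tcp(ip_flags_word, tcp_flags, urg_ptr, payload=b""):
    # Constructed IPv4+TCP packet for the sample capture (checksums left 0).
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags,
                      65535, 0, urg_ptr) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, ip_flags_word,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp

def build_pcap(packets):
    # Wrap raw IPv4 packets in a little-endian classic pcap (constructed).
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(p), len(p)) + p
                          for i, p in enumerate(packets))

def iter_pcap(data):
    # Yield each packet's bytes from a classic pcap, honouring its byte order.
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_RAW:
        raise ValueError("example only handles LINKTYPE_RAW captures")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def scan_pcap(data):
    # Apply two hypothetical protocol-deviation signatures to every packet.
    findings = []
    for idx, pkt in enumerate(iter_pcap(data)):
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        # RFC 791: the reserved (first) bit of the IPv4 flags field must be zero.
        if struct.unpack("!H", pkt[6:8])[0] & 0x8000:
            findings.append((idx, "ipv4-reserved-flag-set"))
        if pkt[9] == 6 and len(pkt) >= ihl + 20:
            tcp_flags, urg_ptr = pkt[ihl + 13], struct.unpack("!H", pkt[ihl + 18:ihl + 20])[0]
            # RFC 793: the urgent pointer is only meaningful when URG (0x20) is set.
            if urg_ptr and not tcp_flags & 0x20:
                findings.append((idx, "tcp-urgent-pointer-without-urg"))
    return findings

# Constructed sample: clean SYN; reserved bit set; PSH/ACK carrying an urgent pointer with URG clear.
SAMPLE_PCAP = build_pcap([build_ipv4_tcp(0x4000, 0x02, 0),
                          build_ipv4_tcp(0xC000, 0x10, 0),
                          build_ipv4_tcp(0x4000, 0x18, 0x1234, b"data")])
```

Each finding is a (packet index, signature name) pair, so a real deployment would map the index back to the record's timestamp and addresses for triage.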
18 Claims
1. The system claim reproduced above under First Claim; dependent claims 2 through 9 depend from it.
10. A method for network intrusion detection, comprising:
- receiving off-line network traffic, said off-line network traffic having a predefined format capable of indicating existence of a plurality of covert channels associated with a corresponding plurality of covert channel signatures, wherein each covert channel comprises a tool that communicates messages by deviating from a standard protocol to avoid detection; and
- determining whether the off-line network traffic deviates from the standard protocol based on one or more covert channel signatures.
Dependent claims 11 through 18 depend from claim 10.