Method and system for adaptive network security using intelligent packet analysis

US 6,499,107 B1
Filed: 12/29/1998
Issued: 12/24/2002
Est. Priority Date: 12/29/1998
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method for adaptive network security using intelligent packet analysis, comprising:

monitoring network data traffic;

analyzing the network data traffic to assess network information;

prioritizing a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network;

wherein the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and

disabling a particular attack signature based upon an assigned priority of the particular attack signature.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for adaptive network security using intelligent packet analysis are provided. The method comprises monitoring network data traffic. The network data traffic is analyzed to assess network information. A plurality of analysis tasks are prioritized based upon the network information. The analysis tasks are to be performed on the monitored network data traffic in order to identify attacks upon the network.

Citations

54 Claims

1. A computer implemented method for adaptive network security using intelligent packet analysis, comprising:
- monitoring network data traffic;
  
  analyzing the network data traffic to assess network information;
  
  prioritizing a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network;
  
  wherein the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and
  
  disabling a particular attack signature based upon an assigned priority of the particular attack signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising disabling a particular analysis task based upon an assigned priority of the particular analysis task.
  - 3. The method of claim 2, further comprising:
4. The method of claim 3, further comprising re-enabling the particular analysis task if the processor utilization drops below a second defined threshold.
5. The method of claim 2, further comprising:
- monitoring memory utilization; and
  
  performing the disabling step if the memory utilization exceeds a third defined threshold.
6. The method of claim 5, further comprising re-enabling the particular analysis task if the memory utilization drops below a fourth defined threshold.
7. The method of claim 1, wherein the prioritizing step comprises:
- determining a probable success of a particular attack upon the network based upon the network information; and
  
  assigning a priority to the particular analysis task intended to detect the particular attack.
8. The method of claim 1, further comprising:
- comparing the network information to existing network information to determine updated network information; and
  
  repeating the prioritizing step using the updated network information.
9. The method of claim 1, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.
10. The method of claim 1, wherein the analyzing step comprises determining a device coupled to the network.
11. The method of claim 1, wherein the analyzing step comprises determining an operating system of a device coupled to the network.
12. The method of claim 1, wherein the analyzing step comprises determining a service of a device available to the network.
13. The method of claim 1, wherein the analyzing step further comprises identifying a potential vulnerability of a device on the network.
14. The method of claim 1, further comprising maintaining the network information in a network map.
15. The method of claim 1, wherein the plurality of analysis tasks includes protocol analysis on the monitored traffic.
16. The method of claim 15, wherein the plurality of analysis tasks includes checksum verification.
17. The method of claim 15, wherein the plurality of analysis tasks includes IP fragment reassembly.
18. The method of claim 15, wherein the plurality of analysis tasks include TCP stream reassembly.
19. The method of claim 15, wherein the plurality of analysis tasks includes timeout calculations.

20. A computer method for adaptive network security using intelligent packet analysis, comprising:
- monitoring network data traffic;
  
  analyzing the network data traffic to assess network information;
  
  prioritizing a plurality of protocol analyses to be performed on monitored traffic from the network, the protocol analyses for identifying attacks upon the network;
  
  monitoring a processor utilization;
  
  monitoring memory utilization;
  
  disabling a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disabling a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 21. The method of claim 20, wherein the analyzing step comprises determining the existence of a device coupled to the network from a packet of monitored network data traffic.
  - 22. The method of claim 20, wherein the analyzing step comprises determining an operating system running on a device coupled to the network from the monitored network data traffic.
  - 23. The method of claim 20, wherein the analyzing step comprises determining a service of a device coupled to the network from the monitored network data traffic.
  - 24. The method of claim 20, further comprising identifying potential vulnerabilities of each device discovered to be coupled to the network.
  - 25. The method of claim 20, further comprising re-enabling a disabled protocol analysis if the processor utilization drops below a second defined threshold.
  - 26. The method of claim 20, further comprising re-enabling a protocol analysis if the memory utilization drops below a fourth defined threshold.
  - 27. The method of claim 20, wherein the plurality of protocol analyses includes checksum verification.
  - 28. The method of claim 20, wherein the plurality of protocol analyses includes IP fragment reassembly.
  - 29. The method of claim 20, wherein the plurality of protocol analyses includes TCP stream reassembly.
  - 30. The method of claim 20, wherein the plurality of protocol analyses includes timeout calculations.
  - 31. The method of claim 20, further comprising:
32. The method of claim 20, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.

33. A computer implemented method for adaptive network security using intelligent packet analysis, comprising:
- monitoring network data traffic;
  
  analyzing the network data traffic to assess network information;
  
  prioritizing a plurality of comparisons between monitored network data traffic and a plurality attack signatures based upon the network information, the attack signatures for identifying attacks upon the network;
  
  monitoring a processor utilization;
  
  monitoring memory utilization;
  
  disabling a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disabling a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 34. The method of claim 33, wherein the prioritizing step comprises:
35. The method of claim 33, wherein the analyzing step comprises determining the existence of a device coupled to the network from monitored network data traffic.
36. The method of claim 33, wherein the analyzing step comprises determining an operating system type of a device coupled to the network from monitored network data traffic.
37. The method of claim 33, wherein the analyzing step comprises determining a service of a device coupled to the network from a packet monitored network data traffic.
38. The method of claim 33, further comprising identifying potential vulnerabilities of each device discovered to be coupled to the network.
39. The method of claim 33, further comprising re-enabling a disabled comparison if the processor utilization drops below a second defined threshold.
40. The method of claim 33, further comprising re-enabling a disabled comparison if the memory utilization drops below a fourth defined threshold.
41. The method of claim 33, further comprising maintaining the network information in a network map.
42. The method of claim 33, further comprising:
- comparing the network information to existing network information to determine updated network information; and
  
  repeating the prioritizing step using the updated network information.
43. The method of claim 33, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.

44. A system for adaptive network security using intelligent packet analysis, comprising:
- an analysis engine coupled to a network, the analysis engine for analyzing network data traffic to assess network information;
  
  a protocol engine coupled to the network, the protocol engine for performing a plurality of protocol analyses on the network data traffic to identify attacks upon the network;
  
  a signature engine coupled to the network, the signature engine for comparing the network data traffic to a plurality of attack signatures to identify attacks upon the network; and
  
  a priority engine coupled to the analysis engine, the protocol engine, and the signature engine, the priority engine for prioritizing the plurality of protocol analyses and the plurality of attack signatures based upon the network information.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 45. The system of claim 44, further comprising a network map coupled to the analysis engine and the priority engine;
46. The system of claim 44, wherein the priority engine is further operable to disable a particular analysis task based upon an assigned priority of the particular analysis task.
47. The system of claim 44, wherein the priority engine is further operable to:
- monitor a processor utilization; and
  
  disable the particular analysis task if the processor utilization exceeds a first defined threshold.
48. The system of claim 47, wherein the priority engine is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.
49. The system of claim 44, wherein the priority engine is further operable to:
- monitor memory utilization; and
  
  disable the particular analysis task if the memory utilization exceeds a third defined threshold.
50. The system of claim 49, wherein the priority engine is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.
51. The system claim 44, wherein the priority engine is further operable to:
- determine a probable success of a particular attack upon the network based upon the network information; and
  
  assign a priority to the particular analysis task intended to detect the particular attack.
52. The system of claim 44, wherein the network information comprises:
- a device coupled to the network;
  
  an operating systems running on the device; and
  
  services available on the device.
53. The system of claim 52, wherein the network information further comprises a potential vulnerability of the device on the network.
54. The system of claim 44, wherein the priority engine is further operable to prioritize a plurality of system services based upon the network information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Systems, Inc., Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wiley, Kevin L., Teal, Daniel M., Gleichauf, Robert E.
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US09/223,071
Time in Patent Office

1,456 Days
Field of Search

713/200, 713/201, 709/223, 709/224, 709/229, 709/225, 709/100, 709/102, 709/103, 709/104, 709/226, 705/8, 705/9
US Class Current

726/23
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/0817   by checking functioning

H04L 43/18   Protocol analysers

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

Method and system for adaptive network security using intelligent packet analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for adaptive network security using intelligent packet analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links