Parallel intrusion detection sensors with load balancing for high speed networks

US 6,578,147 B1
Filed: 01/15/1999
Issued: 06/10/2003
Est. Priority Date: 01/15/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network, comprising the steps of:

providing a plurality of intrusion detection sensors at a network entry point associated with an internetworking device;

balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;

detecting signatures indicated by said packets delivered to said sensors;

delivering packets indicating a composite signature from multiple sessions to a network analyzer;

detecting composite signatures delivered to said network analyzer;

using the results of said detecting steps to determine unauthorized access to said network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).

384 Citations

25 Claims

1. A method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network, comprising the steps of:
- providing a plurality of intrusion detection sensors at a network entry point associated with an internetworking device;
  
  balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature from multiple sessions to a network analyzer;
  
  detecting composite signatures delivered to said network analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein said internetworking device is a router, and wherein said sensors are attached between said router and a local network.
  - 3. The method of claim 1, wherein said internetworking device is a switch, and wherein said sensors are integrated into said switch.
  - 4. The method of claim 1, wherein said balancing step is performed by distributing said packets at a packet-based level, and further comprising the steps of delivering packets indicating a composite signature to a session analyzer and of using said session analyzer to detect signatures indicated by packets delivered to it.

5. A method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network via a router, comprising the steps of:
- providing a plurality of intrusion detection sensors between said router and a local network;
  
  balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature from multiple sessions to a network analyzer;
  
  detecting composite signatures delivered to said network analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein said balancing step is performed by distributing said packets at a packet-based level, and further comprising the steps of delivering packets indicating a composite signature to a session analyzer and of using said session analyzer to detect signatures indicated by packets delivered to it.

7. A method of using a switch to detect unauthorized access on a network as indicated by signature analysis of packet traffic on the network via the switch, comprising the steps of:
- providing a plurality of intrusion detection sensors within said switch;
  
  balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature from multiple sessions to a network analyzer;
  
  detecting composite signatures delivered to said network analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein said balancing step is performed by distributing said packets at a packet-based level, and further comprising the steps of delivering packets indicating a composite signature to a session analyzer and of using said session analyzer to detect signatures indicated by packets delivered to it.
  - 9. The method of claim 7, wherein said balancing step is performed by a load balancing unit of said switch.
  - 10. The method of claim 7, wherein said balancing step is performed by an arbitration circuit at each said sensor and an arbitration control bus linking said sensors.

11. An intrusion detection system for use with a network router that delivers traffic to a local network, comprising:
- a plurality of intrusion detection sensors connected to a communications link between said router and said local network, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed by said router to said sensors on at least a session-based level; and
  
  a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to analyze signatures indicated by said packets delivered to it.
- View Dependent Claims (12)
- - 12. The system of claim 11, wherein said router distributes said packets at a packet-based level, and further comprising a session analyzer that receives packets indicating signatures from different packets of the same session and detects signatures indicated by said packets delivered to it.

13. An improved switch for providing intrusion detection for switched network traffic, the improvement comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
  
  a load balancing unit for distributing packets on at least a session-based level to said sensors; and
  
  a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to detect signatures indicated by said packets delivered to it.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The switch of claim 13, wherein said load balancing unit distributes said packets at a packet-based level, and further comprising a session analyzer that receives packets indicating signatures from different packets of the same session and detects signatures indicated by said packets delivered to it.
  - 15. The switch of claim 13, further comprising a bus that carries network traffic within said switch to ports of said switch and wherein said sensors are directly connected to said bus.
  - 16. The switch of claim 13, wherein said load balancing unit operates by receiving packets and re-transmitting them to said sensors.
  - 17. The switch of claim 13, wherein said load balancing unit operates by delivering control signals to said sensors.

18. An improved switch for providing intrusion detection for switched network traffic, the improvement comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
  
  an arbitration bus linking each said sensor for communicating arbitration control signals among said sensors, said arbitration control signals operable to distribute packets to said sensors on at least a session-based level;
  
  an arbitration circuit associated with each said sensor for generating said arbitration signals; and
  
  a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to detect signatures indicated by said packets delivered to it.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein said arbitration bus distributes said packets at a packet-based level, and further comprising a session analyzer that receives packets indicating signatures from different packets of the same session and detects signatures indicated by said packets delivered to it.

20. A method of detecting unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors at a network entry point associated with an internetworking device;
  
  balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting a composite signature delivered to said analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.

21. A method of detecting unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors between a router and a local network;
  
  balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting a composite signature delivered to said analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.

22. A method of using a switch to detect unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors within said switch;
  
  balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting a composite signature delivered to said analyzer;
  
  using the results of said detecting steps to determine unauthorized access to said network.

23. An intrusion detection system for use with a network router that delivers traffic to a local network, comprising:
- a plurality of intrusion detection sensors connected to a communications link between said router and said local network, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed by said router to said sensors on a packet-based level; and
  
  an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.

24. A switch for providing intrusion detection for switched network traffic, the switch comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
  
  a load balancing unit for distributing packets on a packet-based level to said sensors; and
  
  an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.

25. A switch for providing intrusion detection for switched network traffic, the switch comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
  
  an arbitration bus linking each said sensor for communicating arbitration control signals among said sensors, said arbitration control signals operable to distribute packets to said sensors on a packet-based level;
  
  an arbitration circuit associated with each said sensor for generating said arbitration signals; and
  
  an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Lathem, Gerald S., Shanklin, Steven D.
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
Ha, Leynna

Application Number

US09/232,276
Time in Patent Office

1,607 Days
Field of Search

709/224, 709/223, 709/228, 709/240, 709/242, 709/105, 709/103
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 67/1001 for accessing one among a p...

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

384 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

384 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links