Parallel intrusion detection sensors with load balancing for high speed networks
Abstract
Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
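To make the architecture in the abstract concrete, here is an added Python simulation; it is not code from the patent or from any assignee's product. It distributes packets to parallel sensors either at a session-based level (a symmetric hash of the session so both directions of a conversation reach the same sensor) or at a packet-based level (round robin). Each sensor reassembles the sessions it is handed and matches single-session signatures on the stream, and forwards packets that may be part of a composite signature to a shared network analyzer that correlates across sessions. The signatures, the login-attempt threshold and the sample traffic are constructed for illustration.

```python
# Added example, not the patent's own code. Simulates session-based vs.
# packet-based load balancing of traffic to parallel IDS sensors, with a
# shared network analyzer for composite (multi-session) signatures.
# All names, signatures and traffic below are constructed.
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def session_key(p: Packet) -> tuple:
    """Direction-independent session identifier: request and reply
    packets of one conversation map to the same key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def choose_sensor(p: Packet, n_sensors: int) -> int:
    """Session-based load balancing: hash the session key so every packet
    of a session, in either direction, lands on the same sensor."""
    digest = hashlib.sha256(repr(session_key(p)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors


# Single-session signatures (constructed), matched against the reassembled
# per-session stream so a pattern split over two packets is still found,
# provided one sensor sees the whole session.
SESSION_SIGNATURES = {"path-traversal": b"/../../"}

# Packets carrying this marker may form part of a composite signature that
# is only visible across sessions (repeated login attempts from one host).
COMPOSITE_MARKER = b"PASS "


class NetworkAnalyzer:
    """Shared analyzer: detects a composite signature from multiple sessions
    (here, one source opening at least `threshold` login sessions)."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.sessions_by_src = defaultdict(set)
        self.alerts = set()

    def receive(self, p: Packet) -> None:
        self.sessions_by_src[p.src].add(session_key(p))
        if len(self.sessions_by_src[p.src]) >= self.threshold:
            self.alerts.add(("password-guessing-across-sessions", p.src))


class Sensor:
    """One parallel sensor: per-session stream reassembly plus signature
    matching on the packets it is handed."""

    def __init__(self, analyzer: NetworkAnalyzer):
        self.analyzer = analyzer
        self.streams = defaultdict(bytes)
        self.alerts = set()

    def inspect(self, p: Packet) -> None:
        key = session_key(p)
        self.streams[key] += p.payload
        for name, pattern in SESSION_SIGNATURES.items():
            if pattern in self.streams[key]:
                self.alerts.add((name, key))
        if COMPOSITE_MARKER in p.payload:
            self.analyzer.receive(p)  # hand off for cross-session analysis


def run(packets, n_sensors: int, session_based: bool = True) -> dict:
    """Feed packets through balancer, sensors and analyzer; return the
    alerts raised at the single-session and composite levels."""
    analyzer = NetworkAnalyzer()
    sensors = [Sensor(analyzer) for _ in range(n_sensors)]
    for i, p in enumerate(packets):
        idx = choose_sensor(p, n_sensors) if session_based else i % n_sensors
        sensors[idx].inspect(p)
    session_alerts = set().union(*(s.alerts for s in sensors))
    return {
        "session_alerts": sorted({name for name, _ in session_alerts}),
        "composite_alerts": sorted(analyzer.alerts),
    }


# Constructed sample traffic: a traversal attempt split over two packets of
# one HTTP session, three separate FTP login sessions from one host, and one
# benign request.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 40001, 80, b"GET /images/.."),
    Packet("10.0.0.5", "192.0.2.10", 40001, 80, b"/../secret HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.20", 51001, 21, b"USER admin\r\nPASS a\r\n"),
    Packet("198.51.100.7", "192.0.2.20", 51002, 21, b"USER admin\r\nPASS b\r\n"),
    Packet("198.51.100.7", "192.0.2.20", 51003, 21, b"USER admin\r\nPASS c\r\n"),
    Packet("10.0.0.9", "192.0.2.10", 40002, 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("session-based:", run(TRAFFIC, 4, session_based=True))
    print("packet-based: ", run(TRAFFIC, 4, session_based=False))
```

With session-based balancing the split traversal pattern is caught by the sensor that owns the session, and the analyzer raises the composite alert from the three login sessions regardless of which sensors saw them. With packet-based (round-robin) balancing the two halves of the traversal land on different sensors and no sensor sees the whole pattern, which is exactly why the abstract pairs packet-based distribution with an additional session analyzer; the composite alert is still raised because cross-session correlation happens in the shared analyzer.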
384 Citations
25 Claims

1. A method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network, comprising the steps of:
- providing a plurality of intrusion detection sensors at a network entry point associated with an internetworking device;
- balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature from multiple sessions to a network analyzer;
- detecting composite signatures delivered to said network analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.
(Dependent claims 2, 3, 4 not shown.)

5. A method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network via a router, comprising the steps of:
- providing a plurality of intrusion detection sensors between said router and a local network;
- balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature from multiple sessions to a network analyzer;
- detecting composite signatures delivered to said network analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.
(Dependent claim 6 not shown.)

7. A method of using a switch to detect unauthorized access on a network as indicated by signature analysis of packet traffic on the network via the switch, comprising the steps of:
- providing a plurality of intrusion detection sensors within said switch;
- balancing the packet load to said sensors, such that said packets are distributed at least at a session-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature from multiple sessions to a network analyzer;
- detecting composite signatures delivered to said network analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.
(Dependent claims 8, 9, 10 not shown.)

11. An intrusion detection system for use with a network router that delivers traffic to a local network, comprising:
- a plurality of intrusion detection sensors connected to a communications link between said router and said local network, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed by said router to said sensors on at least a session-based level; and
- a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to analyze signatures indicated by said packets delivered to it.
(Dependent claim 12 not shown.)

13. An improved switch for providing intrusion detection for switched network traffic, the improvement comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
- a load balancing unit for distributing packets on at least a session-based level to said sensors; and
- a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to detect signatures indicated by said packets delivered to it.
(Dependent claims 14, 15, 16, 17 not shown.)

18. An improved switch for providing intrusion detection for switched network traffic, the improvement comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
- an arbitration bus linking each said sensor for communicating arbitration control signals among said sensors, said arbitration control signals operable to distribute packets to said sensors on at least a session-based level;
- an arbitration circuit associated with each said sensor for generating said arbitration signals; and
- a network analyzer operable to receive packets indicating a composite signature from multiple sessions and to detect signatures indicated by said packets delivered to it.
(Dependent claim 19 not shown.)

20. A method of detecting unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors at a network entry point associated with an internetworking device;
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting a composite signature delivered to said analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.

21. A method of detecting unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors between a router and a local network;
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting a composite signature delivered to said analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.

22. A method of using a switch to detect unauthorized access on a network, comprising the steps of:
- providing a plurality of intrusion detection sensors within said switch;
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting a composite signature delivered to said analyzer;
- using the results of said detecting steps to determine unauthorized access to said network.

23. An intrusion detection system for use with a network router that delivers traffic to a local network, comprising:
- a plurality of intrusion detection sensors connected to a communications link between said router and said local network, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed by said router to said sensors on a packet-based level; and
- an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.

24. A switch for providing intrusion detection for switched network traffic, the switch comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
- a load balancing unit for distributing packets on a packet-based level to said sensors; and
- an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.

25. A switch for providing intrusion detection for switched network traffic, the switch comprising:
- a plurality of intrusion detection sensors integrated within said switch, each said sensor operable to operate in parallel to perform signature analysis on packet traffic distributed within said switch;
- an arbitration bus linking each said sensor for communicating arbitration control signals among said sensors, said arbitration control signals operable to distribute packets to said sensors on a packet-based level;
- an arbitration circuit associated with each said sensor for generating said arbitration signals; and
- an analyzer operable to receive packets indicating a composite signature and to detect a composite signature indicated by said packets received.
Specification