Dynamic packet filter utilizing session tracking

US 6,816,455 B2
Filed: 05/09/2001
Issued: 11/09/2004
Est. Priority Date: 05/09/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of filtering an input packet stream, said method comprising the steps of:

establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;

opening a new session upon receipt of a socket not previously stored in said session database;

recognizing a session associated with a received packet in accordance with its associated socket;

establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored the tail and least recently used sessions are stored at the head;

processing the session data corresponding to said received packet in accordance with a plurality of predefined rules to generate processing results; and

deciding whether to allow or deny said received packet in accordance with said processing results.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel and useful dynamic packet filter that can be incorporated in a hardware based firewall suitable for use in portable computing devices such as cellular telephones and wireless connected PDAs adapted to connect to the Internet. The invention performs dynamic packet filtering on packets received over an input packet stream. The dynamic filter checks dynamic protocol behavior using information extracted from the received packet. Sessions are created and stored in a session database to track the state of communications between the source and destination. Recognition of a session is accelerated by use of a hash table to quickly determine the corresponding session record in the session database. Session related data is read from the session database and the received packet is checked against a set of rules to determine whether to allow or deny the packet.

Citations

40 Claims

1. A method of filtering an input packet stream, said method comprising the steps of:
- establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
  
  opening a new session upon receipt of a socket not previously stored in said session database;
  
  recognizing a session associated with a received packet in accordance with its associated socket;
  
  establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored the tail and least recently used sessions are stored at the head;
  
  processing the session data corresponding to said received packet in accordance with a plurality of predefined rules to generate processing results; and
  
  deciding whether to allow or deny said received packet in accordance with said processing results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further comprising the step of updating the contents of said session database in accordance with said processing results.
  - 3. The method according to claim 1, wherein said step of deciding comprises allowing said received packet if said received packet does not violate any of said plurality of predefined rules.
  - 4. The method according to claim 1, wherein said step of deciding comprises denying said received packet if said received packet is in violation of one or more of said plurality of predefined rules.
  - 5. The method according to claim 1, further comprising the step a removing unused sessions from said session database.
  - 6. The method according to claim 1, wherein in the vent said LRU List is full, the session at the head is deleted and a new session is added to the tail.
  - 7. The method according to claim 1, further comprising the step of removing sessions whose associated timestamps have exceeded a predetermined threshold.
  - 8. The method according to claim 1, further comprising the step of establishing a hole table comprising a plurality of records each representing a unique subset of incomplete socket information.
  - 9. The method according to claim 1, wherein said step of opening a new session comprises the steps of:
10. The method according to claim 1, wherein said step of recognizing a session comprises the steps of:
- calculating a hash value on the socket associated with the session to be recognized;
  
  looking up a hash pointer in a hash table using hash result as an index;
  
  retrieving socket data from said session database in accordance with said hush pointer; and
  
  recognizing said session if the retrieved socket matches the socket associated with the received session.
11. The method according to claim 1, wherein said step of processing the session data comprises tracking the state of a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
12. The method according to claim 1, wherein said step of processing the session data comprises tracking the state of a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
13. The method according to claim 1, wherein said step of processing the session data comprises tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.

14. A method of monitoring the state of a communications session, said method comprising the steps of:
- establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
  
  recognizing a session in accordance with a first hash calculation on the socket associated with a received packet;
  
  establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head;
  
  recognizing a hole session in accordance with a second hash calculation on a partial socket associated with said received packet;
  
  reading session data from said session database, said session data associated with either a recognized session or a recognized hole session;
  
  tracking a connection state of said session and checking said state against a plurality of rules to determine whether to allow or deny said received pack; and
  
  writing updated session data back into said session database.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method according to claim 14, wherein said step of determining to allow or deny comprises allowing said received packet if said received packet does not violate any of said plurality of rules.
  - 16. The method according to claim 14, wherein said step of determining to allow or deny comprises denying said received packet if said received packet is in violation of one or more of said plurality of rules.
  - 17. The method according to claim 14, further comprising the step of removing unused sessions from said session database.
  - 18. The method according to claim 14, further comprising the step of removing sessions whose associated timestamps have exceeded a predetermined threshold.
  - 19. The method according to claim 14, wherein said step of opening a new session comprises the steps of:
20. The method according to claim 14, wherein said step of recognizing a session comprises the steps of:
- calculating said first hash value on the socket associated with the session to be recognized;
  
  looking up a hash pointer in a hash table using said first hush result as an index;
  
  retrieving socket data from said session database in accordance with said hash pointer; and
  
  recognizing said session if the retrieved socket matches the socket associated with the received session.
21. The method according to claim 14, wherein said step of recognizing a hole session comprises the steps of:
- calculating said second hash value on said partial socket associated with the session to be recognized;
  
  looking up a hash pointer in a hash table using said second hash result as an index;
  
  retrieving partial socket data from said session database in accordance with said hash pointer; and
  
  recognizing said hole session if the retrieved partial socket matches the partial socket associated with the received session.
22. The method according to claim 14, wherein said step of tracking said connection state comprises tracking a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
23. The method according to claim 14, wherein said step of tracking said connection state comprises tracking a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
24. The method according to claim 14, wherein said step of tracking said connection state comprises tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.

25. A dynamic filter for filtering an input packet stream, comprisingsession database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
- a session recognition module adapted to search said session database for a session whose associated socket matches that of a received packet;
  
  a session management module adapted to maintain said session database including adding, deleting and modifying sessions in said session database, and adapted to establish and maintain a least recently used (LRU) doubly linked list for tracking session use having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head; and
  
  a main filter module operative to track a connection state of the session corresponding to a receive packet and checking said connection state against a plurality of rules to determine whether to allow or deny said received packet.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 26. The dynamic filter according to claim 25, wherein said main filter is adapted to write modified session data back into said session database after the determination is made whether to allow or deny said receive packet.
  - 27. The dynamic filter according to claim 25, wherein said main filter is adapted to allow said received packet if said received packet does not violate any of said plurality of rules.
  - 28. The dynamic filter according to claim 25, wherein said main filter is adapted deny said received packet if said received packet is in violation of one or more of said plurality of rules.
  - 29. The dynamic filter according to claim 25, wherein said session management module is adapted to remove unused sessions from said session database.
  - 30. The dynamic filter according to claim 25, wherein said session management module is adapted to remove sessions whose associated timestamps have exceeded a predetermined threshold.
  - 31. The dynamic filter according to claim 25, further comprising a hole table consisting of a plurality of records each representing a unique subset of incomplete socket information.
  - 32. The dynamic filter according to claim 25, wherein said session management module comprises session opening means adapted to:
33. The dynamic filter according to claim 25, wherein said session recognition module comprises means adapted to:
- calculate a hash value on the socket associated with the session to be recognized;
  
  look up a hash pointer in a hash table using hash result as an index;
  
  retrieve socket data from said session database in accordance with said hash pointer; and
  
  recognize said session if the retrieved socket matches the socket associated with the received session.
34. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the state of a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
35. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the state of a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
36. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.
37. The dynamic filter according to claim 25, wherein said dynamic filter is implemented in a field programmable gate array (FPGA).
38. The dynamic filter according to claim 25, wherein said dynamic filter is implemented in an application specific integrated circuit (ASIC).

39. A digital computing apparatus, comprising:
- communication means adapted to connect said apparatus to a wide area network (WAN);
  
  memory means comprising volatile and non-volatile memory, said non-volatile memory adapted to store one or more application programs;
  
  a processor coupled to said memory means and said communication means for executing said one or more application programs; and
  
  a dynamic packet filter for filtering an input packet stream, comprising;
  
  a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
  
  a session recognition module adapted to search said session database for a session whose associated socket matches that of a received packet;
  
  a session management module adapted to both maintain said session database including adding, deleting and modifying sessions in said session database and to establish and maintain a least recently used (LRU) doubly linked list for tracking session use having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head; and
  
  a main filter module operative to track a connection state of the session corresponding to a receive packet and checking said connection state against a plurality of rules to determine whether to allow or deny said received packet.

40. A computer readable storage medium having a computer program embodied thereon for causing a suitably programmed system to search for a plurality of strings by performing the following steps when such program is executed on said system;
- establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
  
  opening a new session upon receipt of a socket not previously stored in said session database;
  
  recognizing a session associated with a received packet in accordance with its associated socket;
  
  establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head;
  
  processing the session data corresponding to said received packet in accordance with a plurality of predefined rules to generate processing results; and
  
  deciding whether to allow or deny said received packet in accordance with said processing results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Zezak, Moshe, Daniely, Gady, Goldberg, Ronen, Shohat, Drory
Primary Examiner(s)
Hsu, Alpus H.
Assistant Examiner(s)
RYMAN, DANIEL J

Application Number

US09/851,768
Publication Number

US 20040013112A1
Time in Patent Office

1,280 Days
Field of Search

709/224-225, 709/238, 709/227, 713/201, 713/152, 370/389, 370/230, 370/401, 711/118
US Class Current

370/230
CPC Class Codes

H04L 63/0254 Stateful filtering

Dynamic packet filter utilizing session tracking

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic packet filter utilizing session tracking

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links