Method and system for adaptive network security using intelligent packet analysis
First Claim
1. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic;
analyze the network data traffic to assess network information;
prioritize a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network, the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and
disable a particular attack signature based upon an assigned priority of the particular attack signature.
Abstract
A method and system for adaptive network security using intelligent packet analysis are provided. The method comprises monitoring network data traffic. The network data traffic is analyzed to assess network information. A plurality of analysis tasks are prioritized based upon the network information. The analysis tasks are to be performed on the monitored network data traffic in order to identify attacks upon the network.
230 Citations
46 Claims
1. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic;
analyze the network data traffic to assess network information;
prioritize a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network, the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and
disable a particular attack signature based upon an assigned priority of the particular attack signature.

monitor a processor utilization; and
disable a particular attack signature based upon an assigned priority of the particular attack signature if the processor utilization exceeds a first defined threshold.

4. The logic of claim 3 further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.

5. The logic of claim 2 further operable to monitor memory utilization, wherein the logic operable to disable a particular analysis task based upon an assigned priority of the particular analysis task comprises the logic operable to disable a particular analysis task based upon an assigned priority of the particular analysis task if the memory utilization exceeds a third defined threshold.

6. The logic of claim 5 further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.

7. The logic of claim 1, wherein the logic operable to prioritize a plurality of analysis tasks based upon the network information comprises the logic operable to:
determine a probable success of a particular attack upon the network based upon the network information; and
assign a priority to the particular analysis task intended to detect the particular attack.

8. The logic of claim 1, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine a device coupled to the network.

9. The logic of claim 1, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine an operating system of a device coupled to the network.

10. The logic of claim 1, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine a service of a device available to the network.

11. The logic of claim 1, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to identify a potential vulnerability of a device on the network.

12. The logic of claim 1 further operable to maintain the network information in a network map.

13. The logic of claim 1, wherein the plurality of analysis tasks includes protocol analysis on the monitored traffic.

14. The logic of claim 13, wherein the plurality of analysis tasks includes checksum verification.

15. The logic of claim 13, wherein the plurality of analysis tasks includes IP fragment reassembly.

16. The logic of claim 13, wherein the plurality of analysis tasks includes TCP stream reassembly.

17. The logic of claim 13, wherein the plurality of analysis tasks includes timeout calculations.

18. The logic of claim 1 further operable to:
compare the network information to existing network information to determine updated network information; and
prioritize the plurality of analysis tasks based upon the updated network information.

19. The logic of claim 1 further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

20. A computer implemented system for adaptive network security using intelligent packet analysis, comprising:
means for monitoring network data traffic;
means for analyzing the network data traffic to assess network information;
means for prioritizing a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network, the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and
means for disabling a particular attack signature based upon an assigned priority of the particular attack signature.

21. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic, the network data traffic comprising packets;
analyze the network data traffic to assess network information;
prioritize a plurality of analysis tasks based upon the network information, the analysis tasks to be performed on the monitored network data traffic in order to identify attacks upon the network, the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures; and
disable a particular attack signature based upon an assigned priority of the particular attack signature.

22. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic;
analyze the network data traffic to assess network information;
prioritize a plurality of protocol analyses to be performed on monitored traffic from the network, the protocol analyses for identifying attacks upon the network;
monitor a processor utilization;
monitor memory utilization;
disable a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disable a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.

compare the network information to existing network information to determine updated network information; and
prioritize the plurality of analysis tasks based upon the updated network information.

34. The logic of claim 22 further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

35. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic;
analyze the network data traffic to assess network information;
prioritize a plurality of comparisons between monitored network data traffic and a plurality of attack signatures based upon the network information, the attack signatures for identifying attacks upon the network;
monitor a processor utilization;
monitor memory utilization;
disable a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disable a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.

determine a likelihood of success of a potential attack based upon the network information; and
prioritize an attack signature of the potential attack according to the determined likelihood of success.

37. The logic of claim 35, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine the existence of a device coupled to the network from monitored network data traffic.

38. The logic of claim 35, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine an operating system type of a device coupled to the network from monitored network data traffic.

39. The logic of claim 35, wherein the logic operable to analyze the network data traffic to assess network information comprises the logic operable to determine a service of a device coupled to the network from a packet of the monitored network data traffic.

40. The logic of claim 35 further operable to identify potential vulnerabilities of each device discovered to be coupled to the network.

41. The logic of claim 35 further operable to re-enable a disabled comparison if the processor utilization drops below a second defined threshold.

42. The logic of claim 35 further operable to re-enable a disabled comparison if the memory utilization drops below a fourth defined threshold.

43. The logic of claim 35 further operable to maintain the network information in a network map.

44. The logic of claim 35 further operable to:
compare the network information to existing network information to determine updated network information; and
prioritize the plurality of analysis tasks based upon the updated network information.

45. The logic of claim 35 further operable to:
prioritize a plurality of system services based upon the network information; and
disable a particular system service based upon an assigned priority of the particular system service.

46. Logic for adaptive network security using intelligent packet analysis, the logic encoded in media and operable to:
monitor network data traffic, the network data traffic comprising packets;
analyze the network data traffic to assess network information;
prioritize a plurality of protocol analyses to be performed on monitored traffic from the network, the protocol analyses for identifying attacks upon the network;
monitor a processor utilization;
monitor memory utilization;
disable a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
disable a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.
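The claims above describe a control loop rather than a specific implementation: build a network map from observed traffic (claims 8 to 12), rank each attack signature by the probable success of the attack it detects against the hosts in that map (claims 7 and 36), shed the lowest-ranked signatures when processor or memory utilization crosses an upper threshold (claims 3, 5, 22, 35), restore them when utilization falls below a distinct lower threshold (claims 4, 6, 41, 42), and re-rank whenever the map changes (claims 18, 33, 44). The following Python is an added illustration of that loop written for this page; it is not code from the patent or from any product that practices it. The `Signature`, `Host` and `AdaptiveScheduler` names, the threshold values, and the byte tokens used as signature patterns are all constructed for the example.

```python
# Added example (not the patent's code): a toy adaptive signature scheduler that
# prioritises signatures from a network map and sheds or restores them on load.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    """An attack signature plus the host profile the attack it detects requires."""
    name: str
    pattern: bytes                        # constructed token standing in for a rule body
    target_os: Optional[str] = None       # None means the attack works against any OS
    target_service: Optional[str] = None  # None means it needs no particular service


@dataclass(frozen=True)
class Host:
    """One entry of the network map (claim 12), learned passively from traffic."""
    ip: str
    os: str
    services: frozenset


class AdaptiveScheduler:
    """Two thresholds per resource give hysteresis: disable above *_high,
    re-enable below *_low, leave the signature set alone in between."""

    def __init__(self, signatures, cpu_high=80.0, cpu_low=60.0,
                 mem_high=85.0, mem_low=70.0):
        self.signatures = {s.name: s for s in signatures}
        self.cpu_high, self.cpu_low = cpu_high, cpu_low
        self.mem_high, self.mem_low = mem_high, mem_low
        self.network_map = {}                               # ip -> Host
        self.priority = {n: 0 for n in self.signatures}
        self.enabled = {n: True for n in self.signatures}

    def observe_host(self, host):
        """Merge an observed host; re-prioritise only if the map changed (claim 18)."""
        if self.network_map.get(host.ip) == host:
            return False
        self.network_map[host.ip] = host
        self.prioritize()
        return True

    def likelihood(self, sig):
        """Probable success of the attack a signature detects (claim 7): how many
        mapped hosts expose the OS and service that attack needs."""
        return sum(
            1 for h in self.network_map.values()
            if (sig.target_os is None or sig.target_os == h.os)
            and (sig.target_service is None or sig.target_service in h.services)
        )

    def prioritize(self):
        for name, sig in self.signatures.items():
            self.priority[name] = self.likelihood(sig)

    def adjust_for_load(self, cpu_pct, mem_pct):
        """One scheduling step. Returns ('disabled', name), ('enabled', name) or None."""
        if cpu_pct > self.cpu_high or mem_pct > self.mem_high:
            on = [n for n, e in self.enabled.items() if e]
            if len(on) > 1:                                 # never shed the last signature
                victim = min(on, key=lambda n: (self.priority[n], n))
                self.enabled[victim] = False
                return ("disabled", victim)
        elif cpu_pct < self.cpu_low and mem_pct < self.mem_low:
            off = [n for n, e in self.enabled.items() if not e]
            if off:                                         # restore highest priority first
                restored = max(off, key=lambda n: (self.priority[n], n))
                self.enabled[restored] = True
                return ("enabled", restored)
        return None                                         # hysteresis band: no change

    def match(self, payload):
        """Run only the enabled comparisons against one packet payload (claim 1)."""
        return sorted(n for n, s in self.signatures.items()
                      if self.enabled[n] and s.pattern in payload)


# Constructed sample signatures; the tokens are placeholders, not real rule content.
SIGNATURES = [
    Signature("win-web-a", b"TOKEN-WIN-WEB-A", target_os="windows", target_service="http"),
    Signature("lin-web-b", b"TOKEN-LIN-WEB-B", target_os="linux", target_service="http"),
    Signature("win-smb-c", b"TOKEN-WIN-SMB-C", target_os="windows", target_service="smb"),
    Signature("any-shell-d", b"TOKEN-ANY-SHELL-D"),
]


def demo():
    """Walk the scheduler through a CPU spike, recovery, and a network-map change."""
    sched = AdaptiveScheduler(SIGNATURES)
    sched.observe_host(Host("10.0.0.5", "linux", frozenset({"http"})))   # constructed
    sched.observe_host(Host("10.0.0.6", "linux", frozenset({"ssh"})))    # constructed
    events = [sched.adjust_for_load(90.0, 50.0),    # CPU over 80: shed lowest priority
              sched.adjust_for_load(90.0, 50.0)]    # still over: shed the next one
    # Both tokens are present, but the shed Windows signature is no longer compared.
    partial_hits = sched.match(b"...TOKEN-WIN-WEB-A...TOKEN-LIN-WEB-B...")
    events.append(sched.adjust_for_load(70.0, 50.0))  # between thresholds: no change
    events.append(sched.adjust_for_load(40.0, 40.0))  # recovered: restore one signature
    sched.observe_host(Host("10.0.0.7", "windows", frozenset({"http", "smb"})))
    return sched, events, partial_hits


if __name__ == "__main__":
    s, ev, hits = demo()
    print(ev, hits, s.priority, s.enabled)
```

The `partial_hits` result is the cost side of the claimed design: a signature that was shed under load does not fire even when its pattern is present, which is why the ranking is tied to the hosts actually on the wire and why re-enabling uses a lower threshold than disabling, so the set does not flap around a single value.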
Specification