System and method for intrusion detection data collection using a network protocol stack multiplexor
Abstract
A system and method for detecting network intrusions using a protocol stack multiplexor is described. A network protocol stack includes a plurality of hierarchically structured protocol layers. Each such protocol layer includes a read queue and a write queue for staging transitory data packets and a set of procedures for processing the transitory data packets in accordance with the associated protocol. A protocol stack multiplexor is interfaced directly to at least one such protocol layer through a set of redirected pointers to the processing procedures of the interfaced protocol layer. A data packet collector references at least one of the read queue and the write queue for the associated protocol layer. A data packet exchanger communicates a memory reference to each transitory data packet from the referenced at least one of the read queue and the write queue for the associated protocol layer. An analysis module receives the communicated memory reference and performs intrusion detection based thereon.
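As an added illustration (not code from the patent or any product built on it), the following user-space C model traces the collection path the abstract describes: a protocol layer's processing procedure is reached through a function pointer, the multiplexor redirects that pointer to itself, records a reference to each transitory packet staged in the layer's read queue, and an analyzer works from those references without copying packet bodies. The layer, queue and packet layouts and the sample traffic are constructed for the example; a real implementation hooks kernel data structures and hands the references across the kernel/user boundary.

```c
#include <stddef.h>
#include <string.h>
#define QLEN 8
typedef struct { const unsigned char *data; size_t len; } packet_t;
/* One protocol layer (constructed model): a read queue staging transitory
 * packets and a procedure pointer through which the layer is invoked. */
typedef struct layer {
    packet_t read_queue[QLEN]; int rq_count;
    void (*put)(struct layer *, packet_t);
} layer_t;
static void layer_put(layer_t *l, packet_t p) {
    if (l->rq_count < QLEN) l->read_queue[l->rq_count++] = p;
}
/* Multiplexor: saves the original procedure pointer, installs its own, and
 * records a reference (never a copy) to each packet the layer stages. */
typedef struct {
    layer_t *layer; void (*orig_put)(layer_t *, packet_t);
    const packet_t *seen[QLEN]; int nseen;
} mux_t;
static mux_t g_mux;
static void mux_put(layer_t *l, packet_t p) {
    int before = l->rq_count;
    g_mux.orig_put(l, p);                         /* normal processing first */
    if (l->rq_count > before && g_mux.nseen < QLEN) /* then reference the queued packet */
        g_mux.seen[g_mux.nseen++] = &l->read_queue[l->rq_count - 1];
}
static void mux_attach(mux_t *m, layer_t *l) {
    m->layer = l; m->orig_put = l->put; m->nseen = 0;
    l->put = mux_put;                             /* the redirected pointer */
}
/* Analyzer: consumes the references and counts payloads starting with marker. */
static int analyze(const mux_t *m, const char *marker) {
    int hits = 0; size_t n = strlen(marker);
    for (int i = 0; i < m->nseen; i++)
        if (m->seen[i]->len >= n && memcmp(m->seen[i]->data, marker, n) == 0) hits++;
    return hits;
}
/* Constructed sample traffic pushed through the hooked layer. */
int demo_hits(void) {
    static layer_t ip;
    static const unsigned char a[] = "GET /index.html", b[] = "HELLO", c[] = "GET /admin";
    memset(&ip, 0, sizeof ip); ip.put = layer_put;
    mux_attach(&g_mux, &ip);
    ip.put(&ip, (packet_t){a, sizeof a - 1});
    ip.put(&ip, (packet_t){b, sizeof b - 1});
    ip.put(&ip, (packet_t){c, sizeof c - 1});
    return analyze(&g_mux, "GET ");               /* 2 of 3 packets match */
}
```

Because the layer still runs its original procedure before the multiplexor records anything, the hook is transparent to the stack: every packet reaches the read queue exactly as it would without the collector attached.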
Claims (29)
1. A system for intrusion detection data collection using a protocol stack multiplexor, comprising:
- a hierarchical protocol stack defined within kernel memory space and comprising a plurality of communicatively interfaced protocol layers, each such protocol layer comprising one or more procedures for processing data packets;
- a data frame processed through the protocol stack, the data frame comprising a plurality of recursively encapsulated data packets which are each encoded with a protocol recognized by one of the protocol layers; and
- a protocol stack multiplexor collecting data directly from the protocol stack from at least one of the processed data packets, comprising:
  - an interface interfacing directly into at least one such protocol layer through redirected references to the data packet processing procedures comprised within the at least one such protocol layer; and
  - a logical reference to the processed data packets obtained from the interfaced protocol layer, the logical reference referring to a memory block in the kernel memory space within which the processed data packets are stored and provided to an intrusion detection analyzer executing within user memory space.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for intrusion detection data collection using a protocol stack multiplexor, comprising:
- defining a hierarchical protocol stack within kernel memory space and comprising a plurality of communicatively interfaced protocol layers, each such protocol layer comprising one or more procedures for processing data packets;
- processing a data frame through the protocol stack, the data frame comprising a plurality of recursively encapsulated data packets which are each encoded with a protocol recognized by one of the protocol layers; and
- collecting data directly from the protocol stack from at least one of the processed data packets using a protocol stack multiplexor, comprising:
  - interfacing directly into at least one such protocol layer through redirected references to the data packet processing procedures comprised within the at least one such protocol layer;
  - obtaining a logical reference to the processed data packets from the interfaced protocol layer, the logical reference referring to a memory block in the kernel memory space within which the processed data packets are stored; and
  - providing the logical reference to an intrusion detection analyzer executing within user memory space.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A storage medium for intrusion detection data collection using a protocol stack multiplexor, comprising:
- defining a hierarchical protocol stack within kernel memory space and comprising a plurality of communicatively interfaced protocol layers, each such protocol layer comprising one or more procedures for processing data packets;
- processing a data frame through the protocol stack, the data frame comprising a plurality of recursively encapsulated data packets which are each encoded with a protocol recognized by one of the protocol layers; and
- collecting data directly from the protocol stack from at least one of the processed data packets using a protocol stack multiplexor, comprising:
  - interfacing directly into at least one such protocol layer through redirected references to the data packet processing procedures comprised within the at least one such protocol layer;
  - obtaining a logical reference to the processed data packets from the interfaced protocol layer, the logical reference referring to a memory block in the kernel memory space within which the processed data packets are stored; and
  - providing the logical reference to an intrusion detection analyzer executing within user memory space.

Dependent claims: 16, 17, 18, 19.
20. A system for detecting network intrusions using a protocol stack multiplexor, comprising:
- a network protocol stack comprising a plurality of hierarchically structured protocol layers, each such protocol layer comprising a read queue and a write queue for staging transitory data packets and a set of procedures for processing the transitory data packets in accordance with the associated protocol;
- a protocol stack multiplexor interfaced directly to at least one such protocol layer through a set of redirected pointers to the processing procedures of the interfaced protocol layer, further comprising:
  - a data packet collector referencing at least one of the read queue and the write queue for the associated protocol layer; and
  - a data packet exchanger communicating a memory reference to each transitory data packet from the referenced at least one of the read queue and the write queue for the associated protocol layer; and
- an analysis module receiving the communicated memory reference and performing intrusion detection based thereon.

Dependent claims: 21, 22, 23, 24.
25. A method for detecting network intrusions using a protocol stack multiplexor, comprising:
- executing a network protocol stack comprising a plurality of hierarchically structured protocol layers, each such protocol layer comprising a read queue and a write queue for staging transitory data packets and a set of procedures for processing the transitory data packets in accordance with the associated protocol;
- interfacing a protocol stack multiplexor directly to at least one such protocol layer through a set of redirected pointers to the processing procedures of the interfaced protocol layer, further comprising:
  - referencing at least one of the read queue and the write queue for the associated protocol layer; and
  - communicating a memory reference to each transitory data packet from the referenced at least one of the read queue and the write queue for the associated protocol layer; and
- receiving the communicated memory reference into an analysis module and performing intrusion detection based thereon.

Dependent claims: 26, 27, 28, 29.
Specification