Parallel intrusion detection sensors with load balancing for high speed networks

US 6,954,775 B1
Filed: 12/30/2002
Issued: 10/11/2005
Est. Priority Date: 01/15/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A system for detecting network intrusion, comprising:

an internetworking device coupled with a network, and being operable to receive a plurality of packets;

a plurality of intrusion detection sensors coupled for communication with the internetworking device, wherein the plurality of intrusion detection sensors operate in parallel;

a load balancer being operable to determine a distribution of the plurality of packets to one or more of the plurality of intrusion detection sensors; and

an analyzer being operable to detect a composite signature of more than one of the plurality of packets, the composite signature being associated with an unauthorized attempt at access to the network contained in more than one session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).

157 Citations

View as Search Results

14 Claims

1. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network, and being operable to receive a plurality of packets;
  
  a plurality of intrusion detection sensors coupled for communication with the internetworking device, wherein the plurality of intrusion detection sensors operate in parallel;
  
  a load balancer being operable to determine a distribution of the plurality of packets to one or more of the plurality of intrusion detection sensors; and
  
  an analyzer being operable to detect a composite signature of more than one of the plurality of packets, the composite signature being associated with an unauthorized attempt at access to the network contained in more than one session.
- View Dependent Claims (2)
- - 2. The system of claim 1, wherein the at least one sensor comprises a detection engine operable to examine a header and payload of the at least one of the plurality of packets.

3. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
  
  means for distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel, in accordance with a load balancing technique;
  
  means for detecting a composite signature of more than one of the plurality of packets; and
  
  means for determining whether the composite signature is associated with unauthorized access to the network.

4. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device as indicated by signature analysis of packet traffic on the network, comprising:
- means for balancing a packet load to said sensors, such that said packets are distributed at least at a session-based level;
  
  means for detecting signatures indicated by said packets delivered to said sensors;
  
  means for delivering packets indicating a composite signature from multiple sessions to a network analyzer;
  
  means for detecting composite signatures delivered to said network analyzer; and
  
  means for using the results of said detecting steps to determine unauthorized access to said network.

5. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  means for detecting signatures indicated by said packets delivered to said sensors;
  
  means for delivering packets indicating a composite signature to an analyzer;
  
  means for detecting a composite signature delivered to said analyzer; and
  
  means for using the results of said detecting steps to determine unauthorized access to said network.

6. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors between a router and a local network, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  means for detecting signatures indicated by said packets delivered to said sensors;
  
  means for delivering packets indicating a composite signature to an analyzer;
  
  means for detecting a composite signature delivered to said analyzer; and
  
  means for using the results of said detecting steps to determine unauthorized access to said network.

7. A system of using a switch to detect unauthorized access on a network, having means for providing a plurality of intrusion detection sensors within a switch, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  means for detecting signatures indicated by said packets delivered to said sensors;
  
  means for delivering packets indicating a composite signature to an analyzer;
  
  means for detecting a composite signature delivered to said analyzer; and
  
  means for using the results of said detecting steps to determine unauthorized access to said network.

8. Logic encoded in media for detecting network intrusion, the logic being operable to perform the following steps:
- receiving a plurality of packets at an internetworking device coupled with a network;
  
  distributing the plurality of packets to one or more of a plurality of intrusion detection sensors operating in parallel, in accordance with a load-balancing technique;
  
  detecting a composite signature of more than one the plurality of packets; and
  
  determining whether the composite signature is associated with unauthorized access to the network.

9. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that said packets are distributed at least at a session-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature from multiple sessions to a network analyzer;
  
  detecting composite signatures delivered to said network analyzer; and
  
  using the results of said detecting steps to determine unauthorized access to said network.

10. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting the composite signature delivered to said analyzer; and
  
  using the results of said detecting steps to determine unauthorized access to said network.

11. Logic encoded in media for detecting network intrusion on a network having a plurality of intrusion detection sensors coupled with a router and a local network, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting the composite signature delivered to said analyzer; and
  
  using the results of said detecting steps to determine unauthorized access to said network.

12. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors coupled with a switch, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
  
  detecting signatures indicated by said packets delivered to said sensors;
  
  delivering packets indicating a composite signature to an analyzer;
  
  detecting the composite signature delivered to said analyzer; and
  
  using the results of said detecting steps to determine unauthorized access to said network.

13. A system for detecting network intrusion, comprising:
- a router coupled with an external network and a local network, and being operable to receive a plurality of packets from the external network and route the plurality of packets to the local network, and wherein the plurality of packets constitute at least one session;
  
  a plurality of intrusion detection sensors arranged to operate in parallel and coupled between the router and the local network, and wherein the plurality of intrusion detection sensors are operable to detect a first signature contained in one of the plurality of packets, the first signature being associated with unauthorized access to the local network, and wherein the unauthorized access to the local network is associated with a malicious intent attack, a denial of service attack, an evasion attempt attack, or IP spoofing;
  
  a load balancer being operable to determine a distribution of the plurality of packets to one or more of the plurality of intrusion detection sensors, wherein the distribution of the plurality of packets results in each of the plurality of intrusion detection sensors receiving an equal number of packets;
  
  a session analyzer being operable to detect a second signature contained in more than one of the plurality of packets from a single session; and
  
  a network analyzer being operable to detect a third signature contained in more than one of the plurality of packets from more than one session.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the detection of the composite signature comprises performing a signature analysis selected from the group consisting of checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, and TCP stream assembly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shanklin, Steven D., Lathem, Gerald S.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US10/334,206
Time in Patent Office

1,016 Days
Field of Search

713/200, 713/201, 713176-177, 713151-154, 713161-163, 713/166, 713/168, 713/194, 713/165, 713/180, 709105-106, 709223-225, 709/238, 709200-203, 709/227, 709/235, 709/229, 709/240
US Class Current

718/105
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/1001   for accessing one among a p...

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

157 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links