Parallel intrusion detection sensors with load balancing for high speed networks
Abstract
Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
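The abstract describes two arrangements: session-based distribution, where a sensor sees every packet of a session and so can keep its own session state, and packet-based distribution, where packets of one session are spread across sensors and the session analyzer must therefore be shared. The Python model below is an added illustration, not code from the patent or its assignee, and simulates both arrangements. The packets, the signature tokens and the "one source, several destination ports" network-level heuristic are constructed for the example; the patent does not specify any particular signature.

```python
"""Toy model of parallel IDS sensors behind a load balancer (added example, not the
patent's own code).  Signatures, packets and thresholds are all constructed."""
from collections import defaultdict
from dataclasses import dataclass
import zlib

# Constructed signatures: one matched inside a single packet, one that only
# appears once a session's packets are reassembled.
SINGLE_PACKET_SIG = b"BAD-TOKEN-A"
SESSION_SIG = b"BAD-TOKEN-B"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def session_key(pkt):
    """Stand-in for the flow tuple: all packets of one client->server flow share it."""
    return (pkt.src, pkt.dst, pkt.dport)


class LoadBalancer:
    """'session' mode hashes the flow key (whole session -> one sensor);
    'packet' mode round-robins every packet, splitting sessions across sensors."""
    def __init__(self, n_sensors, mode):
        self.n, self.mode, self._rr = n_sensors, mode, 0

    def pick(self, pkt):
        if self.mode == "session":
            return zlib.crc32(repr(session_key(pkt)).encode()) % self.n
        idx, self._rr = self._rr, (self._rr + 1) % self.n
        return idx


class SessionAnalyzer:
    """Reassembles payload per session to catch a signature split across packets."""
    def __init__(self):
        self.buffers, self.alerts = defaultdict(bytes), []

    def feed(self, pkt):
        key = session_key(pkt)
        self.buffers[key] += pkt.payload
        if SESSION_SIG in self.buffers[key]:
            self.alerts.append(("session-composite", key))
            self.buffers[key] = b""  # one alert per occurrence


class NetworkAnalyzer:
    """Correlates across sessions: a source opening flows to SWEEP_PORTS distinct
    destination ports (constructed threshold) is reported once."""
    SWEEP_PORTS = 3

    def __init__(self):
        self.ports_by_src, self.alerts = defaultdict(set), []

    def feed(self, pkt):
        ports = self.ports_by_src[pkt.src]
        ports.add(pkt.dport)
        if len(ports) == self.SWEEP_PORTS:
            self.alerts.append(("network-composite", pkt.src))


class Sensor:
    """Per-packet signature matching; hands packets on to the two analyzers."""
    def __init__(self, session_analyzer, network_analyzer):
        self.session_analyzer, self.network_analyzer, self.alerts = (
            session_analyzer, network_analyzer, [])

    def inspect(self, pkt):
        if SINGLE_PACKET_SIG in pkt.payload:
            self.alerts.append(("single-packet", session_key(pkt)))
        self.session_analyzer.feed(pkt)
        self.network_analyzer.feed(pkt)


def run(packets, n_sensors=2, mode="session", share_session_analyzer=None):
    """Return every alert raised.  By default the session analyzer is shared only in
    packet-based mode, which is the arrangement the abstract describes; pass
    share_session_analyzer=False to see what packet-based mode misses without it."""
    if share_session_analyzer is None:
        share_session_analyzer = (mode == "packet")
    network, shared = NetworkAnalyzer(), SessionAnalyzer()
    sensors = [Sensor(shared if share_session_analyzer else SessionAnalyzer(), network)
               for _ in range(n_sensors)]
    balancer = LoadBalancer(n_sensors, mode)
    for pkt in packets:
        sensors[balancer.pick(pkt)].inspect(pkt)
    session_alerts = (shared.alerts if share_session_analyzer
                      else [a for s in sensors for a in s.session_analyzer.alerts])
    return [a for s in sensors for a in s.alerts] + session_alerts + network.alerts


# Constructed traffic: a signature split over two packets of one session, a
# single-packet signature, and one source touching three ports in three sessions.
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index BAD-TOK"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"EN-B HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", 22, b"hello BAD-TOKEN-A"),
    Packet("10.0.0.9", "192.0.2.10", 21, b"x"),
    Packet("10.0.0.9", "192.0.2.10", 23, b"x"),
    Packet("10.0.0.9", "192.0.2.10", 25, b"x"),
]

if __name__ == "__main__":
    for mode, share in (("session", None), ("packet", None), ("packet", False)):
        print(mode, "shared" if share is not False else "per-sensor",
              sorted({a[0] for a in run(PACKETS, 2, mode, share)}))
```

With two sensors, session-based mode and packet-based mode with the shared session analyzer both raise all three alert kinds. Packet-based mode with a session analyzer per sensor loses the split-payload session signature, because each sensor reassembles only the fragments it happened to receive; that gap is why the abstract pairs packet-level distribution with a shared session analyzer.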
14 Claims
1. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network, and being operable to receive a plurality of packets;
- a plurality of intrusion detection sensors coupled for communication with the internetworking device, wherein the plurality of intrusion detection sensors operate in parallel;
- a load balancer being operable to determine a distribution of the plurality of packets to one or more of the plurality of intrusion detection sensors; and
- an analyzer being operable to detect a composite signature of more than one of the plurality of packets, the composite signature being associated with an unauthorized attempt at access to the network contained in more than one session.

(Dependent claim 2 not shown.)

3. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
- means for distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel, in accordance with a load balancing technique;
- means for detecting a composite signature of more than one of the plurality of packets; and
- means for determining whether the composite signature is associated with unauthorized access to the network.

4. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device as indicated by signature analysis of packet traffic on the network, comprising:
- means for balancing a packet load to said sensors, such that said packets are distributed at least at a session-based level;
- means for detecting signatures indicated by said packets delivered to said sensors;
- means for delivering packets indicating a composite signature from multiple sessions to a network analyzer;
- means for detecting composite signatures delivered to said network analyzer; and
- means for using the results of said detecting steps to determine unauthorized access to said network.

5. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- means for detecting signatures indicated by said packets delivered to said sensors;
- means for delivering packets indicating a composite signature to an analyzer;
- means for detecting a composite signature delivered to said analyzer; and
- means for using the results of said detecting steps to determine unauthorized access to said network.

6. A system of detecting unauthorized access on a network having a plurality of intrusion detection sensors between a router and a local network, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- means for detecting signatures indicated by said packets delivered to said sensors;
- means for delivering packets indicating a composite signature to an analyzer;
- means for detecting a composite signature delivered to said analyzer; and
- means for using the results of said detecting steps to determine unauthorized access to said network.

7. A system of using a switch to detect unauthorized access on a network, having means for providing a plurality of intrusion detection sensors within a switch, comprising:
- means for balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- means for detecting signatures indicated by said packets delivered to said sensors;
- means for delivering packets indicating a composite signature to an analyzer;
- means for detecting a composite signature delivered to said analyzer; and
- means for using the results of said detecting steps to determine unauthorized access to said network.

8. Logic encoded in media for detecting network intrusion, the logic being operable to perform the following steps:
- receiving a plurality of packets at an internetworking device coupled with a network;
- distributing the plurality of packets to one or more of a plurality of intrusion detection sensors operating in parallel, in accordance with a load-balancing technique;
- detecting a composite signature of more than one of the plurality of packets; and
- determining whether the composite signature is associated with unauthorized access to the network.

9. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that said packets are distributed at least at a session-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature from multiple sessions to a network analyzer;
- detecting composite signatures delivered to said network analyzer; and
- using the results of said detecting steps to determine unauthorized access to said network.

10. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors at a network entry point associated with an internetworking device, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting the composite signature delivered to said analyzer; and
- using the results of said detecting steps to determine unauthorized access to said network.

11. Logic encoded in media for detecting network intrusion on a network having a plurality of intrusion detection sensors coupled with a router and a local network, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting the composite signature delivered to said analyzer; and
- using the results of said detecting steps to determine unauthorized access to said network.

12. Logic encoded in media for detecting network intrusion of a network having a plurality of intrusion detection sensors coupled with a switch, the logic being operable to perform the following steps:
- balancing a packet load to said sensors, such that packets are distributed at a packet-based level;
- detecting signatures indicated by said packets delivered to said sensors;
- delivering packets indicating a composite signature to an analyzer;
- detecting the composite signature delivered to said analyzer; and
- using the results of said detecting steps to determine unauthorized access to said network.

13. A system for detecting network intrusion, comprising:
- a router coupled with an external network and a local network, and being operable to receive a plurality of packets from the external network and route the plurality of packets to the local network, and wherein the plurality of packets constitute at least one session;
- a plurality of intrusion detection sensors arranged to operate in parallel and coupled between the router and the local network, and wherein the plurality of intrusion detection sensors are operable to detect a first signature contained in one of the plurality of packets, the first signature being associated with unauthorized access to the local network, and wherein the unauthorized access to the local network is associated with a malicious intent attack, a denial of service attack, an evasion attempt attack, or IP spoofing;
- a load balancer being operable to determine a distribution of the plurality of packets to one or more of the plurality of intrusion detection sensors, wherein the distribution of the plurality of packets results in each of the plurality of intrusion detection sensors receiving an equal number of packets;
- a session analyzer being operable to detect a second signature contained in more than one of the plurality of packets from a single session; and
- a network analyzer being operable to detect a third signature contained in more than one of the plurality of packets from more than one session.

(Dependent claim 14 not shown.)
Specification