Method and apparatus for tracing packets
Abstract
A system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS1) and at least one router configured to operate as a source path isolation router (SR1) operating within an autonomous system. When IDS detects a malicious packet, a message is sent to SS1. SS1 in turn generates a query message (QM) containing at least a portion of the malicious packet. Then, QM is sent to participating routers located one hop away. SR1 uses the query message to determine if it has observed the malicious packet by comparing it with locally stored information about packets having passed through SR1. SR1 sends a reply to SS1, and SS1 uses the reply to identify the ingress point into the network of the malicious packet.
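The query/reply exchange the abstract describes, as an added illustrative example rather than code from the patent: routers store a digest of every packet they forward, and the source path isolation server queries hop by hop from the IDS outward until it reaches a matching router with no matching router beyond it. The packet representation (SHA-256 with the mutable TTL and checksum fields masked), the topology and the packet contents are all constructed assumptions for the example.

```python
import hashlib
from collections import deque

def packet_digest(pkt: bytes) -> bytes:
    # Packet representation: hash with the per-hop mutable IPv4 fields masked
    # (TTL at byte 8, header checksum at bytes 10-11) so the same packet yields
    # one digest at every router. Assumed scheme, not the patent's exact one.
    return hashlib.sha256(pkt[:8] + b"\0" + pkt[9:10] + b"\0\0" + pkt[12:]).digest()

class Router:
    # SR1: remembers digests of forwarded packets, answers query messages.
    def __init__(self, name, neighbors):
        self.name, self.neighbors, self.seen = name, neighbors, set()
    def forward(self, pkt):
        self.seen.add(packet_digest(pkt))
    def handle_query(self, qm):
        return {"router": self.name, "match": qm["digest"] in self.seen}

def isolate_source(routers, first_hop, malicious_pkt):
    # SS1: query the router one hop from the IDS, then walk outward through
    # matching routers; a match with no matching router beyond it is the
    # point of entry (several are returned if the packet entered twice).
    qm = {"digest": packet_digest(malicious_pkt)}
    parent, matched, frontier = {first_hop: None}, set(), deque([first_hop])
    while frontier:
        r = frontier.popleft()
        if not routers[r].handle_query(qm)["match"]:
            continue
        matched.add(r)
        for n in routers[r].neighbors:
            if n not in parent:
                parent[n] = r
                frontier.append(n)
    return sorted(matched - {parent[r] for r in matched if parent[r]})

def ipv4_packet(ttl, payload=b"constructed attack payload"):
    # Minimal constructed IPv4 header (checksum zeroed, sample addresses).
    hdr = bytes([0x45, 0, 0, 20 + len(payload), 0xAB, 0xCD, 0, 0, ttl, 17,
                 0, 0, 10, 0, 0, 5, 192, 168, 1, 10])
    return hdr + payload

def demo():
    # Constructed topology: R1 (border) - R2 - R3 (next to the IDS host);
    # R4 hangs off R2 and never carried the packet. TTL drops one per hop.
    routers = {"R1": Router("R1", ["R2"]), "R2": Router("R2", ["R1", "R3", "R4"]),
               "R3": Router("R3", ["R2"]), "R4": Router("R4", ["R2"])}
    for name, ttl in (("R1", 62), ("R2", 61), ("R3", 60)):
        routers[name].forward(ipv4_packet(ttl))
    routers["R4"].forward(ipv4_packet(60, b"unrelated traffic"))
    return isolate_source(routers, "R3", ipv4_packet(59))  # IDS copy, TTL 59
```

Because the representation masks the fields that change per hop, the IDS's copy (TTL 59) matches what R1 recorded (TTL 62), and the trace stops at R1 as the ingress router.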
Claims (34)

1. In a network including a plurality of hosts and a plurality of routers for facilitating the transmission of packets, a system for determining the point of entry of a malicious packet into said network using a representation of said malicious packet, said system comprising:
- an intrusion detection system for detecting entry of said malicious packet into said network; and
- a source-path isolation server responsive to operation of said intrusion detection system, for isolating said malicious packet;
whereby said point of entry of said malicious packet is determined.
Dependent claims: 2, 3, 4.

5. In a network carrying a plurality of packets, at least one of said packets being a target packet, said network including at least one network component, a detection device and a server, a method for determining a point of entry of a target packet into said network, said method comprising:
- at said server, receiving said target packet from said detection device;
- sending a query message identifying said target packet to a first component of said at least one network component;
- receiving a reply containing information about said target packet from said first component;
- processing said reply to extract said information; and
- using said information in a manner that said point of entry shall ultimately be determined.
Dependent claims: 6 through 18.

19. In a network carrying a plurality of packets, said plurality of packets including a target packet having entered through an intrusion location, a query packet, and a reply packet generated in response to said query packet, said network including a network component having a first memory and a server having a second memory, said server comprising:
- a bus communicatively coupled to said network;
- said second memory communicatively coupled to said bus for storing data and machine-readable instructions; and
- a processor communicatively coupled to said bus executing said machine-readable instructions for causing said server to place a query packet onto said network for transmission to said network component, said query packet being generated in response to detecting said target packet and further including information about said target packet, said processor further executing said machine-readable instructions to process said reply packet to identify said intrusion location.
Dependent claims: 20, 21, 22, 23, 24.

25. A communication medium for transporting data in a network, said network including a network component for generating a representation of an intruding packet, a server, and an intrusion detection device, said communication medium comprising:
- media for carrying a query message comprising information about at least a portion of said intruding packet, said query message being created by said server in response to a triggering event indicating said intruding packet was detected by said intrusion detection device; and
- media for carrying a reply generated by said network component in response to said query message, said network component matching said representation to said information in said query message and indicating a match therebetween;
whereby said match indicates said intruding packet has been encountered.
Dependent claims: 26, 27.

28. In a network carrying a plurality of packets, a computer-readable data signal embodied in a transmission medium used to identify an intrusion location of a target packet, said network including a server and a network component having memory storing a like plurality of packet representations, each of said representations corresponding respectively to each one of said plurality of packets, said data signal comprising:
- a header portion comprising an address of said network component; and
- a body portion comprising at least a portion of said target packet, said body portion being compared to each of said packet representations, wherein a match between said at least a portion of said target packet and one of said packet representations indicates said network component encountered said target packet.
Dependent claims: 29.

30. In a network carrying a plurality of packets, said plurality of packets including a target packet having entered said network through an intrusion location, a computer-readable storage medium containing executable code for instructing a processor to generate a query in response to a triggering event, said network including a network component having memory storing representations of encountered packets, said executable code instructing said processor to perform operations comprising:
- processing said triggering event to extract said first information about said target packet;
- generating said query for placement onto said network, said query including second information about at least a portion of said target packet;
- sending said query to said network component;
- receiving a reply from said network component;
- processing said reply; and
- using said reply to facilitate identification of said intrusion location.
Dependent claims: 31, 32, 33.

34. In a network carrying a plurality of packets, said network including a network component having memory storing first information about a subset of said plurality of packets having passed through said network component and a processor for computing a first representation of a target packet and a second representation of a member of said subset of said plurality of packets, said memory for also storing second information about an intrusion location of said target packet in said network, said memory comprising:
- a data structure stored in said memory, said data structure including information resident in a database used by a source path isolation program for determining said intrusion location, said data structure including:
  - a network component identification attribute corresponding to the location of said network component;
  - a target packet attribute uniquely identifying said target packet; and
  - a reply packet attribute associated with all members of said subset, including at least one of said member, said reply packet attribute being associated with said network component identification attribute to identify the origin of said reply packet, said reply packet indicating said member was encountered if said first representation matches said second representation.