Systems and methods for point of ingress traceback of a network attack

US 7,200,105 B1
Filed: 01/11/2002
Issued: 04/03/2007
Est. Priority Date: 01/12/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving packets at the node;

computing one or more signatures for each of the received packets;

aggregating the computed one or more signatures in a first memory to produce one or more signature vectors, wherein the computed one or more signatures are aggregated over a collection interval R;

archiving the one or more signature vectors in a second memory;

providing the archived one or more signature vectors to an agent for determining a point of ingress for the packet when it entered a network; and

randomly zeroing out a fraction of the one or more signature vectors that are older than P seconds.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus (520) for archiving signatures associated with packets received at a node in a network includes a first memory (620), a second memory (625), a signature tap (610), a multiplexer (615), and a controller (630). The signature tap (610) receives packets at the node and computes one or more signatures for each of the received packets. The multiplexer (615) aggregates the computed one or more signatures in the first memory (620) to produce one or more signature vectors. The controller (630) archives the one or more signature vectors in the second memory (625).

Citations

32 Claims

1. A method, comprising:
- receiving packets at the node;
  
  computing one or more signatures for each of the received packets;
  
  aggregating the computed one or more signatures in a first memory to produce one or more signature vectors, wherein the computed one or more signatures are aggregated over a collection interval R;
  
  archiving the one or more signature vectors in a second memory;
  
  providing the archived one or more signature vectors to an agent for determining a point of ingress for the packet when it entered a network; and
  
  randomly zeroing out a fraction of the one or more signature vectors that are older than P seconds.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein computing the one or more signatures for each of the received packets further comprises:
    - computing one or more cyclical redundancy checking values for each of the received packets.
  - 3. The method of claim 1, wherein computing the one or more signatures for each of the received packets further comprises:
    - computing one or more hash values for each of the received packets.
  - 4. The method of claim 1, wherein computing the one or more signatures for each of the received packets further comprises:
    - computing one or more CRC-32 values for each of the received packets.
  - 5. The method of claim 1, wherein the second memory comprises a ring buffer.
  - 6. The method of claim 1, wherein archiving the one or more signature vectors comprises:
    - storing the one or more signature vectors in the second memory indexed by the collection interval.
  - 7. The method of claim 1, wherein archiving the one or more signature vectors comprises:
    - storing a fraction of the one or more signature vectors in the second memory.
  - 8. The method of claim 1, further comprising:
    - discarding signature vectors of the archived one or more signature vectors that are older than P seconds.
  - 9. The method of claim 1, further comprising:
    - archiving the merged bits in the second memory for a period equaling a multiple of the collection interval R.
  - 10. The method of claim 9, wherein the multiple of the collection interval R comprises 10*R.
  - 11. The method of claim 1, wherein the second memory comprises a DRAM.

12. An apparatus for archiving signatures associated with packets received at a node in a network, comprising:
- a first memory;
  
  a second memory;
  
  a signature tap configured to;
  
  receive packets at the node;
  
  compute one or more signatures for each of the received packets;
  
  a multiplexer configured to;
  
  aggregate, over a collection interval R, the computed one or more signatures in the first memory to produce one or more signature vectors; and
  
  a controller configured to;
  
  archive the one or more signature vectors in the second memory; and
  
  randomly zero out a fraction of the one or more signature vectors that are older than P seconds.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus of claim 12, the one or more signature vectors comprising one or more cyclical redundancy checking values.
  - 14. The apparatus of claim 12, the one or more signature vectors comprising one or more hash values.
  - 15. The apparatus of claim 12, the one or more signature vectors comprising one or more CRC-32 values.
  - 16. The apparatus of claim 12, wherein the second memory comprises a ring buffer.
  - 17. The apparatus of claim 12, the controller further configured to:
    - store the one or more signature vectors in the second memory indexed by the collection interval.
  - 18. The apparatus of claim 12, the controller further configured to:
    - store a fraction of the one or more signature vectors in the second memory.
  - 19. The apparatus of claim 12, the controller further configured to:
    - discard signature vectors of the archived one or more signature vectors that are older than P seconds.
  - 20. The apparatus of claim 12, the controller further configured to:
    - archive the merged bits in the second memory for a period equaling a multiple of the collection interval R.
  - 21. The apparatus of claim 20, wherein the multiple of the collection interval R comprises 10*R.
  - 22. The apparatus of claim 12, wherein the second memory comprises a DRAM.

23. A system, comprising:
- a first memory;
  
  a second memory;
  
  one or more signature taps configured to;
  
  receive packets at the node, andcompute one or more signatures for each of the received packets;
  
  a multiplexer configured to;
  
  use each of the one or more signatures as addresses for addressing bit locations in the first memory,set memory bits in the addresses of the first memory corresponding to each of the one or more signatures; and
  
  a controller configured to archive a signature vector comprising a block of memory bits from the first memory in the second memory.

24. A system, comprising:
- a first memory;
  
  a second memory;
  
  a signature tap to determine at least one signature for each packet of a plurality of received packets;
  
  a multiplexer to store, over a collection interval, the determined at least one signature for each of the plurality of received packets in the first memory to produce a signature vector that comprises a block of a plurality of signatures for at least a portion of the plurality of received packets; and
  
  a controller configured to archive the signature vector in the second memory after an expiration of the collection interval.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The system of claim 24, the at least one signature comprising a cyclical redundancy checking value.
  - 26. The system of claim 24, the at least one signature comprising a hash value.
  - 27. The system of claim 24, the at least one signature comprising a CRC-32 value.
  - 28. The system of claim 24, wherein the second memory comprises a ring buffer.
  - 29. The system of claim 24, the controller further configured to:
    - archive the one or more signature vectors in the second memory indexed by the collection interval.
  - 30. The system of claim 24, the controller further configured to:
    - archive a fraction of the one or more signature vectors in the second memory.
  - 31. The system of claim 24, the controller further configured to:
    - discard signature vectors of the archived one or more signature vectors that are older than P seconds.
  - 32. The system of claim 24, wherein the second memory comprises a DRAM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
BBN Technologies Corporation (Rtx Corporation)
Inventors
Milliken, Walter Clark, Sanchez, Luis A., Snoeren, Alex C.
Primary Examiner(s)
Kizou, Hassan
Assistant Examiner(s)
Wong, Warner

Application Number

US10/044,073
Time in Patent Office

1,908 Days
Field of Search

714752-768, 714/776, 711/216
US Class Current

370/216
CPC Class Codes

H04L 2463/146 Tracing the source of attacks

H04L 63/1416 Event detection, e.g. attac...

Systems and methods for point of ingress traceback of a network attack

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for point of ingress traceback of a network attack

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links