Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
First Claim
1. A method to detect unauthorized reconnaissance or scanning of a computer network comprising:
monitoring communications within the network;
detecting a predefined sequential triplet of TCP/IP protocol set packets flowing within said communications, each of the predefined sequential triplet packets comprising a source address field, a target device address field, a source port field and a target device port field, comprising;
providing a histogram in which states of the predefined sequence of packets are maintained, the histogram including a table partitioned into a first field in which source addresses of network devices are kept and a second field concatenated to the first field;
dynamically updating said histogram as selected ones of the predefined sequence of packets are detected by initializing or incrementing a state code field in response to an order in which packets in the predefined sequence of packets are detected;
concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into the table first and second fields as an ordered four-tuple;
hashing the ordered four-tuple; and
using the hashed ordered four-tuple as a histogram location index;
observing an initial SYN packet originating from a source address;
detecting a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet; and
detecting a last sequential RST packet originating from the source address in response to the SYN/ACK packet; and
issuing an alert indicating unauthorized scanning if the predefined sequence of packets are each relevant to the source address and if the state code field has an alert value.
Abstract
A detection and response system that generates an Alert if unauthorized scanning is detected on a computer network. It includes a look-up table that records a state value corresponding to the sequence in which SYN, SYN/ACK and RST packets are observed. A set of algorithms executed on a processing engine adjusts the state value in response to observing the packets. When the state value reaches a predetermined value indicating that all three packets have been seen, the algorithm generates an Alert.
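The detection loop described in claim 1 and the abstract, as an added Python example (this is illustrative code, not the patent's own implementation): a histogram of state codes indexed by a hash of the ordered 4-tuple, initialised on the SYN, incremented on the SYN/ACK and the RST, and alerting once the three are seen in that order. The state-code values 1/2/3, the alert value 3, orienting the SYN/ACK's tuple from the initiator's side so all three packets share one index, and forgetting a flow once a plain ACK completes the handshake are assumptions of this example, not statements of the page.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")  # constructed packet model
SYN, SYN_ACK, RST, ACK = "S", "SA", "R", "A"
ALERT_VALUE = 3  # assumed state code meaning: all three packets seen in order


def flow_index(pkt):
    """Hash of the ordered 4-tuple, oriented from the initiating host (assumption)."""
    if pkt.flags == SYN_ACK:  # the reply travels the other way: swap both ends
        return hash((pkt.dst, pkt.src, pkt.dport, pkt.sport))
    return hash((pkt.src, pkt.dst, pkt.sport, pkt.dport))


class ScanDetector:
    """Histogram of state codes: 1 = SYN seen, 2 = SYN/ACK seen, 3 = RST seen."""

    def __init__(self):
        self.histogram = {}  # hashed 4-tuple -> state code

    def observe(self, pkt):
        """Update the state code for this packet; return an alert string or None."""
        idx = flow_index(pkt)
        state = self.histogram.get(idx, 0)
        if pkt.flags == SYN:
            self.histogram[idx] = 1          # initialise on the probe
        elif pkt.flags == SYN_ACK and state == 1:
            self.histogram[idx] = 2          # target answered the probe
        elif pkt.flags == RST and state == 2:
            self.histogram[idx] = 3          # initiator tore the half-open connection down
        elif pkt.flags == ACK and state == 2:
            self.histogram.pop(idx)          # handshake completed: benign, forget the flow
        if self.histogram.get(idx) == ALERT_VALUE:
            self.histogram.pop(idx)
            return f"ALERT: half-open scan from {pkt.src} against {pkt.dst}:{pkt.dport}"
        return None


def run(packets):
    det = ScanDetector()
    return [a for a in map(det.observe, packets) if a]


# Constructed traffic: a half-open probe of port 22, and a normal connection later closed with RST.
SCAN = [Packet("10.0.0.5", "10.0.0.9", 40001, 22, SYN),
        Packet("10.0.0.9", "10.0.0.5", 22, 40001, SYN_ACK),
        Packet("10.0.0.5", "10.0.0.9", 40001, 22, RST)]
NORMAL = [Packet("10.0.0.7", "10.0.0.9", 40002, 80, SYN),
          Packet("10.0.0.9", "10.0.0.7", 80, 40002, SYN_ACK),
          Packet("10.0.0.7", "10.0.0.9", 40002, 80, ACK),
          Packet("10.0.0.7", "10.0.0.9", 40002, 80, RST)]
```

Out-of-order packets never advance the state code, so a lone RST, or an RST without a preceding SYN/ACK, produces no alert.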
19 Claims
8. A method to deploy an intrusion detection system on a network device comprising:
providing an algorithm to detect a predefined sequential triplet of TCP/IP protocol packets;
providing a table to record at least one characteristic to identify network devices and a state code corresponding to a sequence in which the predefined sequential triplet of packets are received, wherein each of the predefined sequential triplet packets comprises a source address field, a target device address field, a source port field and a target device port field;
dynamically updating a histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple;
hashing the ordered four-tuple; and
using the hashed ordered four-tuple as a histogram location index; and
generating an alert if the predefined triplet of packets is detected and the triplet packets are each relevant to a source address; wherein the triplet comprises an initial SYN packet originating from the source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet.
14. A method to protect devices from malicious attacks launched on a computer network comprising:
providing on a device to be protected a software program that monitors packets, the software program including a table containing codes whose values represent detection of one of the predefined set of packets and at least one source address associated with at least one of the codes, each of the predefined sequential triplet packets comprising a source address field, a target device address field, a source port field and a target device port field;
dynamically updating a histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple;
hashing the ordered four-tuple and using the hashed ordered four-tuple as a histogram location index; and
issuing an alert if a predefined sequential triplet of TCP/IP protocol packets is detected and the triplet packets are each relevant to a source address; wherein the triplet comprises an initial SYN packet originating from the source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet.