Active network defense system and method
Abstract
An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.
98 Citations
47 Claims
1. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
- performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
- blocking packets associated with the suspected multi-session attack from remaining in the data flow;
- performing a deep packet inspection of all remaining packets passing in the data flow to identify good packets, bad packets and suspicious packets, wherein each of the packets includes a header portion and a payload portion, and the deep packet inspection compares non-header character strings and/or expression values within the payload portion of the packet against certain strings and/or expressions defining payload content-based threat criteria;
- allowing the good packets to pass on to a protected network;
- blocking the bad packets from entry into the protected network; and
- extracting the suspicious packets from the data flow for further investigation.
Dependent claims: 2 to 24.

25. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
- performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
- terminating at least one session associated with the suspected multi-session attack;
- filtering all packets of remaining sessions in the data flow against a threat criteria for detecting threatening packets, each packet including a header portion and a payload portion, the filtering comprising comparing non-header character strings and/or expression values within the payload portion of the passing packets against the threat criteria which comprises both payload character strings and payload regular expression values that are characteristic of threatening packets;
- allowing non-threatening packets to pass on to a protected network; and
- extracting the threatening packets from the data flow.
Dependent claims: 26 to 41.

42. A method for network protection, comprising:
- monitoring all packets passing in a data flow at line speed for a presence of information indicative of an attack, comprising:
  - collecting data concerning a nature of the packets in the data flow across multiple different sessions;
  - statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  - checking header field values in the packets for the presence of header content information indicative of dangerous packet traffic; and
  - checking non-header character strings and/or expression values within a payload of the packets for the presence of certain payload character strings and payload regular expression values which are indicative of dangerous packet traffic;
- blocking those packets associated with the suspected multi-session attack from remaining in the data flow; and
- blocking those packets having said information indicative of dangerous packet traffic from entering a protected network.

43. A method of network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
- performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
- blocking packets associated with the suspected multi-session attack from remaining in the data flow;
- performing a packet payload inspection of all remaining packets to identify packets by comparing non-header character strings and/or expression values within each said packet against payload character strings and payload regular expression values;
- allowing packets in said data flow to pass on to a protected network based on the identification; and
- blocking packets from entering said network based on the identification.

44. A method for network protection, comprising:
- determining whether a multi-session attack exists, comprising:
  - collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  - performing a statistical analysis on the collected data against an algorithmic filter to identify a suspicion of a multi-session attack;
- performing stateful pattern matching of the packets passing in the data flow, comprising:
  - determining whether header field values in passing packets match field values characteristic of suspicious packets; and
  - determining whether non-header character strings and/or expression values within payloads of said passing packets match character strings and regular expression values characteristic of suspicious packets;
- allowing packets not associated with the suspected multi-session attack and which pass pattern matching analysis to pass on to a protected network;
- blocking packets associated with the suspected multi-session attack or which fail pattern matching analysis from entry into said protected network.

45. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
- performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
- performing a deep packet inspection of packets attempting to enter a protected network, wherein each of the packets includes a header portion and a payload portion, and the deep packet inspection compares non-header character strings and/or expression values within the payload portion against certain strings and/or expressions defining payload content-based threat criteria;
- allowing packets which are not associated with a suspected multi-session attack and which pass deep packet inspection to pass on to the protected network; and
- blocking packets which either are associated with a suspected multi-session attack or fail deep packet inspection from entry into the protected network.

46. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
- statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
- filtering packets against a threat criteria for detecting threatening packets by inspecting packets attempting to enter a protected network, each packet including a header portion and a payload portion, the filtering comprising comparing non-header character strings and/or expression values within the payload portion of all packets against the threat criteria which comprises both payload character strings and payload regular expression values that are characteristic of threatening packets;
- allowing non-threatening packets to pass on to a protected network; and
- extracting the threatening packets from the data flow;
- wherein the threat criteria are tailored in response to the suspected existence of a multi-session attack to make the filtering more sensitive to identifying threatening packets associated with the suspected multi-session attack.

47. A method for network protection, comprising:
- monitoring all packets attempting to enter a protected network at line speed for a presence of information indicative of an attack, comprising:
  - collecting data concerning a nature of the monitored packets across multiple different sessions;
  - statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  - checking header field values in the monitored packets for the presence of header content information indicative of dangerous packet traffic; and
  - checking non-header character strings and/or expression values within a payload of the monitored packets for the presence of certain strings and/or expressions defining payload content information indicative of dangerous packet traffic; and
- blocking those packets associated with the suspected multi-session attack or having said information indicative of dangerous packet traffic from entering a protected network.
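The two-stage pipeline that the abstract and claims 1 and 46 describe (a statistical threshold filter across sessions, then per-packet header and payload string/regex matching that sorts packets into good, bad and suspicious), as an added Python model that is not the patent's own implementation. The signatures, the session threshold and the sample traffic are constructed for illustration, and the `sensitive` switch is one assumed way of tailoring the threat criteria while a multi-session attack is suspected, as claim 46 describes.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # header field: source address
    dst_port: int   # header field: destination port
    session: str    # constructed session identifier
    payload: bytes  # non-header content inspected by the trigger filter

# Threat criteria: constructed, illustrative signatures, not the patent's own.
BAD_PORTS = {31337}                                   # header content match
BAD_STRINGS = [b"/bin/sh"]                            # payload character strings
BAD_REGEX = [re.compile(rb"(?i)\bunion\s+select\b")]  # payload regular expressions
SUSPECT_REGEX = [re.compile(rb"\.\./")]               # suspicious, not conclusive
SESSION_THRESHOLD = 3                                 # distinct sessions per source

def algorithmic_filter(packets, threshold=SESSION_THRESHOLD):
    """Threshold across sessions: a source with more than `threshold` distinct sessions is a suspect."""
    sessions = {}
    for p in packets:
        sessions.setdefault(p.src, set()).add(p.session)
    return {src for src, seen in sessions.items() if len(seen) > threshold}

def trigger_filter(p, sensitive=False):
    """Header match, then payload string/regex match; `sensitive` makes suspicious patterns block."""
    if p.dst_port in BAD_PORTS:
        return "bad"
    if any(s in p.payload for s in BAD_STRINGS) or any(r.search(p.payload) for r in BAD_REGEX):
        return "bad"
    if any(r.search(p.payload) for r in SUSPECT_REGEX):
        return "bad" if sensitive else "suspicious"
    return "good"

def defend(packets):
    """In-line pipeline: returns the packets that passed, were blocked, or were extracted."""
    suspects = algorithmic_filter(packets)
    out = {"passed": [], "blocked": [], "extracted": []}
    for p in packets:
        if p.src in suspects:  # multi-session suspect: blocked before inspection
            out["blocked"].append(p)
            continue
        verdict = trigger_filter(p, sensitive=bool(suspects))
        out[{"good": "passed", "bad": "blocked", "suspicious": "extracted"}[verdict]].append(p)
    return out

# Constructed sample: one source fanning out over four sessions, plus three single-session packets.
SAMPLE = [Packet("10.0.0.5", 80, f"s{i}", b"GET / HTTP/1.1") for i in range(4)] + [
    Packet("10.0.0.9", 80, "s9", b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.7", 31337, "s7", b"hello"),
    Packet("10.0.0.8", 80, "s8", b"GET /../../etc/passwd HTTP/1.1"),
]
```

Running `defend(SAMPLE)` blocks the fan-out source before inspection and, because an attack is suspected, also blocks the traversal-pattern packet; the same three single-session packets run alone instead send that packet to the extracted bucket for further investigation.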
Specification