Active network defense system and method

US 7,454,499 B2
Filed: 11/07/2002
Issued: 11/18/2008
Est. Priority Date: 11/07/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for network protection, comprising:

collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;

performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;

blocking packets associated with the suspected multi-session attack from remaining in the data flow;

performing a deep packet inspection of all remaining packets passing in the data flow to identify good packets, bad packets and suspicious packets, wherein each of the packets includes a header portion and a payload portion, and the deep packet inspection compares non-header character strings and/or expression values within the payload portion of the packet against certain strings and/or expressions defining payload content-based threat criteria;

allowing the good packets to pass on to a protected network;

blocking the bad packets from entry into the protected network; and

extracting the suspicious packets from the data flow for further investigation.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.

98 Citations

View as Search Results

47 Claims

1. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  blocking packets associated with the suspected multi-session attack from remaining in the data flow;
  
  performing a deep packet inspection of all remaining packets passing in the data flow to identify good packets, bad packets and suspicious packets, wherein each of the packets includes a header portion and a payload portion, and the deep packet inspection compares non-header character strings and/or expression values within the payload portion of the packet against certain strings and/or expressions defining payload content-based threat criteria;
  
  allowing the good packets to pass on to a protected network;
  
  blocking the bad packets from entry into the protected network; and
  
  extracting the suspicious packets from the data flow for further investigation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1 wherein performing comprises making the identification through an inspection of a plurality of packets within the context of a single session.
  - 3. The method of claim 2 wherein performing comprises filtering packets in the data flow in operable response to threat criteria designed for detecting the bad packets across said single session.
  - 4. The method of claim 2 further comprising filtering packets in the data flow in operable response to a criteria designed for detecting the good packets across said single session.
  - 5. The method of claim 4 further comprising blocking each said packet in the data flow that fails to be identified as meeting the criteria.
  - 6. The method of claim 1 wherein performing comprises making the identification through an inspection of a plurality of packets within the context of multiple sessions.
  - 7. The method of claim 6 wherein performing comprises filtering packets in the data flow in operable response to threat criteria designed for detecting the bad packets across said multiple sessions.
  - 8. The method of claim 7 wherein packet content matching and packet header matching operate in conjunction with each other.
  - 9. The method of claim 6 further comprising filtering packets in the data flow in operable response to a criteria designed for detecting the good packets across said multiple sessions.
  - 10. The method of claim 9 further comprising blocking each said packet in the data flow that fails to be identified as meeting the criteria.
  - 11. The method of claim 1 further including performing a more thorough threat assessment analysis on the extracted suspicious packets.
  - 12. The method of claim 1 wherein performing comprises pattern matching the payload portion contents of all passing packets against the payload content-based threat criteria.
  - 13. The method of claim 12 wherein pattern matching is performed in multiple parallel instances.
  - 14. The method of claim 1 further comprising packet header matching the passing packets by determining whether header field values in the packet header portion match header field-related threat criteria.
  - 15. The method of claim 14 wherein packet header matching further comprises checking the header field values for a presence of header field-related information indicative of an attack.
  - 16. The method of claim 15 wherein the header field values comprises destination and source IP address.
  - 17. The method of claim 15 wherein the header field values comprises destination and source ports.
  - 18. The method of claim 14 wherein packet payload portion content comparison and packet header portion matching operate in conjunction with each other.
  - 19. The method of claim 1 wherein performing comprises matching packet payload elements in the payload portion to character strings and regular expression values characteristic of threatening packets.
  - 20. The method of claim 1 further comprising packet header matching the passing packets by determining whether header field values in the packet header portions of a plurality of packets match header field-related threat criteria.
  - 21. The method of claim 20 wherein packet header matching further comprises checking the header field values for a presence of header field-related information indicative of an attack.
  - 22. The method of claim 21 wherein the header field values comprises destination and source IP address.
  - 23. The method of claim 21 wherein the header field values comprises destination and source ports.
  - 24. The method of claim 1 wherein performing comprises packet content matching the passing packets by determining whether the character strings and/or regular expression values of packet payload portions of a plurality of packets match packet payload threat criteria.

25. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  terminating at least one session associated with the suspected multi-session attack;
  
  filtering all packets of remaining sessions in the data flow against a threat criteria for detecting threatening packets, each packet including a header portion and a payload portion, the filtering comprising comparing non-header character strings and/or expression values within the payload portion of the passing packets against the threat criteria which comprises both payload character strings and payload regular expression values that are characteristic of threatening packets;
  
  allowing non-threatening packets to pass on to a protected network; and
  
  extracting the threatening packets from the data flow.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 26. The method of claim 25 wherein comparing comprises making the detection with respect to plural passing packets within the context of a single session.
  - 27. The method of claim 26 wherein filtering further comprises comparing packet header portion header field values against the threat criteria.
  - 28. The method of claim 27 wherein comparing packet header field values comprises checking the header field values for a presence of information indicative of an attack.
  - 29. The method of claim 28 wherein the header field values comprises destination and source IP address.
  - 30. The method of claim 28 wherein the header field values comprises destination and source ports.
  - 31. The method of claim 26 wherein packet content comparing and packet header comparison operate in conjunction with each other.
  - 32. The method of claim 26 further comprising filtering packets in the data flow in operable response to a criteria designed for detecting the good packets across said single session.
  - 33. The method of claim 32 further comprising blocking each said packet in the data flow that fails to be identified as meeting the criteria.
  - 34. The method of claim 25 wherein comparing comprises making the detection with respect to plural passing packets within the context of multiple sessions.
  - 35. The method of claim 34 wherein filtering further comprises comparing packet header portion header field values against the threat criteria.
  - 36. The method of claim 35 wherein comparing packet header field values comprises checking the header field values for a presence of information indicative of an attack.
  - 37. The method of claim 36 wherein the header field values comprises destination and source IP address.
  - 38. The method of claim 36 wherein the header field values comprises destination and source ports.
  - 39. The method of claim 34 further comprising filtering packets in the data flow in operable response to a criteria designed for detecting the good packets across said multiple sessions.
  - 40. The method of claim 39 further comprising blocking each said packet in the data flow that fails to be identified as meeting the criteria.
  - 41. The method of claim 25 further including performing a more thorough threat assessment analysis on the extracted packets.

42. A method for network protection, comprising:
- monitoring all packets passing in a data flow at line speed for a presence of information indicative of an attack, comprising;
  
  collecting data concerning a nature of the packets in the data flow across multiple different sessions;
  
  statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  checking header field values in the packets for the presence of header content information indicative of dangerous packet traffic; and
  
  checking non-header character strings and/or expression values within a payload of the packets for the presence of certain payload character strings and payload regular expression values which are indicative of dangerous packet traffic;
  
  blocking those packets associated with the suspected multi-session attack from remaining in the data flow; and
  
  blocking those packets having said information indicative of dangerous packet traffic from entering a protected network.

43. A method of network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  blocking packets associated with the suspected multi-session attack from remaining in the data flow;
  
  performing a packet payload inspection of all remaining packets to identify packets by comparing non-header character strings and/or expression values within each said packet against payload character strings and payload regular expression values;
  
  allowing packets in said data flow to pass on to a protected network based on the identification; and
  
  blocking packets from entering said network based on the identification.

44. A method for network protection, comprising:
- determining whether a multi-session attack exists, comprising;
  
  collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  performing a statistical analysis on the collected data against an algorithmic filter to identify a suspicion of a multi-session attack;
  
  performing stateful pattern matching of the packets passing in the data flow, comprising;
  
  determining whether header field values in passing packets match field values characteristic of suspicious packets; and
  
  determining whether non-header character strings and/or expression values within payloads of said passing packets match character strings and regular expression values characteristic of suspicious packets;
  
  allowing packets not associated with the suspected multi-session attack and which pass pattern matching analysis to pass on to a protected network;
  
  blocking packets associated with the suspected multi-session attack or which fail pattern matching analysis from entry into said protected network.

45. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  performing a statistical analysis on the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  performing a deep packet inspection of packets attempting to enter a protected network, wherein each of the packets includes a header portion and a payload portion, and the deep packet inspection compares non-header character strings and/or expression values within the payload portion against certain strings and/or expressions defining payload content-based threat criteria;
  
  allowing packets which are not associated with a suspected multi-session attack and which pass deep packet inspection to pass on to the protected network; and
  
  blocking packets which either are associated with a suspected multi-session attack or fail deep packet inspection from entry into the protected network.

46. A method for network protection, comprising:
- collecting data concerning a nature of all packets across multiple different sessions which are received in a data flow;
  
  statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  filtering packets against a threat criteria for detecting threatening packets by inspecting packets attempting to enter a protected network, each packet including a header portion and a payload portion, the filtering comprising comparing non-header character strings and/or expression values within the payload portion of all packets against the threat criteria which comprises both payload character strings and payload regular expression values that are characteristic of threatening packets;
  
  allowing non-threatening packets to pass on to a protected network; and
  
  extracting the threatening packets from the data flow;
  
  wherein the threat criteria are tailored in response to the suspected existence of a multi-session attack to make the filtering more sensitive to identifying threatening packets associated with the suspected multi-session attack.

47. A method for network protection, comprising:
- monitoring all packets attempting to enter a protected network at line speed for a presence of information indicative of an attack, comprising;
  
  collecting data concerning a nature of the monitored packets across multiple different sessions;
  
  statistically analyzing the collected data against an algorithmic filter to determine whether a suspicion of a multi-session attack exists;
  
  checking header field values in the monitored packets for the presence of header content information indicative of dangerous packet traffic; and
  
  checking non-header character strings and/or expression values within a payload of the monitored packets for the presence of certain strings and/or expressions defining payload content information indicative of dangerous packet traffic; and
  
  blocking those packets associated with the suspected multi-session attack or having said information indicative of dangerous packet traffic from entering a protected network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
TippingPoint Technologies, Inc. (Open Text Corporation)
Inventors
Smith, Brian, Willebeek-LeMair, Marc, Cox, Dennis, Cantrell, Craig, Kolbly, Donovan, McHale, John
Primary Examiner(s)
BAROT, BHARAT

Application Number

US10/291,095
Publication Number

US 20040093513A1
Time in Patent Office

2,203 Days
Field of Search

709231-232, 709223-226, 709234-235, 370229-231, 370392-394
US Class Current

709/225
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/028   by filtering

H04L 43/0888   Throughput

H04L 43/16   Threshold monitoring

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0442   wherein the sending and rec...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Active network defense system and method

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Active network defense system and method

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links