Method and apparatus for capturing and filtering datagrams for network security monitoring

US 7,467,408 B1
Filed: 09/09/2002
Issued: 12/16/2008
Est. Priority Date: 09/09/2002
Status: Active Grant

First Claim

Patent Images

1. A method for network security monitoring in a computer network, comprising the steps of:

providing a default path in the computer network for suspect datagrams, the computer network configured as a Local Area Network (LAN);

capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by clients within the computer network the suspect datagrams having destination addresses that do not match any of the destination addresses located in routing tables of network routers within the LAN;

filtering said captured suspect datagrams and transmitting said filtered datagrams to a network monitor wherein filtering said captured suspect datagrams comprises limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;

wherein said providing step further comprises advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, anddisabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for security monitoring in a computer network has a packet sink with filtering and data analysis capabilities. The packet sink is a default destination for data packets having an address unrecognized by the network routers. At the packet sink, the packets are filtered and statistical summaries about the data traffic are created. The packet sink then forwards the data to a monitor, the information content depending on the level of traffic in the network.

Citations

17 Claims

1. A method for network security monitoring in a computer network, comprising the steps of:
- providing a default path in the computer network for suspect datagrams, the computer network configured as a Local Area Network (LAN);
  
  capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by clients within the computer network the suspect datagrams having destination addresses that do not match any of the destination addresses located in routing tables of network routers within the LAN;
  
  filtering said captured suspect datagrams and transmitting said filtered datagrams to a network monitor wherein filtering said captured suspect datagrams comprises limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
  
  wherein said providing step further comprises advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, anddisabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein said filtering step further comprises filtering based on Layer 4 header information.
  - 3. The method of claim 1 wherein said step of transmitting includes the step of:
    - sending said filtered datagrams through a tunnel to said network monitor to increase a likelihood of reception of said filtered packets by said network monitor.
  - 4. The method of claim 1 further comprising the steps of:
    - creating statistical summaries about said datagrams transmitted on said default path; and
      
      forwarding said statistical summaries to the network monitor.
  - 5. The method of claim 1 wherein said method executes inside a network router and wherein said providing step further comprises the step of establishing a default destination in a routing table.
  - 6. The method of claim 5, wherein said transmitting step further comprises the step of establishing a Generic Routing Encapsulation tunnel through which to transmit said filtered datagrams.
  - 7. The method of claim 5, wherein said network monitor is a Web cache, and wherein said providing step further comprises the step of providing data traffic redirection using Web Cache Communication Protocol;
    - and wherein said transmitting step further comprises establishing a Generic Routing Encapsulation tunnel through which suspect datagrams are redirected to the Web cache.
  - 8. The method of claim 1 further comprising the step of maintaining state data of active connections.
  - 9. The method of claim 1, wherein advertising a low-cost network perimeter route to the network router comprises advertising a low-cost network perimeter route of a Local Area Network (LAN) to the network router such that said router enters said low-cost network perimeter route into the routing table as said default path, the low-cost perimeter route configured as a network edge of the LAN.
  - 10. The method of claim 1, wherein capturing suspect datagrams transmitted on said default path comprises capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by a virus-infected client within the LAN.
  - 11. The method of claim 1, wherein:
    - identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor comprises analyzing the filtered datagrams to detect a breach of security of the LAN; and
      
      disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN comprises in response to detecting a breach of security of the LAN, disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
  - 12. The method of claim 11, wherein transmitting said filtered datagrams to a network monitor comprises forwarding a first subset of the filtered datagrams to the network monitor when the computer network has a first traffic load and forwarding a second subset of the filtered datagrams to the network monitor when the computer network has a second traffic load, the first subset of the filtered datagrams being larger than the second subset of the filtered datagrams and the first traffic load being smaller than the second traffic load.

13. A network security system, comprising:
- means for providing a default path in a Local Area Network (LAN) for suspect datagrams, the suspect datagrams generated within the LAN;
  
  means for capturing datagrams transmitted on said default path within the LAN;
  
  means for filtering said captured datagrams and means for transmitting said filtered datagrams to a network monitor wherein means for filtering said captured suspect datagrams comprises means for limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
  
  wherein said means for providing further comprises means for advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,wherein the network monitor comprises means for identifying a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, andmeans for disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
- View Dependent Claims (14, 15, 16)
- - 14. The network security system of claim 13 wherein said means for transmitting further comprises means for sending said filtered datagrams through a tunnel to said network monitor to increase a likelihood of reception of said filtered packets by said network monitor.
  - 15. The network security system of claim 13, further comprising:
    - means for creating statistical summaries about said datagrams transmitted on said default path; and
      
      means for forwarding said statistical summaries to the network monitor.
  - 16. The network security system of claim 13 wherein the network security system is implemented in a router and wherein said providing step further comprises means for establishing a default destination in a routing table.

17. A computer program product having a computer-readable medium including computer program logic encoded thereon that, when performed on a computer system directs the computer system to perform the method of:
- providing a default path in a network for suspect datagrams, the computer network configured as a Local Area Network (LAN);
  
  capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by clients within the computer network, the suspect datagrams having destination addresses that do not match any of the destination addresses located in routing tables of network routers within the LAN;
  
  filtering said captured datagrams and transmitting said filtered datagrams to a network monitor wherein filtering said captured suspect datagrams comprises limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
  
  wherein providing further comprises advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, anddisabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
O'Toole, James W. Jr.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Henning; Matthew T

Application Number

US10/237,519
Time in Patent Office

2,290 Days
Field of Search

726/13, 726 22- 24
US Class Current

726/22
CPC Class Codes

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/164   at the network layer

Method and apparatus for capturing and filtering datagrams for network security monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for capturing and filtering datagrams for network security monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links