Intrusion detection strategies for hypertext transport protocol

US 7,496,962 B2
Filed: 09/29/2004
Issued: 02/24/2009
Est. Priority Date: 07/29/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented hypertext transport protocol inspection engine for decoding an obfuscated universal resource identifier in a communication packet transmitted in a packet network, for use with an intrusion detection system, comprising:

a hypertext transport protocol policy selection component configured to identify a Web server hypertext transport protocol intrusion detection policy associated with a packet, responsive to the packet which is uninspected, so as to determine if the packet is moving to or from a Web server, the hypertext transport protocol policy selection component identifying the Web server hypertext transport protocol intrusion detection policy by using an Internet protocol address obtained from the packet parsed by the intrusion detection system as a key to a keyword trie associating Internet protocol addresses with Web server hypertext transport protocol intrusion detection policies;

a request universal resource identifier discovery component configured to locate a universal resource identifier in the packet based on the Web server hypertext transport protocol intrusion detection policy; and

a universal resource identifier normalization module configured to decode an obfuscation within the universal resource identifier after it is located by the request universal resource identifier discovery component.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.

113 Citations

View as Search Results

23 Claims

1. A computer-implemented hypertext transport protocol inspection engine for decoding an obfuscated universal resource identifier in a communication packet transmitted in a packet network, for use with an intrusion detection system, comprising:
- a hypertext transport protocol policy selection component configured to identify a Web server hypertext transport protocol intrusion detection policy associated with a packet, responsive to the packet which is uninspected, so as to determine if the packet is moving to or from a Web server, the hypertext transport protocol policy selection component identifying the Web server hypertext transport protocol intrusion detection policy by using an Internet protocol address obtained from the packet parsed by the intrusion detection system as a key to a keyword trie associating Internet protocol addresses with Web server hypertext transport protocol intrusion detection policies;
  
  a request universal resource identifier discovery component configured to locate a universal resource identifier in the packet based on the Web server hypertext transport protocol intrusion detection policy; and
  
  a universal resource identifier normalization module configured to decode an obfuscation within the universal resource identifier after it is located by the request universal resource identifier discovery component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The hypertext transport protocol inspection engine of claim 1, the Web server hypertext transport protocol intrusion detection policy comprising one or more of universal resource identifier parsing instructions and universal resource identifier decoding instructions.
  - 3. The hypertext transport protocol inspection engine of claim 1, the request universal resource identifier discovery component locating the universal resource identifier within the packet parsed by the intrusion detection system based on a Web server hypertext transport protocol intrusion detection policy identified by the hypertext transport protocol policy selection component.
  - 4. The hypertext transport protocol inspection engine of claim 3, the request universal resource identifier discovery component locating the universal resource identifier within the packet parsed by the intrusion detection system by reading through the hypertext transport protocol application data one time.
  - 5. The hypertext transport protocol inspection engine of claim 4, the reading through the hypertext transport protocol application data one time comprising using a state machine.
  - 6. The hypertext transport protocol inspection engine of claim 1, the obfuscation comprising an encoding of a universal resource locator field recognized by a Web server identified by the hypertext transport protocol policy selection component.
  - 7. The hypertext transport protocol inspection engine of claim 1, the universal resource identifier normalization module decoding the obfuscation within the universal resource identifier located by the request universal resource identifier discovery component by one or more of hex decoding, double percent hex decoding, double nibble hex decoding, first nibble hex decoding, second nibble hex decoding, eight bit unicode transformation format decoding, eight bit unicode transformation format bare byte decoding, Microsoft™
    - %U decoding, and mismatch decoding.
  - 8. The hypertext transport protocol inspection engine of claim 1, the universal resource identifier normalization module decoding the obfuscation within the universal resource identifier located by the request universal resource identifier discovery component by reading through the hypertext transport protocol application data one time.
  - 9. The hypertext transport protocol inspection engine of claim 8, the reading through the hypertext transport protocol application data one time comprising using a state machine.
  - 10. The hypertext transport protocol inspection engine of claim 1, whereinthe request universal resource identifier discovery component is further configured to locate all universal resource identifiers, including the universal resource identifier, within the packet by reading through the entire hypertext transport protocol application data, andthe universal resource identifier normalization module is further configured to decode obfuscations within all of the universal resource identifiers located by the request universal resource identifier discovery component.

11. A method for detecting a hypertext transport protocol evasion on a network using an intrusion detection system, comprising:
- intercepting a packet transmitted on the network;
  
  parsing the packet;
  
  identifying an Internet protocol address of the packet;
  
  determining a Web server hypertext transport protocol intrusion detection policy for a network device located at the Internet protocol address, so as to determine if the packet is moving to or from a Web server, wherein determining a Web server hypertext transport protocol intrusion detection policy for a network device comprises using the Internet protocol address as a key to a keyword trie associating Internet protocol addresses with Web server hypertext transport protocol intrusion detection policies;
  
  locating at least one universal resource identifier within the packet based on the Web server hypertext transport protocol intrusion detection policy;
  
  comparing at least one pattern from a rule of the intrusion detection system to the at least one universal resource identifier which was located, to determine if there is a match between the at least one pattern from the rule of the intrusion detection system to the at least one universal resource identifier;
  
  identifying the match as the hypertext transport protocol evasion;
  
  decoding, after the locating, an obfuscation within the at least one universal resource identifier based on the Web server hypertext transport protocol intrusion detection policy;
  
  comparing, after the decoding, the at least one pattern from the rule of the intrusion detection system to the obfuscation which was decoded; and
  
  identifying, after the decoding, a match between the at least one pattern from the rule of the intrusion detection system and the obfuscation which was decoded as the hypertext transport protocol evasion.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 12. The method of claim 11, the packet comprising one of an unassembled packet and a reassembled packet.
  - 13. The method of claim 11, the network device comprising one of a Web client and a Web server.
  - 14. The method of claim 11, the Web server hypertext transport protocol intrusion detection policy comprising one or more of universal resource identifier parsing instructions and universal resource identifier decoding instructions.
  - 15. The method of claim 11, further comprising decoding at least one universal resource identifier from the packet by reading through the hypertext transport protocol application data one time.
  - 16. The method of claim 15, the reading through the hypertext transport protocol application data one time comprising using a state machine.
  - 17. The method of claim 11, the obfuscation comprising an encoding of a universal resource locator field recognized by a Web server of the network device.
  - 18. The method of claim 11, the decoding an obfuscation within the at least one universal resource identifier based on the Web server hypertext transport protocol intrusion detection policy comprising one or more of hex decoding, double percent hex decoding, double nibble hex decoding, first nibble hex decoding, second nibble hex decoding, eight bit Unicode transformation format decoding, eight bit Unicode transformation format bare byte decoding, Microsoft™
    - %U decoding, and mismatch decoding.
  - 19. The method of claim 11, the decoding an obfuscation within the at least one universal resource identifier based on the Web server hypertext transport protocol intrusion detection policy comprising reading through the hypertext transport protocol application data one time.
  - 20. The method of claim 19, the reading through the hypertext transport protocol application data one time comprising using a state machine.
  - 21. The method of claim 11, further comprising:
    - identifying one or more additional universal resource identifiers embedded in the packet;
      
      comparing at least one pattern from a rule of the intrusion detection system to the one or more additional universal resource identifiers; and
      
      identifying one or more matches between the at least one pattern from a rule of the intrusion detection system and the one or more additional universal resources identifiers as one or more hypertext transport protocol evasions.
  - 22. The method of claim 11, further comprising recording the match.

23. An intrusion detection system, comprising:
- a packet acquisition system that intercepts a packet transmitted across a network and parses the packet;
  
  a network protocol reassembly module that parses network protocols from the packet;
  
  a transport protocol reassembly module that parses transport protocols from the packet;
  
  a hypertext transport protocol inspection engine that parses hypertext transport protocol from the packet, determines a Web server hypertext transport protocol intrusion detection policy for the packet so as to determine if the packet is moving to or from a Web server, wherein determining a Web server hypertext transport protocol intrusion detection policy comprises using the Internet protocol address as a key to a keyword trie associating Internet protocol addresses with Web server hypertext transport protocol intrusion detection policies, locates at least one universal resource identifier from the packet based on the Web server hypertext transport protocol intrusion detection policy, and decodes an obfuscation within the at least one universal resource identifier based on the Web server hypertext transport protocol intrusion detection policy after the universal resource identifier is located;
  
  a detection engine that receives hypertext transport protocol inspected packet information from the hypertext transport protocol inspection engine and inspects the hypertext transport protocol inspected packet information for intrusions; and
  
  a logging system that receives and stores information about the intrusions from the detection engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Roelker, Daniel J., Norton, Marc A.
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
Abyaneh; Ali S

Application Number

US10/951,796
Publication Number

US 20080276316A1
Time in Patent Office

1,609 Days
Field of Search

726/23, 709/223
US Class Current

726/23
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1408 by monitoring network traff...

Intrusion detection strategies for hypertext transport protocol

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Intrusion detection strategies for hypertext transport protocol

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others