Intrusion prevention for active networked applications

US 7,587,759 B1
Filed: 02/04/2002
Issued: 09/08/2009
Est. Priority Date: 02/04/2002
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

determining an active networked application;

filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;

evaluating network traffic using the subset of intrusion rules;

detecting when no networked application is active; and

suspending the evaluating of network traffic until a networked application is active;

wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion prevention for a computer is based on intrusion rules corresponding to active networked applications executing on the computer. The intrusion rules are a subset of a full ruleset that may include signatures of known attacks or heuristic rules. The subset changes as network connections for active applications are initiated and terminated, or as the active applications terminate.

Citations

47 Claims

1. A computerized method comprising:
- determining an active networked application;
  
  filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
  
  evaluating network traffic using the subset of intrusion rules;
  
  detecting when no networked application is active; and
  
  suspending the evaluating of network traffic until a networked application is active;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computerized method of claim 1 further comprising:
    - detecting when the active networked application becomes inactive; and
      
      re-filtering the set of intrusion rules.
  - 3. The computerized method of claim 2, wherein the detecting when the active networked application becomes inactive comprises:
    - monitoring network connection terminations.
  - 4. The computerized method of claim 2, wherein the detecting when the active networked application becomes inactive comprises:
    - monitoring application terminations.
  - 5. The computerized method of claim 1, wherein the determining comprises:
    - detecting when a network connection for an active application is initiated.
  - 6. The computerized method of claim 1, wherein the filtering comprises:
    - marking an intrusion rule corresponding to the active networked application.
  - 7. The computerized method of claim 1, wherein the filtering comprises:
    - extracting the subset of rules into an optimized set of rules.
  - 8. The computerized method of claim 1, wherein the evaluating comprises:
    - analyzing network traffic on a port specified in the subset of rules.
  - 9. The computerized method of claim 1, wherein the evaluating comprises:
    - analyzing network traffic for a protocol specified in the subset of rules.
  - 10. The computerized method of claim 1, wherein the evaluating comprises:
    - discarding network traffic that satisfies at least one of the subset of rules; and
      
      reporting an intrusion attempt.
  - 11. The computerized method of claim 1, wherein the set of intrusion rules comprises signatures of known attacks.
  - 12. The computerized method of claim 1, wherein the set of intrusion rules comprises heuristic rules.
  - 13. The computerized method of claim 1, wherein the intrusion rules include information selected from the group consisting of a targeted active networked application, a specific hostile payload, a network port, and a protocol.
  - 14. The computerized method of claim 1, wherein the intrusion rules include an attack signature.
  - 15. The computerized method of claim 1, wherein at least one of the intrusion rules is a heuristic rule.
  - 16. The computerized method of claim 15, wherein the heuristic rule includes information associated with an active networked application making a new connection never previously made.

17. A computerized method comprising:
- determining an active networked application;
  
  filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
  
  evaluating network traffic using the subset of intrusion rules; and
  
  continuing the evaluating of network traffic if no networked application is active;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the subset of rules further corresponds to an operating system.

18. A computer-readable medium having executable instructions to cause a computer to perform a method comprising:
- determining an active networked application;
  
  filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
  
  evaluating network traffic using the subset of intrusion rules;
  
  detecting when no networked application is active; and
  
  suspending the evaluating of network traffic until a network application is active;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The computer-readable medium of claim 18, wherein the method further comprises:
    - detecting when the active networked application becomes inactive; and
      
      re-filtering the set of intrusion rules.
  - 20. The computer-readable medium of claim 19, wherein the detecting when the active networked application becomes inactive comprises:
    - monitoring network connection terminations.
  - 21. The computer-readable medium of claim 19, wherein the detecting when the active networked application becomes inactive comprises:
    - monitoring application terminations.
  - 22. The computer-readable medium of claim 18, wherein the determining comprises:
    - detecting when an active application initiates a network connection.
  - 23. The computer-readable medium of claim 18, wherein the filtering comprises:
    - marking an intrusion rule corresponding to the active networked application.
  - 24. The computer-readable medium of claim 18, wherein the filtering comprises:
    - extracting the subset of rules into an optimized set of rules.
  - 25. The computer-readable medium of claim 18, wherein the evaluating comprises:
    - analyzing network traffic on a port specified in the subset of rules.
  - 26. The computer-readable medium of claim 18, wherein the evaluating comprises:
    - analyzing network traffic for a protocol specified in the subset of rules.
  - 27. The computer-readable medium of claim 18, wherein the evaluating comprises:
    - discarding network traffic that satisfies at least one of the subset of rules; and
      
      reporting an intrusion attempt.
  - 28. The computer-readable medium of claim 18, wherein the set of intrusion rules comprises signatures of known attacks.
  - 29. The computer-readable medium of claim 18, wherein the set of intrusion rules comprises heuristic rules.

30. A computer-readable medium having executable instructions to cause a computer to perform a method comprising:
- determining an active networked application;
  
  filtering a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application;
  
  evaluating network traffic using the subset of intrusion rules; and
  
  continuing the evaluating of network traffic if no networked application is active;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the subset of rules further corresponds to an operating system.

31. A system comprising:
- a processor coupled to a memory through a bus; and
  
  an intrusion prevention process executed from the memory by the processor to cause the processor to determine an active networked application, to filter a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application, and to evaluate network traffic using the subset of intrusion rules;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the intrusion prevention process further causes the processor to detect when no networked application is active, and to suspend the evaluating of network traffic until a network application is active.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 32. The system of claim 31, wherein the intrusion prevention process further causes the processor to detect when the active networked application becomes inactive, and to re-filter the set of intrusion rules.
  - 33. The system of claim 32, wherein the intrusion prevention process further causes the processor to monitor network connection terminations in detecting when the active networked application becomes inactive.
  - 34. The system of claim 32, wherein the intrusion prevention process further causes the processor to monitor application terminations in detecting when the active networked application becomes inactive.
  - 35. The system of claim 31, wherein the intrusion prevention process further causes the processor to detect when an active application initiates a network connection in determining an active networked application.
  - 36. The system of claim 31, wherein the intrusion prevention process further causes the processor to mark an intrusion rule corresponding to the active networked application in filtering the set of intrusion rules.
  - 37. The system of claim 31, wherein the intrusion prevention process further causes the processor to extract the subset of rules into an optimized set of rules in filtering the set of intrusion rules.
  - 38. The system of claim 31, wherein the intrusion prevention process further causes the processor to analyze network traffic on a port specified in the subset of rules in the evaluating of the network traffic.
  - 39. The system of claim 31, wherein the intrusion prevention process further causes the processor to analyze network traffic for a protocol specified in the subset of rules in the evaluating of the network traffic.
  - 40. The system of claim 31, wherein the intrusion prevention process further causes the processor to discard network traffic that satisfies at least one of the subset of rules, and to report an intrusion attempt in the evaluating of the network traffic.
  - 41. The system of claim 31, wherein the set of intrusion rules comprises signatures of known attacks.
  - 42. The system of claim 31, wherein the set of intrusion rules comprises heuristic rules.

43. A system comprising:
- a processor coupled to a memory through a bus; and
  
  an intrusion prevention process executed from the memory by the processor to cause the processor to determine an active networked application, to filter a set of intrusion rules to create a subset of intrusion rules corresponding to the active networked application, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application, and to evaluate network traffic using the subset of intrusion rules;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the intrusion prevention process further causes the processor to further filter the intrusion rules based on an operating system and to continue the evaluating of network traffic if no networked application is active.

44. An apparatus comprising:
- means for determining when an active application becomes an active networked application;
  
  means for filtering coupled to the means for determining to create a subset of intrusion rules corresponding to the active networked application from a set of intrusion rules, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application; and
  
  means for evaluating coupled to the means for filtering to evaluate network traffic using the subset of intrusion rules;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the means for determining, further detects when no networked application is active and the means for evaluating further suspends the evaluation of network traffic until the means for determining determines a networked application is active.
- View Dependent Claims (45, 46)
- - 45. The apparatus of claim 44, wherein the means for determining further detects when the active networked application becomes inactive and the means for filtering further re-filters the set of intrusion rules when the active networked application becomes inactive.
  - 46. The apparatus of claim 44, wherein the means for evaluating comprises:
    - means for discarding network traffic that satisfies at least one of the subset of rules; and
      
      means for reporting an intrusion attempt.

47. An apparatus comprisingmeans for determining when an active application becomes an active networked application;
- means for filtering coupled to the means for determining to create a subset of intrusion rules corresponding to the active networked application from a set of intrusion rules, where the subset of the intrusion rules corresponding to the active networked application are capable of being used for evaluating intrusions that target the corresponding active networked application; and
  
  means for evaluating coupled to the means for filtering to evaluate network traffic using the subset of intrusion rules;
  
  wherein the subset of the intrusion rules corresponding to the active networked application are used for the evaluation for reducing a required amount of processing resources;
  
  wherein the means for filtering further filters the intrusion rules corresponding to an operating system and the means for evaluating continues the evaluation of network traffic when the means for determining determines no networked application is active.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McArdle, Mark J., Johnston, Brent A.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US10/068,280
Time in Patent Office

2,773 Days
Field of Search

713151-154, 713200-201, 713/194, 709/318, 709/200, 709/202, 709/201, 709/217, 709221-225, 709/229, 711/216, 382/124, 726 1- 6, 726 13- 14, 726 22- 27, 726/18
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Intrusion prevention for active networked applications

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion prevention for active networked applications

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links