Method and an apparatus to perform multiple packet payloads analysis

US 7,600,257 B2
Filed: 10/13/2004
Issued: 10/06/2009
Est. Priority Date: 10/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network interface of a data security system, a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern;

determining, by a processor of the data security system, whether each of the plurality of data packets is out of order; and

making and storing a local copy of the corresponding data packet in a storage device of the data security system if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received;

the processor performing pattern matching on the corresponding data packet against at least a portion of an attack pattern comprising a plurality of predetermined patterns if all preceding packets of the corresponding data packet, if any, have been received;

the processor pointing a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the plurality of predetermined patterns, the DFA representing one of the plurality of predetermined patterns that is currently being matched, and the plurality of DFAs being arranged in a tree structure; and

the processor pointing a second pointer at a node of the tree structure, the node corresponding to the one of the plurality of predetermined patterns that is currently being matched, and the node comprising the DFA.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described.

Citations

43 Claims

1. A method comprising:
- receiving, by a network interface of a data security system, a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern;
  
  determining, by a processor of the data security system, whether each of the plurality of data packets is out of order; and
  
  making and storing a local copy of the corresponding data packet in a storage device of the data security system if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received;
  
  the processor performing pattern matching on the corresponding data packet against at least a portion of an attack pattern comprising a plurality of predetermined patterns if all preceding packets of the corresponding data packet, if any, have been received;
  
  the processor pointing a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the plurality of predetermined patterns, the DFA representing one of the plurality of predetermined patterns that is currently being matched, and the plurality of DFAs being arranged in a tree structure; and
  
  the processor pointing a second pointer at a node of the tree structure, the node corresponding to the one of the plurality of predetermined patterns that is currently being matched, and the node comprising the DFA.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - the processor passing the corresponding data packet if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received after making and storing the local copy of the corresponding data packet.
  - 3. The method of claim 1, wherein the pattern matching is performed in a plurality of states, each of the plurality of states corresponds to one of a plurality of segments of the one of the predetermined patterns.
  - 4. The method of claim 3, wherein the processor performing the pattern matching comprises:
    - the processor storing a current state of the pattern matching in the storage device of the data security system after performing the pattern matching on the corresponding data packet.
  - 5. The method of claim 4, further comprising:
    - the processor looking up the stored state when a next data packet is received; and
      
      the processor performing pattern matching on the next data packet from the stored state.
  - 6. The method of claim 1, further comprising:
    - the processor passing the corresponding data packet if the one or more data packets compared so far do not contain the attack pattern; and
      
      the processor blocking the corresponding data packet if the one or more data packets compared so far contain the attack pattern.
  - 7. The method of claim 6, further comprising:
    - the processor determining whether there is any in-order data packets stored locally; and
      
      if there is one or more locally stored in-order data packets, the processor performing pattern matching on the one or more locally stored in-order data packets against at least a portion of the attack pattern.
  - 8. The method of claim 6, further comprising:
    - the processor issuing an alarm to alert an administrator if the one or more data packets compared so far contain the attack pattern.
  - 9. The method of claim 1, wherein determining whether the corresponding data packet is out of order comprises the processor checking a sequence number in the corresponding data packet.
  - 10. The method of claim 1, wherein the plurality of packets are received from a network and are destined to one or more client applications running on one or more protected client machines.
  - 11. The method of claim 1, wherein the plurality of packets are received from a client application running on a client machine within an intranet and the plurality of packets are destined to a network external to the intranet.

12. A computer-readable storage medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern;
  
  determining whether each of the plurality of data packets is out of order; and
  
  making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received;
  
  performing pattern matching on the corresponding data packet against at least a portion of an attack pattern comprising a plurality of predetermined patterns if all preceding packets of the corresponding data packet, if any, have been received;
  
  pointing a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the plurality of predetermined patterns, the DFA representing one of the plurality of predetermined patterns that is currently being matched, and the plurality of DFAs being arranged in a tree structure; and
  
  pointing a second pointer at a node of the tree structure, the node corresponding to the one of the plurality of predetermined patterns that is currently being matched, and the node comprising the DFA.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-readable storage medium of claim 12, wherein the operations further comprise:
    - passing the corresponding data packet if the corresponding data packet is out of order and at least one preceding packet of the corresponding data packet is not yet received after making and storing the local copy of the corresponding data packet.
  - 14. The computer-readable storage medium of claim 12, wherein the pattern matching is performed in a plurality of states, each of the plurality of states corresponds to one of a plurality of segments of the one of the predetermined patterns.
  - 15. The computer-readable storage medium of claim 12, wherein performing the pattern matching comprises:
    - storing a current state of the pattern matching after performing the pattern matching on the corresponding data packet.
  - 16. The computer-readable storage medium of claim 15, wherein the operations further comprise:
    - looking up the stored state when a next data packet is received; and
      
      performing pattern matching on the next data packet from the stored state.
  - 17. The computer-readable storage medium of claim 12, wherein the operations further comprise:
    - passing the corresponding data packet if the one or more data packets compared so far do not contain the attack pattern; and
      
      blocking the corresponding data packet if the one or more data packets compared so far contain the attack pattern.
  - 18. The computer-readable storage medium of claim 17, wherein the operations further comprise:
    - issuing an alarm to alert an administrator if the one or more data packets compared so far contain the attack pattern.
  - 19. The computer-readable storage medium of claim 17, wherein the operations further comprise:
    - determining whether there is any in-order data packets stored locally; and
      
      if there is one or more locally stored in-order data packets, performing pattern matching on the one or more locally stored in-order data packets against at least a portion of the predetermined data packet.
  - 20. The computer-readable storage medium of claim 12, wherein determining whether the corresponding data packet is out of order comprises checking a sequence number in the corresponding data packet.
  - 21. The computer-readable storage medium of claim 12, wherein the plurality of packets are received from a network and are destined to one or more client applications running on one or more protected client machines.
  - 22. The computer-readable storage medium of claim 12, wherein the plurality of packets are received from a client application running on a client machine within an intranet and the plurality of packets are destined to a network external to the intranet.

23. An apparatus comprising:
- an interface to receive data packets;
  
  a first storage device to store a tree structure representing an attack pattern comprising one or more predetermined patterns, the tree structure comprising one or more nodes, each of the one or more nodes representing each of the one or more predetermined patterns; and
  
  a processor to perform pattern matching on the data packets on a packet-by-packet basis without reassembling the data packets in order to scan for the attack pattern, to point a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the one or more predetermined patterns, the DFA representing a predetermined pattern of the attack pattern that is currently being matched, and to point a second pointer at a node of the tree structure corresponding to the predetermined pattern that is currently being matched, the node comprising the DFA.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The apparatus of claim 23, further comprising a buffer to temporarily store a copy of out-of-order data packets.
  - 25. The apparatus of claim 23, wherein the processor is operable to perform the pattern matching on the received data packets against the attack pattern using the DFA.
  - 26. The apparatus of claim 25, further comprising a second storage device to store a current state of the DFA such that the pattern matching is performed on a next data packet from the stored state if the next data packet is in order.
  - 27. The apparatus of claim 26, wherein the second storage device comprises a logical pointer.
  - 28. The apparatus of claim 23, wherein the data packets are received from a network and are destined to one or more client applications running on one or more protected client machines.
  - 29. The apparatus of claim 23, wherein the data packets are received from a client application running on a client machine within an intranet and are destined to a network external to the intranet.
  - 30. The apparatus of claim 23, wherein the processor is further operable to issue an alarm to alert an administrator if the attack pattern is detected.

31. A system comprising:
- at least one client application;
  
  a network; and
  
  an intrusion detection/prevention system (IPS) communicably coupled between the at least one client application and the network, the IPS comprising;
  
  an interface to receive data packets;
  
  a first storage device to store a tree structure representing an attack pattern comprising one or more predetermined patterns, the tree structure comprising one or more nodes, each of the one or more nodes representing each of the one or more predetermined patterns; and
  
  a processor to perform pattern matching on the data packets on a packet-by-packet basis without reassembling the data packets in order to scan for the attack pattern, to point a first pointer at a Deterministic Finite Automaton (DFA) of a plurality of DFAs representing the attack pattern such that each one of the plurality of DFAs represents a distinct one of the one or more predetermined patterns, the DFA representing a predetermined pattern of the attack pattern that is currently being matched, and to point a second pointer at a node of the tree structure corresponding to the predetermined pattern that is currently being matched, the node comprising the DFA.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 32. The system of claim 31, wherein the IPS further comprises a buffer to temporarily store a copy of out-of-order data packets.
  - 33. The system of claim 31, wherein the processor is operable to perform the pattern matching on the received data packets against the attack pattern using the DFA.
  - 34. The system of claim 33, wherein the IPS further comprises a second storage device to store a current state of the DFA such that the pattern matching is performed on a next data packet from the stored state if the next data packet is in order.
  - 35. The system of claim 34, wherein the second storage device comprises a logical pointer.
  - 36. The system of claim 31, further comprising a client machine, wherein the IPS is operable to run on the client machine.
  - 37. The system of claim 31, further comprising a router, wherein the IPS is operable to run on the router.
  - 38. The system of claim 31, further comprising a server, wherein the LIPS is operable to run on the server.
  - 39. The system of claim 31, wherein the data packets are received from the network and are destined to the at least one client application.
  - 40. The system of claim 31, wherein the data packets are received from the at least one client application and are destined to the network.
  - 41. The system of claim 31, wherein the processor is further operable to issue an alarm to alert an administrator if the attack pattern is detected.

42. A method comprising:
- responsive to receiving each packet of a sequence of packets that may be received out of sequence order, a data security system performing the following;
  
  if there are one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then a processor in the data security system buffering the current packet in a storage device in the data security system and sending the current packet on; and
  
  if there are not one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then the processor performing the following,the processor performing pattern matching using a plurality of Deterministic Finite Automata (DFAs) representing an attack pattern on any of the packets that precede the current packet in the sequence of packets that have been buffered and not yet processed for pattern matching and on the current packet, the attack pattern comprising a plurality of predetermined patterns, each of the plurality of predetermined patterns corresponding to a distinct one of the plurality of DFAs;
  
  the processor pointing a first pointer at a DFA representing a predetermined pattern that is currently being matched;
  
  the processor pointing a second pointer at a node of a tree structure representing the attack pattern, the node of the tree structure corresponding to the predetermined pattern that is currently being matched, and the node comprising the DFA;
  
  if there is an attack pattern match, the processor blocking the current packet; and
  
  if there is not an attack pattern match, the processor sending on the current packet.

43. A computer-readable storage medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- responsive to receiving each packet of a sequence of packets that may be received out of sequence order, performing the following;
  
  if there are one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then buffering the current packet and sending the current packet on; and
  
  if there are not one or more of the packets that precede the current packet in the sequence of packets that have not yet been received, then performing the following,performing pattern matching using a plurality of Deterministic Finite Automata (DFAs) representing an attack pattern on any of the packets that precede the current packet in the sequence of packets that have been buffered and not yet processed for pattern matching and on the current packet, the attack pattern comprising a plurality of predetermined patterns, each of the plurality of predetermined patterns corresponding to a distinct one of the plurality of DFAs;
  
  pointing a first pointer at a DFA representing a predetermined pattern that is currently being matched;
  
  pointing a second pointer at a node of a tree structure representing the attack pattern, the node of the tree structure corresponding to the predetermined pattern that is currently being matched, and the node comprising the DFA;
  
  if there is an attack pattern match, blocking the current packet; and
  
  if there is not an attack pattern match, sending on the current packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
More, Scott Aaron, Yanovsky, Boris, Yanovsky, Roman, Dubrovsky, Aleksandr
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
McNally; Michael S

Application Number

US10/964,871
Publication Number

US 20060077979A1
Time in Patent Office

1,819 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

H04L 47/34   ensuring sequence integrity...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 69/22   Parsing or analysis of headers

Method and an apparatus to perform multiple packet payloads analysis

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Method and an apparatus to perform multiple packet payloads analysis

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links