Device, system and method for analysis of segments in a transmission control protocol (TCP) session
First Claim
1. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
(A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission and determining a kind of host of a destination of the segments in response to receiving the segments; and
(B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy selected from plural different processor-resident segment reassembly policies corresponding to different kinds of hosts based on the determined kind of host of the destination of the segments, the segment reassembly policy indicating an order specific to comprehensively overlapped segments, when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped, the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
3 Assignments
0 Petitions
Abstract
A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
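The point of the abstract and of claim 1 is that two hosts can turn the same sequence of TCP segments into different byte streams, so an IDS/IPS must reassemble the way the destination host does, not the way a single fixed rule says. The following is an added example written for this page, not code from the patent or from any product that practises it. It models the "kind of host" as hypothetical labels (stack-A, stack-B, stack-C), the per-host policy as two hypothetical knobs (whether later bytes win an overlap, and whether the urgent byte is delivered out of band), simplifies the urgent pointer to an offset within the segment payload, and uses constructed sample segments. The same block also covers the URG case of claims 23 and 24.

```python
"""Target-based TCP reassembly: added example, not code from the patent or any
product. Host kinds, policy knobs and sample segments are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Segment:
    """Payload of one TCP segment with a relative sequence number."""
    seq: int             # sequence number of the first payload byte (relative)
    data: bytes
    urg: bool = False    # URG bit set in the TCP flags field
    urg_ptr: int = 0     # simplified (assumption): offset in `data` of the urgent
                         # byte; the real pointer is sequence-space and even its
                         # off-by-one interpretation differs between stacks


@dataclass(frozen=True)
class ReassemblyPolicy:
    """Hypothetical knobs capturing how a kind of host resolves ambiguity."""
    name: str
    favor_new: bool            # in an overlap, later-arriving bytes replace earlier ones
    urgent_out_of_band: bool   # the urgent byte is not delivered in the in-band stream


# Constructed mapping from "kind of host" to policy; a real engine would fill
# this from stack fingerprinting or configuration rather than hard-coding it.
HOST_POLICIES: Dict[str, ReassemblyPolicy] = {
    "stack-A": ReassemblyPolicy("stack-A", favor_new=False, urgent_out_of_band=False),
    "stack-B": ReassemblyPolicy("stack-B", favor_new=True, urgent_out_of_band=False),
    "stack-C": ReassemblyPolicy("stack-C", favor_new=False, urgent_out_of_band=True),
}


def reassemble(segments: List[Segment], policy: ReassemblyPolicy) -> bytes:
    """Return the contiguous in-band byte stream a host following `policy` would
    hand to its application, given segments in arrival order. Stops at the first
    hole (missing sequence number)."""
    stream: Dict[int, int] = {}   # sequence number -> byte value
    oob: Set[int] = set()         # sequence numbers consumed as out-of-band data
    for seg in segments:
        for off, byte in enumerate(seg.data):
            s = seg.seq + off
            if s in stream and not policy.favor_new:
                continue          # keep the byte that arrived first
            stream[s] = byte
            oob.discard(s)        # an overwrite replaces any earlier OOB marking
            if seg.urg and policy.urgent_out_of_band and off == seg.urg_ptr:
                oob.add(s)
    if not stream:
        return b""
    out = bytearray()
    s = min(stream)
    while s in stream:
        if s not in oob:
            out.append(stream[s])
        s += 1
    return bytes(out)


def reassemble_for_host(segments: List[Segment], host_kind: str) -> bytes:
    """Select the policy for the destination's kind of host, then reassemble."""
    try:
        policy = HOST_POLICIES[host_kind]
    except KeyError:
        raise ValueError(f"no reassembly policy for host kind {host_kind!r}") from None
    return reassemble(segments, policy)


def distinct_views(segments: List[Segment]) -> Dict[str, bytes]:
    """Stream each kind of host would see; more than one distinct value means a
    single-policy IDS is guaranteed to be wrong for some destinations."""
    return {kind: reassemble(segments, pol) for kind, pol in HOST_POLICIES.items()}


# Constructed sample: a completely overlapping retransmission of bytes 5..14
# carries different content from the copy that arrived first.
SEGMENTS = [
    Segment(seq=0, data=b"GET /"),
    Segment(seq=5, data=b"index.html"),
    Segment(seq=5, data=b"admin.cgi?"),          # same span, different bytes
    Segment(seq=15, data=b" HTTP/1.0\r\n"),      # not overlapped: identical in every policy
]

# Constructed sample for the URG case: one urgent byte inside a command.
URG_SEGMENTS = [Segment(seq=0, data=b"SITE\xffEXEC", urg=True, urg_ptr=4)]


if __name__ == "__main__":
    for kind, view in distinct_views(SEGMENTS).items():
        print(f"{kind}: {view!r}")
    for kind in HOST_POLICIES:
        print(f"{kind} (URG): {reassemble_for_host(URG_SEGMENTS, kind)!r}")
```

Running it shows stack-A and stack-C seeing a request for index.html while stack-B sees admin.cgi?, and stack-C alone seeing SITEEXEC once the urgent byte is taken out of band. The bytes outside the overlap are the same under every policy, which is the distinction the claims draw between overlapped and non-overlapped data. An IDS that picks one policy for everyone inspects the wrong stream for every destination whose stack behaves like one of the others; selecting the policy per destination kind is what removes that blind spot.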
24 Claims
1. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
(A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission and determining a kind of host of a destination of the segments in response to receiving the segments; and
(B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy selected from plural different processor-resident segment reassembly policies corresponding to different kinds of hosts based on the determined kind of host of the destination of the segments, the segment reassembly policy indicating an order specific to comprehensively overlapped segments, when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped, the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable non-transitory medium comprising instructions for execution by a computer, the instructions including a computer-implemented method for analyzing segments in a transmission in a communication network, a transmission including a plurality of segments in the same transmission control protocol (TCP) session and associated with the same destination, where segments can be one of non-overlapped, partially overlapped, and completely overlapped, the instructions for implementing:
(A) determining a kind of host of a destination of segments in a transmission in response to receiving the segments, and identifying at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the determined kind of host of the destination; and
(B) providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, the at least one segment reassembly policy indicating an order specific to comprehensively overlapped segments, when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped, the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer system for at least one of detecting and preventing intrusion, comprising:
(A) a unit configured by a computer to facilitate determining a kind of host of a destination of segments in a transmission, in response to receiving the segments in a transmission control protocol (TCP) session;
(B) a segment reassembly unit configured to facilitate selecting at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the kind of host associated with the segments in the transmission; and
(C) an order providing unit configured to facilitate providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, the segment reassembly policy indicating an order specific to comprehensively overlapped segments, when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped, the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
Dependent claims: 16, 17, 18, 19, 20, 21, 22.
23. A computer system for at least one of detecting and preventing intrusion, comprising:
(A) a unit configured by a computer to facilitate determining a kind of host of a destination of segments in a transmission, in response to receiving the segments in a transmission control protocol (TCP) session;
(B) a segment reassembly unit configured to facilitate selecting at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the kind of host associated with the segments in the transmission; and
(C) an order providing unit configured to facilitate providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, wherein the segment reassembly policy includes evaluating an urgent indication in a transmission control protocol (TCP) flags field of a TCP header in the segments, and when the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field, the order of the data in segments with the urgent indication in the TCP flags field further being different from the different segment reassembly policies.
24. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
(A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission; and
(B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy, the segment reassembly policy including an evaluation of an urgent indication in a TCP flags field of a TCP header in the segments, and when the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field, the order of the data in segments with the urgent indication in the TCP flags field further being different from the different segment reassembly policies.
Specification