Device, system and method for analysis of segments in a transmission control protocol (TCP) session

US 7,701,945 B2
Filed: 08/10/2006
Issued: 04/20/2010
Est. Priority Date: 08/10/2006
Status: Active Grant

First Claim

Patent Images

1. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:

(A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission and determining a kind of host of a destination of the segments in response to receiving the segments; and

(B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy selected from plural different processor-resident segment reassembly policies corresponding to different kinds of hosts based on the determined kind of host of the destination of the segments,the segment reassembly policy indicating an order specific to comprehensively overlapped segments,when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped,the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

Citations

24 Claims

1. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
- (A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission and determining a kind of host of a destination of the segments in response to receiving the segments; and
  
  (B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy selected from plural different processor-resident segment reassembly policies corresponding to different kinds of hosts based on the determined kind of host of the destination of the segments,the segment reassembly policy indicating an order specific to comprehensively overlapped segments,when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped,the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, whereina plurality of destinations including the destination are provided, the destination being associated with the kind of host, respective kinds of host being associated with respective segment reassembly policies, andthe segment reassembly policy is associated with the kind of host associated with the destination.
  - 3. The method according to claim 1, wherein the segment reassembly policy includes evaluating an urgent indication in a transmission control protocol (TCP) flags field of a TCP header in the segments, andwhen the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field,the order of the data in segments with the urgent indication in the TCP flags field further being different for the different segment reassembly policies.
  - 4. The method according to claim 1, wherein the monitoring is performed in accordance with a TCP layer.
  - 5. The method according to claim 1, wherein the segments are formatted according to a TCP layer format.
  - 6. The method according to claim 1, whereinthe segments can be one of non-overlapped, comprehensively overlapped, partially overlapped, and completely overlapped.
  - 7. The method according to claim 3, the order of the reassembled data further being reassembled differently depending on the TCP flags field in combination with a value in a TCP header pointer field in a same segment, the order of the data in segments with the urgent indication in the TCP flags field further being reassembled differently in the different segment reassembly policies.

8. A computer-readable non-transitory medium comprising instructions for execution by a computer, the instructions including a computer-implemented method for analyzing segments in a transmission in a communication network, a transmission including a plurality of segments in the same transmission control protocol (TCP) session and associated with the same destination, where segments can be one of non-overlapped, partially overlapped, and completely overlapped, the instructions for implementing:
- (A) determining a kind of host of a destination of segments in a transmission in response to receiving the segments, and identifying at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the determined kind of host of the destination; and
  
  (B) providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, the at least one segment reassembly policy indicating an order specific to comprehensively overlapped segments,when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped,the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium according to claim 8, further comprising instructions for:
    - reassembling the segments in the order indicated by the at least one segment reassembly policy; and
      
      providing the reassembled segments to an intrusion detection/protection system.
  - 10. The computer-readable medium according to claim 8, further comprising instructions for receiving the segments in the session, whereinthe receiving is performed in accordance with a TCP layer, andthe providing data in the segments includes applying the TCP layer format to the segments.
  - 11. The computer-readable medium according to claim 8, whereina plurality of destinations including the destination are provided, a destination being associated with a kind of host, respective kinds of host being associated with respective segment reassembly policies, andthe at least one segment reassembly policy which is identified is associated with the kind of host associated with the destination.
  - 12. The computer-readable medium according to claim 8, wherein the at least one segment reassembly policy includes evaluating an urgent indication in a transmission control protocol (TCP) flags field of a TCP header in the segments, andwhen the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field,the order of the data in segments with the urgent indication in the TCP flags field further being different from the different segment reassembly policies.
  - 13. A computer system configured with the computer-readable medium of claim 8.
  - 14. A communication network comprising at least one computer system configured with the computer-readable medium of claim 8.

15. A computer system for at least one of detecting and preventing intrusion, comprising:
- (A) a unit configured by a computer to facilitate determining a kind of host of a destination of segments in a transmission, in response to receiving the segments in a transmission control protocol (TCP) session;
  
  (B) a segment reassembly unit configured to facilitate selecting at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the kind of host associated with the segments in the transmission; and
  
  (C) an order providing unit configured to facilitate providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy, the segment reassembly policy indicating an order specific to comprehensively overlapped segments,when the data is in the comprehensively overlapped segments, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which are not comprehensively overlapped,the data in comprehensively overlapped segments further being reassembled in a different order in the different segment reassembly policies.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The computer system according to claim 15, further comprising a reassembler to reassemble the segments in the order indicated by the at least one segment reassembly policy.
  - 17. The computer system according to claim 16, further comprising an intrusion detection/prevention unit to detect an intrusion in the reassembled segments, whereinthe reassembler provides the reassembled segments to the intrusion detection/prevention unit.
  - 18. The computer system according to claim 15, further comprising a receiving unit configured to facilitate receiving segments in the transmission, whereinthe segments are received in accordance with a TCP layer.
  - 19. The computer system according to claim 15, wherein the order providing unit further determines the order of the data in the segments according to a TCP layer format.
  - 20. The computer system according to claim 15, wherein the destination is indicated as a destination address and destination port in the segments.
  - 21. The computer system according to claim 15, whereina plurality of destinations including the destination are provided, a destination being associated with a kind of host, respective kinds of host corresponding to respective segment reassembly policies, andthe at least one segment reassembly policy which is identified corresponds to the kind of host associated with the destination.
  - 22. The computer system according to claim 15, whereinthe segments can be one of non-overlapped, partially overlapped, comprehensively overlapped, and completely overlapped,and the segment reassembly policy indicates an order specific to at least comprehensively overlapped segments.

23. A computer system for at least one of detecting and preventing intrusion, comprising:
- (A) a unit configured by a computer to facilitate determining a kind of host of a destination of segments in a transmission, in response to receiving the segments in a transmission control protocol (TCP) session;
  
  (B) a segment reassembly unit configured to facilitate selecting at least one segment reassembly policy of plural different processor-resident segment reassembly policies corresponding to different kinds of hosts, the at least one segment reassembly policy corresponding to the kind of host associated with the segments in the transmission; and
  
  (C) an order providing unit configured to facilitate providing data in the segments in the transmission in an order indicated by the at least one segment reassembly policy,wherein the segment reassembly policy includes evaluating an urgent indication in a transmission control protocol (TCP) flags field of a TCP header in the segments, andwhen the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field,the order of the data in segments with the urgent indication in the TCP flags field further being different from the different segment reassembly policies.

24. A method performed in a processor of an intrusion detection/prevention system, for analyzing segments in a transmission in a communication network, the transmission including a plurality of segments in the same transmission control protocol (TCP) session, comprising:
- (A) monitoring, in a processor of an intrusion detection/prevention system, a plurality of segments in a transmission; and
  
  (B) reassembling, in the processor, data in the segments in the transmission in an order indicated by a segment reassembly policy, the segment reassembly policy including an evaluation of an urgent indication in a TCP flags field of a TCP header in the segments, andwhen the data in the segments has the TCP flags field including the urgent indication, the order of the data indicated by the segment reassembly policy is different from the order of the data when in segments which do not have the urgent indication in the TCP flags field,the order of the data in segments with the urgent indication in the TCP flags field further being different from the different segment reassembly policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Novak, Judy Hollis, Roesch, Martin Frederick, Sturges, Steven
Primary Examiner(s)
Ferris; Derrick W
Assistant Examiner(s)
Crompton; Christopher R

Application Number

US11/501,776
Publication Number

US 20080037587A1
Time in Patent Office

1,349 Days
Field of Search

370/389, 370/446, 370/474, 726/1, 726/23
US Class Current

370/394
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04L 69/16   Implementation or adaptatio...

H04L 69/166   IP fragmentation; TCP segme...

Device, system and method for analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links