Use of application signature to identify trusted traffic

US 7,703,138 B2
Filed: 12/29/2004
Issued: 04/20/2010
Est. Priority Date: 12/29/2004
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring communication packets, comprising:

storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;

storing rules that determine whether the communication packet has vulnerabilities or anomalies;

receiving a communication packet;

determining a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;

comparing the communication packet signature to the site-specific application signatures by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;

in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determining that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and

in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by;

determining whether the communication packet matches the rules;

in response to determining that the communication packet matches one or more rules, issuing an alert; and

in response to determining that that communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are techniques for monitoring communication packets. A communication packet is received. A communication packet signature of the communication packet is determined. The communication packet signature is compared to one or more site-specific application signatures. In response to determining that the communication packet signature matches at least of the one or more site-specific application signatures, it is determined that the communication packet is to be trusted.

58 Citations

View as Search Results

24 Claims

1. A method for monitoring communication packets, comprising:
- storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
  
  storing rules that determine whether the communication packet has vulnerabilities or anomalies;
  
  receiving a communication packet;
  
  determining a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
  
  comparing the communication packet signature to the site-specific application signatures by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
  
  in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determining that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
  
  in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by;
  
  determining whether the communication packet matches the rules;
  
  in response to determining that the communication packet matches one or more rules, issuing an alert; and
  
  in response to determining that that communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - in response to determining that the communication packet is to be trusted, allowing the communication packet to be routed without issuing an alert.
  - 3. The method of claim 1, wherein a site-specific application signature comprises a source address of a source computing device from which the communication packet is sent, a destination address of the destination computing device to which the communication packet is sent, a protocol identifier identifying a protocol in which the communication packet is sent, and a port identifier identifying a port on the destination computing device to which the communication packet is sent.
  - 4. The method of claim 1, wherein a site-specific application signature comprises a marking of a payload in the communication packet.
  - 5. The method of claim 1, further comprising:
    - periodically importing the site-specific application signatures from one or more application signatures data stores.
  - 6. The method of claim 1, further comprising:
    - querying at least one application signatures data store for the site-specific application signatures.

7. A system for monitoring communication packets on a network, comprising:
- one or more application signatures data stores coupled to the network storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
  
  a rules data store storing rules that determine whether a communication packet has vulnerabilities or anomalies;
  
  a processor; and
  
  a computer readable medium including code capable of being executed by the processor to perform operations comprising;
  
  receiving a communication packet;
  
  determining a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
  
  comparing the communication packet signature to the site-specific application signatures in the one or more application signatures data stores by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
  
  in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determining that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
  
  in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by;
  
  determining whether the communication packet matches the rules;
  
  in response to determining that the communication packet matches one or more rules, issuing an alert; and
  
  in response to determining that that communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the operations further comprise:
    - in response to determining that the communication packet is to be trusted, allowing the communication packet to be routed without issuing an alert.
  - 9. The system of claim 7, wherein a site-specific application signature comprises a source address of a source computing device from which the communication packet is sent, a destination address of the destination computing device to which the communication packet is sent, a protocol identifier identifying a protocol in which the communication packet is sent, and a port identifier identifying a port on the destination computing device to which the communication packet is sent.
  - 10. The system of claim 7, wherein a site-specific application signature comprises a marking of a payload in the communication packet.
  - 11. The system of claim 7, wherein the operations further comprise:
    - periodically importing the site-specific application signatures from one or more application signatures data stores.
  - 12. The system of claim 7, wherein the operations further comprise:
    - querying at least one application signatures data store for the site-specific application signatures.

13. An article of manufacture for monitoring communication packets, wherein the article of manufacture comprises a computer readable medium storing instructions, and wherein the article of manufacture is operable to:
- store site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
  
  store rules that determine whether the communication packet has vulnerabilities or anomalies;
  
  receive a communication packet;
  
  determine a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
  
  compare the communication packet signature to the site-specific application signatures by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
  
  in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determine that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
  
  in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, compare the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by;
  
  determining whether the communication packet matches the rules;
  
  in response to determining that the communication packet matches one or more rules, issuing an alert; and
  
  in response to determining that that communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The article of manufacture of claim 13, wherein the article of manufacture is operable to:
    - in response to determining that the communication packet is to be trusted, allow the communication packet to be routed without issuing an alert.
  - 15. The article of manufacture of claim 13, wherein a site-specific application signature comprises a source address of a source computing device from which the communication packet is sent, a destination address of the destination computing device to which the communication packet is sent, a protocol identifier identifying a protocol in which the communication packet is sent, and a port identifier identifying a port on the destination computing device to which the communication packet is sent.
  - 16. The article of manufacture of claim 13, wherein a site-specific application signature comprises a marking of a payload in the communication packet.
  - 17. The article of manufacture of claim 13, wherein the article of manufacture is operable to:
    - periodically import the site-specific application signatures from one or more application signatures data stores.
  - 18. The article of manufacture of claim 13, wherein the article of manufacture is operable to:
    - query at least one application signatures data store for the site-specific application signatures.

19. A apparatus for monitoring communication packets on a network, comprising:
- one or more application signatures data stores coupled to the network storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
  
  a rules data store storing rules that determine whether a communication packet has vulnerabilities or anomalies; and
  
  an application signatures engine coupled to the network and capable of accessing the one or more application signatures data stores;
  
  wherein the application signatures engine receives a communication packet;
  
  wherein the application signatures engine determines a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
  
  wherein the application signatures engine compares the communication packet signature to the site-specific application signatures in the one or more application signatures data stores by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
  
  wherein the application signatures engine, in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determines that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
  
  wherein the application signatures engine, in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by;
  
  determining whether the communication packet matches the rules;
  
  in response to determining that the communication packet matches one or more rules, issuing an alert; and
  
  in response to determining that that communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus of claim 19, wherein the application signatures engine is capable of:
    - in response to determining that the communication packet is to be trusted, allowing the communication packet to be routed without issuing an alert.
  - 21. The apparatus of claim 19, wherein a site-specific application signature comprises a source address of a source computing device from which the communication packet is sent, a destination address of the destination computing device to which the communication packet is sent, a protocol identifier identifying a protocol in which the communication packet is sent, and a port identifier identifying a port on the destination computing device to which the communication packet is sent.
  - 22. The apparatus of claim 19, wherein a site-specific application signature comprises a marking of a payload in the communication packet.
  - 23. The apparatus of claim 19, wherein the application signatures engine is capable of:
    - periodically importing the site-specific application signatures from the one or more application signatures data stores.
  - 24. The apparatus of claim 19, wherein the application signatures engine is capable of:
    - querying at least one application signatures data store for the site-specific application signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chauvin, Patrick J., Noel, Jac M., Desai, Nehal G.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/027,871
Publication Number

US 20060143710A1
Time in Patent Office

1,938 Days
Field of Search

726/23, 713/176, 370/252, 370/389, 370/411, 709/249
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Use of application signature to identify trusted traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Use of application signature to identify trusted traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links