Use of application signature to identify trusted traffic
Abstract
Provided are techniques for monitoring communication packets. A communication packet is received. A communication packet signature of the communication packet is determined. The communication packet signature is compared to one or more site-specific application signatures. In response to determining that the communication packet signature matches at least one of the one or more site-specific application signatures, it is determined that the communication packet is to be trusted.
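The flow in the abstract, together with the rules fallback recited in claim 1, as an added Python example that is not part of the patent text. Using the destination port as the "port identifier", the `syn_fin_rule` rule, and the sample addresses and ports are assumptions of this example.

```python
import socket
import struct
from collections import namedtuple

# The four fields named in the claims. Treating the destination port as the
# "port identifier" is an assumption of this example.
Signature = namedtuple("Signature", "src dst proto port")

def packet_signature(pkt: bytes) -> Signature:
    """Derive the signature from a raw IPv4 packet carrying TCP or UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto not in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) or len(pkt) < ihl + 4:
        raise ValueError("no TCP/UDP port field")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    (dport,) = struct.unpack_from("!H", pkt, ihl + 2)
    return Signature(src, dst, proto, dport)

def syn_fin_rule(pkt: bytes) -> bool:
    """Hypothetical anomaly rule: TCP segment with SYN and FIN both set."""
    if len(pkt) < 20 or pkt[9] != socket.IPPROTO_TCP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return len(pkt) >= ihl + 14 and pkt[ihl + 13] & 0x03 == 0x03

def monitor(pkt: bytes, trusted: set, rules: list) -> str:
    """Return 'trusted', 'alert' or 'routed' for one packet."""
    try:
        sig = packet_signature(pkt)
    except ValueError:
        sig = None                     # unparseable packets never match a signature
    if sig in trusted:
        return "trusted"               # routed without consulting the rules
    if any(rule(pkt) for rule in rules):
        return "alert"
    return "routed"                    # no signature match, no rule match

def build_tcp(src: str, dst: str, dport: int, flags: int) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

# Constructed site-specific signature and rule set.
TRUSTED = {Signature("10.0.0.5", "10.0.1.9", socket.IPPROTO_TCP, 1433)}
RULES = [syn_fin_rule]
```

Because a signature match returns before any rule runs, a SYN+FIN segment built with the trusted addresses, protocol and port comes back as `trusted`, while the same segment from any other source comes back as `alert`.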
24 Claims
1. A method for monitoring communication packets, comprising:
- storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
- storing rules that determine whether the communication packet has vulnerabilities or anomalies;
- receiving a communication packet;
- determining a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
- comparing the communication packet signature to the site-specific application signatures by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
- in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determining that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
- in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by:
  - determining whether the communication packet matches the rules;
  - in response to determining that the communication packet matches one or more rules, issuing an alert; and
  - in response to determining that the communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.

Dependent claims: 2, 3, 4, 5, 6
7. A system for monitoring communication packets on a network, comprising:
- one or more application signatures data stores coupled to the network storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
- a rules data store storing rules that determine whether a communication packet has vulnerabilities or anomalies;
- a processor; and
- a computer readable medium including code capable of being executed by the processor to perform operations comprising:
  - receiving a communication packet;
  - determining a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
  - comparing the communication packet signature to the site-specific application signatures in the one or more application signatures data stores by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
  - in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determining that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
  - in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by:
    - determining whether the communication packet matches the rules;
    - in response to determining that the communication packet matches one or more rules, issuing an alert; and
    - in response to determining that the communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.

Dependent claims: 8, 9, 10, 11, 12
13. An article of manufacture for monitoring communication packets, wherein the article of manufacture comprises a computer readable medium storing instructions, and wherein the article of manufacture is operable to:
- store site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
- store rules that determine whether the communication packet has vulnerabilities or anomalies;
- receive a communication packet;
- determine a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
- compare the communication packet signature to the site-specific application signatures by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
- in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determine that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
- in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, compare the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by:
  - determining whether the communication packet matches the rules;
  - in response to determining that the communication packet matches one or more rules, issuing an alert; and
  - in response to determining that the communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.

Dependent claims: 14, 15, 16, 17, 18
19. An apparatus for monitoring communication packets on a network, comprising:
- one or more application signatures data stores coupled to the network storing site-specific application signatures, wherein each of the site-specific application signatures includes a source address, a destination address, a protocol identifier, and a port identifier, wherein each of the site-specific application signatures is associated with an application executing at a specific source computing device;
- a rules data store storing rules that determine whether a communication packet has vulnerabilities or anomalies; and
- an application signatures engine coupled to the network and capable of accessing the one or more application signatures data stores;
- wherein the application signatures engine receives a communication packet;
- wherein the application signatures engine determines a communication packet signature of the communication packet, wherein the communication packet signature includes a source address, a destination address, a protocol identifier, and a port identifier;
- wherein the application signatures engine compares the communication packet signature to the site-specific application signatures in the one or more application signatures data stores by comparing the source address, the destination address, the protocol identifier, and the port identifier of the communication packet with the site-specific application signatures;
- wherein the application signatures engine, in response to determining that the communication packet signature matches at least one of the site-specific application signatures, determines that the communication packet is to be trusted and allowing the communication packet to be routed without comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies, wherein the communication packet signature matches at least one of the site-specific signatures when the source address, the destination address, the protocol identifier, and the port identifier of the communication packet matches the source address, the destination address, the protocol identifier, and the port identifier of the at least one site-specific application signatures; and
- wherein the application signatures engine, in response to determining that the communication packet signature does not match at least one of the site-specific application signatures, comparing the communication packet to the rules that determine whether the communication packet has vulnerabilities or anomalies by:
  - determining whether the communication packet matches the rules;
  - in response to determining that the communication packet matches one or more rules, issuing an alert; and
  - in response to determining that the communication packet does not match the rules, allowing the communication packet to be routed without issuing the alert.

Dependent claims: 20, 21, 22, 23, 24
Specification