Deep packet scan hacker identification

US 7,725,587 B1
Filed: 06/29/2001
Issued: 05/25/2010
Est. Priority Date: 08/24/2000
Status: Active Grant

First Claim

Patent Images

1. A method for securing an accessible computer system, the method comprising:

receiving more than one data packet at a network device, each data packet including a payload portion and an attribute portion and being communicated between at least one access requestor and at least one access provider through the network device;

monitoring, at the network device, at least the payload portion of the data packets directed from at least one of the access providers to at least one of the access requestors by scanning the payload portion for at least one predetermined pattern and counting a number of data packets having payload portions that include the predetermined pattern; and

using the network device to deny communication of subsequent data packets from the access requestor to the access provider when a number of payload portions of the data packets received from the access provider to the access requestor are deemed to include the predetermined pattern exceed a configurable threshold number.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an accessible computer system typically includes receiving a data packet that includes a payload portion and an attribute portion, where the data packet is communicated between at least one access requestor and at least one access provider. At least the payload portion of the received data packet typically is monitored, where monitoring includes scanning the payload portion for at least one predetermined pattern. When the payload portion is determined to include at least one predetermined pattern, access by the access requestor to the access provider may be controlled. Monitoring the data packet may include scanning the payload portion while handling the data packet with a switch. Controlling access may include denying access by the access requestor to the access provider.

58 Citations

View as Search Results

48 Claims

1. A method for securing an accessible computer system, the method comprising:
- receiving more than one data packet at a network device, each data packet including a payload portion and an attribute portion and being communicated between at least one access requestor and at least one access provider through the network device;
  
  monitoring, at the network device, at least the payload portion of the data packets directed from at least one of the access providers to at least one of the access requestors by scanning the payload portion for at least one predetermined pattern and counting a number of data packets having payload portions that include the predetermined pattern; and
  
  using the network device to deny communication of subsequent data packets from the access requestor to the access provider when a number of payload portions of the data packets received from the access provider to the access requestor are deemed to include the predetermined pattern exceed a configurable threshold number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method as in claim 1 wherein monitoring the data packets includes scanning the payload portion while handling the data packets with a network device.
  - 3. The method as in claim 2 whereinmonitoring the data packet includes monitoring only at least one data packet that is distinguished.
  - 4. The method as in claim 1 wherein:
    - securing the accessible computer system further comprises distinguishing at least one of the data packets from among the data packets received for additional processing, andmonitoring the payload portion includes monitoring the payload portion of the at least one data packet distinguished.
  - 5. The method as in claim 4 wherein the at least one data packet is distinguished based on an Internet address associated with the data packet.
  - 6. The method as in claim 1 wherein monitoring the data packet includes monitoring all of the data packets received.
  - 7. The method as in claim 1 wherein the predetermined pattern includes a login failure message communicated from the access provider to the access requestor.
  - 8. The method of claim 7 wherein the predetermined pattern further includes a login request message.
  - 9. The method of claim 7 wherein the login failure message includes a signature located at a specific offset from an end of the data packet communicated from the access provider to the access requestor.
  - 10. The method of claim 7 wherein the login failure message includes login failure reasons.
  - 11. The method as in claim 1 wherein the data packets include a token-based protocol packet, or a TCP packet or a PPP packet.
  - 12. The method as in claim 1 wherein denying communication of subsequent data packets includes affecting bandwidth for communications between the access requestor and the access provider.
  - 13. The method as in claim 1 further comprising rerouting the access requestor.
  - 14. The method as in claim 1 wherein denying data packets from the access requestor to the access provider includes denying data packets from the access requestor to the access provider when a number of payload portions that include the predetermined pattern exceed a configurable threshold number during a configurable period of time.
  - 15. The method as in claim 1 wherein denying communication of subsequent data packets from the access requestor to the access provider further comprises denying communication of subsequent data packets from a group of access requestors to the access provider when a number of payload portions within the data packets that are received, from the access provider by at least one access requester which is a group member, include the predetermined pattern exceed a configurable threshold number.
  - 16. The method of claim 1 further comprises determining whether the access requestor is on a permitted access list that is associated with the access requestors allowing subsequent access from the access requestor to the access provider conditioned on whether or not the access requestor is determined to be included in the permitted access list.
  - 17. The method of claim 16 wherein determining whether the access requestor is included in the permitted access list further comprises determining whether the IP address of the access requestor is included in the permitted access list.
  - 18. The method of claim 1 wherein subsequent data packets from the access requestor to the access provider is denied for a pre-determined and limited period of time.
  - 19. The method of claim 18 wherein denial of subsequent data packets from by the access provider starts a new pre-determined and limited time period upon detecting an access request the access requestor during the elapsing of the predetermined and limited period of time.
  - 20. The method of claim 1 wherein denying subsequent data packets from the access requestor is performed in response to a command received from the access provider, irrespective of the inspection of data packets received from the access provider.
  - 21. The method of claim 1 wherein the network device is a physically independent processor from the access providers.
  - 22. The method of claim 1 wherein the network device is a switch.
  - 23. The method of claim 1 wherein the access provider is a device configurable to make a determination of whether access is permitted.
  - 24. The method of claim 23 wherein the access provider is a field arbitrator, configured to determine whether access is provided.

25. A system that connects a plurality of access requestors to a plurality of access providers for securing an accessible computer system, comprising:
- a receiving component that is structured and arranged to receive more than one data packet, each data packet including a payload portion and an attribute portion and being communicated between at least one access requestor and at least one access provider;
  
  a monitoring component that is structured and arranged to monitor at least the payload portion of the data packets directed from at least one of the access providers to at least one of the access requestors and includes a scanning component that is structured and arranged to scan the payload portion for at least one predetermined pattern and to count a number of data packets having payload portions that include the predetermined pattern; and
  
  an access controlling component that is structured and arranged to deny communication of subsequent data packets from the access requestor to the access provider when a number of payload portions of data packets received from the access provider to the access requestor that include the predetermined pattern exceed a configurable threshold number.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The system of claim 25 wherein the monitoring component includes a scanning component that is structured and arranged to scan the payload portion while handling the data packets with a network device.
  - 27. The system of claim 26 whereinthe monitoring component is structured and arranged to monitor only at least one data packet that is distinguished.
  - 28. The system of claim 25 wherein:
    - the system further comprises a distinguishing component that is structured and arranged to distinguish at least one of the data packets from among the data packets received for additional processing, andthe monitoring component is structured and arranged to monitor the payload portion of the at least one data packet distinguished.
  - 29. The system of claim 28 wherein the at least one data packet is distinguished based on an Internet address associated with the data packet.
  - 30. The system of claim 25 whereinthe monitoring component is structured and arranged to monitor all of the data packets received.
  - 31. The system of claim 25 wherein the data packets are monitored when communicated from the access requestor to the access provider.
  - 32. The system of claim 25 wherein the predetermined pattern includes a login failure message communicated from the access provider to the access requestor.
  - 33. The system of claim 25 wherein the data packets include a token-based protocol packet, or a TCP packet or a PPP packet.
  - 34. The system of claim 25 wherein the access controlling component is structured and arranged to affect bandwidth for communications between the access requestor and the access provider.
  - 35. The system of claim 25 wherein the access controlling component is structured and arranged to reroute the access requestor.
  - 36. The system of claim 25 wherein the access controlling component is structured and arranged to deny subsequent access by the access requestor to the access provider when a number of payload portions that include the predetermined pattern exceed a configurable threshold number during a configurable period of time.

37. A computer program stored on a network device computer that connects a plurality of access requestors to a plurality of access providers for securing an accessible computer system, comprising:
- a receiving code segment that causes the computer to receive more than one data packet, each data packet including a payload portion and an attribute portion and being communicated between at least one access requestor and at least one access provider;
  
  a monitoring code segment that causes the computer to monitor at least the payload portion of the data packets directed from at least one of the access providers to at least one of the access requestors and includes a scanning code segment that causes the computer to scan the payload portion for at least one predetermined pattern and to count a number of data packets having payload portions that include the predetermined pattern; and
  
  an access controlling code segment that causes the computer to deny subsequent communication of data packets from the access requestor to the access provider when a number of payload portions of the data packets received from the access provider to the access requestor that include the predetermined pattern exceed a configurable threshold number.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 38. The computer program of claim 37 wherein the monitoring code segment includes a scanning code segment that causes the computer to scan the payload portion while handling the data packets with a network device.
  - 39. The computer program of claim 38 whereinthe monitoring code segment causes the computer to monitor only at least one data packet that is distinguished.
  - 40. The computer program of claim 37 wherein:
    - the computer program further comprises a distinguishing code segment that causes the computer to distinguish at least one of the data packets from among the data packets received for additional processing, andthe monitoring code segment causes the computer to monitor the payload portion of the at least one data packet distinguished.
  - 41. The computer program of claim 40 wherein the at least one data packet is distinguished based on an Internet address associated with the data packet.
  - 42. The computer program of claim 37 whereinthe monitoring code segment causes the computer to monitor all of the data packets received.
  - 43. The computer program of claim 37 wherein the data packets are monitored when communicated from the access requestor to the access provider.
  - 44. The computer program of claim 37 wherein the predetermined pattern includes a login failure message communicated from the access provider to the access requestor.
  - 45. The computer program of claim 37 wherein the data packets include a token-based protocol packet, or a TCP packet or a PPP packet.
  - 46. The computer program of claim 37 wherein the access controlling code segment causes the computer to affect bandwidth for communications between the access requestor and the access provider.
  - 47. The computer program of claim 37 wherein the access controlling code segment causes the computer to reroute the access requestor.
  - 48. The computer program of claim 37 wherein the access controlling code segment causes the computer to deny subsequent access by the access requestor to the access provider when a number of payload portions that include the predetermined pattern exceed a configurable threshold number during a configurable period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
AOL LLC (Apollo Global Management, Inc.)
Inventors
Jacoby, Brian, Wright, Christopher J.
Primary Examiner(s)
BOUTAH, ALINA A

Application Number

US09/894,918
Time in Patent Office

3,252 Days
Field of Search

709224-225, 709/229, 709217-219
US Class Current

709/229
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/1416   Event detection, e.g. attac...

Deep packet scan hacker identification

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Deep packet scan hacker identification

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links