Inline intrusion detection

US 7,725,938 B2
Filed: 01/20/2005
Issued: 05/25/2010
Est. Priority Date: 01/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method for inline intrusion detection, comprising:

receiving a packet at a network gateway;

storing the packet at the network gateway and assigning an identifier to the packet;

transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;

analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;

maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;

communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and

in response to the reply message taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for inline intrusion detection includes receiving a packet at a network gateway, storing the packet, and assigning an identifier to the packet. The method also includes transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system and analyzing the copy of the packet by the intrusion detection system to determine whether the packet includes an attack signature and communicating a reply message from the intrusion detection system to the network gateway. The reply message includes the identifier and is indicative of the results of the analysis. The size of the reply message is less than the size of the packet.

103 Citations

View as Search Results

34 Claims

1. A method for inline intrusion detection, comprising:
- receiving a packet at a network gateway;
  
  storing the packet at the network gateway and assigning an identifier to the packet;
  
  transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
  
  maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
  
  communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
  
  in response to the reply message taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 3. The method of claim 1, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 4. The method of claim 3, wherein the reply message comprises an indication of an action to perform, the action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 5. The method of claim 4, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying the header of the packet.
  - 6. The method of claim 4, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a body of the packet to remove any material indicative of an attack signature.
  - 7. The method of claim 1, and further comprising, in response to the reply message, dropping, by the network gateway, the packet and any related packet.
  - 8. The method of claim 1, and further comprising setting a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 9. The method of claim 8, and further comprising allowing, by the network gateway, the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 10. The method of claim 8, and further comprising dropping, by the network gateway, the packet upon expiration of the timer.
  - 11. The method of claim 1, wherein transmitting the copy and the packet and the identifier comprises modifying a header of the packet to include the identifier.

12. Logic embodied in a computer-readable medium operable to perform the steps of:
- receiving a packet at a network gateway;
  
  storing the packet at the network gateway and assigning an identifier to the packet;
  
  transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
  
  maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
  
  communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
  
  in response to the reply message taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The logic of claim 12, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 14. The logic of claim 12, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 15. The logic of claim 14, wherein the reply message comprises an indication of an action to perform, the action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 16. The logic of claim 15, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a header of the packet.
  - 17. The logic of claim 15, wherein allowing the packet to pass from the network gateway to a protected network after modifying the packet comprises modifying a body of the packet to remove any material indicative of an attack signature.
  - 18. The logic of claim 12, wherein the logic is further operable to, in response to the reply message, drop the packet and any related packet.
  - 19. The logic of claim 12, wherein the logic is further operable to set a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 20. The logic of claim 19, wherein the logic is further operable to allow the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 21. The logic of claim 19, wherein the logic is further operable to drop the packet upon expiration of the timer.
  - 22. The logic of claim 12, wherein transmitting the copy and the packet and the identifier comprises modifying a header of the packet to include the identifier.

23. A system comprising:
- means for receiving a packet at a network gateway;
  
  means for storing at the network gateway the packet and assigning an identifier to the packet;
  
  means for transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
  
  means for analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
  
  means for maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
  
  means for communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
  
  in response to the reply message means for taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.

24. An apparatus, comprising:
- a communication link;
  
  a network gateway operable to;
  
  receive a packet at a network gateway;
  
  store the packet at the network gateway and assign an identifier to the packet; and
  
  transmit a copy of the packet and the identifier from the network gateway to an intrusion detection system; and
  
  the network intrusion detection system coupled to the network gateway by the communication link and operable to;
  
  analyze the copy of the packet to determine whether the packet includes an attack signature;
  
  maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system;
  
  communicate a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
  
  in response to the reply message take, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. The apparatus of claim 24, wherein the reply message comprises an indication of whether the packet contained an attack signature.
  - 26. The apparatus of claim 24, wherein the reply message comprises an indication of a determined disposition of the packet.
  - 27. The apparatus of claim 26, wherein the reply message comprises an indication of an action to perform, the action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
  - 28. The apparatus of claim 27, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network after modifying the packet by modifying a header of the packet.
  - 29. The apparatus of claim 27, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network after modifying the packet by modifying a body of the packet to remove any material indicative of an attack signature.
  - 30. The apparatus of claim 24, wherein the network gateway is further operable to, in response to the reply message, drop the packet and any related packet.
  - 31. The apparatus of claim 24, wherein the network gateway is further operable to set a timer upon transmission of the packet from the network gateway to the intrusion detection system.
  - 32. The apparatus of claim 31, wherein the network gateway is further operable to allow the packet to pass from the network gateway to a protected network upon expiration of the timer.
  - 33. The apparatus of claim 31, wherein the network gateway is further operable to drop the packet from the network gateway upon expiration of the timer.
  - 34. The apparatus of claim 24, wherein the network gateway is further operable to transmit the copy of the packet and the identifier by modifying a header of the packet to include the identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Richardson, Aaron S., Cothrell, Scott A.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US11/039,219
Publication Number

US 20060161983A1
Time in Patent Office

1,951 Days
Field of Search

726/13, 726/23, 726/22, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Inline intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Inline intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others