Inline intrusion detection
First Claim
1. A method for inline intrusion detection, comprising:
- receiving a packet at a network gateway;
- storing the packet at the network gateway and assigning an identifier to the packet;
- transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
- analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
- maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
- communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
- in response to the reply message, taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
Abstract
A method for inline intrusion detection includes receiving a packet at a network gateway, storing the packet, and assigning an identifier to the packet. The method also includes transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system, analyzing the copy of the packet by the intrusion detection system to determine whether the packet includes an attack signature, and communicating a reply message from the intrusion detection system to the network gateway. The reply message includes the identifier and is indicative of the results of the analysis. The size of the reply message is less than the size of the packet.
34 Claims
1. A method for inline intrusion detection, comprising the steps set out in full above under First Claim.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. Logic embodied in a computer-readable medium operable to perform the steps of:
- receiving a packet at a network gateway;
- storing the packet at the network gateway and assigning an identifier to the packet;
- transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
- analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
- maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
- communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
- in response to the reply message, taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
   Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A system comprising:
- means for receiving a packet at a network gateway;
- means for storing at the network gateway the packet and assigning an identifier to the packet;
- means for transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system;
- means for analyzing the copy of the packet, by the intrusion detection system, to determine whether the packet includes an attack signature;
- means for maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system;
- means for communicating a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
- in response to the reply message, means for taking, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
24. An apparatus, comprising:
- a communication link;
- a network gateway operable to:
  - receive a packet at a network gateway;
  - store the packet at the network gateway and assign an identifier to the packet; and
  - transmit a copy of the packet and the identifier from the network gateway to an intrusion detection system; and
- the network intrusion detection system coupled to the network gateway by the communication link and operable to:
  - analyze the copy of the packet to determine whether the packet includes an attack signature;
  - maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system;
  - communicate a reply message, including the identifier, from the intrusion detection system to the network gateway, the reply message indicative of the results of the analysis and the size of the reply message being less than the size of the packet; and
  - in response to the reply message, take, by the network gateway, an action selected from the group consisting of dropping the packet, allowing the packet to pass from the network gateway to a protected network, allowing the packet to pass from the network gateway to a protected network after modifying the packet, dropping the packet and dropping any related packet, and allowing the packet and any related packet to pass from the network gateway to a protected network.
   Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
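The exchange the claims describe, as an added simulation that is not part of the patent or of any product: the gateway stores each packet under an identifier, sends only a copy plus that identifier to the IDS, keeps the original until a five-byte reply (identifier + verdict) comes back, and then applies one of the five enumerated actions. The reply format, the signature table, the flow tuples, the addresses and the "modify the packet" rule are all constructed for this example.

```python
"""Simulation of the gateway / IDS exchange in the claims (added illustration)."""
from dataclasses import dataclass
from enum import Enum
import struct


class Verdict(Enum):
    """The five gateway actions enumerated in the claims."""
    DROP = 1            # drop this packet only
    PASS = 2            # pass to the protected network unchanged
    PASS_MODIFIED = 3   # pass after the gateway modifies it
    DROP_FLOW = 4       # drop this packet and any related packet
    PASS_FLOW = 5       # pass this packet and any related packet


@dataclass(frozen=True)
class Packet:
    flow: tuple        # constructed stand-in for (src, dst, sport, dport)
    payload: bytes


# Constructed reply wire format: 4-byte identifier + 1-byte verdict = 5 bytes.
REPLY_FMT = "!IB"
REPLY_SIZE = struct.calcsize(REPLY_FMT)

# Constructed signature table: pattern -> verdict the IDS reports on a match.
SIGNATURES = {
    b"EVIL-PATTERN": Verdict.DROP_FLOW,
    b"JUNK-OPTION": Verdict.PASS_MODIFIED,
    b"KNOWN-GOOD-HANDSHAKE": Verdict.PASS_FLOW,
    b"ONE-OFF-PROBE": Verdict.DROP,
}


class IntrusionDetectionSystem:
    """Sees only a copy of the packet; never holds or forwards the original."""

    def __init__(self, signatures):
        self.signatures = signatures

    def analyze(self, ident, copy):
        verdict = Verdict.PASS
        for pattern, result in self.signatures.items():
            if pattern in copy:
                verdict = result
                break
        # The reply carries the identifier, not the packet, so it stays small.
        return struct.pack(REPLY_FMT, ident, verdict.value)


class Gateway:
    """Stores packets, correlates replies by identifier, enforces the verdict."""

    def __init__(self, ids):
        self.ids = ids
        self.pending = {}        # identifier -> Packet held during analysis
        self.next_id = 0
        self.blocked_flows = set()   # flows with a DROP_FLOW decision
        self.trusted_flows = set()   # flows with a PASS_FLOW decision
        self.delivered = []          # packets that reached the protected network

    def receive(self, pkt):
        # Related packets of an already-decided flow never reach the IDS.
        if pkt.flow in self.blocked_flows:
            return Verdict.DROP_FLOW
        if pkt.flow in self.trusted_flows:
            self.delivered.append(pkt)
            return Verdict.PASS_FLOW
        ident = self.next_id
        self.next_id += 1
        self.pending[ident] = pkt              # stored and kept while analyzed
        copy = bytes(pkt.payload)              # only the copy leaves the gateway
        reply = self.ids.analyze(ident, copy)
        if len(reply) >= len(pkt.payload):
            raise ValueError("reply must be smaller than the packet it describes")
        return self.handle_reply(reply)

    def handle_reply(self, reply):
        ident, code = struct.unpack(REPLY_FMT, reply)
        pkt = self.pending.pop(ident)   # identifier ties the verdict to the stored packet
        verdict = Verdict(code)
        if verdict is Verdict.DROP_FLOW:
            self.blocked_flows.add(pkt.flow)           # packet discarded, flow blocked
        elif verdict is Verdict.PASS:
            self.delivered.append(pkt)
        elif verdict is Verdict.PASS_FLOW:
            self.trusted_flows.add(pkt.flow)
            self.delivered.append(pkt)
        elif verdict is Verdict.PASS_MODIFIED:
            # Constructed modification rule: strip the offending option first.
            self.delivered.append(Packet(pkt.flow, pkt.payload.replace(b"JUNK-OPTION", b"")))
        # Verdict.DROP: the packet is simply discarded.
        return verdict


def run_demo():
    """Feed constructed traffic through the gateway; return (verdict names, gateway)."""
    gw = Gateway(IntrusionDetectionSystem(SIGNATURES))
    attacker = ("198.51.100.7", "192.0.2.10", 40000, 80)   # constructed addresses
    client = ("203.0.113.5", "192.0.2.10", 40001, 80)
    traffic = [
        Packet(client, b"GET / HTTP/1.1\r\nHost: example\r\n"),
        Packet(client, b"POST /x JUNK-OPTION data"),
        Packet(attacker, b"GET /EVIL-PATTERN HTTP/1.1"),
        Packet(attacker, b"follow-up on the same flow"),   # dropped without consulting the IDS
    ]
    return [gw.receive(p).name for p in traffic], gw


if __name__ == "__main__":
    print(run_demo()[0])
```

The point worth noticing is the `pending` table: it is what lets the gateway hold the original packet while only a copy travels to the IDS, and the identifier in the reply is the sole link back to that stored packet, which is why a reply of a few bytes suffices regardless of packet size. Flow-level verdicts are remembered so related packets are dropped or passed without another round trip.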