Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
First Claim
1. An intrusion detection system, comprising:
a memory device comprising a table containing a state code; and
a processing means in communication with the memory device, the processing means configured to examine received packets flowing within computer network communications and increment the memory device state code in response to observing each of a predefined sequential triplet of TCP/IP protocol packets, the predefined sequential packet triplet comprising an initial SYN packet originating from a source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet, each of the packets comprising a source address field, a target device address field, a source port field and a target device port field;
wherein the processing means is configured to:
dynamically update a memory device histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple;
hash the ordered four-tuple; and
use the hashed ordered four-tuple as a histogram location index; and
wherein the processing means is configured to issue an alert if the predefined sequential packet triplet is detected, each packet of the triplet is relevant to the source address, and the incremented state code reaches a predefined alert value.
Abstract
A detection and response system that generates an alert when unauthorized scanning is detected on a computer network. The system includes a look-up table that records a state value corresponding to the sequence in which SYN, SYN/ACK and RST packets are observed. A set of algorithms executed on a processing engine adjusts the state value in response to observing the packets. When the state value reaches a predetermined value indicating that all three packets have been seen, the algorithm generates an alert.
31 Citations
14 Claims
1. An intrusion detection system, comprising: (full text set out above under First Claim; dependent claims 2 to 7 refer back to claim 1)
8. A program product including:
a computer-readable medium; and
a computer program recorded on said medium, said computer program including a set of instructions that, when executed on a computer, causes the computer to:
define a table in a memory means containing codes whose values represent detection of each of a predefined sequential packet triplet and at least one source address associated with at least one of the codes, each of the predefined sequential triplet packets comprising a source address field, a target device address field, a source port field and a target device port field;
monitor packets flowing on a computer network;
dynamically update a histogram in the memory means by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential packet triplet into a histogram table field as an ordered four-tuple;
hash the ordered four-tuple; and
use the hashed ordered four-tuple as a histogram location index; and
issue an alert if the predefined sequential packet triplet is detected, each packet of the triplet is relevant to the source address, and the incremented state code reaches a predefined alert value;
wherein the predefined sequential packet triplet comprises an initial SYN packet originating from the source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet.
Dependent claims 9 to 14 refer back to claim 8.
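The mechanism the abstract and both independent claims describe (a state code per connection, advanced as the SYN, SYN/ACK and RST of a half-open scan are seen, stored in a histogram indexed by a hash of the ordered four-tuple, with an alert once the code reaches the predefined value) is shown below as an added worked example. It is not code from the patent. Assumptions made here and not stated on the page: packets are a simplified record carrying only the four claimed header fields plus a flag label; SHA-256 truncated modulo a 4096-slot table serves as the hash, since the patent names none; the bucket keeps the full tuple beside its state so two tuples hashing to one index do not share a state; an ACK completing the handshake resets the state to zero, which the claims do not mention but which keeps a normal connection that later ends with a RST from being counted; and the packet trace is constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

SYN, SYNACK, ACK, RST = "SYN", "SYN/ACK", "ACK", "RST"
ALERT_VALUE = 3  # state code reached once SYN, SYN/ACK and RST have all been seen


@dataclass(frozen=True)
class Packet:
    """Only the header fields the claim names, plus a simplified flag label (assumption)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def four_tuple(pkt):
    """Ordered (source, target, source port, target port), oriented from the
    scanning host's side. SYN and RST travel source -> target; the SYN/ACK
    travels target -> source, so its address and port fields are swapped so
    that all three packets of one triplet map to the same tuple."""
    if pkt.flags == SYNACK:
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport)
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)


def histogram_index(tup, table_size):
    """Hash the concatenated four-tuple to a histogram location index (SHA-256 is an assumption)."""
    key = "|".join(map(str, tup)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % table_size


class ScanDetector:
    def __init__(self, table_size=4096, alert_value=ALERT_VALUE):
        self.table_size = table_size
        self.alert_value = alert_value
        # index -> {four_tuple: state_code}; keeping the tuple inside the
        # bucket means tuples that collide on the index keep separate states
        self.histogram = {}
        self.alerts = []  # (source address, four-tuple) for every completed triplet

    def observe(self, pkt):
        tup = four_tuple(pkt)
        bucket = self.histogram.setdefault(histogram_index(tup, self.table_size), {})
        state = bucket.get(tup, 0)
        if pkt.flags == SYN:
            state = 1                      # a SYN always (re)starts the sequence
        elif pkt.flags == SYNACK and state == 1:
            state = 2
        elif pkt.flags == RST and state == 2:
            state = 3
        elif pkt.flags == ACK and state == 2:
            state = 0                      # handshake completed: not a scan (added assumption)
        # any other packet is out of sequence and leaves the state code unchanged
        if state >= self.alert_value:
            self.alerts.append((tup[0], tup))
            bucket[tup] = 0                # reset so a repeat of the triplet counts again
        else:
            bucket[tup] = state
        return state

    def alerts_by_source(self):
        return Counter(src for src, _ in self.alerts)


# Constructed trace: one host SYN-scans three ports, one legitimate client connects.
SCANNER, CLIENT, TARGET = "10.0.0.5", "10.0.0.7", "192.0.2.10"
SAMPLE_PACKETS = [
    Packet(SCANNER, TARGET, 40001, 22, SYN),
    Packet(TARGET, SCANNER, 22, 40001, SYNACK),
    Packet(SCANNER, TARGET, 40001, 22, RST),
    Packet(SCANNER, TARGET, 40002, 80, SYN),
    Packet(TARGET, SCANNER, 80, 40002, SYNACK),
    Packet(SCANNER, TARGET, 40002, 80, RST),
    Packet(SCANNER, TARGET, 40003, 443, SYN),
    Packet(TARGET, SCANNER, 443, 40003, SYNACK),
    Packet(SCANNER, TARGET, 40003, 443, RST),
    # legitimate client: full handshake, then an abortive close
    Packet(CLIENT, TARGET, 51000, 80, SYN),
    Packet(TARGET, CLIENT, 80, 51000, SYNACK),
    Packet(CLIENT, TARGET, 51000, 80, ACK),
    Packet(CLIENT, TARGET, 51000, 80, RST),
    # stray RST with no preceding SYN and SYN/ACK: out of sequence, ignored
    Packet(CLIENT, TARGET, 51001, 22, RST),
]


def run_sample(packets=SAMPLE_PACKETS):
    det = ScanDetector()
    for pkt in packets:
        det.observe(pkt)
    return det


if __name__ == "__main__":
    d = run_sample()
    for src, tup in d.alerts:
        print(f"ALERT: half-open scan triplet from {src}: {tup}")
    print(dict(d.alerts_by_source()))
```

Only the three scanner tuples reach the alert value; the client's connection is reset to zero by its ACK before its RST arrives, and the stray RST never advances past zero. Two practical caveats that the page does not address: the histogram needs aging, or a long-running sensor accumulates one entry per four-tuple ever seen, and a scanner that randomizes source ports still produces one alert per probe, so the per-source count returned by alerts_by_source is the figure worth thresholding in practice.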
Specification