Method and apparatus for the detection and prevention of intrusions, computer worms, and denial of service attacks

US 7,761,917 B1
Filed: 06/27/2003
Issued: 07/20/2010
Est. Priority Date: 11/21/2002
Status: Active Grant

First Claim

Patent Images

1. A method for using a security apparatus to provide security for a computer system, comprising:

dynamically loading into the security apparatus information permitting detection of vulnerabilities and exposures for an application and information on how the security apparatus is to prevent exploitation of the vulnerabilities and exposures on the computer system;

using the security apparatus to intercept data traffic entering the computer system; and

using the dynamically loaded information to process the intercepted data to prevent exploitation of the vulnerabilities and exposures on the computer system, wherein the using of the dynamically loaded information further comprises using, by the security apparatus, new information on vulnerabilities and exposures to handle new application sessions for the application and continuing to use old information on vulnerabilities and exposures to handle existing application sessions for the application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for the detection and prevention of intrusions, DOS attacks, and computer worms comprising of: 1) dynamically loading information about vulnerabilities and exposures 2) intercepting application data 3) using information about vulnerabilities and exposures to detect their exploitation 4) taking custom action to stop the exploitation. Invention also includes an apparatus and method for reducing time it takes to capture information about vulnerabilities and exposures for the purpose of detecting their exploitation and stopping it. Invention further includes an apparatus and method to convert information about vulnerabilities and exposures into an intermediate form that optimizes the processing speed of the method and apparatus for stopping intrusions, DOS attacks, and computer worms.

Citations

15 Claims

1. A method for using a security apparatus to provide security for a computer system, comprising:
- dynamically loading into the security apparatus information permitting detection of vulnerabilities and exposures for an application and information on how the security apparatus is to prevent exploitation of the vulnerabilities and exposures on the computer system;
  
  using the security apparatus to intercept data traffic entering the computer system; and
  
  using the dynamically loaded information to process the intercepted data to prevent exploitation of the vulnerabilities and exposures on the computer system, wherein the using of the dynamically loaded information further comprises using, by the security apparatus, new information on vulnerabilities and exposures to handle new application sessions for the application and continuing to use old information on vulnerabilities and exposures to handle existing application sessions for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method defined in claim 1 further comprising:
    - performing transport layer functions including selectively intercepting data traffic, and dropping, forwarding, and bypassing some of the data traffic.
  - 3. The method defined in claim 1 further comprising:
    - using virtual patches and decoder plug-ins to create an interpreter configuration data structure; and
      
      using the interpreter configuration data structure at the security apparatus to process the intercepted data to prevent exploitation of the vulnerabilities and exposures in the computer system.
  - 4. The method defined in claim 1 wherein there are multiple applications that run on the computer system and wherein information on vulnerabilities and exposures for each of the multiple applications is dynamically loaded into the security apparatus, the method further comprising:
    - using virtual proxies on the security apparatus to process the intercepted data based on the dynamically-loaded information, wherein there is a separate virtual proxy for each of the applications on the computer system.
  - 5. The method defined in claim 1 wherein the data traffic includes information elements, the method further comprising:
    - using virtual proxies on the security apparatus to drop at least some of the information elements in the data traffic.
  - 6. The method defined in claim 1 wherein the data traffic includes information elements, the method further comprising:
    - using virtual proxies on the security apparatus to modify at least some of the information elements in the data traffic.
  - 7. The method defined in claim 1 wherein the data traffic includes information elements, the method further comprising:
    - using virtual proxies on the security apparatus to insert new information elements into the data traffic.
  - 8. The method defined in claim 1 wherein the data traffic includes information elements of various types, wherein the dynamically-loaded information comprises a tree that contains a static element corresponding to each type of information element, and wherein each static element contains a list of processing procedures for the vulnerabilities and exposures and contains a list of decoding procedures for decoding children of the information elements, the method further comprising triggering the processing and decoding procedures for each information element using the static element corresponding to that information element.
  - 9. The method defined in claim 8, further comprising:
    - using the static elements in determining whether to pass the information elements.
  - 10. The method defined in claim 8, further comprising:
    - using the static elements in determining whether to flush the information elements.
  - 11. The method defined in claim 8, further comprising:
    - using the static elements in determining whether to load the information elements.
  - 12. The method defined in claim 1 further comprising:
    - converting information about the vulnerabilities and exposures into an intermediate form that is loaded into the security apparatus as the dynamically-loaded information and that optimizes processing speed for the processing of the intercepted data to prevent exploitation of the vulnerabilities and exposures on the computer system; and
      
      identifying information elements that are needed for processing the vulnerabilities and exposures and inserting this information into the intermediate form.
  - 13. The method defined in claim 1 further comprising:
    - converting information about the vulnerabilities and exposures into an intermediate form that is loaded into the security apparatus as the dynamically-loaded information and that optimizes processing speed for the processing of the intercepted data to prevent exploitation of the vulnerabilities and exposures on the computer system; and
      
      identifying when to load, flush, and pass information elements in the data traffic to minimize latency and inserting this information into the intermediate form.
  - 14. The method defined in claim 1 further comprising:
    - converting information about the vulnerabilities and exposures into an intermediate form that is loaded into the security apparatus as the dynamically-loaded information and that optimizes processing speed for the processing of the intercepted data to prevent exploitation of the vulnerabilities and exposures on the computer system; and
      
      extracting regular expression matches, pattern matches, and value list comparisons from the information about the vulnerabilities and exposures and converting the matches and comparisons into the intermediate form to optimize the processing of the intercepted data.
  - 15. The method defined in claim 1 wherein the data traffic includes information elements, the method further comprising:
    - maintaining a list of which information elements are used by the vulnerabilities and exposures; and
      
      during processing of the data traffic, decoding only the information elements in the data traffic that appear in the list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Kumar, Dileep
Primary Examiner(s)
Dinh; Minh

Application Number

US10/608,746
Time in Patent Office

2,580 Days
Field of Search

713/168, 713/182, 713/189
US Class Current

726/23
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and apparatus for the detection and prevention of intrusions, computer worms, and denial of service attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for the detection and prevention of intrusions, computer worms, and denial of service attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links