Detection and prevention of encapsulated network attacks using an intermediate device

US 7,797,411 B1
Filed: 02/02/2005
Issued: 09/14/2010
Est. Priority Date: 02/02/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with an intermediate device, packets;

determining, with the intermediate device, whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, wherein the intermediate device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device;

applying a set of heuristics to the data units to determine whether the data units are encrypted;

when the data units are determined not to be encrypted, extracting, with the intermediate device, the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;

when the data units are determined not the be encrypted, generating, with the intermediate device, temporary packets from the data units, wherein the temporary packets are different from the originally received packets;

analyzing, with the intermediate device, the temporary packets to detect a network attack,wherein analyzing the temporary packet to detect a network attack comprises processing the data units within the temporary packets with the intermediate network device to identify network elements associated with the data units, forming application-layer communications from the data units within the temporary packets, processing the application-layer communications with protocol-specific decoders to identify application-layer elements, and applying an attack definition to the network elements and the application-layer elements to detect the network attack;

selectively transmitting, with the intermediate device, the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted;

analyzing, with the intermediate device, those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets; and

selectively transmitting, with the intermediate device, those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network device is capable of recognizing and blocking network attacks associated with packet flows regardless of whether the packet flows are encapsulated within network tunnels. For example, the network device includes a filter module that receives packets associated with a network tunnel from an ingress device to an egress device. The filter module applies heuristics to determine whether the packets encapsulate encrypted data units. If the data units are not encrypted, the filter module extracts the data units and generates temporary packets for use within the network device. An attack detection engine within the device analyzes the temporary packets to detect any network attacks carried by the encapsulated data units. A forwarding component selectively forwards the packets to the egress device based on whether any network attacks are detected.

Citations

28 Claims

1. A method comprising:
- receiving, with an intermediate device, packets;
  
  determining, with the intermediate device, whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, wherein the intermediate device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device;
  
  applying a set of heuristics to the data units to determine whether the data units are encrypted;
  
  when the data units are determined not to be encrypted, extracting, with the intermediate device, the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
  
  when the data units are determined not the be encrypted, generating, with the intermediate device, temporary packets from the data units, wherein the temporary packets are different from the originally received packets;
  
  analyzing, with the intermediate device, the temporary packets to detect a network attack,wherein analyzing the temporary packet to detect a network attack comprises processing the data units within the temporary packets with the intermediate network device to identify network elements associated with the data units, forming application-layer communications from the data units within the temporary packets, processing the application-layer communications with protocol-specific decoders to identify application-layer elements, and applying an attack definition to the network elements and the application-layer elements to detect the network attack;
  
  selectively transmitting, with the intermediate device, the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted;
  
  analyzing, with the intermediate device, those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets; and
  
  selectively transmitting, with the intermediate device, those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the data units comprise packets or frames.
  - 3. The method of claim 1, wherein the data units conform to a protocol associated with a wireless communication network.
  - 4. The method of claim 1, wherein generating temporary packets comprises pre-pending headers to the data units to form the temporary packets in accordance with a protocol supported by the intermediate device.
  - 5. The method of claim 1, wherein generating temporary packets comprises:
    - buffering a plurality of the data units to form communication frames; and
      
      pre-pending headers to the communication frames to form the temporary packets.
  - 6. The method of claim 1, wherein generating temporary packets comprises:
    - determining a protocol for the data units; and
      
      applying a protocol-specific algorithm to generate the temporary packets from the data units.
  - 7. The method of claim 6, wherein the protocol comprises one of the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Point-to-Point Protocol (PPP), or Internet Protocol (IP).
  - 8. The method of claim 1, wherein selectively extracting and analyzing comprises:
    - extracting the data units, generating the temporary packets from the data units and analyzing the data units of the temporary packets to detect the network attack when the data units are unencrypted; and
      
      forwarding the originally received packets without otherwise extracting the data units, generating the temporary packets from the data units and analyzing the data units of the temporary packets when the data units are encrypted.
  - 9. The method of claim 1, wherein the network elements include low-level network information including at least one of a network host, network peers or a network port associated with the network traffic.
  - 10. The method of claim 1, wherein the application-layer elements comprise named elements that uniquely identify types of the application-layer elements and values for the named elements.
  - 11. The method of claim 10, wherein the named elements for the application-layer communications include at least one of a file name, a user name, a software application name or a name of an attached document.
  - 12. The method of claim 1, wherein selectively transmitting the original packets comprises:
    - discarding the originally received packets upon detecting the network attack within the temporary packets, andforwarding the originally received packets when the network attack is not detected within the temporary packets.
  - 13. The method of claim 1,wherein the packets associated with the network tunnel conform to a tunneling protocol and include headers that identify the tunnel, andwherein the encapsulated data units within the packet conform to a protocol different from the tunneling protocol and have at least one header.
  - 14. The method of claim 13,wherein generating the temporary packets comprises:
    - removing the header from the tunneled packet with the intermediate device;
      
      pre-pending a new header to form a non-tunneled temporary packet with the intermediate device, wherein the new header is associated with a protocol other than the tunneling protocol, andwherein analyzing the data units comprises analyzing the non-tunneled temporary packet with the intermediate device to detect the network attack.

15. A method comprising:
- receiving, with an intermediate device, packets;
  
  determining, with the intermediate device, whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, wherein the intermediate device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device;
  
  applying a set of heuristics to the data units to determine whether the data units are encrypted;
  
  when the data units are determined not to be encrypted, extracting, with the intermediate device, the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
  
  when the data units are determined not the be encrypted, generating, with the intermediate device, temporary packets from the data units, wherein the temporary packets are different from the originally received packets;
  
  analyzing, with the intermediate device, the temporary packets to detect a network attack based upon application of an attack definition;
  
  selectively transmitting, with the intermediate device, the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted;
  
  analyzing, with the intermediate device, those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets; and
  
  selectively transmitting, with the intermediate device, those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets;
  
  wherein applying a set of heuristics comprises;
  
  examining the data units for indicators of a size of payloads within the data units;
  
  determining an actual size for each of the payloads;
  
  comparing the indicators with the actual size of each of the payloads; and
  
  determining whether the data units are encrypted based on a result of the comparison.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein examining the data units comprises:
    - determining a protocol associated with the data units; and
      
      selecting the indicators from the data units based on the protocol.

17. A network device comprising:
- a filter module to receive packets, determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, apply a set of heuristics to the data units to determine whether the data units are encrypted and, when the data units are determined not to be encrypted, extract data units encapsulated within those of the packets determined to be associated with the network tunnel, wherein the network device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device,wherein the filter module includes a packet generation module to generate, when the data units are determined not to be encrypted, temporary packets from the extracted data units, wherein the temporary packets are different from the originally received packets;
  
  an attack detection engine to process the data units within the temporary packets to identify network elements associated with the data units, form application-layer communications from the data units within the temporary packets, process the application-layer communications with protocol-specific decoders to identify application-layer elements to detect a network attack; and
  
  a forwarding component to selectively forward the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted,wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network to detect a network attack without generating the temporary packets from the received packets, and selectively transmitting those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The network device of claim 17, wherein the data units comprise packets, frames or cells.
  - 19. The network device of claim 17, wherein the data units conform to a protocol associated with a wireless communication network.
  - 20. The network device of claim 17, wherein the packet generation module pre-pends headers to the data units to form the temporary packets in accordance with a protocol supported by the attack detection engine.
  - 21. The network device of claim 17,wherein the packet generation module buffers the data units to form communication frames that span one or more of the packets, andwherein the packet generation module pre-pends headers to the communication frames to form the temporary packets.
  - 22. The network device of claim 17, wherein the packet generation module determines a protocol for the data units, and applies a protocol-specific algorithm to extract the data units and generate the temporary packets from the data units based on the determined protocol.
  - 23. The network device of claim 22, wherein the protocol comprises one of Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Point-to-Point Protocol (PPP), or Internet Protocol (IP).
  - 24. The network device of claim 17, wherein the forwarding component includes a routing table storing routes for a network.
  - 25. The network device of claim 17, wherein the network device comprises a router or a firewall.
  - 26. The network device of claim 17,wherein the attack detection module analyzes those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating temporary packets, andwherein the forwarding component selectively forwards those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.

27. A network device comprising:
- a filter module to receive packets, determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, apply a set of heuristics to the data units to determine whether the data units are encrypted and, when the data units are determined not to be encrypted, extract data units encapsulated within those of the packets determined to be associated with the network tunnel, wherein the network device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device,wherein the filter module includes a packet generation module to generate, when the data units are determined not to be encrypted, temporary packets from the extracted data units, wherein the temporary packets are different from the originally received packets;
  
  an attack detection engine to analyze packets to detect a network attack based on application of an attack definition; and
  
  a forwarding component to selectively forward the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted,wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network to detect a network attack without generating the temporary packets from the received packets, and selectively transmitting those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets,wherein the filter module examines the data units to determine indicators of a size of payloads within the data units and compares the indicators with an actual size for each of the payloads, and extracts the data units based on the result of the comparison.

28. A computer-readable medium comprising instructions that cause a programmable processor within a network device to:
- present a user interface that receives input specifying an attack definition; and
  
  configure a forwarding plane of the network device to receive packets;
  
  determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel;
  
  apply a set of heuristics to the data units to determine whether the data units are encrypted;
  
  when the data units are determined not to be encrypted, extracting the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
  
  when the data units are determined not to be encrypted, generate temporary packets from data units encapsulated within those of the originally received packets determined to be associated with the network tunnel;
  
  apply the attack definition to the temporary packets to detect a network attack by processing the data units within the temporary packets with the network device to identify network elements associated with the data units, forming application-layer communications with protocol-specific decoders to identify application-layer elements, and applying the attack definition to the network elements and the application-layer elements to detect the network attack; and
  
  forward the originally received packets to an egress device of the tunnel based on the application of the attack definition to the temporary packets such that those of the originally received packets sharing the same data units as those of the temporary packets from which the network attack is detected are not transmitted and those of the originally received packets sharing the same data units as those of the temporary packets from which the network attack is not detected are transmitted,wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network to detect a network attack without generating the temporary packets from the received packets, and selectively transmitting those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets,wherein the network device is positioned between the ingress device and the egress device, andwherein the network device is separate from both the ingress device and the egress device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Yang, Siyang, Guruswamy, Kowsik
Primary Examiner(s)
Vaughn, Jr.; William C
Assistant Examiner(s)
RICHARDSON, THOMAS W

Application Number

US11/049,620
Time in Patent Office

2,050 Days
Field of Search

709/223, 370/229, 370/235, 370/357, 370/395.5, 713150-154, 726 2- 4, 726 11- 14, 726/22, 726/23
US Class Current

709/223
CPC Class Codes

G06F 15/173   using an interconnection ne...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detection and prevention of encapsulated network attacks using an intermediate device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and prevention of encapsulated network attacks using an intermediate device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links