Switching device, method, and computer program for efficient intrusion detection
23 Assignments
0 Petitions
Abstract
A switching device, method, and computer program utilizes a copy technique to detect unauthorized access to a communications network. An interface of the switching device is connected to receive an original packet and copy the original packet to create a copied packet. A processor within the switching device is operable to analyze information related to the original packet or the copied packet to detect an anomaly related to the original packet or the copied packet. The processor is further operable to cause the copied packet to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly.
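As an added illustration, not the patent's own code or any vendor implementation, the following Python model shows the mechanism the abstract and claims describe: the original packet is always routed, only a budget-limited subset is copied, each copy carries the monitor field, a copy is related to adjacent copies from the same source, and a detected anomaly forwards the copy to the IDS and terminates the associated connection. The SYN-burst heuristic, the use of the claimed "time period for forwarding packets" as the window for relating adjacent copies, and every address, size and limit below are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

# ts: arrival time (s); size: bytes; flags: constructed marker such as "SYN" (no real header parse);
# monitor: the claim's "monitor field", set only on the copy that the processor is to inspect.
Packet = namedtuple("Packet", "ts src dst size flags monitor", defaults=("", False))

class CopyingSwitch:
    def __init__(self, max_bytes, max_packets, copy_window, forward_period, syn_threshold=3):
        # The four limits named in the claims; all values passed in are constructed. forward_period
        # is used here as the window for relating adjacent copies, which is an interpretation.
        self.max_bytes, self.max_packets, self.copy_window = max_bytes, max_packets, copy_window
        self.forward_period, self.syn_threshold = forward_period, syn_threshold
        self.ids_queue, self.terminated = [], set()     # copies sent to the IDS; torn-down flows
        self.copied_bytes = self.copied_count = 0
        self.start_ts, self.syn_times = None, defaultdict(list)

    def _select(self, pkt):
        """Packet selection mechanism: keep copying until any one budget is exhausted."""
        self.start_ts = pkt.ts if self.start_ts is None else self.start_ts
        return (pkt.ts - self.start_ts <= self.copy_window
                and self.copied_count < self.max_packets
                and self.copied_bytes + pkt.size <= self.max_bytes)

    def _anomalous(self, copy):
        """Relate the copy to adjacent copies from the same source: a SYN burst within one period."""
        if "SYN" in copy.flags:
            self.syn_times[copy.src].append(copy.ts)
        recent = [t for t in self.syn_times[copy.src] if copy.ts - t <= self.forward_period]
        return len(recent) >= self.syn_threshold

    def ingest(self, pkt):
        """The original is always routed onward; only a selected subset is copied and inspected."""
        if self._select(pkt):
            copy = pkt._replace(monitor=True)  # the copy carries the monitor field
            self.copied_bytes, self.copied_count = self.copied_bytes + copy.size, self.copied_count + 1
            if copy.monitor and self._anomalous(copy):
                self.ids_queue.append(copy)                # forward the copy to the IDS
                self.terminated.add((copy.src, copy.dst))  # terminate the associated connection
        return pkt  # routing-table lookup omitted; the original is forwarded unchanged

def run_demo():
    """Constructed traffic: two benign flows plus a three-SYN burst from one host."""
    sw = CopyingSwitch(max_bytes=2000, max_packets=6, copy_window=2.0, forward_period=1.0)
    traffic = [Packet(0.0, "10.0.0.1", "10.0.0.2", 500), Packet(0.1, "10.0.0.5", "10.0.0.9", 60, "SYN"),
               Packet(0.2, "10.0.0.5", "10.0.0.9", 60, "SYN"), Packet(0.3, "10.0.0.5", "10.0.0.9", 60, "SYN"),
               Packet(0.4, "10.0.0.1", "10.0.0.2", 1500),  # exceeds the byte budget: routed, not copied
               Packet(0.5, "10.0.0.3", "10.0.0.2", 100), Packet(3.0, "10.0.0.5", "10.0.0.9", 60, "SYN")]
    for pkt in traffic:
        sw.ingest(pkt)
    return sw.copied_count, len(sw.ids_queue), sorted(sw.terminated)
```

Of the seven originals, five are copied (one is refused by the byte budget, one arrives after the copy window), one copy is forwarded to the IDS, and the one SYN-burst connection is terminated.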
317 Citations
19 Claims
1. A switching device for detecting unauthorized access in a communications network, said switching device comprising:
- a plurality of input ports;
- a plurality of output ports;
- switch logic coupled to each of the input ports and output ports, the switch logic comprising a plurality of switch circuits corresponding to the plurality of input ports, each switch circuit operable for receiving incoming original packets from its corresponding input port and copying a selected number of the incoming original packets to create a limited number of copied packets, and wherein the selected number depends on a packet selection mechanism;
- the packet selection mechanism including a maximum byte count, a time period for forwarding packets, a maximum amount of time that received packets should be copied, and a specified number of packets, and wherein the switch logic is operable to route the incoming original packets from each input port to one of the output ports using a routing table;
- a processor operable to analyze information related to the incoming original packets and the limited number of copied packets from each input port to detect an anomaly related to the incoming original packets and the limited number of copied packets from each input port, the processor being further operable to cause the limited number of copied packets to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly, the copied packets including a monitor field which, when set, directs the processor to process the packet to detect an anomaly related to the copied packets;
- wherein the processor is further operable to analyze a copied packet's relationship to adjacent and related packets to detect an anomaly related to the copied packets; and
- wherein when an anomaly is detected said processor terminates a connection associated with said copied packets.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A method for detecting unauthorized access on a switching device in a communications network, the method comprising:
- receiving, by the switching device, a plurality of original packets from a plurality of input ports;
- copying, by the switching device, a selected number of the plurality of received original packets according to a packet selection mechanism, the packet selection mechanism including a maximum byte count, a time period for forwarding packets, a maximum amount of time that received packets should be copied, and a specified number of packets;
- routing, by the switching device, the received original packets to at least one of a plurality of output ports based on a routing table;
- analyzing, by the switching device, information related to the incoming original packets and the limited number of copied packets from each input port to detect an anomaly related to the incoming original packets and the limited number of copied packets from each input port;
- causing, by the switching device, the copied packets to be forwarded to an intrusion detection system within said communications network upon detecting the anomaly, the copied packets including a monitor field which, when set, directs the switching device to process the packet to detect an anomaly related to the copied packet, wherein the switching device is further operable to analyze a copied packet's relationship to adjacent and related packets to detect an anomaly related to the copied packets; and
- wherein when an anomaly is detected said switching device terminates a connection associated with said copied packets.

Dependent claims: 13, 14, 15, 16, 17, 18, 19
Specification