Switching device, method, and computer program for efficient intrusion detection

US 7,849,506 B1
Filed: 10/12/2004
Issued: 12/07/2010
Est. Priority Date: 10/12/2004
Status: Active Grant

First Claim

Patent Images

1. A switching device for detecting unauthorized access in a communications network, said switching device comprising:

a plurality of input ports;

a plurality of output ports;

switch logic coupled to each of the input ports and output ports, the switch logic comprising,a plurality of switch circuits corresponding to the plurality of input ports, each switch circuit operable for receiving incoming original packets from its corresponding input port and copy a selected number of the incoming original packets to create a limited number of copied packets, and wherein the selected number depends on a packet selection mechanism;

the packet selection mechanism including a maximum byte count, a time period for forwarding packets, a maximum amount of time that received packets should be copied, and a specified number of packets, andwherein the switch logic is operable to route the incoming original packets from each input port to one of the output ports using a routing table;

a processor operable to analyze information related to the incoming original packets and the limited number of copied packets from each input port to detect an anomaly related to the incoming original packets and the limited number of copied packets from each input port, the processor being further operable to cause the limited number of copied packets to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly, the copied packets including a monitor field which when set directs the processor to process the packet to detect an anomaly related to the copied packets;

wherein the processor is further operable to analyze a copied packets relationship to adjacent and related packets to detect an anomaly related to the copied packets; and

wherein when an anomaly is detected said processor terminates a connection associated with said copied packets.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A switching device, method, and computer program utilizes a copy technique to detect unauthorized access to a communications network. An interface of the switching device is connected to receive an original packet and copy the original packet to create a copied packet. A processor within the switching device is operable to analyze information related to the original packet or the copied packet to detect an anomaly related to the original packet or the copied packet. The processor is further operable to cause the copied packet to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly.

317 Citations

19 Claims

1. A switching device for detecting unauthorized access in a communications network, said switching device comprising:
- a plurality of input ports;
  
  a plurality of output ports;
  
  switch logic coupled to each of the input ports and output ports, the switch logic comprising,a plurality of switch circuits corresponding to the plurality of input ports, each switch circuit operable for receiving incoming original packets from its corresponding input port and copy a selected number of the incoming original packets to create a limited number of copied packets, and wherein the selected number depends on a packet selection mechanism;
  
  the packet selection mechanism including a maximum byte count, a time period for forwarding packets, a maximum amount of time that received packets should be copied, and a specified number of packets, andwherein the switch logic is operable to route the incoming original packets from each input port to one of the output ports using a routing table;
  
  a processor operable to analyze information related to the incoming original packets and the limited number of copied packets from each input port to detect an anomaly related to the incoming original packets and the limited number of copied packets from each input port, the processor being further operable to cause the limited number of copied packets to be forwarded to an intrusion detection system within the communications network upon detecting the anomaly, the copied packets including a monitor field which when set directs the processor to process the packet to detect an anomaly related to the copied packets;
  
  wherein the processor is further operable to analyze a copied packets relationship to adjacent and related packets to detect an anomaly related to the copied packets; and
  
  wherein when an anomaly is detected said processor terminates a connection associated with said copied packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The switching device in accordance with claim 1 wherein the switch logic is further operable to route the received incoming original packets towards one or more destination devices identified in the received incoming original packets.
  - 3. The switching device in accordance with claim 1 wherein the processor is operable to set a maximum byte count as the selected number.
  - 4. The switching device in accordance with claim 1 wherein the information relates to the incoming original packets and includes statistical information related to one of the input ports.
  - 5. The switching device in accordance with claim 4 wherein the processor is further operable to perform a task upon detecting the anomaly.
  - 6. The switching device in accordance with claim 5 wherein the incoming original packets is associated with a flow, and wherein the processor is further operable to cause a plurality of packets related to the flow to be forwarded to the intrusion detection system.
  - 7. The switching device in accordance with claim 4 wherein the statistical information is statistical port information of one of the ports maintained by one of the switch circuits corresponding to the one port.
  - 8. The switching device in accordance with claim 1 wherein the information relates to the limited number of copied packets.
  - 9. The switching device in accordance with claim 8 wherein the incoming original packets is associated with a connection, and wherein the task includes terminating the connection.
  - 10. The switching device in accordance with claim 8 wherein the incoming original packets is associated with a flow, and wherein the processor is further operable to cause a plurality of packets related to the flow to be forwarded to an intrusion detection system.
  - 11. The switching device in accordance with claim 1 wherein said processor is further operable to compare the information to a threshold to detect the anomaly.

12. A method for detecting unauthorized access on a switching device in a communications network, the method comprising:
- receiving, by the switching device, a plurality of original packets from a plurality of input ports;
  
  copying, by the switching device, a selected number of the plurality of received original packets according to a packet selection mechanism, the packet selection mechanism including at a maximum byte count, a time period for forwarding packets, a maximum amount of time that received packets should be copied, and a specified number of packets;
  
  routing, by the switching device, the received original packets to at least a one of a plurality of output ports based on a routing table;
  
  analyzing, by the switching device, information related to the incoming original packets and the limited number of copied packets from each input port to detect an anomaly related to the incoming original packets and the limited number of copied packets from each input port;
  
  causing, by the switching device, the copied packets to be forwarded to an intrusion detection system within said communications network upon detecting the anomaly, the copied packets including a monitor field which when set directs the switching device to process the packet to detect an anomaly related to the copied packet, wherein the switching device is further operable to analyze a copied packets relationship to adjacent and related packets to detect an anomaly related to the copied packets; and
  
  wherein when an anomaly is detected said switching device terminates a connection associated with said copied packets.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method in accordance with claim 12 further comprising:
    - routing the received plurality of original packets towards one more destination devices identified in received original packets.
  - 14. The method in accordance with claim 12 further comprising:
    - setting a maximum byte count as the selected number.
  - 15. The method in accordance with claim 12 wherein the information relates to the incoming original packets and includes statistical information related to one of the input ports.
  - 16. The method in accordance with claim 15 further comprising:
    - performing a task upon detecting the anomaly.
  - 17. A method in accordance with claim 16 wherein the incoming original packets is associated with a flow, and the method further comprises:
    - causing a plurality of packets related to the flow to be forwarded to the intrusion detection system.
  - 18. The method in accordance with claim 12 further comprising:
    - performing a task upon detecting the anomaly.
  - 19. A method in accordance with claim 18 wherein at the incoming original packets is associated with a flow, and the method further comprises:
    - causing a plurality of packets related to the flow to be forwarded to an intrusion detection system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Dansey, Stephen Thomas, Kuc, Zenon
Primary Examiner(s)
Moise, Emmanuel L
Assistant Examiner(s)
PHAM, LUU T

Application Number

US10/964,213
Time in Patent Office

2,247 Days
Field of Search

726/25
US Class Current

726/22
CPC Class Codes

H04L 49/208 Port mirroring

H04L 63/1416 Event detection, e.g. attac...

Switching device, method, and computer program for efficient intrusion detection

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

317 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Switching device, method, and computer program for efficient intrusion detection

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

317 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others