Multi-stage deep packet inspection for lightweight devices

US 7,853,689 B2
Filed: 10/12/2007
Issued: 12/14/2010
Est. Priority Date: 06/15/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method of inspecting packets to detect an attempt at subverting an information processing computer system, comprising:

(a) determining on the information processing computer system whether a first signature of a received packet matches a signature of a known worm or virus;

(b) determining on the information processing computer system whether a second signature of the received packet matches a signature of a known application;

(c) determining on the information processing computer system whether a third signature of the received packet matches a signature of a known intrusion packet;

(d) if a match is found in any of the above determinations, sending the received packet from the information processing computer system to a central verification facility for further analysis;

(e) receiving, from the central verification facility, an indication that the received packet matches a database entry; and

(f) responding to the indication.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.

26 Citations

View as Search Results

22 Claims

1. A method of inspecting packets to detect an attempt at subverting an information processing computer system, comprising:
- (a) determining on the information processing computer system whether a first signature of a received packet matches a signature of a known worm or virus;
  
  (b) determining on the information processing computer system whether a second signature of the received packet matches a signature of a known application;
  
  (c) determining on the information processing computer system whether a third signature of the received packet matches a signature of a known intrusion packet;
  
  (d) if a match is found in any of the above determinations, sending the received packet from the information processing computer system to a central verification facility for further analysis;
  
  (e) receiving, from the central verification facility, an indication that the received packet matches a database entry; and
  
  (f) responding to the indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein steps (a) through (d) are performed in a device embedded in an information processing component of the information processing computer system.
  - 3. The method of claim 2, wherein said embedded device comprises a cable modem.
  - 4. The method of claim 2, wherein said information processing component comprises a router.
  - 5. The method of claim 1, wherein step (a) comprises:
    - (i) determining the first signature on the basis of the received packet;
      
      (ii) comparing the first signature to the signature of the known worm or virus; and
      
      (iii) if the first signature is equal to the signature of the known worm or virus, setting an alert flag.
  - 6. The method of claim 1, wherein step (b) comprises:
    - (i) determining the second signature on the basis of the received packet;
      
      (ii) comparing the second signature to the signature of the known application; and
      
      (iii) if the second signature is equal to the signature of the known application, setting an alert flag.
  - 7. The method of claim 1, wherein step (c) comprises:
    - (i) determining the third signature on the basis of the received packet;
      
      (ii) comparing the third signature to the signature of the known intrusion packet; and
      
      (iii) if the third signature is equal to the signature of the known intrusion packet, setting an alert flag.
  - 8. The method of claim 1, further comprising:
    - (g) receiving the received packet at the central verification facility;
      
      (h) comparing the received packet to a database entry; and
      
      (i) if the received packet matches the database entry, outputting an indication of the match.

9. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
- a device embedded in an information processing component, said embedded device including;
  
  a first processor; and
  
  a first memory in communication with said first processor, said first memory for storing a first plurality of processing instructions for directing said first processor todetermine whether a first signature of a received packet matches a signature of a known worm or virus;
  
  determine whether a second signature of the received packet matches a signature of a known application;
  
  determine whether a third signature of the received packet matches a signature of a known intrusion packet; and
  
  if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis;
  
  a central verification facility in communication with said embedded device, said central verification facility including;
  
  a database;
  
  a second processor in connection with said database; and
  
  a second memory in communication with said second processor, said second memory for storing a second plurality of processing instructions for directing said second processor to;
  
  compare the received packet to a database entry; and
  
  if the received packet matches the database entry, output an indication of the match;
  
  wherein said first plurality of processing instructions further directs said first processor to;
  
  receive, from the central verification facility, the indication that the received packet matches the database entry; and
  
  respond to the indication.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein said embedded device comprises a cable modem.
  - 11. The system of claim 9, wherein said information processing component comprises a router.
  - 12. The system of claim 9, wherein said central verification facility comprises:
    - a server that comprises said second processor; and
      
      a database, accessible by the server, that stores said database entry.

13. A computer program product comprising a computer useable medium having control logic stored therein for causing a computer to detect an attempt at subverting an information processing system, the control logic comprising:
- first computer readable program code means for causing the computer to determine if a first signature of a received packet matches a signature of a known worm or virus;
  
  second computer readable program code means for causing the computer to determine if a second signature of the received packet matches a signature of a known application;
  
  third computer readable program code means for causing the computer to determine if a third signature of the received packet matches a signature of a known intrusion packet;
  
  fourth computer readable program code means for causing the computer to send the received packet to a central verification facility for further analysis, if a match is found in any of the above determinations;
  
  fifth computer readable program code means for causing the computer to receive, from the central verification facility, an indication that the received packet matches a database entry; and
  
  sixth computer readable program code means for causing the computer to respond to the indication.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer program product of claim 13, wherein the computer is in a device embedded in an information processing component.
  - 15. The computer program product of claim 14, wherein said embedded device comprises a cable modem.
  - 16. The computer program product of claim 13, wherein said first computer readable program code means comprises means for causing the computer to:
    - determine the first signature on a basis of the received packet;
      
      compare the first signature to the signature of the known worm or virus; and
      
      if the first signature is equal to the signature of the known worm or virus, set an alert flag.
  - 17. The computer program product of claim 13, wherein said second computer readable program code means comprises means for causing the computer to:
    - determine the second signature on a basis of the received packet;
      
      compare the second signature to the signature of the known application; and
      
      if the second signature is equal to the signature of the known application, set an alert flag.
  - 18. The computer program product of claim 13, wherein said third computer readable program code means comprises means for causing the computer to:
    - determine the third signature on a basis of the received packet;
      
      compare the third signature to the signature of the known intrusion packet; and
      
      if the third signature is equal to the signature of the known intrusion packet, set an alert flag.
  - 19. The computer program product of claim 13, wherein said sixth computer readable program code means comprises means for terminating a data stream that comprises the received packet.
  - 20. The computer program product of claim 13, wherein said sixth computer readable program code means comprises means for causing the computer to add a source interne protocol (IP) address of the received packet to a blacklist.
  - 21. The computer program product of claim 13, wherein said sixth computer readable program code means comprises means for causing the computer to inform a central monitoring system of a subversion attempt.

22. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
- a device embedded in an information processing component, said embedded device including;
  
  a processor; and
  
  a memory in communication with said processor for storing a first plurality of processing instructions for directing said processor to determine whether a first signature of a received packet matches a signature of a known worm or virus;
  
  determine whether a second signature of the received packet matches a signature of a known application;
  
  determine whether a third signature of the received packet matches a signature of a known intrusion packet; and
  
  if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis;
  
  wherein said plurality of processing instructions further directs said processor to;
  
  receive, from the central verification facility, the indication that the received packet matches the database entry; and
  
  respond to the indication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Enderby, Russell
Primary Examiner(s)
Osman; Ramy M

Application Number

US11/871,866
Publication Number

US 20080313738A1
Time in Patent Office

1,159 Days
Field of Search

709/224, 709/225, 709/238, 709/203, 709/217, 709/219, 726 23- 25
US Class Current

709/224
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/2115   Third party

H04L 63/1416   Event detection, e.g. attac...

Multi-stage deep packet inspection for lightweight devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-stage deep packet inspection for lightweight devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links