Multi-stage deep packet inspection for lightweight devices
4 Assignments
0 Petitions
Abstract
A system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). The first stage detects incoming viruses or worms. The second stage detects malicious applications. The third stage detects attempts at intrusion. These three stages operate in sequence, but in alternative embodiments of the invention, they may be applied in a different order. These three stages are followed by a fourth stage that acts as a verification stage. If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.
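The pipeline the abstract describes, written out as an added example (this is not code from the patent or from any product built on it): the three cheap signature stages run on the device in sequence, the first hit is forwarded to a central verification facility backed by a database, and the device acts on the facility's indication. Every signature, packet, threshold and database entry below is constructed for the illustration; the split of checks between device and facility (exact payload lookup centrally, cross-device correlation of scan sources) is an assumption about what "more comprehensive" verification could mean, not something the page specifies.

```python
# Added example of the abstract's pipeline: three local signature stages, then
# escalation to a central verification facility. All signatures, packets and
# database entries are constructed for illustration.
from dataclasses import dataclass
import hashlib

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20
TCP = 6

@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: int
    dst_port: int
    tcp_flags: int
    payload: bytes

# Stage 1 (worm/virus): byte pattern anywhere in the payload.
WORM_SIGNATURES = {"demo-worm-B": b"GET /default.ida?"}
# Stage 2 (application): (proto, dst_port, payload prefix) of a disallowed application.
APP_SIGNATURES = {"demo-p2p-client": (TCP, 6881, b"\x13BitTorrent protocol")}
# Stage 3 (intrusion): TCP flag combination no legitimate stack sends.
INTRUSION_SIGNATURES = {"demo-xmas-scan": FIN | PSH | URG}

def stage_worm(pkt):
    return next((n for n, pat in WORM_SIGNATURES.items() if pat in pkt.payload), None)

def stage_application(pkt):
    for name, (proto, port, prefix) in APP_SIGNATURES.items():
        if pkt.proto == proto and pkt.dst_port == port and pkt.payload.startswith(prefix):
            return name
    return None

def stage_intrusion(pkt):
    if pkt.proto != TCP:
        return None
    return next((n for n, f in INTRUSION_SIGNATURES.items() if pkt.tcp_flags == f), None)

STAGES = (("worm", stage_worm), ("application", stage_application), ("intrusion", stage_intrusion))

class VerificationFacility:
    """Central server plus database: an exact-payload lookup for payload hits, and
    correlation of the reporting source across devices for header-only hits.
    verify() returns (match, confirmed_entry)."""

    def __init__(self, payload_db, scan_threshold=3):
        self.payload_db = payload_db        # sha256(payload) hex -> confirmed threat name
        self.scan_threshold = scan_threshold
        self.scan_reports = {}              # src_ip -> reports received so far

    def verify(self, pkt, stage, local_hit):
        if stage in ("worm", "application"):
            entry = self.payload_db.get(hashlib.sha256(pkt.payload).hexdigest())
            return entry is not None, entry
        count = self.scan_reports[pkt.src_ip] = self.scan_reports.get(pkt.src_ip, 0) + 1
        return (True, local_hit) if count >= self.scan_threshold else (False, None)

class Device:
    """Lightweight device: runs the stages in sequence, forwards the first hit to the
    facility (claim steps d/e) and acts on the indication (step f)."""

    def __init__(self, facility):
        self.facility = facility
        self.blocked_sources = set()
        self.events = []  # (stage, local_hit, confirmed_entry) per escalation

    def inspect(self, pkt):
        if pkt.src_ip in self.blocked_sources:
            return "drop"
        for stage, check in STAGES:
            hit = check(pkt)
            if hit is None:
                continue
            match, entry = self.facility.verify(pkt, stage, hit)
            self.events.append((stage, hit, entry))
            if match:
                if stage == "intrusion":  # confirmed scan: shun the source as well
                    self.blocked_sources.add(pkt.src_ip)
                return "drop"
            # Local hit the facility did not confirm: this device lets it through;
            # a stricter policy would hold or drop it.
            return "allow"
        return "allow"

# Constructed traffic: a benign request, a payload the database knows exactly, a
# variant unknown centrally, three probes from one host, then a later SYN from it.
KNOWN_PAYLOAD = b"GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0\r\n\r\n"
VARIANT_PAYLOAD = b"GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0\r\n\r\n"

def run_demo():
    facility = VerificationFacility({hashlib.sha256(KNOWN_PAYLOAD).hexdigest(): "demo-worm-B"})
    device = Device(facility)
    traffic = [
        Packet("10.0.0.5", TCP, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: d\r\n\r\n"),
        Packet("10.0.0.7", TCP, 80, PSH | ACK, KNOWN_PAYLOAD),
        Packet("10.0.0.8", TCP, 80, PSH | ACK, VARIANT_PAYLOAD),
        *[Packet("10.0.0.9", TCP, 22 + i, FIN | PSH | URG, b"") for i in range(3)],
        Packet("10.0.0.9", TCP, 80, SYN, b""),
    ]
    return device, [device.inspect(p) for p in traffic]
```

Two points a practitioner would check before building this for real. First, `inspect()` blocks on the round trip to the facility; a device that cannot buffer packets has to choose between holding the flow and passing it while the verdict is pending, and that choice is where the fourth stage's security value is won or lost. Second, the unconfirmed path (a local signature hit the database does not know) is allowed through here, which is a policy choice and not something the abstract dictates; the local stages are deliberately cheap substring and tuple comparisons, so their false positives are expected and the facility is what turns a hit into a decision.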
26 Citations
22 Claims

1. A method of inspecting packets to detect an attempt at subverting an information processing computer system, comprising:
(a) determining on the information processing computer system whether a first signature of a received packet matches a signature of a known worm or virus;
(b) determining on the information processing computer system whether a second signature of the received packet matches a signature of a known application;
(c) determining on the information processing computer system whether a third signature of the received packet matches a signature of a known intrusion packet;
(d) if a match is found in any of the above determinations, sending the received packet from the information processing computer system to a central verification facility for further analysis;
(e) receiving, from the central verification facility, an indication that the received packet matches a database entry; and
(f) responding to the indication.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8.)

9. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
a device embedded in an information processing component, said embedded device including:
    a first processor; and
    a first memory in communication with said first processor, said first memory for storing a first plurality of processing instructions for directing said first processor to:
        determine whether a first signature of a received packet matches a signature of a known worm or virus;
        determine whether a second signature of the received packet matches a signature of a known application;
        determine whether a third signature of the received packet matches a signature of a known intrusion packet; and
        if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis;
a central verification facility in communication with said embedded device, said central verification facility including:
    a database;
    a second processor in connection with said database; and
    a second memory in communication with said second processor, said second memory for storing a second plurality of processing instructions for directing said second processor to:
        compare the received packet to a database entry; and
        if the received packet matches the database entry, output an indication of the match;
wherein said first plurality of processing instructions further directs said first processor to:
    receive, from the central verification facility, the indication that the received packet matches the database entry; and
    respond to the indication.
(Dependent claims: 10, 11, 12.)

13. A computer program product comprising a computer useable medium having control logic stored therein for causing a computer to detect an attempt at subverting an information processing system, the control logic comprising:
first computer readable program code means for causing the computer to determine if a first signature of a received packet matches a signature of a known worm or virus;
second computer readable program code means for causing the computer to determine if a second signature of the received packet matches a signature of a known application;
third computer readable program code means for causing the computer to determine if a third signature of the received packet matches a signature of a known intrusion packet;
fourth computer readable program code means for causing the computer to send the received packet to a central verification facility for further analysis, if a match is found in any of the above determinations;
fifth computer readable program code means for causing the computer to receive, from the central verification facility, an indication that the received packet matches a database entry; and
sixth computer readable program code means for causing the computer to respond to the indication.
(Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21.)

22. A system for inspecting packets to detect an attempt at subverting an information processing system, comprising:
a device embedded in an information processing component, said embedded device including:
    a processor; and
    a memory in communication with said processor for storing a first plurality of processing instructions for directing said processor to:
        determine whether a first signature of a received packet matches a signature of a known worm or virus;
        determine whether a second signature of the received packet matches a signature of a known application;
        determine whether a third signature of the received packet matches a signature of a known intrusion packet; and
        if a match is found in any of the above determinations, sending the received packet to a central verification facility for further analysis;
wherein said plurality of processing instructions further directs said processor to:
    receive, from the central verification facility, the indication that the received packet matches the database entry; and
    respond to the indication.

Specification