Identification of network policy violations

US 7,937,755 B1
Filed: 01/27/2005
Issued: 05/03/2011
Est. Priority Date: 01/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with an intrusion detection and prevention (IDP) device, network traffic flowing between a firewall and one or more computing nodes within a network;

identifying, with the IDP device, packet flows within the network traffic;

processing the packet flows with the IDP device to identify network elements associated with the packet flows;

forming application-layer communications from the packet flows with the IDP device;

processing the application-layer communications with protocol-specific decoders included within the IDP device to identify application-layer elements;

analyzing the application-layer elements to determine whether each of the packet flows represents a network attack;

based on the determination, forwarding packets of the packet flows to a destination identified by each of the packets;

generating profiling data to associate the application-layer elements of the application-layer communications with the network elements of the packet flows;

defining, with the IDP device, a policy violation object that specifies a set of rules for permissible packet flows within the network traffic expected to be output from the firewall, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for the permissible packet flows, and wherein the rules represent policies expected to be implemented by the firewall;

applying, with the IDP device, the policy violation object to the profiling data to identify any of the packet flows within the network traffic output from the firewall that satisfy none of the rules; and

producing, with the IDP device, a report listing the identified packet flows as packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A correlation database stores profiling data that describes packet flows within a network. A network device stores a set of rules for permissible packet flows within the network. The network device queries the correlation database and identifies any of the packet flows within the correlation database that are exceptions to the rules. Each of the rules may specify network elements and application-layer elements to define permissible traffic characteristics for the network.

135 Citations

View as Search Results

14 Claims

1. A method comprising:
- receiving, with an intrusion detection and prevention (IDP) device, network traffic flowing between a firewall and one or more computing nodes within a network;
  
  identifying, with the IDP device, packet flows within the network traffic;
  
  processing the packet flows with the IDP device to identify network elements associated with the packet flows;
  
  forming application-layer communications from the packet flows with the IDP device;
  
  processing the application-layer communications with protocol-specific decoders included within the IDP device to identify application-layer elements;
  
  analyzing the application-layer elements to determine whether each of the packet flows represents a network attack;
  
  based on the determination, forwarding packets of the packet flows to a destination identified by each of the packets;
  
  generating profiling data to associate the application-layer elements of the application-layer communications with the network elements of the packet flows;
  
  defining, with the IDP device, a policy violation object that specifies a set of rules for permissible packet flows within the network traffic expected to be output from the firewall, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for the permissible packet flows, and wherein the rules represent policies expected to be implemented by the firewall;
  
  applying, with the IDP device, the policy violation object to the profiling data to identify any of the packet flows within the network traffic output from the firewall that satisfy none of the rules; and
  
  producing, with the IDP device, a report listing the identified packet flows as packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein applying the policy violation object comprises applying the policy violation object to a database to identify any of the packet flows that are exceptions to the rules.
  - 3. The method of claim 1, wherein applying the policy violation object comprises applying a query to a database.
  - 4. The method of claim 1, wherein at least one of the rules specifies a permissible packet flow and includes a source address range and a destination address range.
  - 5. The method of claim 1, wherein generating profiling data comprises:
    - storing the network elements and the application-layer elements in a database; and
      
      defining relationships within the database to associate the network elements of the packet flows with the application-layer elements of the application-layer communications.
  - 6. The method of claim 5,wherein the network elements comprise data defining hosts associated with the packet flows, data defining peers for each of the packet flows, and data defining ports associated with the packet flows, andwherein defining relationships within the database comprises mapping each of the application-layer elements to a respective one of the peers.
  - 7. The method of claim 5, wherein processing the application-layer communications comprises processing the application-layer communications with protocol-specific decoders for at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder, a Telnet decoder, a Domain Name System (DNS) decoder, a Gopher decoder, a Finger decoder, a Post Office Protocol (POP) decoder, a Secure Socket Layer (SSL) protocol decoder, a Lightweight Directory Access Protocol (LDAP) decoder, a Secure Shell (SSH) decoder, a Server Message Block (SMB) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 8. The method of claim 1, further comprising automatically updating forwarding rules within a forwarding component to drop those of the packet flows that satisfy none of the rules.

9. A system comprising:
- an intrusion detection and prevention (IDP) device; and
  
  a firewall that implements policies and applies the policies to packet flows within a network before forwarding the packet flows to the IDP devicewherein the IDP device includes;
  
  a flow analysis module that receives packet flows output from the firewall, processes the packet flows and identify the network elements associated with the packet flows;
  
  an analysis engine that forms application-layer communications from the packet flows;
  
  a plurality of protocol-specific decoders that process the application-layer communications to generate the application-layer elements;
  
  a stateful inspection engine that analyzes the application-layer elements to determine whether each of the packet flows represents a network attack;
  
  a forwarding component that forwards packets of the packet flows to a destination identified by each of the packets based on the determination,wherein the profiler further generates the profiling data by correlating the application-layer elements of the application-layer communications with the network elements of the packet flows;
  
  a correlation database that stores the profiling data describing the packet flows to which the firewall previously applied the policies;
  
  a user interface by which a user defines a set rules for permissible packet flows expected to be within the network as a policy violation object that identifies one or more of the packet flows to which the firewall has previously applied the policies as the permissible packet flows, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for the packet flows within the network, and wherein the rules represent the policies expected to be implemented by the firewall;
  
  a profiler that queries the correlation database and identifies any of the packet flows within the correlation database that are exceptions to the rules; and
  
  a configuration manager that produces a report listing the identified packet flows as packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the profiling data maps the application-layer elements to the network elements.
  - 11. The system of claim 9, wherein the plurality of protocol-specific decoders include at least one of a HyperText Transfer Protocol (HTTP) decoder, a File Transfer Protocol (FTP) decoder, a Network News Transfer Protocol (NNTP) decoder or a Simple Mail Transfer Protocol (SMTP) decoder.
  - 12. The system of claim 9, wherein the network elements comprise at least one of a network host, network peers, and a network port associated with the network traffic.
  - 13. The system of claim 9, wherein the forwarding component further discards the packet flows that are exceptions to the rules.

14. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
- receive network traffic flowing between a firewall and one or more computing nodes within a network;
  
  identify packet flows within the network traffic;
  
  process the packet flows to identify the network elements associated with the packet flows;
  
  form application-layer communications from the packet flows;
  
  process the application-layer communications to identify application-layer elements;
  
  analyze the application-layer elements to determine whether each of the packet flows represents a network attack;
  
  based on the determination, forward packets of the packet flows to a destination identified by each of the packets;
  
  generate profiling data to associate the application-layer elements of the application-layer communications with the network elements of the packet flows;
  
  store the profiling data to a correlation databasepresent a user interface by which a user defines a policy violation object that specifies a set of rules for a network, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for packet flows expected to be within a network, wherein the rules represent the policies expected to be implemented by the firewall;
  
  query the correlation database storing the profiling data to identify any packet flows within the network traffic output from the firewall that satisfy none of the rules; and
  
  producing a report listing the identified packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Guruswamy, Kowsik
Primary Examiner(s)
Dada; Beemnet W
Assistant Examiner(s)
Schwartz; Darren B

Application Number

US11/044,332
Time in Patent Office

2,287 Days
Field of Search

726 22- 25, 709223-225, 370229-231, 370/235
US Class Current

726/22
CPC Class Codes

H04L 41/5009 Determining service level p...

H04L 63/1416 Event detection, e.g. attac...

Identification of network policy violations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

135 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of network policy violations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links