Identification of network policy violations
First Claim
1. A method comprising:
- receiving, with an intrusion detection and prevention (IDP) device, network traffic flowing between a firewall and one or more computing nodes within a network;
- identifying, with the IDP device, packet flows within the network traffic;
- processing the packet flows with the IDP device to identify network elements associated with the packet flows;
- forming application-layer communications from the packet flows with the IDP device;
- processing the application-layer communications with protocol-specific decoders included within the IDP device to identify application-layer elements;
- analyzing the application-layer elements to determine whether each of the packet flows represents a network attack;
- based on the determination, forwarding packets of the packet flows to a destination identified by each of the packets;
- generating profiling data to associate the application-layer elements of the application-layer communications with the network elements of the packet flows;
- defining, with the IDP device, a policy violation object that specifies a set of rules for permissible packet flows within the network traffic expected to be output from the firewall, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for the permissible packet flows, and wherein the rules represent policies expected to be implemented by the firewall;
- applying, with the IDP device, the policy violation object to the profiling data to identify any of the packet flows within the network traffic output from the firewall that satisfy none of the rules; and
- producing, with the IDP device, a report listing the identified packet flows as packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.
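The last three steps of claim 1 (define a policy violation object, apply it to the profiling data, report the flows that satisfy none of its rules) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from the patent or its assignee; the record fields, rule fields, IP ranges and sample flows are all constructed assumptions. The "application-layer elements" attached to each record are what claim 1's protocol-specific decoders would have produced, and the example shows why they matter: two of the reported exceptions are on ports the firewall policy permits, and only the decoded application protocol or method exposes them as unexpected.

```python
"""Policy-violation check over IDP profiling data (added example; constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowProfile:
    """One profiling-data record: the network elements of a packet flow
    correlated with the application-layer elements a protocol decoder extracted."""
    flow_id: str
    src_ip: str
    dst_ip: str
    dst_port: int
    transport: str                      # "tcp" or "udp"
    app_protocol: str                   # decoder verdict, e.g. "tls", "http", "dns"
    app_elements: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class PermittedFlowRule:
    """One rule of the policy-violation object. Every non-None field is a
    constraint; None is a wildcard. A rule describes traffic the firewall's
    policy is expected to let through, so a flow matching no rule is an exception."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    transport: Optional[str] = None
    app_protocol: Optional[str] = None
    app_elements: Dict[str, str] = field(default_factory=dict)

    def matches(self, flow: FlowProfile) -> bool:
        """True when the flow satisfies every constraint of this rule."""
        if self.src_net is not None and ip_address(flow.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.transport is not None and flow.transport != self.transport:
            return False
        if self.app_protocol is not None and flow.app_protocol != self.app_protocol:
            return False
        # Application-layer constraints: each listed element must be present and equal.
        return all(flow.app_elements.get(k) == v for k, v in self.app_elements.items())


def find_policy_violations(rules: List[PermittedFlowRule],
                           profiles: List[FlowProfile]) -> List[FlowProfile]:
    """Apply the policy-violation object to the profiling data: return the
    flows that satisfy none of the permissible-flow rules."""
    return [f for f in profiles if not any(r.matches(f) for r in rules)]


def violation_report(rules: List[PermittedFlowRule],
                     profiles: List[FlowProfile]) -> List[str]:
    """Render the exceptions as report lines, one per unexpected flow."""
    return [
        f"{f.flow_id}: {f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.transport} "
        f"app={f.app_protocol} {f.app_elements} (matched no permitted-flow rule)"
        for f in find_policy_violations(rules, profiles)
    ]


# Constructed rules standing in for the firewall policy on an internal segment.
RULES = [
    PermittedFlowRule("inbound-https-to-web-tier", dst_net="10.0.1.0/24",
                      dst_port=443, transport="tcp", app_protocol="tls"),
    PermittedFlowRule("internal-dns-to-resolver", src_net="10.0.0.0/8",
                      dst_net="10.0.0.53/32", dst_port=53, transport="udp",
                      app_protocol="dns"),
    PermittedFlowRule("web-tier-to-api-http-get", src_net="10.0.1.0/24",
                      dst_net="10.0.2.0/24", dst_port=8080, transport="tcp",
                      app_protocol="http", app_elements={"method": "GET"}),
]

# Constructed profiling-data records; addresses and ports are illustrative only.
SAMPLE_PROFILES = [
    FlowProfile("f1", "203.0.113.7", "10.0.1.10", 443, "tcp", "tls",
                {"sni": "www.example.com"}),                  # permitted by rule 1
    FlowProfile("f2", "10.0.1.10", "10.0.0.53", 53, "udp", "dns",
                {"qname": "api.internal.example"}),            # permitted by rule 2
    FlowProfile("f3", "10.0.1.10", "10.0.2.20", 8080, "tcp", "http",
                {"method": "GET", "host": "api.internal"}),    # permitted by rule 3
    FlowProfile("f4", "10.0.1.10", "10.0.2.20", 8080, "tcp", "http",
                {"method": "POST", "host": "api.internal"}),   # right port, wrong method
    FlowProfile("f5", "203.0.113.7", "10.0.1.10", 443, "tcp", "ssh",
                {}),                                           # right port, not TLS
    FlowProfile("f6", "10.0.1.10", "198.51.100.53", 53, "udp", "dns",
                {"qname": "example.org"}),                     # DNS to a non-approved resolver
]

if __name__ == "__main__":
    for line in violation_report(RULES, SAMPLE_PROFILES):
        print(line)
```

Run as a script it prints three report lines, for f4, f5 and f6. Flows f4 and f5 would pass a port-based firewall check; they surface only because the rule carries application-layer elements (the HTTP method, the decoded protocol on port 443), which is the correlation of network and application-layer elements the claim describes.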
Abstract
A correlation database stores profiling data that describes packet flows within a network. A network device stores a set of rules for permissible packet flows within the network. The network device queries the correlation database and identifies any of the packet flows within the correlation database that are exceptions to the rules. Each of the rules may specify network elements and application-layer elements to define permissible traffic characteristics for the network.
135 Citations
14 Claims
1. A method comprising: (independent claim; text identical to the First Claim above; dependent claims 2, 3, 4, 5, 6, 7 and 8)
9. A system comprising:
- an intrusion detection and prevention (IDP) device; and
- a firewall that implements policies and applies the policies to packet flows within a network before forwarding the packet flows to the IDP device, wherein the IDP device includes:
- a flow analysis module that receives packet flows output from the firewall, processes the packet flows and identifies the network elements associated with the packet flows;
- an analysis engine that forms application-layer communications from the packet flows;
- a plurality of protocol-specific decoders that process the application-layer communications to generate the application-layer elements;
- a stateful inspection engine that analyzes the application-layer elements to determine whether each of the packet flows represents a network attack;
- a forwarding component that forwards packets of the packet flows to a destination identified by each of the packets based on the determination, wherein the profiler further generates the profiling data by correlating the application-layer elements of the application-layer communications with the network elements of the packet flows;
- a correlation database that stores the profiling data describing the packet flows to which the firewall previously applied the policies;
- a user interface by which a user defines a set of rules for permissible packet flows expected to be within the network as a policy violation object that identifies one or more of the packet flows to which the firewall has previously applied the policies as the permissible packet flows, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for the packet flows within the network, and wherein the rules represent the policies expected to be implemented by the firewall;
- a profiler that queries the correlation database and identifies any of the packet flows within the correlation database that are exceptions to the rules; and
- a configuration manager that produces a report listing the identified packet flows as packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.
(dependent claims 10, 11, 12 and 13)
14. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
- receive network traffic flowing between a firewall and one or more computing nodes within a network;
- identify packet flows within the network traffic;
- process the packet flows to identify the network elements associated with the packet flows;
- form application-layer communications from the packet flows;
- process the application-layer communications to identify application-layer elements;
- analyze the application-layer elements to determine whether each of the packet flows represents a network attack;
- based on the determination, forward packets of the packet flows to a destination identified by each of the packets;
- generate profiling data to associate the application-layer elements of the application-layer communications with the network elements of the packet flows;
- store the profiling data to a correlation database;
- present a user interface by which a user defines a policy violation object that specifies a set of rules for a network, wherein each of the rules specifies network elements and application-layer elements to define permissible traffic characteristics for packet flows expected to be within a network, wherein the rules represent the policies expected to be implemented by the firewall;
- query the correlation database storing the profiling data to identify any packet flows within the network traffic output from the firewall that satisfy none of the rules; and
- produce a report listing the identified packet flows that are not expected to be present within the network based on the application of the policy violation object to the profiling data generated by the IDP device.
Specification