Deep packet scan hacker identification

US 8,001,244 B2
Filed: 04/12/2010
Issued: 08/16/2011
Est. Priority Date: 08/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of securing an accessible computer system, the method comprising:

scanning a plurality of data packets communicated between a plurality of access requestors and an access provider to detect one or more predetermined patterns;

in response to detecting that a number of data packets, transmitted between a first access requestor and the access provider, that include the one or more predetermined patterns exceeds a first configurable threshold, blacklisting the first access requestor; and

in response to detecting the transmission, between a second access requestor and the access provider, of a configurable number of data packets in which an occurrence of the one or more predetermined patterns is below a second configurable threshold, ceasing to scan data packets between the second access requestor and the access provider to detect occurrences of the one or more predetermined patterns.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an accessible computer system typically includes receiving a data packet that includes a payload portion and an attribute portion, where the data packet is communicated between at least one access requestor and at least one access provider. At least the payload portion of the received data packet typically is monitored, where monitoring includes scanning the payload portion for at least one predetermined pattern. When the payload portion is determined to include at least one predetermined pattern, access by the access requestor to the access provider may be controlled . Monitoring the data packet may include scanning the payload portion while handling the data packet with a switch. Controlling access may include denying access by the access requestor to the access provider.

Citations

22 Claims

1. A computer-implemented method of securing an accessible computer system, the method comprising:
- scanning a plurality of data packets communicated between a plurality of access requestors and an access provider to detect one or more predetermined patterns;
  
  in response to detecting that a number of data packets, transmitted between a first access requestor and the access provider, that include the one or more predetermined patterns exceeds a first configurable threshold, blacklisting the first access requestor; and
  
  in response to detecting the transmission, between a second access requestor and the access provider, of a configurable number of data packets in which an occurrence of the one or more predetermined patterns is below a second configurable threshold, ceasing to scan data packets between the second access requestor and the access provider to detect occurrences of the one or more predetermined patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the predetermined pattern comprises a login request message communicated from an access provider to the access requestor.
  - 3. The method of claim 1, wherein the predetermined pattern comprises a login failure message communicated from the access provider to an access requestor.
  - 4. The method of claim 3, wherein the login failure message includes a signature located at a specific offset.
  - 5. The method of claim 3, wherein the login failure message includes login failure reasons.
  - 6. The method of claim 1, wherein blacklisting the first access requestor comprises:
    - decreasing available bandwidth for communications from the first access requestor to the access provider.
  - 7. The method of claim 1, wherein blacklisting the first access requestor comprises:
    - rerouting communications from the first access requestor to the access provider.
  - 8. The method of claim 1, wherein blacklisting the first access requestor comprises:
    - denying communications from the first access requestor to the access provider that occur within a configurable period of time.
  - 9. The method of claim 1, wherein blacklisting the first access requestor comprises:
    - denying communications from the first access requestor to the access provider that include the one or more predetermined patterns.
  - 10. The method of claim 1, further comprising:
    - blacklisting the second access requestor in response to detecting a data packet communicated between the second access requestor and the access provider that includes the one or more predetermined patterns; and
      
      removing the second access requestor from the blacklisting in response to detecting the transmission, between the second access requestor and the access provider, of the configurable number of data packets in which the occurrence of the one or more predetermined patterns is below the second configurable threshold.
  - 11. The method of claim 1, wherein:
    - the first configurable threshold comprises one of a number and a ratio; and
      
      the second configurable threshold comprises one of a number and a ratio.

12. A computer system, comprising:
- a processing system, comprising one or more processors;
  
  a memory device, comprising one or more computer-readable media, wherein the computer-readable media include stored computer instructions that, when executed by the processing system, cause the processing system to perform the operations of;
  
  scanning a plurality of data packets communicated between a plurality of access requestors and an access provider to detect one or more predetermined patterns;
  
  in response to detecting that a number of data packets, transmitted between a first access requestor and the access provider, that include the one or more predetermined patterns exceeds a first configurable threshold, blacklisting the first access requestor; and
  
  in response to detecting the transmission, between a second access requestor and the access provider, of a configurable number of data packets in which an occurrence of the one or more predetermined patterns is below a second configurable threshold, ceasing to scan data packets between the second access requestor and the access provider to detect occurrences of the one or more predetermined patterns.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the predetermined pattern comprises a login request message communicated from an access provider to the access requestor.
  - 14. The system of claim 12, wherein the predetermined pattern comprises a login failure message communicated from the access provider to an access requestor.
  - 15. The system of claim 14, wherein the login failure message includes a signature located at a specific offset.
  - 16. The system of claim 14, wherein the login failure message includes login failure reasons.
  - 17. The system of claim 12, wherein blacklisting the first access requestor comprises:
    - decreasing available bandwidth for communications from the first access requestor to the access provider.
  - 18. The system of claim 12, wherein blacklisting the first access requestor comprises:
    - rerouting communications from the first access requestor to the access provider.
  - 19. The system of claim 12, wherein blacklisting the first access requestor comprises:
    - denying communications from the first access requestor to the access provider that occur within configurable period of time.
  - 20. The system of claim 12, wherein blacklisting the first access requestor comprises:
    - denying communications from the first access requestor to the access provider that include the one or more predetermined patterns.
  - 21. The system of claim 12, the operations executed by the processing system further comprising:
    - blacklisting the second access requestor in response to detecting a data packet communicated between the second access requestor and the access provider that includes the one or more predetermined patterns; and
      
      removing the second access requestor from the blacklisting in response to detecting the transmission, between the second access requestor and the access provider, of the configurable number of data packets in which the occurrence of the one or more predetermined patterns is below the second configurable threshold.
  - 22. The system of claim 12, wherein:
    - the first configurable threshold comprises one of a number and a ratio; and
      
      the second configurable threshold comprises one of a number and a ratio.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
AOL Inc. (Apollo Global Management, Inc.)
Inventors
Jacoby, Brian, Wright, Christopher J.
Primary Examiner(s)
Boutah; Alina N.

Application Number

US12/758,456
Publication Number

US 20100198969A1
Time in Patent Office

491 Days
Field of Search

709217-219, 709223-225, 709/227, 709/229
US Class Current

709/225
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/1416   Event detection, e.g. attac...

Deep packet scan hacker identification

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Deep packet scan hacker identification

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links