Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

US 8,069,352 B2
Filed: 02/28/2007
Issued: 11/29/2011
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:

(A) determining which timestamp policy of plural different timestamp policies corresponds to an operating system of a target receiving the segments in a TCP connection, the different time stamp policies respectively corresponding to different operating systems;

(B) identifying a baseline timestamp based on a three way handshake in the TCP connection;

(C) monitoring, in a processor disposed between an origination and a destination of the TCP connection, segments in the TCP connection; and

(D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the operating system of the target, the timestamp policy indicating whether the processor is to filter out or forward the segments to the target based on the operating system of the target by comparing the timestamp of the segments to the baseline timestamp, the segments in the TCP connection further being filtered out and forwarded to the target differently by the different time stamp policies based on the kind of operating system,the segments in the TCP connection further being filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and

the segments in the TCP connection further being filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps,wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.

Citations

12 Claims

1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:
- (A) determining which timestamp policy of plural different timestamp policies corresponds to an operating system of a target receiving the segments in a TCP connection, the different time stamp policies respectively corresponding to different operating systems;
  
  (B) identifying a baseline timestamp based on a three way handshake in the TCP connection;
  
  (C) monitoring, in a processor disposed between an origination and a destination of the TCP connection, segments in the TCP connection; and
  
  (D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the operating system of the target, the timestamp policy indicating whether the processor is to filter out or forward the segments to the target based on the operating system of the target by comparing the timestamp of the segments to the baseline timestamp, the segments in the TCP connection further being filtered out and forwarded to the target differently by the different time stamp policies based on the kind of operating system,the segments in the TCP connection further being filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
  
  the segments in the TCP connection further being filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps,wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the monitoring is performed in accordance with a TCP layer.
  - 3. The method according to claim 1, wherein the segments are formatted according to a TCP layer format.
  - 4. The method according to claim 1, wherein the filtering further comprises evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target, relative to the timestamps of prior segments in the sequence.

5. A computer system for detecting or preventing intrusion, comprising:
- (A) a unit configured to facilitate determining a kind of operating system associated with a target, in response to an indication of the target in segments in a transmission control protocol (TCP) connection; and
  
  (B) a segment filtering unit configured to facilitate determining which timestamp policy of plural different timestamp policies corresponds to the kind of operating system associated with the target of the segments in the TCP connection, the different time stamp policies respectively corresponding to different kinds of operating systems, the timestamp policy indicating whether the segments are to be filtered out or retained for the target based on the kind of operating system of the target by comparing the timestamp of the segments to a baseline timestamp, the baseline timestamp being based on a three way handshake in the TCP connection, and forwarding the segments in the TCP connection to the target if retained, the segments in the TCP connection further being filtered out and forwarded differently by the different time stamp policies based on the kind of operating system,wherein the segments in the TCP connection are filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
  
  the segments in the TCP connection are filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps,wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
- View Dependent Claims (6, 7, 8)
- - 6. The computer system according to claim 5, further comprising an intrusion detection/prevention unit to detect an intrusion in the segments, wherein the segment filtering unit provides the filtered segments to the intrusion detection/prevention unit.
  - 7. The computer system according to claim 5, further comprising a receiving unit configured to facilitate receiving segments in the TCP connection, wherein the segments are received in accordance with a TCP layer.
  - 8. The computer system according to claim 5, wherein the segment filtering unit is further configured to evaluate sequence numbers identified in the segments to determine whether the timestamp is valid for the target, relative to the timestamps of prior segments in the sequence.

9. A non-transitory computer-readable medium comprising instructions for execution by a processor, the instructions including a computer-implemented method performed in an intrusion detection/prevention system, for analyzing segments in a transmission control protocol (TCP) connection in a communication network, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp and a field for a sequence number, the instructions for implementing:
- (A) monitoring, in a processor disposed between an origination and the destination of the TCP connection, a plurality of segments in a TCP connection;
  
  (B) identifying a kind of operating system associated with the target receiving the segments in the TCP connection, and determining which timestamp policy of plural different timestamp policies corresponds to the kind of operating system of the target, the different time stamp policies respectively corresponding to different operating systems;
  
  (C) filtering the segments in the TCP connection as indicated in a timestamp policy corresponding to the kind of operating system target, the timestamp policy indicating whether the processor is to filter out or forward the segments to the target based on the kind of operating system of the target by comparing the timestamp of the segments to the baseline timestamp and by evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target relative to the timestamps of prior segments in the sequence according to the sequence numbers, the segments in the TCP connection further being filtered out and forwarded differently by different time stamp policies based on the kind of operating system; and
  
  (D) setting the baseline timestamp to the timestamp in the first TCP segment expected after the handshake if properly received, if the timestamp in the three way handshake is zero,wherein the segments in the TCP connection are filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
  
  the segments in the TCP connection are filtered out and forwarded differently to the target by the different time stamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable medium according to claim 9, further comprising instructions for setting the baseline timestamp to the timestamp in the next segment which is received properly according to the timestamp policy.
  - 11. The non-transitory computer-readable medium according to claim 9, further comprising instructions for setting the baseline timestamp to the timestamp in the three way handshake, if the timestamp in the three way handshake is non-zero.
  - 12. The non-transitory computer-readable medium according to claim 9, further comprising instructions for receiving the segments in the TCP connection, wherein the segments are received in accordance with a TCP layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Novak, Judy Hollis, Sturges, Steven
Primary Examiner(s)
Dada; Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/711,876
Publication Number

US 20080209518A1
Time in Patent Office

1,735 Days
Field of Search

726/3, 726/22, 726/23, 726/24, 726/25, 726/26, 713/178, 713/188, 380/35, 380/36, 380/218
US Class Current

713/178
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links