Secure gateway with firewall and intrusion detection capabilities

US 8,176,553 B1
Filed: 11/13/2002
Issued: 05/08/2012
Est. Priority Date: 06/29/2001
Status: Active Grant

First Claim

Patent Images

1. A method for detecting attacks on a network, comprising:

receiving data at a gateway from a remote source, the data destined for a target;

discarding at least a portion of the data based on a predetermined set of rules utilizing a firewall associated with the gateway which is coupled to the remote source, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;

passing that portion of the data not discarded to an intrusion detection system coupled to the firewall;

receiving the portion of data not discarded utilizing the intrusion detection system;

parsing the portion of data not discarded to identify data representing text therein utilizing the intrusion detection system;

comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks utilizing the intrusion detection system, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise;

identifying the portion of data not discarded representing text as hostile based on the comparison;

acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source; and

updating the predetermined list of data representing text associated with attacks;

wherein the firewall and the intrusion detection system are included in a single device;

wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the data representing text identified as hostile is acted upon;

wherein the text includes ASCII characters and UNICODE characters;

wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;

wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided. Initially, data is received from a remote source which is destined for a target. A portion of such data is discarded based on a predetermined set of rules utilizing a firewall. Further, the data is compared to a predetermined list of data associated with attacks utilizing an intrusion detection system. Based on the comparison, some of the data is marked as hostile. The data that is marked as hostile is then acted upon in order to prevent an attack.

103 Citations

View as Search Results

20 Claims

1. A method for detecting attacks on a network, comprising:
- receiving data at a gateway from a remote source, the data destined for a target;
  
  discarding at least a portion of the data based on a predetermined set of rules utilizing a firewall associated with the gateway which is coupled to the remote source, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
  
  passing that portion of the data not discarded to an intrusion detection system coupled to the firewall;
  
  receiving the portion of data not discarded utilizing the intrusion detection system;
  
  parsing the portion of data not discarded to identify data representing text therein utilizing the intrusion detection system;
  
  comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks utilizing the intrusion detection system, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise;
  
  identifying the portion of data not discarded representing text as hostile based on the comparison;
  
  acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source; and
  
  updating the predetermined list of data representing text associated with attacks;
  
  wherein the firewall and the intrusion detection system are included in a single device;
  
  wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the data representing text identified as hostile is acted upon;
  
  wherein the text includes ASCII characters and UNICODE characters;
  
  wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
  
  wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
- View Dependent Claims (2, 3, 4, 5, 16, 17, 18, 19, 20)
- - 2. The method as recited in claim 1, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters including the source, the destination, and the port associated with the data.
  - 3. The method as recited in claim 1, wherein the data representing text of the predetermined list refers to different types of attacks including the information gathering attacks, the web server denial of service attack, and the file server remote compromise.
  - 4. The method as recited in claim 1, wherein the predetermined list of data representing text associated with attacks is manually updated.
  - 5. The method as recited in claim 1, wherein the attacks include a SYN flood attack, ping of death, IP spoof, malformed packet attack, ACK storm, forged source address attack, network probe, packet fragmentation attack, session hijack, log overflow attack, SNMP attack, log manipulation, ICMP broadcast flooding, source routed packet, land attack, DNS cache corruption, ARP attack, mail spamming attack, ghost routing attack, DNS denial of service, sequence number predict, FTP bounce attack, port call attack, buffer overflow, ICMP protocol tunnel, mail exploit, VPN key generation attack, and authentication race attack.
  - 16. The method as recited in claim 1, wherein the identifier corresponds to the type of the attack associated with the portion of data not discarded representing text identified as hostile.
  - 17. The method as recited in claim 1, wherein an excessive ICMP traffic attack initiates a response including an alert.
  - 18. The method as recited in claim 1, wherein a web server denial of service attack initiates a response including an alert and blocking traffic.
  - 19. The method as recited in claim 1, wherein a file server remote compromise attack initiates a response including an alert and disconnecting a user.
  - 20. The method as recited in claim 1, wherein the table outlines a plurality of identifiers, a plurality of types of attacks and a plurality of responses, wherein each identifier of the plurality of identifiers is associated with a particular type of attack and at least one response.

6. A gateway system for detecting attacks on a network, comprising:
- a firewall for receiving data from a remote source, the data destined for a target, and discarding at least a portion of the data based on a predetermined set of rules, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
  
  an intrusion detection system coupled to the firewall for receiving that portion of the data not discarded, parsing the portion of data not discarded to identify data representing text therein, and comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise, the intrusion detection system further capable of identifying the portion of data not discarded representing text as hostile based on the comparison, and acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source, the intrusion detection system further capable of updating the predetermined list of data representing text associated with attacks;
  
  wherein the firewall and the intrusion detection system are included in a single device;
  
  wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the portion of data not discarded representing text identified as hostile is acted upon;
  
  wherein the text includes ASCII characters and UNICODE characters;
  
  wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
  
  wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system as recited in claim 6, wherein the firewall utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters including the source, the destination, and the port associated with the data.
  - 8. The system as recited in claim 6, wherein the data representing text of the predetermined list refers to different types of attacks including the information gathering attacks, the web server denial of service attack, and the file server remote compromise.
  - 9. The system as recited in claim 6, wherein the predetermined list of data representing text associated with attacks is manually updated.
  - 10. The system as recited in claim 6, wherein the attacks include a SYN flood attack, ping of death, IP spoof, malformed packet attack, ACK storm, forged source address attack, network probe, packet fragmentation attack, session hijack, log overflow attack, SNMP attack, log manipulation, ICMP broadcast flooding, source routed packet, land attack, DNS cache corruption, ARP attack, mail spamming attack, ghost routing attack, DNS denial of service, sequence number predict, FTP bounce attack, port call attack, buffer overflow, ICMP protocol tunnel, mail exploit, VPN key generation attack, and authentication race attack.

11. A computer program product embodied on a non-transitory computer readable medium for detecting attacks on a network, comprising:
- firewall computer code for receiving data from a remote source, the data destined for a target, and discarding at least a portion of the data based on a predetermined set of rules, wherein the firewall computer code utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters selected from the group consisting of a source, a destination, and a port associated with the data;
  
  intrusion detection system computer code in communication with the firewall computer code for receiving that portion of the data not discarded, parsing the portion of data not discarded to identify data representing text therein, and comparing the portion of data not discarded representing text to a predetermined list of data representing text associated with attacks, wherein the data representing text of the predetermined list refers to different types of attacks selected from the group consisting of information gathering attacks, a web server denial of service attack, and a file server remote compromise, the intrusion detection system computer code further capable of identifying the portion of data not discarded representing text as hostile based on the comparison, and acting on the portion of data not discarded representing text identified as hostile in order to prevent an attack, wherein the portion of data not discarded representing text identified as hostile is acted upon differently based on the type of the attack by at least one of blocking the data, alerting an administrator, and disconnecting the remote source, the intrusion detection system computer code further capable of updating the predetermined list of data representing text associated with attacks;
  
  wherein the firewall and the intrusion detection system are included in a single device;
  
  wherein the portion of data not discarded representing text identified as hostile is marked with an identifier from a table based on the comparison, the identifier being used to determine the manner in which the portion of data not discarded representing text identified as hostile is acted upon;
  
  wherein the text includes ASCII characters and UNICODE characters;
  
  wherein the comparing, identifying, and acting further involves binary data, in order to identify binary data that is hostile;
  
  wherein the portion of data not discarded is assembled utilizing the intrusion detection system using header information associated with one or more packets comprising the portion of data not discarded.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product as recited in claim 11, wherein the firewall computer code utilizes the predetermined set of rules to discard the at least a portion of data as a function of a plurality of parameters including the source, the destination, and the port associated with the data.
  - 13. The computer program product as recited in claim 11, wherein the data representing text of the predetermined list refers to different types of attacks including the information gathering attacks, the web server denial of service attack, and the file server remote compromise.
  - 14. The computer program product as recited in claim 11, wherein the predetermined list of data representing text associated with attacks is manually updated.
  - 15. The computer program product as recited in claim 11, wherein the attacks include a SYN flood attack, ping of death, IP spoof, malformed packet attack, ACK storm, forged source address attack, network probe, packet fragmentation attack, session hijack, log overflow attack, SNMP attack, log manipulation, ICMP broadcast flooding, source routed packet, land attack, DNS cache corruption, ARP attack, mail spamming attack, ghost routing attack, DNS denial of service, sequence number predict, FTP bounce attack, port call attack, buffer overflow, ICMP protocol tunnel, mail exploit, VPN key generation attack, and authentication race attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Magdych, James S., Rahmanovic, Tarik, McDonald, John R., Tellier, Brock E., Osborne, Anthony C., Herath, Nishad P.
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US10/294,255
Time in Patent Office

3,464 Days
Field of Search

726/1, 726 11- 13, 726 22- 26, 713/188, 713/153, 709/223, 709/224
US Class Current

726/23
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Secure gateway with firewall and intrusion detection capabilities

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure gateway with firewall and intrusion detection capabilities

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links