Compound attack detection in a computer network
Abstract
An intrusion detection and prevention (IDP) device includes an attack detection module and a forwarding component. The attack detection module applies a compound attack definition to a packet flow of a computer network to determine whether the packet flow includes at least one pattern and at least one protocol anomaly. The forwarding component selectively discards the packet flow based on the determination. The IDP device may further include a reassembly module to form application-layer communications from the packet flows, and a plurality of protocol-specific decoders to process the application-layer communications to extract application-layer elements and detect protocol anomalies.
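The mechanism the abstract and claims 26 and 28 describe, as an added worked example in Python (illustration written for this page, not code from the patent or from any product): a minimal protocol-specific decoder turns a reassembled HTTP request into application-layer elements with byte offsets, a pattern member matches a literal byte string, a protocol-anomaly member checks a relationship between elements (a Content-Length header that disagrees with the body actually delivered), and a compound definition requires both to occur in a specified order before the flow is discarded. The choice of HTTP, the Content-Length anomaly, the eight-byte sled used as the pattern, the sample flows, and ordering by byte offset are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Element:
    """An application-layer element and the byte offset at which it begins in
    the reassembled flow; the offset is what lets occurrences be ordered."""
    kind: str      # "request-line", "header" or "body"
    name: bytes    # lower-cased header name, b"" for the other kinds
    value: bytes
    offset: int


def decode_http_request(flow: bytes) -> List[Element]:
    """Minimal protocol-specific decoder for one HTTP/1.x request (assumed
    protocol). Returns [] when the bytes do not parse, so no member can fire."""
    head, sep, body = flow.partition(b"\r\n\r\n")
    if not sep:
        return []
    elements, pos = [], 0
    for i, line in enumerate(head.split(b"\r\n")):
        if i == 0:
            elements.append(Element("request-line", b"", line, pos))
        else:
            name, _, value = line.partition(b":")
            elements.append(Element("header", name.strip().lower(), value.strip(), pos))
        pos += len(line) + 2        # skip the CRLF that ended this line
    elements.append(Element("body", b"", body, len(head) + len(sep)))
    return elements


# A member of a compound definition: given the raw flow and its decoded
# elements, return every byte offset at which the member is satisfied.
Member = Callable[[bytes, List[Element]], List[int]]


def binary_pattern(pattern: bytes) -> Member:
    """Pattern member: literal byte-string match against the raw flow."""
    def find(flow: bytes, _elements: List[Element]) -> List[int]:
        hits, start = [], 0
        while (i := flow.find(pattern, start)) != -1:
            hits.append(i)
            start = i + 1
        return hits
    return find


def content_length_mismatch(flow: bytes, elements: List[Element]) -> List[int]:
    """Protocol-anomaly member: Content-Length disagrees with the body delivered.
    This is a relationship between two elements (header and body), which a byte
    pattern on its own cannot express."""
    body = next((e for e in elements if e.kind == "body"), None)
    hits = []
    for e in elements:
        if e.kind == "header" and e.name == b"content-length":
            if not e.value.isdigit() or body is None or int(e.value) != len(body.value):
                hits.append(e.offset)
    return hits


@dataclass
class CompoundAttack:
    name: str
    members: List[Tuple[str, Member]]   # in the order they must occur in the flow


def apply_compound(defn: CompoundAttack, flow: bytes) -> Optional[List[Tuple[str, int]]]:
    """Apply one compound definition to a reassembled flow. Members are applied
    in the specified order; a later member is evaluated only after the earlier
    one matched, and its occurrence must lie at a higher offset. Returns the
    matched (label, offset) sequence as evidence, or None."""
    elements = decode_http_request(flow)
    evidence, floor = [], -1
    for label, member in defn.members:
        later = [off for off in member(flow, elements) if off > floor]
        if not later:
            return None
        floor = min(later)
        evidence.append((label, floor))
    return evidence


def forward_or_discard(defns: List[CompoundAttack], flow: bytes) -> Tuple[str, Optional[str]]:
    """Forwarding decision: discard on the first definition that matches."""
    for d in defns:
        if apply_compound(d, flow) is not None:
            return "discard", d.name
    return "forward", None


# Constructed sample data; the sled bytes are illustrative, not a real signature.
SLED = b"\x90" * 8
PATTERN_THEN_ANOMALY = CompoundAttack(
    "sled-in-target-then-length-mismatch",
    [("pattern", binary_pattern(SLED)), ("anomaly", content_length_mismatch)])
ANOMALY_THEN_PATTERN = CompoundAttack(
    "length-mismatch-then-sled-in-target",
    [("anomaly", content_length_mismatch), ("pattern", binary_pattern(SLED))])

FLOW_ATTACK = (b"POST /cgi-bin/" + SLED + b" HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Length: 4\r\n"
               b"\r\n"
               b"payload")                     # 7 bytes delivered, 4 declared
FLOW_SLED_ONLY = FLOW_ATTACK.replace(b"Content-Length: 4", b"Content-Length: 7")
FLOW_MISMATCH_ONLY = FLOW_ATTACK.replace(SLED, b"status.cgi")

if __name__ == "__main__":
    for label, flow in [("attack", FLOW_ATTACK), ("sled only", FLOW_SLED_ONLY),
                        ("mismatch only", FLOW_MISMATCH_ONLY)]:
        print(label, forward_or_discard([PATTERN_THEN_ANOMALY], flow),
              apply_compound(ANOMALY_THEN_PATTERN, flow))
```

Only the flow that carries both the pattern and the anomaly, in the order the definition specifies, is discarded; the same bytes evaluated against the reversed order are forwarded, and a flow with only one of the two members never reaches the discard decision.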
29 Claims
1. A method comprising:
presenting, with a network device, a user interface to define a compound attack definition for detecting a network attack identified by ordered occurrences in a packet flow of both at least one pattern and at least one protocol anomaly, wherein the at least one pattern identifies a binary pattern associated with a network attack that is different from the at least one protocol anomaly, and wherein the user interface includes a first input to select the at least one pattern, a second input to select the at least one protocol anomaly, and a third input that specifies an order in which the at least one pattern and the at least one protocol anomaly must occur in the packet flow for the compound attack definition to determine that the packet flow constitutes the network attack;
receiving, with the network device, input data selecting the at least one protocol anomaly, the at least one pattern and the order via the respective first, second and third inputs of the user interface to define the compound attack definition for detecting the network attack;
applying, with the network device, the compound attack definition to a packet flow of a computer network to determine whether the packet flow constitutes the network attack in that the packet flow includes both of the at least one pattern and the at least one protocol anomaly in the order specified by the compound attack definition; and
selectively discarding, with the network device, the packet flow based on the determination of whether the packet flow constitutes the network attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 27
13. A network device comprising:
a processor;
a user interface to define a compound attack definition for detecting a network attack identified by ordered occurrences in a packet flow of both at least one pattern and at least one protocol anomaly in a packet flow, wherein the at least one pattern identifies a binary pattern associated with a network attack that is different from the at least one protocol anomaly, and wherein the user interface includes a first input to select the at least one pattern, a second input to select the at least one protocol anomaly, and a third input that selects an order in which the at least one pattern and the at least one protocol anomaly must occur in the packet flow for the compound attack definition to determine that the packet flow constitutes the network attack, wherein the user interface receives input data selecting the at least one protocol anomaly, the at least one pattern and the order via the respective first, second and third inputs of the user interface to define the compound attack definition for detecting the network attack;
an attack detection module to apply the compound attack definition to a packet flow of a computer network to determine whether the packet flow constitutes the network attack in that the packet flow includes both of the at least one pattern and the at least one protocol anomaly in the order specified by the compound attack definition; and
a forwarding component to selectively discard the packet flow based on the determination of whether the packet flow constitutes the network attack.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
25. A non-transitory computer-readable medium comprising instructions that cause a programmable processor within a network device to:
present a user interface that receives input specifying a compound attack definition for detecting a network attack identified by ordered occurrences in a packet flow of both at least one pattern and at least one protocol anomaly, wherein the at least one pattern identifies a binary pattern associated with a network attack that is different from the at least one protocol anomaly, and wherein the user interface includes a first input by which to receive the input defining the at least one pattern, a second input by which to receive the input defining the at least one protocol anomaly, and a third input by which to receive the input defining an order in which the at least one pattern and the at least one protocol anomaly must occur in the packet flow for the compound attack definition to determine that the packet flow constitutes the network attack;
configure a forwarding plane of a network device to apply the compound attack definition to a packet flow of a computer network to determine whether the packet flow constitutes the network attack in that the packet flow includes both of the at least one pattern and the at least one protocol anomaly in the order specified by the compound attack definition; and
selectively discard with the forwarding plane the packet flow based on the determination of whether the packet flow constitutes the network attack.
26. A method comprising:
storing, within a network device, a compound attack definition for detecting a network attack identified by ordered occurrences in a packet flow of both at least one pattern and at least one protocol anomaly, wherein the at least one pattern identifies a binary pattern associated with a network attack that is different from the at least one protocol anomaly, and wherein the compound attack definition specifies all of: (i) the at least one pattern of the network attack, (ii) the at least one protocol anomaly of the network attack and (iii) an order in which the at least one pattern and the at least one protocol anomaly occur within the packet flow of the computer network to identify the network attack;
applying, with the network device, the compound attack definition to a packet flow of a computer network by: (i) processing the packet flow with protocol-specific decoders to identify application-layer elements; and (ii) analyzing the application-layer elements to determine whether the packet flow constitutes the network attack in that (i) the at least one pattern is present within the application-layer elements, (ii) the at least one protocol anomaly is detected within relationships between the application-layer elements, and (iii) the pattern and protocol anomaly occur within the packet flow in accordance with the order specified by the compound attack definition; and
selectively discarding the packet flow based on the determination of whether the packet flow constitutes the network attack.
28. A method comprising:
presenting, with a network device, a user interface to define a compound attack definition for detecting a network attack identified by ordered occurrences in a packet flow of both at least one pattern and at least one protocol anomaly, wherein the at least one pattern identifies a binary pattern associated with a network attack that is different from the at least one protocol anomaly, and wherein the user interface includes a first input to select the at least one pattern, a second input to select the at least one protocol anomaly, and a third input that specifies an order in which the at least one pattern and the at least one protocol anomaly must occur in the packet flow for the compound attack definition to determine that the packet flow constitutes the network attack, and wherein the order specified by the compound attack definition includes specifying that the at least one pattern occurs before the at least one protocol anomaly in the packet flow;
receiving, with the network device, input data selecting the at least one protocol anomaly, the at least one pattern and the order via the respective first, second and third inputs of the user interface to define the compound attack definition for detecting the network attack;
with the network device, applying, in accordance with the order specified by the compound attack definition, the at least one pattern to the packet flow to detect the pattern within the packet flow;
only after detecting the pattern in the packet flow, applying, with the network device, the at least one protocol anomaly to the packet flow in accordance with the order specified by the compound attack definition to determine whether the packet flow constitutes the network attack; and
selectively discarding, with the network device, the packet flow based on the determination of whether the packet flow constitutes the network attack.
Dependent claims: 29
Specification