Parallel intrusion detection sensors with load balancing for high speed networks
Abstract
Various embodiments of a method and system for detecting unauthorized signatures to or from a local network are described. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel, and each receives a portion of the traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch), the load-balancing mechanism that distributes the packets can be internal or external to the internetworking device. Depending also on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
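An added illustration of the architecture in the abstract (not code from the patent): packets are spread over four sensors either per session or per packet, and a multi-packet signature is evaluated both by each sensor alone and by an analyzer shared among the sensors. The port-sweep rule, its threshold, the CRC32 flow hash and the sample addresses are assumptions made for this example.

```python
import zlib
from collections import defaultdict

SWEEP_THRESHOLD = 8  # assumed: distinct destination ports per source that count as a sweep

def session_sensor(pkt, n):
    """Session-based balancing: hash the flow tuple so a session stays on one sensor."""
    src, sport, dst, dport = pkt
    return zlib.crc32(f"{src}:{sport}-{dst}:{dport}".encode()) % n

def distribute(packets, n, mode):
    """Return per-sensor packet lists for 'session' or 'packet' (round-robin) mode."""
    sensors = [[] for _ in range(n)]
    for i, pkt in enumerate(packets):
        idx = session_sensor(pkt, n) if mode == "session" else i % n
        sensors[idx].append(pkt)
    return sensors

def ports_by_source(packets):
    """One sensor's local view: distinct destination ports seen per source."""
    seen = defaultdict(set)
    for src, _sport, _dst, dport in packets:
        seen[src].add(dport)
    return seen

def local_alerts(sensors):
    """Sources flagged when every sensor analyzes only its own share of traffic."""
    return {src for s in sensors for src, ports in ports_by_source(s).items()
            if len(ports) >= SWEEP_THRESHOLD}

def shared_alerts(sensors):
    """Sources flagged by a shared analyzer that merges all sensors' observations."""
    merged = defaultdict(set)
    for s in sensors:
        for src, ports in ports_by_source(s).items():
            merged[src] |= ports
    return {src for src, ports in merged.items() if len(ports) >= SWEEP_THRESHOLD}

# Constructed sample traffic: one source touching 12 ports, one ordinary client.
SAMPLE = [("203.0.113.5", 40000 + p, "192.0.2.10", p) for p in range(20, 32)]
SAMPLE += [("198.51.100.7", 51000, "192.0.2.10", 443)] * 4

if __name__ == "__main__":
    for mode in ("session", "packet"):
        sensors = distribute(SAMPLE, 4, mode)
        print(mode, local_alerts(sensors), shared_alerts(sensors))
```

With round-robin distribution each sensor sees only three of the twelve ports, so no sensor alone reaches the threshold; the merged view does.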
23 Claims
1. A method for detecting network intrusion, comprising:
- receiving a plurality of packets at an internetworking device coupled with a network;
- distributing examination of the plurality of packets received at the internetworking device among a plurality of intrusion detection sensors operating in parallel in accordance with a load-balancing technique;
- detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
- determining whether the composite signature is associated with an unauthorized access attempt to the network.

Dependent claims: 2, 3, 4, 5

6. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network and operable to receive a plurality of packets;
- a plurality of intrusion detection sensors operating in parallel and operable to receive the plurality of packets;
- a load balancer operable to distribute examination of the plurality of packets received at the internetworking device among the plurality of intrusion detection sensors in accordance with a load-balancing technique; and
- an analyzer operable to:
  - detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  - determine whether the composite signature is associated with an unauthorized access attempt to the network.

Dependent claims: 7, 8, 9, 10

11. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
- means for distributing examination of the plurality of packets received at the internetworking device among a plurality of intrusion detection sensors operating in parallel in accordance with a load-balancing technique;
- means for detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
- means for determining whether the composite signature is associated with an unauthorized access attempt to the network.

Dependent claims: 12, 13, 14, 15

16. Logic embodied in a non-transitory computer readable medium, the computer readable medium comprising code operable to:
- receive a plurality of packets at an internetworking device coupled with a network;
- distribute the plurality of packets received at the internetworking device to a plurality of intrusion detection sensors operating in parallel;
- examine the plurality of packets at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
- detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
- determine whether the composite signature is associated with an unauthorized access attempt to the network.

Dependent claims: 17, 18, 19, 20

21. A method for detecting network intrusion, comprising:
- receiving a plurality of packets at an internetworking device coupled with a network;
- distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel;
- examining the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
- detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
- determining whether the composite signature is associated with an unauthorized access attempt to the network.

22. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network and operable to receive a plurality of packets;
- a plurality of intrusion detection sensors operating in parallel and operable to receive the plurality of packets;
- a load balancer operable to determine a distribution of the examination of the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors; and
- an analyzer operable to:
  - detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  - determine whether the composite signature is associated with an unauthorized access attempt to the network.

23. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
- means for distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel;
- means for examining the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
- means for detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
- means for determining whether the composite signature is associated with an unauthorized access attempt to the network.

Specification