Parallel intrusion detection sensors with load balancing for high speed networks

US 8,239,942 B2
Filed: 05/16/2005
Issued: 08/07/2012
Est. Priority Date: 12/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting network intrusion, comprising:

receiving a plurality of packets at an internetworking device coupled with a network;

distributing examination of the plurality of packets received at the internetworking device among a plurality of intrusion detection sensors operating in parallel in accordance with a load-balancing technique;

detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and

determining whether the composite signature is associated with an unauthorized access attempt to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a method and system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).

70 Citations

View as Search Results

23 Claims

1. A method for detecting network intrusion, comprising:
- receiving a plurality of packets at an internetworking device coupled with a network;
  
  distributing examination of the plurality of packets received at the internetworking device among a plurality of intrusion detection sensors operating in parallel in accordance with a load-balancing technique;
  
  detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  determining whether the composite signature is associated with an unauthorized access attempt to the network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein at least one of the plurality of intrusion detection sensors performs a signature analysis of at least one of the packets.
  - 3. The method of claim 2, wherein the signature analysis is selected from the group consisting of checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, and TCP stream assembly.
  - 4. The method of claim 1, wherein at least one of the plurality of intrusion detection sensors comprises a detection engine operable to examine a header and payload of the at least one of the plurality of packets.
  - 5. The method of claim 1, wherein distributing examination of the plurality of packets among a plurality of intrusion detection sensors comprises delivering control signals to each of the plurality of intrusion detection sensors.

6. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network and operable to receive a plurality of packets;
  
  a plurality of intrusion detection sensors operating in parallel and operable to receive the plurality of packets;
  
  a load balancer operable to distribute examination of the plurality of packets received at the internetworking device among the plurality of intrusion detection sensors in accordance with a load-balancing technique; and
  
  an analyzer operable to;
  
  detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  determine whether the composite signature is associated with an unauthorized access attempt to the network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein at least one of the plurality of intrusion detection sensors is operable to perform a signature analysis of at least one of the packets.
  - 8. The system of claim 7, wherein the signature analysis is selected from the group consisting of checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, and TCP stream assembly.
  - 9. The system of claim 6, wherein at least one of the plurality of intrusion detection sensors comprises a detection engine operable to examine a header and payload of the at least one of the plurality of packets.
  - 10. The system of claim 7, wherein a load balancer operable to distribute examination of the plurality of packets among a plurality of intrusion detection sensors comprises a load balancer operable to deliver control signals to each of the plurality of intrusion detection sensors.

11. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
  
  means for distributing examination of the plurality of packets received at the internetworking device among a plurality of intrusion detection sensors operating in parallel in accordance with a load-balancing technique;
  
  means for detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  means for determining whether the composite signature is associated with an unauthorized access attempt to the network.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein at least one of the plurality of intrusion detection sensors performs a signature analysis of at least one of the packets.
  - 13. The system of claim 12, wherein the signature analysis is selected from the group consisting of checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, and TCP stream assembly.
  - 14. The system of claim 11, wherein at least one of the plurality of intrusion detection sensors comprises a detection engine operable to examine a header and payload of the at least one of the plurality of packets.
  - 15. The system of claim 11, wherein means for distributing examination of the plurality of packets among a plurality of intrusion detection sensors comprises means for delivering control signals to each of the plurality of intrusion detection sensors.

16. Logic embodied in a non-transitory computer readable medium, the computer readable medium comprising code operable to:
- receive a plurality of packets at an internetworking device coupled with a network;
  
  distribute the plurality of packets received at the internetworking device to a plurality of intrusion detection sensors operating in parallel;
  
  examine the plurality of packets at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
  
  detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  determine whether the composite signature is associated with an unauthorized access attempt to the network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The medium of claim 16, wherein at least one of the plurality of intrusion detection sensors comprises code operable to perform a signature analysis of at least one of the packets.
  - 18. The medium of claim 17, wherein the signature analysis is selected from the group consisting of checksum verification, hop count checking, IP option checking, MTU checking for maximum packet size, IP fragment reassembly, and TCP stream assembly.
  - 19. The medium of claim 16, wherein at least one of the plurality of intrusion detection sensors comprises code operable to examine a header and payload of the at least one of the plurality of packets.
  - 20. The medium of claim 16, wherein code operable to distribute examination of the plurality of packets among a plurality of intrusion detection sensors comprises code operable to deliver control signals to each of the plurality of intrusion detection sensors.

21. A method for detecting network intrusion, comprising:
- receiving a plurality of packets at an internetworking device coupled with a network;
  
  distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel;
  
  examining the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
  
  detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  determining whether the composite signature is associated with an unauthorized access attempt to the network.

22. A system for detecting network intrusion, comprising:
- an internetworking device coupled with a network and operable to receive a plurality of packets;
  
  a plurality of intrusion detection sensors operating in parallel and operable to receive the plurality of packets;
  
  a load balancer operable to determine a distribution of the examination of the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors; and
  
  an analyzer operable to;
  
  detect, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of rackets received at the internetworking device, a composite signature of more than one of the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  determine whether the composite signature is associated with an unauthorized access attempt to the network.

23. A system for detecting network intrusion, comprising:
- means for receiving a plurality of packets at an internetworking device coupled with a network;
  
  means for distributing the plurality of packets to a plurality of intrusion detection sensors operating in parallel;
  
  means for examining the plurality of packets received at the internetworking device at the plurality of intrusion detection sensors in accordance with a load-balancing technique;
  
  means for detecting, from packets examined at more than one of the plurality of intrusion detection sensors that received the plurality of packets received at the internetworking device, a composite signature of more than one the plurality of packets, the composite signature detected based on information in more than one of the plurality of packets examined at more than one of the plurality of intrusion detection sensors; and
  
  means for determining whether the composite signature is associated with an unauthorized access attempt to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shanklin, Steven D., Lathem, Gerald S.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US11/129,865
Publication Number

US 20050207420A1
Time in Patent Office

2,640 Days
Field of Search

726 2- 5, 726 13- 14, 726 22- 27, 713151-154, 713/171, 713/176, 713/168, 713/180, 709/229, 709/235, 709201-203, 709223-225, 709/227, 370/218, 370/229, 370/244, 370/386, 370351-357, 380/168, 380/54, 380/100, 380/232, 380/119, 705 57- 59, 705/19
US Class Current

726/23
CPC Class Codes

H04L 12/56 Packet switching systems

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Parallel intrusion detection sensors with load balancing for high speed networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others