Identifying applications for intrusion detection systems
First Claim
1. A method comprising:
- receiving, with a network device, a first packet flow within a network from a client to a server;
- performing an initial identification of a type of software application and communication protocol associated with the first packet flow, to determine a first type of software application for the first packet flow;
- applying a first set of patterns to the first packet flow to determine whether the first packet flow represents a network attack, wherein the first set of patterns are associated with the determined first type of software application and the communication protocol;
- buffering the first packet flow to store at least a connection request by the client;
- forwarding the first packet flow to the server;
- receiving, in response to forwarding the first packet flow to the server, a second packet flow from the server;
- associating the first packet flow and the second packet flow as a communication session between the client and the server;
- using the first packet flow and the second packet flow, reevaluating the initial identification of the type of software application and protocol associated with the communication session, to determine a second type of software application for the first packet flow;
- selecting a second set of patterns based on the determined second type of software application for the first packet flow and the reevaluated communication protocol; and
- after receiving the second packet flow from the server, applying the second set of patterns to the buffered connection request of the first packet flow to re-determine whether the first packet flow represents a network attack.
Abstract
An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.
29 Claims
1. (Independent method claim; full text given above under First Claim. Dependent claims: 2–13.)
14. An intrusion detection system (“IDS”) device comprising:
- a flow analysis module to receive a first packet flow from a client and a second packet flow from a server in response to the first packet flow;
- a data buffer to store packets from each of the first packet flow and the second packet flow;
- a forwarding component to send the first packet flow to the server and the second packet flow to the client;
- a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack; and
- an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow to determine a first type of software application for the first packet flow, and to reevaluate the identification of the type of software application and protocol according to the second packet flow to determine a second type of software application for the first packet flow,
- wherein the stateful inspection engine is configured to apply a first set of patterns associated with the determined first type of software application to the first packet flow following the determination of the first type of software application, and to apply a second set of patterns associated with the determined second type of software application to the first packet flow stored in the data buffer following the reevaluation of the identification of the second type of software application.
Dependent claims: 15–23.
24. A non-transitory computer-readable medium comprising instructions for causing a programmable processor to:
- receive a first packet flow within a network from a client to a server;
- perform an initial identification of a type of software application and communication protocol associated with the first packet flow using a hierarchically ordered list of applications and protocols and a static port mapping, to determine a first type of software application for the first packet flow;
- apply a first set of patterns to the first packet flow to determine whether the first packet flow represents a network attack, wherein the first set of patterns are associated with the determined first type of software application and the communication protocol;
- store the first packet flow in a data buffer;
- forward the first packet flow to the server;
- receive, in response to forwarding the first packet flow to the server, a second packet flow from the server;
- associate the first packet flow and the second packet flow as a communication session between the client and the server;
- store the second packet flow in the data buffer;
- reevaluate the identification of the type of software application and protocol associated with the communication session using the list of applications and protocols and the static port mapping with the first packet flow and the second packet flow, to determine a second type of software application for the first packet flow;
- select a second set of patterns based on the determined second type of software application for the first packet flow and the reevaluated communication protocol;
- apply the second set of patterns to the first packet flow to re-determine whether the first packet flow represents a network attack; and
- forward the second packet flow to the client.
Dependent claims: 25.
26. A method comprising:
- receiving, with a first network device, a first packet flow within a network;
- performing an initial identification of a type of software application and communication protocol associated with the first packet flow, to determine a first type of software application for the first packet flow;
- applying a first set of patterns to the first packet flow to determine whether the first packet flow represents a network attack, wherein the first set of patterns are associated with the determined first type of software application and the communication protocol;
- buffering the first packet flow to store at least a connection request by the client;
- forwarding the first packet flow to a second network device;
- receiving, in response to forwarding the first packet flow to the server, a second packet flow from the second network device;
- associating the first packet flow and the second packet flow as a communication session between the first network device and the second network device;
- using the first packet flow and the second packet flow, reevaluating the initial identification of the type of software application and protocol associated with the communication session, to determine a second type of software application for the first packet flow;
- selecting a second set of patterns based on the determined second type of software application for the first packet flow and the reevaluated communication protocol; and
- applying the second set of patterns to each of the first packet flow and the second packet flow to re-determine whether the first packet flow or the second packet flow represent a network attack.
Dependent claims: 27–29.
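The two-pass identification described in claim 1, claim 24 and the abstract (a static port mapping for the initial guess, a hierarchically ordered list of applications for the reevaluation, the client's connection request buffered and re-checked with a second pattern set once the server's reply arrives), as an added worked example in Python. This is not code from the patent or from any IDS product; the port map, the server fingerprints, the attack signatures, the `IDS`/`Session` names and the three sessions of sample traffic are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed static port mapping used for the initial identification.
STATIC_PORT_MAP = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}

# Constructed, hierarchically ordered list of server-side fingerprints: the
# first entry that matches wins, so the specific ESMTP greeting is tested
# before the generic "220" banner that FTP servers also send.
SERVER_FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", re.compile(rb"^220 [^\r\n]*E?SMTP")),
    ("ftp", re.compile(rb"^220 ")),
]

# Constructed per-application attack patterns, applied to the client flow.
ATTACK_PATTERNS = {
    "http": [("http.dir_traversal", re.compile(rb"\.\./\.\./"))],
    "ssh": [("ssh.long_version_string", re.compile(rb"^SSH-\d\.\d-\S{200,}"))],
    "smtp": [("smtp.long_helo", re.compile(rb"^(?:HELO|EHLO) \S{300,}"))],
    "ftp": [("ftp.long_user", re.compile(rb"^USER \S{200,}"))],
    "unknown": [],
}

@dataclass
class Session:
    app: str                  # current identification of the session
    request: bytes = b""      # buffered client connection request
    response: bytes = b""     # buffered server reply
    verdicts: dict = field(default_factory=dict)  # pass name -> signatures hit

def identify_by_port(server_port: int) -> str:
    return STATIC_PORT_MAP.get(server_port, "unknown")

def identify_by_response(response: bytes, fallback: str) -> str:
    for app, fingerprint in SERVER_FINGERPRINTS:
        if fingerprint.search(response):
            return app
    return fallback  # nothing matched: keep the port-based identification

def apply_patterns(app: str, data: bytes) -> list:
    return [name for name, rx in ATTACK_PATTERNS[app] if rx.search(data)]

class IDS:
    def __init__(self):
        self.sessions = {}  # (client addr, server addr) -> Session

    def on_client_packet(self, client, server, payload: bytes) -> Session:
        """First pass: identify by port, apply that pattern set, buffer the request.
        The packet is then forwarded to the server unchanged (not modelled here)."""
        key = (client, server)
        session = self.sessions.get(key)
        if session is None:
            session = Session(app=identify_by_port(server[1]))
            self.sessions[key] = session
        session.request += payload
        session.verdicts["initial"] = apply_patterns(session.app, session.request)
        return session

    def on_server_packet(self, client, server, payload: bytes) -> Session:
        """Second pass: reevaluate from the reply, re-check the buffered request
        with the pattern set of the (possibly changed) identification."""
        session = self.sessions[(client, server)]
        session.response += payload
        session.app = identify_by_response(session.response, session.app)
        session.verdicts["reevaluated"] = apply_patterns(session.app, session.request)
        return session

def final_verdict(session: Session) -> list:
    """Signatures still standing after the most recent pass."""
    return session.verdicts.get("reevaluated", session.verdicts["initial"])

def demo() -> dict:
    """Run three constructed sessions; returns initial hits, final app, final hits."""
    ids, out = IDS(), {}

    def run(name, server, request, reply):
        client = ("10.0.0.5", 40000 + len(out))  # distinct source port per session
        s = ids.on_client_packet(client, server, request)
        initial = list(s.verdicts["initial"])
        s = ids.on_server_packet(client, server, reply)
        out[name] = {"initial": initial, "app": s.app, "final": final_verdict(s)}

    # SSH daemon on tcp/80: the HTTP patterns miss the oversized version string
    # (false negative) until the server banner re-identifies the session.
    run("ssh_on_80", ("10.0.0.9", 80),
        b"SSH-2.0-" + b"A" * 300 + b"\r\n", b"SSH-2.0-OpenSSH_9.6\r\n")
    # SMTP server on tcp/21: the FTP "long USER" hit (false positive) is
    # withdrawn once the ESMTP greeting shows the FTP patterns do not apply.
    run("smtp_on_21", ("10.0.0.9", 21),
        b"USER " + b"B" * 250 + b"\r\n", b"220 mail.example.test ESMTP ready\r\n")
    # Real HTTP on tcp/80: the reply confirms the guess and the hit stands.
    run("http_on_80", ("10.0.0.9", 80),
        b"GET /../../../etc/passwd HTTP/1.1\r\nHost: h\r\n\r\n",
        b"HTTP/1.1 404 Not Found\r\n\r\n")
    return out
```

Calling `demo()` returns the three outcomes: the SSH session goes from no hits to `ssh.long_version_string`, the SMTP session goes from `ftp.long_user` to no hits, and the HTTP session keeps `http.dir_traversal`. Two practical points the claims leave implicit: the order of `SERVER_FINGERPRINTS` is what makes the list "hierarchical" (swap the `smtp` and `ftp` entries and every ESMTP greeting is classified as FTP), and because many servers say nothing until the client speaks, the request has to be forwarded before the reply can correct the identification, which is why the connection request is buffered rather than held back.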
Specification