Multi-method gateway-based network security systems and methods

US 8,370,936 B2
Filed: 02/08/2002
Issued: 02/05/2013
Est. Priority Date: 02/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, a plurality of packets;

inspecting, by the network device, the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,inspecting the plurality of packets including;

inspecting the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities,after inspecting the plurality of packets to identify the one or more protocol irregularities and when the plurality of packets does not include the one or more protocol irregularities;

inspecting the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures, andafter inspecting the plurality of packets to identify the one or more attack signatures and when the plurality of packets does not include the one or more attack signatures;

inspecting the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures;

dropping, by the network device, at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and

forwarding, by the network device, the at least one packet when the at least one packet does not include the information indicative of the security breach.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

136 Citations

View as Search Results

37 Claims

1. A method comprising:
- receiving, at a network device, a plurality of packets;
  
  inspecting, by the network device, the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,inspecting the plurality of packets including;
  
  inspecting the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities,after inspecting the plurality of packets to identify the one or more protocol irregularities and when the plurality of packets does not include the one or more protocol irregularities;
  
  inspecting the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures, andafter inspecting the plurality of packets to identify the one or more attack signatures and when the plurality of packets does not include the one or more attack signatures;
  
  inspecting the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures;
  
  dropping, by the network device, at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forwarding, by the network device, the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, where inspecting the plurality of packets to identify the one or more protocol irregularities includes:
    - identifying irregularities in network protocol specifications in the at least one packet.
  - 3. The method of claim 1, where inspecting the plurality of packets to identify the one or more attack signatures includes:
    - inspecting the plurality of packets to identify the one or more attack signatures using stateful signature detection.
  - 4. The method of claim 1, where inspecting the plurality of packets to identify the one or more traffic signatures includes searching packet flow descriptors, associated with the plurality of packets, for traffic signatures.
  - 5. The method of claim 1, further comprising:
    - identifying a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more protocol irregularities, where the network attack identifier comprises a protocol irregularity of the one or more protocol irregularities; and
      
      dropping the at least one packet based on identifying the network attack identifier.
  - 6. The method of claim 1, further comprising:
    - identifying a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more attack signatures, where the network attack identifier comprises an attack signature of the one or more attack signatures; and
      
      dropping the at least one packet based on identifying the network attack identifier.
  - 7. The method of claim 1, further comprising:
    - identifying a plurality of network attack identifiers, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more traffic signatures, where the plurality of network attack identifiers identifier comprises the one or more traffic signatures; and
      
      dropping the at least one packet based on identifying the plurality of network attack identifiers.
  - 8. The method of claim 1, further comprising:
    - identifying a plurality of network attack identifiers, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more attack signatures and inspecting the plurality of packets to identify the one or more traffic signatures, where the plurality of network attack identifiers comprises the one or more attack signatures and the one or more traffic signatures; and
      
      dropping the at least one packet based on identifying the plurality of network attack identifiers.
  - 9. The method of claim 6, where the attack signature is stored in a memory, andwhere inspecting the plurality of packets to identify the one or more attack signatures includes:
    - comparing a portion of the at least one packet to the attack signature stored in the memory.
  - 10. The method of claim 1, where inspecting the plurality of packets to identify the one or more attack signatures comprises:
    - querying a memory, that stores a plurality of attack signatures, to identify the one or more attack signatures, the plurality of attack signatures including the one or more attack signatures; and
      
      comparing the one or more attack signatures to information included in the plurality of packets.
  - 11. The method of claim 1, further comprising:
    - reconstructing a plurality of packet fragments into the plurality of packets.

12. A system comprising:
- a device to;
  
  receive a plurality of packets;
  
  inspect the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,when inspecting the plurality of packets, the device is to;
  
  inspect the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities,after inspecting the plurality of packets to identify the one or more protocol irregularities and when the plurality of packets does not include the one or more protocol irregularities;
  
  inspect the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures, andafter inspecting the plurality of packets to identify the one or more attack signatures and when the plurality of packets does not include the one or more attack signatures;
  
  inspect the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures;
  
  drop at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forward the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, where the device further is to:
    - reconstruct a plurality of packet fragments into the plurality of packets.
  - 14. The system of claim 12, where the device further is to:
    - detect the information indicative of the security breach based on inspecting the plurality of packets to identify the one or more attack signatures using a stateful signature detection module of the device.
  - 15. The system of claim 12, where, when inspecting the plurality of packets to identify the one or more traffic signatures, the device is to use a traffic signature detection software module to search packet flow descriptors, associated with the plurality of packets, for the one or more traffic signatures.
  - 16. The system of claim 12, where, when inspecting the plurality of packets to identify the one or more protocol irregularities, the device is further to identify irregularities in protocol specifications in the at least one packet.
  - 17. The system of claim 12, where, when inspecting the plurality of packets to identify the one or more attack signatures, the device further is to:
    - query a memory to obtain the one or more attack signatures, andcompare the obtained one or more attack signatures to information included in the plurality of packets.
  - 18. The system of claim 12, further comprising:
    - another device to;
      
      collect a plurality of security logs and alarms recording information about security breaches found in the plurality of packets;
      
      store a network security policy identifying network traffic to inspect and a plurality of network attacks to be detected and prevented, the network security policy being associated with the collected plurality of security logs and alarms recording information;
      
      distribute the network security policy to one or more gateway points in the network; and
      
      update a memory that stores information identifying a plurality of protocols and information identifying a plurality of attack signatures.

19. A non-transitory computer-readable medium comprising:
- a plurality of instructions which, when executed by a device, causes the device to;
  
  receive a plurality of packets;
  
  inspect the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,one or more instructions, of the plurality of instructions, to inspect the plurality of packets including;
  
  one or more instructions to inspect the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities,after inspecting the plurality of packets to identify the one or more protocol irregularities and when the plurality of packets does not include the one or more protocol irregularities;
  
  one or more instructions to inspect the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures, andafter inspecting the plurality of packets to identify the one or more traffic signatures and when the plurality of packets does not include the one or more traffic signatures;
  
  one or more instructions to inspect the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures;
  
  drop at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forward the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The non-transitory computer-readable medium of claim 19, where the device is located within a firewall.
  - 21. The non-transitory computer-readable medium of claim 19, where the device is located outside a firewall.
  - 22. The non-transitory computer-readable medium of claim 19, further comprising:
    - one or more instructions to reconstruct a plurality of packet fragments into the plurality of packets.
  - 23. The non-transitory computer-readable medium of claim 19, further comprising a plurality of instructions which, when executed by a server, cause the server to:
    - collect a plurality of security logs and alarms recording information about the information indicative of the security breach found in the plurality of packets;
      
      store a network security policy identifying network traffic to inspect and a plurality of network attacks to be detected and prevented, the network security policy being associated with the collected plurality of security logs and alarms recording information; and
      
      distribute the network security policy to the device.
  - 24. The non-transitory computer-readable medium of claim 19, further comprising one or more instructions to:
    - provide network security information for display to network security administrators;
      
      provide status information regarding the device for display; and
      
      specify a network security policy.

25. A device comprising:
- at least one processor to;
  
  receive a plurality of packets;
  
  inspect the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,when inspecting the plurality of packets, the at least one processor is to;
  
  inspect the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities,when the plurality of packets does not include the one or more protocol irregularities;
  
  inspect the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures, andwhen the plurality of packets does not include the one or more traffic signatures;
  
  inspect the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures;
  
  drop at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forward the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The device of claim 25, where the at least one processor is further to:
    - reconstruct a plurality of packet fragments into the plurality of packets.
  - 27. The device of claim 25, where a network security policy, identifying network traffic to inspect and a plurality of network attacks to be detected and prevented, is defined by a network security administrator using a graphical user interface associated with the device.
  - 28. The device of claim 27, where the at least one processor is further to provide:
    - network security information to the graphical user interface for display to network security administrators;
      
      status information regarding the device to the graphical user interface for display; and
      
      information specifying the network security policy to the graphical user interface for display.
  - 29. The device of claim 25, where a network security policy, identifying network traffic to inspect and a plurality of network attacks to be detected and prevented, is stored by and distributed to the device by a server.
  - 30. The device of claim 25, where the at least one processor is further to:
    - inspect the plurality of packets to identify the one or more protocol irregularities using a protocol anomaly detection software module.
  - 31. The device of claim 25, where the at least one processor is further to:
    - inspect the plurality of packets to identify the one or more attack signatures using a stateful signature detection software module.
  - 32. The device of claim 25, where the at least one processor is further to:
    - identify a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more protocol irregularities, where the network attack identifier comprises a protocol irregularity of the one or more protocol irregularities; and
      
      drop the at least one packet based on identifying the network attack identifier.
  - 33. The device of claim 25, where the at least one processor is further to:
    - identify a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more attack signatures, where the network attack identifier comprises an attack signature of the one or more attack signatures; and
      
      drop the at least one packet based on identifying the network attack identifier.

34. A method comprising:
- receiving, at a network device, a plurality of packets;
  
  inspecting, by the network device, the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,inspecting the plurality of packets including;
  
  inspecting the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures,when the plurality of packets does not include the one or more attack signatures;
  
  inspecting the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities, andwhen the plurality of packets does not include the one or more protocol irregularities;
  
  inspecting the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures;
  
  dropping, by the network device, at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forwarding, by the network device, the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (35)
- - 35. The method of claim 34, further comprising:
    - identifying a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more protocol irregularities, where the network attack identifier comprises a protocol irregularity of the one or more protocol irregularities; and
      
      dropping the at least one packet based on identifying the network attack identifier.

36. A method comprising:
- receiving, at a network device, a plurality of packets;
  
  inspecting, by the network device, the plurality of packets to determine whether the plurality of packets includes information indicative of a security breach,inspecting the plurality of packets including;
  
  inspecting the plurality of packets to identify one or more traffic signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more traffic signatures,when the plurality of packets does not include the one or more traffic signatures;
  
  inspecting the plurality of packets to identify one or more protocol irregularities, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more protocol irregularities, andwhen the plurality of packets does not include the one or more protocol irregularities;
  
  inspecting the plurality of packets to identify one or more attack signatures, associated with the plurality of packets, to determine whether the plurality of packets includes the information indicative of the security breach, without a user request to inspect the plurality of packets to identify the one or more attack signatures;
  
  dropping, by the network device, at least one packet of the plurality of packets when the at least one packet includes the information indicative of the security breach; and
  
  forwarding, by the network device, the at least one packet when the at least one packet does not include the information indicative of the security breach.
- View Dependent Claims (37)
- - 37. The method of claim 36, further comprising:
    - identifying a network attack identifier, associated with the at least one packet, based on inspecting the plurality of packets to identify the one or more attack signatures, where the network attack identifier comprises an attack signature of the one or more attack signatures; and
      
      dropping the at least one packet based on identifying the network attack identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir, Guruswamy, Kowsik
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Rahman, Mohammad L

Application Number

US10/072,683
Publication Number

US 20030154399A1
Time in Patent Office

4,015 Days
Field of Search

726 11- 13, 726 22- 25, 709238-244, 713/153, 713/189, 705 51- 54
US Class Current

726/23
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Multi-method gateway-based network security systems and methods

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-method gateway-based network security systems and methods

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links