Methods and systems to detect an evasion attack

US 8,613,088 B2
Filed: 10/23/2006
Issued: 12/17/2013
Est. Priority Date: 02/03/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a repository to store a plurality of signature fragments that together constitute an attack signature;

an interceptor to intercept data packets associated with a network connection;

a detector to detect that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments; and

a state machine to;

commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold, andbased on the state of the network connection, causing a reassembler to reassemble one or more of the intercepted data packets to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.

Citations

18 Claims

1. A system comprising:
- a repository to store a plurality of signature fragments that together constitute an attack signature;
  
  an interceptor to intercept data packets associated with a network connection;
  
  a detector to detect that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments; and
  
  a state machine to;
  
  commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold, andbased on the state of the network connection, causing a reassembler to reassemble one or more of the intercepted data packets to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the prevention action comprises dropping the data packet.
  - 3. The system of claim 1, wherein the prevention action comprises dropping the network connection.
  - 4. The system of claim 1, wherein the state machine comprises a counter to update a count of detected anomalies with respect to data packets intercepted by the interceptor.
  - 5. The system of claim 4, wherein an anomaly from the detected anomalies is associated with a sequence length between small data packets from the data packets intercepted by the interceptor, wherein a size for each of the small data packets is less than the size threshold.
  - 6. The system of claim 4, wherein an anomaly from the detected anomalies is associated with a data packet from the data packets intercepted by the interceptor, the data packet having an out-of-order sequence number.
  - 7. The system of claim 4, further comprising a responder to redirect data packets intercepted by the interceptor to the reassembler in response to the count of detected anomalies reaching a count threshold.
  - 8. The system of claim 1, wherein the network connection is a TCP connection and the data packet is a TCP data packet.

9. A non-transitory machine-readable storage medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
- store a plurality of signature fragments that together constitute an attack signature;
  
  intercept a data packet associated with a network connection;
  
  detect that a size of the data packet is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments;
  
  commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold; and
  
  based on the state of the network connection, causing one or more of the intercepted data packets to be reassembled to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
- View Dependent Claims (10)
- - 10. The system machine-readable medium of claim 9, wherein the maintaining of the state for the network connection comprises updating a count of detected anomalies with respect to data packets associated with the network connection.

11. A method comprising:
- storing a plurality of signature fragments that together constitute an attack signature;
  
  intercepting data packets associated with a network connection;
  
  detecting, using at least one processor, that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments;
  
  commencing maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold;
  
  based on the state of the network connection, causing one or more of the intercepted data packets to be reassembled to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the prevention action comprises dropping the data packet.
  - 13. The method of claim 11, wherein the prevention action comprises dropping the network connection.
  - 14. The method of claim 11, further comprising updating a count of detected anomalies with respect to the intercepted data packets.
  - 15. The method of claim 14, wherein an anomaly from the detected anomalies is associated with a sequence length between small data packets from the intercepted data packets, wherein a size for each of the small data packets is less than the size threshold.
  - 16. The method of claim 14, wherein an anomaly from the detected anomalies is associated with a data packet from the intercepted data packets, the data packet having an out-of-order sequence number.
  - 17. The method of claim 14, further comprising redirecting intercepted data packets to be reassembled in response to the count of detected anomalies reaching a count threshold.
  - 18. The method of claim 11, wherein the network connection is a TCP connection and the data packet is a TCP data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Varghese, George, Bonomi, Flavio Giovanni, Fingerhut, John Andrew
Primary Examiner(s)
Nalven, Andrew L
Assistant Examiner(s)
Mehrmanesh, Amir

Application Number

US11/552,025
Publication Number

US 20070192861A1
Time in Patent Office

2,612 Days
Field of Search

709224-225, 709230-232
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/145 the attack involving the pr...

Methods and systems to detect an evasion attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems to detect an evasion attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links