Methods and systems to detect an evasion attack
First Claim
1. A system comprising:
a repository to store a plurality of signature fragments that together constitute an attack signature;
an interceptor to intercept data packets associated with a network connection;
a detector to detect that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments; and
a state machine to:
commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold, and
based on the state of the network connection, causing a reassembler to reassemble one or more of the intercepted data packets to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
Abstract
A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.
18 Claims
1. A system comprising:
a repository to store a plurality of signature fragments that together constitute an attack signature;
an interceptor to intercept data packets associated with a network connection;
a detector to detect that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments; and
a state machine to:
commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold, and
based on the state of the network connection, causing a reassembler to reassemble one or more of the intercepted data packets to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
Dependent claims: 2-8.
9. A non-transitory machine-readable storage medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
store a plurality of signature fragments that together constitute an attack signature;
intercept a data packet associated with a network connection;
detect that a size of the data packet is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments;
commence maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold; and
based on the state of the network connection, causing one or more of the intercepted data packets to be reassembled to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
Dependent claims: 10.
11. A method comprising:
storing a plurality of signature fragments that together constitute an attack signature;
intercepting data packets associated with a network connection;
detecting, using at least one processor, that a size of a data packet from the data packets is less than a size threshold, the detection that the size of the data packet is less than the size threshold indicating that the data packet cannot include at least one of the plurality of signature fragments;
commencing maintaining a state for the network connection in response to the detector detecting that the size of the data packet is less than the size threshold;
based on the state of the network connection, causing one or more of the intercepted data packets to be reassembled to identify a match between the reassembled data packets and a signature fragment from the plurality of signature fragments, wherein the match may cause a responder to perform a prevention action.
Dependent claims: 12-18.