Multi-method gateway-based network security systems and methods

US 8,635,695 B2
Filed: 09/14/2012
Issued: 01/21/2014
Est. Priority Date: 02/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, a packet;

inspecting, by the network device, the packet to determine whether the packet includes information indicative of a security breach,inspecting the packet including a plurality of;

inspecting the packet to identify one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more protocol irregularities,inspecting the packet to identify one or more attack signatures to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more attack signatures,inspecting the packet for one or more traffic signatures matching a packet flow, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet for the one or more traffic signatures,one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet for the one or more traffic signatures being performed based on another one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet for the one or more traffic signatures;

dropping, by the network device, the packet when the packet includes the information indicative of the security breach; and

forwarding, by the network device, the packet to a network destination of the packet when the packet does not include the information indicative of the security breach.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Citations

20 Claims

1. A method comprising:
- receiving, at a network device, a packet;
  
  inspecting, by the network device, the packet to determine whether the packet includes information indicative of a security breach,inspecting the packet including a plurality of;
  
  inspecting the packet to identify one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more protocol irregularities,inspecting the packet to identify one or more attack signatures to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more attack signatures,inspecting the packet for one or more traffic signatures matching a packet flow, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet for the one or more traffic signatures,one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet for the one or more traffic signatures being performed based on another one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet for the one or more traffic signatures;
  
  dropping, by the network device, the packet when the packet includes the information indicative of the security breach; and
  
  forwarding, by the network device, the packet to a network destination of the packet when the packet does not include the information indicative of the security breach.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach;
      
      inspecting the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more protocol irregularities; and
      
      inspecting the packet for the one or more traffic signatures matching the packet flow to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more attack signatures.
  - 3. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach;
      
      inspecting the packet for the one or more traffic signatures matching the packet flow to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more protocol irregularities; and
      
      inspecting the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, when the one or more traffic signatures do not match the packet flow.
  - 4. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach;
      
      inspecting the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more attack signatures; and
      
      inspecting the packet for the one or more traffic signatures matching the packet flow to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more protocol irregularities.
  - 5. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach;
      
      inspecting the packet for the one or more traffic signatures matching the packet flow to determine whether the packet includes the information indicative of the security breach, when the packet does not include the one or more attack signatures; and
      
      inspecting the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, when the one or more traffic signatures do not match the packet flow.
  - 6. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, where inspecting the packet to identify the one or more protocol irregularities in the packet includes;
      
      determining irregularities in network protocol specifications in the packet.
  - 7. The method of claim 1, where inspecting the packet includes:
    - inspecting the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach,where inspecting the packet to identify the one or more attack signatures includes;
      
      matching attack signatures to information in a header of the packet and data associated with a network protocol used to transmit the packet.

8. A system comprising:
- a device, comprising one or more hardware components, to;
  
  inspect a packet to determine whether the packet includes information indicative of a security breach,when inspecting the packet, the device is to perform a plurality of;
  
  inspect the packet to identify one or more protocol irregularities, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more protocol irregularities,inspect the packet to identify one or more attack signatures, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more attack signatures,inspect the packet to identify one or more traffic signatures, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more traffic signatures,the device to perform one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet to identify the one or more traffic signatures based on another one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet to identify the one or more traffic signatures;
  
  drop the packet when the packet includes the information indicative of the security breach; and
  
  forward the packet when the packet does not include the information indicative of the security breach.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, where, when inspecting the packet, the device is to:
    - inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach; and
      
      when the packet does not include the one or more protocol irregularities, at least one of;
      
      inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, orinspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach.
  - 10. The system of claim 8, where, when inspecting the packet, the device is to:
    - inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach; and
      
      when the packet does not include the one or more attack signatures, at least one of;
      
      inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, orinspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach.
  - 11. The system of claim 8, where, when inspecting the packet, the device is to:
    - inspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach; and
      
      where, when inspecting the packet to identify the one or more traffic signatures, the device is to;
      
      query a data structure for traffic signatures, including the one or more traffic signatures, associated a packet flow to which the packet belongs; and
      
      match the traffic signatures to the packet flow.
  - 12. The system of claim 11, where, when inspecting the packet, the device is further to at least one of:
    - inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, when the one or more traffic signatures do not match the packet flow, orinspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, when the one or more traffic signatures do not match the packet flow.
  - 13. The system of claim 8, where, when inspecting the packet, the device is to:
    - inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach,where, when inspecting the packet to identify the one or more protocol irregularities in the packet, the device is to;
      
      determine whether the packet is compliant with a protocol that is used to transmit the packet, anddetermine whether one or more actions, associated with the packet, are authorized for the protocol.
  - 14. The system of claim 8, where, when inspecting the packet, the device is to:
    - inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach,where, when inspecting the packet to identify the one or more attack signatures, the device is to;
      
      match attack signatures to a portion of the packet.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a device, cause the device to receive a packet;
  
  one or more instructions which, when executed by the device, cause the device to inspect the packet to determine whether the packet includes information indicative of a security breach,the one or more instructions to inspect the packet including a plurality of;
  
  one or more instructions which, when executed by the device, cause the device to inspect the packet to identify one or more protocol irregularities, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more protocol irregularities,one or more instructions which, when executed by the device, cause the device to inspect the packet to identify one or more attack signatures, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more attack signatures,one or more instructions which, when executed by the device, cause the device to inspect the packet to identify one or more traffic signatures, associated with the packet, to determine whether the packet includes the information indicative of the security breach, without a user request to inspect the packet to identify the one or more traffic signatures,one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet to identify the one or more traffic signatures being performed based on another one of inspecting the packet to identify the one or more protocol irregularities, inspecting the packet to identify the one or more attack signatures, or inspecting the packet to identify the one or more traffic signatures;
  
  one or more instructions which, when executed by the device, cause the device to drop the packet when the packet includes the information indicative of the security breach; and
  
  one or more instructions which, when executed by the device, cause the device to forward the packet when the packet does not include the information indicative of the security breach.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, where the one or more instructions to inspect the packet include:
    - the one or more instructions to inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach,where the one or more instructions to inspect the packet to identify the one or more protocol irregularities in the packet include;
      
      one or more instructions which, when executed by the device, cause the device to query a data structure for information associated a protocol that is used to transmit the packet; and
      
      one or more instructions which, when executed by the device, cause the device to determine, based on the information associated with the protocol, at least one of;
      
      whether the packet is compliant with the protocol, orwhether one or more commands, associated with the packet, are authorized for the protocol.
  - 17. The non-transitory computer-readable medium of claim 15, where the one or more instructions to inspect the packet include:
    - the one or more instructions to inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach; and
      
      when the packet does not include the one or more attack signatures, at least one of;
      
      the one or more instructions to inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, orthe one or more instructions to inspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach.
  - 18. The non-transitory computer-readable medium of claim 15, where the one or more instructions to inspect the packet include:
    - the one or more instructions to inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach; and
      
      when the packet does not include the one or more protocol irregularities, at least one of;
      
      the one or more instructions to inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, orthe one or more instructions to inspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach.
  - 19. The non-transitory computer-readable medium of claim 15, where the one or more instructions to inspect the packet include:
    - the one or more instructions to inspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach; and
      
      at least one of;
      
      the one or more instructions to inspect the packet to identify the one or more attack signatures to determine whether the packet includes the information indicative of the security breach, based on inspecting the packet to identify the one or more traffic signatures, orthe one or more instructions to inspect the packet to identify the one or more protocol irregularities in the packet to determine whether the packet includes the information indicative of the security breach, based on inspecting the packet to identify the one or more traffic signatures.
  - 20. The non-transitory computer-readable medium of claim 15, where the one or more instructions to inspect the packet include:
    - the one or more instructions to inspect the packet to identify the one or more traffic signatures to determine whether the packet includes the information indicative of the security breach, the packet including information identifying a particular Internet protocol (IP) address,where the one or more instructions to inspect the packet to identify the one or more traffic signatures include;
      
      one or more instructions which, when executed by the device, cause the device to query a data structure for traffic signatures, including the one or more traffic signatures, associated with a packet flow that is associated with the packet;
      
      one or more instructions which, when executed by the device, cause the device to inspect the packet to match the traffic signatures to the packet flow;
      
      one or more instructions which, when executed by the device, cause the device to update a count relating to a quantity of hosts contacted from the particular address when the packet matches the one or more traffic signatures; and
      
      one or more instructions which, when executed by the device, cause the device to generate an alarm when the count exceeds a threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir, Guruswamy, Kowsik
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US13/616,046
Publication Number

US 20130067560A1
Time in Patent Office

494 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Multi-method gateway-based network security systems and methods

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-method gateway-based network security systems and methods

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links