Method and system for intrusion detection and prevention based on packet type recognition in a network

US 8,879,388 B2
Filed: 05/30/2006
Issued: 11/04/2014
Est. Priority Date: 05/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method for handling data in a communication network, the method comprising:

performing by one or more processors, one or more circuits, or any combination thereof;

determining a packet type for each of a plurality of network packets received by a network switching device based on a portion of content of each of said plurality of received network packets; and

blocking at least a portion of said plurality of received network packets at an input port to regulate a rate at which network packets of said determined packet type are handled at said input port based on information relating to a number of occurrences of said determined packet type that occur within a time period, wherein said information is based on said determined packet type.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain aspects of a method and system for intrusion detection and prevention based on packet type recognition in a network are disclosed. Aspects of one method may include determining a packet type for each of a plurality of received network packets based on at least one of: a header and content of each of the plurality of received network packets. The rate at which the plurality of received network packets are handled at a port in the network switching device may be regulated based on a number of occurrences of the determined packet type of the plurality of received network packets.

Citations

25 Claims

1. A method for handling data in a communication network, the method comprising:
- performing by one or more processors, one or more circuits, or any combination thereof;
  
  determining a packet type for each of a plurality of network packets received by a network switching device based on a portion of content of each of said plurality of received network packets; and
  
  blocking at least a portion of said plurality of received network packets at an input port to regulate a rate at which network packets of said determined packet type are handled at said input port based on information relating to a number of occurrences of said determined packet type that occur within a time period, wherein said information is based on said determined packet type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein said information comprises a determination of whether said number of occurrences of said determined packet type has exceeded a threshold value within said time period, wherein said threshold value is set based on said determined packet type.
  - 3. The method according to claim 2, comprising if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period, blocking at least a portion of a plurality of additional network packets of said determined packet type received at said input port in said network switching device.
  - 4. The method according to claim 2, comprising if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period, disabling at least one of a plurality of ports in said network switching device handling at least one of said plurality of received network packets.
  - 5. The method according to claim 2, wherein said input port is disabled to block said portion of said received packets.
  - 6. The method according to claim 1, comprising determining whether said determined packet type matches with a packet type stored in memory.
  - 7. The method according to claim 6, comprising if said determined packet type matches with said packet type stored in said memory, regulating a rate at which said received network packets of said determined packet type are handled at a plurality of ports in said network switching device.
  - 8. The method according to claim 1, comprising determining said packet type for each of said plurality of received network packets based on a portion of a header of each of said plurality of received network packets.

9. A non transitory computer readable medium having stored thereon, a computer program having at least one code section for handling data in a communication network, the at least one code section being executable by a computer for causing the computer to perform steps comprising:
- determining a packet type for each of a plurality of-network packets received by a network switching device based on a portion of content of each of said plurality of received network packets; and
  
  regulating a rate at which said plurality of received network packets are handled by blocking packets at an input port in said network switching device based on information relating to a number of occurrences of said determined packet type that occur within a time period, wherein said information is based on said determined packet type.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non transitory computer readable medium according to claim 9, wherein said information comprises a determination of whether said number of occurrences of said determined packet type has exceeded a threshold value within said time period, wherein said threshold value is set based on said determined packet type.
  - 11. The non transitory computer readable medium according to claim 10, wherein said at least one code section comprises code for dropping at least a portion of a plurality of additional network packets of said determined packet type received at said input port in said network switching device, if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period.
  - 12. The non transitory computer readable medium according to claim 10, wherein said at least one code section comprises code for disabling at least one of a plurality of ports in said network switching device handling said at least one of said plurality of received network packets, if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period.
  - 13. The non transitory computer readable medium according to claim 10, wherein said at least one code section comprises code for determining whether to temporarily increase the threshold.
  - 14. The non transitory computer readable medium according to claim 9, wherein said at least one code section comprises code for determining whether said determined packet type matches with a packet type stored in memory.
  - 15. The non transitory computer readable medium according to claim 14, wherein said at least one code section comprises code for regulating said rate at which said plurality of received network packets of said determined packet type are handled at said input port in said network switching device, if said determined packet type matches with said packet type stored in said memory.
  - 16. The non transitory computer readable medium according to claim 9, wherein said at least one code section comprises code for determining said packet type for each of said plurality of received network packets based on a portion of a header of each of said plurality of received network packets.

17. A system for handling data in a communication network, the system comprising:
- one or more circuits that are operable to determine a packet type for each of a plurality of network packets received by a network switching device based on a portion of content of each of said plurality of received network packets; and
  
  said one or more circuits are operable to regulate a rate at which said plurality of received network packets are handled at an output port in said network switching device based on information relating to a number of occurrences of said determined packet type that occur within a time period, wherein said information is based on said determined packet type.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system according to claim 17, wherein said information comprises a determination of whether said number of occurrences of said determined packet type has exceeded a threshold value within said time period, wherein said threshold value is set based on said determined packet type.
  - 19. The system according to claim 18, wherein said one or more circuits are operable to drop at least a portion of a plurality of additional network packets of said determined packet type at said output port in said network switching device, if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period.
  - 20. The system according to claim 17, wherein said one or more circuits are operable to determine whether said determined packet type matches with a packet type stored in memory.
  - 21. The system according to claim 20, wherein said one or more circuits are operable to regulate said rate at which said plurality of received network packets of said determined network type are handled at said output port in said network switching device, if said determined packet type matches with said packet type stored in said memory.
  - 22. The system according to claim 17, wherein said network switching device comprises a network switch.
  - 23. The system according to claim 17, wherein said one or more circuits are operable to determine said packet type for each of said plurality of received network packets based on a portion of a header of each of said plurality of received network packets.

24. A system for handling data in a communication network, the system comprising:
- one or more circuits that are operable to determine a packet type for each of a plurality of received network packets based on a portion of content of each of said plurality of received network packets;
  
  said one or more circuits are operable to regulate a rate at which said plurality of received network packets are handled at a port in a network switching device based on information relating to a number of occurrences of said determined packet type that occur within a time period, said information comprising a determination of whether said number of occurrences of said determined packet type has exceeded a threshold value within said time period, said threshold value based on said determined packet type; and
  
  said one or more circuits are operable to disable at least one of a plurality of ports in said network switching device handling at least one of said plurality of received network packets, if said determined number of occurrences of said determined packet type exceeds said threshold value within said time period.
- View Dependent Claims (25)
- - 25. The system according to claim 24, wherein said at least one of said plurality of ports includes said output port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Lund, Martin
Primary Examiner(s)
Yao, Kwang B
Assistant Examiner(s)
DUDA, ADAM K

Application Number

US11/442,850
Publication Number

US 20070280106A1
Time in Patent Office

3,080 Days
Field of Search

370/235, 370/252, 370/389
US Class Current

370/235
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Method and system for intrusion detection and prevention based on packet type recognition in a network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for intrusion detection and prevention based on packet type recognition in a network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links