Inline intrusion detection
Abstract
A method for inline intrusion detection includes receiving a packet at a network gateway, storing the packet, and assigning an identifier to the packet. The method also includes transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system and analyzing the copy of the packet by the intrusion detection system to determine whether the packet includes an attack signature and communicating a reply message from the intrusion detection system to the network gateway. The reply message includes the identifier and is indicative of the results of the analysis. The size of the reply message is less than the size of the packet.
142 Citations
19 Claims
1. A method comprising:
in response to receiving a packet at a network gateway, assigning an identifier to the packet;
generating, by the network gateway, a copy of the packet;
inserting, by the network gateway, the identifier into a header of the copy of the packet;
storing the packet and the identifier identifying the copy of the packet at the network gateway;
transmitting the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
receiving a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
taking, by the network gateway, the action associated with the code in response to the reply message.
(Dependent claims 2, 3, 4, 5 and 6 are not reproduced here.)

7. A method comprising:
in response to receiving a packet at a network gateway, assigning an identifier to the packet;
generating, by the network gateway, a copy of the packet;
inserting, by the network gateway, the identifier into a header of the copy of the packet;
storing the packet and the identifier identifying the copy of the packet at the network gateway;
transmitting the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
setting a timer upon transmission of the packet from the network gateway to the intrusion detection system;
maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
taking, by the network gateway, a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of: allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and dropping, by the network gateway, the packet.

8. An apparatus comprising:
a memory configured to store a packet and an identifier identifying the packet at a network gateway; and
one or more processors configured to:
in response to receiving the packet at the network gateway, assign an identifier to the packet;
generate a copy of the packet;
insert the identifier into a header of the copy of the packet;
transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
receive a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
take the action associated with the code in response to the reply message.
(Dependent claims 9, 10, 11, 12 and 13 are not reproduced here.)

14. An apparatus comprising:
a memory configured to store a packet and an identifier identifying the packet at a network gateway; and
one or more processors configured to:
in response to receiving a packet at the network gateway, assign an identifier to the packet;
generate a copy of the packet;
insert the identifier into a header of the copy of the packet;
transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
set a timer upon transmission of the packet from the network gateway to the intrusion detection system;
maintain the packet in the memory while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
take a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of: allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and dropping the packet.

15. Logic embodied on one or more non-transitory computer-readable media and when executed operable to:
in response to receiving a packet at a network gateway, assign an identifier to the packet;
generate, by the network gateway, a copy of the packet;
insert, by the network gateway, the identifier into a header of the copy of the packet;
store the packet and the identifier identifying the copy of the packet at the network gateway;
transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
receive a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
take the action associated with the code in response to the reply message.
(Dependent claims 16, 17 and 18 are not reproduced here.)

19. Logic embodied on one or more non-transitory computer-readable media and when executed operable to:
in response to receiving a packet at a network gateway, assign an identifier to the packet;
generate, by the network gateway, a copy of the packet;
insert, by the network gateway, the identifier into a header of the copy of the packet;
store the packet and the identifier identifying the copy of the packet at the network gateway;
transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
set a timer upon transmission of the packet from the network gateway to the intrusion detection system;
maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
take, by the network gateway, a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of: allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and dropping the packet.
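The gateway/IDS exchange that claims 1 and 7 describe (identifier assigned and stored, copy tagged with the identifier in a header, short reply carrying identifier plus action code, timer with a default action when no reply arrives) is easier to reason about as running code. The following simulation is an added example written for this page; it is not code from the patent or its assignee. The header name X-Gateway-Id, the action codes ACTION_ALLOW/ACTION_DROP, the 5-byte reply layout and the two byte-pattern signatures are all constructed for the example; the patent itself specifies none of them.

```python
import struct

# Action codes carried in the reply message (constructed for this example;
# the claims only say "a code representative of an action").
ACTION_ALLOW = 0
ACTION_DROP = 1

# Constructed stand-ins for an IDS rule set: two byte patterns treated as attack signatures.
SIGNATURES = [b"/etc/passwd", b"<script>"]

# Hypothetical header field in which the gateway places the identifier on the copy.
ID_HEADER = b"X-Gateway-Id"


class Packet:
    """Minimal packet model: header fields (bytes -> bytes) plus a payload."""

    def __init__(self, headers, payload):
        self.headers = dict(headers)
        self.payload = payload

    def size(self):
        return sum(len(k) + len(v) + 2 for k, v in self.headers.items()) + len(self.payload)


class IntrusionDetectionSystem:
    """Analyses the copy and answers with a reply far smaller than the packet."""

    def analyze(self, copy):
        ident = int(copy.headers[ID_HEADER])  # identifier extracted from the copy's header
        matched = any(sig in copy.payload for sig in SIGNATURES)
        code = ACTION_DROP if matched else ACTION_ALLOW
        # Fixed 5-byte reply: 32-bit identifier followed by an 8-bit action code.
        return struct.pack("!IB", ident, code)


class Gateway:
    def __init__(self, ids, timeout, default_action):
        self.ids = ids
        self.timeout = timeout                # seconds the gateway waits for a reply
        self.default_action = default_action  # applied when the timer expires first
        self.next_id = 1
        self.pending = {}     # identifier -> (stored packet, deadline)
        self.forwarded = []   # packets passed on to the protected network
        self.dropped = []
        self.log = []

    def receive(self, packet, now):
        """Store the packet under a fresh identifier, start its timer, send a tagged copy."""
        ident = self.next_id
        self.next_id += 1
        self.pending[ident] = (packet, now + self.timeout)
        copy = Packet(packet.headers, packet.payload)
        copy.headers[ID_HEADER] = str(ident).encode()
        return self.ids.analyze(copy)   # "transmit" the copy; the reply comes back as bytes

    def handle_reply(self, reply):
        """Match the reply to the stored packet by identifier and apply the coded action."""
        ident, code = struct.unpack("!IB", reply)
        entry = self.pending.pop(ident, None)
        if entry is None:
            return "stale"   # timer already fired for this id, or the id is unknown
        return self._act(entry[0], code, "ids reply for id %d" % ident)

    def expire(self, now):
        """Timer check: apply the default action to every packet whose reply is overdue."""
        overdue = [i for i, (_, deadline) in self.pending.items() if deadline <= now]
        for i in overdue:
            packet, _ = self.pending.pop(i)
            self._act(packet, self.default_action, "timeout for id %d" % i)
        return len(overdue)

    def _act(self, packet, code, reason):
        if code == ACTION_ALLOW:
            self.forwarded.append(packet)
            action = "allow"
        else:
            self.dropped.append(packet)
            action = "drop"
        self.log.append("%s: %s" % (action, reason))
        return action


def run_demo():
    """Benign and signature-matching packets, then one whose reply never arrives."""
    gw = Gateway(IntrusionDetectionSystem(), timeout=0.5, default_action=ACTION_DROP)
    benign = Packet({b"Host": b"intranet.example"}, b"GET /index.html HTTP/1.1\r\n\r\n")
    hostile = Packet({b"Host": b"intranet.example"}, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n")
    results = {}
    for name, pkt in (("benign", benign), ("hostile", hostile)):
        reply = gw.receive(pkt, now=0.0)
        results[name] = (gw.handle_reply(reply), len(reply) < pkt.size())
    late_reply = gw.receive(Packet({}, b"PING"), now=1.0)   # reply withheld: timer fires first
    results["timeout"] = gw.expire(now=2.0)
    results["late"] = gw.handle_reply(late_reply)           # arrives after the default action
    return results, gw


if __name__ == "__main__":
    res, gateway = run_demo()
    print(res)
    print("\n".join(gateway.log))
```

The default action is the policy decision the claims leave open: ACTION_DROP makes the gateway fail closed when the IDS is slow or unreachable, ACTION_ALLOW keeps traffic flowing at the cost of unanalysed packets. The "stale" branch matters too; once the timer has acted on a packet, a late reply must not be applied a second time, which is why the identifier is removed from the pending table as soon as either path takes an action.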
Specification