Inline intrusion detection

US 9,009,830 B2
Filed: 05/19/2010
Issued: 04/14/2015
Est. Priority Date: 01/20/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in response to receiving a packet at a network gateway, assigning an identifier to the packet;

generating, by the network gateway, a copy of the packet;

inserting, by the network gateway, the identifier into a header of the copy of the packet;

storing the packet and the identifier identifying the copy of the packet at the network gateway;

transmitting the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;

maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;

receiving a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and

taking, by the network gateway, the action associated with the code in response to the reply message.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for inline intrusion detection includes receiving a packet at a network gateway, storing the packet, and assigning an identifier to the packet. The method also includes transmitting a copy of the packet and the identifier from the network gateway to an intrusion detection system and analyzing the copy of the packet by the intrusion detection system to determine whether the packet includes an attack signature and communicating a reply message from the intrusion detection system to the network gateway. The reply message includes the identifier and is indicative of the results of the analysis. The size of the reply message is less than the size of the packet.

142 Citations

19 Claims

1. A method comprising:
- in response to receiving a packet at a network gateway, assigning an identifier to the packet;
  
  generating, by the network gateway, a copy of the packet;
  
  inserting, by the network gateway, the identifier into a header of the copy of the packet;
  
  storing the packet and the identifier identifying the copy of the packet at the network gateway;
  
  transmitting the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
  
  receiving a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
  
  taking, by the network gateway, the action associated with the code in response to the reply message.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, the taking the action in response to the reply message further comprising performing an action selected from the following:
    - dropping the packet;
      
      dropping the packet and dropping one or more related packets;
      
      allowing the packet to pass from the network gateway to a protected network;
      
      allowing the packet and one or more related packets to pass from the network gateway to a protected network;
      
      ormodifying the packet and then allowing the packet to pass from the network gateway to a protected network.
  - 3. The method of claim 1, wherein the reply message comprises an indication of whether the packet comprises an attack signature.
  - 4. The method of claim 1, wherein the action represented by the code is selected from the following:
    - dropping the packet;
      
      dropping the packet and dropping one or more related packets;
      
      allowing the packet to pass from the network gateway to a protected network;
      
      allowing the packet and one or more related packets to pass from the network gateway to a protected network;
      
      ormodifying the packet and then allowing the packet to pass from the network gateway to a protected network.
  - 5. The method of claim 1, further comprising:
    - removing material indicative of an attack signature prior to allowing the packet to pass from the network gateway to a protected network.
  - 6. The method of claim 1, wherein taking the action in response to the reply message comprises:
    - determining that one or more additional packets received at the network gateway are related to the packet; and
      
      disposing of the one or more additional packets, by the network gateway, in a same manner as the packet, wherein the one or more additional packets are not analyzed by the intrusion detection system.

7. A method comprising:
- in response to receiving a packet at a network gateway, assigning an identifier to the packet;
  
  generating, by the network gateway, a copy of the packet;
  
  inserting, by the network gateway, the identifier into a header of the copy of the packet;
  
  storing the packet and the identifier identifying the copy of the packet at the network gateway;
  
  transmitting the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  setting a timer upon transmission of the packet from the network gateway to the intrusion detection system;
  
  maintaining the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
  
  taking, by the network gateway, a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of;
  
  allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and
  
  dropping, by the network gateway, the packet.

8. An apparatus comprising:
- a memory configured to store a packet and an identifier identifying the packet at a network gateway; and
  
  one or more processors configured to;
  
  in response to receiving the packet at the network gateway, assigning an identifier to the packet;
  
  generate a copy of the packet;
  
  insert the identifier into a header of the copy of the packet;
  
  transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
  
  receive a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
  
  take the action associated with the code in response to the reply message.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, the taking the action in response to the reply message further comprising performing an action selected from the following:
    - dropping the packet;
      
      dropping the packet and dropping one or more related packets;
      
      allowing the packet to pass from the network gateway to a protected network;
      
      allowing the packet and one or more related packets to pass from the network gateway to a protected network;
      
      ormodifying the packet and then allowing the packet to pass from the network gateway to a protected network.
  - 10. The apparatus of claim 8, wherein the reply message comprises an indication of whether the packet comprises an attack signature.
  - 11. The apparatus of claim 8, the action represented by the code is selected from the following:
    - dropping the packet;
      
      dropping the packet and dropping one or more related packets;
      
      allowing the packet to pass from the network gateway to a protected network;
      
      allowing the packet and one or more related packets to pass from the network gateway to a protected network;
      
      ormodifying the packet and then allowing the packet to pass from the network gateway to a protected network.
  - 12. The apparatus of claim 8, the one or more processors further operable to:
    - remove material indicative of an attack signature prior to allowing the packet to pass from the network gateway to a protected network.
  - 13. The apparatus of claim 8, wherein, when taking the action in response to the reply message, the processor is configured to:
    - determine that one or more additional packets received at the network gateway are related to the packet; and
      
      dispose of the one or more additional packets, by the network gateway, in a same manner as the packet, wherein the one or more additional packets are not analyzed by the intrusion detection system.

14. An apparatus comprising:
- a memory configured to store a packet and an identifier identifying the packet at a network gateway; and
  
  one or more processors configured to;
  
  in response to receiving a packet at the network gateway, assign an identifier to the packet;
  
  generate a copy of the packet;
  
  insert the identifier into a header of the copy of the packet;
  
  transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  set a timer upon transmission of the packet from the network gateway to the intrusion detection system;
  
  maintain the packet in the memory while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
  
  take a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of;
  
  allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and
  
  dropping the packet.

15. Logic embodied on one or more non-transitory computer-readable media and when executed operable to:
- in response to receiving a packet at a network gateway, assign an identifier to the packet;
  
  generate, by the network gateway, a copy of the packet;
  
  insert, by the network gateway, the identifier into a header of the copy of the packet;
  
  store the packet and the identifier identifying the copy of the packet at the network gateway;
  
  transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature;
  
  receive a reply message from the intrusion detection system at the network gateway, the reply message comprising the identifier extracted from the header of the copy of the packet and indicating one or more results of the analysis, the reply message further comprising a code representative of an action to take in response to the reply message, the size of the reply message less than the size of the packet; and
  
  take the action associated with the code in response to the reply message.
- View Dependent Claims (16, 17, 18)
- - 16. The logic of claim 15, the taking the action in response to the reply message further comprising performing an action selected from the following:
    - dropping the packet;
      
      dropping the packet and dropping one or more related packets;
      
      allowing the packet to pass from the network gateway to a protected network;
      
      allowing the packet and one or more related packets to pass from the network gateway to a protected network;
      
      ormodifying the packet and then allowing the packet to pass from the network gateway to a protected network.
  - 17. The logic of claim 15, further operable to:
    - remove material indicative of an attack signature prior to allowing the packet to pass from the network gateway to a protected network.
  - 18. The logic of claim 15, wherein taking the action in response to the reply message comprises:
    - determining that one or more additional packets received at the network gateway are related to the packet; and
      
      disposing of the one or more additional packets, by the network gateway, in a same manner as the packet, wherein the one or more additional packets are not analyzed by the intrusion detection system.

19. Logic embodied on one or more non-transitory computer-readable media and when executed operable to:
- in response to receiving a packet at a network gateway, assign an identifier to the packet;
  
  generate, by the network gateway, a copy of the packet;
  
  insert, by the network gateway, the identifier into a header of the copy of the packet;
  
  store the packet and the identifier identifying the copy of the packet at the network gateway;
  
  transmit the copy of the packet having the identifier in the header from the network gateway to an intrusion detection system;
  
  set a timer upon transmission of the packet from the network gateway to the intrusion detection system;
  
  maintain the packet at the network gateway while the copy is analyzed by the intrusion detection system to determine whether the packet includes an attack signature; and
  
  take, by the network gateway, a default action in response to determining that the timer expired before a reply message is received from the intrusion detection system, the default action selected from the group consisting of;
  
  allowing, by the network gateway, the packet to pass from the network gateway to a protected network; and
  
  dropping the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cothrell, Scott A., Richardson, Aaron S.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/782,969
Publication Number

US 20100226383A1
Time in Patent Office

1,791 Days
Field of Search

726/22, 726/23, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Inline intrusion detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Inline intrusion detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links