Extension model for improved parsing and describing protocols

US 9,191,397 B2
Filed: 06/27/2008
Issued: 11/17/2015
Est. Priority Date: 06/27/2008
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a computer-implemented method comprising:

receiving, by an intrusion detection engine implemented on at least one processor, data corresponding to network protocols;

parsing the data, including arranging a plurality of modules in a tree-like structure, the plurality of modules including at least one parent module and at least one child module, the at least one parent module comprising a protocol definition and the at least one child module comprising a protocol definition extension, in which a child module specifies a parent module and specifies a condition set containing at least one condition that, in response to the at least one condition being met, prompts the parent module to invoke the child module, the parent module parsing the data corresponding to the network protocols to determine whether to invoke the child module;

processing a selected module of the plurality of modules to determine whether the selected module has a parent module associated therewith; and

responsive to determining that the selected module does not have a parent module associated therewith, designating the selected module as a top-level parent module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module'"'"'s specified condition is met, it invokes the corresponding child module, (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.

28 Citations

View as Search Results

20 Claims

1. In a computing environment, a computer-implemented method comprising:
- receiving, by an intrusion detection engine implemented on at least one processor, data corresponding to network protocols;
  
  parsing the data, including arranging a plurality of modules in a tree-like structure, the plurality of modules including at least one parent module and at least one child module, the at least one parent module comprising a protocol definition and the at least one child module comprising a protocol definition extension, in which a child module specifies a parent module and specifies a condition set containing at least one condition that, in response to the at least one condition being met, prompts the parent module to invoke the child module, the parent module parsing the data corresponding to the network protocols to determine whether to invoke the child module;
  
  processing a selected module of the plurality of modules to determine whether the selected module has a parent module associated therewith; and
  
  responsive to determining that the selected module does not have a parent module associated therewith, designating the selected module as a top-level parent module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1 further comprising:
    - responsive to determining that the selected module has a parent module associated therewith, locating the parent module and positioning the selected module as a child module under the parent module and providing the parent module with the condition set for invoking the child module during parsing of the data.
  - 3. The computer-implemented method of claim 1 wherein parsing the data comprises parsing network traffic.
  - 4. The computer-implemented method of claim 1 wherein the condition set includes a condition that specifies a port or other attribute of incoming or outgoing data.
  - 5. The computer-implemented method of claim 1 wherein the condition set includes a condition on the data.
  - 6. The computer-implemented method of claim 1 wherein the child module corresponds to a signature, wherein the child module specifies that the child module is to be invoked by the parent module in response to that signature being present in parsed data, and wherein the child module includes processing directed towards detecting that signature.
  - 7. The computer-implemented method of claim 1 wherein the child module includes a rule and visitor code associated with that rule, and further comprising:
    - running the visitor code in response to encountering the rule during execution.
  - 8. The computer-implemented method of claim 7 wherein the visitor code associated with the rule corresponds to a pre-process and post-process visitor.
  - 9. The computer-implemented method of claim 1 further comprising:
    - maintaining session context management data in association with at least one of the modules.

10. In a computing environment, a system comprising:
- memory coupled to a bus system, the memory comprising computer useable program code;
  
  one or more processing units, the one or more processing units configured to execute the computer useable program code to implement a parsing engine, the parsing engine configured to parse data corresponding to network protocols; and
  
  a tree-structured model comprising a plurality of modules, including at least one parent module having at least one child module, the at least one parent module comprising a protocol definition and the at least one child module comprising a protocol definition extension, the parsing engine configured to access the tree-structured model to parse the data, including;
  
  invoking the at least one parent module from a top-level module based upon a condition being met, the at least one parent module providing processing for parsing the data and invoking the at least one child module for further processing upon another condition being met, the at least one child module specifies the at least one parent module and the other condition that prompts the at least one parent module to invoke the at least one child module;
  
  processing a selected module of the plurality of modules to determine whether the selected module has an associated parent module; and
  
  responsive to determining that the selected module does not have an associated parent module, designating the selected module as a top-level parent module within the tree-structured model.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10 wherein the at least one child module contains information that specifies its parent module and the condition for the at least one parent module to invoke the at least one child module.
  - 12. The system of claim 10 wherein parsing the data corresponds to network traffic.
  - 13. The system of claim 10 wherein parsing the data corresponds to network traffic, and wherein the condition for invoking the at least one parent module from the top-level module is based on a port at which the network traffic was received.
  - 14. The system of claim 10 wherein the condition for invoking the at least one child module is based on a condition on the data.
  - 15. The system of claim 10 wherein the at least one child module includes logic for detecting known processing vulnerabilities.
  - 16. The system of claim 10 wherein the at least one child module is a parent to at least one other child module that is invoked upon another condition being met.
  - 17. The system of claim 10 further comprising:
    - a set of session context management data that is maintained in association with the tree-structured model.

18. One or more computer storage devices having computer-executable instructions, which on execution by a computer, cause the computer to:
- receive, by a parsing engine implemented on at least one processor, data corresponding to network protocols; and
  
  parse the data based on a plurality of modules arranged in a tree-like structure, in which a child module specifies a parent module and a condition set containing at least one condition for the parent module invoking the child module, the parent module comprising a protocol definition and the child module comprising a protocol definition extension, the parent module parsing the data corresponding to the network protocols, and evaluating the data to determine whether to invoke the child module, and responsive to the at least one condition specified by the child module being met, the parent module invoking the child module as a rule visitor during the parsing;
  
  process a selected module of the plurality of modules to determine whether the selected module has an associated parent module; and
  
  responsive to determining that the selected module does not have an associated parent module, designate the selected module as a top-level parent module.
- View Dependent Claims (19, 20)
- - 19. The one or more computer storage devices of claim 18 further comprising:
    - responsive to a determination that the selected module does have an associated parent, locate the associated parent module and positioning the selected module as a selected child module under the associated parent module and provide the associated parent module with the condition set for invoking the selected child module.
  - 20. The one or more computer storage devices of claim 18, wherein the child module corresponds to a signature, wherein the child module specifies that the child module is to be invoked by the parent module in response to that signature being present in parsed data, and wherein the child module includes processing directed towards detecting that signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Chinta, Ramesh, Lifliand, Vladimir, Nagampalli, Narasimha Rao S. S., Li, Crystal
Primary Examiner(s)
SERRAO, RANODHI N

Application Number

US12/147,895
Publication Number

US 20090327993A1
Time in Patent Office

2,699 Days
Field of Search

709/238, 717/104, 706/47
US Class Current

1/1
CPC Class Codes

H04L 43/18   Protocol analysers

H04L 63/1408   by monitoring network traff...

H04L 69/03   Protocol definition or spec...

Extension model for improved parsing and describing protocols

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Extension model for improved parsing and describing protocols

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links