Method and system for detecting unauthorized use of a communication network

US 20060242703A1
Filed: 08/11/2003
Published: 10/26/2006
Est. Priority Date: 08/11/2003
Status: Active Grant

First Claim

Patent Images

1-25. -25. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching attack signatures into data packets, and with a response analysis engine for detecting response signatures into data packets sent back from an attacked network/computer. When a suspect signature has been detected into a packet, the system enters an alarm status starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets produces as well a positive result. Such intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.

96 Citations

View as Search Results

50 Claims

1-25. -25. (canceled)

26. An intrusion detection system for detecting unauthorised use of a network, comprising:
- a sniffer for capturing data being transmitted on said network and a pattern matching engine receiving data captured by said sniffer and comparing said data with attack signatures for generating an event when a match between captured data and at least one attack signature is found; and
  
  a response analysis engine, triggered by said event for comparing with response signatures the data being transmitted on said network as a response to said data matched with said attack signature and for correlating the results of said comparisons with attack and response signatures for generating an alarm.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 27. The system of claim 26, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by said sniffer by performing an analysis of source IP address in data packets transmitted on said network.
  - 28. The system of claim 26, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by said sniffer by performing an analysis of both source and destination IP addresses in data packets transmitted on said network.
  - 29. The system of claim 26, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by said sniffer by analysing transport level information in data packets transmitted on said network.
  - 30. The system of claim 26, wherein said response analysis engine generates an alarm when said data being transmitted on said network as a response to said data matched with said attack signature indicates that a new network connection has been established.
  - 31. The system of claim 26, wherein said response signatures are arranged in two categories, response signatures identifying an illicit traffic, and response signatures identifying legitimate traffic.
  - 32. The system of claim 31, wherein said response analysis engine generates an alarm when a match between captured data and a response signature identifying illicit traffic is found.
  - 33. The system of claim 31, wherein said response analysis engine comprises a counter which is incremented when a match between captured data and a response signature identifying legitimate traffic is found.
  - 34. The system of claim 33, wherein, when said counter reaches a predetermined value, said response analysis engine terminates without generating any alarm.
  - 35. The system of claim 26, wherein said response analysis engine comprises a time-out system triggered by said event for starting a probing task.
  - 36. The system of claim 35, wherein said probing task verifies if any data has been detected on said network as a response to said data matched with said attack signature and, if such condition is verified:
    - generates an alarm in case only response signatures indicating legitimate traffic have been used by said response analysis engine;
      
      or ends the probing task in case only response signatures indicating illicit traffic or both response signatures indicating legitimate traffic and illicit traffic have been used by said response analysis engine.
  - 37. The system of claim 36, wherein, if such condition is not verified, said probing task attempts to perform a connection to a suspected attacked computer, for generating an alarm if such attempt is successful, or for ending the probing task if such attempt is unsuccessful.

38. A method for detecting unauthorised use of a network, comprising the steps:
- capturing data being transmitted on said network;
  
  comparing said data with attack signatures for generating an event when a match between captured data and at least one attack signature is found; and
  
  when triggered by said event;
  
  comparing with response signatures the data being transmitted on said network as a response to said data matched with said attack signature; and
  
  correlating the results of said comparisons with attack and response signatures for generating an alarm.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 39. The method of claim 38, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by performing an analysis of source IP address in data packets transmitted on said network.
  - 40. The method of claim 38, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by performing an analysis of both source and destination IP addresses in data packets transmitted on said network.
  - 41. The method of claim 38, wherein said data being transmitted on said network as a response to said data matched with said attack signature is captured by analysing transport level information in data packets transmitted on said network.
  - 42. The method of claim 38, comprising the step of generating an alarm when said data being transmitted on said network as a response to said data matched with said attack signature indicates that a new network connection has been established.
  - 43. The method of claim 38, wherein said response signatures are arranged in two categories, response signatures identifying illicit traffic, and response signatures identifying legitimate traffic.
  - 44. The method of claim 43, comprising the step of generating an alarm when a match between captured data and a response signature identifying illicit traffic is found.
  - 45. The method of claim 43, comprising the step of incrementing a counter when a match between captured data and a response signature identifying legitimate traffic is found.
  - 46. The method of claim 45, wherein said step of comparing data with response signatures is terminated when said counter reaches a predetermined value.
  - 47. The method of claim 38, comprising the step of providing a time-out system, triggered by said event, for starting a probing task.
  - 48. The method of claim 47, comprising the step of verifying if any data has been detected on said network as a response to said data matched with said attack signature, and, if such condition is verified:
    - generating an alarm in case only response signatures indicating legitimate traffic have been used;
      
      or ending said probing task in case only response signatures indicating illicit traffic or both response signatures indicating legitimate traffic and illicit traffic have been used.
  - 49. The method of claim 48, wherein, if such condition is not verified, said probing task attempts to perform a connection to a suspected attacked computer, for generating an alarm if such attempt is successful, or for ending the probing task if such attempt is unsuccessful.
  - 50. A computer program product capable of being loaded in the memory of at least one computer and including software code portions for performing the method of any one of claims 38 to 49 when the product is capable of being run on a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
III Holdings 1, LLC
Original Assignee
Telecom Italia S.p.A.
Inventors
Abeni, Paolo

Granted Patent

US 8,006,302 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Method and system for detecting unauthorized use of a communication network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting unauthorized use of a communication network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links