Methods and apparatus for heuristic firewall

US 6,519,703 B1
Filed: 04/14/2000
Issued: 02/11/2003
Est. Priority Date: 04/14/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for processing packets in a computer communication network comprising the steps of:

analyzing a packet stream utilizing a plurality of differently-trained heuristic stages trained to recognize potentially harmful packets;

assigning a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and

selecting packets for further analysis in accordance with their assigned confidence rating.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention is a method for processing packets in a computer communication network that includes steps of analyzing a packet stream using at least a first heuristic stage trained to recognize potentially harmful packets; assigning a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and selecting packets for further analysis in accordance with their assigned confidence rating. This exemplary embodiment overcomes disadvantages of previous methods for providing firewall security and is able to learn from and adapt to data flowing through a network to provide additional network security.

362 Citations

40 Claims

1. A method for processing packets in a computer communication network comprising the steps of:
- analyzing a packet stream utilizing a plurality of differently-trained heuristic stages trained to recognize potentially harmful packets;
  
  assigning a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and
  
  selecting packets for further analysis in accordance with their assigned confidence rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method in accordance with claim 1 further comprising pre-training the first heuristic stage to recognize packets indicative of at least one member of the group consisting of computer viruses, Trojans, and denial-of-service attacks.
  - 3. A method in accordance with claim 1 wherein selecting packets for further analysis in accordance with their assigned confidence rating comprises the steps of releasing packets (“
    - higher confidence packets”
      
      ) assigned a level of confidence indicative of higher confidence of the packets not being harmful, and further analyzing packets (“
      
      lesser confidence packets”
      
      ) assigned a level of confidence indicative of lesser confidence of the packets not being harmful.
  - 4. A method in accordance with claim 3 wherein further analyzing lesser confidence packets comprises analyzing the lesser confidence packets utilizing a first rule base.
  - 5. A method in accordance with claim 4 further comprising the steps of assigning a confidence rating intermediate to the confidence ratings of the lesser confidence packets and higher confidence packets to at least some packets (“
    - marginal confidence packets”
      
      ), and analyzing the marginal confidence packets utilizing a second rule base.
  - 6. A method in accordance with claim 5 further comprising the step of analyzing the marginal confidence packets with a second heuristic stage.
  - 7. A method in accordance with claim 6 further comprising training the second heuristic stage to recognize packets indicative of at least temporal anomalies in packet streams.
  - 8. A method in accordance with claim 7 wherein training the second heuristic stage to recognize packets indicative of at least temporal anomalies in packet streams comprises training the second heuristic stage to recognize at least one member of the group consisting of temporal attack signatures, frequency signatures, in-transit packet modification, forged-packet indicators, out-of-band (OOB) communications, and covert channel communications.
  - 9. A method in accordance with claim 6 further comprising the step of selectively releasing packets analyzed by the first rule base in accordance with a confidence rating assigned by the second heuristic stage.
  - 10. A method in accordance with claim 9 further comprising the step of the first heuristic stage assigning a confidence rating intermediate to the confidence ratings of the lesser confidence packets and higher confidence packets to at least some packets (“
    - marginal confidence packets”
      
      ), analyzing the marginal confidence packets utilizing a second rule base, selectively releasing packets analyzed by the first rule base in accordance with a confidence rating assigned by the second heuristic stage, and selectively releasing packets analyzed by the second rule base in accordance with a confidence rating assigned by the second heuristic stage.
  - 11. A method in accordance with claim 1 further comprising the steps of shunting packets analyzed and determined to be harmful to a network simulator.
  - 12. A method in accordance with claim 1 performed on both an incoming and outgoing packet stream.
  - 13. A method in accordance with claim 1 wherein analyzing a packet stream utilizing a plurality of differently-trained heuristic stages comprises analyzing a packet stream utilizing a heuristic stage trained to analyze packet streams transformed into a frequency domain.
  - 14. A method in accordance with claim 1 wherein analyzing a packet stream utilizing a plurality of differently-trained heuristic stages comprises analyzing a packet stream utilizing a heuristic stage trained to analyze a differential of the packet stream.
  - 15. A method in accordance with claim 1 wherein analyzing a packet stream utilizing a plurality of differently trained heuristic stages comprises analyzing a packet stream utilizing heuristic stages configured to analyze successive differential comparisons.
  - 16. A method in accordance with claim 1 wherein selecting packets for further analysis in accordance with their assigned confidence rating comprises the steps of releasing packets (“
    - higher confidence packets”
      
      ) assigned a level of confidence indicative of higher confidence of the packets not being harmful, and further analyzing packets (“
      
      lesser confidence packets”
      
      ) assigned a level of confidence indicative of lesser confidence of the packets not being harmful utilizing at least a second heuristic stage.

17. A method for processing packets in a computer communication network comprising:
- analyzing a packet stream using at least a first heuristic stage trained to respond to inputs with spatio-temporal independence;
  
  assigning a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and
  
  selecting packets for further analysis in accordance with their assigned confidence rating.
- View Dependent Claims (18)
- - 18. A method in accordance with claim 17 wherein analyzing a packet stream utilizing a first heuristic stage comprises the step of analyzing the packet stream utilizing a fully-connected, dual hidden-layer, back-propagation, sigmoid transfer function, neural network algorithm.

19. A computer network firewall configured to:
- analyze a packet stream using at least a first heuristic stage trained to recognize potentially harmful packets;
  
  assign a confidence rating to packets in the analyzed stream in accordance with a level of confidence regarding the harmfulness of the analyzed packets; and
  
  select packets for further analysis in accordance with their assigned confidence rating.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 20. A firewall in accordance with claim 19 wherein the first heuristic stage is pre-trained to recognize packets indicative of at least one member of the group consisting of computer viruses, Trojans, and denial-of-service attacks.
  - 21. A firewall in accordance with claim 19 wherein said firewall being configured to select packets for further analysis in accordance with their assigned confidence rating comprises said firewall being configured to release packets (“
    - higher confidence packets”
      
      ) assigned a level of confidence indicative of higher confidence of the packets not being harmful, and to further analyze packets (“
      
      lesser confidence packets”
      
      ) assigned a level of confidence indicative of lesser confidence of the packets not being harmful.
  - 22. A firewall in accordance with claim 21 wherein said firewall being configured to further analyze lesser confidence packets comprises said firewall being configured to analyze the lesser confidence packets utilizing a first rule base.
  - 23. A firewall in accordance with claim 22 further configured to assign a confidence rating intermediate to the confidence ratings of the lesser confidence packets and higher confidence packets to at least some packets (“
    - marginal confidence packets”
      
      ), and to analyze the marginal confidence packets utilizing a second rule base.
  - 24. A firewall in accordance with claim 23 further configured to analyze the marginal confidence packets using a second heuristic stage.
  - 25. A firewall in accordance with claim 24 wherein said second heuristic stage is trained to recognize packets indicative of at least temporal anomalies in packet streams.
  - 26. A firewall in accordance with claim 25 wherein said second heuristic stage is trained to recognize at least one member of the group consisting of temporal attack signatures, frequency signatures, in-transit packet modification, forged-packet indicators, out-of-band (OOB) communications, and covert channel communications.
  - 27. A firewall in accordance with claim 24 further configured to selectively release packets analyzed by the first rule base in accordance with a confidence rating assigned by the second heuristic stage.
  - 28. A firewall in accordance with claim 27 further configured so that the first heuristic stage assigns a confidence rating intermediate to the confidence ratings of the lesser confidence packets and higher confidence packets to at least some packets (“
    - marginal confidence packets”
      
      ), the firewall also being configured to analyze the marginal confidence packets utilizing a second rule base, selectively release packets analyzed by the first rule base in accordance with a confidence rating assigned by the second heuristic stage, and selectively release packets analyzed by the second rule base in accordance with a confidence rating assigned by the second heuristic stage.
  - 29. A firewall in accordance with claim 19 further configured to shunt packets analyzed and determined to be harmful to a network simulator.
  - 30. A firewall in accordance with claim 19 configured to operate on both an incoming and an outgoing packet stream.
  - 31. A firewall in accordance with claim 19 wherein said firewall being configured to analyze a packet stream using at least a first heuristic stage trained to recognize potentially harmful packets comprises said firewall being configured to analyze a packet stream utilizing a plurality of differently-trained heuristic stages.
  - 32. A firewall in accordance with claim 31 wherein said firewall being configured to analyze a packet stream utilizing a plurality of differently-trained heuristic stages comprises said firewall being configured to analyze a packet stream utilizing a heuristic stage trained to analyze a packet stream transformed into a frequency domain.
  - 33. A firewall in accordance with claim 31 wherein said firewall being configured to analyze a packet stream utilizing a plurality of differently-trained heuristic stages comprises said firewall being configured to analyze a packet stream utilizing a heuristic stage trained to analyze a differential of the packet stream.
  - 34. A firewall in accordance with claim 31 wherein said firewall being configured to analyze a packet stream utilizing a plurality of differently trained heuristic stages comprises said firewall being configured to analyze a packet stream utilizing heuristic stages configured to analyze successive differential comparisons.
  - 35. A firewall in accordance with claim 19 wherein said firewall being configured to analyze a packet stream using at least a first heuristic stage trained to recognize potentially harmful packets comprises said firewall being configured to analyze a packet stream using at least a first heuristic stage trained to respond to inputs with spatio-temporal independence.
  - 36. A firewall in accordance with claim 35 wherein said firewall being configured to analyze a packet stream utilizing a first heuristic stage comprises said firewall being configured to analyze the packet stream utilizing a fully-connected, dual hidden-layer, back-propagation, sigmoid transfer function, neural network algorithm.
  - 37. A firewall in accordance with claim 35 wherein said first heuristic stage comprises an input layer comprising a plurality of input layer processing elements, at least one hidden layer of processing elements, and an output layer of processing elements.
  - 38. A firewall in accordance with claim 37 wherein said firewall comprises a processor having an n-bit resolution, and the input layer comprises n processing elements.
  - 39. A firewall in accordance with claim 38 wherein each said hidden layer of processing elements comprises 2n processing elements.
  - 40. A firewall in accordance with claim 19 wherein said firewall being configured to select packets for further analysis in accordance with their assigned confidence rating comprises said firewall being configured to release packets (“
    - higher confidence packets”
      
      ) assigned a level of confidence indicative of higher confidence of the packets not being harmful, and further analyze packets (“
      
      lesser confidence packets”
      
      ) assigned a level of confidence indicative of lesser confidence of the packets not being harmful utilizing at least a second heuristic stage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bandura Cyber, Inc.
Original Assignee
James B Joyce
Inventors
Joyce, James B.
Primary Examiner(s)
Hayes, Gail
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/549,417
Time in Patent Office

1,033 Days
Field of Search

713/200, 713/201, 713/154, 709/223-226, 706/15, 706/16, 706/21, 706/22, 706/45-48, 706/50, 706/61, 706/62
US Class Current

726/22
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/1408 by monitoring network traff...

Methods and apparatus for heuristic firewall

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

362 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for heuristic firewall

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

362 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links