Protocol-parsing state machine and method of using same

US 7,308,715 B2
Filed: 06/13/2002
Issued: 12/11/2007
Est. Priority Date: 06/13/2001
Status: Active Grant

First Claim

Patent Images

1. A method of detecting intrusions on a computer, comprising;

storing an intrusion signature describing an attack on a computer;

receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;

rearranging said plurality of internet protocol packets so as to place said information sequence in order;

successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;

detecting a denial-of-service attack associated with the internet protocol packets; and

identifying a source of the denial-of-service attack.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion signature describing an attack is stored on a computer. Once a plurality of internet protocol packets is received, the plurality of internet protocol packets collectively containing an information sequence within a series of states, it is rearranged so as to place the information sequence in order. Each state of the series of states is then successively examined so as to correlate the information sequence to the intrusion signature.

131 Citations

View as Search Results

30 Claims

1. A method of detecting intrusions on a computer, comprising;
- storing an intrusion signature describing an attack on a computer;
  
  receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
  
  rearranging said plurality of internet protocol packets so as to place said information sequence in order;
  
  successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
  
  detecting a denial-of-service attack associated with the internet protocol packets; and
  
  identifying a source of the denial-of-service attack.

2. A method of detecting intrusions on a computer, comprising:
- storing an intrusion signature describing an attack on a computer;
  
  receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
  
  reassembling said plurality of internet protocol packets;
  
  successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
  
  detecting a denial-of-service attack associated with the internet protocol packets; and
  
  identifying a source of the denial-of-service attack.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 3. The method of claim 2, further comprising establishing a traffic level of network traffic received by the computer.
  - 4. The method of claim 3, further comprising determining a connectivity threshold.
  - 5. The method of claim 4, furthering comparing, the connectivity threshold with the traffic level.
  - 6. The method of claim 5, further comprising flaggingpackets that are identified as being an intrusion on the computer.
  - 7. The method of claim 2, wherein the denial-of-service attack is a distributed denial-of-service attack.
  - 8. The method of claim 2, wherein the denial-of-service attack is detected by inserting identification information into network traffic.
  - 9. The method of claim 8, wherein the denial-of-service attack is further detected by monitoring the identification information received from a plurality of sensors.
  - 10. The method of claim 9, wherein flags are set upon the detection of the denial-of-service attack.
  - 11. The method of claim 2, wherein a transition among the states is examined.
  - 12. The method of claim 11, wherein the transition among the states is examined utilizing a transition table.
  - 13. The method of claim 2, wherein the internet protocol packets are rearranged so as to place the information sequence in order.
  - 14. The method of claim 2, wherein the examining includes receiving a token.
  - 15. The method of claim 14, wherein the examining further includes loading a transition operation.
  - 16. The method of claim 15, wherein the transition operation is loaded by referring to a transition table.
  - 17. The method of claim 16, wherein the examining further includes determining whether a signature identifier is found.
  - 18. The method of claim 17, wherein field comparison tables are used to specify comparisons and corresponding signature identifiers for different types of comparisons.
  - 19. The method of claim 18, wherein the field comparison tables include a numerical equal field comparison table.
  - 20. The method of claim 19, wherein the numerical equal field comparison table includes a plurality of signature identifiers and a plurality of corresponding match values.
  - 21. The method of claim 18, wherein field, comparison tables include a numerical range field comparison table.
  - 22. The method of claim 21, wherein the numerical range field comparison table includes a plurality of signature identifiers and a plurality of corresponding low values and high values.
  - 23. The method of claim 18, wherein field comparison tables include a regular expression field comparison table.
  - 24. The method of claim 23, wherein the regular expression field comparison table includes a plurality of signature identifiers and a plurality of corresponding regular expressions.
  - 25. The method of claim 17, wherein the examining further includes transmitting the signature identifier to an attack detector module, if it is determined that the signature identifier is found.
  - 26. The method of claim 25, wherein the examining further includes repeating the examining until a flow is complete.

27. A computer program product embodied on a tangible computer readable medium for detecting intrusions on a computer, comprising:
- computer code for storing an intrusion signature describing an attack on a computer;
  
  computer code for receiving a plurally of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of stairs;
  
  computer code for reassembling said plurality of internet protocol packets;
  
  computer code for successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
  
  computer code for detecting a denial-of-service attack associated with the internet protocol packets; and
  
  computer code for identifying a source of the denial-of-service attack.

28. A system for detecting intrusions on a computer, comprising:
- logic for storing an intrusion signature describing an attack on a computer;
  
  logic for receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
  
  logic for reassembling said plurality of internet protocol packets;
  
  logic for successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
  
  logic for detecting a denial-of-service attack associated with the internet protocol packets; and
  
  logic for identifying a source of the denial-of-service attack.

29. A method of detecting intrusions on a computer, comprising:
- receiving a plurality of internet protocol packets having an associated series of states, wherein each state of said series of states associated with the internet protocol packets are examined so as to correlate an information sequence to an intrusion signature describing an attack on a computer; and
  
  determining whether said plurality of internet protocol packets are out-of-order;
  
  wherein intrusions are further detected based on the determination.

30. A computer program product embodied on a tangible computer readable medium, comprising:
- computer code for receiving a plurality of internet protocol packets having an associated series of states;
  
  computer code for examining each state of said series of states associated with the internet protocol packets so as to correlate an information sequence to an intrusion signature describing an intrusion; and
  
  computer code for determining whether said plurality of internet protocol packets are out-of-order for detecting intrusions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Gupta, Ramesh M., Jain, Parveen K., Amidon, Keith E., Gong, Fengmin, Vissamsetti, Srikant, Haeffele, Steve M., Raman, Ananth
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Shiferaw, Eleni A

Application Number

US10/172,803
Publication Number

US 20030014662A1
Time in Patent Office

2,007 Days
Field of Search

726/23, 726/22, 713/188, 370/473, 370/351, 370/218
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Protocol-parsing state machine and method of using same

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Protocol-parsing state machine and method of using same

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others