Protocol-parsing state machine and method of using same
Abstract
An intrusion signature describing an attack is stored on a computer. Once a plurality of internet protocol packets is received, the plurality of internet protocol packets collectively containing an information sequence within a series of states, it is rearranged so as to place the information sequence in order. Each state of the series of states is then successively examined so as to correlate the information sequence to the intrusion signature.
131 Citations
30 Claims
1. A method of detecting intrusions on a computer, comprising:
storing an intrusion signature describing an attack on a computer;
receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
rearranging said plurality of internet protocol packets so as to place said information sequence in order;
successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
detecting a denial-of-service attack associated with the internet protocol packets; and
identifying a source of the denial-of-service attack.

2. A method of detecting intrusions on a computer, comprising:
storing an intrusion signature describing an attack on a computer;
receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
reassembling said plurality of internet protocol packets;
successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
detecting a denial-of-service attack associated with the internet protocol packets; and
identifying a source of the denial-of-service attack.
Dependent claims 3 through 26 depend on claim 2.

27. A computer program product embodied on a tangible computer readable medium for detecting intrusions on a computer, comprising:
computer code for storing an intrusion signature describing an attack on a computer;
computer code for receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
computer code for reassembling said plurality of internet protocol packets;
computer code for successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
computer code for detecting a denial-of-service attack associated with the internet protocol packets; and
computer code for identifying a source of the denial-of-service attack.

28. A system for detecting intrusions on a computer, comprising:
logic for storing an intrusion signature describing an attack on a computer;
logic for receiving a plurality of internet protocol packets, said plurality of internet protocol packets collectively containing an information sequence within a series of states;
logic for reassembling said plurality of internet protocol packets;
logic for successively examining each state of said series of states so as to correlate said information sequence to said intrusion signature;
logic for detecting a denial-of-service attack associated with the internet protocol packets; and
logic for identifying a source of the denial-of-service attack.

29. A method of detecting intrusions on a computer, comprising:
receiving a plurality of internet protocol packets having an associated series of states, wherein each state of said series of states associated with the internet protocol packets is examined so as to correlate an information sequence to an intrusion signature describing an attack on a computer; and
determining whether said plurality of internet protocol packets are out-of-order;
wherein intrusions are further detected based on the determination.

30. A computer program product embodied on a tangible computer readable medium, comprising:
computer code for receiving a plurality of internet protocol packets having an associated series of states;
computer code for examining each state of said series of states associated with the internet protocol packets so as to correlate an information sequence to an intrusion signature describing an intrusion; and
computer code for determining whether said plurality of internet protocol packets are out-of-order for detecting intrusions.
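As an added illustration (not code from the patent), the following Python reassembles constructed out-of-order segments, steps a hypothetical stored signature's series of states over the ordered stream as the abstract and claims 1 and 2 describe, and counts out-of-order arrivals as claim 29 describes. The toy protocol tokens, stream offsets and function names are all assumptions made for the demo.

```python
"""Added example, not the patent's own code: reassemble out-of-order
segments, walk a stored signature's series of states over the ordered
stream, and report out-of-order arrival. All tokens and offsets are
constructed for this demo."""
from dataclasses import dataclass
from typing import Sequence

@dataclass(frozen=True)
class Segment:
    seq: int       # stream offset of the payload's first byte
    payload: bytes

# Hypothetical stored signature: tokens that must appear in this order.
SIGNATURE = (b"CONNECT ", b"AUTH ", b"CMD ")

def reassemble(segments: Sequence[Segment]) -> tuple[bytes, int]:
    """Place segments in sequence order; also count out-of-order arrivals."""
    out_of_order = sum(1 for a, b in zip(segments, segments[1:]) if b.seq < a.seq)
    stream, expected = bytearray(), 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq != expected:   # gap or overlap: a real reassembler would buffer here
            raise ValueError(f"gap or overlap at offset {s.seq}")
        stream += s.payload
        expected += len(s.payload)
    return bytes(stream), out_of_order

def walk_states(stream: bytes, signature=SIGNATURE) -> int:
    """Examine each state in turn; return how many states were satisfied."""
    state, pos = 0, 0
    while state < len(signature):
        hit = stream.find(signature[state], pos)
        if hit < 0:
            break               # the information sequence diverges from the signature
        pos = hit + len(signature[state])
        state += 1
    return state

def detect(segments: Sequence[Segment]) -> dict:
    stream, ooo = reassemble(segments)
    states = walk_states(stream)
    return {"matched": states == len(SIGNATURE), "states": states, "out_of_order": ooo}

def demo() -> tuple[dict, int]:
    # Constructed capture: three segments of one stream; the middle one arrives first.
    segs = [Segment(12, b"AUTH admin\r\n"), Segment(0, b"CONNECT v1\r\n"), Segment(24, b"CMD ls\r\n")]
    naive = walk_states(b"".join(s.payload for s in segs))  # arrival order, no reassembly
    return detect(segs), naive

if __name__ == "__main__":
    print(demo())  # ({'matched': True, 'states': 3, 'out_of_order': 1}, 1)
```

Examined in arrival order the stream satisfies only the first state; once reassembled, all three states are satisfied and the single out-of-order segment is reported alongside the match.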
Specification