Fast network security utilizing intrusion prevention systems

US 7,808,897 B1
Filed: 03/01/2006
Issued: 10/05/2010
Est. Priority Date: 03/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for providing intrusion protection for a unique packet flow of network data traffic, comprising the steps of:

receiving at a switch a first portion of the unique packet flow;

transmitting a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmitting a list of one or more packet flows to the intrusion prevention system that can be deleted from the table;

determining at the switch whether a second portion of the unique packet flow has previously been received at the switch;

in response to determining that the second portion of the unique packet flow has not been received at the switch, analyzing the first portion of the unique packet flow at the intrusion prevention system; and

in response to determining that the second portion of the unique packet flow has been received at the switch, checking a value of a single status field corresponding to the unique packet flow, and based on the value, performing one of;

blocking the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and

transmitting the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intrusion Prevention Systems (“IPSs”) are used to detect and/or prevent intrusion events from infiltrating a computer network. However, in large computer networks the IPSs cannot conduct their analysis on network data traffic quickly enough in the network core to meet the demand placed on them by the computer networks, thereby causing delays in the transmission of network data traffic from a source to a destination. To prevent this delay, the IPSs can be configured to intelligently communicate with a high-capacity network switch. The IPSs conduct the initial inspection of the network data traffic flows to determine if an intrusion event is present. However, after the initial inspection, the IPS can inform the switch of what actions to take for future traffic flows including determining which future traffic flows are inspected by the IPSs and which future traffic flows are allowed to be blocked or transmitted to their destination by the switch.

197 Citations

32 Claims

1. A computer-implemented method for providing intrusion protection for a unique packet flow of network data traffic, comprising the steps of:
- receiving at a switch a first portion of the unique packet flow;
  
  transmitting a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmitting a list of one or more packet flows to the intrusion prevention system that can be deleted from the table;
  
  determining at the switch whether a second portion of the unique packet flow has previously been received at the switch;
  
  in response to determining that the second portion of the unique packet flow has not been received at the switch, analyzing the first portion of the unique packet flow at the intrusion prevention system; and
  
  in response to determining that the second portion of the unique packet flow has been received at the switch, checking a value of a single status field corresponding to the unique packet flow, and based on the value, performing one of;
  
  blocking the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and
  
  transmitting the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the step of determining whether the second portion of the unique packet flow has previously been received at the switch further comprises the step of comparing packet flow information relating to the first portion of the unique packet flow to a plurality of packet flow information entries in a table corresponding to a plurality of previously received packet flows.
  - 3. The method of claim 2, wherein the step of comparing the packet flow information further comprises determining whether a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for the first portion of the unique packet flow matches a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for one of the plurality of packet flow information entries in the table corresponding to one of the plurality of previously received packet flows.
  - 4. The method of claim 1, further comprising a plurality of intrusion prevention systems, wherein the step of analyzing the first portion of the unique packet flow at an intrusion prevention system in response to determining that the second portion of the unique packet flow has not been received at the switch, further comprises the steps of:
    - assigning the unique packet flow to one of the plurality of intrusion prevention systems;
      
      assigning a packet flow number to the unique packet flow;
      
      gathering packet flow information for the first portion of the unique packet flow;
      
      determining whether the first portion of the unique packet flow contains a security violation; and
      
      assigning a status value to the unique packet flow.
  - 5. The method of claim 4, further comprising the steps of:
    - assigning an interest priority value for the unique packet flow; and
      
      assigning a global interest priority value at the switch.
  - 6. The method of claim 4, wherein the step of assigning the unique packet flow to one of the plurality of intrusion prevention systems, further comprises the steps of:
    - creating a hash value for the unique packet flow from the packet flow information;
      
      dividing the hash value for the unique packet flow by a number equal to the quantity of intrusion preventions systems that are available to analyze the unique packet flow; and
      
      assigning the unique packet flow with the switch to the intrusion prevention system associated with a remainder value resulting from the step of dividing the hash value.
  - 7. The method of claim 1, further comprising the steps of:
    - transmitting a flow qualification message relating to the unique packet flow from the intrusion prevention system to a table on the switch;
      
      transmitting the first portion of the unique packet flow from the intrusion prevention system to the switch; and
      
      performing an action on the first portion of the unique packet flow at the switch.
  - 8. The method of claim 7, wherein the step of performing an action on the first portion of the unique packet flow, further comprises one of:
    - blocking the first portion of the unique packet flow at the switch, andtransmitting the first portion of the unique packet flow from the switch to its intended destination.
  - 9. The method of claim 1, wherein the step of in response to determining that the second portion of the unique packet flow has been received at the switch, further comprises the option of:
    - analyzing the first portion of the unique packet flow at the intrusion prevention system.
  - 10. The method of claim 9, wherein the step of analyzing the first portion of the unique packet flow at the intrusion prevention system in response to determining that the second portion of the unique packet flow has been received at the switch, further comprises the steps of:
    - determining whether the first portion of the unique packet flow contains a security violation; and
      
      assigning a status value to the unique packet flow.
  - 11. The method of claim 10, further comprising the steps of:
    - assigning an interest priority value for the unique packet flow; and
      
      assigning a global priority value at the switch.
  - 12. The method of claim 10, further comprising the steps of:
    - transmitting a flow qualification message relating to the unique packet flow from the intrusion prevention system to a table on the switch;
      
      transmitting the first portion of the unique packet flow from the intrusion prevention system to the switch; and
      
      performing one of;
      
      blocking the first portion of the unique packet flow at the switch; and
      
      transmitting the first portion of the unique packet flow from the switch to its intended destination.
  - 13. The method of claim 1, further comprising the steps of:
    - determining which of the one or more packet flows to delete from the table on the switch based on the list of one or more packet flows received from the switch;
      
      transmitting a reset message to a source address and a destination address of the one or more packet flows that the intrusion prevention system has determined to delete; and
      
      transmitting an instruction message to the switch identifying which of the one or more packet flows to delete from the table.
  - 14. The method of claim 1, further comprising the steps of:
    - monitoring a current capacity of the intrusion prevention system for analyzing traffic flows; and
      
      adjusting a global priority value in response to the current capacity reaching a particular threshold.

15. A system for providing intrusion protection for a unique packet flow of network data traffic, comprising:
- a switch operative to;
  
  receive a first portion of the unique packet flow and determine whether a second portion of the unique packet flow has previously been received;
  
  transmit a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmit a list of one or more packet flows to the intrusion prevention system that can be deleted from the table; and
  
  in response to determining that the second portion of the unique packet flow has been received at the switch, check a value of a single status field corresponding to the unique packet flow, and based on the value, perform one of;
  
  block the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and
  
  transmit the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device; and
  
  one or more intrusion prevention systems operative to analyze the first portion of the unique packet flow in response to a determination that the second portion of the unique packet flow has not been previously received at the switch.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 16. The system of claim 15, wherein the switch is further operative to determine whether a second portion of the unique packet flow has previously been received by comparing packet flow information relating to the first portion of the unique packet flow to a plurality of packet flow information entries in a table corresponding to a plurality of previously received packet flows.
  - 17. The system of claim 16, wherein the switch is further operative to compare the packet flow information by determining whether a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for the first portion of the unique packet flow matches a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for one of the plurality of packet flow information entries in the table corresponding to one of the plurality of previously received packet flows.
  - 18. The system of claim 15, wherein the switch is further operative to assign the unique packet flow to one of the intrusion prevention systems.
  - 19. The system of claim 18 wherein the switch is further operative to assigning the unique packet flow to one of the plurality of intrusion prevention systems by:
    - creating a hash value for the unique packet flow from the packet flow information;
      
      dividing the hash value for the unique packet flow by a number equal to the quantity of intrusion preventions systems that are available to analyze the unique packet flow; and
      
      assigning the unique packet flow to one of the plurality of intrusion prevention systems associated with the remainder value from the step of dividing the hash value.
  - 20. The system of claim 15, wherein the one or more intrusion prevention systems are further operative to analyze the first portion of the unique packet flow in response to determining that the second portion of the unique packet flow has not been received at the switch by:
    - assigning a packet flow number to the unique packet flow;
      
      gathering packet flow information for the first portion of the unique packet flow;
      
      determining whether the first portion of the unique packet flow contains a security violation; and
      
      assigning a status value to the unique packet flow.
  - 21. The system of claim 20, wherein the intrusion prevention system is further operative to:
    - assign an interest priority value for the unique packet flow; and
      
      assign a global priority value at the switch.
  - 22. The system of claim 15, wherein the intrusion prevention system is further operative to:
    - transmit a flow qualification message relating to the unique packet flow to a table on the switch; and
      
      transmit the first portion of the unique packet flow to the switch.
  - 23. The system of claim 15, wherein the switch is further operative to perform an action on the first portion of the unique packet flow.
  - 24. The system of claim 23, wherein the switch is further operative to perform an action on the first portion of the unique packet flow by:
    - blocking the first portion of the unique packet flow, andtransmitting the first portion of the unique packet flow to its intended destination.
  - 25. The system of claim 15, wherein in response to a determination that the second portion of the unique packet flow has been previously received at the switch, the switch is further operative to:
    - transmit the first portion of the unique packet flow to the intrusion prevention system for analysis.
  - 26. The system of claim 25, wherein the intrusion prevention system is further operative to analyze the first portion of the unique packet flow in response to the determination that the second portion of the unique packet flow has been previously received at the switch by:
    - determining whether the first portion of the unique packet flow contains a security violation; and
      
      assigning a status value to the unique packet flow.
  - 27. The system of claim 26, wherein the intrusion prevention system is further operative to:
    - assign an interest priority value for the unique packet flow; and
      
      assign a global priority value at the switch.
  - 28. The system of claim 26, wherein the intrusion prevention system is further operative to:
    - transmit a flow qualification message relating to the unique packet flow to a table on the switch; and
      
      transmit the first portion of the unique packet flow to the switch.
  - 29. The system of claim 26, wherein the switch is further operative to perform one of:
    - blocking the first portion of the unique packet flow; and
      
      transmitting the first portion of the unique packet flow to its intended destination.
  - 30. The system of claim 15, wherein the intrusion prevention system is operative to:
    - determine which of the one or more packet flows to delete from the table on the switch based on the list of one or more packet flows received from the switch;
      
      transmit a reset message to a source address and a destination address of the one or more packet flows that the intrusion prevention system has determined to delete; and
      
      transmit an instruction message to the switch identifying which of the one or more packet flows to delete from the table.
  - 31. The system of claim 15, wherein the intrusion prevention system is further operative to:
    - monitor its current capacity for analyzing traffic flows;
      
      adjust a global priority value in response to the current capacity reaching a particular threshold; and
      
      transmit the global priority value to the switch.
  - 32. The system of claim 15, wherein the switch is further operative to:
    - monitor a traffic flow ratio of the intrusion prevention system; and
      
      adjust a global priority value in response to the traffic flow ratio of the intrusion prevention system reaching a particular threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LinkedIn Corporation (Microsoft Corporation)
Original Assignee
International Business Machines Corporation
Inventors
Graham, Robert David, Mehta, Neel
Primary Examiner(s)
Moe; Aung S
Assistant Examiner(s)
Mered; Habte

Application Number

US11/365,977
Time in Patent Office

1,679 Days
Field of Search

370/392, 370/401, 370/230, 370/235, 726 22- 25, 726 11- 15, 709/24, 709223-225, 713150-154, 713160-162, 713/169
US Class Current

370/230
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

Fast network security utilizing intrusion prevention systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

197 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Fast network security utilizing intrusion prevention systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links