Methods, systems, and products for intrusion detection

US 7,971,053 B2
Filed: 05/26/2004
Issued: 06/28/2011
Est. Priority Date: 05/26/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

a host computer system;

a peripheral card coupled to the host computer system, the peripheral card comprising a first interface to a first communications network and a second interface to a second communications network, the first interface comprising a first wireless communications portion and a processor managing the first wireless communications portion, the first wireless communications portion coupled to an antenna and configured for one-way communication to wirelessly receive data packets from the first communications network, the first wireless communications portion lacking a configuration to transmit data to the first communications network, the second interface interfacing with the second communications network; and

memory coupled to the peripheral card, the peripheral card storing the data packets in the memory, the peripheral card inspecting a header portion and a payload portion of each data packet and comparing the header portion and the payload portion to a set of rules stored in the memory; and

if the header portion and the payload portion satisfy the set of rules, then the peripheral card ignores a data packet, and if the header portion and the payload portion fail to satisfy the set of rules, then a failure signifies an intrusion event,wherein the first interface of the peripheral card reduces intrusion of the first communications network by preventing a download of the data packets from the first communications network and the second communications network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and products are disclosed for detecting an intrusion to a communications network. One embodiment describes a system for detecting intrusions. The system has a peripheral card coupled to a host computer system. The peripheral card has a communications portion and a processor managing the communications portion. The communications portion has only a capability for receiving data packets via a communications network. The communications portion lacks capability of transmitting the data packets via the communications network. The communications portion of the peripheral card reduces intrusion of the communications network.

229 Citations

18 Claims

1. A system, comprising:
- a host computer system;
  
  a peripheral card coupled to the host computer system, the peripheral card comprising a first interface to a first communications network and a second interface to a second communications network, the first interface comprising a first wireless communications portion and a processor managing the first wireless communications portion, the first wireless communications portion coupled to an antenna and configured for one-way communication to wirelessly receive data packets from the first communications network, the first wireless communications portion lacking a configuration to transmit data to the first communications network, the second interface interfacing with the second communications network; and
  
  memory coupled to the peripheral card, the peripheral card storing the data packets in the memory, the peripheral card inspecting a header portion and a payload portion of each data packet and comparing the header portion and the payload portion to a set of rules stored in the memory; and
  
  if the header portion and the payload portion satisfy the set of rules, then the peripheral card ignores a data packet, and if the header portion and the payload portion fail to satisfy the set of rules, then a failure signifies an intrusion event,wherein the first interface of the peripheral card reduces intrusion of the first communications network by preventing a download of the data packets from the first communications network and the second communications network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A system according to claim 1, further comprising a second peripheral card coupled to the host computer system, the second peripheral card comprising another communications portion configured only for one-way communication to transmit the data packets via the first communications network, the another communications portion lacking configuration of receiving the data packets via the first communications network, wherein the second peripheral card further reduces intrusion of the second communications network.
  - 3. A system according to claim 2, further comprising a third peripheral card coupled to the host computer system, the third peripheral card comprising a network interface portion to maintain a network connection between the second communications network and the host computer system.
  - 4. A system according to claim 1, further comprising an Intrusion Detection Module stored in the memory that triggers an intrusion alert when the header portion and the payload portion fail to satisfy the set of rules.
  - 5. A system according to claim 4, wherein the memory stores seven rules describing the following seven observations:
    - i) ad-hoc communications from a client device,ii) a mis-configured access point,iii) probing for a service set identifier of the second communications network,iv) a rogue access point,v) a rogue client device,vi) a rogue communications network, andvii) unauthorized conversation between the host communications system and the client device.
  - 6. A system according to claim 1, further comprising a dynamically configurable Intrusion Detection Module stored in the memory, the Intrusion Detection Module containing intrusion detection software that reloads a configuration file without rebooting the host computer system.
  - 7. A system according to claim 1, further comprising a second peripheral card coupled to the host computer system, the second peripheral card comprising a dynamically-available communications portion that is configured for a normally unavailable state, but when dynamically activated the second peripheral card configures for one-way communication to only transmit the data packets to the second communications network, the second peripheral card lacking configuration of receiving the data packets from the first communications network, the second peripheral card further reducing intrusion of the second communications network.

8. A method, comprising:
- coupling a host computer system to a peripheral card that comprises a first interface to a first communications network and a second interface to a second communications network, the first interface comprising a first wireless communications portion and a processor managing the communications portion, the first wireless communications portion configured for one-way communication to wirelessly receive data packets from the first communications network and lacking a configuration to transmit data to the first communications network;
  
  wirelessly receiving the data packets at an antenna coupled to the first wireless communications portion, the antenna wirelessly receiving the data packets from the first communications network;
  
  coupling the peripheral card to memory and storing the data packets in the memory;
  
  inspecting a header portion and a payload portion of each data packet and comparing the header portion and the payload portion to a set of rules stored in the memory;
  
  ignoring a data packet when the header portion and the payload portion satisfy the set of rules; and
  
  failing the data packet when the header portion and the payload portion fail to satisfy the set of rules, a failure signifying an intrusion event,wherein the first interface of the peripheral card reduces intrusion of the first communications network by preventing a download of the data packets from the first communications network and the second communications network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method according to claim 8, further comprising coupling a second peripheral card to the host computer system, the second peripheral card comprising another communications portion configured for one-way communication to only wirelessly transmit the data packets via the first communications network, the another communications portion lacking configuration to wirelessly receive the data packets via the first communications network, wherein the second peripheral card further reduces intrusion of the second communications network.
  - 10. The method according to claim 8, further comprising coupling a third peripheral card to the host computer system, the third peripheral card comprising a network interface portion to maintain a network connection between the first communications network and the host computer system.
  - 11. The method according to claim 8, further comprising triggering an intrusion alert when the header portion and the payload portion fail to satisfy the set of rules.
  - 12. The method according to claim 11, further comprising storing in the memory seven rules describing the following seven observations:
    - ad-hoc communications from a client device,a mis-configured access point,probing for a service set identifier of the first communications network,a rogue access point,a rogue client device,a rogue communications network, andunauthorized conversation between the host communications system and the client device.
  - 13. The method according to claim 8, further comprising dynamically configuring an Intrusion Detection Module stored in the memory, the Intrusion Detection Module containing intrusion detection software that reloads a configuration file without rebooting the host computer system.
  - 14. The method according to claim 8, further comprising coupling a second peripheral card to the host computer system, the second peripheral card comprising a dynamically-available communications portion, the second communications portion configured as having a normally unavailable state, but when dynamically activated the second peripheral card configures for one-way communication to only wirelessly transmit the data packets to the second communications network, the second peripheral card lacking configuration to wirelessly receive the data packets from the first communications network, the second peripheral card further reducing intrusion of the second communications network.

15. A computer program product storing processor executable instructions for performing a method, the method comprising:
- coupling a host computer system to a peripheral card comprising a first interface to a first communications network and a second interface to a second communications network, the first interface comprising a first wireless communications portion and a processor managing the first wireless communications portion, the first wireless communications portion configured for one-way communication to wirelessly receive data packets from the first communications network, the first wireless communications portion lacking a configuration to transmit data to the first communications network;
  
  wirelessly receiving the data packets at an antenna coupled to the first wireless communications portion, the antenna wirelessly receiving the data packets from the first communications network;
  
  coupling the peripheral card to memory and storing the data packets in the memory;
  
  inspecting a header portion and a payload portion of each data packet and comparing the header portion and the payload portion to a set of rules stored in the memory;
  
  ignoring a received data packet when the header portion and the payload portion satisfy the set of rules; and
  
  failing a data packet when the header portion and the payload portion fail to satisfy the set of rules, a failure signifying an intrusion event,wherein the first interface of the peripheral card reduces intrusion of the first communications network by preventing a download of the data packets from the first communications network and the second communications network.
- View Dependent Claims (16, 17, 18)
- - 16. A computer program product according to claim 15, further comprising storing instructions for seven rules describing the following seven observations:
    - ad-hoc communications from a client device,a mis-configured access point,probing for a service set identifier of the first communications network,a rogue access point,a rogue client device,a rogue communications network, andunauthorized conversation between the host communications system and the client device.
  - 17. A computer program product according to claim 15, further comprising storing instructions for detecting an unauthorized conversation involving i) a known host communicating with an unknown client and ii) a known client communicating with an unknown access point.
  - 18. A computer program product according to claim 15, further comprising storing instructions for triggering an intrusion alert when the header portion and the payload portion fail to satisfy the set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Prince, David, Gibson, Gary O Sr., Norton, Stephen Pancoast, Burchfield, Chris, Frataccia, Rick J.
Primary Examiner(s)
El Hady; Nabil M
Assistant Examiner(s)
Shaifer Harriman; Dant B

Application Number

US10/854,478
Publication Number

US 20050268337A1
Time in Patent Office

2,589 Days
Field of Search

713/201, 713/153, 713/154
US Class Current

713/153
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Methods, systems, and products for intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

229 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and products for intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links