Deep packet scan hacker identification
First Claim
1. A method comprising:
- receiving a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
- identifying, from the attribute portion of at least one of the plurality of data packets, an IP address of at least one source of said at least one of the plurality of data packets;
- storing, in a data structure, an indication that received packets associated with the IP address are to be scanned;
- identifying one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
- controlling access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
- selecting to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.
Abstract
Securing an accessible computer system typically includes receiving a data packet that includes a payload portion and an attribute portion, where the data packet is communicated between at least one access requestor and at least one access provider. At least the payload portion of the received data packet typically is monitored, where monitoring includes scanning the payload portion for at least one predetermined pattern. When the payload portion is determined to include at least one predetermined pattern, access by the access requestor to the access provider may be controlled. Monitoring the data packet may include scanning the payload portion while handling the data packet with a switch. Controlling access may include denying access by the access requestor to the access provider.
Claims (20 in total; the three independent claims are shown below, dependent claims 2-10 and 12-19 are not reproduced here)
1. A method comprising:
- receiving a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
- identifying, from the attribute portion of at least one of the plurality of data packets, an IP address of at least one source of said at least one of the plurality of data packets;
- storing, in a data structure, an indication that received packets associated with the IP address are to be scanned;
- identifying one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
- controlling access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
- selecting to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.

(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend on claim 1.)

11. A computing device, comprising:
- one or more processors; and
- memory storing instructions that, when executed by the one or more processors, cause the computing device to:
  - receive a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
  - identify from the attribute portion of at least one of the plurality of data packets an IP address of at least one source of said at least one of the plurality of data packets;
  - store, in a data structure, an indication that received data packets associated with the IP address are to be scanned;
  - identify one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
  - control access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
  - select to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.

(Dependent claims 12, 13, 14, 15, 16, 17, 18 and 19 depend on claim 11.)

20. One or more non-transitory computer-readable media storing instructions configured to, when executed by one or more computing devices, cause the one or more computing devices to:
- receive a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
- identify from the attribute portion of at least one of the plurality of data packets an IP address of at least one source of said at least one of the plurality of data packets;
- store, in a data structure, an indication that received data packets associated with the IP address are to be scanned;
- identify one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
- control access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
- select to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.
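The independent claims above and the abstract describe one procedure: take the source IP from a packet's attribute (header) portion, record in a data structure that this source is to be scanned, scan the payload portion for predetermined patterns, keep a running count per source, deny access once the count exceeds a threshold, and then decide whether the scan indication stays in the data structure or is removed. The following Python model is an added illustration written for this page; it is not code from the patent or from any product that practises it. It assumes the simplest reading of the last claim element (once a source is blocked, its scan entry is removed because its packets are dropped before scanning; sources under the threshold keep their entry), treats "exceeds" as strictly greater than, and uses a constructed packet sequence and a small set of illustrative byte patterns in place of a real signature set.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    """Decision taken while the packet is in the forwarding path (e.g. a switch)."""
    FORWARD = "forward"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    """A packet reduced to its two claimed parts: the attribute portion (here
    only the source IP stands in for the header) and the payload portion."""
    src_ip: str
    payload: bytes


def count_patterns(payload: bytes, patterns: Tuple[bytes, ...]) -> int:
    """Return how many occurrences of the predetermined patterns the payload
    contains (non-overlapping, case-insensitive)."""
    data = payload.lower()
    return sum(data.count(p) for p in patterns)


@dataclass
class PayloadScanner:
    patterns: Tuple[bytes, ...]   # predetermined patterns (lowercase bytes)
    threshold: int                # access is denied once matches exceed this
    # The claimed "data structure": presence of an IP means its packets are to
    # be scanned; the value is the running count of pattern matches.
    watched: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)   # sources denied access

    def handle(self, pkt: Packet) -> Action:
        ip = pkt.src_ip                    # identified from the attribute portion
        if ip in self.blocked:
            return Action.DROP             # access already denied: no scan needed
        self.watched.setdefault(ip, 0)     # store the indication "scan this IP"
        self.watched[ip] += count_patterns(pkt.payload, self.patterns)
        if self.watched[ip] > self.threshold:
            self.blocked.add(ip)           # control access: deny the source
            del self.watched[ip]           # remove the indication from the structure
            return Action.DROP
        return Action.FORWARD              # maintain the indication, keep scanning


# Illustrative patterns (assumed, not the patent's): a traversal marker, an HTML
# script tag opener and a SQL keyword pair, all lowercase for the scanner.
PATTERNS: Tuple[bytes, ...] = (b"../", b"<script", b"union select")

# Constructed sample traffic (documentation ranges, not a real capture).
SAMPLE_PACKETS: List[Packet] = [
    Packet("198.51.100.7", b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.9", b"GET /../../private HTTP/1.1\r\n"),
    Packet("203.0.113.9", b"GET /?q=<script>alert(1)</script> HTTP/1.1\r\n"),
    Packet("198.51.100.7", b"GET /about.html HTTP/1.1\r\n"),
    Packet("203.0.113.9", b"GET /search?q=' UNION SELECT 1 HTTP/1.1\r\n"),
    Packet("203.0.113.9", b"GET /index.html HTTP/1.1\r\n"),
]


def run_sample() -> Tuple[PayloadScanner, List[Action]]:
    """Run the constructed traffic through a scanner with threshold 2 and
    return the scanner state plus the per-packet decisions."""
    scanner = PayloadScanner(patterns=PATTERNS, threshold=2)
    actions = [scanner.handle(p) for p in SAMPLE_PACKETS]
    return scanner, actions


if __name__ == "__main__":
    scanner, actions = run_sample()
    for pkt, act in zip(SAMPLE_PACKETS, actions):
        print(f"{pkt.src_ip:<14} {act.value:<8} {pkt.payload!r}")
    print("blocked:", sorted(scanner.blocked))
    print("still watched:", scanner.watched)
```

With threshold 2, the second packet from 203.0.113.9 contributes two matches (the two `../` segments) and is still forwarded; the third packet pushes the count to three, so the source is blocked, its entry leaves the watch structure, and its later packets are dropped without being scanned. Two caveats a practitioner would raise against such a per-packet design: a pattern split across two TCP segments is missed unless the stream is reassembled before scanning, and a threshold keyed only on source IP will also block legitimate users behind the same NAT address, so the threshold and pattern set need to be tuned against real traffic before access is denied automatically.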