Deep packet scan hacker identification

US 8,645,537 B2
Filed: 07/29/2011
Issued: 02/04/2014
Est. Priority Date: 08/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;

identifying, from the attribute portion of at least one of the plurality of data packets, an IP address of at least one source of said at least one of the plurality of data packets;

storing, in a data structure, an indication that received packets associated with the IP address are to be scanned;

identifying one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;

controlling access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and

selecting to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securing an accessible computer system typically includes receiving a data packet that includes a payload portion and an attribute portion, where the data packet is communicated between at least one access requestor and at least one access provider. At least the payload portion of the received data packet typically is monitored, where monitoring includes scanning the payload portion for at least one predetermined pattern. When the payload portion is determined to include at least one predetermined pattern, access by the access requestor to the access provider may be controlled. Monitoring the data packet may include scanning the payload portion while handling the data packet with a switch. Controlling access may include denying access by the access requestor to the access provider.

112 Citations

20 Claims

1. A method comprising:
- receiving a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
  
  identifying, from the attribute portion of at least one of the plurality of data packets, an IP address of at least one source of said at least one of the plurality of data packets;
  
  storing, in a data structure, an indication that received packets associated with the IP address are to be scanned;
  
  identifying one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
  
  controlling access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
  
  selecting to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein controlling access of the at least one source to the computer system comprises denying access of the at least one source to the computer system when the quantity of the one or more predetermined patterns is higher than the threshold and the IP address is not included in an access list.
  - 3. The method of claim 1, wherein controlling access of the at least one source to the computer system comprises allowing access of the at least one source to the computer system when the IP address is included in an access list.
  - 4. The method of claim 1, wherein controlling access of the at least one source to the computer system comprises allowing access of the at least one source to the computer system when the quantity of the one or more predetermined patterns is lower than the threshold and the IP address is not included in an exclusion list.
  - 5. The method of claim 1, wherein controlling access of the at least one source to the computer system comprises denying access of the at least one source to the computer system when the IP address is included in an exclusion list.
  - 6. The method of claim 1, further comprising:
    - scanning at least one additional payload portion of the plurality of data packets, each of said at least one additional payload portion being associated with one IP address that is different from the IP address; and
      
      controlling access of at least one different source to the computer system based on scanning the at least one additional payload portion, each of the at least one different source being associated with said one IP address.
  - 7. The method of claim 1, wherein removing from the data structure the indication that received packets are to be scanned includes removing IP address from a table when the quantity of the one or more predetermined patterns is lower than the threshold.
  - 8. The method of claim 7, further comprising:
    - scanning one or more payload portions associated with remaining IP addresses in the table, wherein the remaining IP addresses are associated with one or more remaining sources; and
      
      controlling access of the one or more remaining sources to the computer system based on scanning the one or more payload portions associated with remaining IP addresses in the table.
  - 9. The method of claim 2, wherein denying access of the at least one source to the computer system comprises at least one of:
    - decreasing available bandwidth for communications from the at least one source;
      
      rerouting communications from the at least one source;
      
      ordenying communications from the at least one source for a configurable period of time.
  - 10. The method of claim 5, wherein denying access of the at least one source to the computer system comprises at least one of:
    - decreasing available bandwidth for communications from the at least one source;
      
      rerouting communications from the at least one source;
      
      ordenying communications from the at least one source for a configurable period of time.

11. A computing device, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the computing device to;
  
  receive a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
  
  identify from the attribute portion of at least one of the plurality of data packets an IP address of at least one source of said at least one of the plurality of data packets;
  
  store, in a data structure, an indication that received data packets associated with the IP address are to be scanned;
  
  identify one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
  
  control access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
  
  select to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computing device of claim 11, wherein controlling access of the at least one source to the computer system comprises denying access of the at least one source to the computer system when the quantity of the one or more predetermined patterns is higher than the threshold and the IP address is not included in an access list.
  - 13. The computing device of claim 11, wherein controlling access of the at least one source to the computer system comprises allowing access of the at least one source to the computer system when the IP address is included in an access list.
  - 14. The computing device of claim 11, wherein controlling access of the at least one source to the computer system comprises allowing access of the at least one source to the computer system when the quantity of the one or more predetermined patterns is lower than the threshold and the IP address is not included in an exclusion list.
  - 15. The computing device of claim 11, wherein controlling access of the at least one source to the computer system comprises denying access of the at least one source to the computer system when the IP address is included in an exclusion list.
  - 16. The computing device of claim 11, wherein the instructions, when executed by the one or more processors, further cause the computing device to:
    - scan at least one additional payload portion of the plurality of data packets, each of said at least one additional payload portion being associated with one IP address that is different from the IP address; and
      
      control access of at least one different source to the computer system based on scanning the at least one additional payload portion, each of the at least one different source being associated with said one IP address.
  - 17. The computing device of claim 11, wherein removing from the data structure the indication that received packets are to be scanned includes removing the IP address from a table when the quantity of the one or more predetermined patterns is lower than the threshold.
  - 18. The computing device of claim 17, wherein the instructions, when executed by the one or more processors, further cause the computing device to:
    - scan one or more payload portions associated with remaining IP addresses in the table, wherein the remaining IP addresses are associated with one or more remaining sources; and
      
      control access of the one or more remaining sources to the computer system based on scanning the one or more payload portions associated with remaining IP addresses in the table.
  - 19. The computing device of claim 12, wherein denying access of the at least one source to the computer system comprises at least one of:
    - decreasing available bandwidth for communications from the at least one source;
      
      rerouting communications from the at least one source;
      
      ordenying communications from the at least one source for a configurable period of time.

20. One or more non-transitory computer-readable media storing instructions configured to, when executed by one or more computing devices, cause the one or more computing devices to:
- receive a plurality of data packets communicated to an access provider for a computer system, each data packet including a payload portion and an attribute portion;
  
  identify from the attribute portion of at least one of the plurality of data packets an IP address of at least one source of said at least one of the plurality of data packets;
  
  store, in a data structure, an indication that received data packets associated with the IP address are to be scanned;
  
  identify one or more predetermined patterns at least by scanning at least one payload portion of the plurality of data packets, each of said at least one payload portion being associated with the IP address;
  
  control access of the at least one source to the computer system based on whether a quantity of the one or more predetermined patterns exceeds a threshold; and
  
  select to remove from the data structure or maintain in the data structure the indication that received packets associated with the IP address are to be scanned, said selecting being based on whether the quantity of the one or more predetermined patterns exceeds the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Jacoby, Brian, Wright, Christopher J.
Primary Examiner(s)
BOUTAH, ALINA A

Application Number

US13/193,996
Publication Number

US 20110289559A1
Time in Patent Office

921 Days
Field of Search

709223-225, 709/227, 709217-219, 726/3
US Class Current

709/225
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/1416   Event detection, e.g. attac...

Deep packet scan hacker identification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Deep packet scan hacker identification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links