WO2006037809A1 - Offline analysis of packets - Google Patents


Info

Publication number
WO2006037809A1
Authority
WO
WIPO (PCT)
Prior art keywords
packets
receiving
symptom
symptoms
analyzer
Application number
PCT/EP2005/055096
Other languages
French (fr)
Inventor
Foaad Khosmood
Ognjen Petrovic
Jeremy Matthew Savoy
Duncan Allen Woods
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited
Priority to DE602005020045T (DE602005020045D1)
Priority to AT05801396T (ATE461578T1)
Priority to CN2005800339787A (CN101036369B)
Priority to EP05801396A (EP1805963B1)
Publication of WO2006037809A1

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 - Network architectures or network communication protocols for network security
    • H04L63/02 - Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 - Filtering policies
    • H04L63/0263 - Rule management
    • H04L63/14 - Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 - Countermeasures against malicious traffic
    • H04L63/1458 - Denial of Service

Definitions

  • An embodiment of the invention generally relates to computers.
  • An embodiment of the invention generally relates to offline analysis of packets for network security.
  • Computer systems typically include a combination of hardware components (such as semiconductors, integrated circuits, programmable logic devices, programmable gate arrays, power supplies, electronic card assemblies, sheet metal, cables, and connectors) and software, also known as computer programs.
  • Hardware components: semiconductors, integrated circuits, programmable logic devices, programmable gate arrays, power supplies, electronic card assemblies, sheet metal, cables, and connectors.
  • Software: also known as computer programs.
  • Denial-of-service attack: In a denial-of-service attack, an intruder attempts to prevent legitimate users or organizations from accessing information, resources, or services that they would normally expect to have. Typically, the loss of service is the unavailability of a particular network service, such as e-mail, or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation.
  • a denial-of-service attack may also destroy programming and files in a computer system, may cause system slowdowns or crashes, or may disrupt access to important online accounts, e.g., a banking account. Although often intentional and malicious, a denial-of-service attack can sometimes happen accidentally, although the destructive effect may still be the same. Denial-of-service attacks do not necessarily result in the theft of information or other security loss. Nevertheless, these attacks may still cost the target user or organization a great deal of time and money.
  • Another type of denial-of-service attack occurs when an attacker uses spam email messages to launch an attack on a target user's email account. Whether users have an email account supplied by their employers or one available through a free service such as Yahoo or Hotmail, each user is assigned a specific quota, which limits the amount of data the user is allowed to have in the account at any given time. By sending many, or large, email messages to the account, an attacker can consume the user's quota, preventing the receipt of legitimate messages.
  • Another type of denial-of-service attack is often referred to as a "buffer overflow attack," in which an attacker sends more traffic to a network address than the programmers who planned its data buffers anticipated someone might send.
  • the attacker may be aware that the target system has a weakness that can be exploited, or the attacker may simply try a variety of types of attacks until one is found that works.
  • A few of the better-known attacks based on the buffer characteristics of a program or system include: sending e-mail messages that have attachments with long file names, sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (ping) of death), or sending email with a long "From" address.
  • ICMP: Internet Control Message Protocol.
  • SYN Attack: Another type of denial-of-service attack is often referred to as a "SYN Attack."
  • TCP: Transport Control Program (also expanded below as Transmission Control Protocol).
  • Server: When a session is initiated between the Transport Control Program (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session.
  • the session-establishing packets include a SYN field, which identifies the sequence in the message exchange.
  • An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer, which reduces the buffer space that the server can use to accommodate other, legitimate connection requests.
  • Although the server drops the packet in the buffer after a certain period of time without a reply, the effect of many of these false connection requests is to slow the speed at which the server can establish legitimate requests for a session.
  • IP: Internet Protocol.
  • The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system.
  • The attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
  • TCP: Transmission Control Protocol.
  • Smurf attack: Another type of denial-of-service attack is often referred to as a "smurf attack," in which the attacker sends an IP ping (or "echo my message back to me") request to a target server.
  • IP ping: an "echo my message back to me" request.
  • the ping packet instructs the receiving server to broadcast the ping packet to a number of hosts within the receiving server's local network.
  • the packet also indicates that the request is from another site, the target site that is to receive the denial-of-service. (Sending a packet with someone else's return address in it is called spoofing the return address.)
  • the result is many ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.
  • Denial-of-service attacks may also be distributed, in which an attacker may use the computer of an unsuspecting user to attack another computer.
  • an attacker could take control of the computers belonging to multiple unsuspecting users. The attacker then forces these computers to send large amounts of data to a web site or to send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers to launch the denial-of-service attack.
  • the firewall takes its name from the physical building structure that stops the spread of fire from one location to another.
  • a firewall in computer terms is hardware and/or software that stops an attack from entering the computer.
  • the firewall typically examines incoming packets of data from a network and filters the malicious packets.
  • firewalls have additional problems in that they may create false attack alarms due to an incomplete and inaccurate attack detection mechanism. The reason for many false alarms lies in insufficient packet analysis. Further, in existing firewalls, the packet detection process is often too tightly coupled with the network stack processing and packet filtering. For example, if the detection process has the same execution priority as the filtering process, this imposes a resource (e.g., CPU, memory) restriction on the complexity of attack detection.
  • Resource: e.g., CPU, memory.
  • One technique for attempting to address the problem of attack detection and analysis is to use fast hardware implementation. Unfortunately, the hardware-based solutions are usually costly to manufacture. Without a better way to detect and respond to denial-of-service attacks, users will continue to suffer from either reduced attack detection effectiveness or degraded throughput and false alarms.
  • A method, apparatus, system, and signal-bearing medium are provided that, in an embodiment, filter packets received from a network based on rules.
  • The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets.
  • The remaining subset is copied to a destination.
  • The rules are created offline, in a lower priority process than the filtering and copying, by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order in which the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample.
  • The symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, receiving a packet with an invalid header flag, and receiving a threshold number of the packets within a time period that contain a sequence flag. In this way, firewall throughput performance is increased.
  • The present invention provides a signal-bearing medium encoded with instructions, wherein the instructions when executed comprise: filtering packets based on at least one rule, wherein the filtering discards a first subset of the packets based on the rule and keeps a remaining subset of the packets; creating a sample of the remaining subset; detecting whether each of a plurality of symptoms exists in the sample; changing an order of execution of the detecting whether each of the plurality of symptoms exists based on a frequency of each of the plurality of symptoms in the sample; and determining the at least one rule based on the detecting, wherein the detecting and the determining execute in a different process from the filtering and the creating.
  • The signal-bearing medium can further comprise: copying the remaining subset to a destination.
  • The copying instruction further comprises: copying the remaining subset to the destination in a same process as the filtering and the creating.
  • The symptom comprises: receiving a threshold number of ping packets within a time period or receiving a threshold number of broadcast packets within a time period.
  • The symptom may also comprise: receiving one of the packets with an invalid source address.
  • The symptom may also comprise: receiving one of the packets with an invalid header flag.
  • The symptom may also comprise: receiving a threshold number of the packets that contain a sequence flag within a time period.
  • The different process has a lower priority than the filtering and the creating.
  • A computer system comprising: a processor; and a network interface comprising a plurality of analyzer modules, wherein the plurality of analyzer modules detect a plurality of respective symptoms in packets and create a plurality of respective rules based on the plurality of symptoms, a filter module that filters the packets based on the plurality of rules, wherein the plurality of analyzer modules execute offline from the filter module, and a sampling module that sends the filtered packets to an application that executes on the processor and that sends a sample of the filtered packets to the plurality of analyzer modules.
  • The plurality of analyzer modules execute in an order, and one of the plurality of analyzer modules reprioritizes the order based on a presence or absence of one of the plurality of symptoms.
  • A priority of the one analyzer module is increased if the one symptom is present, and the order is based on the priority.
  • A priority of the one analyzer module is decreased if the one symptom is absent, and the order is based on the priority.
  • One of the plurality of analyzer modules periodically removes the respective rule from the filter module.
  • The one of the plurality of analyzer modules periodically removes the respective rule from the filter module based on a time threshold.
  • The one of the plurality of analyzer modules periodically removes the respective rule from the filter module based on a number of the packets that met the respective rule and were discarded.
  • The sampling module creates a subset of the filtered packets, and the analyzer module analyzes the subset.
  • The present invention provides a method for configuring a computer, comprising: configuring the computer to filter packets based on a rule; configuring the computer to analyze the filtered packets for a symptom; and configuring the computer to create the rule based on the symptom, wherein the filtered packets are analyzed and the rule is created offline from the filtering of the packets.
  • Fig. 1 depicts a block diagram of an example system for implementing an embodiment of the invention
  • Fig. 2 depicts a block diagram of select components of the example system, according to an embodiment of the invention
  • Fig. 3 depicts a block diagram showing the flow of packets in the example system, according to an embodiment of the invention
  • Fig. 4 depicts a flowchart of example processing for a filter module, according to an embodiment of the invention
  • Fig. 5 depicts a flowchart of example processing for a sampling module, according to an embodiment of the invention
  • Fig. 6 depicts a flowchart of example processing for an analyzer module, according to an embodiment of the invention.
  • Fig. 7 depicts a flowchart of example further processing for the analyzer module, according to an embodiment of the invention.
  • Fig. 1 depicts a high-level block diagram representation of a computer system 100 connected to a network 130, according to an embodiment of the present invention.
  • The major components of the computer system 100 include one or more processors 101, main memory 102, a terminal interface 111, a storage interface 112, an I/O (Input/Output) device interface 113, and communications/network interfaces 114 (in an embodiment, a firewall), all of which are coupled for inter-component communication via a memory bus 103, an I/O bus 104, and an I/O bus interface unit 105.
  • the computer system 100 contains one or more general-purpose programmable central processing units (CPUs) 101A, 101B, 101C, and 101D, herein generically referred to as the processor 101.
  • the computer system 100 contains multiple processors typical of a relatively large system; however, in another embodiment, the computer system 100 may alternatively be a single CPU system.
  • Each processor 101 executes instructions stored in the main memory 102 and may include one or more levels of on-board cache.
  • Each processor 101 may be implemented as a single-threaded processor, or as a multithreaded processor.
  • each hardware thread in a multithreaded processor is treated like an independent processor by the software resident in the computer 100.
  • a single-threaded processor will be considered to incorporate a single hardware thread, i.e., a single independent unit of execution.
  • software-based multithreading or multitasking may be used in connection with both single-threaded and multithreaded processors to further support the parallel performance of multiple tasks in the computer 100.
  • the main memory 102 is a random-access semiconductor memory for storing data and programs.
  • the main memory 102 is conceptually a single monolithic entity, but in other embodiments, the main memory 102 is a more complex arrangement, such as a hierarchy of caches and other memory devices.
  • memory may exist in multiple levels of caches, and these caches may be further divided by function, so that one cache holds instructions while another holds non-instruction data, which is used by the processor or processors.
  • Memory may further be distributed and associated with different CPUs or sets of CPUs, as is known in any of various so-called non-uniform memory access (NUMA) computer architectures.
  • NUMA: non-uniform memory access.
  • the main memory 102 includes an operating system 150, which is software that controls the allocation and usage of hardware resources of the computer system 100 among various applications, processes, or threads, such as processing time of the processor 101, the memory 102, disk space, and peripheral devices.
  • the operating system 150 is typically the foundation on which applications are built. In various embodiments, the operating system 150 may be implemented by OS/400, UNIX, AIX, or any other appropriate operating system.
  • the operating system 150 includes instructions capable of executing on the processor 101 or statements capable of being interpreted by instructions that execute on the processor 101.
  • The computer system 100 may use virtual addressing mechanisms that allow the programs of the computer system 100 to behave as if they only have access to a large, single storage entity instead of access to multiple, smaller storage entities. Thus, while the operating system 150 is illustrated as being contained within the memory 102 in the computer system 100, portions of the operating system 150 are not necessarily all completely contained in the same storage device at the same time.
  • the main memory 102 further includes an application or applications 152.
  • the application is a destination or recipient of packets of data received from the network 130.
  • Although the application 152 is illustrated in Fig. 1 as being separate from the operating system 150, in another embodiment they are packaged together or are one and the same.
  • the memory bus 103 provides a data communication path for transferring data among the processors 101, the main memory 102, and the I/O bus interface unit 105.
  • the I/O bus interface unit 105 is further coupled to the system I/O bus 104 for transferring data to and from the various I/O units.
  • the I/O bus interface unit 105 communicates with multiple I/O interface units 111, 112, 113, and 114, which are also known as I/O processors (IOPs) or I/O adapters (IOAs), through the system I/O bus 104.
  • the system I/O bus 104 may be, e.g., an industry standard PCI (Peripheral Component Interconnect) bus, or any other appropriate bus technology.
  • the I/O interface units support communication with a variety of storage and I/O devices.
  • the terminal interface unit 111 supports the attachment of one or more user terminals 121, 122, 123, and 124.
  • The storage interface unit 112 supports the attachment of one or more direct access storage devices (DASD) 125, 126, and 127 (which are typically rotating magnetic disk drive storage devices, although they could alternatively be other devices, including arrays of disk drives configured to appear as a single large storage device to a host).
  • DASD: direct access storage devices.
  • the contents of the DASD 125, 126, and 127 may be loaded from and stored to the memory 102 as needed.
  • the storage interface unit 112 may also support other types of devices, such as a tape device 131, an optical device, or any other type of storage device.
  • the I/O and other device interface 113 provides an interface to any of various other input/output devices or devices of other types. Two such devices, the printer 128 and the fax machine 129, are shown in the exemplary embodiment of Fig. 1, but in other embodiments, many other such devices may exist, which may be of differing types.
  • the network interface 114 provides one or more communications paths from the computer system 100 to other digital devices and computer systems; such paths may include, e.g., one or more networks 130.
  • The network interface 114 may be implemented via a firewall, a router, a modem, a LAN (Local Area Network) card, a virtual LAN card, an Internet Service Provider (ISP), a personal computer or any other appropriate network interface or combination of network interfaces. Selected components of the network interface 114 are further described below with reference to Fig. 2.
  • Although the memory bus 103 is shown in Fig. 1 as a relatively simple, single bus structure providing a direct communication path among the processors 101, the main memory 102, and the I/O bus interface 105, in fact the memory bus 103 may comprise multiple different buses or communication paths, which may be arranged in any of various forms, such as point-to-point links in hierarchical, star or web configurations, multiple hierarchical buses, parallel and redundant paths, etc.
  • Although the I/O bus interface 105 and the I/O bus 104 are shown as single respective units, the computer system 100 may, in fact, contain multiple I/O bus interface units 105 and/or multiple I/O buses 104. While multiple I/O interface units are shown, which separate the system I/O bus 104 from various communications paths running to the various I/O devices, in other embodiments, some or all of the I/O devices are connected directly to one or more system I/O buses.
  • The computer system 100 depicted in Fig. 1 has multiple attached terminals 121, 122, 123, and 124, such as might be typical of a multi-user "mainframe" computer system. Typically, in such a case the actual number of attached devices is greater than those shown in Fig. 1, although the present invention is not limited to systems of any particular size.
  • The computer system 100 may alternatively be a single-user system, typically containing only a single user display and keyboard input, or might be a server or similar device which has little or no direct user interface, but receives requests from other computer systems (clients).
  • The computer system 100 may be implemented as a firewall, router, Internet Service Provider (ISP), personal computer, portable computer, laptop or notebook computer, PDA (Personal Digital Assistant), tablet computer, pocket computer, telephone, pager, automobile, teleconferencing system, appliance, or any other appropriate type of electronic device.
  • ISP: Internet Service Provider.
  • PDA: Personal Digital Assistant.
  • the network 130 may be any suitable network or combination of networks and may support any appropriate protocol suitable for communication of data and/or code to/from the computer system 100.
  • the network 130 may represent a storage device or a combination of storage devices, either connected directly or indirectly to the computer system 100.
  • the network 130 may support Infiniband.
  • the network 130 may support wireless communications.
  • the network 130 may support hard-wired communications, such as a telephone line, cable, or bus.
  • the network 130 may support the Ethernet IEEE (Institute of Electrical and Electronics Engineers) 802.3x specification.
  • The network 130 may be the Internet and may support IP (Internet Protocol).
  • The network 130 may be a local area network (LAN) or a wide area network (WAN).
  • the network 130 may be a hotspot service provider network.
  • the network 130 may be an intranet.
  • the network 130 may be a GPRS (General Packet Radio Service) network.
  • the network 130 may be a FRS (Family Radio Service) network.
  • the network 130 may be any appropriate cellular data network or cell-based radio network technology.
  • The network 130 may be an IEEE 802.11B wireless network.
  • the network 130 may be any suitable network or combination of networks. Although one network 130 is shown, in other embodiments any number of networks (of the same or different types) may be present.
  • Fig. 1 is intended to depict the representative major components of the computer system 100 and the network 130 at a high level; individual components may have greater complexity than represented in Fig. 1, components other than, fewer than, or in addition to those shown in Fig. 1 may be present, and the number, type, and configuration of such components may vary.
  • Some such additional complexity or additional variations are disclosed herein, it being understood that these are by way of example only and are not necessarily the only such variations. Indeed, other alternative hardware and/or software environments may be used without departing from the scope of the invention.
  • Fig. 2 depicts a block diagram of select components of the example system, according to an embodiment of the invention.
  • the example system includes the computer system 100 (acting as a server) , the firewall 114, and the network 130, all previously described above with reference to Fig. 1.
  • the major components of the firewall 114 include a processor 201 and main memory 202, which are coupled for inter-component communication via a memory bus 203, an I/O bus 204, and an I/O bus interface unit 205.
  • the processor 201 executes instructions stored in the main memory 102, may include one or more levels of on-board cache, and is analogous to the processor 101, as previously described above with reference to Fig. 1.
  • the main memory 202 is a random-access semiconductor memory for storing data and programs and is analogous to the description of the main memory 102 in Fig. 1, as previously described above.
  • the main memory 202 may be read-only, read-write, volatile, or non-volatile.
  • the main memory 202 includes a sampling module 250, a filter module 252, and an analyzer module 254. Although the sampling module 250, the filter module 252, and the analyzer module 254 are illustrated as being contained within the memory 202 in the firewall 114, in other embodiments, some or all of them may be on different electronic devices and may be accessed remotely.
  • Although the sampling module 250, the filter module 252, and the analyzer module 254 are all illustrated as being contained within the memory 202 in the firewall 114, these elements are not necessarily all completely contained in the same storage device at the same time. In various embodiments, some or all of the sampling module 250, the filter module 252, and the analyzer module 254 may be burned into the memory 202, loaded from the server 100, received via the network 130, or loaded from an unillustrated secondary storage device. The functions of the sampling module 250, the filter module 252, and the analyzer module 254 and the flow of packets between the sampling module 250, the filter module 252, and the analyzer module 254 are further described below with reference to Fig. 3.
  • the memory bus 203 provides a data communication path for transferring data among the processor 201, the main memory 202, and the I/O bus interface unit 205.
  • the I/O bus interface unit 205 is further coupled to the system I/O bus 204 for transferring data to and from the various I/O units.
  • the I/O bus interface unit 205 communicates with the server 100 and the network 130 through the system I/O bus 204.
  • the system I/O bus 204 may be, e.g., an industry standard PCI (Peripheral Component Interconnect) bus, or any other appropriate bus technology.
  • Fig. 2 is intended to depict the representative major components of the firewall 114 and its relationship to the server 100 and the network 130 at a high level; individual components may have greater complexity than represented in Fig. 2, components other than, fewer than, or in addition to those shown in Fig. 2 may be present, and the number, type, and configuration of such components may vary.
  • Some such additional complexity or additional variations are disclosed herein, it being understood that these are by way of example only and are not necessarily the only such variations.
  • The various software components illustrated in Fig. 2 and implementing various embodiments of the invention may be implemented in a number of manners, including using various computer software applications, routines, components, programs, objects, modules, data structures, etc., referred to hereinafter as "computer programs," or simply "programs."
  • the computer programs typically comprise one or more instructions that are resident at various times in various memory and storage devices in the firewall 114, and that, when read and executed by one or more processors 201 in the firewall 114, cause the firewall 114 to perform the steps necessary to execute steps or elements embodying the various aspects of an embodiment of the invention.
  • A non-rewriteable storage medium, e.g., a read-only memory device attached to or within a computer system, such as a CD-ROM, DVD-R, or DVD+R;
  • Alterable information stored on a rewriteable storage medium, e.g., a hard disk drive, CD-RW, DVD-RW, DVD+RW, DVD-RAM, or diskette; or
  • A communications medium, such as through a computer or a telephone network, e.g., the network 130, including wireless communications.
  • Such signal-bearing media when carrying machine-readable instructions that direct the functions of the present invention, represent embodiments of the present invention.
  • exemplary environments illustrated in Fig. 2 are not intended to limit the present invention. Indeed, other alternative hardware and/or software environments may be used without departing from the scope of the invention.
  • Fig. 3 depicts a block diagram showing the flow of packets in the example system of the firewall 114 connected to the server 100 and the network 130, according to an embodiment of the invention.
  • the filter module 252 receives a data stream of packets from the network 130 and filters the received data stream of packets based on rules, which are received from the analyzer module 254. If a received packet meets one of the rules, i.e., the received packet displays symptoms indicative of an attack by an intruder, the filter module 252 discards the packet. In various embodiments, the filter module 252 may discard the packet by moving it to a virtual trash bin or log, where it may be interrogated later if desired, or the filter module 252 may simply delete or overwrite the packet with other data, such as another packet received later.
  • If the received packet does not meet any of the rules, the filter module 252 forwards it to the sampling module 250.
  • The filter module 252 thus filters packets based on at least one rule, discards a subset of the packets based on the rules, and forwards a remaining subset of the packets.
  • the functions of the filter module 252 are further described below with reference to Fig. 4.
  • the sampling module 250 receives the remaining subset of the packets from the filter module 252 and then copies the remaining subset to a destination, such as the application 152, in the server 100.
  • the sampling module 250 further copies a sample of the remaining subset of the received packets to the analyzer module 254. Any appropriate sampling rate may be used.
  • the sampled packets that the sampling module 250 sends to the analyzer module 254 are a further subset of the packets that the sampling module 250 receives from the filter module 252.
  • the functions of the sampling module 250 are further described below with reference to Fig. 5.
  • the analyzer module 254 receives the sampled packets from the sampling module 250 at the sampling rate and analyzes the sampled packets for symptoms of an attack from an intruder.
  • the analyzer module 254 executes offline from the sampling module 250 and the filter module 252, meaning that the analyzer module 254 executes in a different thread, process, or job.
  • the analyzer module 254 executes at a lower priority than the filter module 252 and the sampling module 250, so as to lessen any performance impact on the functions of the filter module 252 and the sampling module 250.
  • the functions of the analyzer module 254 are further described below with reference to Figs. 6 and 7.
  • Fig. 4 depicts a flowchart of example processing for the filter module 252, according to an embodiment of the invention.
  • Control begins at block 400.
  • Control then continues to block 405 where the filter module 252 receives a packet from the network 130.
  • Control then continues to block 410 where the filter module 252 determines whether the received packet meets a rule or rules, which the filter module 252 has previously received from the analyzer module 254 (further described below with reference to Fig. 7). If the determination at block 410 is true, then the received packet meets the rule or rules, so control continues to block 415 where the filter module 252 rejects and discards the packet and updates statistical counters that track the packets that met the rule and were discarded. The statistical counters are used as further described below with reference to Fig. 7. Control then returns to block 405 to process the next packet, as previously described above. If the determination at block 410 is false, then the received packet meets none of the rules, so the filter module 252 forwards the packet to the sampling module 250 and control returns to block 405.
  • Fig. 5 depicts a flowchart of example processing for the sampling module 250, according to an embodiment of the invention. Control begins at block 500. Control then continues to block 505 where the sampling module 250 receives a packet from the filter module 252. Control then continues to block 510 where the sampling module 250 copies the packet to a destination at the server 100, such as the application 152. Control then continues to block 515 where the sampling module 250 may store the packet in storage associated with the analyzer module 254 depending on the sampling rate. In another embodiment, the sampling module 250 may send the sampled packet to the analyzer module 254. Control then returns to block 505, as previously described above.
  • Fig. 6 depicts a flowchart of example processing for the analyzer module 254 that executes once for every sampled packet, according to an embodiment of the invention.
  • Control begins at block 600.
  • Control then continues to block 610 where the highest-priority analyzer module A 254 determines whether action is required for the symptom A and manages a rule A for the symptom A if necessary, as further described below with reference to Fig. 7.
  • Although analyzer modules A, B, C, and N 254 are illustrated for corresponding symptoms A, B, C, and N and corresponding rules A, B, C, and N, respectively, in other embodiments any number of analyzer modules, symptoms, and rules may be present. Further, although different modules A, B, C, and N 254 are illustrated detecting different symptoms A, B, C, and N, respectively, in other embodiments some or all of the different symptoms A, B, C, and N may be detected by the same analyzer module 254. The symptoms A, B, C, and N and the corresponding rules A, B, C, and N are further described below with reference to Fig. 7.
  • Although the analyzer module A is described in Fig. 6 as being the highest-priority analyzer module, the analyzer module B the second-highest priority, the analyzer module C the third-highest priority, and the analyzer module N the lowest priority, the priorities of the analyzer modules 254 may change, as further described below with reference to Fig. 7. In response to the changing of the priorities, the order of execution of the various analyzer modules A, B, C, and N 254 in Fig. 6 changes.
  • Fig. 7 depicts a flowchart of example processing of any and all of the analyzer modules A, B, C, and N 254 (previously described above with reference to Fig. 6), according to an embodiment of the invention.
  • Fig. 7 refers to any analyzer module A, B, C, or N as "analyzer X" 254, where "X" refers to A, B, C, or N, depending on from which block in Fig. 6 the logic of Fig. 7 was invoked.
  • Control begins at block 700. Control then continues to block 705 where the analyzer module X 254 determines whether the associated symptom X has previously been detected (by a previous invocation of the logic of Fig. 7 at block 720) and the associated rule X is currently implemented (by the filter module 252, as previously described above with reference to Fig. 4). If the determination at block 705 is true, then the rule X has already been implemented by the filter module 252, so control continues to block 710 where the analyzer module X 254 determines whether it is time to remove the implemented rule X by estimating whether the attack that causes the symptom X has ceased or abated.
  • In an embodiment, the analyzer module X 254 makes the determination at block 710 by comparing the elapsed time since the rule X was implemented to a threshold; different rules X may have the same or different thresholds. In another embodiment, the analyzer module X 254 makes the determination at block 710 by analyzing the statistics previously saved by the filter module 252, as previously described above with reference to block 415 in Fig. 4. Thus, the analyzer module 254 estimates whether the symptom X detected by the rule X is no longer occurring based on a time threshold or based on the number of packets that met the rule and were discarded. The statistics matter because, once the rule X is implemented, the filter module 252 discards the packets that exhibit the symptom X before they reach the sampling module 250, so the analyzer module X 254 no longer sees the symptom in the sample, and the discard counters are its only evidence that the attack is continuing.
  • If the determination at block 710 is true, control continues to block 715 where the analyzer module X 254 removes the rule X from the rule set that the filter module 252 currently enforces. Control then continues to block 799 where the logic of Fig. 7 returns.
  • If the determination at block 705 is false, control continues to block 720 where the analyzer module X 254 determines whether the symptom X exists in the sampled packet. If the symptom X exists, control continues to block 722 where the analyzer module X 254 increments or otherwise increases the priority of the analyzer module X 254.
  • The priorities of the analyzer modules are used to sort the order of the execution of the detection of the symptoms, as previously described above with reference to Fig. 6. Control then continues to block 725 where the analyzer module X 254 sends the determined rule X to the filter module 252.
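The data path of Figs. 3 to 5 and the analyzer logic of Figs. 6 and 7, as an added example in Python; this is not code from the patent or from IBM's implementation. The packet representation, the two symptom definitions (SYN together with FIN as an invalid flag combination; a loopback, unspecified or multicast source as an invalid source address), the sampling stride, the rule-removal policy and the traffic are all assumptions of the example. The analyzer is drained between packets instead of running in a lower-priority thread so that the run is deterministic.

```python
"""Filter -> sampler -> offline analyzer pipeline of Figs. 3-7 (example code; not the patent's implementation)."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

Packet = Dict[str, object]   # constructed stand-in for a parsed packet: ts, proto, src, dst, flags

@dataclass
class Rule:
    """Rule X: created by analyzer X (Fig. 7, block 725), enforced by the filter (Fig. 4)."""
    name: str
    matches: Callable[[Packet], bool]
    installed_at: float
    discarded: int = 0                    # the statistical counter of Fig. 4, block 415

@dataclass
class FilterModule:
    rules: Dict[str, Rule] = field(default_factory=dict)
    discarded_total: int = 0

    def receive(self, pkt: Packet) -> bool:
        """Fig. 4, blocks 410/415: True if the packet met a rule and was discarded."""
        for rule in self.rules.values():
            if rule.matches(pkt):
                rule.discarded += 1
                self.discarded_total += 1
                return True
        return False

@dataclass
class SamplingModule:
    rate: int                             # one in `rate` forwarded packets is copied to the analyzer
    destination: List[Packet] = field(default_factory=list)
    sample_queue: Deque[Packet] = field(default_factory=deque)
    seen: int = 0

    def receive(self, pkt: Packet) -> None:
        """Fig. 5, blocks 510/515: every packet reaches the destination, a sample also the analyzer."""
        self.destination.append(pkt)
        self.seen += 1
        if self.seen % self.rate == 0:
            self.sample_queue.append(pkt)

@dataclass
class Analyzer:
    name: str
    detect: Callable[[Packet], bool]      # does this sampled packet show symptom X?
    priority: int = 0
    last_discarded: int = 0               # counter value seen at the previous block-710 check

def run_analyzers(analyzers: List[Analyzer], filt: FilterModule, pkt: Packet, now: float, ttl: float) -> None:
    """Fig. 6: analyzers run in priority order, each running the Fig. 7 logic once for this sampled packet."""
    for a in sorted(analyzers, key=lambda x: x.priority, reverse=True):
        rule = filt.rules.get(a.name)
        if rule is not None:                                     # block 705: rule X is installed
            expired = now - rule.installed_at >= ttl             # block 710, time-threshold variant
            abated = rule.discarded == a.last_discarded          # block 710, statistics variant
            a.last_discarded = rule.discarded
            if expired or abated:
                del filt.rules[a.name]                           # block 715
            continue
        if a.detect(pkt):                                         # block 720: symptom X in the sample
            a.priority += 1                                       # block 722
            filt.rules[a.name] = Rule(a.name, a.detect, now)      # block 725: drop what shows symptom X
            a.last_discarded = 0

def has_invalid_tcp_flags(p: Packet) -> bool:
    """Assumed definition: SYN together with FIN never occurs in a legitimate handshake."""
    return p["proto"] == "tcp" and {"SYN", "FIN"} <= set(p["flags"])

def has_invalid_source(p: Packet) -> bool:
    """Assumed definition: a loopback, unspecified or multicast source cannot arrive from the network."""
    a = ipaddress.ip_address(str(p["src"]))
    return a.is_loopback or a.is_unspecified or a.is_multicast

def constructed_stream() -> List[Packet]:
    """Constructed traffic: 10 s of SYN+FIN packets interleaved with normal ACKs, then 15 s of ACKs only."""
    def pkt(ts: float, src: str, flags: set) -> Packet:
        return {"ts": ts, "proto": "tcp", "src": src, "dst": "10.0.0.1", "flags": flags}
    stream: List[Packet] = []
    for i in range(10):
        stream.append(pkt(float(i), "203.0.113.9", {"SYN", "FIN"}))
        stream.append(pkt(i + 0.5, "10.0.0.5", {"ACK"}))
    return stream + [pkt(10.0 + 0.5 * i, "10.0.0.5", {"ACK"}) for i in range(30)]

def simulate(sample_rate: int = 3, ttl: float = 10.0) -> Dict[str, object]:
    filt, sampler = FilterModule(), SamplingModule(rate=sample_rate)
    analyzers = [Analyzer("invalid_source", has_invalid_source), Analyzer("invalid_tcp_flags", has_invalid_tcp_flags)]
    for pkt in constructed_stream():
        if not filt.receive(pkt):          # Fig. 3: the filter sees the packet first ...
            sampler.receive(pkt)           # ... and the sampler copies what survives
        while sampler.sample_queue:        # the "offline" analyzer, drained here so the run is deterministic
            run_analyzers(analyzers, filt, sampler.sample_queue.popleft(), float(pkt["ts"]), ttl)
    return {"delivered": len(sampler.destination), "discarded": filt.discarded_total,
            "attack_delivered": sum(has_invalid_tcp_flags(p) for p in sampler.destination),
            "active_rules": list(filt.rules),
            "order": [a.name for a in sorted(analyzers, key=lambda x: x.priority, reverse=True)]}
```

With the default stride of 3, the first sampled attack packet installs the rule, the eight attack packets that follow are discarded and counted, the analyzer that fired moves to the front of the execution order, and the rule is removed once the counters stop moving (the time threshold expires at the same moment in this stream). With a stride of 2 every attack packet in this constructed stream falls between two samples and nothing is ever detected: a fixed-stride sampler is trivially evaded by an attacker who can shape the interleaving, so a deployment would sample randomly.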
  • The symptoms X (symptoms A, B, C, and N as previously described above with reference to Fig. 6) and their respective rules X (rules A, B, C, and N as previously described above with reference to Fig. 6) may include any, some, or all of the following:
  • Ping floods: if the analyzer module 254 detects the symptom of a number of ICMP echo requests sent to a specific target (e.g., the application 152) that exceeds a threshold, the analyzer module 254 creates a rule instructing the filter module 252 to discard all echo or ping requests directed to that target for a period of time.
  • Broadcast floods: a broadcast packet requests the target to send the same packet to multiple destinations. Some number of broadcast packets is normal in an active network, but when sent in excessive amounts, networks can be overwhelmed in forwarding and processing these packets. If the analyzer module 254 detects the symptom of receiving a threshold number of broadcast packets in a period of time, the analyzer module 254 creates a rule instructing the filter module 252 to discard all broadcast packets for a period of time.
  • Invalid source addresses: if the analyzer module 254 detects the symptom of receiving a packet with an invalid source address, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets originating from the invalid source address.
  • Invalid TCP flags: if the analyzer module 254 detects the symptom of receiving a packet with an invalid flag or flags in the packet header, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets with the invalid flag or flags. Although TCP flags are described, in other embodiments flags for any appropriate protocol may be used.
  • SYN floods: the SYN flood attack sends TCP connection requests faster than the target destination, e.g., the application 152, can process them. The attacker creates a random source address for each packet. The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address. The victim destination responds to the spoofed IP address, then waits for a confirmation that never arrives. The victim's connection table fills up waiting for replies; after the table fills up, all new connections are ignored, so legitimate users are ignored as well and cannot access the server. When the attacker stops flooding the server, the server usually goes back to a normal state, so SYN floods rarely crash servers. The SYN flood attack can also be used as part of other attacks, such as disabling one side of a connection in TCP hijacking, or preventing authentication or logging between servers. If the analyzer module 254 detects the symptom of receiving a threshold number of packets within a time period that contain the SYN flag, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets with the SYN flag set for a period of time. Because the source addresses are spoofed at random, a per-source rule of the kind used for invalid source addresses would not help against this symptom; the SYN rule therefore applies to all SYN packets, which also refuses legitimate connection requests for the duration of the rule.
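The five symptoms above and the rules they produce, as an added example in Python; this is not code from the patent or from IBM's implementation. The thresholds and windows, the protected host and local network, the list of "invalid" TCP flag combinations, the definition of an invalid source address, and the sampled traffic are all assumptions constructed for the example. Each detector consumes the sampled packets one at a time, as the analyzer module would, and emits a rule when its symptom is present.

```python
"""The five symptoms of Fig. 7 and the rules they produce (example code; not the patent's implementation)."""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

Packet = Dict[str, object]   # constructed stand-in: ts, proto, src, dst, flags (set of str), icmp_type
TARGET = "10.0.0.1"                                  # assumed protected host (the "application 152")
LAN = ipaddress.ip_network("10.0.0.0/24")            # assumed local network, to recognise its directed broadcast
INVALID_FLAG_SETS = [frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}),   # assumed "invalid"
                     frozenset({"SYN", "FIN", "RST", "PSH", "ACK", "URG"})]              # flag combinations

@dataclass
class Rule:
    """What analyzer X hands to the filter: a predicate and, for the flood rules, an expiry time."""
    name: str
    matches: Callable[[Packet], bool]
    expires_at: Optional[float]          # None: the rule stays until the analyzer removes it

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at

@dataclass
class Symptom:
    """Symptom X: `threshold` matching packets within `window_seconds` (1 and 0 for single-packet symptoms)."""
    name: str
    matches: Callable[[Packet], bool]                       # does this sampled packet show the symptom?
    rule_for: Callable[["Symptom", Packet], Rule]           # the rule to hand the filter when it fires
    threshold: int = 1
    window_seconds: float = 0.0
    _events: Deque[float] = field(default_factory=deque, init=False, repr=False)

    def observe(self, pkt: Packet) -> Optional[Rule]:
        if not self.matches(pkt):
            return None
        ts = float(pkt["ts"])
        self._events.append(ts)
        while ts - self._events[0] > self.window_seconds:   # keep only the trailing window
            self._events.popleft()
        if len(self._events) < self.threshold:
            return None
        self._events.clear()              # rule created; count afresh for the next episode
        return self.rule_for(self, pkt)

def timed(seconds: float) -> Callable[["Symptom", Packet], Rule]:
    """Flood rules: drop everything the symptom predicate matches for `seconds` after the trigger."""
    return lambda s, p: Rule(s.name, s.matches, float(p["ts"]) + seconds)

def block_source(s: Symptom, p: Packet) -> Rule:
    src = p["src"]
    return Rule(f"drop_src_{src}", lambda q: q["src"] == src, None)

def block_flags(s: Symptom, p: Packet) -> Rule:
    flags = frozenset(p["flags"])
    return Rule("drop_flags_" + "+".join(sorted(flags)),
                lambda q: q["proto"] == "tcp" and frozenset(q["flags"]) == flags, None)

def is_echo_request_to_target(p: Packet) -> bool:
    return p["proto"] == "icmp" and p.get("icmp_type") == 8 and p["dst"] == TARGET

def is_broadcast(p: Packet) -> bool:
    return p["dst"] in ("255.255.255.255", str(LAN.broadcast_address))

def is_syn(p: Packet) -> bool:
    return p["proto"] == "tcp" and "SYN" in p["flags"]   # as described: any packet with SYN set

def has_invalid_source(p: Packet) -> bool:
    a = ipaddress.ip_address(str(p["src"]))
    return a.is_loopback or a.is_unspecified or a.is_multicast

def has_invalid_flags(p: Packet) -> bool:
    return p["proto"] == "tcp" and frozenset(p["flags"]) in INVALID_FLAG_SETS

def default_detectors() -> List[Symptom]:
    return [Symptom("ping_flood", is_echo_request_to_target, timed(60.0), threshold=10, window_seconds=2.0),
            Symptom("broadcast_flood", is_broadcast, timed(60.0), threshold=5, window_seconds=2.0),
            Symptom("invalid_source", has_invalid_source, block_source),
            Symptom("invalid_tcp_flags", has_invalid_flags, block_flags),
            Symptom("syn_flood", is_syn, timed(30.0), threshold=20, window_seconds=1.0)]

def analyze(samples: List[Packet], detectors: List[Symptom]) -> List[Rule]:
    """Run every detector over the sampled packets; return the rules in creation order."""
    rules: List[Rule] = []
    for pkt in samples:
        rules += [r for r in (d.observe(pkt) for d in detectors) if r is not None]
    return rules

def constructed_samples() -> List[Packet]:
    """Constructed sample: a ping flood, a little broadcast, one bogus source, one SYN+FIN, then a SYN flood."""
    def pkt(ts: float, proto: str, src: str, dst: str, flags=(), **extra) -> Packet:
        return {"ts": ts, "proto": proto, "src": src, "dst": dst, "flags": set(flags), **extra}
    s = [pkt(0.1 * i, "icmp", f"198.51.100.{i}", TARGET, icmp_type=8) for i in range(12)]
    s += [pkt(2.0 + 0.1 * i, "udp", "10.0.0.7", str(LAN.broadcast_address)) for i in range(3)]
    s += [pkt(3.0, "udp", "127.0.0.1", TARGET), pkt(3.1, "tcp", "203.0.113.5", TARGET, {"SYN", "FIN"})]
    return s + [pkt(5.0 + 0.02 * i, "tcp", f"192.0.2.{i}", TARGET, {"SYN"}) for i in range(25)]
```

On the constructed sample the ping, invalid-source, invalid-flags and SYN detectors fire and the broadcast detector does not (three broadcasts are below its threshold of five). Two points worth keeping in mind when choosing the numbers: the thresholds are counted on the sampled packets the analyzer sees, so a threshold of T at a sampling stride of N corresponds to roughly T×N packets on the wire; and the SYN rule, written as the text describes it, also drops inbound SYN+ACK replies to the server's own outbound connections, which a deployed rule would normally exempt.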

Abstract

A method, apparatus, system, and signal-bearing medium that, in an embodiment, filter packets received from a network based on rules. The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets. The remaining subset is copied to a destination. The rules are created offline in a lower priority process from the filtering and copying by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order that the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample. In various embodiments, the symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, receiving a packet with an invalid header flag, and receiving a threshold number of the packets within a time period that contain a sequence flag. In this way, firewall throughput performance is increased.

Description

OFFLINE ANALYSIS OF PACKETS
FIELD
An embodiment of the invention generally relates to computers. In particular, an embodiment of the invention generally relates to offline analysis of packets for network security.
BACKGROUND
The development of the EDVAC computer system of 1948 is often cited as the beginning of the computer era. Since that time, computer systems have evolved into extremely sophisticated devices, and computer systems may be found in many different settings. Computer systems typically include a combination of hardware components (such as semiconductors, integrated circuits, programmable logic devices, programmable gate arrays, power supplies, electronic card assemblies, sheet metal, cables, and connectors) and software, also known as computer programs.
Years ago, computers were isolated devices that did not communicate with each other. But, today computers are often connected in networks, such as the Internet or World Wide Web, and a user at one computer, often called a client, may wish to access information at multiple other computers, often called servers, via a network. Although this connectivity can be of great benefit to authorized users, it also provides an opportunity for unauthorized persons (often called intruders, attackers, or hackers) to access, break into, or misuse computers that might be thousands of miles away. This unauthorized access may take a wide variety of forms, but will be referred to generically herein as a denial-of-service (DoS) attack.
In a denial-of-service attack, an intruder attempts to prevent legitimate users or organizations from accessing information, resources, or services that they would normally expect to have. Typically, the loss of service is the unavailability of a particular network service, such as e-mail, or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial-of-service attack may also destroy programming and files in a computer system, may cause system slowdowns or crashes, or may disrupt access to important online accounts, e.g., a banking account. Although often intentional and malicious, a denial-of-service attack can sometimes happen accidentally, although the destructive effect may still be the same. Denial-of-service attacks do not necessarily result in the theft of information or other security loss. Nevertheless, these attacks may still cost the target user or organization a great deal of time and money.
Although denial-of-service attacks may take many forms, one of the most common and obvious types occurs when an attacker "floods" or overloads a network with information, which is sometimes loosely called a "broadcast storm." To understand this type of attack, consider the actions taken when a user types a URL (Uniform Resource Locator) for a particular web site into a browser. This results in the browser sending a request to that site's computer server to view the identified page. But, the server can only process a certain number of requests at once, so if an attacker overloads the server with requests, the server is not able to process requests from legitimate users.
Another type of denial-of-service attack occurs when an attacker uses spam email messages to launch an attack on a target user's email account. Whether users have an email account supplied by their employers or one available through a free service such as Yahoo or Hotmail, each user is assigned a specific quota, which limits the amount of data the user is allowed to have in the account at any given time. By sending many, or large, email messages to the account, an attacker can consume the user's quota, preventing the receipt of legitimate messages.
Another type of denial-of-service attack is often referred to as a "buffer overflow attack, " in which an attacker sends more traffic to a network address than the programmers who planned its data buffers anticipated someone might send. The attacker may be aware that the target system has a weakness that can be exploited, or the attacker may simply try a variety of types of attacks until one is found that works. A few of the better-known attacks based on the buffer characteristics of a program or system include: sending e-mail messages that have attachments with long file names, sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (ping) of death), or sending email with a long "From" address.
Another type of denial-of-service attack is often referred to as a "SYN attack." When a session is initiated between a Transmission Control Protocol (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session. The session-establishing packets carry the SYN (synchronize) flag, which requests a new connection and announces the sender's initial sequence number for the exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the half-open connection in the buffer, which reduces the buffer space that the server can use to accommodate other, legitimate connection requests. Although the server drops the entry after a certain period of time without a reply, the effect of many of these false connection requests is to slow the speed at which the server can establish legitimate sessions.
Another type of denial-of-service attack is often referred to as a "teardrop attack, " which exploits the way that the Internet Protocol (IP) requires a packet to be divided into fragments when the packet is too large for the next router to handle. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
In another type of denial-of-service attack, the attacker sends TCP (Transmission Control Protocol) packets with invalid flags in the header. The target server's TCP software will detect the error and discard the packet, but the act of interrogating the packet and determining that it is invalid still consumes valuable resources and processing bandwidth, especially when the server is inundated with many invalid packets.
Another type of denial-of-service attack is often referred to as a "smurf attack," in which the attacker sends an IP ping (or "echo my message back to me") request to a target server. The ping packet instructs the receiving server to broadcast the ping packet to a number of hosts within the receiving server's local network. The packet also indicates that the request is from another site, the target site that is to receive the denial-of-service. (Sending a packet with someone else's return address in it is called spoofing the return address.) The result is many ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.
Computer viruses, Trojan horses, worms, or other potentially destructive code, which replicate across a network in various ways, can also be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial-of-service can range from hardly noticeable all the way through completely disastrous.
Denial-of-service attacks may also be distributed, in which an attacker may use the computer of an unsuspecting user to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of the computers belonging to multiple unsuspecting users. The attacker then forces these computers to send large amounts of data to a web site or to send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers to launch the denial-of-service attack.
One way that computers defend against these denial-of-service attacks is through a device commonly called a firewall. The firewall takes its name from the physical building structure that stops the spread of fire from one location to another. Analogously, a firewall in computer terms is hardware and/or software that stops an attack from entering the computer. The firewall typically examines incoming packets of data from a network and filters the malicious packets.
Current firewalls use a reactive approach where the same process handles detecting of malicious packets, filtering of the malicious packets, and routing of innocent packets. Further, the reaction of filtering and routing occurs immediately following the detection. The problem with simple reactive firewalls is that the time they take to recognize an attack by analyzing the incoming stream is taken directly from the time needed to execute existing firewall rules. Thus, the more complex the detection process, the longer the firewall takes to perform the normal operations of routing innocent network packets to their destination within the target server.
Some current firewalls have additional problems in that they may create false attack alarms due to an incomplete and inaccurate attack detection mechanism. The reason for many false alarms lies in insufficient packet analysis. Further, in existing firewalls, the packet detection process is often too tightly coupled with the network stack processing and packet filtering. For example, if the detection process has the same execution priority as the filtering process, this imposes a resource (e.g., CPU, memory) restriction on the complexity of attack detection. One technique for attempting to address the problem of attack detection and analysis is to use fast hardware implementation. Unfortunately, the hardware-based solutions are usually costly to manufacture. Without a better way to detect and respond to denial-of-service attacks, users will continue to suffer from either reduced attack detection effectiveness or degraded throughput and false alarms.
SUMMARY
A method, apparatus, system, and signal-bearing medium are provided that, in an embodiment, filter packets received from a network based on rules. The filtering discards a subset of the packets based on the rules and keeps a remaining subset of the packets. The remaining subset is copied to a destination. The rules are created offline in a lower priority process from the filtering and copying by detecting whether symptoms exist in a sample of the remaining subset. In an embodiment, the order that the symptoms are detected is changed based on the frequency of the existence of the symptoms in the sample. In various embodiments, the symptoms may include receiving a threshold number of ping packets within a time period, receiving a threshold number of broadcast packets within a time period, receiving a packet with an invalid source address, receiving a packet with an invalid header flag, and receiving a threshold number of the packets within a time period that contain a sequence flag. In this way, firewall throughput performance is increased.
In accordance with one embodiment, the present invention provides signal-bearing medium encoded with instructions, wherein the instructions when executed comprise: filtering packets based on at least one rule, wherein the filtering discards a first subset of the packets based on the rule and keeps a remaining subset of the packets; creating a sample of the remaining subset; detecting whether each of a plurality of symptoms exists in the sample; changing an order of execution of the detecting whether each of the plurality of symptoms exists based on a frequency of each of the plurality of symptoms in the sample; and determining the at least one rule based on the detecting, wherein the detecting and the determining execute in a different process from the filtering and the creating.
The signal-bearing medium can further comprise: copying the remaining subset to a destination.
In accordance with another embodiment, the copying instruction further comprises: copying the remaining subset to the destination in the same process as the filtering and the creating. In accordance with another embodiment, the symptom comprises: receiving a threshold number of ping packets within a time period or receiving a threshold number of broadcast packets within a time period.
The symptom may also comprise: receiving one of the packets with an invalid source address. The symptom may also comprise: receiving one of the packets with an invalid header flag. The symptom may also comprise: receiving a threshold number of the packets that contain a sequence flag within a time period. In accordance with another embodiment the different process has a lower priority than the filtering and the creating.
In accordance with another embodiment, the present invention provides a computer system comprising: a processor; and a network interface comprising a plurality of analyzer modules, wherein the plurality of analyzer modules detect a plurality of respective symptoms in packets and create a plurality of respective rules based on the plurality of symptoms, a filter module that filters the packets based on the plurality of rules, wherein the plurality of analyzer modules execute offline from the filter module, and a sampling module that sends the filtered packets to an application that executes on the processor and that sends a sample of the filtered packets to the plurality of analyzer modules. In accordance with another embodiment, the plurality of analyzer modules execute in an order, and one of the plurality of analyzer modules reprioritizes the order based on a presence or absence of one of the plurality of symptoms. In another embodiment, a priority of the one analyzer module is increased if the one symptom is present, and the order is based on the priority. In accordance with yet another embodiment, a priority of the one analyzer module is decreased if the one symptom is absent, and the order is based on the priority. In another embodiment, one of the plurality of analyzer modules periodically removes the respective rule from the filter module. In accordance with another embodiment, the one of the plurality of analyzer modules periodically removes the respective rule from the filter module based on a time threshold.
In accordance with another embodiment, the one of the plurality of analyzer modules periodically removes the respective rule from the filter module based on a number of the packets that met the respective rule and were discarded. In accordance with another embodiment, the sampling module creates a subset of the filtered packets, and the analyzer module analyzes the subset. In accordance with another embodiment, the present invention provides a method for configuring a computer, comprising: configuring the computer to filter packets based on a rule; configuring the computer to analyze the filtered packets for a symptom; and configuring the computer to create the rule based on the symptom, wherein the filtered packets are analyzed and the rule is created offline from the filtering of the packets.
BRIEF DESCRIPTION OF THE DRAWING
The present invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Fig. 1 depicts a block diagram of an example system for implementing an embodiment of the invention;
Fig. 2 depicts a block diagram of select components of the example system, according to an embodiment of the invention;
Fig. 3 depicts a block diagram showing the flow of packets in the example system, according to an embodiment of the invention;
Fig. 4 depicts a flowchart of example processing for a filter module, according to an embodiment of the invention;
Fig. 5 depicts a flowchart of example processing for a sampling module, according to an embodiment of the invention;
Fig. 6 depicts a flowchart of example processing for an analyzer module, according to an embodiment of the invention; and
Fig. 7 depicts a flowchart of example further processing for the analyzer module, according to an embodiment of the invention.
DETAILED DESCRIPTION
Referring to the Drawing, wherein like numbers denote like parts throughout the several views, Fig. 1 depicts a high-level block diagram representation of a computer system 100 connected to a network 130, according to an embodiment of the present invention. The major components of the computer system 100 include one or more processors 101, main memory 102, a terminal interface 111, a storage interface 112, an I/O (Input/Output) device interface 113, and communications/network interfaces 114 (in an embodiment, a firewall), all of which are coupled for inter-component communication via a memory bus 103, an I/O bus 104, and an I/O bus interface unit 105.
The computer system 100 contains one or more general-purpose programmable central processing units (CPUs) 101A, 101B, 101C, and 101D, herein generically referred to as the processor 101. In an embodiment, the computer system 100 contains multiple processors typical of a relatively large system; however, in another embodiment, the computer system 100 may alternatively be a single CPU system. Each processor 101 executes instructions stored in the main memory 102 and may include one or more levels of on-board cache.
Each processor 101 may be implemented as a single-threaded processor, or as a multithreaded processor. For the most part, each hardware thread in a multithreaded processor is treated like an independent processor by the software resident in the computer 100. In this regard, for the purposes of this disclosure, a single-threaded processor will be considered to incorporate a single hardware thread, i.e., a single independent unit of execution. It will be appreciated, however, that software-based multithreading or multitasking may be used in connection with both single-threaded and multithreaded processors to further support the parallel performance of multiple tasks in the computer 100.
The main memory 102 is a random-access semiconductor memory for storing data and programs. The main memory 102 is conceptually a single monolithic entity, but in other embodiments, the main memory 102 is a more complex arrangement, such as a hierarchy of caches and other memory devices. For example, memory may exist in multiple levels of caches, and these caches may be further divided by function, so that one cache holds instructions while another holds non-instruction data, which is used by the processor or processors. Memory may further be distributed and associated with different CPUs or sets of CPUs, as is known in any of various so-called non-uniform memory access (NUMA) computer architectures.
The main memory 102 includes an operating system 150, which is software that controls the allocation and usage of hardware resources of the computer system 100 among various applications, processes, or threads, such as processing time of the processor 101, the memory 102, disk space, and peripheral devices. The operating system 150 is typically the foundation on which applications are built. In various embodiments, the operating system 150 may be implemented by OS/400, UNIX, AIX, or any other appropriate operating system. The operating system 150 includes instructions capable of executing on the processor 101 or statements capable of being interpreted by instructions that execute on the processor 101. The computer system 100 may use virtual addressing mechanisms that allow the programs of the computer system 100 to behave as if they only have access to a large, single storage entity instead of access to multiple, smaller storage entities. Thus, while the operating system 150 is illustrated as being contained within the memory 102 in the computer system 100, portions of the operating system 150 are not necessarily all completely contained in the same storage device at the same time.
The main memory 102 further includes an application or applications 152. The application is a destination or recipient of packets of data received from the network 130. Although the application 152 is illustrated in Fig. 1 as being separate from the operating system 150, in another embodiment they are packaged together or are one and the same.
The memory bus 103 provides a data communication path for transferring data among the processors 101, the main memory 102, and the I/O bus interface unit 105. The I/O bus interface unit 105 is further coupled to the system I/O bus 104 for transferring data to and from the various I/O units. The I/O bus interface unit 105 communicates with multiple I/O interface units 111, 112, 113, and 114, which are also known as I/O processors (IOPs) or I/O adapters (IOAs), through the system I/O bus 104. The system I/O bus 104 may be, e.g., an industry standard PCI (Peripheral Component Interconnect) bus, or any other appropriate bus technology. The I/O interface units support communication with a variety of storage and I/O devices. For example, the terminal interface unit 111 supports the attachment of one or more user terminals 121, 122, 123, and 124.
The storage interface unit 112 supports the attachment of one or more direct access storage devices (DASD) 125, 126, and 127 (which are typically rotating magnetic disk drive storage devices, although they could alternatively be other devices, including arrays of disk drives configured to appear as a single large storage device to a host). The contents of the DASD 125, 126, and 127 may be loaded from and stored to the memory 102 as needed. The storage interface unit 112 may also support other types of devices, such as a tape device 131, an optical device, or any other type of storage device. The I/O and other device interface 113 provides an interface to any of various other input/output devices or devices of other types. Two such devices, the printer 128 and the fax machine 129, are shown in the exemplary embodiment of Fig. 1, but in other embodiments, many other such devices may exist, which may be of differing types.
The network interface 114 provides one or more communications paths from the computer system 100 to other digital devices and computer systems; such paths may include, e.g., one or more networks 130. In various embodiments, the network interface 114 may be implemented via a firewall, a router, a modem, a LAN (Local Area Network) card, a virtual LAN card, an Internet Service Provider (ISP), a personal computer or any other appropriate network interface or combination of network interfaces. Selected components of the network interface 114 are further described below with reference to Fig. 2.
Although the memory bus 103 is shown in Fig. 1 as a relatively simple, single bus structure providing a direct communication path among the processors 101, the main memory 102, and the I/O bus interface 105, in fact, the memory bus 103 may comprise multiple different buses or communication paths, which may be arranged in any of various forms, such as point-to-point links in hierarchical, star or web configurations, multiple hierarchical buses, parallel and redundant paths, etc. Furthermore, while the I/O bus interface 105 and the I/O bus 104 are shown as single respective units, the computer system 100 may, in fact, contain multiple I/O bus interface units 105 and/or multiple I/O buses 104. While multiple I/O interface units are shown, which separate the system I/O bus 104 from various communications paths running to the various I/O devices, in other embodiments, some or all of the I/O devices are connected directly to one or more system I/O buses.
The computer system 100, depicted in Fig. 1, has multiple attached terminals 121, 122, 123, and 124, such as might be typical of a multi-user "mainframe" computer system. Typically, in such a case the actual number of attached devices is greater than those shown in Fig. 1, although the present invention is not limited to systems of any particular size. The computer system 100 may alternatively be a single-user system, typically containing only a single user display and keyboard input, or might be a server or similar device which has little or no direct user interface, but receives requests from other computer systems (clients). In other embodiments, the computer system 100 may be implemented as a firewall, router, Internet Service Provider (ISP), personal computer, portable computer, laptop or notebook computer, PDA (Personal Digital Assistant), tablet computer, pocket computer, telephone, pager, automobile, teleconferencing system, appliance, or any other appropriate type of electronic device.
The network 130 may be any suitable network or combination of networks and may support any appropriate protocol suitable for communication of data and/or code to/from the computer system 100. In an embodiment, the network 130 may represent a storage device or a combination of storage devices, either connected directly or indirectly to the computer system 100. In an embodiment, the network 130 may support Infiniband. In another embodiment, the network 130 may support wireless communications. In another embodiment, the network 130 may support hard-wired communications, such as a telephone line, cable, or bus. In another embodiment, the network 130 may support the Ethernet IEEE (Institute of Electrical and Electronics Engineers) 802.3x specification.
In another embodiment, the network 130 may be the Internet and may support IP (Internet Protocol). In another embodiment, the network 130 may be a local area network (LAN) or a wide area network (WAN). In another embodiment, the network 130 may be a hotspot service provider network. In another embodiment, the network 130 may be an intranet. In another embodiment, the network 130 may be a GPRS (General Packet Radio Service) network. In another embodiment, the network 130 may be a FRS (Family Radio Service) network. In another embodiment, the network 130 may be any appropriate cellular data network or cell-based radio network technology. In another embodiment, the network 130 may be an IEEE 802.11B wireless network. In still another embodiment, the network 130 may be any suitable network or combination of networks. Although one network 130 is shown, in other embodiments any number of networks (of the same or different types) may be present.
It should be understood that Fig. 1 is intended to depict the representative major components of the computer system 100 and the network 130 at a high level, that individual components may have greater complexity than represented in Fig. 1, that components other than, fewer than, or in addition to those shown in Fig. 1 may be present, and that the number, type, and configuration of such components may vary. Several particular examples of such additional complexity or additional variations are disclosed herein; it being understood that these are by way of example only and are not necessarily the only such variations. Indeed, other alternative hardware and/or software environments may be used without departing from the scope of the invention.
Fig. 2 depicts a block diagram of select components of the example system, according to an embodiment of the invention. The example system includes the computer system 100 (acting as a server) , the firewall 114, and the network 130, all previously described above with reference to Fig. 1.
The major components of the firewall 114 include a processor 201 and main memory 202, which are coupled for inter-component communication via a memory bus 203, an I/O bus 204, and an I/O bus interface unit 205. The processor 201 executes instructions stored in the main memory 202, may include one or more levels of on-board cache, and is analogous to the processor 101, as previously described above with reference to Fig. 1.
In an embodiment, the main memory 202 is a random-access semiconductor memory for storing data and programs and is analogous to the description of the main memory 102 in Fig. 1, as previously described above. The main memory 202 may be read-only, read-write, volatile, or non-volatile. The main memory 202 includes a sampling module 250, a filter module 252, and an analyzer module 254. Although the sampling module 250, the filter module 252, and the analyzer module 254 are illustrated as being contained within the memory 202 in the firewall 114, in other embodiments, some or all of them may be on different electronic devices and may be accessed remotely. Further, while the sampling module 250, the filter module 252, and the analyzer module 254 are all illustrated as being contained within the memory 202 in the firewall 114, these elements are not necessarily all completely contained in the same storage device at the same time. In various embodiments, some or all of the sampling module 250, the filter module 252, and the analyzer module 254 may be burned into the memory 202, loaded from the server 100, received via the network 130, or loaded from an unillustrated secondary storage device. The functions of the sampling module 250, the filter module 252, and the analyzer module 254 and the flow of packets between the sampling module 250, the filter module 252, and the analyzer module 254 are further described below with reference to Fig. 3.
The memory bus 203 provides a data communication path for transferring data among the processor 201, the main memory 202, and the I/O bus interface unit 205. The I/O bus interface unit 205 is further coupled to the system I/O bus 204 for transferring data to and from the various I/O units. The I/O bus interface unit 205 communicates with the server 100 and the network 130 through the system I/O bus 204. The system I/O bus 204 may be, e.g., an industry standard PCI (Peripheral Component Interconnect) bus, or any other appropriate bus technology.
It should be understood that Fig. 2 is intended to depict the representative major components of the firewall 114 and its relationship to the server 100 and the network 130 at a high level, that individual components may have greater complexity than represented in Fig. 2, that components other than, fewer than, or in addition to those shown in Fig. 2 may be present, and that the number, type, and configuration of such components may vary. Several particular examples of such additional complexity or additional variations are disclosed herein; it being understood that these are by way of example only and are not necessarily the only such variations.
The various software components illustrated in Fig. 2 and implementing various embodiments of the invention may be implemented in a number of manners, including using various computer software applications, routines, components, programs, objects, modules, data structures, etc., referred to hereinafter as "computer programs," or simply "programs." The computer programs typically comprise one or more instructions that are resident at various times in various memory and storage devices in the firewall 114, and that, when read and executed by one or more processors 201 in the firewall 114, cause the firewall 114 to perform the steps necessary to execute steps or elements embodying the various aspects of an embodiment of the invention.
Moreover, while embodiments of the invention have and hereinafter will be described in the context of fully functioning firewalls, the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and the invention applies equally regardless of the particular type of signal-bearing medium used to actually carry out the distribution. The programs defining the functions of this embodiment may be delivered to the firewall 114 via a variety of signal-bearing media, which include, but are not limited to:
(1) information permanently stored on a non-rewriteable storage medium, e.g., a read-only memory device attached to or within a computer system, such as a CD-ROM, DVD-R, or DVD+R; (2) alterable information stored on a rewriteable storage medium, e.g., a hard disk drive, CD-RW, DVD-RW, DVD+RW, DVD-RAM, or diskette; or
(3) information conveyed to the firewall 114 by a communications medium, such as through a computer or a telephone network, e.g., the network 130, including wireless communications.
Such signal-bearing media, when carrying machine-readable instructions that direct the functions of the present invention, represent embodiments of the present invention.
In addition, various programs described hereinafter may be identified based upon the application for which they are implemented in a specific embodiment of the invention. But, any particular program nomenclature that follows is used merely for convenience, and thus embodiments of the invention should not be limited to use solely in any specific application identified and/or implied by such nomenclature.
The exemplary environments illustrated in Fig. 2 are not intended to limit the present invention. Indeed, other alternative hardware and/or software environments may be used without departing from the scope of the invention.
Fig. 3 depicts a block diagram showing the flow of packets in the example system of the firewall 114 connected to the server 100 and the network 130, according to an embodiment of the invention. The filter module 252 receives a data stream of packets from the network 130 and filters the received data stream of packets based on rules, which are received from the analyzer module 254. If a received packet meets one of the rules, i.e., the received packet displays symptoms indicative of an attack by an intruder, the filter module 252 discards the packet. In various embodiments, the filter module 252 may discard the packet by moving it to a virtual trash bin or log, where it may be interrogated later if desired, or the filter module 252 may simply delete or overwrite the packet with other data, such as another packet received later. If the received packet does not meet the rules, the filter module 252 forwards the received packet to the sampling module 250. Thus, the filter module 252 filters packets based on at least one rule, discards a subset of the packets based on the rules, and forwards a remaining subset of the packets. The functions of the filter module 252 are further described below with reference to Fig. 4. The sampling module 250 receives the remaining subset of the packets from the filter module 252 and then copies the remaining subset to a destination, such as the application 152, in the server 100. The sampling module 250 further copies a sample of the remaining subset of the received packets to the analyzer module 254. Any appropriate sampling rate may be used. Thus, the sampled packets that the sampling module 250 sends to the analyzer module 254 are a further subset of the packets that the sampling module 250 receives from the filter module 252. The functions of the sampling module 250 are further described below with reference to Fig. 5.
The analyzer module 254 receives the sampled packets from the sampling module 250 at the sampling rate and analyzes the sampled packets for symptoms of an attack from an intruder. The analyzer module 254 executes offline from the sampling module 250 and the filter module 252, meaning that the analyzer module 254 executes in a different thread, process, or job. In an embodiment, the analyzer module 254 executes at a lower priority than the filter module 252 and the sampling module 250, so as to lessen any performance impact on the functions of the filter module 252 and the sampling module 250. The functions of the analyzer module 254 are further described below with reference to Figs. 6 and 7.
Fig. 4 depicts a flowchart of example processing for the filter module 252, according to an embodiment of the invention. Control begins at block 400. Control then continues to block 405 where the filter module 252 receives a packet from the network 130. Control then continues to block 410 where the filter module 252 determines whether the received packet meets a rule or rules, which the filter module 252 has previously received from the analyzer module 254 (further described below with reference to Fig. 7) . If the determination at block 410 is true, then the received packet meets the rule or rules, so control continues to block 415 where the filter module 252 rejects and discards the packet and updates statistical counters that track the packets that met the rule and were discarded. The statistical counters are used as further described below with reference to Fig. 7. Control then returns to block 405 to process the next packet, as previously described above.
If the determination at block 410 is false, then the received packet does not meet the rule or rules, so control continues to block 420 where the filter module 252 sends the received packet to the sampling module 250. Control then returns to block 405, as previously described above.
Fig. 5 depicts a flowchart of example processing for the sampling module 250, according to an embodiment of the invention. Control begins at block 500. Control then continues to block 505 where the sampling module 250 receives a packet from the filter module 252. Control then continues to block 510 where the sampling module 250 copies the packet to a destination at the server 100, such as the application 152. Control then continues to block 515 where the sampling module 250 may store the packet in storage associated with the analyzer module 254 depending on the sampling rate. In another embodiment, the sampling module 250 may send the sampled packet to the analyzer module 254. Control then returns to block 505, as previously described above.
Fig. 6 depicts a flowchart of example processing for the analyzer module 254 that executes once for every sampled packet, according to an embodiment of the invention. Control begins at block 600. Control then continues to block 610 where the highest-priority analyzer module A 254 determines whether action is required for the symptom A and manages a rule A for the symptom A if necessary, as further described below with reference to Fig. 7.
Control then continues to block 620 where the second-highest priority analyzer module B 254 determines whether action is required for the symptom B and manages a corresponding rule B for the symptom B if necessary, as further described below with reference to Fig. 7.
Control then continues to block 630 where the third-highest priority analyzer module C 254 determines whether action is required for the symptom C and manages a corresponding rule C for the symptom C if necessary, as further described below with reference to Fig. 7.
Control then continues to block 640 where the lowest-priority analyzer module N 254 determines whether action is required for the symptom N and manages a corresponding rule N for the symptom N if necessary, as further described below with reference to Fig. 7. Control then continues to block 645 where control logic associated with the analyzer module 254 reprioritizes the order of execution of the analyzer modules A, B, C, and N 254 based on new priorities of the analyzer modules 254, which are calculated as further described below with reference to Fig. 7. For example, the next time the logic of Fig. 6 is executed, the highest-priority to lowest-priority analyzer modules may be different. In this way, the order of execution of detecting whether each of the symptoms exists is changed based on the frequency of each of the symptoms in the sampled packets, as further described below with reference to Fig. 7. Thus, the symptoms that occur most frequently are checked for first while the symptoms that occur the least frequently are checked for last, and so on. Control then continues to block 699 where the logic of Fig. 6 returns.
Although the analyzer modules A, B, C, and N 254 are illustrated for corresponding symptoms A, B, C, and N and corresponding rules A, B, C, and N, respectively, in other embodiments any number of analyzer modules, symptoms and rules may be present. Further, although different modules A, B, C, and N 254 are illustrated detecting different symptoms A, B, C, and N, respectively, in other embodiments, some or all of the different symptoms A, B, C, and N may be detected by the same analyzer module 254. The symptoms A, B, C, and N and the corresponding rules A, B, C, and N are further described below with reference to Fig. 7.
Although the analyzer module A is described in Fig. 6 as being the highest-priority analyzer module, the analyzer module B is the second-highest priority, the analyzer module C is the third-highest priority, and the analyzer module N is the lowest priority, the priorities of the analyzer modules 254 may change, as further described below with reference to Fig. 7. In response to the changing of the priorities, the order of execution of the various analyzer modules A, B, C, and N 254 changes in Fig. 6.
Fig. 7 depicts a flowchart of example processing of any and all of the analyzer modules A, B, C, and N 254 (previously described above with reference to Fig. 6), according to an embodiment of the invention. Generically, Fig. 7 refers to any analyzer module A, B, C, or N as "analyzer X" 254, where "X" refers to A, B, C, or N, depending on from which block in Fig. 6 the logic of Fig. 7 was invoked.
Control begins at block 700. Control then continues to block 705 where the analyzer module X 254 determines whether the associated symptom X has previously been detected (by a previous invocation of the logic of Fig. 7 at block 720) and the associated rule X is currently implemented (by the filter module 252, as previously described above with reference to Fig. 4). If the determination at block 705 is true, then the rule X has already been implemented by the filter module 252, so control continues to block 710 where the analyzer module X 254 determines whether it is time to remove the implemented rule X by estimating whether the attack that causes the symptom X has ceased or abated. In an embodiment, the analyzer module X 254 makes the determination by comparing the elapsed time since the rule X was implemented to a threshold, and all rules X may have the same or different thresholds. In another embodiment, the analyzer module X 254 makes the determination at block 710 by analyzing the statistics previously saved by the filter module 252, as previously described above with reference to block 415 in Fig. 4. Thus, the analyzer module 254 estimates whether the symptom X detected by the rule X is no longer occurring based on a threshold or based on the number of packets that met the rule and were discarded.
If the determination at block 710 is true, then it is time to remove the implemented rule, so control continues to block 715 where the analyzer module X 254 removes the rule X from the rule set that the filter module 252 currently enforces. Control then continues to block 799 where the logic of Fig. 7 returns.
If the determination at block 710 is false, then it is not time to remove the implemented rule, so control continues to block 799 where the logic of Fig. 7 returns.
If the determination at block 705 is false, then the associated rule X is not currently implemented by the filter module 252, so control continues to block 720 where the analyzer module X 254 determines whether the symptom X is present in the current sampled packet.
If the determination at block 720 is true, then the symptom X is present in the current sampled packet, so control continues to block 722 where the analyzer module X 254 increments or otherwise increases the priority of the analyzer module X 254. The priorities of the analyzer modules are used to sort the order of the execution of the detection of the symptoms, as previously described above with reference to Fig. 6. Control then continues to block 725 where the analyzer module X 254 sends the determined rule X to the filter module 252.
Control then continues to block 799 where the logic of Fig. 7 returns.
If the determination at block 720 is false, then the symptom X is not present in the current sample, so control continues to block 735 where the analyzer module X 254 decrements or otherwise decreases the associated priority for the analyzer module X 254. Control then continues to block 799, as previously described above. In various embodiments, the symptoms X (symptoms A, B, C, and N as previously described above with reference to Fig. 6) and their respective rules X (rules A, B, C, and N as previously described above with reference to Fig. 6) may include any, some, or all of the following:
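The interplay of the filter, sampling and analyzer modules across Figs. 3 to 7, written out as an added Python illustration; this is not code from the patent or from IBM. The filter module discards on installed rules and keeps the per-rule discard counters of block 415, the sampling module copies every packet to the destination and every Nth packet to the analyzer queue, and the analyzer module runs one analyzer per symptom in priority order, re-sorts after each sampled packet (block 645), and installs or retires each analyzer's rule following Fig. 7. The packet records, the two symptom predicates, the sampling rate, the rule lifetime, and the retirement heuristic (retire rule X when its discard counter has not moved since the previous check, or when the lifetime threshold is reached) are assumptions made for the example; the analyzer queue is drained inline rather than from a separate lower-priority thread so that the run is deterministic.

```python
# Filter -> sampling -> analyzer pipeline sketched from Figs. 3 to 7. Added illustration,
# not code from the patent or from IBM; records, predicates, rate, ttl and the
# retirement heuristic are assumptions made for this example.
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

Packet = Dict[str, object]            # constructed record, e.g. {"proto": "tcp", "flags": {"SYN"}}
Predicate = Callable[[Packet], bool]  # a rule: True means "discard this packet"

@dataclass
class FilterModule:
    """Fig. 4: discard on any installed rule and count the hit (block 415), else forward."""
    rules: Dict[str, Predicate] = field(default_factory=dict)
    discarded: Dict[str, int] = field(default_factory=dict)

    def process(self, pkt: Packet) -> Optional[Packet]:
        for name, rule in self.rules.items():
            if rule(pkt):
                self.discarded[name] = self.discarded.get(name, 0) + 1
                return None
        return pkt

@dataclass
class SamplingModule:
    """Fig. 5: copy every packet to the destination, every `rate`-th one to the analyzer."""
    rate: int
    destination: List[Packet] = field(default_factory=list)
    analyzer_queue: Deque[Packet] = field(default_factory=deque)
    seen: int = 0

    def process(self, pkt: Packet) -> None:
        self.destination.append(pkt)
        self.seen += 1
        if self.seen % self.rate == 0:
            self.analyzer_queue.append(pkt)

@dataclass
class Analyzer:
    """One 'analyzer X' of Fig. 7: symptom, the rule it installs, and its Fig. 6 priority."""
    name: str
    symptom: Predicate
    rule: Predicate
    priority: int = 0
    installed_at: Optional[int] = None  # tick at which rule X was installed
    discards_seen: int = 0              # filter counter at the previous check

class AnalyzerModule:
    def __init__(self, filt: FilterModule, analyzers: List[Analyzer], ttl: int):
        self.filt, self.analyzers, self.ttl = filt, analyzers, ttl

    def run_once(self, pkt: Packet, now: int) -> None:
        """Fig. 6: one pass per sampled packet, then re-sort by priority (block 645)."""
        for a in list(self.analyzers):
            self._step(a, pkt, now)
        self.analyzers.sort(key=lambda a: a.priority, reverse=True)  # stable: ties keep order

    def _step(self, a: Analyzer, pkt: Packet, now: int) -> None:
        """Fig. 7 for one analyzer X."""
        if a.installed_at is not None:                       # block 705: rule X is live
            discards = self.filt.discarded.get(a.name, 0)
            quiet = discards == a.discards_seen              # assumption: no new hits => attack abated
            a.discards_seen = discards
            if quiet or now - a.installed_at >= self.ttl:    # block 710: statistics or time threshold
                del self.filt.rules[a.name]                  # block 715
                a.installed_at = None
            return
        if a.symptom(pkt):                                   # block 720
            a.priority += 1                                  # block 722
            self.filt.rules[a.name] = a.rule                 # block 725
            a.installed_at = now
            a.discards_seen = self.filt.discarded.get(a.name, 0)
        else:
            a.priority -= 1                                  # block 735

def run_pipeline(packets, filt, sampler, analyzer) -> List[str]:
    """Push packets through the three modules; return the final analyzer order.
    The firewall drains the analyzer queue from a separate lower-priority thread;
    it is drained inline here so the run is deterministic."""
    for tick, pkt in enumerate(packets):
        kept = filt.process(pkt)
        if kept is not None:
            sampler.process(kept)
        while sampler.analyzer_queue:
            analyzer.run_once(sampler.analyzer_queue.popleft(), tick)
    return [a.name for a in analyzer.analyzers]

def is_syn(p: Packet) -> bool:
    return p["proto"] == "tcp" and p.get("flags") == {"SYN"}
def is_echo_request(p: Packet) -> bool:
    return p["proto"] == "icmp" and p.get("type") == 8

def demo():
    """Constructed traffic: 20 SYNs from spoofed sources, then 10 ordinary ACKs."""
    packets = [{"proto": "tcp", "src": f"203.0.113.{i}", "flags": {"SYN"}} for i in range(20)]
    packets += [{"proto": "tcp", "src": "198.51.100.9", "flags": {"ACK"}} for _ in range(10)]
    filt, sampler = FilterModule(), SamplingModule(rate=5)
    analyzer = AnalyzerModule(filt, [Analyzer("ping", is_echo_request, is_echo_request),
                                     Analyzer("syn", is_syn, is_syn)], ttl=50)
    return filt, sampler, analyzer, run_pipeline(packets, filt, sampler, analyzer)
```

In the constructed run the fifth SYN packet is sampled, the SYN analyzer installs its rule and moves ahead of the ping analyzer, the filter then discards the remaining fifteen SYNs without the sampler or the analyzer ever seeing them, and two sampled ACK packets later the unchanged discard counter lets the analyzer retire the rule. Because the analyzer sees only one packet in N, installing a rule from a single sampled packet, as block 720 does here, is a strong reaction; the per-symptom thresholds given in the symptom list that follows are what keep that reaction proportionate.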
Ping Floods: if the analyzer module 254 detects the symptom of a number of ICMP echo requests sent to a specific target (e.g., the application 152) that exceed a threshold, the analyzer module 254 creates a rule instructing the filter module 252 to discard all echo or ping requests directed to that target for a period of time. Although the ICMP protocol is described in this example, in other embodiments any echo request format may be used.
Broadcast Storms: A broadcast packet requests the target to send the same packet to multiple destinations. Some number of broadcast packets are normal in an active network. But, when sent in excessive amounts, networks can be overwhelmed in forwarding and processing these packets. If the analyzer module 254 detects the symptom of receiving a threshold number of broadcast packets in a period of time, the analyzer module creates a rule instructing the filter module 252 to discard all broadcast packets for a period of time.
Bogons: if the analyzer module 254 detects the symptom of receiving a packet with an invalid source address, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets originating from the invalid source address.
Invalid TCP flags: if the analyzer module 254 detects the symptom of receiving a packet with an invalid flag or flags in the packet header, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets with the invalid flag or flags. Although TCP flags are described, in other embodiments flags for any appropriate protocol may be used.
SYN (sequence) floods: The SYN flood attack sends TCP connection requests faster than the target destination, e.g., the application 152, can process them. The attacker creates a random source address for each packet. The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address. The victim destination responds to the spoofed IP address, then waits for confirmation that never arrives. The victim's connection table fills up waiting for replies. After the table fills up, all new connections are ignored. Legitimate users are ignored as well, and cannot access the server. Once the attacker stops flooding the server, the server usually goes back to a normal state, so that SYN floods rarely crash servers. The SYN flood attack can be used as part of other attacks, such as disabling one side of a connection in TCP hijacking, or by preventing authentication or logging between servers. If the analyzer module 254 detects the symptom of receiving a threshold number of packets within a time period that contain the SYN flag, the analyzer module 254 creates a rule instructing the filter module 252 to discard all packets with the SYN flag set for a period of time.
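The five symptoms above as concrete detectors over a constructed packet trace, as an added Python illustration that is not code from the patent or from IBM. Each detector produces the rule the text describes: a per-target rule for ping floods, a blanket rule for broadcast storms, a per-source rule for bogons, a per-combination rule for invalid TCP flags, and a blanket SYN rule that expires after a period. The thresholds, the one-second window, the rule lifetime, the abbreviated bogon prefix list, and the choice of flag combinations treated as invalid (NULL, SYN+FIN, SYN+RST, XMAS) are assumptions; the packet records are constructed dicts, not captured traffic.

```python
# Detectors for the five symptoms listed above, run over a constructed packet trace.
# Added illustration, not code from the patent or from IBM; thresholds, window,
# rule lifetime, bogon prefixes and "invalid" TCP flag sets are assumptions.
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]  # constructed: {"t": secs, "proto", "src", "dst", "flags": set, "type": int}

@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]  # True: the filter module discards the packet
    expires_at: Optional[float]      # None: stays until removed by other means

class WindowCounter:
    """Sliding-window event count per key, for 'N packets within T seconds'."""
    def __init__(self, window: float):
        self.window, self.events = window, defaultdict(deque)

    def add(self, key, t: float) -> int:
        q = self.events[key]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q)

# Assumption: an abbreviated bogon list. A deployment would load a maintained list
# (which also covers the RFC 5737 documentation prefixes this trace uses as stand-in
# public addresses) and would not apply RFC 1918 checks on an internal interface.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_bogon(src: str) -> bool:
    a = ipaddress.ip_address(src)
    return any(a in net for net in BOGON_PREFIXES)

# NULL, SYN+FIN, SYN+RST and XMAS combinations never occur in a legitimate handshake.
INVALID_TCP_FLAG_SETS = [frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}),
                         frozenset({"FIN", "PSH", "URG"})]

def tcp_flags(p: Packet) -> Optional[frozenset]:
    return frozenset(p.get("flags", ())) if p["proto"] == "tcp" else None

class SymptomAnalyzer:
    def __init__(self, window=1.0, ping_max=10, bcast_max=10, syn_max=10, rule_ttl=60.0):
        self.pings, self.bcasts, self.syns = (WindowCounter(window) for _ in range(3))
        self.ping_max, self.bcast_max, self.syn_max, self.rule_ttl = ping_max, bcast_max, syn_max, rule_ttl
        self.rules: Dict[str, Rule] = {}

    def _install(self, name, match, t, timed=True):
        self.rules.setdefault(name, Rule(name, match, t + self.rule_ttl if timed else None))

    def observe(self, p: Packet) -> None:
        t, src, dst = p["t"], p["src"], p["dst"]
        if is_bogon(src):                                        # Bogons: block that source
            self._install(f"bogon:{src}", lambda q, s=src: q["src"] == s, t, timed=False)
        if dst == "255.255.255.255" and self.bcasts.add("*", t) > self.bcast_max:   # Broadcast storm
            self._install("broadcast", lambda q: q["dst"] == "255.255.255.255", t)
        if p["proto"] == "icmp" and p.get("type") == 8 and self.pings.add(dst, t) > self.ping_max:  # Ping flood
            self._install(f"ping:{dst}", lambda q, d=dst: q["proto"] == "icmp" and q.get("type") == 8 and q["dst"] == d, t)
        flags = tcp_flags(p)                                     # None for non-TCP packets
        if flags in INVALID_TCP_FLAG_SETS:                       # Invalid TCP flags: block that combination
            self._install(f"flags:{'+'.join(sorted(flags)) or 'NULL'}", lambda q, f=flags: tcp_flags(q) == f, t, timed=False)
        if flags == {"SYN"} and self.syns.add("*", t) > self.syn_max:   # SYN flood: block all SYNs for a while
            self._install("syn", lambda q: tcp_flags(q) == {"SYN"}, t)

    def active_rules(self, t: float) -> List[str]:
        """Expire timed rules (the 'period of time' in the text) and list what remains."""
        self.rules = {n: r for n, r in self.rules.items() if r.expires_at is None or r.expires_at > t}
        return sorted(self.rules)

def constructed_trace() -> List[Packet]:
    """Constructed sample: a SYN flood, a ping flood at one host, a bogon-sourced
    datagram, a NULL-flag probe, and ordinary traffic that must not trigger anything."""
    tgt = "198.51.100.10"
    pkts = [{"t": i * 0.01, "proto": "tcp", "src": f"203.0.113.{i}", "dst": tgt, "flags": {"SYN"}} for i in range(30)]
    pkts += [{"t": 1 + i * 0.02, "proto": "icmp", "type": 8, "src": "192.0.2.5", "dst": tgt} for i in range(15)]
    pkts += [{"t": 2.0, "proto": "udp", "src": "127.0.0.1", "dst": tgt},
             {"t": 2.1, "proto": "tcp", "src": "192.0.2.9", "dst": tgt, "flags": set()},
             {"t": 2.2, "proto": "tcp", "src": "192.0.2.9", "dst": tgt, "flags": {"ACK"}},
             {"t": 2.3, "proto": "icmp", "type": 8, "src": "192.0.2.6", "dst": "198.51.100.11"}]
    return pkts

def demo() -> SymptomAnalyzer:
    an = SymptomAnalyzer()
    for p in constructed_trace():
        an.observe(p)
    return an
```

Two practical caveats that the rules inherit from the text: discarding every SYN for a period denies new legitimate connections as surely as the flood did, so a deployment would prefer per-source rate limiting or SYN cookies and keep the blanket rule as a last resort; and a per-source rule for a spoofed flood never converges, which is why the SYN rule above is blanket while the bogon rule is per source and is only meaningful on an Internet-facing interface.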
In the previous detailed description of exemplary embodiments of the invention, reference was made to the accompanying drawings (where like numbers represent like elements) , which form a part hereof, and in which is shown by way of illustration specific exemplary embodiments in which the invention may be practiced. These embodiments were described in sufficient detail to enable those skilled in the art to practice the invention, but other embodiments may be utilized, and logical, mechanical, electrical, and other changes may be made without departing from the scope of the present invention. Different instances of the word "embodiment" as used within this specification do not necessarily refer to the same embodiment, but they may. The previous detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.
In the description, numerous specific details were set forth to provide a thorough understanding of the invention. But, the invention may be practiced without these specific details. In other instances, well-known circuits, structures, and techniques have not been shown in detail in order not to obscure the invention.

Claims

1. A method comprising:
filtering packets based on a rule;
analyzing the filtered packets for a symptom; and
creating the rule based on the symptom, wherein the analyzing and the creating execute offline from the filtering.
2. The method of claim 1, further comprising:
sampling the filtered packets, wherein the sampling creates a subset of the filtered packets, and wherein the analyzing analyzes the subset.
3. The method of claim 1 or 2, wherein the symptom comprises:
receiving a threshold number of ping packets within a time period.
4. The method of claim 1 or 2, wherein the symptom comprises:
receiving a threshold number of broadcast packets within a time period.
5. The method of claim 1 or 2, wherein the symptom comprises:
receiving one of the packets with an invalid source address.
6. The method of claim 1 or 2, wherein the symptom comprises:
receiving one of the packets with an invalid header flag.
7. The method of claim 1 or 2, wherein the symptom comprises:
receiving a threshold number of the packets within a time period that contain a sequence flag.
8. An apparatus comprising: means for filtering packets based on at least one rule, wherein the means for filtering discards a first subset of the packets based on the rule and keeps a remaining subset of the packets;
means for creating a sample of the remaining subset;
a plurality of means for detecting whether each of a plurality of symptoms exists in the sample; and
means for determining the at least one rule based on the plurality of means for detecting, wherein the plurality of means for detecting and the means for determining execute in a different process from the means for filtering and the means for creating.
9. The apparatus of claim 8, further comprising:
means for copying the remaining subset to a destination.
10. The apparatus of claim 8 or 9, further comprising:
means for changing an order of execution of the plurality of means for detecting based on a frequency of the plurality of symptoms in the sample.
11. The apparatus of claim 8, 9 or 10, wherein the symptom comprises:
means for receiving a threshold number of ping packets within a time period.
12. The apparatus of claim 8, 9 or 10, wherein the symptom comprises:
means for receiving a threshold number of broadcast packets within a time period.
13. The apparatus of claim 8, 9 or 10, wherein the symptom comprises:
means for receiving one of the packets with an invalid source address.
14. The apparatus of claim 8, 9, or 10, wherein the symptom comprises:
means for receiving one of the packets with an invalid header flag.
15. The apparatus of claim 8,9 or 10, wherein the symptom comprises:
means for receiving a threshold number of the packets within a time period that contain a sequence flag.
16. The apparatus of claim 8, 9 or 10, wherein the different process has a lower priority than the means for filtering and the means for creating.
17. A computer program comprising program code means adapted to perform all the steps of claims 1 to 7 when said program is run on a computer.
18. A firewall comprising:
a plurality of analyzer modules, wherein the plurality of analyzer modules detect a plurality of respective symptoms in packets and create a plurality of respective rules based on the plurality of symptoms; and
a filter module that filters the packets based on the plurality of rules, wherein the plurality of analyzer modules execute offline from the filter module.
19. The firewall of claim 18, wherein the plurality of analyzer modules execute in an order and wherein one of the plurality of analyzer modules reprioritizes the order based on a presence or absence of one of the plurality of symptoms.
20. The firewall of claim 18 or 19, wherein a priority of the one analyzer module is increased if the one symptom is present, and wherein the order is based on the priority.
21. The firewall of claim 18 or 19, wherein a priority of the one analyzer module is decreased if the one symptom is absent, and wherein the order is based on the priority.
22. The firewall of claim 18, wherein one of the plurality of analyzer modules periodically removes the respective rule from the filter module.
23. The firewall of claim 18, further comprising:
a sampling module that samples the filtered packets, wherein the sampling creates a subset of the filtered packets, and wherein the analyzer module analyzes the subset.
Application PCT/EP2005/055096, priority date 2004-10-08, filing date 2005-10-07: Offline analysis of packets, WO2006037809A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
DE602005020045T DE602005020045D1 (en) 2004-10-08 2005-10-07 OFFLINE ANALYSIS OF PACKAGES
AT05801396T ATE461578T1 (en) 2004-10-08 2005-10-07 OFFLINE ANALYSIS OF PACKETS
CN2005800339787A CN101036369B (en) 2004-10-08 2005-10-07 Offline analysis of packets
EP05801396A EP1805963B1 (en) 2004-10-08 2005-10-07 Offline analysis of packets

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/961,736 US7490235B2 (en) 2004-10-08 2004-10-08 Offline analysis of packets
US10/961,736 2004-10-08

Publications (1)

Publication Number Publication Date
WO2006037809A1 true WO2006037809A1 (en) 2006-04-13

Family

ID=35510913

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/055096 WO2006037809A1 (en) 2004-10-08 2005-10-07 Offline analysis of packets

Country Status (6)

Country Link
US (2) US7490235B2 (en)
EP (1) EP1805963B1 (en)
CN (1) CN101036369B (en)
AT (1) ATE461578T1 (en)
DE (1) DE602005020045D1 (en)
WO (1) WO2006037809A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008070549A2 (en) * 2006-12-01 2008-06-12 Sonus Networks, Inc. Filtering and policing for defending against denial of service attacks a network
US7672336B2 (en) 2006-12-01 2010-03-02 Sonus Networks, Inc. Filtering and policing for defending against denial of service attacks on a network
WO2010074900A1 (en) * 2008-12-23 2010-07-01 Interdigital Patent Holdings, Inc. Unsolicited communication mitigation
US7804774B2 (en) 2006-12-01 2010-09-28 Sonus Networks, Inc. Scalable filtering and policing mechanism for protecting user traffic in a network
US7940657B2 (en) 2006-12-01 2011-05-10 Sonus Networks, Inc. Identifying attackers on a network

Families Citing this family (100)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7447795B2 (en) * 2001-04-11 2008-11-04 Chelsio Communications, Inc. Multi-purpose switching network interface controller
US7831745B1 (en) 2004-05-25 2010-11-09 Chelsio Communications, Inc. Scalable direct memory access using validation of host and scatter gather engine (SGE) generation indications
US20060184792A1 (en) * 2005-02-17 2006-08-17 Scalable Software Protecting computer systems from unwanted software
US8095982B1 (en) 2005-03-15 2012-01-10 Mu Dynamics, Inc. Analyzing the security of communication protocols and channels for a pass-through device
US8095983B2 (en) 2005-03-15 2012-01-10 Mu Dynamics, Inc. Platform for analyzing the security of communication protocols and channels
US20070097976A1 (en) * 2005-05-20 2007-05-03 Wood George D Suspect traffic redirection
US8028160B1 (en) * 2005-05-27 2011-09-27 Marvell International Ltd. Data link layer switch with protection against internet protocol spoofing attacks
US7793333B2 (en) * 2005-06-13 2010-09-07 International Business Machines Corporation Mobile authorization using policy based access control
US7826447B1 (en) * 2005-06-22 2010-11-02 Marvell International Ltd. Preventing denial-of-service attacks employing broadcast packets
JP2007006054A (en) * 2005-06-23 2007-01-11 Hitachi Ltd Packet repeater and packet repeating system
US7724658B1 (en) 2005-08-31 2010-05-25 Chelsio Communications, Inc. Protocol offload transmit traffic management
US7660306B1 (en) 2006-01-12 2010-02-09 Chelsio Communications, Inc. Virtualizing the operation of intelligent network interface circuitry
US7616563B1 (en) 2005-08-31 2009-11-10 Chelsio Communications, Inc. Method to implement an L4-L7 switch using split connections and an offloading NIC
US7715436B1 (en) 2005-11-18 2010-05-11 Chelsio Communications, Inc. Method for UDP transmit protocol offload processing with traffic management
US7660264B1 (en) 2005-12-19 2010-02-09 Chelsio Communications, Inc. Method for traffic schedulign in intelligent network interface circuitry
GB0518578D0 (en) * 2005-09-13 2005-10-19 Qinetiq Ltd Communications systems firewall
US7760733B1 (en) * 2005-10-13 2010-07-20 Chelsio Communications, Inc. Filtering ingress packets in network interface circuitry
US7743260B2 (en) * 2006-05-17 2010-06-22 Richard Fetik Firewall+storage apparatus, method and system
US20080022386A1 (en) * 2006-06-08 2008-01-24 Shevchenko Oleksiy Yu Security mechanism for server protection
EP1892886A1 (en) * 2006-08-23 2008-02-27 Nokia Siemens Networks Gmbh & Co. Kg Method for controlling load adaptation in a mobile communications system
US9172611B2 (en) * 2006-09-01 2015-10-27 Spirent Communications, Inc. System and method for discovering assets and functional relationships in a network
US8316447B2 (en) 2006-09-01 2012-11-20 Mu Dynamics, Inc. Reconfigurable message-delivery preconditions for delivering attacks to analyze the security of networked systems
US7958230B2 (en) 2008-09-19 2011-06-07 Mu Dynamics, Inc. Test driven deployment and monitoring of heterogeneous network systems
US9455953B2 (en) * 2006-10-11 2016-09-27 Lantiq Beteiligungs-GmbH & Co. KG Router chip and method of selectively blocking network traffic in a router chip
US8935406B1 (en) 2007-04-16 2015-01-13 Chelsio Communications, Inc. Network adaptor configured for connection establishment offload
US8589587B1 (en) 2007-05-11 2013-11-19 Chelsio Communications, Inc. Protocol offload in intelligent network adaptor, including application level signalling
US8060644B1 (en) 2007-05-11 2011-11-15 Chelsio Communications, Inc. Intelligent network adaptor with end-to-end flow control
US7826350B1 (en) 2007-05-11 2010-11-02 Chelsio Communications, Inc. Intelligent network adaptor with adaptive direct data placement scheme
US7831720B1 (en) 2007-05-17 2010-11-09 Chelsio Communications, Inc. Full offload of stateful connections, with partial connection offload
US7774637B1 (en) * 2007-09-05 2010-08-10 Mu Dynamics, Inc. Meta-instrumentation for security analysis
JP4946902B2 (en) * 2008-02-08 2012-06-06 富士通株式会社 COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL METHOD, COMMUNICATION CONTROL PROGRAM
JP4798278B2 (en) * 2009-09-17 2011-10-19 コニカミノルタビジネステクノロジーズ株式会社 Job processing system, image processing apparatus, program, and control method for image processing apparatus
CN102045251B (en) * 2009-10-20 2012-08-22 国基电子(上海)有限公司 Router and TCP (Transmission Control Protocol) port defense method
TWI397286B (en) * 2009-10-28 2013-05-21 Hon Hai Prec Ind Co Ltd Router and method for protecting tcp ports
TWI492090B (en) * 2010-01-15 2015-07-11 Chunghwa Telecom Co Ltd System and method for guarding against dispersive blocking attacks
US8621627B1 (en) 2010-02-12 2013-12-31 Chelsio Communications, Inc. Intrusion detection and prevention processing within network interface circuitry
US8463860B1 (en) 2010-05-05 2013-06-11 Spirent Communications, Inc. Scenario based scale testing
US8547974B1 (en) 2010-05-05 2013-10-01 Mu Dynamics Generating communication protocol test cases based on network traffic
US9106514B1 (en) 2010-12-30 2015-08-11 Spirent Communications, Inc. Hybrid network software provision
US8464219B1 (en) 2011-04-27 2013-06-11 Spirent Communications, Inc. Scalable control system for test execution and monitoring utilizing multiple processors
JP2013070325A (en) * 2011-09-26 2013-04-18 Nec Corp Communication system, communication apparatus, server, and communication method
US9215184B2 (en) * 2011-10-17 2015-12-15 Hewlett-Packard Development Company, L.P. Methods of and apparatus for managing non-congestion-controlled message traffic in a datacenter
US8972543B1 (en) 2012-04-11 2015-03-03 Spirent Communications, Inc. Managing clients utilizing reverse transactions
US8938804B2 (en) * 2012-07-12 2015-01-20 Telcordia Technologies, Inc. System and method for creating BGP route-based network traffic profiles to detect spoofed traffic
US9628499B1 (en) 2012-08-08 2017-04-18 Google Inc. Statistics-based anomaly detection
US9565213B2 (en) 2012-10-22 2017-02-07 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US9137205B2 (en) 2012-10-22 2015-09-15 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US9203806B2 (en) 2013-01-11 2015-12-01 Centripetal Networks, Inc. Rule swapping in a packet network
US9286047B1 (en) 2013-02-13 2016-03-15 Cisco Technology, Inc. Deployment and upgrade of network devices in a network environment
US9124552B2 (en) 2013-03-12 2015-09-01 Centripetal Networks, Inc. Filtering network data transfers
US9614742B1 (en) 2013-03-14 2017-04-04 Google Inc. Anomaly detection in time series data
US9094445B2 (en) 2013-03-15 2015-07-28 Centripetal Networks, Inc. Protecting networks from cyber attacks and overloading
US10897426B2 (en) * 2013-09-30 2021-01-19 Mitsubishi Electric Corporation Reception apparatus and communication apparatus
US9692674B1 (en) * 2013-12-30 2017-06-27 Google Inc. Non-parametric change point detection
US9619157B2 (en) * 2014-04-03 2017-04-11 Analysis Solution Llc High-speed data storage
US9450916B2 (en) * 2014-08-22 2016-09-20 Honeywell International Inc. Hardware assist for redundant ethernet network
US9264370B1 (en) 2015-02-10 2016-02-16 Centripetal Networks, Inc. Correlating packets in communications networks
US9866576B2 (en) 2015-04-17 2018-01-09 Centripetal Networks, Inc. Rule-based network-threat detection
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
US9800497B2 (en) 2015-05-27 2017-10-24 Cisco Technology, Inc. Operations, administration and management (OAM) in overlay data center environments
US9967158B2 (en) 2015-06-05 2018-05-08 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
US10089099B2 (en) 2015-06-05 2018-10-02 Cisco Technology, Inc. Automatic software upgrade
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US10033766B2 (en) 2015-06-05 2018-07-24 Cisco Technology, Inc. Policy-driven compliance
US9917856B2 (en) 2015-12-23 2018-03-13 Centripetal Networks, Inc. Rule-based network-threat detection for encrypted communications
US11729144B2 (en) 2016-01-04 2023-08-15 Centripetal Networks, Llc Efficient packet capture for cyber threat analysis
US10171357B2 (en) 2016-05-27 2019-01-01 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10931629B2 (en) 2016-05-27 2021-02-23 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
CN106804045B (en) * 2016-12-30 2020-03-03 Oppo广东移动通信有限公司 Forwarding control method of broadcast message and access equipment
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10250446B2 (en) 2017-03-27 2019-04-02 Cisco Technology, Inc. Distributed policy store
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US10503899B2 (en) 2017-07-10 2019-12-10 Centripetal Networks, Inc. Cyberanalysis workflow acceleration
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
US10284526B2 (en) 2017-07-24 2019-05-07 Centripetal Networks, Inc. Efficient SSL/TLS proxy
US11233777B2 (en) 2017-07-24 2022-01-25 Centripetal Networks, Inc. Efficient SSL/TLS proxy
US10554678B2 (en) 2017-07-26 2020-02-04 Cisco Technology, Inc. Malicious content detection with retrospective reporting
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
US11765046B1 (en) 2018-01-11 2023-09-19 Cisco Technology, Inc. Endpoint cluster assignment and query generation
US10873593B2 (en) 2018-01-25 2020-12-22 Cisco Technology, Inc. Mechanism for identifying differences between network snapshots
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10917438B2 (en) 2018-01-25 2021-02-09 Cisco Technology, Inc. Secure publishing for policy updates
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry
WO2019211653A1 (en) * 2018-05-04 2019-11-07 Pratik Sharma Session based packet sniffer
US10333898B1 (en) 2018-07-09 2019-06-25 Centripetal Networks, Inc. Methods and systems for efficient network protection
US11362996B2 (en) 2020-10-27 2022-06-14 Centripetal Networks, Inc. Methods and systems for efficient adaptive logging of cyber threat incidents
US11159546B1 (en) 2021-04-20 2021-10-26 Centripetal Networks, Inc. Methods and systems for efficient threat context-aware packet filtering for network protection

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182580A1 (en) 2001-05-04 2003-09-25 Lee Jai-Hyoung Network traffic flow control system
WO2003094418A1 (en) 2002-04-30 2003-11-13 Intelliguard I.T. Pty Ltd A.C.N. 098 700 344 A packet filtering system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1232922C (en) * 2002-02-20 2005-12-21 华北计算机系统工程研究所 Method for improving fire wall performance
CN100490438C (en) * 2002-02-22 2009-05-20 联想(北京)有限公司 Method for fire wall package filtering dynamic switch H.323 protocol communication channel

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008070549A2 (en) * 2006-12-01 2008-06-12 Sonus Networks, Inc. Filtering and policing for defending against denial of service attacks a network
WO2008070549A3 (en) * 2006-12-01 2009-02-12 Sonus Networks Inc Filtering and policing for defending against denial of service attacks a network
US7672336B2 (en) 2006-12-01 2010-03-02 Sonus Networks, Inc. Filtering and policing for defending against denial of service attacks on a network
US7804774B2 (en) 2006-12-01 2010-09-28 Sonus Networks, Inc. Scalable filtering and policing mechanism for protecting user traffic in a network
US7940657B2 (en) 2006-12-01 2011-05-10 Sonus Networks, Inc. Identifying attackers on a network
WO2010074900A1 (en) * 2008-12-23 2010-07-01 Interdigital Patent Holdings, Inc. Unsolicited communication mitigation

Also Published As

Publication number Publication date
EP1805963A1 (en) 2007-07-11
CN101036369A (en) 2007-09-12
ATE461578T1 (en) 2010-04-15
US7490235B2 (en) 2009-02-10
DE602005020045D1 (en) 2010-04-29
US20060080733A1 (en) 2006-04-13
US7805604B2 (en) 2010-09-28
CN101036369B (en) 2011-02-23
EP1805963B1 (en) 2010-03-17
US20090125714A1 (en) 2009-05-14

Similar Documents

Publication Publication Date Title
US7490235B2 (en) Offline analysis of packets
JP6086968B2 (en) System and method for local protection against malicious software
EP2413559B1 (en) Real-time network monitoring and security
US8291498B1 (en) Computer virus detection and response in a wide area network
US7457965B2 (en) Unauthorized access blocking apparatus, method, program and system
JP4764930B2 (en) Behavior-based traffic identification (BTD) for distributed denial of service (DDoS) attack protection
EP2158740B1 (en) Processing packet flows
US7796515B2 (en) Propagation of viruses through an information technology network
US7830898B2 (en) Method and apparatus for inter-layer binding inspection
WO2006098900A2 (en) Method and apparatus for securing a computer network
JP2009534001A (en) Malicious attack detection system and related use method
US20070289014A1 (en) Network security device and method for processing packet data using the same
US7761915B2 (en) Terminal and related computer-implemented method for detecting malicious data for computer network
US10171492B2 (en) Denial-of-service (DoS) mitigation based on health of protected network device
US9143524B2 (en) Propagation of malicious code through an information technology network
US7856573B2 (en) WPAR halted attack introspection stack execution detection
US7568231B1 (en) Integrated firewall/virus scanner system, method, and computer program product
US20110173675A9 (en) Propagation of malicious code through an information technology network
Paul et al. SYN FLOODING ATTACK PREVENTION USING A NOVEL APPROACH: HRTE ALGORITHM AND COMPARATIVE ANALYSIS WITH OPTIMIZING ALGORITHM
Shafiq et al. Detection and prevention of distributed denial of services attacks by collaborative effort of software agents, first prototype implementation
Abouzakhar et al. Counteracting network distributed attacks: an intelligent approach to minimise the TCP/IP protocol threats using agents technology
Zheng et al. Active Technologies to Contain Internet Worm

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 200580033978.7

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2005801396

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2005801396

Country of ref document: EP