WO2006031496A3 - Method and apparatus for deep packet inspection - Google Patents

Info

Publication number: WO2006031496A3
Authority: WO
Grant status: Application
Patent type:
Prior art keywords: plurality, pattern, data, packet inspection, deep packet
Prior art date:
Application number: PCT/US2005/031644
Other languages: French (fr)
Other versions: WO2006031496A2 (en)
Inventors: Young H Cho, William Mangione-Smith
Original assignees: Young H Cho, William Mangione-Smith, Univ California
Priority date: 2004-09-10 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2005-09-07
Publication date: 2006-08-24

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

A system and method are provided for detecting malicious data, for example viruses, in a computer network (2). More specifically, the system and method use filters to detect pre-identified patterns (threat signatures) in a data stream. In one embodiment, a deep packet inspection system detects a plurality of malicious programs in a data packet received from a network, where each malicious program has a unique pattern made up of a plurality of segments. The system includes a plurality of pattern detection modules configured to receive one or more data packets in parallel, each pattern detection module having an output, and one or more long pattern state machines coupled to the outputs of the pattern detection modules. The deep packet inspection system is configured to detect a pattern of any length at any location within a data packet.
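Added example, not code from the patent or from the inventors: a Python model of the segmented matching the abstract describes. Each signature is cut into fixed-width segments; one segment detector per byte alignment stands in for the parallel pattern detection modules, and a per-signature long pattern state machine accepts a segment only when it arrives exactly one segment width after the previous one, so a signature of any length is found at any byte offset. The segment width, the class and function names, and the signatures and packet bytes are assumptions constructed for the example.

```python
"""Software model of segmented long-pattern matching (constructed illustration).

Assumptions, not identifiers from the patent: the segment width SEG, every
class and function name below, and the sample signatures and packet bytes.
"""
from dataclasses import dataclass, field

SEG = 4  # segment width in bytes (assumption for the example)


@dataclass
class Signature:
    name: str
    pattern: bytes
    segments: list = field(init=False)

    def __post_init__(self):
        # Cut the signature into SEG-byte segments; the last one may be shorter.
        self.segments = [self.pattern[i:i + SEG]
                         for i in range(0, len(self.pattern), SEG)]


def build_segment_table(signatures):
    """Map segment bytes -> [(signature index, segment index)], plus the set of
    segment lengths present (SEG, and any shorter tail segment)."""
    table, lengths = {}, set()
    for si, sig in enumerate(signatures):
        for ki, seg in enumerate(sig.segments):
            table.setdefault(seg, []).append((si, ki))
            lengths.add(len(seg))
    return table, lengths


def segment_detector(packet, table, lengths, offset):
    """One pattern detection module: inspects every SEG-spaced window that
    starts at byte `offset` and reports (position, signature, segment) hits."""
    reports = []
    for pos in range(offset, len(packet), SEG):
        for length in lengths:
            window = packet[pos:pos + length]
            if len(window) == length:           # ignore truncated windows at the end
                for si, ki in table.get(window, ()):
                    reports.append((pos, si, ki))
    return reports


def run_detectors(packet, table, lengths):
    """SEG detectors, one per byte alignment, cover every start offset; they run
    concurrently in hardware and sequentially here. Reports are merged in
    position order, which the state machines rely on."""
    reports = []
    for offset in range(SEG):
        reports.extend(segment_detector(packet, table, lengths, offset))
    return sorted(reports)


class LongPatternStateMachine:
    """Chains segment hits of one signature. A candidate match advances only when
    the next expected segment is reported exactly SEG bytes after the previous
    one; a candidate whose expected position passes without a hit is dropped."""

    def __init__(self, sig):
        self.n = len(sig.segments)
        self.active = []     # (next segment index, position where it must start)
        self.matches = []    # start offsets of complete matches

    def feed(self, pos, seg_idx):
        if seg_idx == 0:
            self.active.append((0, pos))   # every first-segment hit opens a candidate
        still = []
        for next_idx, exp_pos in self.active:
            if pos > exp_pos:
                continue                   # missed its segment: drop
            if pos == exp_pos and seg_idx == next_idx:
                if next_idx + 1 == self.n:
                    self.matches.append(pos - next_idx * SEG)  # whole pattern seen
                else:
                    still.append((next_idx + 1, pos + SEG))
            else:
                still.append((next_idx, exp_pos))
        self.active = still


def detect(signatures, packet):
    """Return {signature name: sorted start offsets of every occurrence}."""
    table, lengths = build_segment_table(signatures)
    machines = [LongPatternStateMachine(s) for s in signatures]
    for pos, si, ki in run_detectors(packet, table, lengths):
        machines[si].feed(pos, ki)
    return {s.name: sorted(m.matches) for s, m in zip(signatures, machines)}


if __name__ == "__main__":
    # Constructed sample input: three signatures, one packet carrying two of them
    # at offsets that are not multiples of SEG.
    sigs = [Signature("worm", b"EVIL-WORM-SIG"),
            Signature("probe", b"HACK"),
            Signature("absent", b"XYZ")]
    pkt = b"\x00\x01payload EVIL-WORM-SIG junk HACK end"
    print(detect(sigs, pkt))        # {'worm': [10], 'probe': [29], 'absent': []}
```

Like the abstract, the model looks inside one packet: a signature split across two packets is not found, so a real deployment needs stream reassembly ahead of the matcher. Overlapping occurrences are handled because every first-segment hit opens its own candidate, so a repeated signature (for example eight A's inside twelve) is reported at each start offset.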

Priority Applications (4)

Application Number Priority Date Filing Date Title
US60/608,732 2004-09-10 2004-09-10
US60/668,029 2005-04-04 2005-04-04

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11574878 US20080189784A1 (en) 2004-09-10 2005-09-07 Method and Apparatus for Deep Packet Inspection

Publications (2)

Publication Number Publication Date
WO2006031496A2 (en) 2006-03-23
WO2006031496A3 (en) 2006-08-24

Family

Family ID: 36060522

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2005/031644 WO2006031496A3 (en) 2004-09-10 2005-09-07 Method and apparatus for deep packet inspection

Country Status (2)

Country Link
US (1) US20080189784A1 (en)
WO (1) WO2006031496A3 (en)

Families Citing this family (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007100916A3 (en) 2006-02-28 2008-04-24 Univ Columbia Systems, methods, and media for outputting a dataset based upon anomaly detection
GB2432933B (en) * 2006-03-14 2008-07-09 Streamshield Networks Ltd A method and apparatus for providing network security
GB2432934B (en) * 2006-03-14 2007-12-19 Streamshield Networks Ltd A method and apparatus for providing network security
EP2008188B1 (en) * 2006-03-24 2017-05-31 AVG Netherlands B.V. Software vulnerability exploitation shield
WO2007117585A3 (en) * 2006-04-06 2008-05-15 Smobile Systems Inc System and method for managing malware protection on mobile devices
US8789172B2 (en) 2006-09-18 2014-07-22 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for detecting attack on a digital processing device
US20080155264A1 (en) * 2006-12-20 2008-06-26 Ross Brown Anti-virus signature footprint
US8505092B2 (en) 2007-01-05 2013-08-06 Trend Micro Incorporated Dynamic provisioning of protection software in a host intrusion prevention system
US7930747B2 (en) * 2007-01-08 2011-04-19 Trend Micro Incorporated Host intrusion prevention server
GB0710620D0 (en) * 2007-06-04 2007-07-11 Agilent Technologies Inc Monitoring apparatus and method therefor
US8055599B1 (en) * 2007-07-13 2011-11-08 Werth Larry J Pattern recognition using cycles or traces in an associative pattern memory (APM), vertical sensors, amplitude sampling, adjacent hashes and fuzzy hashes
US8099401B1 (en) * 2007-07-18 2012-01-17 Emc Corporation Efficiently indexing and searching similar data
US9270641B1 (en) * 2007-07-31 2016-02-23 Hewlett Packard Enterprise Development Lp Methods and systems for using keywords preprocessing, Boyer-Moore analysis, and hybrids thereof, for processing regular expressions in intrusion-prevention systems
US7895463B2 (en) 2007-08-28 2011-02-22 Cisco Technology, Inc. Redundant application network appliances using a low latency lossless interconnect link
US7996896B2 (en) 2007-10-19 2011-08-09 Trend Micro Incorporated System for regulating host security configuration
JP4905395B2 (en) * 2008-03-21 2012-03-28 富士通株式会社 Communication monitoring device, a communication monitoring program, and a communication monitoring method
US8677453B2 (en) 2008-05-19 2014-03-18 Cisco Technology, Inc. Highly parallel evaluation of XACML policies
US8094560B2 (en) 2008-05-19 2012-01-10 Cisco Technology, Inc. Multi-stage multi-core processing of network packets
US8667556B2 (en) 2008-05-19 2014-03-04 Cisco Technology, Inc. Method and apparatus for building and managing policies
CN101364895B (en) 2008-09-24 2011-05-04 上海大学 High performance wideband Internet behavior real-time analysis and management system
US8230510B1 (en) * 2008-10-02 2012-07-24 Trend Micro Incorporated Scanning computer data for malicious codes using a remote server computer
US8103764B2 (en) 2008-10-14 2012-01-24 CacheIQ, Inc. Method and apparatus for matching trigger pattern
US8769257B2 (en) * 2008-12-23 2014-07-01 Intel Corporation Method and apparatus for extending transport layer security protocol for power-efficient wireless security processing
US8051167B2 (en) * 2009-02-13 2011-11-01 Alcatel Lucent Optimized mirror for content identification
US20100254225A1 (en) * 2009-04-03 2010-10-07 Schweitzer Iii Edmund O Fault tolerant time synchronization
US8068431B2 (en) * 2009-07-17 2011-11-29 Satyam Computer Services Limited System and method for deep packet inspection
US8867345B2 (en) * 2009-09-18 2014-10-21 Schweitzer Engineering Laboratories, Inc. Intelligent electronic device with segregated real-time ethernet
US9342709B2 (en) 2010-10-27 2016-05-17 Hewlett-Packard Enterprise Development LP Pattern detection
KR20120066408A (en) * 2010-12-14 2012-06-22 한국전자통신연구원 Apparatus for high speed contents inspection to minimize system overhead
US8812256B2 (en) 2011-01-12 2014-08-19 Schweitzer Engineering Laboratories, Inc. System and apparatus for measuring the accuracy of a backup time source
US9398033B2 (en) 2011-02-25 2016-07-19 Cavium, Inc. Regular expression processing automaton
WO2013032473A1 (en) * 2011-08-31 2013-03-07 Hewlett-Packard Development Company, L.P. Tiered deep packet inspection in network devices
US9203805B2 (en) 2011-11-23 2015-12-01 Cavium, Inc. Reverse NFA generation and processing
KR101308086B1 (en) 2012-01-27 2013-09-12 주식회사 시큐아이 Method and apparatus for performing improved deep packet inspection
CN103248609A (en) * 2012-02-06 2013-08-14 同方股份有限公司 System, device and method for detecting data from end to end
US9356844B2 (en) 2012-05-03 2016-05-31 Intel Corporation Efficient application recognition in network traffic
US9154461B2 (en) 2012-05-16 2015-10-06 The Keyw Corporation Packet capture deep packet inspection sensor
KR101558054B1 (en) * 2012-11-19 2015-10-06 삼성에스디에스 주식회사 Anti-malware system and packet processing method in same
US9300591B2 (en) 2013-01-28 2016-03-29 Schweitzer Engineering Laboratories, Inc. Network device
US9270109B2 (en) 2013-03-15 2016-02-23 Schweitzer Engineering Laboratories, Inc. Exchange of messages between devices in an electrical power system
US9620955B2 (en) 2013-03-15 2017-04-11 Schweitzer Engineering Laboratories, Inc. Systems and methods for communicating data state change information between devices in an electrical power system
US9065763B2 (en) 2013-03-15 2015-06-23 Schweitzer Engineering Laboratories, Inc. Transmission of data over a low-bandwidth communication channel
US9426166B2 (en) 2013-08-30 2016-08-23 Cavium, Inc. Method and apparatus for processing finite automata
US9507563B2 (en) 2013-08-30 2016-11-29 Cavium, Inc. System and method to traverse a non-deterministic finite automata (NFA) graph generated for regular expression patterns with advanced features
US9426165B2 (en) 2013-08-30 2016-08-23 Cavium, Inc. Method and apparatus for compilation of finite automata
US9398117B2 (en) 2013-09-26 2016-07-19 Netapp, Inc. Protocol data unit interface
US9419943B2 (en) 2013-12-30 2016-08-16 Cavium, Inc. Method and apparatus for processing of finite automata
US9602532B2 (en) 2014-01-31 2017-03-21 Cavium, Inc. Method and apparatus for optimizing finite automata processing
US9904630B2 (en) * 2014-01-31 2018-02-27 Cavium, Inc. Finite automata processing based on a top of stack (TOS) memory
US10002326B2 (en) 2014-04-14 2018-06-19 Cavium, Inc. Compilation of finite automata based on memory hierarchy
US9438561B2 (en) 2014-04-14 2016-09-06 Cavium, Inc. Processing of finite automata based on a node cache
US9680797B2 (en) 2014-05-28 2017-06-13 Oracle International Corporation Deep packet inspection (DPI) of network packets for keywords of a vocabulary
US20160028746A1 (en) * 2014-07-22 2016-01-28 Verisign, Inc. Malicious code detection
US10009372B2 (en) * 2014-07-23 2018-06-26 Petabi, Inc. Method for compressing matching automata through common prefixes in regular expressions
US10049210B2 (en) * 2015-05-05 2018-08-14 Leviathan Security Group, Inc. System and method for detection of omnientrant code segments to identify potential malicious code
US9967135B2 (en) 2016-03-29 2018-05-08 Schweitzer Engineering Laboratories, Inc. Communication link monitoring and failover

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030014662A1 (en) * 2001-06-13 2003-01-16 Gupta Ramesh M. Protocol-parsing state machine and method of using same
US20030033531A1 (en) * 2001-07-17 2003-02-13 Hanner Brian D. System and method for string filtering
US20030154399A1 (en) * 2002-02-08 2003-08-14 Nir Zuk Multi-method gateway-based network security systems and methods
US20030229780A1 (en) * 2002-03-22 2003-12-11 Re Src Limited Multiconfiguable device masking shunt and method of use
US20040064737A1 (en) * 2000-06-19 2004-04-01 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6715094B2 (en) * 2000-12-20 2004-03-30 Intel Corporation Mult-mode I/O interface for synchronizing selected control patterns into control clock domain to obtain interface control signals to be transmitted to I/O buffers
US20020176378A1 (en) * 2001-05-22 2002-11-28 Hamilton Thomas E. Platform and method for providing wireless data services
US7133409B1 (en) * 2001-07-19 2006-11-07 Richard Willardson Programmable packet filtering in a prioritized chain
US7116663B2 (en) * 2001-07-20 2006-10-03 Pmc-Sierra Ltd. Multi-field classification using enhanced masked matching
US6980992B1 (en) * 2001-07-26 2005-12-27 Mcafee, Inc. Tree pattern system and method for multiple virus signature recognition
US20040059943A1 (en) * 2002-09-23 2004-03-25 Bertrand Marquet Embedded filtering policy manager using system-on-chip
US7584303B2 (en) * 2002-12-20 2009-09-01 Forte 10 Networks, Inc. Lossless, stateful, real-time pattern matching with deterministic memory resources
US7085918B2 (en) * 2003-01-09 2006-08-01 Cisco Systems, Inc. Methods and apparatuses for evaluation of regular expressions of arbitrary size
US7409526B1 (en) * 2003-10-28 2008-08-05 Cisco Technology, Inc. Partial key hashing memory

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040064737A1 (en) * 2000-06-19 2004-04-01 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US20030014662A1 (en) * 2001-06-13 2003-01-16 Gupta Ramesh M. Protocol-parsing state machine and method of using same
US20030033531A1 (en) * 2001-07-17 2003-02-13 Hanner Brian D. System and method for string filtering
US20030154399A1 (en) * 2002-02-08 2003-08-14 Nir Zuk Multi-method gateway-based network security systems and methods
US20030229780A1 (en) * 2002-03-22 2003-12-11 Re Src Limited Multiconfiguable device masking shunt and method of use

Also Published As

Publication number Publication date Type
WO2006031496A2 (en) 2006-03-23 application
US20080189784A1 (en) 2008-08-07 application

Similar Documents

Publication Publication Date Title
US20120096539A1 (en) Wireless intrusion prevention system and method
US7712134B1 (en) Method and apparatus for worm detection and containment in the internet core
US20130160122A1 (en) Two-stage intrusion detection system for high-speed packet processing using network processor and method thereof
US20080313734A1 (en) DISTRIBUTED SYSTEM AND METHOD FOR THE DETECTION OF eTHREATS
US20100031093A1 (en) Internal tracing method for network attack detection
WO2002023805A3 (en) Monitoring network activity
JP2009037545A (en) Malware resemblance inspection method and device
Sheng et al. MAP: A scalable monitoring system for dependable 802.11 wireless networks
Madhusudan et al. Design of a system for real-time worm detection
JP2005210601A (en) Intrusion detector
JP2012034273A (en) Unauthorized communication detecting system
CN101321171A (en) Method and apparatus for detecting distributed refusal service attack
US20110185418A1 (en) Digital filter correlation engine
KR20110108491A (en) System for detecting malicious script and method for detecting malicious script using the same
US20140075536A1 (en) Detection of infected network devices via analysis of responseless outgoing network traffic
Bulajoul et al. Network intrusion detection systems in high-speed traffic in computer networks
Zhou et al. Modeling and analysis of active benign worms and hybrid benign worms containing the spread of worms
JP2008083751A (en) Network system coping with unauthorized access
CN101848092A (en) Malicious code detection method and device
CN104123496A (en) Rogue software interception method, device and terminal
JP2007157059A (en) Proactive illicit program detection method, detection device and computer program
WO2001099373A3 (en) System and method for security policy
Barbhuiya et al. A host based DES approach for detecting ARP spoofing
Cheng et al. Implementing IDS management on lock-keeper
WO2008084729A1 (en) Application linking virus and dns attacking sender detecting device, its method, and program

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

WWE Wipo information: entry into national phase

Ref document number: 11574878

Country of ref document: US

NENP Non-entry into the national phase in:

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase

Ref document number: 05814991

Country of ref document: EP

Kind code of ref document: A2