WO2010057748A2 - Network intrusion protection - Google Patents

Network intrusion protection

Info

Publication number
WO2010057748A2
Authority
WO
WIPO (PCT)
Prior art keywords
received packet
packet
intrusion
flow
analyzing
Prior art date
Application number
PCT/EP2009/064195
Other languages
English (en)
Other versions
WO2010057748A3 (fr)
Inventor
Hubertus Franke
Hao Yu
Terry Lee Nelms Ii
David Allen Dennerline
David Paul Lapotin
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited
Priority to CN200980145011.6A (CN102210133B)
Priority to EP09748751.6A (EP2289221B1)
Publication of WO2010057748A2
Publication of WO2010057748A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/54 Store-and-forward switching systems
    • H04L12/56 Packet switching systems
    • H04L12/5601 Transfer mode dependent, e.g. ATM
    • H04L2012/5603 Access techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0254 Stateful filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • the invention relates generally to network security, and more specifically to an intrusion protection system which monitors incoming packets and flows in a computer network.
  • IPS Intrusion Prevention System
  • the Internet Security System PAM™ intrusion analysis engine can be interposed between network segments.
  • the IPS can be installed in a firewall or gateway of a computer network.
  • the IPS can analyze incoming message packets for intrusions, such as viruses and worms ("malware"), attempted exploitation of vulnerabilities such as buffer overflows, violations of network policy, and/or denial of service attacks. If the IPS detects an intrusion in a packet, the IPS can automatically block/drop the packet, block the flow associated with the packet, and/or notify an administrator.
  • the administrator can further analyze the notification details, and if he or she determines that the notification is associated with an intrusion, may change the configuration of a firewall to block the intruder, report the event to the authorities, gather forensic evidence, clean any compromised hosts, and/or contact the administrator of the network that was the source of the attack.
  • the IPS can either drop or pass the excess packets which it cannot process. If the packet is not malicious but is dropped (without analysis) due to the overload, this may represent a loss of important data, request or other communication. If the packet is malicious but is allowed to pass through the IPS (without analysis) due to overload, this may harm a device on the destination network. To mitigate the risk, there may be a firewall between the IPS and the destination network that will block some potentially malicious packets.
  • the firewall will block the packet if the packet does not match a permitted flow, i.e., combination of source IP address, source port, destination IP address, destination port and protocol, but may not analyze the packet for viruses or worms or detect an attempted exploitation of vulnerabilities or denial of service attack.
  • permitted flow: a combination of source IP address, source port, destination IP address, destination port and protocol
  • Embodiments of the invention provide improved techniques for use in a network intrusion prevention system or the like.
  • a method comprises the following steps performed by a computing element of a network.
  • a packet of a flow is received, the flow comprising a plurality of packets, wherein the plurality of packets represents data in the network.
  • a network intrusion analysis cost-benefit value is determined representing a benefit for analyzing the received packet for intrusions in relation to a cost for analyzing the received packet for intrusions.
  • the method compares the network intrusion analysis cost-benefit value to a network intrusion analysis cost-benefit threshold to determine whether analyzing the received packet for intrusions before forwarding said received packet is warranted.
  • Responsive to a determination that analyzing the received packet for intrusions before forwarding the received packet is not warranted, the received packet is forwarded, an indication is made that subsequent packets of the flow should be forwarded, and a determination is made whether the received packet indicates an intrusion after forwarding the received packet.
  • a determination may be made as to whether the received packet indicates an intrusion and, responsive to a determination that the received packet does not indicate an intrusion, the received packet may be forwarded. Still further, responsive to a determination that the received packet indicates an intrusion, the received packet may be discarded and an indication may be made that subsequent packets of the flow should be discarded.
  • FIG. 1 illustrates a distributed computer system including an intrusion prevention system in which embodiments of the present invention may be implemented
  • FIG. 2 illustrates an intrusion prevention management methodology for use by the intrusion prevention management function in FIG. 1;
  • FIG. 3 illustrates an intrusion prevention management methodology with a catch-up mode for use by the intrusion prevention management function in FIG. 1;
  • FIG. 4 illustrates an exemplary flow object suitable for use with an illustrative embodiment of the invention.
  • In Section I we will describe illustrative embodiments of an IPS as disclosed in related U.S. patent application identified as Serial No. 11/759,427. We will then, in Section II, describe alternate illustrative embodiments that address other issues that can arise with respect to an IPS.
  • FIG. 1 illustrates a distributed computer system (network) generally designated 100 in which principles of the invention are incorporated.
  • a source computer 120 includes a central processing unit (CPU) 121, operating system (O/S) 122, random access memory (RAM) 123 and read only memory (ROM) 124 on a bus 125, a storage 126 and TCP/IP adapter card 128 for Internet 130.
  • Source computer 120 also includes an application 127 which generates data, requests or other messages addressed to a destination subnet 170 or destination computer 160.
  • Source computer 120 is coupled to subnet 170 via an untrusted network 130 (such as the Internet) and an intrusion prevention system (“IPS”) 140, according to principles of the invention.
  • IPS 140 can reside in a computing element of the network such as a firewall or gateway device for subnet 170 or reside in a computing element of the network interconnected "in-line" between the network 130 and a router 150 for a subnet 170 as shown in FIG. 1.
  • Destination computer 160 includes a CPU 161, operating system 162, RAM 163 and ROM 164 on a bus 165, a storage unit 166 and a TCP/IP adapter card 168.
  • Destination computer 160 also includes an application 167 which processes data, requests or other messages sent by source computer 120 (and other source devices not shown).
  • IPS 140 includes a CPU 141, operating system 142, RAM 143 and ROM 144 on a bus 145 and a storage unit 146.
  • embodiments of the invention may be implemented in one or more computers, such as source computer 120, IPS 140 and/or destination computer 160, in conjunction with a computer-readable storage medium or other computer program product.
  • An application program (e.g., application 127, program 147, intrusion analysis engine 152 or application 167), or software components thereof including instructions or code for performing the methodologies of the invention, as described herein, may be stored on one or more associated storage devices (e.g., ROM 124, 144 or 164 and/or storage units 126, 146 or 166) and, when ready to be utilized, loaded in whole or in part into one or more processors (e.g., CPUs 121, 141 or 161).
  • Source computer 120 also includes an intrusion analysis engine 152 (implemented in software and/or hardware) which analyzes incoming packets to detect and block intrusions such as viruses, worms, or other packets which attempt to exploit a vulnerability in the destination computer or cause denial of service attacks.
  • Intrusion analysis engine 152 can also block messages with unwanted content such as pornography and/or spam.
  • a known SNORT™ intrusion analysis engine detects intrusions in packets based on signatures or other patterns of bits in each packet.
  • a known Internet Security System PAM™ intrusion analysis engine detects intrusions in packets based on signatures and patterns, vulnerable host simulation, known malicious behavior, traffic anomalies, protocol anomalies and other types of exploits. The PAM™ intrusion analysis engine determines and emulates the state of the application at both the requesting computer and the destination device, and determines if the current packet will exploit a known vulnerability in the destination computer.
  • If the destination device is a web/HTTP (Hypertext Transport Protocol) server and the TCP stream contains a Uniform Resource Locator (URL) that is longer than the URL buffer size of the web server, the PAM™ intrusion analysis engine considers this to be an attempted exploit of the vulnerability by the requester because it will cause a buffer overflow in the web server.
  • If the destination device is a web/HTTP server, the requester makes a request and the web server responds with a Hypertext Markup Language (HTML) web page with an excessively long tag, the PAM™ intrusion analysis engine considers this to be an attempted exploit of the vulnerability by the web server because it will cause a tag buffer overflow in the requester's web browser.
  • HTML Hypertext Markup Language
  • The PAM™ intrusion analysis engine also detects unusual network traffic presumed to be malicious such as a remote Microsoft Windows shell request, unauthorized attempts to access a root directory or Standard Query Language (SQL) injection of SQL requests in data fields. The PAM™ intrusion analysis engine also detects unusual or unnecessary encryption, obfuscation or other techniques to obscure intrusions.
  • SQL Standard Query Language
  • The PAM™ intrusion analysis engine also detects traffic anomalies such as unusual network mapping, including attempts to identify open ports with an unusually large number of connection requests.
  • IPS 140 also includes an intrusion prevention management program 147 (implemented in hardware and/or software) according to the principles of the invention which determines a composite score for each incoming message packet based on various factors. The higher the composite score the greater the projected or likely benefit/cost ratio for analysis by the intrusion analysis engine 152.
  • One potential benefit is detection of intrusions.
  • the cost can be the time/burden to analyze the packet for intrusions.
  • the composite score is based on the following benefit and cost factors: (a) Protocol type. If a protocol has more associated vulnerabilities or higher risk vulnerabilities, there will be greater likely benefit to analyzing a packet with such a protocol, and therefore a higher composite score. The weight of this factor is based on the number and severity of the known and likely vulnerabilities for each protocol.
  • Whether the packet contains a payload or is just an acknowledgment (without a payload). If there is no payload, then the composite score will be reduced because there is no application protocol contained in the packet and the benefit for conducting the intrusion analysis is low. For example, if the packet is a TCP acknowledgment packet but does not contain a payload, there is little chance that the packet is attempting to exploit a vulnerability in the destination device.
  • the weight of each factor reflects the degree to which the factor affects the benefit/cost of conducting the intrusion analysis. The lower the composite score, the lower the benefit/cost ratio for completely analyzing the packet by intrusion analysis engine 152. If the composite score is below an applicable threshold for composite score, then program 147 will automatically pass the packet to the next hop en route to the destination computer without analysis by the intrusion analysis engine 152. This may be referred to as "fast-forwarding" the packet. However, if the composite score is greater than or equal to the applicable threshold for composite score, then program 147 notifies intrusion analysis engine 152 to completely analyze the packet.
  • each of the aforementioned criteria (a) to (h) can be represented by a function of the packet P such that A(P) ... H(P) yield a value.
  • the individual functions might return a value in different ranges.
  • a composite value can be determined through a decision tree of evaluating various criteria.
  • intrusion analysis engine 152 detects malicious behavior or otherwise determines a high risk associated with the packet, then intrusion analysis engine 152 will drop the packet. Otherwise, intrusion analysis engine 152 will notify program 147 that the packet is not malicious. In response, program 147 will forward the packet to router 150 to route according to a known routing algorithm to the next hop en route to the destination subnet 170 or destination computer 160. The determination of the composite score for each packet takes a much shorter time than would be required by intrusion analysis engine 152 to analyze the packet for intrusions. This allows a greater throughput for IPS 140 and alleviates overload of IPS 140.
  • In addition to determining the composite score for each packet, if intrusion analysis engine 152 finds a malicious packet on a flow, then program 147 will automatically block/discard all subsequently received packets on the same flow. This has a similar effect as assigning the highest composite score for such a packet, but does not require program 147 to compute the composite score.
  • Program 147 also dynamically adjusts the threshold for the composite score based on the rate of incoming packets compared to the rate that IPS 140 can process them. If the rate of incoming packets is greater than the rate at which IPS 140 (including program 147 and intrusion analysis engine 152) can process them, then program 147 will increase the threshold for composite score so that (statistically) more packets will pass through IPS 140 without a complete, time-consuming analysis by intrusion analysis engine 152. This will reduce the backlog in IPS 140 and allow IPS 140 to keep up with the rate of incoming packets.
  • program 147 will decrease the threshold for composite score so that (statistically) more packets will be analyzed by intrusion analysis engine 152. This will increase security without overloading IPS 140.
  • FIG. 2 illustrates function and operation of intrusion prevention management program 147 and associated functions in more detail.
  • IPS 140 receives a packet and buffers the packet awaiting processing by program 147.
  • program 147 parses the packet and identifies attributes of the packet relevant to determining the composite score or whether the packet should automatically be dropped. These attributes comprise the specific Open System Interconnection (OSI) layer 3 protocol of the packet, the specific OSI layer 4 protocol of the packet, whether the IP fragmentation field is set for TCP, whether the packet is merely an acknowledgment without a payload, whether the packet is encrypted, and the identity of the flow associated with the packet (step 202).
  • OSI Open System Interconnection
  • Program 147 determines the layer 3 protocol based on the type field in the data link protocol's header (e.g., the type field in the Ethernet header).
  • Program 147 determines the OSI layer 4 protocol based on the protocol field in the network protocol's header (e.g., IPv4's protocol field).
  • the IP fragmentation field is located at a known location in the packet header based on the type of protocol.
  • Program 147 determines whether the packet is merely an acknowledgment without a payload based on the total length of the packet specified in the IP header.
  • the source IP address, source port, destination IP address, destination port, OSI layer 4 protocol, and optionally the Virtual Local Area Network (VLAN) identifier (ID) attributes identify the flow of which this packet is part.
  • Program 147 performs step 202 without initiating intrusion analysis of the packet, i.e., without analyzing the packet for signatures or patterns of intrusion, or other characteristics of an attempted exploit or denial of service attack, such as provided by ISS
  • program 147 determines if this packet has a flow-based protocol, i.e., a protocol which involves a two-directional communication (decision 204).
  • a two-directional communication includes a setup of the communication, a request, a response and a closure of the communication.
  • flow-based protocols are TCP, User Datagram Protocol (UDP) when the application layer is flow based, and Stream Control Transport Protocol (SCTP).
  • Other protocols such as Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMPv ⁇ ) are not flow-based, and are typically used for broadcast and/or one-way communications such as address resolution or error reporting.
  • ARP Address Resolution Protocol
  • ICMPv ⁇ Internet Control Message Protocol
  • program 147 determines the composite score for packets in the same flow (or whether to automatically drop subsequently received packets in the same flow) based in part on other, previously received packets in the same flow. If the packet is flow-based (decision 204, yes branch), then program 147 determines if this is the first packet in the associated flow (decision 210). If the packet's protocol is flow-based and this is the first packet in the flow (decision 210, yes branch), then program 147 defines a new flow with default attributes for the protocol (step 212).
  • the default attributes for a TCP flow can comprise byte count of zero (meaning that at this time no bytes on this flow have been analyzed), source IP address and port, destination IP address and port, protocol type, number of packets in this flow dropped equal zero (meaning that at this time no bytes of the flow have been dropped), a flag indicating that this flow is not blocked at this time, whether either of the end nodes has an intrusion analysis engine, and the customer's preference for heightened composite score/security in either end node.
  • the default attributes for UDP can be the same as TCP. If this is a second or subsequent packet received in a flow-based message (decision 210, no branch), then program 147 fetches the flow definition associated with this packet (step 220).
  • the flow definition was defined in a previous iteration of decision 210 and step 212.
  • program 147 checks the attribute values for the flow to determine (decision 226) if this message flow is indicated to be automatically dropped without further evaluation (step 228). For example, if a prior packet in the same flow was determined by the analysis engine 152 to be malicious (decision 226), then all of the subsequently received packets in the same flow will automatically be dropped (step 228). If so (decision 226, yes branch), then program 147 drops the packet (step 228). If not (decision 226, no branch), then program 147 determines a composite score for the packet (step 230). The composite score is based on the projected or likely benefit/cost ratio as described above.
  • program 147 proceeds directly from decision 204 to step 230 to determine the composite score for the packet, as described above.
  • program 147 compares the composite score of the packet to a current threshold for composite score (step 240). If the composite score is less than the current threshold (decision 240, no branch), then program 147 does not initiate intrusion analysis of the packet, and instead updates the flow attributes for the associated message (step 242). For example, in step 242, program 147 updates the number of bytes of the message which have been received without detecting an intrusion.
  • program 147 determines if the current rate of incoming packets is below a lower packet-rate-threshold (decision 244). Program 147 determines the current rate of incoming packets by the number of queued packets. If the current rate of incoming packets is below the lower packet-rate-threshold (decision 244, yes branch), then program 147 lowers the current threshold for the composite score (step 246). By lowering the current threshold for the composite score, statistically more subsequent packets will exceed the threshold and be analyzed by intrusion analysis engine 152. While this will slow down IPS 140, it will increase security and can be accommodated by IPS 140.
  • IPS 140 can analyze more incoming packets and still keep pace with the incoming packets. If the current rate of incoming packets is greater than or equal to the lower packet-rate-threshold (decision 244, no branch), then program 147 does not lower the current threshold for composite value.
  • program 147 passes the packet to router 150 to route the unanalyzed packet to the next hop according to the port on which the packet entered the system and the known routing protocol of the router. This is considered "fast-forwarding" of the packet.
  • the next hop is subnet 170.
  • router 150 determines the next hop and forwards the unanalyzed packet to firewall 172 (or other gateway) to subnet 170. After checking the destination IP address, application identifier or other destination indicia contained in the packet's header, firewall (or other gateway) 172 forwards the packet to destination computer 160.
  • program 147 determines if the rate of incoming packets is greater than a rate at which IPS 140 (including program 147 and intrusion analysis engine 152) can process them (decision 250). Program 147 makes this determination by counting the number of packets which have accumulated in packet cache 149 awaiting processing by program 147. If the number of accumulated packets in packet cache 149 awaiting processing is above a predetermined threshold (or if the cache 149 is filled above a predetermined percentage of its capacity) (decision 250, yes branch), then program 147 increases the threshold for the composite score (step 252).
  • program 147 will subsequently pass more packets through IPS 140 to the destination device without a time-consuming analysis by intrusion analysis engine 152. This will reduce the processing time in IPS 140 and therefore, reduce the backlog in IPS 140 and allow IPS 140 to keep up with the current rate of incoming packets. Because the composite score was found in decision 240 to be above the threshold for composite score, program 147 notifies intrusion analysis engine 152 to analyze the packet for intrusions (step 260). Step 260 follows step 252 as well as decision 250, no branch where IPS 140 is keeping up with the rate of incoming packets and does not increase the threshold for composite score.
  • intrusion analysis engine 152 analyzes the packet for intrusions in a known manner as described above.
  • program 147 updates the packet's flow attributes, as described above (step 242).
  • program 147 proceeds to decision 244-248, as described above.
  • Intrusion Prevention Management program 147 can be loaded into IPS computer 140 from a computer readable storage media 180 such as magnetic disk or tape, optical media, DVD, memory stick, etc. or downloaded from the
  • Intrusion analysis engine 152 can be loaded into IPS computer 140 from computer readable storage media 180 such as magnetic disk or tape, optical media, DVD, memory stick, etc. or downloaded from the Internet 130 via TCP/IP adapter card 148.
  • the IPS can take substantial time to inspect individual packets. This in turn can lead to delays of packets through the IPS that can have adverse effects, such as jitter on a Voice over Internet Protocol (VoIP) phone call. Therefore, IPSs often set maximum delays to avoid such adverse effects.
  • VoIP Voice over Internet Protocol
  • the packet is either dropped or so-called fast-forwarded, i.e., the packet is allowed to pass without completion or commensuration of the packet inspection, as explained above. Under certain circumstances, this may be in contrast to the main objective of the IPS, namely to inspect every packet.
  • state of the art IPSs maintain state about connections that are set up for instance by TCP/IP connections and attempt to deduce as much as possible about the endpoints, then they emulate the software stacks at the endpoints and attempt to narrow down known exploits at said endpoints.
  • Connections of this nature are referred to as flows. For instance, the entire content of a webpage can be inspected for potential violations such as tag mismatches. Web pages are transferred as a sequence of packets, and it is desirable to identify intrusions as soon as possible.
  • In Section I, a main concept is to stop inspecting packets on a flow for which confidence exists, referred to as fast-forwarding. This technique is deployed to deal with oversubscription, even if temporary.
  • a main concept in the embodiments of Section II is that such identified fast forwarded packets continue to be inspected, cycles permitting, and allow the IPS to catch up with the inspection and thus restore a fast forwarded flow back into full inspection mode. We refer to this as a "catch-up" mode.
  • the alternate system provides a higher degree of inspection and hence a higher insurance against potential intrusion threats.
  • In Section II we provide a mechanism to de-prioritize packets that are inspected in this "catch-up" mode to allow new traffic to be processed.
  • Such mechanism can be implemented in the composite scoring feature described above (described in FIGs. 1 and 2), for instance, by lowering the flow score if the system is in catch-up mode.
  • the mechanism of this alternate embodiment further enables the above system to selectively disable certain inspection features (heuristics) in order to free system resources at the cost of quality of service (QoS).
  • QoS quality of service
  • the alternate embodiment also provides a mechanism to obfuscate and/or randomize the mechanism for heuristics selection over time and on the same flow such that any attacker will not be able to identify and exploit specific deselected heuristics. It also provides a mechanism to project the benefits of enabling said catch-up mode over the fast-forward mode.
  • The Intrusion Analysis Engine is divided into a front end and a back end.
  • the front end is that part of the inspection that can be accomplished either in parallel or out of order for a set of packets potentially belonging to the same flow; this is typically to
  • the back end is typically that part of the analysis that must be serialized for intra flow packets.
  • the front end receives the network packets, extracts the TCP/IP 5 tuple (source IP address/port, destination IP address/port, and OSI layer 4 protocol) and determines the flow associated with this tuple.
  • the flow maintains all the required state to resume flow inspection when the next packet on the flow arrives.
  • the packets and their respective flows are scored based on various techniques to identify potential threats. In the case of the back end being unable to keep up with the packet load, packet and flows scores are compared against an actively maintained cut-off score. Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections.
  • FIG. 3 illustrates function and operation of intrusion prevention management program 147 and associated functions according to this embodiment in more detail.
  • IPS 140 receives a packet either from the frontend (network) queue or the backend (flow) queue.
  • IPS 140 buffers the packet awaiting processing by program 147.
  • Program 147 parses the packet and identifies the attributes relevant to determining the composite score, or to deciding whether the packet should be dropped automatically. These attributes comprise the Open Systems Interconnection (OSI) layer 3 protocol of the packet, the OSI layer 4 protocol of the packet, whether the IP fragmentation field is set for TCP, whether the packet is merely an acknowledgment without a payload, whether the packet is encrypted, and the identity of the flow to which the packet belongs (step 302).
  • Program 147 determines the layer 3 protocol based on the type field in the data link protocol's header (e.g., the type field in the Ethernet header).
  • Program 147 determines the OSI layer 4 protocol based on the protocol field in the network protocol's header (e.g., IPv4's protocol field).
  • the IP fragmentation field is located at a known location in the packet header based on the type of protocol.
  • Program 147 determines whether the packet is merely an acknowledgment without a payload based on the total length of the packet specified in the IP header.
  • The source IP address, source port, destination IP address, destination port, OSI layer 4 protocol and, optionally, the Virtual Local Area Network (VLAN) identifier (ID) together identify the flow of which this packet is part.
  • Program 147 performs step 302 without initiating intrusion analysis of the packet, i.e., without analyzing the packet for signatures or patterns of intrusion, or for other characteristics of an attempted exploit or denial-of-service attack, such as the analysis provided by the ISS PAM™ intrusion analysis engine described above.
  • program 147 determines if this packet has a flow-based protocol, i.e., a protocol which involves a two-directional communication (decision 304).
  • a two-directional communication includes a setup of the communication, a request, a response and a closure of the communication.
  • Examples of flow-based protocols are TCP, User Datagram Protocol (UDP) when the application layer is flow based, and Stream Control Transmission Protocol (SCTP).
  • Other protocols such as Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) are not flow-based, and are typically used for broadcast and/or one-way communications such as address resolution or error reporting.
  • program 147 determines the composite score for packets in the same flow (or whether to automatically drop subsequently received packets in the same flow) based in part on other, previously received packets in the same flow. If the packet is flow-based (decision 304, yes branch), then program 147 determines if this is the first packet in the associated flow (decision 310).
  • If so (decision 310, yes branch), program 147 defines a new flow with default attributes for the protocol (step 312).
  • The default attributes for a TCP flow can comprise: a byte count of zero (meaning that no bytes on this flow have been analyzed yet), the source IP address and port, the destination IP address and port, the protocol type, a count of packets dropped in this flow equal to zero (meaning that no packets of the flow have been dropped yet), a flag indicating that the flow is not blocked at this time, whether either end node has an intrusion analysis engine of its own, and the customer's preference for a heightened composite score/security level at either end node.
  • the default attributes for UDP can be the same as TCP.
  • If not (decision 310, no branch), program 147 fetches the flow definition associated with this packet (step 320).
  • the flow definition was defined in a previous iteration of decision 310 and step 312.
  • Program 147 then checks the flow's attribute values to determine whether this flow is marked to be dropped automatically without further evaluation (decision 326). For example, if a prior packet in the same flow was determined by analysis engine 152 to be malicious, all subsequently received packets in that flow are dropped automatically. If the flow is so marked (decision 326, yes branch), program 147 drops the packet (step 328). If not (decision 326, no branch), program 147 determines a composite score for the packet (step 330). The composite score is based on the projected or likely benefit/cost ratio of inspection, as described above.
  • If the packet does not belong to a flow-based protocol (decision 304, no branch), program 147 proceeds directly from decision 304 to step 330 to determine the composite score for the packet, as described above.
  • Program 147 compares the composite score of the packet to the current composite-score threshold (decision 340). If the composite score is less than the current threshold (decision 340, no branch), program 147 does not initiate intrusion analysis of the packet. Instead, it determines whether the flow is set for catch-up mode (decision 380). If so (decision 380, yes branch), the flow is enqueued in the backend queue (step 382) and the next packet is received (step 300). If the flow is not set for catch-up mode (decision 380, no branch), program 147 updates the flow attributes for the associated message (step 342); for example, it updates the number of bytes of the message that have been received without an intrusion being detected.
  • Program 147 then determines whether the current rate of incoming packets is below a lower packet-rate threshold (decision 344); it measures the current rate by the number of queued packets. If the rate is below the lower packet-rate threshold (decision 344, yes branch), program 147 lowers the current composite-score threshold (step 346). With a lower threshold, statistically more subsequent packets will exceed it and be analyzed by intrusion analysis engine 152. This slows IPS 140 down but increases security, and it can be accommodated because IPS 140 can analyze more incoming packets and still keep pace with them. If the current rate is greater than or equal to the lower packet-rate threshold (decision 344, no branch), program 147 leaves the threshold unchanged.
  • In either case, program 147 then passes the packet to router 150 (step 348), which routes the unanalyzed packet to the next hop according to the port on which the packet entered the system and the router's routing protocol. This is referred to as "fast-forwarding" the packet.
  • the next hop is subnet 170.
  • router 150 determines the next hop and forwards the unanalyzed packet to firewall 172 (or other gateway) to subnet 170. After checking the destination IP address, application identifier or other destination indicia contained in the packet's header, firewall (or other gateway) 172 forwards the packet to destination computer 160.
  • If the composite score is not below the threshold (decision 340, yes branch), program 147 determines whether the rate of incoming packets is greater than the rate at which IPS 140 (including program 147 and intrusion analysis engine 152) can process them (decision 350). It makes this determination by counting the packets that have accumulated in packet cache 149 awaiting processing. If IPS 140 is keeping up with the incoming packets (decision 350, no branch), program 147 does not increase the composite-score threshold and notifies intrusion analysis engine 152 to analyze the packet for intrusions (step 360), because decision 340 found the composite score to be above the threshold.
  • If IPS 140 is not keeping up (decision 350, yes branch), program 147 increases the composite-score threshold (step 352). Statistically, program 147 will then pass more subsequent packets through IPS 140 to the destination device without a time-consuming analysis by intrusion analysis engine 152. This reduces the processing time in IPS 140, and therefore reduces the backlog and allows IPS 140 to keep up with the current rate of incoming packets.
  • Program 147 then checks whether the given flow is set for catch-up mode (decision 354).
  • If not (decision 354, no branch), program 147 notifies intrusion analysis engine 152 to analyze the packet for intrusions (step 360). If the flow is set for catch-up mode (decision 354, yes branch), program 147 checks whether the packet flow exceeds the threshold (decision 356). If not (decision 356, no branch), program 147 notifies intrusion analysis engine 152 to analyze the packet for intrusions (step 360).
  • If so (decision 356, yes branch), program 147 unmarks the flow as catch-up mode and instead marks it as either auto-drop or auto-forward (step 358). If the flow is marked auto-drop (decision 326, yes branch), all packets in the flow will be discarded (step 328). If the flow is marked auto-forward (decision 326, no branch), processing resumes at step 330 and all packets in the flow will be sent in step 348.
  • intrusion analysis engine 152 analyzes the packet for intrusions in a known manner as described above (step 360).
  • Program 147 determines whether the maximum time has expired (decision 362). If not (decision 362, no branch), program 147 updates the packet's flow attributes (step 342) and proceeds to decision 344, as described above.
  • If the maximum time has expired (decision 362, yes branch), program 147 marks the flow as catch-up mode, auto-drop or auto-fast-forward (step 364), then completes the analysis (step
  • Program 147 then determines whether any packets are queued for the flow (decision 370). If none are (decision 370, no branch), program 147 unmarks catch-up mode and proceeds to steps 342-348, as described above.
  • If packets are queued for the flow (decision 370, yes branch), program 147 determines whether those packets have a higher priority than the new packet (decision 374). If they do not (decision 374, no branch), program 147 sets the next packet to be taken from the backend queue (step 376) before proceeding to steps 342-348, as discussed above. Otherwise (decision 374, yes branch), program 147 proceeds directly to steps 342-348.
  • In this embodiment, packet delay through the IPS is also used as one of the parameters for scoring a threat.
  • If a packet, because of network queuing time or at the end of front-end processing, has already exceeded, is about to exceed, or is expected to exceed the maximum allowed delay, the packet is fast-forwarded and the flow is marked as fast-forwarded. Any packet received in the future on a flow marked fast-forwarded is also fast-forwarded from then on. If the packet is not fast-forwarded, it is released for backend processing, which performs the deep inspection (typically layer 5 and above).
  • The composite value may also be influenced by the depth of the packet queue associated with a flow and by the mode in which the flow is operated. For example, the fact that a flow is in catch-up mode may be reflected in the composite value. Moreover, a flow that is marked AutoFastForward will never have a high composite value if the catch-up capability is enabled.
  • The advantage of this alternate embodiment lies in how a packet that has initially been identified for fast-forwarding after the first phase is handled. As in the description above, the packet is forwarded to the output port so as to meet the maximum delay. However, rather than discarding the content of the packet, the packet is also inserted into backend processing, allowing the IPS to continue inspecting it even though it has already been sent to the destination endpoint. This has several benefits, for example:
  • The IPS is in principle able to catch up with inspection and, unless the system is oversubscribed, will then be able to unmark the flow as fast-forwarded. This in turn reduces the number of uninspected packets and therefore reduces any potential risk that might arise from subsequent packets on this flow.
  • FIG. 4 shows an exemplary flow object suitable for use with an illustrative embodiment of the invention.
  • the flow object is a data structure which represents a given flow.
  • flow object 400 has been expanded to include additional fields.
  • field 410 represents the state by setting condition flags for normal operation, for fast forwarding, for autodrop, and for the catch-up mode.
  • Field 420 includes counters which indicate the number of packets that are enqueued or currently being processed in the backend for the flow represented by this flow object.
  • Field 430 stores additional state information which may be required for content parsing, such as HTTP, HTML parsing, email, etc.
  • Parts of the deep packet inspection can be turned off selectively based on flow state and time slack. This may be implemented, for instance, by augmenting the composite function so as to take the size of the per-flow packet queue into account.
  • Packets belonging to a fast-forwarded flow can be inspected at a different priority than packets belonging to flows that are currently inspected inline (i.e., flows for which packet delivery depends on the outcome of the packet inspection).
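The step 302 classification described above, as a worked example: layer 3 protocol from the EtherType, layer 4 protocol from the IPv4 protocol field, fragmentation state, payload-less ACK detection from the IP total length, and the flow key from the 5-tuple plus optional VLAN ID, all without touching the payload. This is added illustration code, not the patent's or IBM's implementation. The frame builder constructs sample input, and ordering the two endpoints so that both directions of a connection resolve to one flow object is my own choice, which the text does not specify.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP = 1, 6, 17, 132
FLOW_BASED = {IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP}   # UDP assumed flow based here
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

FlowKey = Tuple[str, int, str, int, int, Optional[int]]


@dataclass(frozen=True)
class PacketAttrs:
    l3_proto: int                # EtherType (0x0800 = IPv4)
    vlan_id: Optional[int]       # 802.1Q VID, if the frame was tagged
    l4_proto: Optional[int]      # IPv4 protocol number; None for non-IP frames
    fragmented: bool             # MF flag set or non-zero fragment offset
    ack_only: bool               # TCP ACK carrying no payload
    flow_key: Optional[FlowKey]  # None when the packet is not flow based


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> PacketAttrs:
    """Classify an Ethernet/IPv4 frame without inspecting its payload."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:                    # ARP etc.: no flow, no L4 protocol
        return PacketAttrs(ethertype, vlan_id, None, False, False, None)
    (vhl, _tos, total_len, _ident, frag, _ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    ihl = (vhl & 0x0F) * 4
    frag_off = frag & 0x1FFF
    fragmented = bool(frag & 0x2000) or frag_off != 0
    ack_only, flow_key = False, None
    if proto in FLOW_BASED and frag_off == 0:          # ports exist only in the first fragment
        l4 = off + ihl
        sport, dport = struct.unpack_from("!HH", frame, l4)
        if proto == IPPROTO_TCP:
            data_off = (frame[l4 + 12] >> 4) * 4
            flags = frame[l4 + 13]
            payload_len = total_len - ihl - data_off   # from the IP total length, as in step 302
            ack_only = (bool(flags & TCP_ACK)
                        and not flags & (TCP_SYN | TCP_FIN | TCP_RST)
                        and payload_len == 0)
        # Ordering the endpoints is my addition: both directions of the
        # two-way exchange then resolve to the same flow object.
        a, b = (_ip(src), sport), (_ip(dst), dport)
        if a > b:
            a, b = b, a
        flow_key = (a[0], a[1], b[0], b[1], proto, vlan_id)
    return PacketAttrs(ethertype, vlan_id, proto, fragmented, ack_only, flow_key)


def build_tcp_frame(src: str, sport: int, dst: str, dport: int, flags: int,
                    payload: bytes = b"", vlan_id: Optional[int] = None,
                    frag_field: int = 0) -> bytes:
    """Constructed sample input (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_field, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    eth = bytes(12)                                    # dst/src MACs (irrelevant here)
    if vlan_id is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


if __name__ == "__main__":
    print(parse_frame(build_tcp_frame("10.0.0.1", 40000, "10.0.0.2", 80, TCP_ACK)))
    print(parse_frame(build_tcp_frame("10.0.0.2", 80, "10.0.0.1", 40000, TCP_ACK,
                                      b"HTTP/1.1 200 OK")))
```

Two details matter for the lookup in decision 310: a non-first fragment has no transport header, so its ports cannot be read and it cannot be keyed to a flow by the 5-tuple alone, and the ACK-only test has to subtract both the IP and TCP header lengths from the IP total length, not just check the flags.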

Abstract

Improved techniques are disclosed for use in an intrusion prevention system or the like. For example, a method comprises the following steps performed by a computing element of a network. A packet of a flow is received, the flow comprising a plurality of packets, and the plurality of packets representing data in the network. A network intrusion analysis cost-benefit value is determined, representing the benefit of analyzing the received packet for intrusions relative to the cost of analyzing the received packet for intrusions. The method compares the network intrusion analysis cost-benefit value to a network intrusion analysis cost-benefit threshold to determine whether analyzing the received packet for intrusions before sending it is warranted. If it is determined that analyzing the received packet for intrusions before sending it is not warranted, the received packet is sent, subsequent packets of the flow are marked to be sent, and whether the received packet indicates an intrusion is determined after the received packet has been sent.
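The gate that the abstract and FIG. 3 describe, as an added example that is not the patent's code: score each packet, compare it with a threshold that rises when the backend backlog grows and falls when it drains, fast-forward low-score packets, block flows found malicious, and in catch-up mode keep inspecting packets that were already sent. The scoring weights, the backlog watermarks that move the threshold, the per-tick inspection budget and the marker-string inspector are all assumptions standing in for the real analysis engine; the patent's priority handling of the backend queue (decisions 370 and 374) is approximated by halving the score of catch-up packets.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum, auto
from typing import Deque, Dict, Tuple


class FlowState(Enum):
    NORMAL = auto()        # delivery waits for the inspection verdict
    FAST_FORWARD = auto()  # sent uninspected; later packets on the flow go the same way
    AUTO_DROP = auto()     # a packet on this flow was malicious; discard the rest
    CATCH_UP = auto()      # sent uninspected, but still queued for backend inspection


@dataclass
class Packet:
    flow_key: tuple
    size: int              # bytes on the wire
    payload: bytes
    encrypted: bool = False
    ack_only: bool = False


@dataclass
class Flow:                # the flow object of FIG. 4, reduced to what the gate needs
    key: tuple
    state: FlowState = FlowState.NORMAL
    bytes_seen: int = 0
    backend_queued: int = 0   # packets of this flow waiting in the backend queue


def composite_score(pkt: Packet, flow: Flow) -> float:
    """Benefit of inspecting now divided by its cost (weights are assumptions)."""
    if pkt.ack_only or pkt.encrypted:
        benefit = 0.1      # an empty ACK or ciphertext has little to find
    else:
        benefit = 1.0 if flow.bytes_seen < 4096 else 0.4   # exploits cluster early in a flow
    if flow.state is FlowState.CATCH_UP:
        benefit *= 0.5     # the packet is already gone, so catch-up work yields less
    cost = 0.2 + pkt.size / 1500   # inspection cost grows with packet size
    return benefit / cost


class Gate:
    def __init__(self, threshold=1.0, low_wm=2, high_wm=8, inspect_budget=3, catch_up=True):
        self.threshold = threshold
        self.low_wm, self.high_wm = low_wm, high_wm   # backlog watermarks (assumed values)
        self.inspect_budget = inspect_budget           # packets the engine inspects per tick
        self.catch_up = catch_up
        self.flows: Dict[tuple, Flow] = {}
        self.backend: Deque[Tuple[Packet, Flow, bool]] = deque()   # (pkt, flow, already_sent)
        self.stats = {"inspected": 0, "delivered_inline": 0, "fast_forwarded": 0, "dropped": 0}

    @staticmethod
    def inspect(pkt: Packet) -> bool:
        """Stand-in for the analysis engine: a marker string counts as malicious."""
        return b"EVIL" in pkt.payload

    def _adapt_threshold(self) -> None:
        backlog = len(self.backend)
        if backlog > self.high_wm:      # engine is falling behind: inspect fewer packets
            self.threshold = min(self.threshold + 0.25, 5.0)
        elif backlog < self.low_wm:     # engine has slack: inspect more packets
            self.threshold = max(self.threshold - 0.25, 0.0)

    def receive(self, pkt: Packet) -> str:
        """Front-end decision for one packet; returns the action taken."""
        flow = self.flows.setdefault(pkt.flow_key, Flow(pkt.flow_key))
        if flow.state is FlowState.AUTO_DROP:        # flow already judged malicious
            self.stats["dropped"] += 1
            return "drop"
        if flow.state is FlowState.FAST_FORWARD:     # flow given up on: no inspection at all
            self.stats["fast_forwarded"] += 1
            return "fast_forward"
        if composite_score(pkt, flow) >= self.threshold:   # worth holding for inspection
            self.backend.append((pkt, flow, False))
            flow.backend_queued += 1
            action = "inline"
        else:                                        # send now rather than add delay...
            flow.bytes_seen += pkt.size
            self.stats["fast_forwarded"] += 1
            if self.catch_up:                        # ...but still inspect it afterwards
                flow.state = FlowState.CATCH_UP
                self.backend.append((pkt, flow, True))
                flow.backend_queued += 1
            else:
                flow.state = FlowState.FAST_FORWARD
            action = "fast_forward"
        self._adapt_threshold()
        return action

    def tick(self) -> None:
        """Backend: inspect up to inspect_budget queued packets."""
        for _ in range(min(self.inspect_budget, len(self.backend))):
            pkt, flow, already_sent = self.backend.popleft()
            flow.backend_queued -= 1
            self.stats["inspected"] += 1
            if self.inspect(pkt):
                flow.state = FlowState.AUTO_DROP     # the rest of the flow is blocked
                if not already_sent:                 # a sent packet cannot be recalled
                    self.stats["dropped"] += 1
                continue
            if not already_sent:
                flow.bytes_seen += pkt.size
                self.stats["delivered_inline"] += 1
            elif flow.state is FlowState.CATCH_UP and flow.backend_queued == 0:
                flow.state = FlowState.NORMAL        # caught up: back to inline inspection
```

receive() is the front end; call tick() to let the backend drain. Note that the catch-up path still adds to the backend queue, so when the engine is oversubscribed that queue keeps growing and the threshold keeps climbing, which is exactly the condition under which the text says the flow cannot be unmarked; the security trade is that a malicious catch-up packet has already reached the endpoint and only the remainder of its flow can be blocked.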
PCT/EP2009/064195 2008-11-18 2009-10-28 Protection contre l'intrusion de réseau WO2010057748A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200980145011.6A CN102210133B (zh) 2008-11-18 2009-10-28 网络入侵保护
EP09748751.6A EP2289221B1 (fr) 2008-11-18 2009-10-28 Protection d'un réseau contre l'intrusion

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/273,142 US8677473B2 (en) 2008-11-18 2008-11-18 Network intrusion protection

Publications (2)

Publication Number Publication Date
WO2010057748A2 true WO2010057748A2 (fr) 2010-05-27
WO2010057748A3 WO2010057748A3 (fr) 2010-09-16

Family

ID=42173026

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/064195 WO2010057748A2 (fr) 2008-11-18 2009-10-28 Protection contre l'intrusion de réseau

Country Status (6)

Country Link
US (1) US8677473B2 (fr)
EP (1) EP2289221B1 (fr)
KR (1) KR20110089179A (fr)
CN (1) CN102210133B (fr)
TW (1) TW201032542A (fr)
WO (1) WO2010057748A2 (fr)

Families Citing this family (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8006303B1 (en) * 2007-06-07 2011-08-23 International Business Machines Corporation System, method and program product for intrusion protection of a network
US8051167B2 (en) * 2009-02-13 2011-11-01 Alcatel Lucent Optimized mirror for content identification
US8797866B2 (en) * 2010-02-12 2014-08-05 Cisco Technology, Inc. Automatic adjusting of reputation thresholds in order to change the processing of certain packets
US8997234B2 (en) * 2011-07-27 2015-03-31 Mcafee, Inc. System and method for network-based asset operational dependence scoring
US8549612B2 (en) * 2011-11-28 2013-10-01 Dell Products, Lp System and method for incorporating quality-of-service and reputation in an intrusion detection and prevention system
US8776243B2 (en) * 2012-04-27 2014-07-08 Ixia Methods, systems, and computer readable media for combining IP fragmentation evasion techniques
CN103686735A (zh) * 2012-09-11 2014-03-26 浙江商业技师学院 基于选择性非零和博弈的无线传感器网络入侵检测方法
TWI476628B (zh) * 2012-09-18 2015-03-11 Univ Kun Shan 以惡意程式特徵分析為基礎之資安風險評估系統
US10136355B2 (en) * 2012-11-26 2018-11-20 Vasona Networks, Inc. Reducing signaling load on a mobile network
EP2953311B1 (fr) * 2013-06-26 2019-01-16 Huawei Technologies Co., Ltd. Procédé d'identification de paquet et dispositif de protection
US10171483B1 (en) * 2013-08-23 2019-01-01 Symantec Corporation Utilizing endpoint asset awareness for network intrusion detection
US20150089655A1 (en) * 2013-09-23 2015-03-26 Electronics And Telecommunications Research Institute System and method for detecting malware based on virtual host
CN103647678A (zh) * 2013-11-08 2014-03-19 北京奇虎科技有限公司 一种网站漏洞在线验证方法及装置
US9345041B2 (en) 2013-11-12 2016-05-17 Vasona Networks Inc. Adjusting delaying of arrival of data at a base station
US10039028B2 (en) 2013-11-12 2018-07-31 Vasona Networks Inc. Congestion in a wireless network
US10341881B2 (en) 2013-11-12 2019-07-02 Vasona Networks, Inc. Supervision of data in a wireless network
US9397915B2 (en) 2013-11-12 2016-07-19 Vasona Networks Inc. Reducing time period of data travel in a wireless network
US9973472B2 (en) 2015-04-02 2018-05-15 Varmour Networks, Inc. Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US10122753B2 (en) * 2014-04-28 2018-11-06 Sophos Limited Using reputation to avoid false malware detections
US9917851B2 (en) 2014-04-28 2018-03-13 Sophos Limited Intrusion detection using a heartbeat
US20160100315A1 (en) * 2014-05-13 2016-04-07 Adtran, Inc. Detecting and disabling rogue access points in a network
US9888033B1 (en) * 2014-06-19 2018-02-06 Sonus Networks, Inc. Methods and apparatus for detecting and/or dealing with denial of service attacks
TW201605198A (zh) 2014-07-31 2016-02-01 萬國商業機器公司 智慧網路管理裝置以及管理網路的方法
US10630698B2 (en) 2014-12-18 2020-04-21 Sophos Limited Method and system for network access control based on traffic monitoring and vulnerability detection using process related information
US9467476B1 (en) 2015-03-13 2016-10-11 Varmour Networks, Inc. Context aware microsegmentation
US9294442B1 (en) 2015-03-30 2016-03-22 Varmour Networks, Inc. System and method for threat-driven security policy controls
US10193929B2 (en) 2015-03-13 2019-01-29 Varmour Networks, Inc. Methods and systems for improving analytics in distributed networks
US10178070B2 (en) 2015-03-13 2019-01-08 Varmour Networks, Inc. Methods and systems for providing security to distributed microservices
US9438634B1 (en) 2015-03-13 2016-09-06 Varmour Networks, Inc. Microsegmented networks that implement vulnerability scanning
US10165004B1 (en) 2015-03-18 2018-12-25 Cequence Security, Inc. Passive detection of forged web browsers
US9380027B1 (en) 2015-03-30 2016-06-28 Varmour Networks, Inc. Conditional declarative policies
US9525697B2 (en) * 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
US9866576B2 (en) 2015-04-17 2018-01-09 Centripetal Networks, Inc. Rule-based network-threat detection
US11418520B2 (en) * 2015-06-15 2022-08-16 Cequence Security, Inc. Passive security analysis with inline active security device
US9483317B1 (en) 2015-08-17 2016-11-01 Varmour Networks, Inc. Using multiple central processing unit cores for packet forwarding in virtualized networks
CN105939314A (zh) * 2015-09-21 2016-09-14 杭州迪普科技有限公司 网络防护方法和装置
US11805106B2 (en) * 2015-10-28 2023-10-31 Qomplx, Inc. System and method for trigger-based scanning of cyber-physical assets
US10783241B2 (en) * 2015-10-28 2020-09-22 Qomplx, Inc. System and methods for sandboxed malware analysis and automated patch development, deployment and validation
US10917428B2 (en) * 2015-10-28 2021-02-09 Qomplx, Inc. Holistic computer system cybersecurity evaluation and scoring
US11070592B2 (en) * 2015-10-28 2021-07-20 Qomplx, Inc. System and method for self-adjusting cybersecurity analysis and score generation
US10735438B2 (en) * 2016-01-06 2020-08-04 New York University System, method and computer-accessible medium for network intrusion detection
US10931713B1 (en) 2016-02-17 2021-02-23 Cequence Security, Inc. Passive detection of genuine web browsers based on security parameters
US10785234B2 (en) * 2016-06-22 2020-09-22 Cisco Technology, Inc. Dynamic packet inspection plan system utilizing rule probability based selection
US11349852B2 (en) * 2016-08-31 2022-05-31 Wedge Networks Inc. Apparatus and methods for network-based line-rate detection of unknown malware
US10931686B1 (en) 2017-02-01 2021-02-23 Cequence Security, Inc. Detection of automated requests using session identifiers
US11190542B2 (en) * 2018-10-22 2021-11-30 A10 Networks, Inc. Network session traffic behavior learning system
PL3654606T3 (pl) * 2018-11-15 2022-04-04 Ovh Sposób i system oczyszczania pakietów danych do przesiewania pakietów danych odbieranych w infrastrukturze usługowej
US11218506B2 (en) * 2018-12-17 2022-01-04 Microsoft Technology Licensing, Llc Session maturity model with trusted sources
US10491613B1 (en) * 2019-01-22 2019-11-26 Capital One Services, Llc Systems and methods for secure communication in cloud computing environments
US11444877B2 (en) * 2019-03-18 2022-09-13 At&T Intellectual Property I, L.P. Packet flow identification with reduced decode operations
US11757837B2 (en) * 2020-04-23 2023-09-12 International Business Machines Corporation Sensitive data identification in real time for data streaming
US11363041B2 (en) * 2020-05-15 2022-06-14 International Business Machines Corporation Protecting computer assets from malicious attacks
US11444971B2 (en) * 2020-10-06 2022-09-13 Nozomi Networks Sagl Method for assessing the quality of network-related indicators of compromise
WO2022231618A1 (fr) * 2021-04-30 2022-11-03 Hewlett-Packard Development Company, L.P. Protection de dispositif informatique contre une attaque potentielle par intrusion dans un réseau optique
US11523293B1 (en) * 2021-10-12 2022-12-06 Levi Gundert Wireless network monitoring system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060268866A1 (en) 2005-05-17 2006-11-30 Simon Lok Out-of-order superscalar IP packet analysis

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020032793A1 (en) * 2000-09-08 2002-03-14 The Regents Of The University Of Michigan Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic
US7545814B2 (en) * 2002-02-28 2009-06-09 Nokia Corporation Method and system for dynamic remapping of packets for a router
US7305708B2 (en) * 2003-04-14 2007-12-04 Sourcefire, Inc. Methods and systems for intrusion detection
US20050213553A1 (en) 2004-03-25 2005-09-29 Wang Huayan A Method for wireless LAN intrusion detection based on protocol anomaly analysis
US20060037077A1 (en) * 2004-08-16 2006-02-16 Cisco Technology, Inc. Network intrusion detection system having application inspection and anomaly detection characteristics
US20060075481A1 (en) * 2004-09-28 2006-04-06 Ross Alan D System, method and device for intrusion prevention
US7769851B1 (en) * 2005-01-27 2010-08-03 Juniper Networks, Inc. Application-layer monitoring and profiling network traffic
US7143006B2 (en) * 2005-03-23 2006-11-28 Cisco Technology, Inc. Policy-based approach for managing the export of network flow statistical data
US8015605B2 (en) * 2005-08-29 2011-09-06 Wisconsin Alumni Research Foundation Scalable monitor of malicious network traffic
US20070150574A1 (en) * 2005-12-06 2007-06-28 Rizwan Mallal Method for detecting, monitoring, and controlling web services
US8194662B2 (en) * 2006-06-08 2012-06-05 Ilnickl Slawomir K Inspection of data
KR100834570B1 (ko) * 2006-06-23 2008-06-02 한국전자통신연구원 실시간 상태 기반 패킷 검사 방법 및 이를 위한 장치
US8009566B2 (en) * 2006-06-26 2011-08-30 Palo Alto Networks, Inc. Packet classification in a network security device
US7773507B1 (en) * 2006-06-30 2010-08-10 Extreme Networks, Inc. Automatic tiered services based on network conditions
US8984297B2 (en) * 2008-03-13 2015-03-17 The Regents Of The University Of California Authenticated adversarial routing
US8693332B2 (en) * 2009-06-30 2014-04-08 New Renaissance Technology And Intellectual Property Flow state aware management of QoS through dynamic aggregate bandwidth adjustments

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060268866A1 (en) 2005-05-17 2006-11-30 Simon Lok Out-of-order superscalar IP packet analysis

Also Published As

Publication number Publication date
US8677473B2 (en) 2014-03-18
CN102210133B (zh) 2014-10-01
KR20110089179A (ko) 2011-08-04
EP2289221B1 (fr) 2014-07-30
US20100125900A1 (en) 2010-05-20
WO2010057748A3 (fr) 2010-09-16
TW201032542A (en) 2010-09-01
CN102210133A (zh) 2011-10-05
EP2289221A2 (fr) 2011-03-02

Similar Documents

Publication Publication Date Title
EP2289221B1 (fr) Protection d'un réseau contre l'intrusion
US9344445B2 (en) Detecting malicious network software agents
US7832009B2 (en) Techniques for preventing attacks on computer systems and networks
US8819821B2 (en) Proactive test-based differentiation method and system to mitigate low rate DoS attacks
US9749340B2 (en) System and method to detect and mitigate TCP window attacks
US9392002B2 (en) System and method of providing virus protection at a gateway
US7797749B2 (en) Defending against worm or virus attacks on networks
US20090037592A1 (en) Network overload detection and mitigation system and method
US20140157405A1 (en) Cyber Behavior Analysis and Detection Method, System and Architecture
EP2139199A2 (fr) Fourniture de politique dynamique dans des dispositifs de sécurité de réseau
US10693890B2 (en) Packet relay apparatus
JP2009534001A (ja) 悪質な攻撃の検出システム及びそれに関連する使用方法
US8006303B1 (en) System, method and program product for intrusion protection of a network
US20140304817A1 (en) APPARATUS AND METHOD FOR DETECTING SLOW READ DoS ATTACK
Arafat et al. A practical approach and mitigation techniques on application layer DDoS attack in web server
WO2023040303A1 (fr) Procédé de commande de trafic de réseau et système associé
Trabelsi et al. Denial of firewalling attacks (dof): The case study of the emerging blacknurse attack
US11431750B2 (en) Detecting and mitigating application layer DDoS attacks
KR100656348B1 (ko) 토큰 버켓을 이용한 대역폭 제어 방법 및 대역폭 제어 장치
Strother Denial of service protection the nozzle
Selvaraj Distributed Denial of Service Attack Detection, Prevention and Mitigation Service on Cloud Environment
Gao Exploiting software-defined networks: DoS attacks and security enhancement
Huici Deployable filtering architectures against large denial-of-service attacks
Garg Throttle Based Approach to Mitigate Distributed Denial of Service Attack
Bansal et al. Entropy Based Detection for DDoS Attack

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 200980145011.6. Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 09748751. Country of ref document: EP. Kind code of ref document: A2
WWE Wipo information: entry into national phase. Ref document number: 2009748751. Country of ref document: EP
NENP Non-entry into the national phase. Ref country code: DE
ENP Entry into the national phase. Ref document number: 20117013858. Country of ref document: KR. Kind code of ref document: A