Intrusion detection strategies for hypertext transport protocol

Information security – Monitoring or scanning of software or data including attack... – Intrusion detection

Reexamination Certificate

Details

active

07496962

ABSTRACT:
A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.

