Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-01-15
2003-06-10
Hayes, Gail (Department: 2131)
C709S241000
active
06578147
ABSTRACT:
TECHNICAL FIELD OF THE INVENTION
This invention relates to computer networks, and more particularly to prevention of unauthorized access to a local network from computers external to the local network.
BACKGROUND OF THE INVENTION
Prevention of unauthorized access by outsiders to a computer network is a part of any network management program. This security problem has been complicated by recent trends in internetworking of previously isolated private networks with value-added networks, public networks (such as the internet), and with the networks of other enterprises.
Firewalls are one approach to preventing unauthorized access. Essentially, a firewall is a control layer inserted between an enterprise's network and the outside. It permits only some traffic to pass through. The firewall is configured by the administrator of the local network based on the enterprise's security policy. For example, the firewall may block traffic of a certain type, traffic from certain addresses, or traffic from all but a predetermined set of addresses.
Techniques used by network intruders to penetrate network security have evolved in step with the increasingly sophisticated methods for detecting them. Detection methods include software solutions, specifically software intrusion detection systems, which continually monitor network traffic and look for known patterns of attack.
When an intrusion detection system detects inappropriate activity, it generates appropriate alarms and provides other responses while the attack is occurring. For example, the intrusion detection system might report the attack, log the attack, and terminate the misused connection.
One approach to intrusion detection relies on known patterns of unauthorized activity, referred to as “signatures”. These signatures are stored, and, in real time, compared to the packet flow incoming to the network. If a match is found, the incoming datastream is assumed to be misused.
Many existing intrusion detection systems are host-based rather than network-based. A host-based system resides on a particular host computer and detects only attacks on that host. A network-based system is connected at some point on a local network and detects attacks across the entire local network.
As an example of network-based intrusion detection, one known pattern of unauthorized access is associated with “IP spoofing”, whereby an intruder sends messages to a computer with an IP address indicating that the message is from a trusted port. To engage in IP spoofing, the intruder must first use a variety of techniques to find an IP address of a trusted port and must then modify the packet headers so that it appears that the packets are coming from that port. This activity results in a signature that can be detected when matched to a previously stored signature of the same activity.
SUMMARY OF THE INVENTION
One aspect of the invention is a method of detecting unauthorized access on a network as indicated by signature analysis of packet traffic on the network. A plurality of intrusion detection sensors are connected at a network entry point associated with an internetworking device, such as a router or switch. The packet load to the sensors is “load balanced”, such that said packets are distributed at least at a session-based level. The load balancing may be at a lower (packet-based) level, which tends to more evenly distribute the load on each sensor but requires additional processing external to the sensors or requires sharing of session-level data between sensors. The sensors are used to detect signatures indicated by the packets. Packets indicating a composite signature from multiple sessions are delivered to a network analyzer, which detects the composite signatures. The results of the detection performed by the sensors and the network analyzer are used to determine if there is an attempt to gain unauthorized access to the network.
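The following is an added illustration of the arrangement the summary describes and of the per-session signature matching introduced in the background; it is example code written for this page, not Cisco's implementation or any code from the patent. It assumes a simplified packet model, two constructed per-session byte-pattern signatures, and one constructed composite signature (a single source opening sessions to many distinct ports), with the sweep threshold, sample addresses and payloads all made up. It shows session-based balancing (hash of a direction-independent 5-tuple, so both halves of a session reach the same sensor), packet-based round-robin balancing for contrast (more even, but it splits sessions across sensors, which is why that mode needs session state shared between sensors), sensors matching per-session signatures locally, and a network analyzer that sees forwarded packets from every sensor and therefore can match the multi-session pattern no single sensor could.

```python
"""Constructed example: load-balanced IDS sensors feeding a network analyzer."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    sport: int
    dport: int
    proto: str      # "tcp" or "udp"
    flags: str      # simplified TCP flag string, e.g. "S" for a bare SYN
    payload: bytes


def session_key(pkt: Packet):
    """Direction-independent 5-tuple: both halves of a session map to the same key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def pick_sensor_session(pkt: Packet, n_sensors: int) -> int:
    """Session-based balancing: hash the session key so a session never splits across sensors."""
    digest = hashlib.sha256(repr(session_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def pick_sensor_packet(index: int, n_sensors: int) -> int:
    """Packet-based (round-robin) balancing: evens out load but splits sessions."""
    return index % n_sensors


# Constructed per-session signatures: byte patterns one sensor can match on its own.
SIGNATURES = {
    "constructed-traversal-probe": b"../../",
    "constructed-bad-token": b"EXAMPLE-BAD-TOKEN",
}


class Sensor:
    def __init__(self, sensor_id: int):
        self.sensor_id = sensor_id
        self.alerts = []      # (signature name, session key) matched locally
        self.forwarded = []   # packets handed to the analyzer for composite analysis

    def inspect(self, pkt: Packet):
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                self.alerts.append((name, session_key(pkt)))
        # A bare SYN proves nothing alone but may belong to a multi-session pattern,
        # so it is forwarded to the analyzer instead of being judged here.
        if pkt.proto == "tcp" and pkt.flags == "S":
            self.forwarded.append(pkt)


class Analyzer:
    """Receives forwarded packets from all sensors, so it can see composite signatures."""
    def __init__(self, sweep_threshold: int):
        self.sweep_threshold = sweep_threshold
        self.targets_by_src = defaultdict(set)

    def ingest(self, pkt: Packet):
        self.targets_by_src[pkt.src].add((pkt.dst, pkt.dport))

    def composite_alerts(self):
        # Constructed composite signature: one source contacting many distinct ports.
        return {src: len(t) for src, t in self.targets_by_src.items()
                if len(t) >= self.sweep_threshold}


def run_pipeline(packets, n_sensors=3, sweep_threshold=4):
    """Balance packets by session, run the sensors, then the analyzer; return findings."""
    sensors = [Sensor(i) for i in range(n_sensors)]
    analyzer = Analyzer(sweep_threshold)
    assignment = []
    for pkt in packets:
        sid = pick_sensor_session(pkt, n_sensors)
        assignment.append(sid)
        sensors[sid].inspect(pkt)
    for s in sensors:
        for pkt in s.forwarded:
            analyzer.ingest(pkt)
    return {
        "assignment": assignment,
        "session_alerts": [a for s in sensors for a in s.alerts],
        "composite_alerts": analyzer.composite_alerts(),
    }


def sessions_split(packets, chooser) -> bool:
    """True if any session's packets land on more than one sensor under `chooser(i, pkt)`."""
    seen = defaultdict(set)
    for i, pkt in enumerate(packets):
        seen[session_key(pkt)].add(chooser(i, pkt))
    return any(len(s) > 1 for s in seen.values())


# Constructed sample traffic: one session carrying a traversal probe, one benign
# session, and one source touching five different ports (the composite pattern).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", "S", b""),
    Packet("192.0.2.10", "10.0.0.5", 80, 40000, "tcp", "SA", b""),
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, "tcp", "PA", b"GET /../../config HTTP/1.0"),
    Packet("10.0.0.6", "192.0.2.10", 40001, 80, "tcp", "PA", b"GET /index.html HTTP/1.0"),
] + [
    Packet("198.51.100.7", "192.0.2.10", 50000 + p, p, "tcp", "S", b"")
    for p in (21, 22, 23, 25, 80)
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_PACKETS))
```

Running the block prints the sensor assignment for each sample packet, the per-session alert raised by whichever sensor received the probing session, and the composite alert for the sweeping source, which only the analyzer can produce because its five sessions were spread across the sensors. Swapping `pick_sensor_session` for `pick_sensor_packet` in `run_pipeline` gives a flatter load per sensor but lets `sessions_split` report split sessions, the cost the summary attributes to packet-level balancing.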
An advantage of the invention is that it provides a processor-based intrusion detection system that can keep up with the high traffic throughput of today's networks. Existing sensors may be used, and the solution provided by the invention is easily scalable.
Lathem Gerald S.
Shanklin Steven D.
Baker & Botts L.L.P.
Cisco Technology Inc.
Ha Leynna
Hayes Gail