公开(公告)号：US07768921B2

公开(公告)日：2010-08-03

申请号：US11589645

申请日：2006-10-30

申请人： Harshad Nakil ,  Bryan Burns ,  Ankur Singla

发明人： Harshad Nakil ,  Bryan Burns ,  Ankur Singla

IPC分类号： G08B23/00

CPC分类号： H04L63/1425

摘要： In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

摘要翻译： 通常，本发明涉及识别计算机网络中感染的网络设备的技术，其中来往和来自被感染的网络设备的流量不一定通过计算机网络上的单个点路由。 例如，网络设备中的各个线路卡从主机表中的网络设备计数传入的网络流。 然后，所有参与的网络设备的所有线路卡的主机表相关。 然后确定来自网络设备的流量是否大大超过了到网络设备的流量的数量。 如果是这样，网络设备可能被认为是可疑的。 来自可疑网络设备的数据包可能会重新路由到网络安全设备以进行更全面的检查。

公开(公告)号：US20080101234A1

公开(公告)日：2008-05-01

申请号：US11589645

申请日：2006-10-30

申请人： Harshad Nakil ,  Bryan Burns ,  Ankur Singla

发明人： Harshad Nakil ,  Bryan Burns ,  Ankur Singla

IPC分类号： H04J1/16

CPC分类号： H04L63/1425

摘要： In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

摘要翻译： 通常，本发明涉及识别计算机网络中感染的网络设备的技术，其中来往和来自被感染的网络设备的流量不一定通过计算机网络上的单个点路由。 例如，网络设备中的各个线路卡从主机表中的网络设备计数传入的网络流。 然后，所有参与的网络设备的所有线路卡的主机表相关。 然后确定来自网络设备的流量是否大大超过了到网络设备的流量的数量。 如果是这样，网络设备可能被认为是可疑的。 来自可疑网络设备的数据包可能会重新路由到网络安全设备以进行更全面的检查。

公开(公告)号：US08341724B1

公开(公告)日：2012-12-25

申请号：US12339948

申请日：2008-12-19

申请人： Bryan Burns ,  Vladimir Sukhanov

发明人： Bryan Burns ,  Vladimir Sukhanov

IPC分类号： H04L29/06

CPC分类号： H04L63/0428 ,  H04L63/1416 ,  H04L63/145 ,  H04L67/14 ,  H04L69/22 ,  H04L2463/144

摘要： Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack, wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that packet is encrypted, the attack detection module determines that the packet is associated with a network attack.

摘要翻译： 描述了阻止未识别的加密通信会话的技术。 在一个实施例中，一种设备包括用于接收分组的接口，用于尝试识别与所述分组相关联的应用的应用识别模块，加密检测模块，用于当所述应用识别模块不能识别所述分组时确定所述分组是否被加密 与分组关联的应用，以及攻击检测模块，用于确定分组是否与网络攻击相关联，以在分组不与网络攻击相关联时转发分组，以及当分组与网络攻击相关联时采取响应 网络攻击，其中所述加密检测模块向所述攻击检测模块发送指示所述分组是否被加密的消息，其中当所述消息指示所述分组被加密时，所述攻击检测模块确定所述分组与网络攻击相关联。

公开(公告)号：US08291495B1

公开(公告)日：2012-10-16

申请号：US11835923

申请日：2007-08-08

申请人： Bryan Burns ,  Siying Yang ,  Julien Sobrier

发明人： Bryan Burns ,  Siying Yang ,  Julien Sobrier

IPC分类号： G06F11/00

CPC分类号： H04L63/0254 ,  H04L63/1441 ,  H04L63/168

摘要： An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.

摘要翻译： 描述了入侵检测系统（IDS）设备，其包括用于从客户端接收第一分组流并从服务器接收第二分组流的流分析模块。 IDS包括将第一分组流发送到服务器的转发组件和到客户端的第二分组流以及状态检查引擎，以将一组或多组模式应用于第一分组流，以确定第一分组流是否代表 网络攻击 IDS还包括应用识别模块，用于执行与第一分组流相关联的软件应用和通信协议的类型的初始识别，并且根据第二分组流来重新评估软件应用和协议的类型的标识。 IDS可能有助于消除假阳性和假阴性攻击识别。

公开(公告)号：US07904961B2

公开(公告)日：2011-03-08

申请号：US11738059

申请日：2007-04-20

申请人： Qingming Ma ,  Bryan Burns ,  Krishna Narayanaswamy ,  Vipin Rawat ,  Michael Chuong Shieh

发明人： Qingming Ma ,  Bryan Burns ,  Krishna Narayanaswamy ,  Vipin Rawat ,  Michael Chuong Shieh

IPC分类号： G06F11/00

CPC分类号： H04L63/1416 ,  G06F21/552 ,  G06F21/74 ,  G06F21/76 ,  G06F2221/2105 ,  H04L63/0227

摘要： This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA.

摘要翻译： 本公开描述了用于确定网络流量是否包含一个或多个计算机安全威胁的技术。 为了确定符号流是否符合符号模式，安全设备存储接受符合符号模式的符号流的完全确定性有限自动机（fDFA）。 安全设备还创建一个部分确定性有限自动机（pDFA），其中包含与fDFA中具有最高访问级别的节点相对应的节点。 安全设备使用pDFA处理符号流中的每个符号，直到符号导致pDFA转换到故障节点或接受节点。 如果符号导致pDFA转换到故障节点，则安全设备使用fDFA处理符号流中的符号和后续符号。

公开(公告)号：US08914878B2

公开(公告)日：2014-12-16

申请号：US12432325

申请日：2009-04-29

申请人： Bryan Burns ,  Krishna Narayanaswamy

发明人： Bryan Burns ,  Krishna Narayanaswamy

IPC分类号： H04L29/06 ,  G06F21/00

CPC分类号： H04L63/1441 ,  H04L63/14 ,  H04L63/1416 ,  H04L2463/144

摘要： This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.

摘要翻译： 本公开描述了用于确定网络会话是否源于自动化软件代理的技术。 在一个示例中，诸如路由器的网络设备包括用于接收网络会话的分组的网络接口，基于多个度量来计算网络会话数据的多个分数的机器人检测模块，其中， 度量对应于由自动化软件代理发起的网络会话的特征，以从多个分数的聚合中产生聚合分数，并且当聚合分数超过一个分数时，确定网络会话由自动软件代理发起 阈值，以及当网络会话被确定为由自动化软件代理发起时执行编程响应的攻击检测模块。 每个分数表示网络会话由自动化软件代理发起的可能性。

公开(公告)号：US08621621B1

公开(公告)日：2013-12-31

申请号：US13333358

申请日：2011-12-21

申请人： Bryan Burns ,  Alex Waterman

发明人： Bryan Burns ,  Alex Waterman

IPC分类号： G06F12/14

CPC分类号： H04L63/145 ,  G06F21/54 ,  G06F21/568 ,  H04L63/1416

摘要： A computing device may receive content from a content source. The content may include software code that is executable by a web browser, and may be directed to another computing device. The computing device may inject security content into the content. The security content may include software instructions to enable the web browser to detect malicious software content within the content. The computing device may communicate the content to the other computing device.

公开(公告)号：US08261352B2

公开(公告)日：2012-09-04

申请号：US12468454

申请日：2009-05-19

申请人： Qingming Ma ,  Bryan Burns ,  Sheng Li ,  Na Liu ,  Xuejun Wu ,  Shan Yu ,  Li Zheng

发明人： Qingming Ma ,  Bryan Burns ,  Sheng Li ,  Na Liu ,  Xuejun Wu ,  Shan Yu ,  Li Zheng

IPC分类号： G06F21/06

CPC分类号： H04L63/1416

摘要： A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current, when it is determined that the current state is insensitive.

摘要翻译： 一种方法包括接收数据单元，确定与包括位图中的状态的一部分和DFA表中的剩余部分状态的确定性有限自动机（DFA）相关联的当前状态是否为位图状态， 以及当确定当前状态不是位图状态时，确定对应于所述数据单元的值是否大于阈值。 该方法还包括当确定对应于数据单元的值大于阈值时确定当前状态是否不敏感，其中不确定意味着每个下一状态对于当前状态是相同的状态，并且选择 默认状态，作为当前的下一状态，当确定当前状态不敏感时。

公开(公告)号：US20080263665A1

公开(公告)日：2008-10-23

申请号：US11738059

申请日：2007-04-20

申请人： Qingming Ma ,  Bryan Burns ,  Krishna Narayanaswamy ,  Vipin Rawat ,  Michael Chuong Shieh

发明人： Qingming Ma ,  Bryan Burns ,  Krishna Narayanaswamy ,  Vipin Rawat ,  Michael Chuong Shieh

IPC分类号： G06F11/00

CPC分类号： H04L63/1416 ,  G06F21/552 ,  G06F21/74 ,  G06F21/76 ,  G06F2221/2105 ,  H04L63/0227

摘要： This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA.

摘要翻译： 本公开描述了用于确定网络流量是否包含一个或多个计算机安全威胁的技术。 为了确定符号流是否符合符号模式，安全设备存储接受符合符号模式的符号流的完全确定性有限自动机（fDFA）。 安全设备还创建一个部分确定性有限自动机（pDFA），其中包含与fDFA中具有最高访问级别的节点相对应的节点。 安全设备使用pDFA处理符号流中的每个符号，直到符号导致pDFA转换到故障节点或接受节点。 如果符号导致pDFA转换到故障节点，则安全设备使用fDFA处理符号流中的符号和后续符号。

公开(公告)号：US20110055921A1

公开(公告)日：2011-03-03

申请号：US12607107

申请日：2009-10-28

申请人： Krishna Narayanaswamy ,  Bryan Burns ,  Venkata Rama Raju Manthena

发明人： Krishna Narayanaswamy ,  Bryan Burns ,  Venkata Rama Raju Manthena

IPC分类号： H04L29/06 ,  G06F15/18

CPC分类号： H04L63/1458 ,  H04L63/1416

摘要： A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.

摘要翻译： 网络安全设备对流量执行三阶段分析，以识别恶意客户端。 在一个示例中，设备包括攻击检测模块，在第一阶段期间，在第二阶段期间，监视与受保护网络设备的网络连接，以监视多个网络会话的多种类型的事务，当用于 所述连接超过连接阈值，并且在第三阶段期间，当与所述至少一种类型的事务相关联的参数超过事务类型时，监视与所述至少一种类型的事务的事务起始的网络地址相关联的通信 阈。 当来自所述至少一个网络地址的所述多种类型的交易中的至少一种交易的交易超过客户端交易阈值时，所述设备相对于所述网络地址中的至少一个执行编程动作。