公开(公告)号：US08789180B1

公开(公告)日：2014-07-22

申请号：US13367183

申请日：2012-02-06

申请人： Siying Yang ,  Krishna Narayanaswamy

发明人： Siying Yang ,  Krishna Narayanaswamy

IPC分类号： G06F12/14

CPC分类号： H04L63/0245 ,  G06F21/554 ,  H04L12/00 ,  H04L12/4633 ,  H04L47/2475 ,  H04L47/2483 ,  H04L63/02 ,  H04L63/0263 ,  H04L63/1416 ,  H04L63/168 ,  H04L67/00 ,  H04L69/22

摘要： An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this was, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.

摘要翻译： 描述了入侵检测系统，其能够应用多个堆叠（分层）应用层解码器，以从在应用层操作的多个应用或第七层（L7）产生的隧道化分组流提取封装的应用层数据， ，一个网络堆栈。 这就是说，即使当一个或多个软件应用程序利用其他软件应用程序进行数据传输以产生来自网络设备的数据包流时，IDS也能执行应用程序识别和解码。 当应用于给定的分组或分组流时，协议解码器可以被动态地交换，重用和堆叠（分层）。

公开(公告)号：US08321595B2

公开(公告)日：2012-11-27

申请号：US13092532

申请日：2011-04-22

申请人： Krishna Narayanaswamy ,  Siying Yang

发明人： Krishna Narayanaswamy ,  Siying Yang

IPC分类号： G06F15/16

CPC分类号： H04L43/10 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/10 ,  H04L63/1408

摘要： A method may include receiving a communication from a client device and identifying a port number, a protocol and a destination associated with the communication. The method may also include identifying a first application being executed by the first client device based on the port number, the protocol and the destination associated with the first communication.

摘要翻译： 一种方法可以包括从客户端设备接收通信并识别端口号，协议和与该通信相关联的目的地。 该方法还可以包括基于与第一通信相关联的端口号，协议和目的地识别由第一客户端设备执行的第一应用。

公开(公告)号：US08112800B1

公开(公告)日：2012-02-07

申请号：US11937163

申请日：2007-11-08

申请人： Siying Yang ,  Krishna Narayanaswamy

发明人： Siying Yang ,  Krishna Narayanaswamy

IPC分类号： G06F12/14

CPC分类号： H04L63/0245 ,  G06F21/554 ,  H04L12/00 ,  H04L12/4633 ,  H04L47/2475 ,  H04L47/2483 ,  H04L63/02 ,  H04L63/0263 ,  H04L63/1416 ,  H04L63/168 ,  H04L67/00 ,  H04L69/22

摘要： An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this was, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.

摘要翻译： 描述了入侵检测系统，其能够应用多个堆叠（分层）应用层解码器，以从在应用层操作的多个应用或第七层（L7）产生的隧道化分组流提取封装的应用层数据， ，一个网络堆栈。 这就是说，即使当一个或多个软件应用程序利用其他软件应用程序进行数据传输以产生来自网络设备的数据包流时，IDS也能执行应用程序识别和解码。 当应用于给定的分组或分组流时，协议解码器可以被动态地交换，重用和堆叠（分层）。

公开(公告)号：US07953895B1

公开(公告)日：2011-05-31

申请号：US11682993

申请日：2007-03-07

申请人： Krishna Narayanaswamy ,  Siying Yang

发明人： Krishna Narayanaswamy ,  Siying Yang

IPC分类号： G06F15/16

CPC分类号： H04L43/10 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/10 ,  H04L63/1408

摘要： A method may include receiving a communication from a client device and identifying a port number, a protocol and a destination associated with the communication. The method may also include identifying a first application being executed by the first client device based on the port number, the protocol and the destination associated with the first communication.

摘要翻译： 一种方法可以包括从客户端设备接收通信并识别端口号，协议和与该通信相关联的目的地。 该方法还可以包括基于与第一通信相关联的端口号，协议和目的地识别由第一客户端设备正在执行的第一应用。

公开(公告)号：US08484385B2

公开(公告)日：2013-07-09

申请号：US13616333

申请日：2012-09-14

申请人： Krishna Narayanaswamy ,  Siying Yang

发明人： Krishna Narayanaswamy ,  Siying Yang

IPC分类号： G06F15/16

CPC分类号： H04L43/10 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/10 ,  H04L63/1408

摘要： A method may include receiving a communication from a client device and identifying a port number, a protocol and a destination associated with the communication. The method may also include identifying a first application being executed by the first client device based on the port number, the protocol and the destination associated with the first communication.

公开(公告)号：US09398043B1

公开(公告)日：2016-07-19

申请号：US12409634

申请日：2009-03-24

申请人： Siying Yang

发明人： Siying Yang

IPC分类号： H04L29/06

CPC分类号： H04L63/1441

摘要： An intrusion detection system inspects encapsulated packet flows and, upon detecting a malicious encapsulated packet flow, may close an encapsulated network session corresponding to the malicious flow or drop sub-packets of the malicious flow without acting against non-malicious sub-packets and/or sessions. In one example, a network device includes a flow analysis module that receives a packet flow packets, each packet comprising a packet header and one or more sub-packets each corresponding to respective network sessions, an attack detection module that identifies at least one of the network sessions as a malicious network session, a policy action module that executes a policy action on the sub-packet corresponding to the malicious network session based on the identification of the malicious network session, and a forwarding component that forms a reconstructed packet comprising the packet header and the sub-packets excluding the sub-packet corresponding to the malicious network session and forwards the reconstructed packet.

摘要翻译： 入侵检测系统检查封装的分组流，并且在检测到恶意封装的分组流时，可以关闭与恶意流相对应的封装的网络会话或丢弃恶意流的子分组，而不对非恶意的分组和/或 会话 在一个示例中，网络设备包括流分析模块，其接收分组流分组，每个分组包括分组报头和每个对应于相应网络会话的一个或多个子分组;攻击检测模块，其识别至少一个 网络会话作为恶意网络会话，基于恶意网络会话的识别，对与恶意网络会话相对应的子分组执行策略动作的策略动作模块，以及形成包含该分组的重构分组的转发组件 头和除了与恶意网络会话相对应的子分组的子分组，并转发重构的分组。

公开(公告)号：US08291495B1

公开(公告)日：2012-10-16

申请号：US11835923

申请日：2007-08-08

申请人： Bryan Burns ,  Siying Yang ,  Julien Sobrier

发明人： Bryan Burns ,  Siying Yang ,  Julien Sobrier

IPC分类号： G06F11/00

CPC分类号： H04L63/0254 ,  H04L63/1441 ,  H04L63/168

摘要： An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.

摘要翻译： 描述了入侵检测系统（IDS）设备，其包括用于从客户端接收第一分组流并从服务器接收第二分组流的流分析模块。 IDS包括将第一分组流发送到服务器的转发组件和到客户端的第二分组流以及状态检查引擎，以将一组或多组模式应用于第一分组流，以确定第一分组流是否代表 网络攻击 IDS还包括应用识别模块，用于执行与第一分组流相关联的软件应用和通信协议的类型的初始识别，并且根据第二分组流来重新评估软件应用和协议的类型的标识。 IDS可能有助于消除假阳性和假阴性攻击识别。