Abstract:
A method and apparatus are described for selecting a representative signature to be used in identifying content in a packet stream. The method may comprise receiving the packet stream and obtaining content from the data payload of a packet in the stream. A plurality of signatures is then identified from the content, and a complexity score or a frequency score is determined based on the content. One signature of the plurality is then selected as the representative signature based on the complexity score or the frequency score.
Abstract:
Network worms and viruses are a growing threat to the security of public and private networks and of the individual computers that make up those networks. A content sifting method is provided that automatically generates a precise signature for a worm or virus; the signature can then be used to significantly reduce the propagation of the worm elsewhere in the network or to eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of those packets, including variant strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for a suspected worm.
Abstract:
Attacks against computer systems are detected by automatically deriving signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the resources needed to establish the commonalities. In one embodiment, signatures are created using the data reduction hash technique, and frequent signatures are found by reducing the signatures with that hash technique. Each frequent signature is analyzed for content, and content that is spreading is flagged as a possible attack. Additional checks can also be carried out to look for code within the signal, for spam, for backdoors, or for program code.
Abstract:
A method and apparatus are described for identifying content in a packet. The method may obtain a data sample from the packet, where the data sample lies in a predetermined window at an initial offset point in the packet. For each offset point, a first stage of processing is performed on the data sample to identify whether it corresponds to a potentially relevant reference string. A more focused second stage of processing may then be carried out on the data sample for the same purpose. Thereafter, an even more focused third stage of processing may be carried out on the data sample to obtain a third stage result. If the data sample passes all three stages of processing, a predefined action associated with the reference string corresponding to the data sample is identified.
Abstract:
A method and apparatus are described for processing packets in a network. The method may comprise receiving a packet and determining its length K. If K is less than a reference length M, no analysis is performed on the packet. Otherwise, the method determines whether K is greater than a reference window size WRef. When K is greater than WRef, the window size W used to process the packet is set equal to WRef; when K is less than WRef, W is set equal to the packet length K. Thereafter, the packet is processed using the window size W.
Abstract:
A method and device for processing a packet received by a network device are described. The method may comprise analyzing the packet to identify at least one set of a plurality of sets, mapping the at least one set to at least one functional unit, and performing the functionality associated with that functional unit. Analyzing the packet to identify at least one of the plurality of sets may comprise determining when the packet includes at least one set identifier and identifying the set based on that set identifier. A set status identifier may be defined for each set, indicating when set identifiers associated with the corresponding set are detected in the packet. The device may be a router, a switch, or any other device that processes digital data, e.g. packet data including packet headers, payload, or the like.
Abstract:
A method and apparatus for detecting malicious attacks are described. The method may comprise obtaining routing information from a packet communicated via a network and maintaining a count of packets associated with the device identified by that routing information. For example, the routing information may be a source or destination IP address, a port number, or any other routing information. The device may be classified as a potentially malicious device when the count exceeds a threshold. The count may be incremented when the TCP SYN flag is set and the TCP ACK flag is not set. One embodiment comprises obtaining a source hash of the source IP address and a destination hash of the destination IP address. Thereafter, the source hash and the destination hash may be mapped to multi-stage filters, and the device associated with the packet may then be selectively categorized as a suspicious device.