WO2007005544B1 - Active packet content analyzer for communications network - Google Patents

Active packet content analyzer for communications network

Info

Publication number
WO2007005544B1
Authority
WO
WIPO (PCT)
Prior art keywords
match
search engine
network search
signature
network
Prior art date
Application number
PCT/US2006/025436
Other languages
French (fr)
Other versions
WO2007005544A2 (en)
WO2007005544A3 (en)
Inventor
Eldad Matityahu
Robert E Shaw
Khalid Masood
Ali-Moosa R Syed
Siuman Hui
Bhagyashri Bhagvat
Anis Ur Rahman
Original Assignee
Net Optics Inc
Eldad Matityahu
Robert E Shaw
Khalid Masood
Ali-Moosa R Syed
Siuman Hui
Bhagyashri Bhagvat
Anis Ur Rahman
Priority date
Filing date
Publication date
Application filed by Net Optics Inc, Eldad Matityahu, Robert E Shaw, Khalid Masood, Ali-Moosa R Syed, Siuman Hui, Bhagyashri Bhagvat, Anis Ur Rahman
Priority to EP06785878.7A (EP1908219B1)
Publication of WO2007005544A2
Publication of WO2007005544A3
Publication of WO2007005544B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload

Abstract

An active packet inspection device for a communications network comprises a first terminal and a second terminal, each adapted to couple the device in-line in the network and to communicate data packets with network devices. A packet processor, coupled to the first terminal and the second terminal, is configured to normalize the data packets. A memory stores signatures. A network search engine, coupled to the packet processor and the memory, is configured to compare the data packets with the stored signatures and, when a match is found and other specified conditions are met, to perform an action identified in an associated rule. In one aspect, the network search engine includes a network search engine controller and a network search engine table including a memory configured to store a plurality of replicated signatures. Advantages of the invention include the ability to perform deep packet inspection actively, in-line, on a communications network at high speed.

Claims

AMENDED CLAIMS received by the International Bureau on 08 April 2008 (08.04.08)
1. An active packet content analyzer for a communications network, comprising: a first terminal and a second terminal each adapted to couple the active packet content analyzer in-line in the communications network and to communicate data packets with network devices; a packet processor coupled to the first terminal and the second terminal, the packet processor configured to mask a portion of the data packets for resulting in an unmasked portion of the data packets, the packet processor further configured to provide the unmasked portion of the data packets for evaluation; and a network search engine coupled to the packet processor and configured to compare the unmasked portion of the data packets with stored signatures, and when a match between the unmasked portion of the data packets and the stored signatures is found, to perform an action identified in an associated rule.
2. The active packet content analyzer of claim 1, wherein: the network search engine includes multiple entries for each stored signature, where each signature is replicated a number of times and staggered with respect to one another; and search time is reduced in proportion to the number of replicated stored signatures.
3. The active packet content analyzer of claim 2, wherein: the network search engine includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
4. The active packet content analyzer of claim 1, wherein: the network search engine includes a network search engine controller and a network search engine table including a memory configured to store the signatures, where each signature is replicated a number of times and staggered with respect to one another; and search time is reduced in proportion to the number of replicated stored signatures.
5. The active packet content analyzer of claim 4, wherein: the network search engine table includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
6. The active packet content analyzer of claim 1, wherein: the actions taken by the analyzer based on a signature match, other conditions match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
7. The active packet content analyzer of claim 2, wherein: the actions taken by the analyzer based on a signature match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
8. The active packet content analyzer of claim 4, wherein: the actions taken by the deep packet content analyzer based on a signature match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
9. The active packet content analyzer of claim 1, further comprising: a user interface to an administrative computer; and wherein the administrative computer is configured to communicate with the network search engine to upload rules to the network search engine.
10. The active packet content analyzer of claim 2, further comprising: a user interface to an administrative computer; and wherein the administrative computer is configured to communicate with the network search engine to upload rules to the network search engine.
11. A method of monitoring a communications network using an active packet content analyzer coupled in-line in the network, the active deep packet content analyzer including a packet processor and a network search engine, the method comprising the steps of: receiving data packets; masking a portion of the data packets to result in an unmasked portion of the data packets; comparing unmasked portion of the data packets with stored signatures; and when a match between the unmasked portion of the data packets and the stored signatures is found, performing an action identified in an associated rule.
12. The method of claim 11, further comprising the step of: storing multiple entries for each stored signature, where each signature is replicated a number of times and staggered with respect to one another; and wherein search time is reduced in proportion to the number of replicated stored signatures.
13. The method of claim 12, wherein: the network search engine includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
14. The method of claim 11, wherein the network search engine includes a network search engine controller and a network search engine table, further comprising the step of: storing multiple entries for each stored signature in the network search table, where each signature is replicated a number of times and staggered with respect to one another; and wherein search time is reduced in proportion to the number of replicated stored signatures.
15. The method of claim 14, wherein: the network search engine table includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
16. The method of claim 11, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
17. The method of claim 12, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
18. The method of claim 14, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
19. The method of claim 11, further comprising the step of: communicating with the network search engine to upload rules to the network search engine.
20. The method of claim 12, further comprising the step of: communicating with the network search engine to upload rules to the network search engine.
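As an added worked example for this page (not code from the patent, from Net Optics, or from any product), the following Python models the mechanism the abstract and claims describe: a packet processor masks a portion of each packet, the network search engine compares the unmasked portion in a single parallel lookup against a table in which every signature is stored 16 times with each copy staggered one byte from the last, and a hit triggers the alert, drop, log or replace action of the associated rule. The 54-byte header stand-in, the three rules, the packets and the first-match priority order are constructed assumptions; the compare-window width is derived from the replication count and the longest signature and is also an assumption, since the page does not state the hardware's word size.

```python
"""Model of the in-line analyzer the claims describe: mask the headers, compare the unmasked
bytes against a table of replicated, staggered signatures, then act on the first hit."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DONT_CARE = None   # wildcard cell, like a masked bit in a ternary CAM
REPLICAS = 16      # the 16-fold replication named in claims 3, 5, 13 and 15
HEADER_LEN = 54    # assumed: Ethernet + IPv4 + TCP headers without options
CONSTRUCTED_HEADER = bytes(range(HEADER_LEN))   # constructed stand-in for real headers


@dataclass(frozen=True)
class Rule:
    name: str
    signature: bytes
    action: str                 # "alert", "drop", "log" or "replace" (claims 6-8, 16-18)
    replacement: bytes = b""    # for "replace"; same length so the packet size is unchanged


@dataclass(frozen=True)
class Entry:
    pattern: Tuple[Optional[int], ...]   # one cell per byte of the compare window
    offset: int                          # where this copy's signature starts in the window
    rule: Rule


def build_table(rules: List[Rule], replicas: int = REPLICAS) -> Tuple[List[Entry], int]:
    """Store each signature `replicas` times, each copy shifted one byte further into the
    window (claims 2 and 4). Returns (table in priority order, window width per lookup)."""
    for r in rules:
        if r.action == "replace" and len(r.replacement) != len(r.signature):
            raise ValueError(f"{r.name}: replacement must be as long as the signature")
    width = replicas + max(len(r.signature) for r in rules) - 1   # last stagger must fit
    table: List[Entry] = []
    for rule in rules:
        for k in range(replicas):
            cells: List[Optional[int]] = [DONT_CARE] * width
            cells[k:k + len(rule.signature)] = list(rule.signature)
            table.append(Entry(tuple(cells), k, rule))
    return table, width


def lookup(table: List[Entry], window: bytes) -> Optional[Entry]:
    """One compare of `window` against every entry at once; the first (highest priority) hit wins."""
    for entry in table:
        if all(c is DONT_CARE or (i < len(window) and window[i] == c)
               for i, c in enumerate(entry.pattern)):
            return entry
    return None


def search(table: List[Entry], width: int, data: bytes,
           replicas: int = REPLICAS) -> Tuple[Optional[Rule], int, int]:
    """Scan `data` advancing `replicas` bytes per lookup, since the staggered copies cover every
    alignment inside that stride. Returns (rule or None, match position, lookups used)."""
    lookups = 0
    for start in range(0, len(data), replicas):
        lookups += 1
        hit = lookup(table, data[start:start + width])
        if hit is not None:
            return hit.rule, start + hit.offset, lookups
    return None, -1, lookups


def header_mask(packet_len: int, header_len: int = HEADER_LEN) -> bytes:
    """Per-byte mask: 0x00 = masked out of the evaluation, 0xFF = evaluated."""
    return bytes(header_len)[:packet_len] + b"\xff" * max(0, packet_len - header_len)


def unmask(packet: bytes, mask: bytes) -> Tuple[bytes, List[int]]:
    """Unmasked portion plus a map from its indices back to packet offsets."""
    keep = [i for i, m in enumerate(mask) if m]
    return bytes(packet[i] for i in keep), keep


def process(packet: bytes, mask: bytes, table: List[Entry], width: int,
            replicas: int = REPLICAS) -> Tuple[str, Optional[bytes], List[str]]:
    """In-line decision for one packet: (action taken, packet to forward or None, events)."""
    unmasked, index_map = unmask(packet, mask)
    rule, pos, lookups = search(table, width, unmasked, replicas)
    if rule is None:
        return "pass", packet, []
    start = index_map[pos]
    events = [f"{rule.action} on match: {rule.name} at offset {start} after {lookups} lookup(s)"]
    if rule.action == "drop":
        return "drop", None, events
    if rule.action == "replace":
        out = bytearray(packet)
        out[start:start + len(rule.signature)] = rule.replacement
        return "replace", bytes(out), events
    return rule.action, packet, events      # alert / log: forward unchanged


# Constructed rule set for the example; not from the patent.
RULES = [Rule("exec-request", b"cmd.exe", "drop"),
         Rule("redact-token", b"token=secret01", "replace", b"token=XXXXXXXX"),
         Rule("scanner-ua", b"nikto", "log")]

if __name__ == "__main__":
    table, width = build_table(RULES)
    for payload in (b"GET /cgi-bin/x?cmd.exe HTTP/1.0\r\n", b"POST /login?token=secret01&x=1 HTTP/1.0",
                    b"User-Agent: nikto/2.1\r\n", b"GET / HTTP/1.0\r\n"):
        pkt = CONSTRUCTED_HEADER + payload
        print(process(pkt, header_mask(len(pkt)), table, width)[::2])
```

Running the block scans four constructed packets. The search-time claim becomes visible by building the same table with `replicas=1`: locating `cmd.exe` at payload offset 15 then costs 16 lookups instead of one, because the window can only advance a byte at a time. The window is `replicas + longest - 1` bytes wide so that a signature starting anywhere inside a 16-byte stride fits in that stride's lookup; signatures split across packets are outside this model. The replace action keeps the replacement the same length as the signature so the in-line device does not change the packet length (a real device would still have to recompute the checksums it touches).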

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP06785878.7A EP1908219B1 (en) 2005-07-01 2006-06-19 Active packet content analyzer for communications network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/174,248 2005-07-01
US11/174,248 US7499412B2 (en) 2005-07-01 2005-07-01 Active packet content analyzer for communications network

Publications (3)

Publication Number Publication Date
WO2007005544A2 (en) 2007-01-11
WO2007005544A3 (en) 2008-06-12
WO2007005544B1 (en) 2008-07-24

Family

ID=37589384

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/025436 WO2007005544A2 (en) 2005-07-01 2006-06-19 Active packet content analyzer for communications network

Country Status (3)

Country Link
US (1) US7499412B2 (en)
EP (1) EP1908219B1 (en)
WO (1) WO2007005544A2 (en)

Families Citing this family (66)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7613179B2 (en) * 2003-11-26 2009-11-03 Nortel Networks Limited Technique for tracing source addresses of packets
US8331234B1 (en) 2004-09-08 2012-12-11 Q1 Labs Inc. Network data flow collection and processing
US8320242B2 (en) * 2004-12-24 2012-11-27 Net Optics, Inc. Active response communications network tap
US7760859B2 (en) * 2005-03-07 2010-07-20 Net Optics, Inc. Intelligent communications network tap port aggregator
US20070081526A1 (en) * 2005-09-27 2007-04-12 Accton Technology Corporation Network switch device
US7970878B1 (en) * 2005-11-16 2011-06-28 Cisco Technology, Inc. Method and apparatus for limiting domain name server transaction bandwidth
US7738403B2 (en) * 2006-01-23 2010-06-15 Cisco Technology, Inc. Method for determining the operations performed on packets by a network device
US8295275B2 (en) * 2006-03-20 2012-10-23 Intel Corporation Tagging network I/O transactions in a virtual machine run-time environment
US8041804B2 (en) * 2006-05-25 2011-10-18 Cisco Technology, Inc. Utilizing captured IP packets to determine operations performed on packets by a network device
US8769091B2 (en) 2006-05-25 2014-07-01 Cisco Technology, Inc. Method, device and medium for determining operations performed on a packet
KR100772523B1 (en) * 2006-08-01 2007-11-01 한국전자통신연구원 Apparatus for detecting intrusion using pattern and method thereof
US7853679B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring handling of undefined policy events
US7865589B2 (en) 2007-03-12 2011-01-04 Citrix Systems, Inc. Systems and methods for providing structured policy expressions to represent unstructured data in a network appliance
AU2008225150A1 (en) * 2007-03-12 2008-09-18 Citrix Systems, Inc. Systems and methods for configuring, applying and managing object-oriented policy expressions for a network device
US8631147B2 (en) * 2007-03-12 2014-01-14 Citrix Systems, Inc. Systems and methods for configuring policy bank invocations
US7853678B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring flow control of policy expressions
US7870277B2 (en) * 2007-03-12 2011-01-11 Citrix Systems, Inc. Systems and methods for using object oriented expressions to configure application security policies
US8490148B2 (en) 2007-03-12 2013-07-16 Citrix Systems, Inc Systems and methods for managing application security profiles
US20080306815A1 (en) * 2007-06-06 2008-12-11 Nebuad, Inc. Method and system for inserting targeted data in available spaces of a webpage
US7853689B2 (en) * 2007-06-15 2010-12-14 Broadcom Corporation Multi-stage deep packet inspection for lightweight devices
US7903576B2 (en) * 2007-08-07 2011-03-08 Net Optics, Inc. Methods and arrangement for utilization rate display
US7898984B2 (en) * 2007-08-07 2011-03-01 Net Optics, Inc. Enhanced communication network tap port aggregator arrangement and methods thereof
US8094576B2 (en) * 2007-08-07 2012-01-10 Net Optic, Inc. Integrated switch tap arrangement with visual display arrangement and methods thereof
US20090064287A1 (en) * 2007-08-28 2009-03-05 Rohati Systems, Inc. Application protection architecture with triangulated authorization
US8434140B2 (en) * 2007-11-06 2013-04-30 Barracuda Networks, Inc. Port hopping and seek you peer to peer traffic control method and system
KR101112204B1 (en) * 2007-12-04 2012-03-09 한국전자통신연구원 Mobile Advertisement Method
US7773529B2 (en) 2007-12-27 2010-08-10 Net Optic, Inc. Director device and methods thereof
KR101425621B1 (en) * 2008-01-15 2014-07-31 삼성전자주식회사 Method and system for sharing contents securely
US9100268B2 (en) * 2008-02-27 2015-08-04 Alcatel Lucent Application-aware MPLS tunnel selection
US8094560B2 (en) * 2008-05-19 2012-01-10 Cisco Technology, Inc. Multi-stage multi-core processing of network packets
US8667556B2 (en) 2008-05-19 2014-03-04 Cisco Technology, Inc. Method and apparatus for building and managing policies
US20090288104A1 (en) * 2008-05-19 2009-11-19 Rohati Systems, Inc. Extensibility framework of a network element
US8677453B2 (en) 2008-05-19 2014-03-18 Cisco Technology, Inc. Highly parallel evaluation of XACML policies
US20100070471A1 (en) * 2008-09-17 2010-03-18 Rohati Systems, Inc. Transactional application events
KR100964375B1 (en) * 2008-10-31 2010-06-17 한국전자통신연구원 Interception Method
CN101771627B (en) 2009-01-05 2015-04-08 武汉邮电科学研究院 Equipment and method for analyzing and controlling node real-time deep packet on internet
US8954725B2 (en) * 2009-05-08 2015-02-10 Microsoft Technology Licensing, Llc Sanitization of packets
US9813448B2 (en) 2010-02-26 2017-11-07 Ixia Secured network arrangement and methods thereof
US9019863B2 (en) * 2010-02-26 2015-04-28 Net Optics, Inc. Ibypass high density device and methods thereof
US8737197B2 (en) 2010-02-26 2014-05-27 Net Optic, Inc. Sequential heartbeat packet arrangement and methods thereof
US8755293B2 (en) 2010-02-28 2014-06-17 Net Optics, Inc. Time machine device and methods thereof
US9749261B2 (en) 2010-02-28 2017-08-29 Ixia Arrangements and methods for minimizing delay in high-speed taps
EP2540048B1 (en) 2010-02-28 2019-07-17 Keysight Technologies Singapore (Sales) Pte. Ltd. Gigabits zero-delay tap and methods thereof
CN102196478B (en) * 2010-03-01 2014-10-22 中兴通讯股份有限公司 Diagnosis method and system for failure of network management system
US9122877B2 (en) 2011-03-21 2015-09-01 Mcafee, Inc. System and method for malware and network reputation correlation
US8885506B2 (en) * 2011-06-14 2014-11-11 Broadcom Corporation Energy efficiency ethernet with assymetric low power idle
US9106680B2 (en) * 2011-06-27 2015-08-11 Mcafee, Inc. System and method for protocol fingerprinting and reputation correlation
US10140049B2 (en) 2012-02-24 2018-11-27 Missing Link Electronics, Inc. Partitioning systems operating in multiple domains
US8931043B2 (en) 2012-04-10 2015-01-06 Mcafee Inc. System and method for determining and using local reputations of users and hosts to protect information in a network environment
US9137205B2 (en) 2012-10-22 2015-09-15 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US9565213B2 (en) 2012-10-22 2017-02-07 Centripetal Networks, Inc. Methods and systems for protecting a secured network
US9203806B2 (en) 2013-01-11 2015-12-01 Centripetal Networks, Inc. Rule swapping in a packet network
US9906445B2 (en) * 2013-02-01 2018-02-27 Texas Instruments Incorporated Packet processing match and action pipeline structure with dependency calculation removing false dependencies
US9124552B2 (en) 2013-03-12 2015-09-01 Centripetal Networks, Inc. Filtering network data transfers
US20140269299A1 (en) * 2013-03-14 2014-09-18 Hewlett-Packard Development Company, L.P. Network controller normalization of network traffic
US9094445B2 (en) 2013-03-15 2015-07-28 Centripetal Networks, Inc. Protecting networks from cyber attacks and overloading
CN103384281B (en) * 2013-06-26 2016-08-24 天津汉柏汉安信息技术有限公司 A kind of method preventing EZVPN dialing failed
US9264370B1 (en) 2015-02-10 2016-02-16 Centripetal Networks, Inc. Correlating packets in communications networks
US9866576B2 (en) 2015-04-17 2018-01-09 Centripetal Networks, Inc. Rule-based network-threat detection
JP2017011580A (en) * 2015-06-24 2017-01-12 キヤノン株式会社 Communication device, control method, and program
US9917856B2 (en) 2015-12-23 2018-03-13 Centripetal Networks, Inc. Rule-based network-threat detection for encrypted communications
US11729144B2 (en) 2016-01-04 2023-08-15 Centripetal Networks, Llc Efficient packet capture for cyber threat analysis
US10503899B2 (en) 2017-07-10 2019-12-10 Centripetal Networks, Inc. Cyberanalysis workflow acceleration
US10333898B1 (en) 2018-07-09 2019-06-25 Centripetal Networks, Inc. Methods and systems for efficient network protection
US11316823B2 (en) 2020-08-27 2022-04-26 Centripetal Networks, Inc. Methods and systems for efficient virtualization of inline transparent computer networking devices
US11362996B2 (en) 2020-10-27 2022-06-14 Centripetal Networks, Inc. Methods and systems for efficient adaptive logging of cyber threat incidents

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5648965A (en) 1995-07-07 1997-07-15 Sun Microsystems, Inc. Method and apparatus for dynamic distributed packet tracing and analysis
JP3214454B2 (en) * 1998-09-03 2001-10-02 日本電気株式会社 Packet processing device with built-in program
US6882654B1 (en) 2000-11-14 2005-04-19 Cisco Technology, Inc. Packet data analysis with efficient buffering scheme
US6895005B1 (en) * 2001-04-23 2005-05-17 Sprint Spectrum L.P. Business logic server for facilitating the transmission of a data download to a mobile wireless unit
US7203173B2 (en) 2002-01-25 2007-04-10 Architecture Technology Corp. Distributed packet capture and aggregation
AU2003299960A1 (en) * 2002-12-20 2004-07-22 Metanetworks Inc. Packet inspection
US7082044B2 (en) * 2003-03-12 2006-07-25 Sensory Networks, Inc. Apparatus and method for memory efficient, programmable, pattern matching finite state machine hardware
US7463590B2 (en) * 2003-07-25 2008-12-09 Reflex Security, Inc. System and method for threat detection and response
US8181258B2 (en) * 2003-11-26 2012-05-15 Agere Systems Inc. Access control list constructed as a tree of matching tables

Also Published As

Publication number Publication date
EP1908219A4 (en) 2016-08-10
EP1908219A2 (en) 2008-04-09
US20070002769A1 (en) 2007-01-04
US7499412B2 (en) 2009-03-03
WO2007005544A2 (en) 2007-01-11
WO2007005544A3 (en) 2008-06-12
EP1908219B1 (en) 2018-03-21

Similar Documents

Publication Publication Date Title
WO2007005544B1 (en) Active packet content analyzer for communications network
Jiang et al. Identifying suspicious activities through dns failure graph analysis
US9794263B2 (en) Technologies for access control
US7665128B2 (en) Method and apparatus for reducing firewall rules
US20080060074A1 (en) Intrusion detection system, intrusion detection method, and communication apparatus using the same
CN104917739B (en) The recognition methods of false account and device
WO2007002466A3 (en) Access control list processor
CN106506242A (en) A kind of Network anomalous behaviors and the accurate positioning method and system of flow monitoring
CN107634964B (en) WAF (Wireless Access Filter) testing method and device
CN101505314A (en) P2P data stream recognition method, apparatus and system
Kwon et al. A length-aware cuckoo filter for faster IP lookup
US8248937B2 (en) Packet forwarding device and load balance method thereof
US20140036921A1 (en) Systems and Methods for Deep Packet Inspection with a Virtual Machine
CN107181605A (en) Message detecting method and system, contents extraction device, flow matches device
CN110048899A (en) A kind of log detection method, device, terminal and server
CN108076149B (en) Session maintaining method and device
CN104376012B (en) A kind of reconnection method that goes offline of web application, device and system
CN108279970A (en) The switching method and apparatus of browser kernel
CN103795565A (en) Network event correlation analysis method and device
Abrardo et al. Decision fusion with corrupted reports in multi-sensor networks: A game-theoretic approach
JP2006319693A (en) Abnormal communication detecting apparatus
JP5258676B2 (en) Rule information changing method, management apparatus and program in firewall
KR20050074903A (en) Fast rule lookup with arbitrary ip range configurations
US20100138181A1 (en) Testing apparatus
CN106657087B (en) Method for realizing industrial firewall dynamically tracked by Ethernet/Ip protocol

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
NENP Non-entry into the national phase. Ref country code: DE
WWE WIPO information: entry into national phase. Ref document number: 2006785878. Country of ref document: EP