WO2007005544B1 - Active packet content analyzer for communications network - Google Patents
Info
- Publication number
- WO2007005544B1 (PCT/US2006/025436)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- match
- search engine
- network search
- signature
- network
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
Abstract
An active packet inspection device for a communications network comprises a first terminal and a second terminal, each adapted to couple the appliance in-line in the network and to communicate data packets with network devices. A packet processor is coupled to the first terminal and the second terminal and is configured to normalize the data packets. A network search engine is coupled to the packet processor and to a memory holding the stored signatures, and is configured to compare the data packets with the stored signatures and, when a match is found and other specified conditions are met, to perform an action identified in an associated rule. In one aspect, the network search engine includes a network search engine controller and a network search engine table including a memory configured to store a plurality of replicated signatures. Advantages of the invention include the ability to perform deep packet inspection actively on a communications network at high speed.
Claims
1. An active packet content analyzer for a communications network, comprising: a first terminal and a second terminal each adapted to couple the active packet content analyzer in-line in the communications network and to communicate data packets with network devices; a packet processor coupled to the first terminal and the second terminal, the packet processor configured to mask a portion of the data packets for resulting in an unmasked portion of the data packets, the packet processor further configured to provide the unmasked portion of the data packets for evaluation; and a network search engine coupled to the packet processor and configured to compare the unmasked portion of the data packets with stored signatures, and when a match between the unmasked portion of the data packets and the stored signatures is found, to perform an action identified in an associated rule.
2. The active packet content analyzer of claim 1, wherein: the network search engine includes multiple entries for each stored signature, where each signature is replicated a number of times and staggered with respect to one another; and search time is reduced in proportion to the number of replicated stored signatures.
3. The active packet content analyzer of claim 2, wherein: the network search engine includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
4. The active packet content analyzer of claim 1, wherein: the network search engine includes a network search engine controller and a network search engine table including a memory configured to store the signatures, where each signature is replicated a number of times and staggered with respect to one another; and search time is reduced in proportion to the number of replicated stored signatures.
5. The active packet content analyzer of claim 4, wherein: the network search engine table includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
6. The active packet content analyzer of claim 1, wherein: the actions taken by the analyzer based on a signature match, other conditions match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
7. The active packet content analyzer of claim 2, wherein: the actions taken by the analyzer based on a signature match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
8. The active packet content analyzer of claim 4, wherein: the actions taken by the deep packet content analyzer based on a signature match and associated rule include at least one of alert on match, drop on match, log on match and replace on match.
9. The active packet content analyzer of claim 1, further comprising: a user interface to an administrative computer; and wherein the administrative computer is configured to communicate with the network search engine to upload rules to the network search engine.
10. The active packet content analyzer of claim 2, further comprising: a user interface to an administrative computer; and wherein the administrative computer is configured to communicate with the network search engine to upload rules to the network search engine.
11. A method of monitoring a communications network using an active packet content analyzer coupled in-line in the network, the active deep packet content analyzer including a packet processor and a network search engine, the method comprising the steps of: receiving data packets; masking a portion of the data packets to result in an unmasked portion of the data packets; comparing the unmasked portion of the data packets with stored signatures; and when a match between the unmasked portion of the data packets and the stored signatures is found, performing an action identified in an associated rule.
12. The method of claim 11, further comprising the step of: storing multiple entries for each stored signature, where each signature is replicated a number of times and staggered with respect to one another; and wherein search time is reduced in proportion to the number of replicated stored signatures.
13. The method of claim 12, wherein: the network search engine includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
14. The method of claim 11, wherein the network search engine includes a network search engine controller and a network search engine table, further comprising the step of: storing multiple entries for each stored signature in the network search table, where each signature is replicated a number of times and staggered with respect to one another; and wherein search time is reduced in proportion to the number of replicated stored signatures.
15. The method of claim 14, wherein: the network search engine table includes 16 entries for each stored signature, where each signature is replicated 16 times and staggered with respect to one another.
16. The method of claim 11, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
17. The method of claim 12, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
18. The method of claim 14, wherein: the step of performing an action identified in an associated rule includes at least one of alert on match, drop on match, log on match and replace on match.
19. The method of claim 11, further comprising the step of: communicating with the network search engine to upload rules to the network search engine.
20. The method of claim 12, further comprising the step of: communicating with the network search engine to upload rules to the network search engine.
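The claims describe three cooperating pieces: a packet processor that masks part of each packet so only the unmasked portion is evaluated (claims 1 and 11), a search-engine table in which every signature is stored 16 times with each copy shifted by one byte so that a single lookup covers 16 byte offsets (claims 2 to 5 and 12 to 15), and per-rule actions of alert, drop, log or replace (claims 6 to 8 and 16 to 18). The following software model, added here as an illustration and not code from the patent or its assignee, shows how staggered replication cuts the number of lookups in proportion to the replication count. The ternary (don't-care) entry format, the table width, the fixed 20-byte masked header, the same-length restriction on replacements, and the sample rules and packets are all assumptions made for the example.

```python
"""Model of the claimed analyzer: masking packet processor, replicated and
staggered signature table, and rule actions.  Added illustration; the entry
format, table width, header size, and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REPLICAS = 16   # copies of each signature, as in claims 3, 5, 13 and 15
ANY = None      # "don't care" byte inside a table entry (assumed encoding)


@dataclass(frozen=True)
class Rule:
    """A signature and the action taken when it matches (claims 6-8)."""
    signature: bytes
    action: str                       # "alert", "drop", "log" or "replace"
    replacement: Optional[bytes] = None

    def __post_init__(self):
        # Same-length replacement keeps later match offsets valid (assumption).
        if self.action == "replace" and (self.replacement is None or
                                         len(self.replacement) != len(self.signature)):
            raise ValueError("replace needs a same-length replacement")


@dataclass(frozen=True)
class Entry:
    pattern: Tuple[Optional[int], ...]   # fixed-width ternary pattern
    offset: int                          # stagger (byte shift) of this copy
    rule: Rule


class NetworkSearchEngineTable:
    """Each signature is stored REPLICAS times; copy k is shifted right by k
    bytes, so one lookup of a window tests all k offsets at once."""

    def __init__(self, rules: List[Rule], replicas: int = REPLICAS):
        self.replicas = replicas
        longest = max(len(r.signature) for r in rules)
        self.width = replicas - 1 + longest   # room for the most-shifted copy
        self.entries: List[Entry] = []
        for rule in rules:
            for k in range(replicas):
                pat: List[Optional[int]] = [ANY] * self.width
                pat[k:k + len(rule.signature)] = list(rule.signature)
                self.entries.append(Entry(tuple(pat), k, rule))

    def lookup(self, window: bytes) -> List[Entry]:
        """One table lookup: every entry whose pattern matches the window.
        A short window near the end of the data cannot match real bytes."""
        return [e for e in self.entries
                if all(p is ANY or (i < len(window) and window[i] == p)
                       for i, p in enumerate(e.pattern))]


class NetworkSearchEngine:
    """Advances REPLICAS bytes per lookup instead of one byte, so the lookup
    count falls in proportion to the replication count (claims 2 and 4)."""

    def __init__(self, table: NetworkSearchEngineTable):
        self.table = table
        self.lookups = 0

    def search(self, data: bytes) -> List[Tuple[int, Rule]]:
        """Return (offset, rule) for every signature occurrence in data."""
        matches, self.lookups = [], 0
        for i in range(0, len(data), self.table.replicas):
            self.lookups += 1
            for e in self.table.lookup(data[i:i + self.table.width]):
                matches.append((i + e.offset, e.rule))
        return sorted(matches, key=lambda m: m[0])


def mask_packet(packet: bytes, header_len: int) -> bytes:
    """Packet processor step: mask the header so only the payload is
    handed to the search engine (claims 1 and 11)."""
    return packet[header_len:]


@dataclass
class Verdict:
    forward: bool          # False when a "drop" rule matched
    packet: bytes          # packet after any "replace" actions
    events: List[str]      # alert/log/drop/replace records


def analyze(packet: bytes, header_len: int, engine: NetworkSearchEngine) -> Verdict:
    """Run one packet through masking, search and rule actions."""
    out, forward, events = bytearray(packet), True, []
    for pos, rule in engine.search(mask_packet(packet, header_len)):
        events.append(f"{rule.action}: {rule.signature!r} at payload offset {pos}")
        if rule.action == "drop":
            forward = False
        elif rule.action == "replace":
            out[header_len + pos:header_len + pos + len(rule.signature)] = rule.replacement
    return Verdict(forward, bytes(out), events)


# Constructed sample rules and packet (not from the patent).
RULES = [Rule(b"EVIL", "drop"), Rule(b"secret", "replace", b"******"),
         Rule(b"probe", "alert"), Rule(b"GET /", "log")]
HEADER = bytes(20)                      # assumed fixed-size masked header
PAYLOAD = b"GET /index.html HTTP/1.1\r\nX-Note: secret probe\r\n\r\n"

if __name__ == "__main__":
    engine = NetworkSearchEngine(NetworkSearchEngineTable(RULES))
    verdict = analyze(HEADER + PAYLOAD, len(HEADER), engine)
    print(f"{engine.lookups} lookups for {len(PAYLOAD)} payload bytes")
    print("\n".join(verdict.events), "forward" if verdict.forward else "drop")
```

Running the sample scans a 50-byte payload in 4 table lookups rather than 50 byte-at-a-time comparisons, finds all three signatures with their offsets, rewrites the replace-rule bytes in place, and leaves the packet forwardable because no drop rule matched; a payload containing the drop-rule signature yields a non-forward verdict instead. A hardware table would evaluate all entries in parallel per lookup, which is what makes the lookup count, not the entry count, the cost that matters.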
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06785878.7A EP1908219B1 (en) | 2005-07-01 | 2006-06-19 | Active packet content analyzer for communications network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/174,248 | 2005-07-01 | ||
US11/174,248 US7499412B2 (en) | 2005-07-01 | 2005-07-01 | Active packet content analyzer for communications network |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2007005544A2 (en) | 2007-01-11 |
WO2007005544A3 (en) | 2008-06-12 |
WO2007005544B1 (en) | 2008-07-24 |
Family
ID=37589384
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/025436 WO2007005544A2 (en) | 2005-07-01 | 2006-06-19 | Active packet content analyzer for communications network |
Country Status (3)
Country | Link |
---|---|
US (1) | US7499412B2 (en) |
EP (1) | EP1908219B1 (en) |
WO (1) | WO2007005544A2 (en) |
Families Citing this family (66)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7613179B2 (en) * | 2003-11-26 | 2009-11-03 | Nortel Networks Limited | Technique for tracing source addresses of packets |
US8331234B1 (en) | 2004-09-08 | 2012-12-11 | Q1 Labs Inc. | Network data flow collection and processing |
US8320242B2 (en) * | 2004-12-24 | 2012-11-27 | Net Optics, Inc. | Active response communications network tap |
US7760859B2 (en) * | 2005-03-07 | 2010-07-20 | Net Optics, Inc. | Intelligent communications network tap port aggregator |
US20070081526A1 (en) * | 2005-09-27 | 2007-04-12 | Accton Technology Corporation | Network switch device |
US7970878B1 (en) * | 2005-11-16 | 2011-06-28 | Cisco Technology, Inc. | Method and apparatus for limiting domain name server transaction bandwidth |
US7738403B2 (en) * | 2006-01-23 | 2010-06-15 | Cisco Technology, Inc. | Method for determining the operations performed on packets by a network device |
US8295275B2 (en) * | 2006-03-20 | 2012-10-23 | Intel Corporation | Tagging network I/O transactions in a virtual machine run-time environment |
US8041804B2 (en) * | 2006-05-25 | 2011-10-18 | Cisco Technology, Inc. | Utilizing captured IP packets to determine operations performed on packets by a network device |
US8769091B2 (en) | 2006-05-25 | 2014-07-01 | Cisco Technology, Inc. | Method, device and medium for determining operations performed on a packet |
KR100772523B1 (en) * | 2006-08-01 | 2007-11-01 | 한국전자통신연구원 | Apparatus for detecting intrusion using pattern and method thereof |
US7853679B2 (en) * | 2007-03-12 | 2010-12-14 | Citrix Systems, Inc. | Systems and methods for configuring handling of undefined policy events |
US7865589B2 (en) | 2007-03-12 | 2011-01-04 | Citrix Systems, Inc. | Systems and methods for providing structured policy expressions to represent unstructured data in a network appliance |
AU2008225150A1 (en) * | 2007-03-12 | 2008-09-18 | Citrix Systems, Inc. | Systems and methods for configuring, applying and managing object-oriented policy expressions for a network device |
US8631147B2 (en) * | 2007-03-12 | 2014-01-14 | Citrix Systems, Inc. | Systems and methods for configuring policy bank invocations |
US7853678B2 (en) * | 2007-03-12 | 2010-12-14 | Citrix Systems, Inc. | Systems and methods for configuring flow control of policy expressions |
US7870277B2 (en) * | 2007-03-12 | 2011-01-11 | Citrix Systems, Inc. | Systems and methods for using object oriented expressions to configure application security policies |
US8490148B2 (en) | 2007-03-12 | 2013-07-16 | Citrix Systems, Inc | Systems and methods for managing application security profiles |
US20080306815A1 (en) * | 2007-06-06 | 2008-12-11 | Nebuad, Inc. | Method and system for inserting targeted data in available spaces of a webpage |
US7853689B2 (en) * | 2007-06-15 | 2010-12-14 | Broadcom Corporation | Multi-stage deep packet inspection for lightweight devices |
US7903576B2 (en) * | 2007-08-07 | 2011-03-08 | Net Optics, Inc. | Methods and arrangement for utilization rate display |
US7898984B2 (en) * | 2007-08-07 | 2011-03-01 | Net Optics, Inc. | Enhanced communication network tap port aggregator arrangement and methods thereof |
US8094576B2 (en) * | 2007-08-07 | 2012-01-10 | Net Optic, Inc. | Integrated switch tap arrangement with visual display arrangement and methods thereof |
US20090064287A1 (en) * | 2007-08-28 | 2009-03-05 | Rohati Systems, Inc. | Application protection architecture with triangulated authorization |
US8434140B2 (en) * | 2007-11-06 | 2013-04-30 | Barracuda Networks, Inc. | Port hopping and seek you peer to peer traffic control method and system |
KR101112204B1 (en) * | 2007-12-04 | 2012-03-09 | 한국전자통신연구원 | Mobile Advertisement Method |
US7773529B2 (en) | 2007-12-27 | 2010-08-10 | Net Optic, Inc. | Director device and methods thereof |
KR101425621B1 (en) * | 2008-01-15 | 2014-07-31 | 삼성전자주식회사 | Method and system for sharing contents securely |
US9100268B2 (en) * | 2008-02-27 | 2015-08-04 | Alcatel Lucent | Application-aware MPLS tunnel selection |
US8094560B2 (en) * | 2008-05-19 | 2012-01-10 | Cisco Technology, Inc. | Multi-stage multi-core processing of network packets |
US8667556B2 (en) | 2008-05-19 | 2014-03-04 | Cisco Technology, Inc. | Method and apparatus for building and managing policies |
US20090288104A1 (en) * | 2008-05-19 | 2009-11-19 | Rohati Systems, Inc. | Extensibility framework of a network element |
US8677453B2 (en) | 2008-05-19 | 2014-03-18 | Cisco Technology, Inc. | Highly parallel evaluation of XACML policies |
US20100070471A1 (en) * | 2008-09-17 | 2010-03-18 | Rohati Systems, Inc. | Transactional application events |
KR100964375B1 (en) * | 2008-10-31 | 2010-06-17 | 한국전자통신연구원 | Interception Method |
CN101771627B (en) | 2009-01-05 | 2015-04-08 | 武汉邮电科学研究院 | Equipment and method for analyzing and controlling node real-time deep packet on internet |
US8954725B2 (en) * | 2009-05-08 | 2015-02-10 | Microsoft Technology Licensing, Llc | Sanitization of packets |
US9813448B2 (en) | 2010-02-26 | 2017-11-07 | Ixia | Secured network arrangement and methods thereof |
US9019863B2 (en) * | 2010-02-26 | 2015-04-28 | Net Optics, Inc. | Ibypass high density device and methods thereof |
US8737197B2 (en) | 2010-02-26 | 2014-05-27 | Net Optic, Inc. | Sequential heartbeat packet arrangement and methods thereof |
US8755293B2 (en) | 2010-02-28 | 2014-06-17 | Net Optics, Inc. | Time machine device and methods thereof |
US9749261B2 (en) | 2010-02-28 | 2017-08-29 | Ixia | Arrangements and methods for minimizing delay in high-speed taps |
EP2540048B1 (en) | 2010-02-28 | 2019-07-17 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Gigabits zero-delay tap and methods thereof |
CN102196478B (en) * | 2010-03-01 | 2014-10-22 | 中兴通讯股份有限公司 | Diagnosis method and system for failure of network management system |
US9122877B2 (en) | 2011-03-21 | 2015-09-01 | Mcafee, Inc. | System and method for malware and network reputation correlation |
US8885506B2 (en) * | 2011-06-14 | 2014-11-11 | Broadcom Corporation | Energy efficiency ethernet with assymetric low power idle |
US9106680B2 (en) * | 2011-06-27 | 2015-08-11 | Mcafee, Inc. | System and method for protocol fingerprinting and reputation correlation |
US10140049B2 (en) | 2012-02-24 | 2018-11-27 | Missing Link Electronics, Inc. | Partitioning systems operating in multiple domains |
US8931043B2 (en) | 2012-04-10 | 2015-01-06 | Mcafee Inc. | System and method for determining and using local reputations of users and hosts to protect information in a network environment |
US9137205B2 (en) | 2012-10-22 | 2015-09-15 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US9565213B2 (en) | 2012-10-22 | 2017-02-07 | Centripetal Networks, Inc. | Methods and systems for protecting a secured network |
US9203806B2 (en) | 2013-01-11 | 2015-12-01 | Centripetal Networks, Inc. | Rule swapping in a packet network |
US9906445B2 (en) * | 2013-02-01 | 2018-02-27 | Texas Instruments Incorporated | Packet processing match and action pipeline structure with dependency calculation removing false dependencies |
US9124552B2 (en) | 2013-03-12 | 2015-09-01 | Centripetal Networks, Inc. | Filtering network data transfers |
US20140269299A1 (en) * | 2013-03-14 | 2014-09-18 | Hewlett-Packard Development Company, L.P. | Network controller normalization of network traffic |
US9094445B2 (en) | 2013-03-15 | 2015-07-28 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
CN103384281B (en) * | 2013-06-26 | 2016-08-24 | 天津汉柏汉安信息技术有限公司 | A kind of method preventing EZVPN dialing failed |
US9264370B1 (en) | 2015-02-10 | 2016-02-16 | Centripetal Networks, Inc. | Correlating packets in communications networks |
US9866576B2 (en) | 2015-04-17 | 2018-01-09 | Centripetal Networks, Inc. | Rule-based network-threat detection |
JP2017011580A (en) * | 2015-06-24 | 2017-01-12 | キヤノン株式会社 | Communication device, control method, and program |
US9917856B2 (en) | 2015-12-23 | 2018-03-13 | Centripetal Networks, Inc. | Rule-based network-threat detection for encrypted communications |
US11729144B2 (en) | 2016-01-04 | 2023-08-15 | Centripetal Networks, Llc | Efficient packet capture for cyber threat analysis |
US10503899B2 (en) | 2017-07-10 | 2019-12-10 | Centripetal Networks, Inc. | Cyberanalysis workflow acceleration |
US10333898B1 (en) | 2018-07-09 | 2019-06-25 | Centripetal Networks, Inc. | Methods and systems for efficient network protection |
US11316823B2 (en) | 2020-08-27 | 2022-04-26 | Centripetal Networks, Inc. | Methods and systems for efficient virtualization of inline transparent computer networking devices |
US11362996B2 (en) | 2020-10-27 | 2022-06-14 | Centripetal Networks, Inc. | Methods and systems for efficient adaptive logging of cyber threat incidents |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5648965A (en) | 1995-07-07 | 1997-07-15 | Sun Microsystems, Inc. | Method and apparatus for dynamic distributed packet tracing and analysis |
JP3214454B2 (en) * | 1998-09-03 | 2001-10-02 | 日本電気株式会社 | Packet processing device with built-in program |
US6882654B1 (en) | 2000-11-14 | 2005-04-19 | Cisco Technology, Inc. | Packet data analysis with efficient buffering scheme |
US6895005B1 (en) * | 2001-04-23 | 2005-05-17 | Sprint Spectrum L.P. | Business logic server for facilitating the transmission of a data download to a mobile wireless unit |
US7203173B2 (en) | 2002-01-25 | 2007-04-10 | Architecture Technology Corp. | Distributed packet capture and aggregation |
AU2003299960A1 (en) * | 2002-12-20 | 2004-07-22 | Metanetworks Inc. | Packet inspection |
US7082044B2 (en) * | 2003-03-12 | 2006-07-25 | Sensory Networks, Inc. | Apparatus and method for memory efficient, programmable, pattern matching finite state machine hardware |
US7463590B2 (en) * | 2003-07-25 | 2008-12-09 | Reflex Security, Inc. | System and method for threat detection and response |
US8181258B2 (en) * | 2003-11-26 | 2012-05-15 | Agere Systems Inc. | Access control list constructed as a tree of matching tables |
- 2005-07-01 US US11/174,248 patent/US7499412B2/en active Active
- 2006-06-19 EP EP06785878.7A patent/EP1908219B1/en active Active
- 2006-06-19 WO PCT/US2006/025436 patent/WO2007005544A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
EP1908219A4 (en) | 2016-08-10 |
EP1908219A2 (en) | 2008-04-09 |
US20070002769A1 (en) | 2007-01-04 |
US7499412B2 (en) | 2009-03-03 |
WO2007005544A2 (en) | 2007-01-11 |
WO2007005544A3 (en) | 2008-06-12 |
EP1908219B1 (en) | 2018-03-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2007005544B1 (en) | Active packet content analyzer for communications network | |
Jiang et al. | Identifying suspicious activities through dns failure graph analysis | |
US9794263B2 (en) | Technologies for access control | |
US7665128B2 (en) | Method and apparatus for reducing firewall rules | |
US20080060074A1 (en) | Intrusion detection system, intrusion detection method, and communication apparatus using the same | |
CN104917739B (en) | The recognition methods of false account and device | |
WO2007002466A3 (en) | Access control list processor | |
CN106506242A (en) | A kind of Network anomalous behaviors and the accurate positioning method and system of flow monitoring | |
CN107634964B (en) | WAF (Wireless Access Filter) testing method and device | |
CN101505314A (en) | P2P data stream recognition method, apparatus and system | |
Kwon et al. | A length-aware cuckoo filter for faster IP lookup | |
US8248937B2 (en) | Packet forwarding device and load balance method thereof | |
US20140036921A1 (en) | Systems and Methods for Deep Packet Inspection with a Virtual Machine | |
CN107181605A (en) | Message detecting method and system, contents extraction device, flow matches device | |
CN110048899A (en) | A kind of log detection method, device, terminal and server | |
CN108076149B (en) | Session maintaining method and device | |
CN104376012B (en) | A kind of reconnection method that goes offline of web application, device and system | |
CN108279970A (en) | The switching method and apparatus of browser kernel | |
CN103795565A (en) | Network event correlation analysis method and device | |
Abrardo et al. | Decision fusion with corrupted reports in multi-sensor networks: A game-theoretic approach | |
JP2006319693A (en) | Abnormal communication detecting apparatus | |
JP5258676B2 (en) | Rule information changing method, management apparatus and program in firewall | |
KR20050074903A (en) | Fast rule lookup with arbitrary ip range configurations | |
US20100138181A1 (en) | Testing apparatus | |
CN106657087B (en) | Method for realizing industrial firewall dynamically tracked by Ethernet/Ip protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2006785878; Country of ref document: EP |