Patent

Network security tap for use with intrusion detection system

Abstract: A system and method is presented for analyzing information in a communication line for unwanted intrusions and for allowing information to be transmitted back into the communication line, without disrupting the communication traffic, when an intrusion is detected. The system and method include a security tap connected to a firewall. The security tap is also connected to an intrusion detection device. The intrusion detection device analyzes the information in the communication line for indicia of attempts to compromise the network. When such indicia are detected, the intrusion detection device sends a “kill” data packet back through the security tap onto the communication line, directed to the firewall, to instruct the firewall to prevent further communications into the network by the intrusive source. An Ethernet switch or field programmable gate array (FPGA) is incorporated in the security tap to coordinate the transmission of the “kill” data packet so that it does not collide with data transmissions already present on the communication line.
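As an added illustration (not code from the patent or from this page), the Python simulation below models the flow the abstract describes: a passive tap copies each admitted frame to an IDS, the IDS answers a signature hit with a “kill” packet addressed to the upstream firewall, and the tap's arbiter places that packet on the line only in an idle slot, never on top of a frame already in flight. The signatures, the addresses, the time-slot model of the line and the kill-packet format (its payload is the source address to block) are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Set, Tuple

# Constructed signatures for the example; a real IDS carries a full rule set.
SIGNATURES = (b"/etc/passwd", b"' OR '1'='1")


@dataclass
class Frame:
    src: str            # source address of the traffic
    payload: bytes
    kind: str = "data"  # "data" for line traffic, "kill" for the IDS-to-firewall message


class Firewall:
    """Sits upstream of the tap; drops every frame from a source named in a kill packet."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def admit(self, frame: Frame) -> bool:
        return frame.src not in self.blocked

    def receive_kill(self, kill: Frame) -> None:
        # Hypothetical kill-packet format: the payload is the source address to block.
        self.blocked.add(kill.payload.decode())


class IDS:
    """Receives the tap's copy of each frame; it is never on the forwarding path."""

    def __init__(self) -> None:
        self.alerts: List[Tuple[str, bytes]] = []
        self.kill_queue: Deque[Frame] = deque()

    def inspect(self, frame: Frame) -> None:
        for sig in SIGNATURES:
            if sig in frame.payload:
                self.alerts.append((frame.src, sig))
                self.kill_queue.append(Frame("ids", frame.src.encode(), kind="kill"))
                return


class SecurityTap:
    """Copies every admitted frame to the IDS, passes it on unchanged, and injects
    queued kill packets toward the firewall only in idle slots, so a kill packet
    never collides with a frame already on the line (the arbitration the abstract
    assigns to the Ethernet switch or FPGA)."""

    def __init__(self, firewall: Firewall, ids: IDS) -> None:
        self.firewall = firewall
        self.ids = ids
        self.delivered: List[Frame] = []  # frames that reached the protected network

    def run(self, line: List[Optional[Frame]]) -> List[str]:
        """`line` has one entry per time slot: a Frame, or None for an idle slot.
        The loop models the whole path: firewall first, then the tap."""
        events: List[str] = []
        for slot in line:
            if slot is not None:
                if not self.firewall.admit(slot):
                    events.append(f"drop:{slot.src}")
                    continue
                self.ids.inspect(slot)        # out-of-band copy to the IDS
                self.delivered.append(slot)   # pass-through, unmodified
                events.append(f"pass:{slot.src}")
            elif self.ids.kill_queue:
                kill = self.ids.kill_queue.popleft()
                self.firewall.receive_kill(kill)  # injected into the idle slot
                events.append(f"kill:{kill.payload.decode()}")
            else:
                events.append("idle")
        return events


def demo() -> Tuple[List[str], Set[str]]:
    """Constructed traffic: one attacker probe, two more attacker frames before
    the line goes idle, then the kill packet gets its slot."""
    fw, ids = Firewall(), IDS()
    tap = SecurityTap(fw, ids)
    line = [
        Frame("10.0.0.5", b"GET /index.html"),
        Frame("203.0.113.9", b"GET /../../etc/passwd"),
        Frame("203.0.113.9", b"GET /a"),
        Frame("10.0.0.5", b"GET /b"),
        None,  # first idle slot after the alert
        Frame("203.0.113.9", b"GET /c"),
        Frame("10.0.0.5", b"GET /d"),
    ]
    return tap.run(line), fw.blocked


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

The event list makes the practitioner's caveat visible: because the IDS is out of band, the probe itself and any attacker frames already on the line before the next idle slot still reach the network; the kill packet only stops what comes after it, and the size of that window depends on how busy the line is when the alert fires.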
Citations
Patent
21 Jun 2006
TL;DR: In this paper, the authors propose a mechanism to enforce network service-level agreements in a network infrastructure element by copying an application-layer message without disrupting the forwarding of that message.
Abstract: Enforcing network service level agreements in a network infrastructure element comprises receiving, at the network infrastructure element, an application-layer message comprising one or more of the packets; forwarding the application-layer message toward a destination endpoint and concurrently copying the application-layer message without disrupting the forwarding; using the copied application-layer message, discovering one or more applications or services that are using the network; using the copied application-layer message, identifying one or more network-layer condition metrics, and identifying one or more application-layer condition metrics; determining, based on the identified network-layer condition metrics and the application-layer condition metrics, whether one or more conditions of a service level agreement are violated; and in response to determining a violation, performing one or more responsive operations on one or more network elements.

432 citations

Patent
24 Mar 2005
TL;DR: In this paper, the authors present a method for generating a network topology representation based on inspection of application messages at a network device. In one aspect, the network device receives a request packet, routes it to its destination, and extracts and stores correlation information from a copy of the request packet; when the matching response packet arrives, the recorded correlation information is used to determine application-to-application mapping and calculate application response times.
Abstract: A method is disclosed for generating a network topology representation based on inspection of application messages at a network device. According to one aspect, a network device receives a request packet, routes the packet to the destination, and extracts and stores correlation information from a copy of the request packet. When the network device receives a response packet, it examines the contents of a copy of the response packet using context-based correlation rules and matches the response packet with the appropriate stored request packet correlation information. It analyzes recorded correlation information to determine application-to-application mapping and calculate application response times. Another embodiment inserts custom headers that contain information used to match a response packet with a request packet into request packets.

302 citations
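An added example (not the patent's code) of the request/response correlation the abstract describes, written in Python against a constructed capture. It implements two context-based correlation rules (HTTP/1.x, where responses on a flow arrive in request order, and JSON-RPC, where the id member ties a response to its request), the custom-header embodiment (the device inserts an X-Corr-Id header into forwarded HTTP requests and matches on it when the server echoes it back), and the resulting application-to-application map with mean response time per edge. The addresses, the header name and the assumption that a server may echo that header are all constructed for the example.

```python
import json
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import count
from typing import Deque, Dict, List, Tuple


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str        # "host:port"
    dst: str        # "host:port"
    payload: bytes


HTTP_REQ = re.compile(rb"^(?:GET|POST|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
HTTP_RESP = re.compile(rb"^HTTP/1\.[01] \d{3}")
CORR_HDR = re.compile(rb"\r\nX-Corr-Id: (\d+)\r\n")  # hypothetical custom header


def _host(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]


class TopologyMonitor:
    """Correlates responses with stored request information taken from copies of
    forwarded packets; edges are (client host, server host:port) with response times."""

    def __init__(self) -> None:
        self._next_id = count(1)
        # HTTP/1.x context rule: a flow answers requests in order, so pending
        # requests form a FIFO of (correlation id, timestamp) per edge.
        self._http: Dict[Tuple[str, str], Deque[Tuple[int, float]]] = defaultdict(deque)
        # JSON-RPC context rule: the "id" member ties a response to its request.
        self._rpc: Dict[Tuple[str, str, str], float] = {}
        self.edges: Dict[Tuple[str, str], List[float]] = defaultdict(list)

    def route(self, pkt: Packet) -> Packet:
        """Forwarding path: HTTP requests get a correlation header inserted, all
        else is forwarded unchanged; a copy is then examined for correlation data."""
        forwarded = self._insert_header(pkt) if HTTP_REQ.match(pkt.payload) else pkt
        self._correlate(forwarded)
        return forwarded

    def _insert_header(self, pkt: Packet) -> Packet:
        line, sep, rest = pkt.payload.partition(b"\r\n")
        header = b"X-Corr-Id: %d\r\n" % next(self._next_id)
        return Packet(pkt.ts, pkt.src, pkt.dst, line + sep + header + rest)

    def _correlate(self, pkt: Packet) -> None:
        if HTTP_REQ.match(pkt.payload):
            m = CORR_HDR.search(pkt.payload)
            cid = int(m.group(1)) if m else -1
            self._http[(_host(pkt.src), pkt.dst)].append((cid, pkt.ts))
        elif HTTP_RESP.match(pkt.payload):
            edge = (_host(pkt.dst), pkt.src)       # a response flows server -> client
            pending = self._http[edge]
            if not pending:
                return
            echoed = CORR_HDR.search(pkt.payload)
            if echoed:                               # server echoed the header: exact match
                cid = int(echoed.group(1))
                for i, (pid, ts) in enumerate(pending):
                    if pid == cid:
                        del pending[i]
                        self.edges[edge].append(pkt.ts - ts)
                        return
                return                               # unknown id: do not guess
            _, ts = pending.popleft()                # no echo: fall back to request order
            self.edges[edge].append(pkt.ts - ts)
        else:
            try:
                msg = json.loads(pkt.payload)
            except ValueError:
                return
            if not isinstance(msg, dict) or "id" not in msg:
                return
            if "method" in msg:
                self._rpc[(_host(pkt.src), pkt.dst, str(msg["id"]))] = pkt.ts
            elif "result" in msg or "error" in msg:
                edge = (_host(pkt.dst), pkt.src)
                ts = self._rpc.pop((edge[0], edge[1], str(msg["id"])), None)
                if ts is not None:
                    self.edges[edge].append(pkt.ts - ts)

    def topology(self) -> Dict[Tuple[str, str], float]:
        """Application-to-application map: each edge with its mean response time."""
        return {e: sum(t) / len(t) for e, t in self.edges.items() if t}


def demo() -> Dict[Tuple[str, str], float]:
    """Constructed capture: web tier -> API tier over HTTP, API tier -> DB tier over JSON-RPC."""
    mon = TopologyMonitor()
    stream = [
        Packet(0.00, "10.0.1.10:51000", "10.0.2.20:8080", b"GET /orders HTTP/1.1\r\nHost: api\r\n\r\n"),
        Packet(0.01, "10.0.2.20:44000", "10.0.3.30:9000", b'{"jsonrpc":"2.0","id":"7","method":"orders.list"}'),
        Packet(0.05, "10.0.1.10:51000", "10.0.2.20:8080", b"GET /cart HTTP/1.1\r\nHost: api\r\n\r\n"),
        Packet(0.06, "10.0.3.30:9000", "10.0.2.20:44000", b'{"jsonrpc":"2.0","id":"7","result":[]}'),
        Packet(0.09, "10.0.2.20:8080", "10.0.1.10:51000", b"HTTP/1.1 200 OK\r\nX-Corr-Id: 1\r\nContent-Length: 0\r\n\r\n"),
        Packet(0.12, "10.0.2.20:8080", "10.0.1.10:51000", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]
    for pkt in stream:
        mon.route(pkt)
    return mon.topology()
```

The order-based HTTP rule is only sound while a flow carries one outstanding request at a time; with pipelining or multiplexing the inserted header (or an application-level id, as in the JSON-RPC rule) is what keeps the response times honest, which is why the code prefers an echoed id and falls back to order only when no id is present.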

Patent
Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
23 Feb 2012
TL;DR: In this paper, an electronic message is analyzed for malware contained in the message. The analysis may include replaying a suspicious URL in a virtual environment which simulates the computing device intended to receive the electronic message; if the replayed URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malicious. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the computing device intended to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

262 citations

Patent
28 Jul 2006
TL;DR: In this article, a dynamic signature creation and enforcement system comprises a tap configured to copy network data from a communication network and a controller coupled to the tap; the controller analyzes the copy of the network data with a heuristic to determine whether the data is suspicious, flags it as suspicious based on that determination, simulates its transmission to a destination device to identify unauthorized activity, and generates and distributes a signature for that activity.
Abstract: A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.

254 citations

Patent
Ashar Aziz
13 Jun 2006
TL;DR: In this paper, a suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap, which is configured to analyze the copy of the network data with a heuristic to flag the data as suspicious and simulate transmission of the data to a destination device.
Abstract: A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

248 citations

References
Patent
27 Sep 1996
TL;DR: In this article, the authors propose a bypass circuit for monitoring the performance of a dedicated communications medium in a switched data networking environment, in which a probe having bypass circuit allows promiscuous monitoring of all traffic between a switch and a network device, such as a file server, in either direction, and in full duplex mode.
Abstract: A method and apparatus for monitoring the performance of a dedicated communications medium in a switched data networking environment, wherein a probe having a bypass circuit allows promiscuous monitoring of all traffic between a switch and a network device, such as a file server, in either direction, and in full duplex mode. Additionally, the bypass circuit eliminates the requirement for a separate repeater between the switch and the network device.

97 citations

Patent
13 Nov 1998
TL;DR: In this article, the authors divide the surveillance task into two sub-tasks: the first sub-task automatically identifies communications within the network which are to be monitored, and the second sub-task applies a reasoning system to that identification, together with network topology information, in order to configure probes and switches in the network so that the identified data can be captured.
Abstract: Control of network surveillance in communications networks is accomplished by dividing the surveillance task into two sub-tasks. The first sub-task automatically identifies communications within the network which are to be monitored. Such identification is accomplished by the application of a reasoning system to data received from the network. The identification of the data to be monitored is received by the second sub-task along with network topology information. The second sub-task also applies a reasoning system to this data in order to configure probes and switches within the network so that the identified data can be captured.

79 citations

Patent
22 Nov 1995
TL;DR: An interface device for an ATM network permits a plurality of ATM devices to be connected to a single ATM switch port. It is a modular device which may be interconnected to form a system having various segment arrangements to suit the system's operational requirements, with a switch side connector, extension side connector and device side connector all on a single card.
Abstract: An interface device for an ATM network permits a plurality of ATM devices to be connected to a single ATM switch port. The interface device, in its preferred embodiment, is a modular device which may be interconnected to form a system having various segment arrangements to suit the system operational requirements. Each interface device may include a switch side connector, extension side connector, and a device side connector all on a single card, with the interface device being configured in VLSI architecture and multiple interface devices interconnected to construct the system segments. In an alternate application, the interface device may be used to replace the computer backplane and provide direct connection between a computer's system components and an ATM network. In still another configuration, the interface device may itself be utilized to interconnect a plurality of computers to form a local area network. In still another application, the interface device may be used to loop back data to an ATM device prior to transmission of the ATM data onto an ATM network.

66 citations

Patent
29 Jan 1997
TL;DR: In this article, a method and apparatus for monitoring data sent between a source node and destination node in a switched network is presented, wherein the switches configure themselves to establish a connection path to a probe switch to receive the monitored data.
Abstract: A method and apparatus for monitoring data sent between a source node and destination node in a switched network, wherein the switches configure themselves to establish a connection path to a probe switch to receive the monitored data. The source and destination are identified along with the probe switch. An originating switch on a path between the source and destination is identified and connections between the originating switch and the probe switch are established. The originating switch sends out a first message and when the probe switch receives the first message, it returns a second message to the originating switch. Each switch between the originating switch and the probe switch that receives the first and second messages configures itself to establish the connection path.

50 citations