Exploit-based worm propagation mitigation
Granted: August 23, 2011
Patent Number:
8006306
A system, method and computer program product for exploit-based worm detection and mitigation are disclosed. The system, method, and computer program product are configured to identify a signature representing content prevalent in network traffic, determine if the traffic including the signature exhibits propagation, determine if the traffic including the signature exhibits connectedness, and generate a worm signature based on the signature if the signature exhibits both connectedness…
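The four-step test in the abstract (prevalence, propagation, connectedness, then a signature) is easy to follow on a handful of flows. The script below is an added illustration written for this page, not code from the patent or its assignee; the flow records are constructed, the payload strings stand in for content fingerprints, and the thresholds (four sightings, three connected senders) are assumed values. The benign case is a single client fetching the same page from many hosts: its payload is just as prevalent as the worm's, but it neither propagates (the sender never received it) nor connects more than one sender, so no signature is emitted for it.

```python
from collections import Counter, defaultdict

# Constructed flow records (not from the patent): (time, src, dst, content).
# 'content' stands in for a content fingerprint taken from the packet payload;
# a real implementation would hash fixed-size payload substrings instead.
FLOWS = [
    # a chain: each newly infected host sends the same payload onward
    (1, "10.0.0.1", "10.0.0.2", "EXPLOIT-BLOB"),
    (2, "10.0.0.2", "10.0.0.3", "EXPLOIT-BLOB"),
    (3, "10.0.0.3", "10.0.0.4", "EXPLOIT-BLOB"),
    (4, "10.0.0.4", "10.0.0.5", "EXPLOIT-BLOB"),
    # a prevalent but benign payload: one client fetching the same page everywhere
    (1, "10.0.0.9", "10.0.0.1", "GET /index.html"),
    (2, "10.0.0.9", "10.0.0.2", "GET /index.html"),
    (3, "10.0.0.9", "10.0.0.3", "GET /index.html"),
    (4, "10.0.0.9", "10.0.0.4", "GET /index.html"),
]


def prevalent_content(flows, min_count):
    """Signatures seen in at least min_count flows (step 1: prevalence)."""
    counts = Counter(content for _, _, _, content in flows)
    return {c for c, n in counts.items() if n >= min_count}


def exhibits_propagation(flows, content):
    """True if some host that *received* the content later *sends* it (step 2)."""
    received_at = {}                      # host -> earliest time it received content
    for t, src, dst, c in sorted(flows):  # chronological order
        if c != content:
            continue
        if src in received_at and received_at[src] < t:
            return True
        received_at.setdefault(dst, t)
    return False


def exhibits_connectedness(flows, content, min_senders):
    """True if at least min_senders senders of the content lie in one connected
    component of the graph whose edges are the flows carrying it (step 3).
    A single client spraying one payload at many hosts has one sender and fails."""
    adj, senders = defaultdict(set), set()
    for _, src, dst, c in flows:
        if c == content:
            adj[src].add(dst)
            adj[dst].add(src)
            senders.add(src)
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:                      # plain DFS over the undirected graph
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node] - seen)
        best = max(best, len(component & senders))
    return best >= min_senders


def worm_signatures(flows, min_count=4, min_senders=3):
    """Step 4: emit a worm signature only when all three tests pass."""
    return sorted(c for c in prevalent_content(flows, min_count)
                  if exhibits_propagation(flows, c)
                  and exhibits_connectedness(flows, c, min_senders))


if __name__ == "__main__":
    print(worm_signatures(FLOWS))  # ['EXPLOIT-BLOB']
```

Prevalence alone would flag both payloads; it is the propagation and connectedness tests that separate an infection chain from a busy client, which is why the abstract requires all of them before a signature is generated.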
Establishing a split-terminated communication connection through a stateful firewall, with network transparency
Granted: July 19, 2011
Patent Number:
7984160
A method and apparatus are provided for establishing a split-terminated client-server communication connection through a stateful firewall, with network transparency. In an environment in which a pair of network intermediaries is employed to optimize client-server communications, a first intermediary intercepts a client request for a new connection. The first intermediary probes the network for a counterpart near the server, and opens an optimized communication session with a second…
Cooperative proxy auto-discovery and connection interception
Granted: May 31, 2011
Patent Number:
7953869
In a network supporting transactions between clients and servers and proxies that are interposable in a network path between at least one client and at least one server, wherein a pair of proxies can modify a packet stream between a client and a server such that packet data from the client to the server is transformed at a client-side proxy of the proxy pair and untransformed at a server-side proxy of the proxy pair, and such that packet data from the server to the client is transformed at…
Method and apparatus for grouping nodes based on connection characteristics
Granted: May 24, 2011
Patent Number:
7949737
Techniques for correlating different results of role grouping include receiving two sets of groupings of nodes on a network, the nodes grouped according to their connection characteristics, each set having associated identifications, and correlating the identifications of one set with those of the other so that the two groupings carry the same identifications when the member hosts of corresponding groups have nearly identical connection habits.
Flow logging for connection-based anomaly detection
Granted: April 19, 2011
Patent Number:
7929534
A plurality of flow collector devices is disposed to collect flow information on a network. Duplicate flow records received from the flow collectors are eliminated by determining whether a pair of flow records has the same source and destination flow identifiers and was received within a predefined time period. Non-duplicated flow records received from the plurality of flow collector devices are stored and used to produce a connection table that maps each node on the network to a…
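When several collectors see the same flow, the aggregator receives it more than once, and double counting would inflate every statistic in the connection table. The following added example (written for this page, not the patent's code) applies the rule in the abstract: two records with the same source and destination flow identifiers, here the 5-tuple, arriving within a fixed window are one flow. The records, the two-second window and the treatment of a repeated 5-tuple outside the window as a new flow (port reuse) are all assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the patent), as two collectors might
# export them: (collector, timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes)
RECORDS = [
    ("c1", 100.0, "10.0.0.5", 40001, "10.0.0.8", 80, "tcp", 1200),
    ("c2", 100.4, "10.0.0.5", 40001, "10.0.0.8", 80, "tcp", 1200),  # same flow, second vantage point
    ("c1", 101.0, "10.0.0.5", 40002, "10.0.0.8", 443, "tcp", 3000),
    ("c2", 102.0, "10.0.0.7", 53, "10.0.0.5", 5353, "udp", 90),
    ("c1", 110.0, "10.0.0.5", 40001, "10.0.0.8", 80, "tcp", 500),   # same 5-tuple, outside window: port reuse, new flow
]

DEDUP_WINDOW = 2.0   # seconds; assumed value, tune to the collectors' export jitter


def flow_id(rec):
    """Source and destination flow identifiers: the 5-tuple."""
    return rec[2:7]


def dedupe(records, window=DEDUP_WINDOW):
    """Drop a record when the same flow_id was already kept within `window` seconds."""
    kept, last_kept = [], {}
    for rec in sorted(records, key=lambda r: r[1]):   # process in time order
        fid, ts = flow_id(rec), rec[1]
        if fid in last_kept and ts - last_kept[fid] <= window:
            continue                                  # duplicate from another collector
        last_kept[fid] = ts
        kept.append(rec)
    return kept


def connection_table(records):
    """Map each node to a record summarising traffic to or from it."""
    table = defaultdict(lambda: {"peers": set(), "flows_out": 0, "bytes_out": 0, "bytes_in": 0})
    for _, _, src, _, dst, _, _, nbytes in records:
        table[src]["peers"].add(dst)
        table[src]["flows_out"] += 1
        table[src]["bytes_out"] += nbytes
        table[dst]["peers"].add(src)
        table[dst]["bytes_in"] += nbytes
    return dict(table)


if __name__ == "__main__":
    for node, rec in connection_table(dedupe(RECORDS)).items():
        print(node, rec)
```

Without the window, the record at t=110.0 would be merged into the t=100.0 flow and a genuinely new connection would vanish; with too wide a window, collectors that export at different cadences would still double count. The window is therefore a tuning parameter, not a constant.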
Content-based segmentation scheme for data compression in storage and transmission including hierarchical segment representation
Granted: December 14, 2010
Patent Number:
7852237
In a coding system, input data within a system is encoded. The input data might include sequences of symbols that repeat in the input data or occur in other input data encoded in the system. The encoding includes determining a target segment size, determining a window size, identifying a fingerprint within a window of symbols at an offset in the input data, determining whether the offset is to be designated as a cut point and segmenting the input data as indicated by the set of cut…
Rules-based transaction prefetching using connection end-point proxies
Granted: December 14, 2010
Patent Number:
7853699
Network proxies reduce server latency in response to a series of requests from client applications. Network proxies intercept messages between clients and a server. Intercepted client requests are compared with rules. When a client request matches a rule, additional request messages are forwarded to the server on behalf of the client application. In response to the additional request messages, the server provides corresponding response messages. A network proxy intercepts and caches the response…
Transaction accelerator for client-server communications systems
Granted: December 7, 2010
Patent Number:
7849134
In a network having transaction acceleration, for an accelerated transaction, a client directs a request to a client-side transaction handler that forwards the request to a server-side transaction handler, which in turn provides the request, or a representation thereof, to a server for responding to the request. The server sends the response to the server-side transaction handler, which forwards the response to the client-side transaction handler, which in turn provides the response to…
Service curve mapping
Granted: November 23, 2010
Patent Number:
7839781
A method for configuring service curves for managing the output port of a networking device includes the following steps. A multitude of traffic classes is defined, each traffic class being characterized by a bandwidth and a delay priority. A multitude of traffic service curves is computed, each associated with a different one of the traffic classes. At least one of the traffic service curves is characterized…
Device to protect victim sites during denial of service attacks
Granted: November 16, 2010
Patent Number:
7836498
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to…
Connection table for intrusion detection
Granted: November 2, 2010
Patent Number:
7827272
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores…
Feedback mechanism to minimize false assertions of a network intrusion
Granted: August 10, 2010
Patent Number:
7774839
A graphical user interface for an intrusion detection system is described. The graphical user interface includes a field that depicts a summary of anomalies identified as part of an event that is detected in a network, the summary indicating event severity details of the event, and an alert action region including a control to permit a user to snooze future alerts related to the event in the summary for a period of time.
System for selecting a proxy pair based on configurations of autodiscovered proxies on a network
Granted: August 3, 2010
Patent Number:
7769834
Network devices include proxies, and where multiple proxies are present on a network, they can probe to determine the existence of other proxies. Where more than two proxies are present and thus different proxy pairings are possible, the proxies are programmed to determine which proxies should form a proxy pair. Marked probe packets are used by proxies to discover each other, and probing is done such that a connection can eventually be formed even if some probe packets fail due to the marking.…
Role grouping of hosts in computer networks
Granted: July 27, 2010
Patent Number:
7764626
Techniques to assign nodes in a network to groups of nodes are described. The techniques include representing hosts in the network by property vectors that encode information about the hosts, identifying properties of the property vector by integers in the property vector for the host and determining proximity of hosts according to the property vectors and grouping the hosts according to the determined proximity.
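The abstract describes three steps: encode each host as an integer property vector, measure proximity between vectors, and group by proximity. The script below is an added example for this page, not the patent's implementation; the host properties are constructed, the encoding (one slot per port for services offered, a separate slot per port for services consumed), the Jaccard proximity measure and the 0.5 threshold are all assumptions. Keeping "serves port 80" and "uses port 80" in different slots is what lets a web server and the desktops that browse it land in different roles even though the same port number appears for both.

```python
# Constructed host properties (not from the patent): which ports a host answers
# on ("serves") and which destination ports it connects to ("uses").
HOSTS = {
    "web1":  {"serves": {80, 443},     "uses": {3306}},
    "web2":  {"serves": {80, 443},     "uses": {3306}},
    "web3":  {"serves": {22, 80, 443}, "uses": {3306}},
    "db1":   {"serves": {3306},        "uses": set()},
    "db2":   {"serves": {22, 3306},    "uses": set()},
    "desk1": {"serves": set(),         "uses": {25, 53, 80, 443}},
    "desk2": {"serves": set(),         "uses": {53, 80, 443}},
}
PORTS = sorted({p for h in HOSTS.values() for p in h["serves"] | h["uses"]})


def property_vector(host):
    """Encode a host as a vector of integers: one slot per known port for
    'serves', then one per port for 'uses', so serving 80 and using 80 differ."""
    return ([int(p in host["serves"]) for p in PORTS]
            + [int(p in host["uses"]) for p in PORTS])


def proximity(u, v):
    """Jaccard similarity of the set bits of two property vectors (1.0 = identical)."""
    both = sum(a & b for a, b in zip(u, v))
    either = sum(a | b for a, b in zip(u, v))
    return both / either if either else 1.0


def group_hosts(hosts, threshold=0.5):
    """Leader clustering: a host joins the first group whose leader is at least
    `threshold` close, otherwise it founds a new group. The result depends on
    the order hosts are visited; the threshold is an assumed value."""
    groups = []
    for name, props in hosts.items():
        vec = property_vector(props)
        for group in groups:
            if proximity(vec, group["leader"]) >= threshold:
                group["members"].append(name)
                break
        else:
            groups.append({"leader": vec, "members": [name]})
    return [g["members"] for g in groups]


if __name__ == "__main__":
    print(group_hosts(HOSTS))
```

A security use of the output is anomaly detection by role: a member of the "db" group that suddenly starts serving port 80, or a desktop that begins accepting inbound connections, changes its vector enough to fall out of its group, which is a cheap signal worth alerting on.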
Stackable aggregation for connection based anomaly detection
Granted: July 20, 2010
Patent Number:
7760653
A system includes a plurality of collector devices that are disposed to collect statistical information on packets that are sent between nodes on a network. The system also includes a stackable aggregator that receives network data from the plurality of collector devices, and which produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The stackable aggregator includes a manager blade, a database blade, and…
Thwarting source address spoofing-based denial of service attacks
Granted: June 22, 2010
Patent Number:
7743134
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to…
Denial of service attacks characterization
Granted: June 22, 2010
Patent Number:
7743415
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of data monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to…
Data segmentation using shift-varying predicate function fingerprinting
Granted: June 8, 2010
Patent Number:
7733910
Shift-varying segmentation uses a shift-varying predicate function to evaluate input data within a sliding window to determine if the current sliding window position should be a segment boundary. The shift-varying predicate function is a function of both the input data within the sliding window and the position of the sliding window relative to a previous segment boundary or the beginning of the input data. The shift-varying predicate function includes a containment property and may…
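The content-based segmentation scheme above (patent 7852237: fingerprint a window, decide whether the offset is a cut point, segment, then build a hierarchical representation) and the shift-varying predicate of this entry (patent 7733910) share the same machinery, so one added example serves both. It is written for this page and is not code from either patent; the rolling hash, the window and segment size constants, the form of the shift-varying predicate and the input data are all assumptions. The point a practitioner wants to see is the containment property: with the shift-varying rule the accepted fingerprint range widens with distance from the last cut until a cut is certain at MAX_SEG, so no segment can grow unbounded, while segments before an edit remain byte-identical and are found again by their hashes.

```python
import hashlib
import random

WINDOW = 16      # bytes covered by each fingerprint
MIN_SEG = 32     # no cut closer than this to the previous cut
TARGET = 64      # divisor on the fingerprint; controls the mean segment size
MAX_SEG = 256    # containment property: a cut is certain by this distance
BASE, MOD = 257, (1 << 31) - 1   # polynomial rolling hash parameters (assumed)


def fixed_predicate(fp, dist):
    """Shift-invariant cut rule: depends on the fingerprint alone, plus the
    min/max bounds. dist is the distance from the previous cut point."""
    if dist < MIN_SEG:
        return False
    return dist >= MAX_SEG or fp % TARGET == 0


def shift_varying_predicate(fp, dist):
    """Shift-varying cut rule: the accepted residue range widens as dist grows,
    from nothing at MIN_SEG to everything at MAX_SEG, so a cut becomes certain
    by MAX_SEG without a separate forced-cut rule."""
    if dist < MIN_SEG:
        return False
    threshold = TARGET * (dist - MIN_SEG) // (MAX_SEG - MIN_SEG)   # 0 .. TARGET
    return fp % TARGET < threshold


def segment(data, predicate=shift_varying_predicate):
    """Return (start, end) offsets of segments of `data`. The fingerprint tested
    at offset i covers data[i-WINDOW:i]; a cut at i makes i the next start."""
    segs, last_cut, fp = [], 0, 0
    pow_w = pow(BASE, WINDOW, MOD)
    for i, byte in enumerate(data):
        fp = (fp * BASE + byte) % MOD
        if i >= WINDOW:
            fp = (fp - data[i - WINDOW] * pow_w) % MOD   # drop the byte leaving the window
        offset = i + 1
        if WINDOW <= offset < len(data) and predicate(fp, offset - last_cut):
            segs.append((last_cut, offset))
            last_cut = offset
    segs.append((last_cut, len(data)))
    return segs


def leaf_hashes(data, predicate=shift_varying_predicate):
    """Hash of every segment: the names by which stored or transmitted data is reused."""
    return [hashlib.sha256(data[s:e]).digest() for s, e in segment(data, predicate)]


def group_hashes(hashes, fanout=4):
    """Hierarchical representation: leaf hashes are themselves grouped by a
    content-defined rule (a group closes on a hash whose first byte is
    divisible by fanout), so an unchanged run of leaves is named by one hash."""
    groups, current = [], []
    for h in hashes:
        current.append(h)
        if h[0] % fanout == 0:
            groups.append(hashlib.sha256(b"".join(current)).digest())
            current = []
    if current:
        groups.append(hashlib.sha256(b"".join(current)).digest())
    return groups


def shared_leaf_count(a, b, predicate=shift_varying_predicate):
    """How many leaf segments two inputs have in common (what dedup can reuse)."""
    return len(set(leaf_hashes(a, predicate)) & set(leaf_hashes(b, predicate)))


# Constructed input: pseudo-random bytes, then the same bytes with one byte inserted.
_rng = random.Random(7)
DATA = bytes(_rng.getrandbits(8) for _ in range(3000))
EDITED = DATA[:1500] + b"X" + DATA[1500:]

if __name__ == "__main__":
    print(len(segment(DATA)), "segments;", shared_leaf_count(DATA, EDITED), "shared after a 1-byte insert")
```

Note that the rolling hash here is a plain polynomial hash chosen for brevity; a production segmenter would use a proper Rabin fingerprint. Either way the security-relevant property is unchanged: because the hash only ever sees WINDOW bytes of context, an attacker who controls the input can craft data that never satisfies the predicate, and the containment bound (MAX_SEG) is what prevents that from producing an unbounded segment.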
Connection based detection of scanning attacks
Granted: May 11, 2010
Patent Number:
7716737
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores…
Port tracking on dynamically negotiated ports
Granted: April 27, 2010
Patent Number:
7706273
Techniques for tracking dynamically negotiated port connections in a network include collecting statistical information on packets that are sent between nodes on the network, inspecting packets of control connections to detect payload fragments that denote ephemeral port negotiation, and producing a mapping from an ephemeral connection flow_id to a control connection flow_id. The techniques also include checking the flow_id to see whether a flow record maps to a control connection.
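FTP is the classic case of a control connection that negotiates an ephemeral data port in its payload: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply or the client's "PORT h1,h2,h3,h4,p1,p2" command names the endpoint the data flow will use, and without tracking it the data flow looks like an unrelated connection to a random high port. The script below is an added example for this page, not the patent's implementation; the control-channel payloads and data flows are constructed, and the flow_id layout is an assumption.

```python
import re

# Server's passive-mode reply and client's active-mode command (RFC 959 formats).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)

# Constructed control-channel packets (not from the patent):
# (control_flow_id, payload); a flow_id is (src_ip, src_port, dst_ip, dst_port, proto).
CTRL = ("10.0.0.5", 51000, "10.0.0.8", 21, "tcp")
CONTROL_PACKETS = [
    (CTRL, "USER anonymous\r\n"),
    (CTRL, "227 Entering Passive Mode (10,0,0,8,195,80).\r\n"),   # server will listen on 10.0.0.8:50000
    (CTRL, "PORT 10,0,0,5,200,11\r\n"),                           # client will listen on 10.0.0.5:51211
]
# Constructed data flows observed afterwards.
DATA_FLOWS = [
    ("10.0.0.5", 51234, "10.0.0.8", 50000, "tcp"),   # passive-mode data connection
    ("10.0.0.8", 20, "10.0.0.5", 51211, "tcp"),      # active-mode data connection
    ("10.0.0.5", 51300, "10.0.0.8", 8080, "tcp"),    # unrelated traffic
]


def negotiated_endpoints(control_packets):
    """Inspect control-connection payloads and return
    {(listener_ip, listener_port): control_flow_id}."""
    endpoints = {}
    for control_fid, payload in control_packets:
        for regex in (PASV_RE, PORT_RE):
            m = regex.search(payload)
            if m:
                a, b, c, d, p_hi, p_lo = map(int, m.groups())
                endpoints[(f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo)] = control_fid
    return endpoints


def control_connection_for(flow_id, endpoints):
    """Return the control flow_id an ephemeral flow belongs to, or None.
    Either end of the flow may be the negotiated listener (PASV vs PORT)."""
    src_ip, src_port, dst_ip, dst_port, _ = flow_id
    for endpoint in ((dst_ip, dst_port), (src_ip, src_port)):
        if endpoint in endpoints:
            return endpoints[endpoint]
    return None


def map_ephemeral_flows(data_flows, endpoints):
    """Mapping from ephemeral connection flow_id to control connection flow_id."""
    mapping = {}
    for fid in data_flows:
        control = control_connection_for(fid, endpoints)
        if control is not None:
            mapping[fid] = control
    return mapping


if __name__ == "__main__":
    eps = negotiated_endpoints(CONTROL_PACKETS)
    for fid, control in map_ephemeral_flows(DATA_FLOWS, eps).items():
        print(fid, "->", control)
```

Two caveats a practitioner should keep in mind. First, the endpoint table must expire entries: an ephemeral port is reused, and a stale mapping would attach a later, unrelated flow to an old control connection. Second, this only works on a plaintext control channel; with FTPS or any other protocol that encrypts the control connection, the negotiation is invisible to the monitor and the data flows cannot be attributed by payload inspection at all.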