
HK1132078A - Malicious attack detection system and an associated method of use - Google Patents


Info

Publication number: HK1132078A
Authority: HK (Hong Kong)
Application number: HK09110039.3A
Prior art keywords: malicious attack, function, internet protocol, address, processor
Other languages: Chinese (zh)
Inventors: 李浩宰, 因德拉.古纳万.哈里乔诺, 普鲁达维.纳达.努奈伊, 尹雨热
Original assignee: 恒接信息科技公司
Application filed by 恒接信息科技公司; published as HK1132078A.


Description

Malicious attack detection system and related methods of use
Technical Field
The present invention relates to server protection, and in particular to an improved technique for detecting and preventing malicious attacks, such as denial of service ("DoS") and port scanning, on servers utilizing a global computer network, such as the internet, which preferably, but not necessarily, occurs at wire speed.
Background
Many organizations, such as companies, network their computers to share information. In addition, these organizations often wish to share at least some information with computers located outside their networks via websites through the use of global computer networks (e.g., the internet). This sharing of information external to the network is accomplished using a computer server that provides a connection to an external computer for networking with a global computer network, such as the internet.
Unfortunately, malicious computer users can use internet connections to interrupt network communications over the internet, access confidential data, or erase data. One example of such an attack is a denial of service ("DoS") attack, where an attacker attempts to deny a victim access to certain resources. Denial-of-service ("DoS") attacks can be implemented by a variety of methods including consuming and exhausting the processor (e.g., CPU), memory, and network connections of a server.
In order to establish a network connection, there must be a two-way communication or handshaking process between the external computer and the server. The basic network schematic is generally indicated by the numeral 1 in fig. 1. For example, an external (client) computer 2 sends a service request to a server via a network 6 (e.g., a global computer network). In response to these requests, the server allocates storage space and processing time, sends responses back to the computer and waits for the computer to reply. A malicious external computer 4 (i.e., an attacker) may send a large number of service requests to the server 3 but never reply to the server. Such external computers employ a general technique known as "IP address spoofing" 9 to insert IP addresses that appear legitimate or appear to come from a trusted source (computer). IP address spoofing 9 leads the server 3 to believe that many connections have been requested. The server 3 then waits for replies that it will never receive, while reserving and consuming memory and processing time. While waiting and still receiving additional data packets, the memory, processing space, or network connection of the server 3 is exhausted. Because too much memory is consumed, the server 3 will refuse to service any other legitimate requests 11 from any other legitimate external computer 2. Eventually, the requests become so numerous that not only can the server 3 no longer provide a connection to legitimate users, but it may also overflow and block the entire network, so that server communication via the internet is substantially shut down 8. This can result in loss of e-mail, internet access, and/or web server functionality.
When a malicious attacker pretends to act as a (legitimate) server 5, a further complication arises in that the legitimate external computer or user 2 is no longer responding because it is exhausted (and busy). The attacker 7 can thus request confidential data 12 from other legitimate computers or users 2, and the legitimate computers or users 2 are not necessarily aware of the attack 7 being made by the fake server 5, as shown in fig. 1.
Other examples of these attacks include flooding the server with a large number of data packets in order to consume all of the available bandwidth of the network, thereby denying legitimate users access to the network, or consuming available disk space by having the server execute many programs or scripts.
In addition, a malicious computer user can use port scanning to obtain information about the network communication ports, such as whether a port is open or closed, or which service or program is using the port. An attacker can check for weaknesses in the services using the ports and use them to gain access to the system, at which point the attacker can erase data or perform other malicious actions.
In the case of high-speed network traffic, it is crucial for the enterprise to detect malicious attacks and to protect the system from attacks in a timely manner. Wire-speed attack detection is very helpful not only for detecting attacks at the right moment, but also for stopping attacks at the earliest possible detection time. If not properly detected at the right time, the attack can not only penetrate the system and build up into a large-scale denial of service ("DoS") attack, but can also cause permanent data loss. The present invention is directed to overcoming one or more of the problems set forth above.
Disclosure of Invention
In accordance with one aspect of the present invention, the present invention includes a denial of service attack and/or port scan detection system for receiving an internet data packet ("TCP/IP" or "IP") and discarding the packet from a server if it is determined that the packet is attempting a denial of service attack or port scan. The packets are preferably, but not necessarily, dropped at wire speed. Wire speed is defined as follows: the processing time of a ("TCP/IP" or "IP") data packet that is required to detect a denial of service ("DoS") or port scan attack is less than or equal to the time from the entry of a single ("TCP/IP" or "IP") data packet into the system to the entry of the next ("TCP/IP" or "IP") data packet into the system. In other words, the denial of service ("DoS") and/or port scan detection process on the previous ("TCP/IP" or "IP") data packet must be successfully completed, under current wire speed conditions, by the time the next (adjacent) ("TCP/IP" or "IP") data packet arrives. Further, preferably, detection of such an attack comprises the system checking whether the source and destination addresses of incoming internet packets match the source and destination addresses of previously stored packets. The system counts the number of packets from the same source or destination IP address during a specified time threshold and prevents attacks by dropping the packets from the system if the count exceeds a certain threshold.
It is preferable, but not necessary, to have a wire-speed denial of service ("DoS") and/or port scan detector where the servers are deployed to service high bandwidth and high throughput environments, such as "server farm" configurations. The lack of wire speed detection allows many attackers to circumvent common and traditional detection techniques, because the attackers can also exhaust the detection system itself, or the detection system is forced to drop incoming ("TCP/IP" or "IP") data packets, causing significant packet loss and delay.
In accordance with another aspect of the present invention, a malicious attack detection system is disclosed. The system includes a header parsing function for receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address; a constraint filtering function for checking the header information for potential malicious attack conditions, wherein if a potential malicious attack condition exists, a constraint filtering result is generated; a comparison function that compares the internet protocol ("IP") addresses to determine whether the internet protocol ("IP") addresses have been previously received; a detection function for determining that, if the comparison function has determined that an internet protocol ("IP") address has been previously received, the constraint filtering result increments a count, and then determining whether the count exceeds a predetermined threshold within a predetermined threshold period of time; a control function for providing a control signal to drop at least one data packet from the system based on the detection function determining that the count exceeds the predetermined threshold within the predetermined threshold period of time; and at least one processor configured to provide the header parsing, constraint filtering, detection, and control functions.
In accordance with yet another aspect of the present invention, a malicious attack detection system is disclosed. The system includes a header parsing function to receive and parse a header frame of a data packet into header information and an internet protocol ("IP") address at wire speed; a constraint filtering function for checking the header information for potential malicious attack conditions at wire speed, wherein if a potential malicious attack condition exists, a constraint filtering result is generated, wherein the potential malicious attack condition is selected from a group consisting of a denial of service ("DoS") attack or a port scan, and wherein the constraint filtering function comprises a plurality of constraints that can be selectively activated; a comparison function that compares the internet protocol ("IP") address at wire speed to determine whether the internet protocol ("IP") address has been previously received; a detection function operating at wire speed for determining that, if the comparison function has determined that an internet protocol ("IP") address was previously received, the constraint filtering result increments a count, and then determining whether the count exceeds a predetermined threshold within a predetermined threshold period of time, wherein the detection function comprises a plurality of counters and a corresponding plurality of threshold counter values, and an associated time interval filtering function has a plurality of time intervals and a corresponding plurality of threshold time interval values; a control function operating at wire speed for providing a control signal to drop at least one data packet from the system based on the detection function determining that the count exceeds the predetermined threshold within the predetermined threshold period of time; at least one processor for providing the header parsing, constraint filtering, detection and control functions; and an interface associated with the at least one processor for providing control of the constraint filtering and control functions.
In accordance with yet another aspect of the present invention, a method for detecting a malicious attack with at least one processor is disclosed. The method comprises the following steps: receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address; checking the header information for a potential malicious attack condition, wherein if the potential malicious attack condition exists, a constraint filtering result is generated; comparing the internet protocol ("IP") addresses to determine whether an internet protocol ("IP") address has been previously received; determining, during the step of comparing internet protocol ("IP") addresses, whether an internet protocol ("IP") address has been previously received; counting the constraint filter results to determine whether the incremented count exceeds a predetermined threshold within a predetermined threshold time period; and discarding at least one data packet from the system based on the detection function determining that the count exceeds the predetermined threshold within the predetermined threshold time period.
In accordance with yet another aspect of the present invention, a method for detecting a malicious attack with at least one processor is disclosed. The method comprises the following steps: receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address at wire speed; checking the header information for potential malicious attack conditions at wire speed, wherein if a potential malicious attack condition exists, a constraint filtering result is generated by selectively activating a plurality of constraints, the potential malicious attack condition being selected from a group consisting of a denial of service ("DoS") attack or a port scan; comparing internet protocol ("IP") addresses at wire speed to determine whether an internet protocol ("IP") address has been previously received; determining, during the step of comparing the IP addresses, whether an internet protocol ("IP") address has been previously received at wire speed; counting the constraint filter results to determine whether the incremented count exceeds a predetermined threshold within a predetermined threshold time period; comparing the plurality of counters with the corresponding plurality of threshold counter values and the plurality of time intervals with the corresponding plurality of threshold time interval values; and, when the detection function determines that the count exceeds the predetermined threshold within the predetermined threshold time period, discarding at least one data packet from the system at wire speed.
These are merely some of the innumerable aspects of the present invention and should not be deemed an all-inclusive listing of the innumerable aspects associated with the present invention. These and other aspects will become apparent to those skilled in the art in view of the following disclosure and drawings.
Drawings
For a more complete understanding of the present invention, reference is made to the accompanying drawings, in which:
FIG. 1 illustrates a general schematic diagram of a computer network illustrating the concepts of a DoS attack, ("IP") Internet protocol address spoofing, fake servers, and other types of malicious attacks known in the art;
FIG. 2 illustrates a schematic diagram of a detection system in accordance with the present invention in the imminent presence of a malicious attack, i.e., denial of service and port scanning; and
FIG. 3 illustrates a flow chart of a process associated with an impending malicious attack, i.e., denial of service and port scanning, of a detection system in accordance with the present invention.
Detailed Description
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the present invention.
Referring to the drawings, FIG. 1 illustrates a schematic diagram of a malicious attack detection system, such as denial of service ("DoS") and port scanning, generally indicated by the numeral 10, in accordance with the present invention. In the present invention, a header frame is received, such as an "L2" frame commonly associated with Ethernet frames, as indicated by numeral 15, and then passed to a first-in-first-out ("FIFO") memory buffer, generally indicated by numeral 104.
This header frame is also simultaneously loaded into parsing block 20, which receives the header frame. The header frame is parsed within the parsing block 20 to identify the type of header frame, e.g., L2, and to locate the first byte of the other header frames (which together are synonymous with a "TCP/IP" data packet), e.g., an "L3" header associated with an internet protocol ("IP") header and an "L4" header associated with a transmission control protocol ("TCP") header. The parsing block 20 also locates other header information such as transmission control protocol ("TCP") flags and timing information. The destination internet protocol address ("DIP") and the source internet protocol address ("SIP") 52 are sent to a detection block, generally indicated by numeral 50. In the detection block 50, the destination internet protocol address ("DIP") and source internet protocol address ("SIP") 52 are sent to an internet protocol ("IP") address storage block 54.
The remaining header information 22, e.g., L2 and/or L3 and/or L4 header frames, as well as transmission control protocol ("TCP") flags and timing information, is sent to a constraint filter block, represented by numeral 30. The constraint filter block 30 checks the remaining header information 22 for potential malicious attacks such as denial of service ("DoS") and port scanning. Constraint filter block 30 can include a plurality of constraints, e.g., illustrative constraint 1, indicated by numeral 32, illustrative constraint 2, indicated by numeral 34, up to illustrative constraint N, indicated by numeral 36. In the constraint filter block 30, the filter conditions are activated and deactivated for each detection type by a processor interface block denoted by numeral 40. When one or more conditions are detected, constraint filter results 66 are generated and sent to a state machine control block 68 and a count accumulator comparison block (generally represented by numeral 72).
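The parsing step described above, as an added Python model written for this page (it is not the patent's own implementation, which is a hardware block): it locates the first byte of the L3 and L4 headers in a constructed Ethernet II / IPv4 / TCP frame, extracts the source and destination IP addresses, ports and TCP flags, handles an 802.1Q VLAN tag that shifts the L3 offset, and refuses truncated or malformed headers instead of guessing. The sample frame, its addresses and the dictionary field names are assumptions of the example.

```python
import struct

# Standard protocol constants (not values from the patent text)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def build_sample_frame(vlan_tagged=False):
    """Construct a sample Ethernet II / IPv4 / TCP SYN frame (made-up addresses)."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 100) if vlan_tagged else b""
    eth = dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, TCP_FLAG_SYN, 65535, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, sip, dip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return eth + ip + tcp


def parse_header_frame(frame):
    """Model of parsing block 20: find the L3/L4 header offsets, SIP/DIP and TCP flags.

    Returns None for non-IPv4 frames and raises ValueError on truncated or
    malformed headers, both of which a hardware parser would flag rather than guess about.
    """
    if len(frame) < 14:
        raise ValueError("truncated L2 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3_offset = 14
    if ethertype == ETHERTYPE_VLAN:  # 802.1Q tag shifts the L3 header by 4 bytes
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3_offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return None  # only IPv4 is modelled here
    if len(frame) < l3_offset + 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto,
     _csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[l3_offset:l3_offset + 20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    l4_offset = l3_offset + ihl  # first byte of the L4 header (IP options included)
    info = {
        "l3_offset": l3_offset, "l4_offset": l4_offset, "proto": proto,
        "sip": ".".join(str(b) for b in sip), "dip": ".".join(str(b) for b in dip),
        "total_len": total_len,
    }
    if proto == IPPROTO_TCP:
        if len(frame) < l4_offset + 14:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, _data_off, flags = struct.unpack(
            "!HHIIBB", frame[l4_offset:l4_offset + 14])
        info.update(sport=sport, dport=dport, tcp_flags=flags,
                    syn_only=(flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN)
    return info


if __name__ == "__main__":
    print(parse_header_frame(build_sample_frame()))
    print(parse_header_frame(build_sample_frame(vlan_tagged=True)))
```

The returned dictionary is the software counterpart of the two outputs of block 20: the SIP/DIP pair 52 that goes to the detection block, and the remaining header information 22 (offsets, ports, flags) that goes to the constraint filter block.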
The filter conditions are used to check for each type of imminent malicious attack, i.e., denial of service ("DoS") and port scan. The processor interface block 40 is electrically connected to the constraint filter block 30 and activates and deactivates the filter conditions by the type of detection. The detection block 50 is electrically connected to the header parsing block 20, the constraint filter block 30 and the processor interface block 40. The detection block 50 receives and stores the source and destination internet protocol ("IP") addresses received from the header parsing block 20. The detection block 50 also receives constraint filter results from the constraint filter block 30 and determines whether a threshold attack count is exceeded or a threshold time interval between attacks is exceeded.
Preferably, the detection block 50 includes a content-addressable memory ("CAM") lookup block 64. The CAM lookup block 64 is electrically connected to the header parsing block 20, receives the source and destination internet protocol ("IP") addresses 52 and looks them up to see if they have already been stored in the memory of the CAM lookup block 64. A content addressable memory ("CAM") is an integrated circuit capable of searching a list at high speed to provide corresponding results. Content addressable memory ("CAM") has a unique memory architecture of very dense integrated digital circuits that is capable of storing information at locations indexed by its content. To retrieve an entry, only its content needs to be supplied. Thus, compared to conventional retrieval techniques such as a linked list or hash table, retrieval by content requires only two cycles if implemented as a logical array. By its nature, CAM substantially speeds up the information retrieval process and can thus be used to discover denial of service ("DoS") and port scan attacks at high speed (e.g., wire speed). The CAM lookup block 64 is configured with a list of selector entries. These selector entries are associated with content carrying information. Each selector entry has a corresponding result. When the CAM lookup block 64 receives an input selector, it searches the list of selector entries for a match. Because each selector entry is compared to the input selector in parallel, the search is performed at high speed.
If the result of the lookup process is negative, an Internet protocol ("IP") address has not been previously received. If the result of the lookup process is positive, then there is a match and an Internet protocol ("IP") address was previously received. In either case, the match result 70 is sent to an Internet protocol ("IP") memory control block 56 and a count accumulation/comparison block 72.
The match results 70 and constraint filter results 66 are received by a count accumulate/compare block 72. There are a plurality of counters, such as illustrative counter 1, indicated by numeral 74, illustrative counter 2, indicated by numeral 78, up to illustrative counter N, indicated by numeral 82, where each counter is associated with a threshold comparison value, such as illustrative threshold comparison 1, indicated by numeral 76, illustrative threshold comparison 2, indicated by numeral 80, up to illustrative threshold comparison N, indicated by numeral 84. This threshold attack count value is set by the interface block 40. The count accumulation/comparison block 72 is electrically controlled and connected to a count threshold control per attack/attempt type 44 located in the processor interface block 40.
There is also a time interval filter block, indicated by numeral 90, that includes a plurality of time interval values, e.g., an illustrative time interval value 1, indicated by numeral 92, an illustrative time interval value 2, indicated by numeral 96, up to an illustrative time interval N, indicated by numeral 100. Each of the time interval values 92, 96, and 100 is associated with a threshold comparison value, e.g., illustrative threshold comparison 1, indicated by numeral 94, illustrative threshold comparison 2, indicated by numeral 98, up to illustrative threshold comparison N, indicated by numeral 102. The time interval filter block 90 is electrically controlled and connected to a time interval threshold control 46 per attack/attempt type located in the processor interface block 40.
The constraint filter result 66 causes the count in the count accumulation/comparison block 72 to be incremented according to the constraint type, and the time interval filter block 90 checks whether the incremented count exceeds the count threshold within the defined time interval. If the incremented count exceeds the threshold, then a comparison result and detection type 86 is generated and sent to a frame (e.g., header frame "L2") readout control block 88 and to the detection type report generator 48.
The frame (e.g., header frame "L2") readout control block 88 generates a readout control signal 89 that is used to discard the associated data packet in the frame discard block 106, i.e., the packet received from the previously mentioned first-in-first-out (FIFO) memory buffer 104. When a data packet with an associated header frame (e.g., "L2") is dropped, the detection frame report generator 49 is activated and reports 108 that the data packet with that particular header frame (e.g., "L2") has been dropped.
The previously mentioned internet protocol ("IP") address storage control block 56 receives the match result 70 from the CAM lookup block 64. The internet protocol ("IP") address storage control block 56 manages a predetermined, possibly limited, number of shared storage bins within the detection block 50 for storing internet protocol ("IP") addresses, according to a predetermined allocation algorithm (e.g., a linked list). The internet protocol ("IP") address storage control block 56 generates an assigned internet protocol ("IP") address 57, which is checked in the detection block 50. When the match result 70 from the CAM lookup block 64 is positive, meaning that the internet protocol ("IP") address was previously received, the assigned internet protocol ("IP") address 57 remains the same; when the match result 70 from the CAM lookup block 64 is negative, meaning that the internet protocol ("IP") address was not previously received, the value of the assigned address 57 is incremented to accommodate the new entry.
The internet protocol ("IP") address storage block 56 stores the received internet protocol ("IP") address at an address location provided by an assigned internet protocol ("IP") address 57. This allocated internet protocol ("IP") address 57 is provided to the previously mentioned internet protocol ("IP") address storage block 54. During the last half of the state, the update/reset address generation block 58 generates addresses to reset and update the contents of the CAM lookup block 64 with a command to erase an Internet protocol ("IP") address 60 or update an Internet protocol ("IP") address 62.
The state machine control block 68 is electrically connected to the constraint filter block 30 and receives the constraint filter results 66. The state machine control block 68 is also electrically connected to the CAM lookup block 64, the IP address storage control block 56, the internet protocol ("IP") address storage block 54, the update/reset address generation block 58, the count accumulation/comparison block 72, the time interval filter block 90, and the frame readout control block 88, and generates predetermined states to operate these blocks.
The detection block 50 checks for a match between the received source and destination internet protocol ("IP") addresses and increments the count according to the constraint filter results 66. When the count exceeds the count threshold within the time interval threshold, the detection block 50 generates a signal to drop the internet frame before it reaches the server network.
When the header parsing block 20 is receiving an internet data packet, this data packet is also received by the frame receiving block 104. The frame receive block 104 operates as a first-in-first-out memory buffer to store the internet frames during the detection process. The frame receive block 104 is electrically connected to a frame drop control block 106. The frame dropping control block 106 receives the internet data packet from the frame receiving block 104. The frame dropping control block 106 is also electrically connected to the detection block 50 via a frame (e.g., header frame "L2") readout control block 88 and receives the readout control signal 89. Depending on whether a denial of service ("DoS") or port scan attack is detected, the detection block 50 notifies the frame drop control block 106 whether the internet frame should be dropped or transmitted to a computer network on a global computer network (e.g., a server network), thereby preventing the attack.
Reference is now made to fig. 3, which is a schematic illustration of a denial of service ("DoS") attack or port scan detection process at wire speed (which is preferred but not required), and which is indicated generally by the numeral 200. In describing the flow diagrams, functional explanations labeled with a number in parentheses refer to the flow blocks bearing that number.
The general operation begins at step <202>. As also shown in fig. 2, the header frame is parsed within the parsing block 20, as shown at step <204>, to identify the type of header frame, e.g., L2, and to locate the first byte of the other header frames (which together are synonymous with a "TCP/IP" data packet), e.g., an "L3" header associated with an internet protocol ("IP") header and an "L4" header associated with a transmission control protocol ("TCP") header. The parsing block 20 also locates other header information such as transmission control protocol ("TCP") flags and timing information. Such header information 22 (e.g., L2 and/or L3 and/or L4 header frames) as well as transmission control protocol ("TCP") flags and timing information are parsed, represented by process step <206>, and sent to the constraint filter block, represented by numeral 30 in fig. 2 and by process step <208> in fig. 3.
A determination is then made whether a malicious attack condition is detected, such as a port scan or denial of service ("DoS") attack, as indicated by process step <212>. If this determination is negative, then the process returns to the beginning of the process, represented by process step <202>.
If the determination is positive and one or more conditions are detected, then constraint filter results 66 are generated and sent to the state machine control block 68 shown in FIG. 2 (process step <216> in FIG. 3). These constraint filter results are then sent to the count accumulator compare block 72 shown in fig. 2 (process step <220> in fig. 3).
At the same time, from process step <206>, the parsed destination internet protocol address ("DIP") and source internet protocol address ("SIP") 52 are sent to the detection block, generally indicated by numeral 50 in fig. 2 (process step <210> in fig. 3). In the detection block 50, the destination internet protocol address ("DIP") and source internet protocol address ("SIP") 52 are sent to the internet protocol ("IP") address storage block 54. Preferably, the detection block 50 includes a content addressable memory ("CAM") lookup block 64. The CAM lookup block 64 receives the source and destination internet protocol ("IP") addresses 52 and looks them up to see if they are already stored in the memory of the CAM lookup block 64, as shown in fig. 2. If the CAM lookup is negative, then the process returns to the beginning of the process, represented by process step <202>, as shown in FIG. 3. If the CAM lookup is affirmative, then the internet protocol ("IP") address storage control block 56 stores the received internet protocol ("IP") address at the address location provided by the assigned internet protocol ("IP") address 57, as shown in FIG. 2. This assigned internet protocol ("IP") address 57 is provided to the previously mentioned internet protocol ("IP") address storage block 54. During the last half of the state, the update/reset address generation block 58 generates addresses to reset and update the contents of the CAM lookup block 64 with a command to erase an internet protocol ("IP") address 60 or update an internet protocol ("IP") address 62. This processing step is illustrated by <218> in fig. 3. The CAM lookup results are then sent to the count accumulator compare block 72 shown in fig. 2 (process step <220> in fig. 3).
Thus, both the constraint filter results and the CAM lookup results are sent to the count accumulator comparison block 72 shown in FIG. 2, which is represented in FIG. 3 by process step <220>.
A determination is then made in the detection block 50, which also receives the constraint filter results from the constraint filter block 30, whether the threshold attack count is exceeded or whether the threshold time interval between attacks is exceeded, as shown in fig. 2 (process step <222> in fig. 3). If this determination is negative, then the process returns to the beginning of the process, represented by process step <202>. If this determination is positive, then the reporting function is activated using the detection type report generator 48 and/or the detection frame report generator 49, or via the processor interface block 40, which are shown in FIG. 2 (process step <224> in FIG. 3).
The frame receive block 104 operates as a first-in-first-out memory buffer to store the internet frames during the detection process, as shown in fig. 2. The frame receive block 104 is electrically connected to a frame drop control block 106. The frame drop control block 106 receives the internet data packet from the frame receive block 104. The frame drop control block 106 is also electrically connected to the detection block 50 via the frame (e.g., header frame "L2") readout control block 88 and receives the readout control signal 89. Depending on whether denial of service ("DoS") or port scanning is detected, the detection block 50 informs the frame drop control block 106 whether the internet frame should be dropped or transmitted to a computer network (e.g., a server network on a global computer network), thereby preventing an attack; this is process step <224>, where the frame is either passed or dropped. A new "L2" header frame is then received and the process returns to the beginning, as shown in fig. 3 at process step <202>. Preferably, but not necessarily, all of this is achieved at wire speed.
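To tie the block description of FIG. 2 and the flow of FIG. 3 together, the Python model below (an added example written for this page, not the patent's hardware) implements the detection block: an insertion-ordered dictionary stands in for the CAM lookup block 64 and its limited address bins, per-type constraints model the constraint filter block 30 and its constraints 32/34/36, per-(SIP, DIP) counters with a window start model the count accumulation/comparison block 72 and the time interval filter block 90, and set_active() models the processor interface block 40. The two constraint predicates (SYN without ACK for DoS; flag-less or FIN+PSH+URG probes for port scanning), the oldest-entry eviction policy, the threshold values and the traffic in simulate_syn_burst() are all assumptions of the example, not specifics given in the patent.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x08, 0x10, 0x20

# Input records model the output of the header parsing block: a dict with
# "sip", "dip", "proto", "dport", "tcp_flags" and "ts" (arrival time in seconds).


@dataclass
class Constraint:
    """One entry of the constraint filter block; activated per detection type."""
    name: str
    predicate: Callable[[dict], bool]
    count_threshold: int       # threshold counter value
    interval: float            # threshold time interval (seconds)
    active: bool = True


def syn_without_ack(h: dict) -> bool:
    """Illustrative DoS constraint (assumed): TCP SYN with ACK clear."""
    return h["proto"] == 6 and (h["tcp_flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def flagless_or_xmas(h: dict) -> bool:
    """Illustrative port-scan constraint (assumed): no flags, or FIN+PSH+URG together."""
    xmas = TCP_FIN | TCP_PSH | TCP_URG
    return h["proto"] == 6 and (h["tcp_flags"] == 0 or (h["tcp_flags"] & xmas) == xmas)


class WireSpeedDetector:
    """Software model of detection block 50 with its CAM lookup and counters."""

    def __init__(self, constraints: List[Constraint], cam_bins: int = 1024):
        self.constraints = {c.name: c for c in constraints}
        self.cam: "OrderedDict[Tuple[str, str], int]" = OrderedDict()  # (SIP, DIP) -> assigned slot
        self.cam_bins = cam_bins
        self.next_slot = 0  # models the assigned IP address 57 that grows with new entries
        self.counters: Dict[Tuple[Tuple[str, str], str], Tuple[int, float]] = {}  # -> (count, window start)
        self.dropped: List[Tuple[float, Tuple[str, str], str]] = []  # detection frame report

    def set_active(self, name: str, active: bool) -> None:
        """Processor interface: activate/deactivate a filter condition by type."""
        self.constraints[name].active = active

    def cam_lookup(self, key: Tuple[str, str]) -> bool:
        """True if the address pair was previously received; otherwise store it.

        Bins are limited; evicting the oldest entry is an assumption of this
        model (the patent only says a predetermined algorithm is used).
        """
        if key in self.cam:
            self.cam.move_to_end(key)
            return True
        if len(self.cam) >= self.cam_bins:
            evicted, _ = self.cam.popitem(last=False)
            for ck in [ck for ck in self.counters if ck[0] == evicted]:
                del self.counters[ck]  # reset counters tied to the erased entry
        self.cam[key] = self.next_slot
        self.next_slot += 1
        return False

    def process(self, h: dict) -> Tuple[str, Optional[str]]:
        """Return ("drop", detection type) or ("pass", None) for one parsed packet."""
        key = (h["sip"], h["dip"])
        seen = self.cam_lookup(key)
        hits = [c for c in self.constraints.values() if c.active and c.predicate(h)]
        if not seen or not hits:
            return ("pass", None)  # first sighting, or no constraint result
        for c in hits:
            count, start = self.counters.get((key, c.name), (0, h["ts"]))
            if h["ts"] - start > c.interval:  # time interval filter: window expired
                count, start = 0, h["ts"]
            count += 1
            self.counters[(key, c.name)] = (count, start)
            if count > c.count_threshold:
                self.dropped.append((h["ts"], key, c.name))
                return ("drop", c.name)
        return ("pass", None)


def default_detector(threshold: int = 5, interval: float = 1.0) -> WireSpeedDetector:
    """Detector with one DoS and one port-scan constraint (assumed thresholds)."""
    return WireSpeedDetector([
        Constraint("dos_syn_flood", syn_without_ack, threshold, interval),
        Constraint("port_scan_probe", flagless_or_xmas, threshold, interval),
    ])


def simulate_syn_burst(n: int = 8, spacing: float = 0.01) -> Tuple[List[str], WireSpeedDetector]:
    """Constructed traffic: n SYNs from one made-up address pair, 10 ms apart."""
    det = default_detector()
    actions = []
    for i in range(n):
        h = {"proto": 6, "sip": "198.51.100.7", "dip": "203.0.113.10",
             "dport": 80, "tcp_flags": TCP_SYN, "ts": i * spacing}
        actions.append(det.process(h)[0])
    return actions, det


if __name__ == "__main__":
    print(simulate_syn_burst()[0])
```

As in the patent, the first packet from an address pair only populates the CAM and is never counted; only later packets whose constraint results hit are counted, the count restarts once the threshold time interval has elapsed, and evicting a CAM entry also discards its counters, which is why a detector with too few bins can be made to forget an address pair.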
Thus, there have been shown and described various embodiments of a novel invention. It will be apparent from the foregoing that certain aspects of the invention are not limited by the particular details of the examples illustrated herein, and it is therefore contemplated that other modifications and applications, or equivalents thereof, will occur to those skilled in the art. The terms "having," "including," and similar terms as used in the foregoing description are used in the sense of "optionally" or "may include," and not "necessarily." Many changes, modifications, variations and other uses and applications of the subject application will, however, become apparent to those skilled in the art in view of the specification and the drawings. All such changes, modifications, variations, and uses and applications which do not depart from the spirit and scope of the invention are deemed to be covered by the invention, which is limited only by the claims which follow.

Claims (26)

1. A malicious attack detection system, comprising:
a header parsing function to receive and parse a header frame of a data packet into header information and an internet protocol ("IP") address;
a constraint filtering function for checking the header information for a potential malicious attack condition, wherein if the potential malicious attack condition exists, a constraint filtering result is generated;
a comparison function that compares the internet protocol ("IP") addresses to determine whether an internet protocol ("IP") address has been previously received;
a detection function for determining that, if the comparison function has determined that an internet protocol ("IP") address has been previously received, the constraint filtering result increments a count, and for then determining whether the count exceeds a predetermined threshold within a predetermined threshold period of time;
a control function for providing a control signal to drop at least one data packet from the system in response to the detection function determining that the count exceeds a predetermined threshold for a predetermined threshold period of time; and
at least one processor configured to provide the header parsing function, the constraint filtering function, the detection function, and the control function.
2. The malicious attack detection system according to claim 1, wherein the potential malicious attack condition includes a denial of service ("DoS") attack.
3. The malicious attack detection system according to claim 1, wherein the potential malicious attack condition includes a port scan.
4. The malicious attack detection system according to claim 1, wherein at least one of the header parsing function, the constraint filtering function, the detection function, and the control function is performed at wire speed.
5. The malicious attack detection system according to claim 1, wherein the constraint filtering function includes a plurality of constraints, the constraints being selectively activatable.
6. The malicious attack detection system according to claim 1, wherein the detection function includes a plurality of counters and a corresponding plurality of threshold counter value comparisons, and an associated time interval filtering function having a plurality of time intervals and a corresponding plurality of threshold time interval values.
7. The malicious attack detection system according to claim 1, wherein the header information is received by at least one first-in-first-out memory buffer.
8. The malicious attack detection system according to claim 1, further comprising an update and storage function provided by the at least one processor to revise the list of internet protocol ("IP") addresses used by the comparison function.
9. The malicious attack detection system according to claim 1, wherein the comparison function uses at least one content addressable memory ("CAM").
10. The malicious attack detection system according to claim 1, further comprising a reporting function provided by the at least one processor to provide a report of a type of imminent malicious attack prior to dropping the at least one data packet from the system, wherein the type of malicious attack is selected from a group consisting of a denial of service ("DoS") attack or a port scan.
11. The malicious attack detection system according to claim 1, further comprising a reporting function provided by the at least one processor operable to indicate at least one dropped data packet from the system.
12. The malicious attack detection system according to claim 1, further comprising an output function provided by the at least one processor to provide an indication of at least one dropped data packet from the system.
13. The malicious attack detection system according to claim 1, further comprising an interface associated with the at least one processor for providing control over the constraint filtering function and the detection function.
14. The malicious attack detection system according to claim 1, further comprising an interface associated with the at least one processor for providing control over the constraint filtering function and the control function, and further comprising a first reporting function for providing a first report of a type of imminent malicious attack prior to dropping at least one data packet from the system, wherein the type of malicious attack is selected from the group consisting of a denial of service ("DoS") attack or a port scan, and further comprising a second reporting function operable to indicate the at least one data packet dropped from the system, wherein the first and second reporting functions are providable by the at least one processor.
15. A malicious attack detection system, comprising:
a header parsing function for receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address at a wire speed;
a constraint filtering function for checking the header information for potential malicious attack conditions at wire speed, wherein if a potential malicious attack condition exists, a constraint filtering result is generated, wherein the potential malicious attack condition is selected from a group consisting of a denial of service ("DoS") attack or a port scan, wherein the constraint filtering function comprises a plurality of constraints that can be selectively activated;
a comparison function to compare the internet protocol ("IP") addresses at wire speed to determine if an internet protocol ("IP") address has been previously received;
a detection function operating at wire speed for determining that the constraint filtering result increments a count if the comparison function has determined that an internet protocol ("IP") address was previously received, and for then determining whether the count exceeds a predetermined threshold within a predetermined threshold time period, wherein the detection function includes a plurality of counters and a corresponding plurality of threshold counter value comparisons and an associated time interval filter function having a plurality of time intervals and a corresponding plurality of threshold time interval values;
a control function operating at the wire speed for providing a control signal to drop at least one data packet from the system in response to the detection function determining that the count exceeds a predetermined threshold for a predetermined threshold period of time;
at least one processor configured to provide the header parsing function, constraint filtering function, detection function, and control function; and
an interface associated with the at least one processor for providing control of the constraint filtering function and the control function.
16. A method of detecting a malicious attack with at least one processor, comprising:
receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address;
checking the header information for potential malicious attack conditions, wherein if the potential malicious attack conditions exist, a constraint filtering result is generated;
comparing internet protocol ("IP") addresses to determine whether an internet protocol ("IP") address has been previously received;
determining whether an internet protocol ("IP") address has been previously received during the step of comparing the IP addresses;
determining a number of constraint filter results to determine whether the incremented count exceeds a predetermined threshold within a predetermined threshold time period; and
dropping at least one data packet from the system in response to a determination by the detection function that the count exceeds a predetermined threshold within a predetermined threshold period of time.
17. The method for detecting a malicious attack with at least one processor according to claim 16, wherein the potential malicious attack condition includes a denial of service ("DoS") attack.
18. The method for detecting a malicious attack with at least one processor according to claim 16, wherein the potential malicious attack condition includes a port scan.
19. The method for detecting a malicious attack with at least one processor according to claim 16, wherein the detecting of the malicious attack with the at least one processor is performed at wire speed.
20. The method for detecting a malicious attack with at least one processor according to claim 16, further comprising selectively activating a plurality of constraints after determining the number of constraint filter results.
21. The method of detecting a malicious attack with at least one processor according to claim 16, wherein determining the number of constraint filter results to determine whether the incremented count exceeds the predetermined threshold within the predetermined threshold time period includes utilizing a plurality of counters and a corresponding plurality of threshold counter value comparisons and a plurality of time intervals and a corresponding plurality of threshold time interval values.
22. The method for detecting a malicious attack with at least one processor according to claim 16, further comprising receiving the header information with at least one first-in-first-out memory buffer.
23. The method for detecting a malicious attack with at least one processor according to claim 16, further comprising updating and storing a list of internet protocol ("IP") addresses.
24. The method of detecting a malicious attack with at least one processor according to claim 16, wherein comparing internet protocol ("IP") addresses to determine whether an internet protocol ("IP") address has been previously received includes: at least one content addressable memory ("CAM") is utilized.
25. The method for detecting a malicious attack with at least one processor according to claim 15, further comprising at least one of: the method includes generating a first report of a type of malicious attack prior to dropping at least one data packet from the system, generating a second report indicating the at least one data packet dropped from the system, and generating an output indicating the at least one data packet dropped from the system.
26. A method of detecting a malicious attack with at least one processor, comprising:
receiving and parsing a header frame of a data packet into header information and an internet protocol ("IP") address at a wire speed;
checking the header information for potential malicious attack conditions at wire speed, wherein if a potential malicious attack condition exists, generating a constraint filtering result by selectively activating a plurality of constraints, and selecting the potential malicious attack condition from a group consisting of a denial of service ("DoS") attack or a port scan;
comparing internet protocol ("IP") addresses at the wire speed to determine whether an internet protocol ("IP") address has been previously received;
determining, at the wire speed, whether an internet protocol ("IP") address has been previously received during the step of comparing the IP addresses;
determining a number of constraint filter results at the wire speed to determine whether the incremented count exceeds a predetermined threshold within a predetermined threshold time period; and
comparing a plurality of counters with a corresponding plurality of threshold counter values and a plurality of time intervals with a corresponding plurality of threshold time interval values, and, upon the detection function determining that the count exceeds a predetermined threshold within a predetermined threshold time period, dropping at least one data packet from the system at wire speed.
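The claimed detection method (claims 1 and 16 above), as an added software model that is not the patent's own implementation: the constraint names, thresholds, and sample frames are constructed assumptions, and a Python set stands in for the content addressable memory of previously received IP addresses.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Header:          # parsed header information (constructed fields)
    src_ip: str
    dst_port: int
    syn: bool
    ack: bool
    ts: float          # receive time in seconds

# Selectively activatable constraints (claim 5); True marks a potential attack condition.
CONSTRAINTS = {
    "syn_without_ack": lambda h: h.syn and not h.ack,  # SYN-flood style DoS indicator
    "privileged_port": lambda h: h.dst_port < 1024,    # crude port-scan indicator
}

class Detector:
    def __init__(self, threshold, window, active=("syn_without_ack",)):
        self.threshold = threshold       # threshold counter value
        self.window = window             # threshold time interval in seconds
        self.active = active             # which constraints are switched on
        self.seen = set()                # stands in for the CAM of known IP addresses
        self.hits = defaultdict(deque)   # per-IP timestamps of constraint filter results

    def process(self, h):
        """Return the control signal, 'pass' or 'drop', for one header frame."""
        result = any(CONSTRAINTS[c](h) for c in self.active)  # constraint filtering
        previously_received = h.src_ip in self.seen           # comparison function
        self.seen.add(h.src_ip)                               # update and storage (claim 8)
        if not (previously_received and result):
            return "pass"
        q = self.hits[h.src_ip]
        q.append(h.ts)
        while h.ts - q[0] > self.window:   # time interval filtering: forget stale results
            q.popleft()
        return "drop" if len(q) > self.threshold else "pass"

def run(headers, threshold=3, window=1.0):
    d = Detector(threshold, window)
    return [d.process(h) for h in headers]

# Constructed sample: six SYN-only frames from one source within 0.5 s, an unrelated
# handshake frame, then one more SYN-only frame after the time window has expired.
SAMPLE = [Header("10.0.0.5", 80, True, False, i * 0.1) for i in range(6)]
SAMPLE += [Header("10.0.0.9", 80, True, True, 0.35), Header("10.0.0.5", 80, True, False, 2.0)]

if __name__ == "__main__":
    print(run(SAMPLE))  # ['pass', 'pass', 'pass', 'pass', 'drop', 'drop', 'pass', 'pass']
```

The first frame from a source only registers its address; only later frames that match an active constraint are counted, and results older than the window no longer contribute to the count.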
HK09110039.3A 2006-04-17 2007-04-13 Malicious attack detection system and an associated method of use HK1132078A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/279,979 2006-04-17

Publications (1)

Publication Number Publication Date
HK1132078A true HK1132078A (en) 2010-02-12
