US2009313339A1PendingUtilityA1

Method and apparatus for tracing packets

Assignee: MILLIKEN WALTER CLARKPriority: Jun 19, 2000Filed: Oct 10, 2008Published: Dec 17, 2009
Est. expiryJun 19, 2020(expired)· nominal 20-yr term from priority
H04L 63/145H04L 51/212G06F 21/562
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS 1 ) and at least one router configured to operate as a source path isolation router (SR 1 ) operating within an autonomous system. When IDS detects a malicious packet, a message is sent to SS 1. SS 1 in turn generates a query message (QM) containing at least a portion of the malicious packet. Then, QM is sent to participating routers located one hop away. SR 1 uses the query message to determine if it has observed the malicious packet by comparing it with locally stored information about packets having passed through SR 1. SR 1 sends a reply to SS 1, and SS 1 uses the reply to identify the ingress point into the network of the malicious packet.

Claims

exact text as granted — not AI-modified
1 - 20 . (canceled) 
   
   
       21 . A system for determining a point of entry of a malicious packet into a network using a representation of the malicious packet, the system comprising:
 an intrusion detection system for detecting the malicious packet in the network; and   an isolation server responsive to operation of the intrusion detection system, for isolating the malicious packet;   wherein the system is operable such that the point of entry of the malicious packet is determined.   
   
   
       22 . The system of  claim 21  and wherein the isolation server further comprises: computer code for generating a message containing identification information about the malicious packet. 
   
   
       23 . The system of  claim 22  and wherein the isolation server further comprises: computer code for forwarding the message to certain of a plurality of routers displaced one hop away from the server. 
   
   
       24 . The system of  claim 23  and wherein the certain of the plurality of routers comprises:
 computer code for generating a hash value of the identification information;   computer code for establishing a bit map of hash values representative of those of packets which are transmitted through the certain of the plurality of routers; and   computer code for comparing the hash value against the hash values.   
   
   
       25 . A computer program product embodied on a computer readable medium for determining whether a target packet has been encountered in a network, comprising:
 computer code for sending a message identifying the target packet to at least one network component;   computer code for receiving a reply containing information associated with the target packet from the at least one network component; and   computer code for processing the reply to extract the information; and   computer code for using the information, wherein the computer program product is operable such that it is determined whether the target packet has been encountered in the network.   
   
   
       26 . The computer program product of  claim 25  and wherein a detection device is incorporated into a server including at least a portion of the computer code. 
   
   
       27 . The computer program product of  claim 25  and wherein the network further includes a host, the host including capability for placing packets onto the network. 
   
   
       28 . The computer program product of  claim 25  and wherein the computer code for sending operates to include the target packet into the message. 
   
   
       29 . The computer program product of  claim 25  and wherein the message comprises a representation of the target packet. 
   
   
       30 . The computer program product of  claim 29  and wherein the representation is a hash of at least a portion of the target packet. 
   
   
       31 . The computer program product of  claim 25  and wherein the at least one network component is located one hop away from a server. 
   
   
       32 . The computer program product of  claim 25  and wherein the at least one network component is located more than one hop away from a server. 
   
   
       33 . The computer program product of  claim 25  and wherein a first component of the at least one network component forwards the reply to another of the at least one network component. 
   
   
       34 . The computer program product of  claim 33  and wherein the first component is a router. 
   
   
       35 . The computer program product of  claim 25  and wherein the information is hash information derived from hashing at least a portion of the message to obtain a query hash value. 
   
   
       36 . The computer program product of  claim 25  and wherein the computer code for determining is accomplished using a source path isolation technique. 
   
   
       37 . The computer program product of  claim 36  and wherein the source path isolation technique includes a breadth-first search. 
   
   
       38 . The computer program product of  claim 36  and wherein the source path isolation technique includes a depth-first search. 
   
   
       39 . A method for determining whether a target packet has been encountered in a network, comprising:
 sending a message identifying the target packet to at least one network component;   receiving a reply containing information associated with the target packet from the at least one network component; and   processing the reply to extract the information; and   using the information, wherein it is determined whether the target packet has been encountered in the network.

Join the waitlist — get patent alerts

Track US2009313339A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.