News Column

Patent Issued for Multi-Layered Application Classification and Decoding

August 5, 2014



By a News Reporter-Staff News Editor at Life Science Weekly -- A patent by the inventors Yang, Siying (Burlingame, CA); Narayanaswamy, Krishna (San Jose, CA), filed on February 6, 2012, was published online on July 22, 2014, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents (see also Juniper Networks, Inc.).

Patent number 8789180 is assigned to Juniper Networks, Inc. (Sunnyvale, CA).

The following quote was obtained by the news editors from the background information supplied by the inventors: "A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.

"Conventional techniques for detecting network attacks use pattern matching. In particular, an intrusion detection system (IDS) device applies regular expressions or sub-string matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDS may attempt to identify the type of software application and protocol associated with the data stream. Based on the identification, the IDS selects the appropriate patterns to apply in order to detect a network attack, which is used herein to include viruses or other malicious activity.

"Conventionally, many IDSs associate applications with a static port assignment and use these static port assignments to determine the type of application and protocol associated with a given data stream. Likewise, conventionally a single application operates at the application layer, or layer seven (L7), of the Open Systems Interconnection (OSI) networking model. However, certain software applications now employ dynamic or randomized port assignments rather than conforming to the static port assignments; for example, hacker toolkits may use dynamic port assignments in order to evade detection and containment. Moreover, certain L7 software applications, such as Kazaa.TM. and Yahoo!.RTM. Messenger, utilize other L7 protocols, such as the HyperText Transfer Protocol (HTTP), as transport applications; that is, multiple software applications may concurrently operate within L7 as a 'stack' of software applications."

In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors' summary information for this patent: "In general, the invention is directed to techniques for detecting and preventing network attacks, such as buffer overflow attacks, network viruses or other malicious activity. More specifically, improved techniques are described herein for identifying the software application and protocol associated with a data stream processed by an intrusion detection system (IDS). For example, as described herein, an IDS capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data when multiple applications are operating at the application layer, or layer seven (L7), of a network. In this way, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport.

"Certain applications, such as Kazaa and Yahoo! Messenger (YMSG), may use another L7 application, such as the HyperText Transfer Protocol (HTTP) or Microsoft's implementation of the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS), as a transport layer-like application for transporting application data. The IDS may use various signatures to differentiate, for example, pure HTTP communications, Kazaa-HTTP communications, and YMSG-HTTP communications. The IDS may also use various signatures to detect an application operating over various transports, for example, Kazaa over TCP, Kazaa over UDP, or Kazaa over HTTP over TCP. Other examples include SMB over NETBIOS over TCP, MS AT Scheduler over Microsoft Remote Procedure Calls (MSRPC) over SMB over NETBIOS over TCP, MS AT Scheduler over MSRPC over TCP, MSRPC over SMB over NETBIOS over TCP/139, MSRPC over TCP/135, Microsoft Exchange Directory Service over MSRPC over dynamic TCP port, and Microsoft Workstation Service over MSRPC over SMB over NETBIOS over TCP/139.

"In this manner, the corresponding packet flow may be viewed as a tunneled packet flow in which application data for one application is encapsulated within application data for a different software application. Upon detecting that one type of software application and application layer communication protocol is utilizing another type of software application and application-layer communication protocol as a transport mechanism, the IDS selects an appropriate stack of protocol decoders to decode the tunneled packet flow.

"The IDS may continue to analyze the identity of applications over a communication stream even after the IDS has positively identified one application. Multiple applications may operate within a single application-layer data stream. For example, a single HTTP stream could include pure HTTP data, Kazaa data, and YMSG data. Thus the IDS may continuously monitor the HTTP stream to determine the applications operating over that HTTP stream. The IDS may divide a data stream, such as an HTTP data stream, into a sequence of blocks and attempt to identify an application associated with each block. The IDS may also apply attack signatures to each block to determine whether the block represents malicious data. The IDS may select the attack signatures in accordance with the identification of the application, as various applications may have unique vulnerabilities.

"In one embodiment, a method comprises receiving, with a network device, a packet flow within a network. The method further comprises performing an initial analysis of the packet flow to identify of a first type of software application and application-layer communication protocol associated with the packet flow, and determining whether a second type of software application and application-layer communication protocol is using the first type of software application and application-layer communication protocol as a data transport. When the second type of software application and application-layer communication protocol is using the first type of software application and application-layer communication protocol as a data transport, a subsequent analysis of the packet flow is performed to identify the second type of software application and application-layer communication protocol. A plurality of application-layer decoders are then applied to extract application-layer data for the identified second type of software application encapsulated within the application-layer data associated with the first type of software application. A set of one or more patterns is applied to the extracted application-layer data to determine whether the packet flow represents a network attack. The packet flow is forwarded when the packet flow does not represent a network attack.

"In another embodiment, an intrusion detection system includes a flow analysis module to receive a packet flow, a forwarding component to transmit the packet flow, an application identification module, a plurality of protocol decoders, and a stateful inspection engine. The application identification module is configured to: (i) perform an initial identification of a first type of software application and application-layer communication protocol associated with the packet flow, (ii) to perform a subsequent identification of a second type of software application and application-layer communication protocol, and (iii) to determine whether the second type of application-layer software application and communication protocol is using the first type of application-layer software application and communication protocol as a data transport. The plurality of protocol decoders include a first protocol decoder that is applied to the packet flow to extract first application-layer data for the identified first type of software application and application-layer communication protocol. A second protocol decoder is applied to the first application-layer data to extract second application-layer data for the second type of software application and application-layer communication protocol. The stateful inspection engine applies one or more sets of patterns to the first application-layer data and the second application-layer data to determine whether the packet flow represents a network attack.

"In another embodiment, a computer-readable medium contains instructions to perform the functions described herein. The computer-readable medium may be a computer-readable storage medium, such as a hard disk, random access memory (RAM), read only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electronically erasable PROM (EEPROM), flash memory, a compact disc read-only media (CD-ROM), flash memory, or other suitable storage medium. The instructions cause a processor to receive, with a network device, a packet flow within a network, perform an initial analysis of the packet flow to identify of a first type of software application and application-layer communication protocol associated with the packet flow, determine whether a second type of software application and application-layer communication protocol is using the first type of software application and application-layer communication protocol as a data transport, apply a plurality of different decoders to the packet flow to extract from the packet flow application-layer data for the identified second type of software application and application-layer communication protocol that is encapsulated within application-layer data associated with the first type of software application and application-layer communication protocol, and apply a set of patterns to the extracted application-layer data to determine whether the packet flow represents a network attack.

"The techniques described herein may provide several advantages. For example, the techniques described herein may improve the efficiency and accuracy of identification of applications in order to effect intrusion detection and/or intrusion prevention. Likewise, detection of applications that use various means for transporting communications may become possible. For example, the techniques may enable detection of layered software applications at the application layer (L7) of a network. Moreover, the techniques may be applied without radically changing certain IDSs. For example, in some cases, the techniques may be applied by merely updating the software of an IDS without changing the associated hardware. As another example, the techniques may identify malicious packet flows more quickly by identifying the type of application and protocol and tailoring signatures to fit the protocol(s) of that application. Moreover, other systems or devices that identify applications may use the techniques described herein, such as an intrusion prevention system (IPS).

"The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims."

URL and more information on this patent, see: Yang, Siying; Narayanaswamy, Krishna. Multi-Layered Application Classification and Decoding. U.S. Patent Number 8789180, filed February 6, 2012, and published online on July 22, 2014. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8789180.PN.&OS=PN/8789180RS=PN/8789180

Keywords for this news article include: Software, Juniper Networks Inc..

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Life Science Weekly


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters