System and method for server based control
US-2018034912-A1 · Feb 1, 2018 · US
Method and device for intrusion detection in a computer network
US2021014257A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021014257-A1 |
| Application number | US-202016922232-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jul 7, 2020 |
| Priority date | Jul 10, 2019 |
| Publication date | Jan 14, 2021 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit being selected for sending the data packet or a copy as a function of data link layer information from the data packet and of a hardware address from a memory of the hardware switch unit. An actual value from a field of the data packet is compared by a hardware filter with a setpoint value for values from this field, the field including data link layer data or network layer data, and the data packet or a copy of the data packet being provided to a computing device as a function of a result of the comparison. The analysis for detecting an intrusion pattern in a network traffic in the computer network id carried out by the computing device.
First claim
Opening claim text (preview).
What is claimed is: 1 . A method for intrusion detection in a computer network, comprising the following steps: receiving a data packet at an input of a hardware switch unit; selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of data link layer information from the data packet and as a function of a hardware address; comparing, by a hardware filter, an actual value from a field of the data packet with a setpoint value for values from the field, the field including data link layer data or network layer data; and providing the data packet or the copy of the data packet to a computing device for analysis as a function of a result of the comparison, the analysis being an analyzing for detecting an intrusion pattern in a network traffic in the computer network and is carried out by the computing device as a function of information from the data packet. 2 . The method as recited in claim 2 , wherein the hardware filter includes a Ternary Content Addressable Memory in which a mask for the setpoint value is stored, the actual value being compared with the mask stored in the Ternary Content Addressable Memory, and wherein it is established as a function of the result of the comparison whether or not a deviation is present. 3 . The method as recited in claim 1 , wherein the setpoint value characterizes a hardware address from a memory of the hardware switch unit, the actual value being determined at the input or the output as a function of data from a hardware address field of a data packet. 4 . The method as recited in claim 1 , wherein the setpoint value characterizes a Medium Access Control address from a memory of the hardware switch unit, the actual value being determined at the input or the output as a function of data from a Medium Access Control address field of a data packet. 5 . The method as recited in claim 1 , wherein the setpoint value characterizes a Virtual Local Area Network, the setpoint value being determined from a memory of the hardware switch unit, the actual value being determined as a function of data, which characterize an association of a data packet at the input or the output with a Virtual Local Area Network. 6 . The method as recited in claim 1 , wherein presence of a deviation is detected, either when the hardware filter at the input or the output for a tagged Virtual Logical Area Network establishes an untagged Virtual Logical Area Network data packet, or when the hardware filter at the input or the output for an untagged Virtual Logical Area Network establishes a tagged Virtual Logical Area Network Data Packet. 7 . The method as recited in claim 1 , wherein presence of a deviation is detected when the hardware filter establishes the data packet at the input or the output having an unknown Ethernet type, or a false checksum, or a false packet length, or a false packet structure. 8 . The method as recited in claim 1 , wherein presence of a deviation is detected when: (i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) a Precision Time Protocol filter at the input or output establishes a Precision Time Protocol message, the content of which, including time stamp, sequence number, correction field, is stored at least temporarily in a register for context information. 9 . A device for intrusion detection in a computer network, comprising: a system on a chip system, which includes a hardware switch unit, a hardware filter, and a computing device, for the intrusion detection, the system on a chip system configured to: receive a data packet at an input of the hardware switch unit; select an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of data link layer information from the data packet and as a function of a hardware address; compare, by the hardware filter, an actual value from a field of the data packet with a setpoint value for values from the field, the field including data link layer data or network layer data; and provide the data packet or the copy of the data packet to the computing device for analysis as a function of a result of the comparison, the analysis being an analyzing for detecting an intrusion pattern in a network traffic in the computer network and is carried out by the computing device as a function of information from the data packet. 10 . The device as recited in claim 9 , wherein a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or a Dynamic Host Configuration Protocol filter, and/or a Transmission Control Protocol or User Datagram Protocol filter, and/or a Precision Time Protocol filter, is provided as a hardware filter to check the data packet for the intrusion detection and to provide the data packet or a copy of the data packet to the computing device for the intrusion detection as a function of the result of the check. 11 . A non-transitory computer-readable memory medium on which is stored a computer program for intrusion detection in a computer network, the computer program, when executed by a computer, causing the computer to perform or control the following steps: receiving a data packet at an input of a hardware switch unit; selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of data link layer information from the data packet and as a function of a hardware address; comparing, by a hardware filter, an actual value from a field of the data packet with a setpoint value for values from the field, the field including data link layer data or network layer data; and providing the data packet or the copy of the data packet to a computing device for analysis as a function of a result of the comparison, the analysis being an analyzing for detecting an intrusion pattern in a network traffic in the computer network and is carried out by the computing device as a function of information from the data packet.
Assignees
Inventors
Classifications
in the network layer [OSI layer 3], e.g. X.25 (H04L69/16 takes precedence) · CPC title
in the data link layer [OSI layer 2], e.g. HDLC · CPC title
specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Parsing or analysis of headers · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2021014257A1 cover?
- Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit being selected for sending the data packet or a copy as a function of data link layer information from the data packet and of a hardware address from a memory of the hardware switch unit. An actual value from a field of the data …
- Who is the assignee on this patent?
- Bosch Gmbh Robert
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Thu Jan 14 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).