Actively Slowing a CPU in Response to the Detection of a Signature String

IP.com Disclosure Number: IPCOM000112497D
Original Publication Date: 1994-May-01
Included in the Prior Art Database: 2005-Mar-27
Document File: 4 page(s) / 142K

Publishing Venue

IBM

Related People

Hershey, PC: AUTHOR [+6]

Abstract

This article describes methods for actively slowing the CPU of computers in a high speed network in response to detection of bit patterns that are recognized as potential security exposures. Within a single workstation or machine, the detection of certain bit patterns can result in a slowdown of the CPU to allow for further analysis of the potential security breach condition to determine whether there really is a problem. For example, if check digits comprising a Message Authentication Code (MAC) are appended to each message, then on the failure of a MAC to verify, the CPU could be slowed down on the assumption that the network was under some kind of intelligent attack.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 46% of the total text.

      This article describes methods for actively slowing the CPU of
computers in a high speed network in response to detection of bit
patterns that are recognized as potential security exposures.  Within
a single workstation or machine, the detection of certain bit
patterns can result in a slowdown of the CPU to allow for further
analysis of the potential security breach condition to determine
whether there really is a problem.  For example, if check digits comprising
a Message Authentication Code (MAC) are appended to each message,
then on the failure of a MAC to verify, the CPU could be slowed down
on the assumption that the network was under some kind of intelligent
attack.  This would both allow more time for further problem
diagnosis and possibly frustrate the intelligent interloper, causing
him/her/it to cease generating the problem.  The monitor searching
for undesirable patterns could be either non-adaptive or adaptive, as
described in the patent application.

      Fig. 1 is a block diagram of a digital filter which is the
fundamental building block of the pattern detector.  The digital
filter is composed of three elements: an N-bit wide address register,
an address decoder and a Random Access Memory (RAM).  The N-1 least
significant address output bits of the RAM are fed back as the N-1
most significant bits of the next address.  A single bit of a serial
input data stream serves as the least significant bit of the next
address.  The remaining RAM output bits are used as external output
lines.  (Analogous addressing schemes may also be implemented using a
parallel input data stream.  In this case, the N-k least significant
output bits of the RAM are fed back as the N-k most significant bits
of the next RAM address.  The next k bits of the parallel data stream
form the least significant k bits of the next RAM address.  For
simplicity, we shall consider only a serial input data stream.)

      The RAM is programmed to process the serial input string in the
manner defined by a finite state machine (FSM) implementation of the
desired function to be performed.  For example, the RAM might be
programmed to scan the high-speed input serial data stream for a
pre-defined bit pattern, then output a second pattern when the
pre-defined pattern is detected.  The RAM might also be programmed to
output an algorithmic function of the input data stream, like the
one's complement.  The contents of the RAM may be permanent (i.e.,
Read-Only Memory) or may be loaded by an external device at system
initialization time.
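
A software model of the serial digital filter described above, programmed to flag a pre-defined bit pattern. This is an added example, not code from the disclosure. The function names, the RAM word layout (a single external output line used as a match flag), the cleared initial register and the sample signature and stream are all assumptions made for illustration.

```python
def border(pattern, seen):
    """Length of the longest prefix of `pattern` that is a suffix of `seen`."""
    for k in range(min(len(pattern), len(seen)), 0, -1):
        if seen[-k:] == pattern[:k]:
            return k
    return 0


def program_ram(pattern, n_bits):
    """Build the 2**n_bits RAM words for an FSM that flags `pattern` (a '0'/'1' string).

    Assumed word layout: low n_bits-1 bits = next state (fed back),
    one bit above them = external output line, set when the pattern completes.
    """
    state_bits = n_bits - 1
    if state_bits < 1 or len(pattern) > (1 << state_bits):
        raise ValueError("address register too narrow for this pattern")
    ram = [0] * (1 << n_bits)  # unused addresses fall back to state 0, no output
    for state in range(len(pattern)):  # state = number of pattern bits matched so far
        for bit in "01":
            seen = pattern[:state] + bit
            hit = seen == pattern
            # After a hit, drop the first bit so overlapping occurrences still match.
            nxt = border(pattern, seen[1:] if hit else seen)
            ram[(state << 1) | int(bit)] = (int(hit) << state_bits) | nxt
    return ram


def run_filter(ram, n_bits, stream):
    """Clock a serial '0'/'1' stream through the filter; return hit bit positions."""
    state_bits = n_bits - 1
    feedback, hits = 0, []  # assumption: address register starts cleared
    for pos, bit in enumerate(stream):
        address = (feedback << 1) | int(bit)  # fed-back bits are MSBs, input bit is LSB
        word = ram[address]
        feedback = word & ((1 << state_bits) - 1)
        if word >> state_bits:  # external output line raised
            hits.append(pos)
    return hits


if __name__ == "__main__":
    SIGNATURE = "1011"     # constructed signature string
    STREAM = "0010110111"  # constructed serial input
    ram = program_ram(SIGNATURE, n_bits=3)
    print(run_filter(ram, 3, STREAM))
```

Each input bit costs exactly one RAM lookup regardless of the pattern, which is why the scheme suits a high-speed serial stream; the pattern length is bounded by the number of states the N-1 feedback bits can encode.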

      The ability of the FSM to implement a given algorithm depends
on the complexity of the algorithm.  If the algorithm's complexity is
such that the FSM is inadequate to implement it, then the FSM could
be combined with a microprocessor.  The microprocessor assists the
FSM with the computation of the chosen algorithm.  Therefore an F...