Security alerting system with network blockade policy based on alert transmission activity
Abstract
A security alerting system is provided with a network blockage policy based on alert transmission activity. Alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource are processed by determining if a number of buffer contents received from the host within a predefined time interval satisfies a predefined criteria, the buffer content comprising one or more of the alert messages from the Security Alerting System; and blocking a network connection of the host if the number of buffer contents received from the host within the predefined time interval does not satisfy the predefined criteria. The blocked network connection of the host can optionally be restored when a valid buffer content is received from the host. The predefined criteria is based on the alerting activity of the host.
20 Claims
1. A method performed by a server that is part of a network for processing alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, comprising:
determining if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
determining whether said received buffer content comprises a replayed buffer content;
triggering, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
restoring said blocked access of said host to said network when a valid buffer content is received from said host.
Dependent claims: 2, 3, 4, 5, 16, 18
6. A non-transitory machine-readable recordable storage medium for storing one or more software programs implemented by a server that is part of a network for processing alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, wherein the one or more software programs when executed by one or more processing devices implement the following steps:
determining if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
determining whether said received buffer content comprises a replayed buffer content;
triggering, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
restoring said blocked access of said host to said network when a valid buffer content is received from said host.
Dependent claims: 12, 13, 14, 15, 19
7. A server apparatus that is part of a network for processing an alert message from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, the server apparatus comprising:
a memory; and
at least one hardware device, coupled to the memory, operative to implement the following steps:
determine if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
determining whether said received buffer content comprises a replayed buffer content;
trigger, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
restore said blocked access of said host to said network when a valid buffer content is received from said host.
Dependent claims: 8, 9, 10, 11, 17, 20
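The policy described by the abstract and by independent claims 1, 6 and 7 (count only valid, non-replayed buffers from a host within the time interval; if the count fails the criterion, block the host from network services except for its Security Alerting System channel to the server; restore access on the next valid buffer), shown as an added Python illustration. This is not code from the patent or its assignee. The patent does not say how a buffer is judged valid or how a replay is recognised; the HMAC tag over the buffer, the per-host monotonic sequence number, the `SERVER_ENDPOINT` address, the window and threshold values and the sample buffers are all assumptions made for this example.

```python
"""Added example: server-side blockade policy driven by alert-transmission activity."""
import hashlib
import hmac
import json
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed address of the alert server; the one destination a blocked host may still reach.
SERVER_ENDPOINT = ("10.0.0.5", 8443)


@dataclass(frozen=True)
class AlertBuffer:
    """One buffer of alert messages as the Security Alerting System would send it."""
    host: str
    seq: int        # assumed: per-host monotonically increasing, so a re-sent buffer is detectable
    alerts: tuple   # alert message strings carried in this buffer
    tag: bytes      # assumed: HMAC-SHA256 over (host, seq, alerts) under a per-host key


def _payload(host, seq, alerts):
    return json.dumps([host, seq, list(alerts)], separators=(",", ":")).encode()


def make_buffer(key: bytes, host: str, seq: int, alerts) -> AlertBuffer:
    """Build a buffer the way the host-side agent is assumed to (used here to construct samples)."""
    tag = hmac.new(key, _payload(host, seq, alerts), hashlib.sha256).digest()
    return AlertBuffer(host, seq, tuple(alerts), tag)


class BlockadePolicy:
    """Counts valid buffers per host in a sliding window and blocks/restores hosts."""

    def __init__(self, host_keys, window_s, min_buffers):
        self.host_keys = dict(host_keys)     # host -> shared key (assumed provisioning)
        self.window_s = window_s             # the predefined time interval
        self.min_buffers = min_buffers       # the predefined criterion: at least this many valid buffers
        self.valid_times = defaultdict(deque)  # host -> receipt times of valid, non-replayed buffers
        self.last_seq = defaultdict(int)     # host -> highest sequence number accepted so far
        self.blocked = set()
        self.actions = []                    # block/restore decisions handed to the enforcement point

    def receive(self, buf: AlertBuffer, now: float) -> str:
        """Classify an incoming buffer; only 'valid' outcomes count toward the criterion."""
        key = self.host_keys.get(buf.host)
        if key is None:
            return "unknown-host"
        expected = hmac.new(key, _payload(buf.host, buf.seq, buf.alerts), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, buf.tag):
            return "bad-tag"                 # forged or corrupted buffer: not valid, not counted
        if buf.seq <= self.last_seq[buf.host]:
            return "replay"                  # replayed buffer: not counted, cannot lift a block
        self.last_seq[buf.host] = buf.seq
        self.valid_times[buf.host].append(now)
        if buf.host in self.blocked:
            self._restore(buf.host)          # a valid buffer restores the blocked host
        return "valid"

    def _prune(self, host: str, now: float) -> int:
        q = self.valid_times[host]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return len(q)

    def evaluate(self, host: str, now: float) -> int:
        """Apply the criterion at time `now`; block the host if too few valid buffers arrived."""
        count = self._prune(host, now)
        if count < self.min_buffers and host not in self.blocked:
            self.blocked.add(host)
            # Block all services, but keep the SAS-to-server channel open so recovery is possible.
            self.actions.append({"action": "block", "host": host, "allow": [SERVER_ENDPOINT]})
        return count

    def _restore(self, host: str) -> None:
        self.blocked.discard(host)
        self.actions.append({"action": "restore", "host": host})


if __name__ == "__main__":
    # Constructed sample traffic: two valid buffers, a replay, silence, then a fresh valid buffer.
    key = b"k" * 32
    policy = BlockadePolicy({"h1": key}, window_s=60, min_buffers=2)
    policy.receive(make_buffer(key, "h1", 1, ["login-fail"]), now=0)
    second = make_buffer(key, "h1", 2, ["heartbeat"])
    policy.receive(second, now=10)
    print(policy.evaluate("h1", now=20), policy.blocked)   # 2 set()
    print(policy.receive(second, now=30))                  # replay
    print(policy.evaluate("h1", now=70), policy.blocked)   # 0 {'h1'}
    print(policy.receive(make_buffer(key, "h1", 3, ["ok"]), now=80), policy.actions)
```

The `actions` list stands in for whatever enforcement point (firewall, NAC, switch ACL) would apply the block; the only thing the example fixes is that the block carves out the server endpoint, which is what lets the next valid buffer reach the server and lift the block.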