Security alerting system with network blockade policy based on alert transmission activity

US 10,104,104 B1
Filed: 06/20/2013
Issued: 10/16/2018
Est. Priority Date: 06/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed by a server that is part of a network for processing alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, comprising:

determining if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;

determining whether said received buffer content comprises a replayed buffer content;

triggering, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and

restoring said blocked access of said host to said network when a valid buffer content is received from said host.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security alerting system is provided with a network blockage policy based on alert transmission activity. Alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource are processed by determining if a number of buffer contents received from the host within a predefined time interval satisfies a predefined criteria, the buffer content comprising one or more of the alert messages from the Security Alerting System; and blocking a network connection of the host if the number of buffer contents received from the host within the predefined time interval does not satisfy the predefined criteria. The blocked network connection of the host can optionally be restored when a valid buffer content is received from the host. The predefined criteria is based on the alerting activity of the host.

Citations

20 Claims

1. A method performed by a server that is part of a network for processing alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, comprising:
- determining if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
  
  determining whether said received buffer content comprises a replayed buffer content;
  
  triggering, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
  
  restoring said blocked access of said host to said network when a valid buffer content is received from said host.
- View Dependent Claims (2, 3, 4, 5, 16, 18)
- - 2. The method of claim 1, further comprising the step of issuing a heartbeat gap alert if a valid buffer content is not received from said host within a predefined time interval.
  - 3. The method of claim 1, wherein said predefined criteria comprises receiving one or more valid buffer contents from said host within said predefined time interval.
  - 4. The method of claim 1, wherein said blocking of said access of said host to said network is triggered when more than β
    - time intervals have elapsed without receiving a valid buffer content, for parameter setting β
      
      >
      
      |B|/τ
      
      , where |B| is a buffer size and τ
      
      denotes an estimate of a maximum number of alerts written by said host per time interval under non-adversarial conditions.
  - 5. The method of claim 1, wherein said predefined criteria is based on alerting activity of said host.
  - 16. The method of claim 1, wherein said blocking of said access of said host to said network is triggered when more than a predefined number of time intervals have elapsed without receiving a valid buffer content, where said predefined number of time intervals is based on a buffer size and an estimate of a maximum number of alerts written by said host per time interval under non-adversarial conditions.
  - 18. The method of claim 1, further comprising the step of filtering one or more redundant messages.

6. A non-transitory machine-readable recordable storage medium for storing one or more software programs implemented by a server that is part of a network for processing alert messages from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, wherein the one or more software programs when executed by one or more processing devices implement the following steps:
- determining if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
  
  determining whether said received buffer content comprises a replayed buffer content;
  
  triggering, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
  
  restoring said blocked access of said host to said network when a valid buffer content is received from said host.
- View Dependent Claims (12, 13, 14, 15, 19)
- - 12. The non-transitory machine-readable recordable storage medium of claim 6, further comprising the step of issuing a heartbeat gap alert if a valid buffer content is not received from said host within a predefined time interval.
  - 13. The non-transitory machine-readable recordable storage medium of claim 6, wherein said predefined criteria comprises receiving one or more valid buffer contents from said host within said predefined time interval.
  - 14. The non-transitory machine-readable recordable storage medium of claim 6, wherein said predefined criteria is based on alerting activity of said host.
  - 15. The non-transitory machine-readable recordable storage medium of claim 6, wherein said blocking of said access of said host to said network is triggered when more than β
    - time intervals have elapsed without receiving a valid buffer content, for parameter setting β
      
      >
      
      |B|/τ
      
      , where |B| is a buffer size and τ
      
      denotes an estimate of a maximum number of alerts written by said host per time interval under non-adversarial conditions.
  - 19. The non-transitory machine-readable recordable storage medium of claim 6, further comprising the step of filtering one or more redundant messages.

7. A server apparatus that is part of a network for processing an alert message from a Security Alerting System executing on a host indicating a potential compromise of a protected resource, the server apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to implement the following steps;
  
  determine if a number of buffer contents comprising said alert messages received from said host within a predefined time interval satisfies a predefined criteria, wherein said alert messages are generated by said Security Alerting System, wherein said number comprises only valid buffer contents received from said host;
  
  determining whether said received buffer content comprises a replayed buffer content;
  
  trigger, by said server, in response to said number of buffer contents comprising said alert messages received from said host within said predefined time interval failing to satisfy said predefined criteria, a blocking of access of said host to services of said network except for communications of said Security Alerting System executing on said host with said server; and
  
  restore said blocked access of said host to said network when a valid buffer content is received from said host.
- View Dependent Claims (8, 9, 10, 11, 17, 20)
- - 8. The server apparatus of claim 7, wherein said at least one hardware device is further configured to issue a heartbeat gap alert if a valid buffer content is not received from said host within a predefined time interval.
  - 9. The server apparatus of claim 7, wherein said predefined criteria comprises receiving one or more valid buffer contents from said host within said predefined time interval.
  - 10. The server apparatus of claim 7, wherein said blocking of said access of said host to said network is triggered when more than β
    - time intervals have elapsed without receiving a valid buffer content, for parameter setting β
      
      >
      
      |B|/τ
      
      , where |B| is a buffer size and τ
      
      denotes an estimate of a maximum number of alerts written by said host per time interval under non-adversarial conditions.
  - 11. The server apparatus of claim 7, wherein said predefined criteria is based on alerting activity of said host.
  - 17. The server apparatus of claim 7, wherein said blocking of said access of said host to said network is triggered when more than a predefined number of time intervals have elapsed without receiving a valid buffer content, where said predefined number of time intervals is based on a buffer size and an estimate of a maximum number of alerts written by said host per time interval under non-adversarial conditions.
  - 20. The server apparatus of claim 7, wherein said at least one hardware device is further configured to filter one or more redundant messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Juels, Ari, Triandopoulos, Nikolaos, Bowers, Kevin D.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Bell, Kalish

Application Number

US13/922,724
Time in Patent Office

1,944 Days
Field of Search

713168, 713150-152, 713160, 713161, 713176, 726 4, 726 22, 726 23, 726 25, 726 26
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2107   File encryption

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

Security alerting system with network blockade policy based on alert transmission activity

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security alerting system with network blockade policy based on alert transmission activity

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links