Systems and methods for preventing internal network attacks

US 10,169,575 B1
Filed: 03/14/2012
Issued: 01/01/2019
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for preventing internal network attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a subnet of a network, the subnet comprising at least an endpoint host system and an additional endpoint host system;

detecting an intrusion on the endpoint host system, the intrusion on the endpoint host system having bypassed a security feature implemented on a gateway for obstructing attacks across the gateway on systems within the subnet from outside the subnet and thus having breached the network into the subnet and thus being capable of facilitating an internal network attack via the endpoint host system on another endpoint system within the subnet;

implementing a security measure on the additional endpoint host system to prevent the internal network attack based at least in part on detecting the intrusion that breached the network into the subnet and at least in part on the endpoint host system and additional endpoint host system being within the subnet,wherein the security measure comprises a firewall restriction that is implemented on the additional endpoint host system and that regulates network traffic within the subnet between the endpoint host system and the additional endpoint host system, the firewall restriction is implemented by an agent on the additional endpoint host system, thereby employing resources of the additional endpoint host system to prevent the internal network attack beyond resources provided by the endpoint host system and the gateway, andwherein implementing the security measure comprises increasing an aggressiveness of a malware detection policy on the additional endpoint host system and performing a scan for malware on the additional endpoint host system based on the malware detection policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for preventing internal network attacks may include 1) identifying a host system that is within a subnet of a network, 2) detecting an intrusion on the host system, the intrusion on the host system being capable of facilitating an attack via the host system on at least one additional system of the network, 3) identifying at least one additional host system within the subnet of the network, and 4) implementing a security measure on the additional host system to prevent the attack based at least in part on detecting the intrusion and at least in part on the host system and additional host system being within the subnet. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for preventing internal network attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a subnet of a network, the subnet comprising at least an endpoint host system and an additional endpoint host system;
  
  detecting an intrusion on the endpoint host system, the intrusion on the endpoint host system having bypassed a security feature implemented on a gateway for obstructing attacks across the gateway on systems within the subnet from outside the subnet and thus having breached the network into the subnet and thus being capable of facilitating an internal network attack via the endpoint host system on another endpoint system within the subnet;
  
  implementing a security measure on the additional endpoint host system to prevent the internal network attack based at least in part on detecting the intrusion that breached the network into the subnet and at least in part on the endpoint host system and additional endpoint host system being within the subnet,wherein the security measure comprises a firewall restriction that is implemented on the additional endpoint host system and that regulates network traffic within the subnet between the endpoint host system and the additional endpoint host system, the firewall restriction is implemented by an agent on the additional endpoint host system, thereby employing resources of the additional endpoint host system to prevent the internal network attack beyond resources provided by the endpoint host system and the gateway, andwherein implementing the security measure comprises increasing an aggressiveness of a malware detection policy on the additional endpoint host system and performing a scan for malware on the additional endpoint host system based on the malware detection policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein:
    - detecting the intrusion comprises receiving a message from an endpoint agent on the endpoint host system identifying the intrusion;
      
      implementing the security measure comprises transmitting an instruction to an additional endpoint agent on the additional endpoint host system to implement the security measure.
  - 3. The computer-implemented method of claim 1,wherein implementing the security measure comprises relocating a security endpoint agent on the additional endpoint host system to a secure location.
  - 4. The computer-implemented method of claim 1, wherein implementing the security measure comprises adding the firewall restriction to the additional endpoint host system.
  - 5. The computer-implemented method of claim 1, further comprising:
    - identifying a server on the network configured with a first security policy for server transactions not originating from the subnet and a second security policy for server transactions originating from the subnet;
      
      modifying the second security policy to add at least one restriction on server transactions based at least in part on detecting the intrusion.
  - 6. The computer-implemented method of claim 1, wherein the subnet comprises a plurality of host systems connected to the network via the gateway, the gateway comprising the security feature for obstructing the intrusion across the gateway.
  - 7. The computer-implemented method of claim 1:
    - wherein detecting the intrusion comprises determining that the intrusion cannot be automatically remediated by a security system;
      
      further comprising alerting an administrator of the intrusion;
      
      wherein implementing the security measure comprises preventing the internal network attack until the intrusion is remediated.
  - 8. The computer-implemented method of claim 1, wherein:
    - an internal security barrier between host systems in the subnet differs from an external security barrier between the subnet and an outside network;
      
      the intrusion facilitates the internal network attack on the additional endpoint host system by enabling the internal network attack to be launched from within the subnet rather than being subjected to the external security barrier.
  - 9. The computer-implemented method of claim 1, wherein increasing the aggressiveness of the malware detection policy causes the additional endpoint host system to increase usage of the resources of the additional endpoint host system to scan for malware.
  - 10. The computer-implemented method of claim 1, wherein performing the scan for malware comprises scanning for a malware type matching malware identified on the endpoint host system.

11. A system for preventing internal network attacks, the system comprising:
- an identification module programmed to identify a subnet of a network, the subnet comprising at least an endpoint host system and an additional endpoint host system;
  
  a detection module programmed to detect an intrusion on the endpoint host system, the intrusion on the endpoint host system having bypassed a security feature implemented on a gateway for obstructing attacks across the gateway on systems within the subnet from outside the subnet and thus having breached the network into the subnet and thus being capable of facilitating an internal network attack via the endpoint host system on another endpoint system within the subnet;
  
  an implementation module programmed to implement a security measure on the additional endpoint host system to prevent the internal network attack based at least in part on detecting the intrusion that breached the network into the subnet and at least in part on the endpoint host system and additional endpoint host system being within the subnet, wherein the security measure comprises a firewall restriction that is implemented on the additional endpoint host system and that regulates network traffic within the subnet between the endpoint host system and the additional endpoint host system, the firewall restriction is implemented by an agent on the additional endpoint host system, thereby employing resources of the additional endpoint host system to prevent the internal network attack beyond resources provided by the endpoint host system and the gateway, and implementing the security measure comprises increasing an aggressiveness of a malware detection policy on the additional endpoint host system and performing a scan for malware on the additional endpoint host system based on the malware detection policy;
  
  at least one processor configured to execute the identification module, the detection module, and the implementation module.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein:
    - the detection module is programmed to detect the intrusion by receiving a message from an endpoint agent on the endpoint host system identifying the intrusion;
      
      the implementation module is programmed to implement the security measure by transmitting an instruction to an additional endpoint agent on the additional endpoint host system to implement the security measure.
  - 13. The system of claim 11, wherein the implementation module is programmed to implement the security measure by relocating a security endpoint agent on the additional endpoint host system to a secure location.
  - 14. The system of claim 11, wherein the implementation module is programmed to implement the security measure by adding the firewall restriction to the additional endpoint host system.
  - 15. The system of claim 11, wherein the implementation module is further programmed to:
    - identifying a server on the network configured with a first security policy for server transactions not originating from the subnet and a second security policy for server transactions originating from the subnet;
      
      modifying the second security policy to add at least one restriction on server transactions based at least in part on detecting the intrusion.
  - 16. The system of claim 11, wherein the subnet comprises a plurality of host systems connected to the network via the gateway, the gateway comprising the security feature for obstructing the intrusion across the gateway.
  - 17. The system of claim 11, wherein:
    - the detection module is programmed to determine that the intrusion cannot be automatically remediated by a security system;
      
      the implementation module is further programmed to alert an administrator of the intrusion;
      
      the implementation module is programmed to implement the security measure by preventing the internal network attack until the intrusion is remediated.

18. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a subnet of a network, the subnet comprising at least an endpoint host system and an additional endpoint host system;
  
  detect an intrusion on the endpoint host system, the intrusion on the endpoint host system having bypassed a security feature implemented on a gateway for obstructing attacks across the gateway on systems within the subnet from outside the subnet and thus having breached the network into the subnet and thus being capable of facilitating an internal network attack via the endpoint host system on another endpoint system within the subnet;
  
  implement a security measure on the additional endpoint host system to prevent the internal network attack based at least in part on detecting the intrusion that breached the network into the subnet and at least in part on the endpoint host system and additional endpoint host system being within the subnet,wherein the security measure comprises a firewall restriction that regulates network traffic within the subnet between the endpoint host system and the additional endpoint host system, the firewall restriction is implemented by an agent on the additional endpoint host system, thereby employing resources of the additional endpoint host system to prevent the internal network attack beyond resources provided by the endpoint host system and the gateway, andwherein implementing the security measure comprises increasing an aggressiveness of a malware detection policy on the additional endpoint host system and performing a scan for malware on the additional endpoint host system based on the malware detection policy.
- View Dependent Claims (19, 20)
- - 19. The computer-readable-storage medium of claim 18, wherein:
    - the one or more computer-executable instructions cause the computing device to detect the intrusion by causing the computing device to receive a message from an endpoint agent on the endpoint host system identifying the intrusion;
      
      the one or more computer-executable instructions cause the computing device to implement the security measure by causing the computing device to transmit an instruction to an additional endpoint agent on the additional endpoint host system to implement the security measure.
  - 20. The computer-readable-storage medium of claim 18, wherein the one or more computer-executable instructions cause the computing device to implement the security measure by causing the computing device to relocate a security endpoint agent on the additional endpoint host system to a secure location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lototskiy, Alexander
Primary Examiner(s)
Tran, Ellen

Application Number

US13/420,574
Time in Patent Office

2,484 Days
Field of Search

726 1, 726 22, 726 23
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Systems and methods for preventing internal network attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for preventing internal network attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links