Smart intrusion prevention policy

US 10,397,247 B2
Filed: 08/16/2016
Issued: 08/27/2019
Est. Priority Date: 08/16/2016
Status: Active Grant

First Claim

Patent Images

1. A method for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the method comprising:

determining, by one or more computer processors, whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;

responsive to determining that the new connection is detected, adding, by one or more computer processors, a connection context associated with the new connection to a current connection context in a dynamic event table,wherein;

the connection context is based on one or more of;

an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity and is associated with a respective data packet, and wherein each event in the listing of two or more events is retrieved from a repository;

calculating, by one or more computer processors, a score for each event of two or more events in the dynamic event table based on the current connection context;

generating, by one or more computer processors, an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;

performing, by one or more computer processors, a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and

responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data packet is received. The data packet is a unit of data transmitted across a packet-switched network. A determination is made whether a new connection is detected. The data packet is transmitted using the new connection. In response to determining that a new connection is detected, a connection context for the new connection is added to a current connection context in a dynamic event table. The dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of one or more events. Each event of the one or more events is a malicious activity and is retrieved from a repository. A score for each event is calculated based on the current connection context. Each event in the dynamic event table is prioritized based on the calculated score for each event. The event with the highest score receives the highest priority.

14 Citations

View as Search Results

14 Claims

1. A method for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the method comprising:
- determining, by one or more computer processors, whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
  
  responsive to determining that the new connection is detected, adding, by one or more computer processors, a connection context associated with the new connection to a current connection context in a dynamic event table,wherein;
  
  the connection context is based on one or more of;
  
  an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity and is associated with a respective data packet, and wherein each event in the listing of two or more events is retrieved from a repository;
  
  calculating, by one or more computer processors, a score for each event of two or more events in the dynamic event table based on the current connection context;
  
  generating, by one or more computer processors, an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
  
  performing, by one or more computer processors, a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
  
  responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the score for each event of the one or more events in the dynamic event table is the score based on the connection context;
    - andthe connection context includes the type of protocol used in the connection between two computing devices, an operating system type, the operating system version, and the application.
  - 3. The method of claim 1, wherein the step of performing, by one or more computer processors, a signature check of each event of the one or more events in the dynamic event table, comprises:
    - performing, by one or more computer processors, a deep packet inspection to compare one or more signatures in the received data packet to one or more signatures of known malicious activity.
  - 4. The method of claim 1, wherein responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event is selected from the group consisting of stopping an activity from proceeding when the activity is deemed malicious, discarding the activity when finding matching signatures, resetting the connection and/or blocking traffic from an offending Internet protocol address when finding matching signatures, and sending an alert when matching signatures are found which deem the activity malicious.
  - 5. The method of claim 1, wherein responsive to determining that a signature was found for an event among the two or more events, preventing, by one or more computer processors, intrusion of the data packet associated with the event consists:
    - stopping an activity from proceeding when the activity is deemed malicious, discarding the activity when finding matching signatures, resetting the connection, blocking traffic from an offending Internet protocol address when finding matching signatures, and sending an alert when matching signatures are found which deem the activity malicious.

6. A computer program product for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the computer program product comprising:
- one or more computer readable storage media; and
  
  program instructions stored on the one or more computer readable storage media, the program instructions comprising;
  
  program instructions to determine whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
  
  responsive to determining that the new connection is detected, program instructions to add a connection context associated with the new connection to a current connection context in a dynamic event table, wherein;
  
  the connection context is based on one or more of;
  
  an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity, and wherein each event in the listing of two or more events is retrieved from a repository;
  
  program instructions to calculate a score for each event of two or more events in the dynamic event table based on the current connection context;
  
  program instructions to generate an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
  
  program instructions to perform a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
  
  responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6, wherein the score for each event of the one or more events in the dynamic event table is the score based on the connection context;
    - andthe connection context includes the type of protocol used in the connection between two computing devices, an operating system type, the operating system version, and the application.
  - 8. The computer program product of claim 6, wherein the step of performing, by one or more computer processors, a signature check of each event of the one or more events in the dynamic event table, comprises:
    - performing, by one or more computer processors, a deep packet inspection to compare one or more signatures in the received data packet to one or more signatures of known malicious activity.
  - 9. The computer program product of claim 6, wherein responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event is selected from the group consisting of program instructions to stop an activity from proceeding when the activity is deemed malicious, program instructions to discard the activity when finding matching signatures, program instructions to reset the connection, program instructions to block traffic from an offending Internet protocol address when finding matching signatures, and program instructions to send an alert when matching signatures are found which deem the activity malicious.
  - 10. The computer program product of claim 6, wherein responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event consists:
    - program instructions to stop an activity from proceeding when the activity is deemed malicious, program instructions to discard the activity when finding matching signatures, program instructions to reset the connection, program instructions to block traffic from an offending Internet protocol address when finding matching signatures, and program instructions to send an alert when matching signatures are found which deem the activity malicious.

11. A computer system for prioritizing intrusion events that enhances the efficiency of signature matching of malicious activity, the computer system comprising:
- one or more computer hardware processors;
  
  one or more computer readable storage media; and
  
  program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more computer hardware processors, the program instructions comprising;
  
  program instructions to determine whether a new connection corresponding to a data packet is detected, wherein the data packet is transmitted using the new connection;
  
  responsive to determining that the new connection is detected, program instructions to add a connection context associated with the new connection to a current connection context in a dynamic event table, wherein;
  
  the connection context is based on one or more of;
  
  an operating system type associated with the connection, an operating system version associated with the connection, and a computer application responsible for sending the data packet associated with the connection, and the dynamic event table includes the current connection context, one or more previous connection contexts, and a listing of two or more events, wherein each event of the two or more events is a malicious activity, and wherein each event in the listing of two or more events is retrieved from a repository;
  
  program instructions to calculate a score for each event of two or more events in the dynamic event table based on the current connection context;
  
  program instructions to generate an order for the two or more events according to the calculated score for each respective event, wherein the event with a highest score receives a highest order;
  
  program instructions to perform a signature check of each event having a score greater than or equal to a threshold value among the two or more events according to the generated order; and
  
  responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event.
- View Dependent Claims (12, 13, 14)
- - 12. The computer system of claim 11, wherein the score for each event of the one or more events in the dynamic event table is the score based on the connection context;
    - andthe connection context includes the type of protocol used in the connection between two computing devices, an operating system type, the operating system version, and the application.
  - 13. The computer system of claim 11, wherein responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event is selected from the group consisting of program instructions to stop an activity from proceeding when the activity is deemed malicious, program instructions to discard the activity when finding matching signatures, program instructions to reset the connection, program instructions to block traffic from an offending Internet protocol address when finding matching signatures, and program instructions to send an alert when matching signatures are found which deem the activity malicious.
  - 14. The computer system of claim 11, wherein responsive to determining that a signature was found for an event among the two or more events, program instructions to prevent intrusion of the data packet associated with the event consists:
    - program instructions to stop an activity from proceeding when the activity is deemed malicious, program instructions to discard the activity when finding matching signatures, program instructions to reset the connection, program instructions to block traffic from an offending Internet protocol address when finding matching signatures, and program instructions to send an alert when matching signatures are found which deem the activity malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Chih-Wen, Chuang, Hsin-Yu, Hsueh, Ming-Pin, Lee, Sheng-Wei
Primary Examiner(s)
Tran, Tri M

Application Number

US15/237,717
Publication Number

US 20180054450A1
Time in Patent Office

1,106 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Smart intrusion prevention policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Smart intrusion prevention policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links