System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

US 10,701,036 B2
Filed: 06/27/2016
Issued: 06/30/2020
Est. Priority Date: 08/24/2011
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer readable media comprising code for execution, wherein the code is executable by one or more processors to:

detect, by a first node in a network protected from unauthorized external access, a threat that is received at the first node from a source node in the network, the network including at least a plurality of nodes having respective security modules, and wherein the threat is at least one of a violation of a network policy or a violation of a system policy;

create, at the first node, a first firewall policy to block incoming network requests associated with a source address of the source node and outgoing network requests to the source address of the source node, in response to the first node detecting the threat;

block incoming network requests received at the first node from the source node by applying the first firewall policy at the first node;

broadcast an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes;

determine, by the first node, whether the source node includes a firewall module; and

communicate, from the first node to the source node, based at least in part on the determination that the source node includes the firewall module, a second firewall policy to be applied by the source node to block outgoing network requests from the source node to the plurality of nodes in the network and to block network requests received at the source node from other nodes.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

Citations

10 Claims

1. One or more non-transitory computer readable media comprising code for execution, wherein the code is executable by one or more processors to:
- detect, by a first node in a network protected from unauthorized external access, a threat that is received at the first node from a source node in the network, the network including at least a plurality of nodes having respective security modules, and wherein the threat is at least one of a violation of a network policy or a violation of a system policy;
  
  create, at the first node, a first firewall policy to block incoming network requests associated with a source address of the source node and outgoing network requests to the source address of the source node, in response to the first node detecting the threat;
  
  block incoming network requests received at the first node from the source node by applying the first firewall policy at the first node;
  
  broadcast an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes;
  
  determine, by the first node, whether the source node includes a firewall module; and
  
  communicate, from the first node to the source node, based at least in part on the determination that the source node includes the firewall module, a second firewall policy to be applied by the source node to block outgoing network requests from the source node to the plurality of nodes in the network and to block network requests received at the source node from other nodes.
- View Dependent Claims (2, 3, 4)
- - 2. The one or more non-transitory computer readable claim 1, wherein the threat includes malware.
  - 3. The one or more non-transitory computer readable claim 1, wherein the code is executable by the one or more processors to further:
    - identify, by the first node, the source address of the source node.
  - 4. The one or more non-transitory computer readable media of claim 1, wherein the broadcast alert includes an identification of the source node.

5. A first node in a network protected from unauthorized external access, the first node comprising:
- a hardware processor; and
  
  a memory storing executable instructions that when executed by the processor cause the hardware processor to;
  
  detect a threat that is received from a source node in the network, the network including at least a plurality of nodes having respective security modules, and wherein the threat is at least one of a violation of a network policy or a violation of a system policy;
  
  create a first firewall policy to block incoming network requests associated with a source address of the source node and outgoing network requests to the source address of the source node, in response to the first node detecting the threat;
  
  block incoming network requests received at the first node from the source node by applying the first firewall policy at the first node; and
  
  broadcast an alert to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes;
  
  determine, by the first node, whether the source node includes a firewall module; and
  
  communicate, from the first node to the source node, based at least in part on the determination that the source node includes the firewall module, a second firewall policy to the source node to be applied by the source node to block outgoing network requests from the source node to the plurality of nodes in the network and to block network requests received at the source node from other nodes.
- View Dependent Claims (6)
- - 6. The first node of claim 5, wherein the threat includes malware.

7. A method, comprising:
- detecting, by a first node in a network protected from unauthorized external access, a threat that is received from a source node in the network, the network including at least a plurality of nodes having respective security modules, and wherein the threat is at least one of a violation of a network policy or a violation of a system policy;
  
  creating, at the first node, a first firewall policy to block incoming network requests associated with a source address of the source node and outgoing network requests to the source address of the source node, in response to the first node detecting the threat;
  
  blocking incoming network requests received at the first node from the source node by applying the first firewall policy at the first node;
  
  broadcasting an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes;
  
  determining, by the first node, whether the source node includes a firewall module; and
  
  communicating, from the first node to the source node, based at least in part on the determination that the source node includes the firewall module, a second firewall policy to be applied by the source node to block outgoing network requests from the source node to the plurality of nodes in the network and to block network requests received at the source node from other nodes.
- View Dependent Claims (8)
- - 8. The method of claim 7, wherein the threat includes malware.

9. One or more non-transitory computer readable media comprising code for execution, wherein the code is executable by one or more processors to:
- create, at a first node in a network, a first firewall policy to block incoming network requests associated with a source address of a source node in the network, wherein the network is protected from unauthorized external access, in response to the first node detecting a threat that is received at the first node from the source node, and wherein the threat is at least one of a violation of a network policy or a violation of a system policy;
  
  block incoming network requests received at the first node from the source node and outgoing network requests to the source address of the source node by applying the first firewall policy at the first node;
  
  broadcast an alert from the first node to respective security modules of a plurality of nodes in the network, the broadcast based, at least in part, on the threat received at the first node from the source node being detected by the first node, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes to block incoming network requests associated with a source address of the source node, wherein the first node is a target of the received threat;
  
  determine, by the first node, whether the source node includes a firewall module; and
  
  communicate, from the first node to the source node, based at least in part on the determination that the source node includes the firewall module, a second firewall policy to be applied by the source node to block outgoing network requests from the source node to the plurality of nodes in the network and to block network requests received at the source node from other nodes.
- View Dependent Claims (10)
- - 10. The one or more non-transitory computer readable claim 9, wherein the threat includes malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Paul, Manabendra, Sudharma, Praveen Ravichandran
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Malinowski, Walter J

Application Number

US15/193,220
Publication Number

US 20170034128A1
Time in Patent Office

1,464 Days
Field of Search

726 1, 726 22- 24
US Class Current
CPC Class Codes

H04L 41/06   Management of faults, event...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links