Method and apparatus for predicting and preventing attacks in communications networks

US 20030110396A1
Filed: 05/03/2002
Published: 06/12/2003
Est. Priority Date: 05/03/2001
Status: Active Grant

First Claim

Patent Images

1. An apparatus for security management in a data, voice, or video network comprising, in combination:

at least one data collector;

precursor discovery means for identifying, among collected data, at least one precursor of an attack on said network;

at least one monitor for detecting the presence of at least one of said identified precursors on said network; and

at least one means for protecting at least one of said network, one or more associated applications, one or more associated systems, and one or more associated network services when at least one of said identified precursors is detected.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of a method and apparatus for predicting and preventing network attacks, data is collected from network devices during an attack. The collected data is analyzed to identify specific temporal precursors of the attack. The future network activity is then monitored for the presence of the identified temporal attack precursors. When the presence of a precursor is detected, appropriate protective action is taken. Preferably, all steps in this process occur automatically. In the preferred embodiment, the process is performed under the control of one or more network or element management systems. The possible network domain includes data, voice, and video networks and multiple, interconnected network technologies. In one embodiment, triggers responsive to the presence of the identified precursors are placed into a network or element management system. The preferred embodiment of the invention utilizes machine-learning algorithms for discovering precursors of attacks, but any suitable algorithm may be used. The invention may be used in “attack autopsy” mode only, monitoring mode only, or both. Among other uses, the invention allows integration of Intrusion Detection Systems with Network Management Systems.

187 Citations

23 Claims

1. An apparatus for security management in a data, voice, or video network comprising, in combination:
- at least one data collector;
  
  precursor discovery means for identifying, among collected data, at least one precursor of an attack on said network;
  
  at least one monitor for detecting the presence of at least one of said identified precursors on said network; and
  
  at least one means for protecting at least one of said network, one or more associated applications, one or more associated systems, and one or more associated network services when at least one of said identified precursors is detected.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein at least one of said at least one data collector, said precursor discovery means, said at least one monitor, and said protecting means is implemented via at least one network management system.
  - 3. The apparatus of claim 1, further comprising at least one trigger responsive to detection of said at least one identified precursor and consequently causing said protecting means to be activated.
  - 4. The apparatus of claim 3, wherein at least one of said at least one data collector, said precursor discovery means, said trigger, said at least one monitor, and said protecting means is implemented via at least one network management system.
  - 5. The apparatus of claim 1, wherein said data comprises MIB variables.

6. An apparatus for predicting attacks on a communications network comprising, in combination:
- at least one data collector;
  
  precursor discovery means for identifying at least one precursor of an attack on said network among collected data; and
  
  at least one monitor for detecting the presence of at least one of said identified precursors on said network
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6, wherein at least one of said at least one data collector, said precursor discovery means, and said at least one monitor is implemented via one or more network management systems.
  - 8. The apparatus of claim 6, further comprising protective action-taker means activated in response to the detection by said monitor of the presence of at least one of said attack precursors.
  - 9. The apparatus of claim 8, wherein at least one of said at least one data collector, said precursor discovery means, said at least one monitor, and said protective action-taker means is implemented via one or more network management systems

10. An apparatus for preventing attacks in a communications network comprising, in combination:
- at least one monitor for detecting the presence of at least one known temporal precursor of an attack on said network; and
  
  protective means for protecting said network if at least one of said known precursors is detected.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, wherein said protective means further comprises at least one trigger responsive to the detection of one or more of said known attack precursors.
  - 12. The apparatus of claim 10, wherein at least one of said at least one monitor and said protective means is implemented via one or more network management systems.
  - 13. The apparatus of claim 11, wherein at least one of said at least one monitor, said trigger, and said protective means is implemented via one or more network management systems.

14. A method for security management in a data, voice, or video network comprising the steps, in combination, of:
- collecting data during an attack on said network;
  
  identifying one or more precursors of said attack;
  
  monitoring said network for the presence of one or more of said precursors; and
  
  taking one or more actions to protect at least one of said network, one or more associated applications, one or more associated systems, and one or more associated network services when the presence of any of said precursors is detected.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, further comprising the step of installing a trigger responsive to the detection of said precursors for causing said one or more protective actions to be initiated.
  - 16. The method of claim 14, further comprising the step of utilizing at least one network management systems to perform one or more of said steps of collecting, monitoring, and taking protective action.
  - 17. The method of claim 15, further comprising the step of utilizing at least one network management system to implement one or more of said trigger, said step of collecting, said step of monitoring, and said step of taking protective action.

18. A method for predicting attacks in a communications network comprising the steps, in combination, of:
- collecting data during an attack on said network;
  
  identifying one or more precursors of said attack; and
  
  monitoring said network for the presence of one or more of said attack precursors.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein at least one of said steps of collecting, identifying, and monitoring is performed by a network management system.

20. A method for preventing attacks in a communications network comprising the steps, in combination, of:
- monitoring said network for the presence of one or more known precursors of an attack on said network; and
  
  taking one or more actions to protect said network if the presence of any of said precursors is detected.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising the step of creating one or more triggers responsive to the detection of one or more of said known attack precursors for causing one or more of said protective actions to be initiated.
  - 22. The method of claim 20, wherein at least one of said steps of monitoring and protective action-taking is performed by a network management system.
  - 23. The method of claim 21, wherein at least one of said steps of monitoring, creating one or more triggers, and protective action-taking is performed by a network management system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.), Scientific Systems Co., Inc.
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Mehra, Ramao K., Cabreen, Joao B.D., Lewis, Lundy M.

Granted Patent

US 7,603,709 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Method and apparatus for predicting and preventing attacks in communications networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

187 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for predicting and preventing attacks in communications networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

187 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links