Distributed intrusion response system

US 20050108568A1
Filed: 11/14/2003
Published: 05/19/2005
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and one or more network infrastructures, the method comprising the steps of:

a. monitoring the network system for intrusions;

b. upon detection of an intrusion, identifying one or more sources of the intrusion;

c. identifying one or more enforcement devices of the network system associated with the one or more identified sources; and

d. configuring the identified one or more enforcement devices with one or more policy changes responsive to the detected intrusion.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and makes a determination whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies. Policy changes rules can vary from no change to complete port blocking on one or more identified enforcement devices associated with the detected intrusion, to redirecting the associated traffic including the intrusion and these policies may be modified or removed over time as warranted by network operation.

Citations

27 Claims

1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and one or more network infrastructures, the method comprising the steps of:
- a. monitoring the network system for intrusions;
  
  b. upon detection of an intrusion, identifying one or more sources of the intrusion;
  
  c. identifying one or more enforcement devices of the network system associated with the one or more identified sources; and
  
  d. configuring the identified one or more enforcement devices with one or more policy changes responsive to the detected intrusion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as claimed in claim 1 wherein the step of identifying the one or more sources of the intrusions includes the step of identifying a physical address and/or a logical address of each of the one or more identified sources.
  - 3. The method as claimed in claim 2 wherein the physical address information is a MAC address and/or the logical address information is an IP address.
  - 4. The method as claimed in claim 1 wherein the step of monitoring the network for intrusions is performed by an intrusion detection function.
  - 5. The method as claimed in claim 4 wherein the intrusion detection function is a centralized function.
  - 6. The method as claimed in claim 4 wherein the intrusion detection function is a distributed function.
  - 7. The method as claimed in claim 4 wherein the intrusion detection function is an intrusion detection system.
  - 8. The method as claimed in claim 1 wherein the step of identifying the one or more enforcement devices associated with the one or more identified sources includes the step of determining the physical address, logical address, or both for each of the identified one or more enforcement devices.
  - 9. The method as claimed in claim 1 further comprising the step of verifying the identification of the identified one or more sources.
  - 10. The method as claimed in claim 1 wherein the step of configuring the identified one or more enforcement devices with one or more policy changes responsive to the detected intrusion includes the step of configuring the identified one or more enforcement devices to perform one or more functions selected from the group consisting of:
    - blocking complete access to the network services by the identified one or more sources, blocking access by identified logical addresses only, blocking access by an identified access protocol only, limiting bandwidth, limiting exchanges to or from the identified one or more enforcement devices, to or from one or more other network infrastructure devices, or to or from any of the attached functions not identified as an intrusion source, and directing all signals exchanged by the identified one or more sources to a honeypot, a second intrusion detection function, a monitoring device, or a simulation device.
  - 11. The method as claimed in claim 1 wherein the step of configuring the identified one or more enforcement devices with one or more policy changes responsive to the detected intrusion includes the step of configuring the identified one or more enforcement devices to permit connectivity of the identified one or more sources while dampening the level of activity associated with the identified one or more sources to minimize network harm while permitting analysis and auditing of the identified one or more sources and the gathering of forensic evidence.
  - 12. The method as claimed in claim 1 wherein the step of configuring the identified one or more enforcement devices with one or more policy changes includes the steps of first configuring a first set of one or more enforcement devices with a first set of one or more policy changes, monitoring the network system for intrusions and, upon detection of one or more intrusions related to the intrusions causing the first one or more policy changes, configuring a second set of one or more enforcement devices with a second set of one or more policy changes.
  - 13. The method as claimed in claim 12 wherein one or more of the one or more enforcement devices of the second set are enforcement devices of the first set.
  - 14. The method as claimed in claim 1 wherein the identified one or more enforcement devices are selected from the group consisting of network entry devices and centralized switching devices.
  - 15. The method as claimed in claim 1 wherein the one or more policy changes are configured on one or more ports of one or more of the identified one or more enforcement devices.

16. A Distributed Intrusion Response System (DIRS) to respond to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and a network infrastructure, the DIRS comprising:
- a. a directory service function for receiving address information for attached functions and devices of the network infrastructure;
  
  b. a policy manager function for configuring devices of the network infrastructure with policies;
  
  c. means for identifying one or more sources of one or more intrusions; and
  
  d. one or more enforcement devices of the network infrastructure, wherein each enforcement device is configured to enforce policy changes established thereon by the policy manager function in response to one or more detected intrusions.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The DIRS as claimed in claim 16 further comprising a policy decision function configured:
    - a. to receive detected intrusion information from an intrusion detection function;
      
      b. to receive network infrastructure device information from the directory service function;
      
      C. to evaluate whether a policy change or changes is or are required on one or more of the security enforcement devices in response to the detected intrusion information; and
      
      d. to direct the policy manager function to configure one or more identified enforcement devices with determined policy changes upon deciding to do so based upon the evaluation.
  - 18. The DIRS as claimed in claim 17 wherein the policy manager function and the policy decision function are part of a central server of the network infrastructure.
  - 19. The DIRS as claimed in claim 18 wherein the directory service function is part of the central server.
  - 20. The DIRS as claimed in claim 17 wherein the intrusion detection function is provided by an intrusion detection system of the network infrastructure.
  - 21. The DIRS as claimed in claim 17 wherein the intrusion detection function is a distributed intrusion detection function.
  - 22. The DIRS as claimed in claim 17 wherein the intrusion detection function is a centralized intrusion detection function.
  - 23. The DIRS as claimed in claim 16 wherein the one or more network security enforcement devices is selected from the group consisting of routers, switches, access points, gateways, and firewalls.
  - 24. The DIRS as claimed in claim 16 further comprising a network management system for identifying address information for the network security enforcement devices.
  - 25. The DIRS as claimed in claim 24 wherein the network management system communicates with the intrusion detection function.
  - 26. The DIRS as claimed in claim 16 wherein the directory service function is distributed among a plurality of devices of the network infrastructure.
  - 27. The DIRS as claimed in claim 16 further comprising means to validate the accuracy of the identity of the identified one or more sources including a logical address, a physical address, or a location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Bussiere, Richard, Graham, Richard, Roese, John, Harrington, David, Townsend, Mark, Pettit, Steven

Granted Patent

US 7,581,249 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Distributed intrusion response system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed intrusion response system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links