Automatically protecting network service from network attack
Abstract
A system for detecting and responding to an attack comprises a filter module, a node, a management module, and a test node. The filter module allows questionable messages to proceed. The node receives the questionable messages and maintains logical operations associated with the questionable messages within a restricted region. The management module resets the service node upon a network attack. The test node replays the node questionable messages to identify a new attack. A method of protecting against a network attack logs questionable messages and directs the questionable messages to a node. The method maintains logical operations associated with the questionable messages within a restricted region and identifies a network attack upon the node, which triggers an intrusion response. The intrusion response resets the node, replays the questionable messages within a test node to identify a new attack message, and adds the new attack message to the known attack messages.
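A minimal simulation of the filter, log, reset, replay and pattern-update loop the abstract describes, added here as an illustration and not taken from the patent. The fault condition inside `Node`, the use of an exact SHA-256 match as the "attack pattern", and the names `Node`, `Protector` and `fingerprint` are assumptions made for the example.

```python
import hashlib
from collections import deque

class Node:
    """Stand-in for a service or test node; all state stays inside the instance."""
    def __init__(self):
        self.reset()

    def reset(self):
        self.compromised = False

    def handle(self, msg: bytes) -> bool:
        # Constructed fault: a declared length (first byte) larger than the body
        # is what this node's monitoring system flags as an attack.
        if msg and msg[0] > len(msg) - 1:
            self.compromised = True
        return self.compromised

def fingerprint(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()

class Protector:
    def __init__(self, window: int = 8):
        self.known = set()                # known attack patterns (filter module)
        self.log = deque(maxlen=window)   # questionable messages near "now"
        self.service = Node()

    def receive(self, msg: bytes) -> str:
        if fingerprint(msg) in self.known:
            return "blocked"              # filtered as a known attack message
        self.log.append(msg)              # log the questionable message
        if self.service.handle(msg):      # monitoring system identifies an attack
            self.service.reset()          # management module resets the node
            pattern = self.replay(list(self.log))
            self.log.clear()              # window consumed by this incident
            if pattern:
                self.known.add(pattern)   # new pattern joins the known set
            return "attack"
        return "served"

    def replay(self, messages):
        """Replay the logged window, in order, on a fresh test node."""
        test = Node()
        for m in messages:
            if test.handle(m):            # first message that trips the monitor
                return fingerprint(m)
        return None
```

An exact-hash pattern only blocks byte-identical repeats; a real filter would need a pattern that generalizes over the triggering condition.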
45 Claims
1. A system for automatically detecting and responding to a network attack comprising:
- a filter module which receives network messages and blocks known attack messages, thereby reducing the network messages to questionable messages;
- a service node coupled to the filter module which receives at least a portion of the questionable messages, thereby forming node questionable messages, and which maintains logical operations associated with the node questionable messages within a restricted region comprising the service node, the service node comprising a monitoring system which identifies a network attack;
- a management module coupled to the service node which resets the service node upon the monitoring system identifying the network attack; and
- a test node coupled to the management module and comprising a test node monitoring system, the test node replaying the node questionable messages received by the service node at about a time of the network attack, the test node monitoring system identifying a new attack pattern that caused the network attack, the management module adding the new attack pattern to known attack patterns.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
22. A system for automatically detecting and responding to a network attack comprising:
- a filter module which receives network messages and blocks known attack messages, thereby reducing the network messages to questionable messages;
- a service node coupled to the filter module which receives at least a portion of the questionable messages, thereby forming node questionable messages, and which maintains logical operations associated with the node questionable messages within a restricted region comprising the service node, the service node comprising a monitoring system which identifies a network attack;
- a management module coupled to the service node which resets the service node upon the monitoring system identifying the network attack;
- a tracing system which logs the questionable messages; and
- a test node coupled to the tracing system and comprising a test node monitoring system, the tracing system directing the test node to replay the node questionable messages received by the service node at about a time of the network attack, the test node monitoring system identifying a new attack pattern that caused the network attack, the management module adding the new attack pattern to known attack patterns.
23. A method of automatically protecting a network service from a network attack comprising the steps of:
- filtering known attack messages from network messages received by the network service, thereby reducing the network messages to questionable messages;
- logging the questionable messages;
- directing at least a portion of the questionable messages to a service node, thereby forming node questionable messages;
- identifying a network attack upon the service node which triggers an intrusion response; and
- the intrusion response comprising the steps of;
  - resetting the service node;
  - replaying at least a subset of the node questionable messages within a test node to identify a new attack pattern which instituted the network attack; and
  - adding the new attack pattern to known attack patterns.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44
45. A computer readable memory comprising computer code for implementing a method of automatically protecting a network service from a network attack, the method of automatically protecting the network service from the network attack comprising the steps of:
- filtering known attack messages from network messages received by the network service, thereby reducing the network messages to questionable messages;
- logging the questionable messages;
- directing at least a portion of the questionable messages to a service node, thereby forming node questionable messages;
- identifying a network attack upon the service node which triggers an intrusion response; and
- the intrusion response comprising the steps of;
  - resetting the service node;
  - replaying at least a subset of the node questionable messages within a test node to identify a new attack message which instituted the network attack; and
  - adding the new attack message to the known attack messages.
Specification