Automatically protecting network service from network attack

US 20060015715A1
Filed: 07/16/2004
Published: 01/19/2006
Est. Priority Date: 07/16/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for automatically detecting and responding to a network attack comprising:

a filter module which receives network messages and blocks known attack messages, thereby reducing the network messages to questionable messages;

a service node coupled to the filter module which receives at least a portion of the questionable messages, thereby forming node questionable messages, and which maintains logical operations associated with the node questionable messages within a restricted region comprising the service node, the service node comprising a monitoring system which identifies a network attack;

a management module coupled to the service node which resets the service node upon the monitoring system identifying the network attack; and

a test node coupled to the management module and comprising a test node monitoring system, the test node replaying the node questionable messages received by the service node at about a time of the network attack, the test node monitoring system identifying a new attack pattern that caused the network attack, the management module adding the new attack pattern to known attack patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting and responding to an attack comprises a filter module, a node, a management module, and a test node. The filter module allows questionable messages to proceed. The node receives the questionable messages and maintains logical operations associated with the questionable messages within a restricted region. The management module resets the service node upon a network attack. The test node replays the node questionable messages to identify a new attack. A method of protecting against a network attack logs questionable messages and directs the questionable messages to a node. The method maintains logical operations associated with the questionable messages within a restricted region and identifies a network attack upon the node, which triggers an intrusion response. The intrusion response resets the node, replays the questionable messages within a test node to identify a new attack message, and adds the new attack message to the known attack messages.

306 Citations

45 Claims

1. A system for automatically detecting and responding to a network attack comprising:
- a filter module which receives network messages and blocks known attack messages, thereby reducing the network messages to questionable messages;
  
  a service node coupled to the filter module which receives at least a portion of the questionable messages, thereby forming node questionable messages, and which maintains logical operations associated with the node questionable messages within a restricted region comprising the service node, the service node comprising a monitoring system which identifies a network attack;
  
  a management module coupled to the service node which resets the service node upon the monitoring system identifying the network attack; and
  
  a test node coupled to the management module and comprising a test node monitoring system, the test node replaying the node questionable messages received by the service node at about a time of the network attack, the test node monitoring system identifying a new attack pattern that caused the network attack, the management module adding the new attack pattern to known attack patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1 wherein the filter module comprises a frontend computer.
  - 3. The system of claim 1 wherein the filter module comprises a router, a switch, a bridge, or a combination thereof.
  - 4. The system of claim 1 wherein the filter module comprises a portion of the service node.
  - 5. The system of claim 1 wherein the restricted region further comprises a backend.
  - 6. The system of claim 5 wherein the backend comprises a backend monitoring system.
  - 7. The system of claim 1:
    - wherein the service node comprises a first service node, the logical operations comprise first logical operations, the restricted region comprises a first restricted region, the monitoring system comprises a first monitoring system, and the network attack comprises a first network attack; and
      
      further comprising a second service node.
  - 8. The system of claim 7 wherein:
    - the second service node comprises a second monitoring system;
      
      the second service node receives a subset of the questionable messages; and
      
      the second service node maintains second logical operations associated with the subset of the questionable messages within a second restricted region comprising the second service node.
  - 9. The system of claim 8 wherein the second monitoring system identifies a second network attack.
  - 10. The system of claim 8 wherein the first service node further comprise a first backend.
  - 11. The system of claim 10 wherein the second service node further comprises a second backend.
  - 12. The system of claim 11 wherein the first and second backends comprise a single node.
  - 13. The system of claim 1 further comprising additional service nodes.
  - 14. The system of claim 1 wherein the management module comprises a separate node.
  - 15. The system of claim 1 wherein the management module and the filter module comprise a single node.
  - 16. The system of claim 1 wherein the service node comprises a virtual machine.
  - 17. The system of claim 1 wherein the service node comprises a stand alone computer.
  - 18. The system of claim 1 further comprising a tracing system coupling the management module to the test node.
  - 19. The system of claim 18 wherein the tracing system logs the questionable messages.
  - 20. The system of claim 19 wherein the tracing system controls replay of the node questionable messages on the test node.
  - 21. The system of claim 1 wherein the management module controls replay of the node questionable messages on the test node.

22. A system for automatically detecting and responding to a network attack comprising:
- a filter module which receives network messages and blocks known attack messages, thereby reducing the network messages to questionable messages;
  
  a service node coupled to the filter module which receives at least a portion of the questionable messages, thereby forming node questionable messages, and which maintains logical operations associated with the node questionable messages within a restricted region comprising the service node, the service node comprising a monitoring system which identifies a network attack;
  
  a management module coupled to the service node which resets the service node upon the monitoring system identifying the network attack;
  
  a tracing system which logs the questionable messages; and
  
  a test node coupled to the tracing system and comprising a test node monitoring system, the tracing system directing the test node to replay the node questionable messages received by the service node at about a time of the network attack, the test node monitoring system identifying a new attack pattern that caused the network attack, the management module adding the new attack pattern to known attack patterns.

23. A method of automatically protecting a network service from a network attack comprising the steps of:
- filtering known attack messages from network messages received by the network service, thereby reducing the network messages to questionable messages;
  
  logging the questionable messages;
  
  directing at least a portion of the questionable messages to a service node, thereby forming node questionable messages;
  
  identifying a network attack upon the service node which triggers an intrusion response; and
  
  the intrusion response comprising the steps of;
  
  resetting the service node;
  
  replaying at least a subset of the node questionable messages within a test node to identify a new attack pattern which instituted the network attack; and
  
  adding the new attack pattern to known attack patterns.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 24. The method of claim 23 further comprising the step of maintaining logical operations associated with the node questionable messages within a restricted region which comprises the service node.
  - 25. The method of claim 23 wherein the step of filtering the known attack messages comprises applying filter rules to the network messages.
  - 26. The method of claim 25 wherein the step of adding the new attack pattern to the known attack patterns comprises modifying an existing filter rule.
  - 27. The method of claim 25 wherein the step of adding the new attack pattern to the known attack patterns comprises adding a new filter rule.
  - 28. The method of claim 23 wherein the step of filtering the known attack messages comprises comparing the network messages to a set of fingerprints for the known attack messages.
  - 29. The method of claim 23 wherein the step of filtering the known attack messages comprises comparing the network messages to a list of network addresses, network prefixes, or network ports associated with the known attack messages.
  - 30. The method of claim 23 wherein the step of filtering the known attack messages comprises using Bayesian filtering to statistically identify the known attack messages.
  - 31. The method of claim 23 wherein the step of identifying the network attack comprises identifying invalid invocations of system resources.
  - 32. The method of claim 23 wherein the step of identifying the network attack comprises scanning files in search of unauthorized changes.
  - 33. The method of claim 23 wherein the step of identifying the network attack comprises scanning processes in search of unauthorized priority elevations of processes.
  - 34. The method of claim 23 wherein the step of identifying the network attack comprises identifying invalid system calls.
  - 35. The method of claim 23 wherein the step of identifying the network attack comprises checking for disallowed variations in system resources.
  - 36. The method of claim 23 wherein the step of replaying at least the subset of the node questionable messages comprises replaying the node questionable messages which had active operations in progress on the service node at the time of the network attack.
  - 37. The method of claim 23 wherein the step of replaying at least the subset of the node questionable messages comprises replaying the node questionable messages which were received within a time period of the network attack.
  - 38. The method of claim 37 wherein the step of replaying at least the subset of the node questionable messages further comprises replaying the node questionable messages which were received within a longer time period of the network attack upon determining the time period was insufficient for identifying the new attack message.
  - 39. The method of claim 23 wherein the step of replaying at least the subset of the node questionable messages comprises replaying the node questionable messages in reverse chronological order until the new attack message is identified.
  - 40. The method of claim 23 wherein the step of replaying at least the subset of the node questionable messages comprises the steps of:
    - classifying the subset of the node questionable messages into a suspect group and a non-suspect group; and
      
      replaying the suspect group.
  - 41. The method of claim 40 wherein the step of replaying at least the subset of the node questionable messages comprises the steps of:
    - determining that the suspect group does not include the new attack message; and
      
      replaying the non-suspect group.
  - 42. The method of claim 23 further comprising the step of recording state changes to the service node.
  - 43. The method of claim 42 wherein the step of resetting the service node comprises applying the state changes to the service node.
  - 44. The method of claim 43 wherein a system operator reviews post-attack state changes before applying the post-attack state changes to the service node.

45. A computer readable memory comprising computer code for implementing a method of automatically protecting a network service from a network attack, the method of automatically protecting the network service from the network attack comprising the steps of:
- filtering known attack messages from network messages received by the network service, thereby reducing the network messages to questionable messages;
  
  logging the questionable messages;
  
  directing at least a portion of the questionable messages to a service node, thereby forming node questionable messages;
  
  identifying a network attack upon the service node which triggers an intrusion response; and
  
  the intrusion response comprising the steps of;
  
  resetting the service node;
  
  replaying at least a subset of the node questionable messages within a test node to identify a new attack message which instituted the network attack; and
  
  adding the new attack message to the known attack messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Anderson, Eric

Application Number

US10/893,597
Publication Number

US 20060015715A1
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Automatically protecting network service from network attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

306 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically protecting network service from network attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

306 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links