Applying blocking measures progressively to malicious network traffic

US 20060075496A1
Filed: 11/17/2005
Published: 04/06/2006
Est. Priority Date: 05/20/2003
Status: Active Grant

First Claim

Patent Images

1. A method of responding to a truncated secure session attack, comprising the steps of:

forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;

receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;

incrementing the count in the slot associated with the internet protocol address;

determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;

applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively; and

suspending the blocking measure at the end of the duration.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.

312 Citations

16 Claims

1. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively; and
  
  suspending the blocking measure at the end of the duration.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied.
  - 3. The method of claim 2, wherein the duration is adapted according to a monotone non-decreasing function of the count.
  - 4. The method of claim 1, wherein the duration is an interval of time.
  - 5. The method of claim 1, wherein the duration is a count of traffic.

6. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  providing an allow list of leader values of trusted providers;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots which are not on the allow list, for a duration that is determined adaptively; and
  
  suspending the blocking measure at the end of the duration.

7. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;
  
  suspending the blocking measure at the end of the duration and re-testing for the presence of the high count or high count increase; and
  
  adapting the duration and re-applying the blocking measure for the adapted duration.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the duration is adapted in response to a count of a number of times that the blocking measure has been applied.
  - 9. The method of claim 8, wherein the duration is adapted according to a monotone non-decreasing function of the count.
  - 10. The method of claim 7, wherein the duration is an interval of time.
  - 11. The method of claim 7, wherein the duration is a count of traffic.

12. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform method steps for responding to a truncated secure session attack, said method steps comprising:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively; and
  
  suspending the blocking measure at the end of the duration.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The program storage device of claim 12, wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied.
  - 14. The program storage device of claim 13, wherein the duration is adapted according to a monotone non-decreasing function of the count.
  - 15. The program storage device of claim 12, wherein the duration is an interval of time.
  - 16. The program storage device of claim 12, wherein the duration is a count of traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Jeffries, Clark Debs, Peyravian, Mohammad, Himberger, Kevin David, Carpenter, Brian Edward

Granted Patent

US 7,464,404 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

H04L 63/1458   Denial of Service

H04L 69/22   Parsing or analysis of headers

Applying blocking measures progressively to malicious network traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

312 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Applying blocking measures progressively to malicious network traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

312 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others