Mitigation and mitigation management of attacks in networked systems

US 20060242694A1
Filed: 11/08/2005
Published: 10/26/2006
Est. Priority Date: 11/08/2004
Status: Abandoned Application

First Claim

Patent Images

1. A computer program product residing on a computer readable medium for producing recommended mitigation plans to mitigate intrusions in a networked system, the program comprising instructions for causing a processor to:

manage mitigation plans stored in a database; and

communicate with network devices on the network system to implement and maintain the mitigation plans.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a plurality of collector devices that are disposed to collect statistical information on packets that are sent between nodes on a network. The system also includes a stackable aggregator that receives network data from the plurality of collector devices, and which produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The stackable aggregator includes a manager blade, a database blade, and two or more, analyzer blades.

Citations

23 Claims

1. A computer program product residing on a computer readable medium for producing recommended mitigation plans to mitigate intrusions in a networked system, the program comprising instructions for causing a processor to:
- manage mitigation plans stored in a database; and
  
  communicate with network devices on the network system to implement and maintain the mitigation plans.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer program product of claim 1 wherein instructions to manage include instructions to manage mitigation related tables in the database.
  - 3. The computer program product of claim 2 wherein instructions to manage include a collection of C++ classes that mediate between classes that implement an abstract interface for mitigation devices.
  - 4. The computer program product of claim 1 wherein instructions to manage include instructions to analyze events and build a list of hosts that are misbehaving.
  - 5. The computer program product of claim 1 wherein the computer program product accesses a do-not-block list, which is a collection of hosts and networks expressed as Classless Inter-domain Routing (CIDR) blocks that are too important to be mitigated, which collection are not automatically mitigated.
  - 6. The computer program product of claim 1 wherein the computer program product accesses a device detail data structure that is a collection of configuration details needed to perform mitigation actions using a specific device.
  - 7. The computer program product of claim 1 wherein the computer program product accesses a mitigation actions data structure which is a description of a task to be performed as part of a mitigation plan, including a device and a list of all network nodes that will be directly targeted.
  - 8. The computer program product of claim 1 wherein the computer program product accesses a mitigation plan data structure, which is a collection of actions to be taken, indexed by a non-empty set of network nodes that will be affected by each action.
  - 9. The computer program product of claim 1 wherein the computer program product, wherein data associated with active mitigation plans is not modified by any code outside of the mitigation engine.

10. A computer program product for an intrusion detection system to produce recommended mitigation plans, comprises instructions for causing a processor to:
- use unicast routing and unicast reverse path forwarding protocols to provide a route based black hole process to advertise a more specific route for misbehaving hosts than available on the network, associated with its null interface.
- View Dependent Claims (11, 12)
- - 11. The computer program product of claim 10 wherein unicast reverse path forwarding causes packets to be dropped if the packets were sent from an affected host, and the packets arrive at a router through an interface other than the interface expected for the traffic.
  - 12. The computer program product of claim 10 wherein the computer program product, causes packets sent to the affected host to be routed to the mitigation host, which is configured to send the packets to its null interface where packets are dropped.

13. A computer program product residing on a computer readable medium for producing recommended mitigation plans to mitigate intrusions in a networked system, the program comprising instructions for causing a processor to:
- disable hosts by turning off a specific port on the switch based on a list of every switch that the user wants to be considered for disabling hosts by turning off a specific port.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13 wherein the computer program product, gathers data from switches in the list.
  - 15. The computer program product of claim 13 wherein the computer program product, includes instructions to gathers data from switches in the list.
  - 16. The computer program product of claim 13 wherein the instructions to gather data from switches in the list includes instructions to:
    - periodically verify that the device information has not changed.

17. A mitigation plan detail interface comprises:
- a first section for listing active mitigation plans, which are actions that the user has specifically activated;
  
  a second section for listing inactive mitigation plans, which are actions that the user has decided not to accept.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The interface of claim 17, wherein an action ID (sequence number) appears in the interface so that the user can view the actions in the order of recommendation.
  - 19. The interface of claim 17, wherein the interface includes three columns of information to depict a severity of an ongoing event, a first column is updated dynamically to display current data second column “
    - detection”
      
      displays data at the time of detection and “
      
      Historical,”
      
      which displays historical data pertaining to the host and with each column including a count of host pairs as well as traffic level.
  - 20. The interface of claim 19, wherein the detection column and the historical column are juxtaposed each other to clearly delineate normal behavior and anomalous behavior that caused the event to be triggered.
  - 21. The interface of claim 19, wherein the current column shows up to date information that changes according to changes in the event, and which will drop to zero if the event is effectively mitigated.

22. A system, comprising:
- a plurality of collector devices disposed to collect statistical information on packets sent between nodes on a network;
  
  a stackable aggregator device that receives network data from the plurality of collector devices, the aggregator device producing a connection table that maps each node on the network to a record that stores information about traffic to or from the node, the stackable aggregator comprising;
  
  a manager blade, a database blade, and two or more, analyzer blades and wherein each blade includes a mitigation engine to manage mitigation plans stored in a database and to communicate with network devices to implement and maintain mitigation plans.

23. A computer program product for minimizing effects of configuration errors or accidental bad mitigation plans in a intrusion detection system, comprises instructions to:
- manage mitigation plans in a database;
  
  communicate with network devices to implement and maintain mitigation plans; and
  
  log all configuration changes to the network devices by a time stamp in order to undo mitigation plan based changes to recover from a configuration error resulting from a mitigation action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology Incorporated
Original Assignee
Riverbed Technology Incorporated
Inventors
Weber, Daniel, Gold, Jeffrey

Application Number

US11/269,169
Publication Number

US 20060242694A1
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

Mitigation and mitigation management of attacks in networked systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation and mitigation management of attacks in networked systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links