Leveraging active firewalls for network intrusion detection and retardation of attack

US 20070133537A1
Filed: 12/08/2005
Published: 06/14/2007
Est. Priority Date: 12/08/2005
Status: Active Grant

First Claim

Patent Images

1. A network filter comprising:

a network interface supporting a plurality of active and inactive ports;

a controller operable to direct traffic on the active ports to a service configured on its respective active port; and

a processing unit operable to receive traffic on the inactive ports and provide a response to the traffic on each of the inactive ports.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network firewall or network filter functions normally to pass data on open ports to a respective service or data source associated with an open port. In addition, traffic arriving on closed ports may be directed to a handler for analysis and response. The handler may analyze and catalog the source and type of traffic arriving on the closed ports. The handler may then send a response with either a fixed response or data tailored to the type and nature of the traffic. The handler may respond slowly to cause the source of the traffic to wait for the response, thereby slowing the speed at which a potential attacker can identify valid targets and proceed past non-valid targets.

Citations

20 Claims

1. A network filter comprising:
- a network interface supporting a plurality of active and inactive ports;
  
  a controller operable to direct traffic on the active ports to a service configured on its respective active port; and
  
  a processing unit operable to receive traffic on the inactive ports and provide a response to the traffic on each of the inactive ports.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network filter of claim 1, wherein the processing unit delays the response to the source of the traffic.
  - 3. The network filter of claim 1, wherein the processing unit manipulates a packet payload size of traffic on the inactive ports to reduce communication bandwidth.
  - 4. The network filter of claim 1, wherein the processing unit manipulates an error response to simulate a high line noise level.
  - 5. The network filter of claim 4, wherein the processing unit notifies an associated entity of a source identity and a nature of the traffic on each of the inactive ports, the associated entity being at least one of a neighboring server and a clearinghouse regarding the traffic on each of the inactive ports.
  - 6. The network filter of claim 1, wherein the processing unit is further operable to categorize the traffic on each of the inactive ports as at least one of benign and a threat.
  - 7. The network filter of claim 1, wherein the processing unit is further operable to categorize the traffic on each of the inactive ports as at least one of coming from a known source and having a predetermined attack profile.

8. A method of reducing network-based attack efficiency using a network filter to block closed ports while providing an appearance of activity comprising:
- passing data traffic on open ports to their respective services;
  
  passing data traffic on closed ports to a handler;
  
  responding to the data traffic on the closed ports with a response corresponding to the nature of the data traffic.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising:
    - cataloging, at the handler, the type and nature of the data traffic received via the closed port and reporting information corresponding to the data traffic to a network management function.
  - 10. The method of claim 8, further comprising:
    - reporting, to an external entity, information corresponding to the data traffic received via the closed port.
  - 11. The method of claim 8, further comprising:
    - receiving from an external entity information corresponding to attacks observed at another location.
  - 12. The method of claim 8, wherein responding to the data traffic comprises responding with fixed data.
  - 13. The method of claim 8, wherein responding to the data traffic comprises responding with data generated corresponding to the data traffic received via the closed port.
  - 14. The method of claim 8, wherein responding to the data traffic comprises responding with a fixed delay.
  - 15. The method of claim 8, wherein responding to the data traffic comprises responding with a delay of at least 75% of a timeout period specified for the response.

16. A firewall for use in managing network traffic comprising:
- a plurality of ports, each of the plurality of ports is one of assigned to a corresponding service and unassigned;
  
  a processor for analyzing traffic addressed to any of the unassigned ports;
  
  a controller for directing traffic arriving at any of the unassigned ports to the processor;
  
  a network interface coupled to the processor for alerting a network management function of a potential attack responsive to analyzing traffic addressed to any of the unassigned ports.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The firewall of claim 16, wherein the controller is further operable to alert a clearinghouse of a potential attack responsive analyzing traffic addressed to any of the unassigned ports.
  - 18. The firewall of claim 16, wherein the processor is operable to issue a response to traffic addressed to any of the unassigned ports.
  - 19. The firewall of claim 18, wherein the response comprises data unrelated to any corresponding service associate with an assigned port.
  - 20. The firewall of claim 18, wherein the response to traffic addressed to any of the unassigned ports comprises information provided by a clearinghouse supplying network attack data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Frank, Alexander, Oliver, Robert

Granted Patent

US 8,170,020 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1408 by monitoring network traff...

Leveraging active firewalls for network intrusion detection and retardation of attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Leveraging active firewalls for network intrusion detection and retardation of attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links