Network threat detection and mitigation

US 20070157306A1
Filed: 12/30/2005
Published: 07/05/2007
Est. Priority Date: 12/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

automatically detecting undesired network traffic at a switch belonging to a network;

mirroring the undesired traffic to a security management device;

determining a source of the undesired traffic;

redirecting traffic from the source; and

automatically sending a policy to a switch to block traffic from the source;

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Citations

24 Claims

1. A method, comprising:
- automatically detecting undesired network traffic at a switch belonging to a network;
  
  mirroring the undesired traffic to a security management device;
  
  determining a source of the undesired traffic;
  
  redirecting traffic from the source; and
  
  automatically sending a policy to a switch to block traffic from the source;
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein automatically detecting undesired network traffic comprises:
    - measuring a ratio of Address Resolution Protocol (ARP) requests to ARP replies in a network traffic stream; and
      
      comparing the measured ratio to a threshold ratio.
  - 3. The method of claim 1, wherein automatically detecting undesired network traffic comprises:
    - measuring a ratio of Transmission Control Protocol (TCP) SYN packets to TCP ACK packets in a network traffic stream; and
      
      comparing the measured ratio to a threshold.
  - 4. The method of claim 1, wherein determining the source comprises determining a Media Access Control (MAC) address of the source.
  - 5. The method of claim 1, further comprising determining a destination for the undesired traffic.
  - 6. The method of claim 5, wherein the source and destination addresses are Internet Protocol (IP) addresses.
  - 7. The method of claim 6, wherein determining the source and destination addresses comprises extracting a source IP address and a destination IP address from a header of an IP packet in the undesired traffic.
  - 8. The method of claim 1, wherein redirecting traffic from the source comprises reformulating an ARP table of the source to cause traffic originating from the source to be sent to the security management device.
  - 9. The method of claim 8, wherein reformulating an ARP table of the source further comprises causing traffic originating from the source to be sent to an address of the security management device.
  - 10. The method of claim 1, wherein redirecting comprises redirecting traffic from the source to the security management device based at least in part on one or more of access control lists (ACL(s)), policy-based routing, virtual local area network (VLAN) identifications (IDs), Hypertext Transfer Protocol (HTTP) information, or Extensible Markup Language (XML) tags.
  - 11. The method of claim 1, wherein sending the policy to a switch comprises sending the policy to a switch that is nearest to the source.

12. A system, comprising:
- a switch to automatically detect undesired traffic on a network;
  
  a security management device coupled with the switch to;
  
  receive undesired traffic mirrored from the switch;
  
  determine a source of the harmful traffic;
  
  redirect traffic sent from the source; and
  
  automatically send a policy to a switch to block traffic from the source; and
  
  a network management server coupled to the security management device;
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, where the security management device is virtually in-line within the network.
  - 14. The system of claim 12, wherein the security management device redirects traffic from the source to the security management device based at least in part on one or more of access control lists (ACL(s)), policy-based routing, virtual local area network (VLAN) identifications (IDs), Hypertext Transfer Protocol (HTTP) information, or Extensible Markup Language (XML) tags.
  - 15. The system of claim 12, wherein the security management device receives undesired traffic on a dedicated port.

16. An apparatus, comprising:
- means for automatically detecting undesired network traffic at a switch belonging to a network;
  
  means for mirroring the harmful traffic to a security management device;
  
  means for determining a source of the harmful traffic;
  
  means for redirecting traffic from the source; and
  
  means for automatically sending a policy to a switch to block traffic from the source;
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The apparatus of claim 16, wherein the means for automatically detecting undesired network traffic further comprises:
    - means for measuring a ratio of Address Resolution Protocol (ARP) requests to ARP replies in a network traffic stream; and
      
      means for comparing the measured ratio to a threshold ratio.
  - 18. The apparatus of claim 16, wherein the means for automatically detecting undesired network traffic comprises:
    - means for measuring a ratio of Transmission Control Protocol (TCP) SYN packets to TCP ACK packets in a network traffic stream; and
      
      means for comparing the measured ratio to a threshold.
  - 19. The apparatus of claim 16, wherein the means for determining the source comprises means for determining a Media Access Control (MAC) address of the source.
  - 20. The apparatus of claim 16, further comprising means for determining a destination for the undesired traffic.
  - 21. The method of claim 16, wherein the means for redirecting traffic from the source comprises means for reformulating an ARP table of the source to cause traffic originating from the source to be sent to the security management device.
  - 22. The apparatus of claim 16, wherein the means for reformulating an ARP table of the source further comprises means for causing traffic originating from the source to be sent to an address of the security management device.
  - 23. The apparatus of claim 16, wherein the means for redirecting further comprises means for redirecting traffic from the source to the security management device based at least in part on one or more of access control lists (ACL(s)), policy-based routing, virtual local area network (VLAN) identifications (IDs), Hypertext Transfer Protocol (HTTP) information, or Extensible Markup Language (XML) tags.
  - 24. The apparatus of claim 16, wherein the means for automatically sending the policy to a switch comprises means for sending the policy to a switch that is nearest to the source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Extreme Networks, Inc.
Inventors
Kashyap, Prakash, Elrod, Craig

Granted Patent

US 8,255,996 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Network threat detection and mitigation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network threat detection and mitigation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links