Automated containment of network intruder

US 20070192862A1
Filed: 12/21/2004
Published: 08/16/2007
Est. Priority Date: 05/12/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for containing traffic in a data communications network, the system comprising:

one or more switching devices;

an intrusion detection system to determine the identity of an intruder; and

a server, operatively coupled to the intrusion detector, adapted to automatically;

generate an isolation rule associating the identified intruder with an isolation action; and

install the isolation rule on each of the one or more one or more switching devices;

wherein each of the one or more switching devices executes the isolation action upon receipt of a protocol data unit (PDU) from the identified intruder.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention in the preferred embodiment features a system (200) and method for automatically segregating harmful traffic from other traffic at a plurality of network nodes including switches and routers. In the preferred embodiment, the system (200) comprises an intrusion detection system (105) to determine the identity of an intruder and a server (130) adapted to automatically install an isolation rule on the one or more network nodes (114, 115, 116) to quarantine packets from the intruder. The isolation rule in the preferred embodiment is a virtual local area network (VLAN) rule or access control list (ACL) rule that causes the network node to route any packets from the intruder into a quarantine VLAN or otherwise isolate the traffic from other network traffic. In large networks, the isolation rule may be installed on a select plurality of network nodes under the gateway router (104) associated with the node at which the intruder first entered the network (100).

189 Citations

16 Claims

1. A system for containing traffic in a data communications network, the system comprising:
- one or more switching devices;
  
  an intrusion detection system to determine the identity of an intruder; and
  
  a server, operatively coupled to the intrusion detector, adapted to automatically;
  
  generate an isolation rule associating the identified intruder with an isolation action; and
  
  install the isolation rule on each of the one or more one or more switching devices;
  
  wherein each of the one or more switching devices executes the isolation action upon receipt of a protocol data unit (PDU) from the identified intruder.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the identity of the intruder is a media access control address (MAC) address.
  - 3. The system of claim 1, wherein the identity of the intruder is an Internet Protocol (IP) address.
  - 4. The system of claim 1, wherein the isolation rule is a virtual local area network (VLAN) rule adapted to place one or more PDUs associated with the identified intruder into a quarantine VLAN.
  - 5. The system of claim 1, wherein the isolation rule is an access control list (ACL) rule adapted to segregate one or more PDUs associated with the identified intruder from the PDUs from one or more end stations supported by the one or more switching devices.
  - 6. The system of claim 1, wherein the one or more switching devices are associated with a default gateway, and the server is further adapted to:
    - identify the default gateway; and
      
      identify the one or more switching devices on which to install the isolation rule.
  - 7. The system of claim 6, wherein the default gateway is one of a plurality of routers, and where the server is adapted to identify the default gateway by issuing a query for address resolution protocol (ARP) information to each of one of a plurality of routers.
  - 8. The system of claim 1, wherein the intrusion detection system is selected from the group consisting of:
    - a firewall and intrusion prevention system.
  - 9. The system of claim 1, wherein the isolation rule is transmitted to the one or more one or more switching devices in a computer readable script.

10. A system for containing a client device in a network comprising one or more routers including a first router associated with a network segment including the client device, the system comprising:
- one or more switches operatively connected to the network segment associated with the first router; and
  
  a central management node adapted to;
  
  receive an intrusion detection with a source address from an intrusion detection entity, the source address associated with the client device;
  
  identify the first router from among the one or more routers;
  
  generate a rule to map PDUs having the source address associated with the client device to an penalty virtual local area network (VLAN) separate from other network traffic; and
  
  transmit the rule to each of said one or more switches;
  
  wherein each of the one or more switches causes PDUs having the source address associated with the client device to the penalty VLAN.

11. A method for containing traffic in a data communications network having one or more switching devices, the method comprising the steps of:
- identifying an intruder in a network;
  
  automatically generating an isolation rule associating the identified intruder with an isolation action; and
  
  installing the isolation rule on each of the one or more one or more switching devices;
  
  wherein each of the one or more switching devices executes the isolation action upon receipt of a PDU from the identified intruder.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the intruder is identified by a media access control address (MAC) address.
  - 13. The method of claim 11, wherein the intruder is identified by an Internet Protocol (IP) address.
  - 14. The method of claim 11, wherein the isolation rule is a virtual local area network (VLAN) rule adapted to place one or more PDUs associated with the identified intruder into a quarantine VLAN.
  - 15. The method of claim 11, wherein the isolation rule is an access control list (ACL) rule adapted to segregate one or more PDUs associated with the identified intruder from the PDUs from one or more end stations supported by the one or more switching devices.
  - 16. The method of claim 11, wherein the one or more switching devices are associated with a default gateway, and wherein the method further includes the steps of:
    - identifying the default gateway; and
      
      identifying the one or more switching devices on which to install the isolation rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John Matthews, Vincent Vermeulen
Original Assignee
John Matthews, Vincent Vermeulen
Inventors
Vermeulen, Vincent, Matthews, John

Application Number

US11/568,914
Publication Number

US 20070192862A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Automated containment of network intruder

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

189 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Automated containment of network intruder

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links