Automatic Signature Propagation Network

US 20080086772A1
Filed: 10/09/2007
Published: 04/10/2008
Est. Priority Date: 10/09/2006
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a network(s) including a plurality of intelligent security agents distributed across the network(s) comprising:

identifying an on-going attack through behavioral analysis protection in said network(s);

creating a generic attack signature rule of DoS and Worms attack through said behavioral analysis;

propagating said created generic attack signature to a controller;

wherein said controller receives said created generic attack signature from an intelligent security agent and, based on generic signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network(s) with said created generic attack signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed security system wherein intelligent security agents (i.e., agent devices) share security incident information between themselves via a controller. An adaptive security decision making involving network worms (non-SMTP worms) and DoS floods attacks is also described; wherein the Worms and DoS flood digital signatures are generated to assist in intrusion prevention process.

Citations

21 Claims

1. A method implemented in a network(s) including a plurality of intelligent security agents distributed across the network(s) comprising:
- identifying an on-going attack through behavioral analysis protection in said network(s);
  
  creating a generic attack signature rule of DoS and Worms attack through said behavioral analysis;
  
  propagating said created generic attack signature to a controller;
  
  wherein said controller receives said created generic attack signature from an intelligent security agent and, based on generic signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network(s) with said created generic attack signature.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said generic attack signature attributes parameters regarding DoS attacks and/or worm attacks further comprising any of, or a combination of, the following attributes:
    - accuracy level of signature, worm characteristic level, attack rate, attack direction, and generality type.
  - 3. The method of claim 1, wherein a generic signature rule is generated from multiple footprint types with each footprint type assigned an accuracy score and based on that a generic signature accuracy score is set.
  - 4. The method of claim 1 wherein a generic signature rule is assigned an attribute representing three generality levels:
    - (1) generic (g) for attack signatures that are effective for all registered networks;
      
      (2) generic/source for attack signatures that are effective in blocking attack traffic originating from a source network; and
      
      (3) generic/target for attack signatures limited to a target network.
  - 5. The method of claim 1, wherein a generic attack signature is assigned a dynamic worm score, wherein said worm score is set based on a positive or negative score weight function and the footprint types and values included in the generic signature.
  - 6. The method of claim 1, wherein said network(s) is any of a combination of the following:
    - local area network, wide area network, or the Internet.

7. A method implemented in a controller communicating with a plurality of intelligent security agents distributed across a network, said method comprising:
- receiving at least one created generic signature of DoS or Worm attack from an intelligent security agent over said network, said attack generic signature created through behavioral analysis;
  
  propagating, based on generic signature attributes parameters and propagation rules, said received at least one created generic attack signature to said plurality of intelligent security agents,wherein a black list associated with each of said plurality of intelligent security agents distributed across said network is dynamically updated with said propagated at least one created generic attack signature, said update performed via an external update mechanism associated with each of said plurality of intelligent security agents distributed across said network.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein said generic signature attributes parameters further comprising any of, or a combination of, the following:
    - accuracy level of signature, worm characteristic level, attack rate, attack direction, and generality type.
  - 9. The method of claim 7, wherein a generic signature rule is generated from multiple footprint types with each footprint type assigned an accuracy score and based on that a generic signature accuracy score is set.
  - 10. The method of claim 7 wherein a generic signature rule is assigned an attribute representing three generality levels:
    - (1) generic for attack signatures that are effective for all registered networks;
      
      (2) generic/source for attack signatures that are effective in blocking attack traffic originating from a source network; and
      
      (3) generic/target for attack signatures limited to a target network.

11. An article of manufacture comprising a computer usable medium having computer readable program code embodied therein, said medium comprising:
- computer readable program code for identifying DoS and Worm attacks based on behavioral analysis;
  
  computer readable program code creating a generic attack signature that characterized said attacks through said behavioral analysis based on attack signature information regarding DoS attacks and/or worm attacks;
  
  computer readable program code propagating said created generic attack signature to a controller;
  
  wherein said controller receives said created generic attack signature from an intelligent security agent and, based on signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network with said a created generic attack signature.
- View Dependent Claims (12, 13)
- - 12. The article of manufacture of claim 11, wherein said generic attack signature information regarding DoS attacks and/or worm attacks further comprising any of, or a combination of, the following attributes:
    - accuracy level of signature, worm characteristic level, attack rate, attack direction, and generality type.
  - 13. The article of manufacture of claim 11, wherein computer readable program code additionally generates a generic signature rule from multiple footprint types with each footprint type assigned an accuracy score and based on that a generic signature accuracy score is set.

14. A distributed security system comprising:
- a plurality of intelligent security agents distributed across a network, said intelligent security agents comprising;
  
  a black list identifying a plurality of signatures used in restricting packet flow in said network;
  
  a generic signature creating module to create a generic attack signature through behavioral analysis;
  
  a propagation mechanism to propagate said created generic attack signature to a controller;
  
  an external update mechanism to receive updates to said black list from said controller;
  
  a denial of service module forwarding attack signature information regarding said DoS attack to said generic signature creating module;
  
  an anti-scan behavioral module forwarding attack signature information regarding said worm attack to said generic signature creating module, said generic attack signature information, after being created by the generic attack signature creation module, regarding said worm and DoS attack further including any of or a combination of the following attributes;
  
  accuracy level of footprint, worm characteristic level, attack rate, attack direction, and generality type; and
  
  said controller communicating with each of said plurality of said intelligent security agents over said network, said controller receiving the created generic attack signatures from at least one intelligent security agent and said controller, based on generic signature attributes parameters and propagation rules, updating a black list associated with each of said plurality of intelligent security agents distributed across said network with said created generic signature, said update performed via an external update mechanism associated with each of said plurality of intelligent security agents distributed across said network.
- View Dependent Claims (15, 16)
- - 15. The distributed security system of claim 14, wherein a generic signature rule is generated from multiple footprint types with each footprint type assigned an accuracy score and based on that a generic signature accuracy score is set.
  - 16. The distributed security system of claim 14, wherein said generic signatures are propagated between said security agents distributed across a network based on generic attack signature information and/or attributes and a set of pre-defined rules.

17. An article of manufacture comprising a computer usable medium having computer readable program code embodied therein comprising:
- computer readable program code for maintaining a black list identifying a plurality of signatures used in restricting packet flow in said network;
  
  computer readable program code for creating a generic attack signature through behavioral analysis regarding a denial of service (DoS) attack or a worm attack;
  
  computer readable program code for propagating said created attack generic signature to a controller based on a signature attributes parameters and propagation rules;
  
  computer readable program code for receiving updates to said black list from said controller;
  
  computer readable program code for forwarding attack signature information regarding said DoS attack to said generic signature creating module, said generic attack signature, after the generic attack signature is created, regarding said DoS attack comprising any of, or a combination of, the following attributes;
  
  accuracy level, worm characteristic level, attack rate, attack direction, and generality type.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The article of manufacture of claim 17, wherein said controller communicating with each of said plurality of said intelligent security agents over said network, said controller receiving automatically created generic attack signatures from at least one intelligent security agent and said controller dynamically updating a black list associated with each of said plurality of intelligent security agents distributed across said network with said automatically created generic attack signature, said update performed via an external update mechanism associated with each of said plurality of intelligent security agents distributed across said network.
  - 19. The article of manufacture of claim 17, wherein a signature rule is generated from multiple footprint types with each footprint type assigned an accuracy score and based on that a generic signature accuracy score is set.
  - 20. The article of manufacture of claim 19, wherein the signature rule is assigned an attribute representing three generality levels:
    - (1) generic for attack signatures that are effective for all registered networks;
      
      (2) generic/source for attack signatures that are effective in blocking attack traffic originating from a source network; and
      
      (3) generic/target for attack signatures limited to a target network.
  - 21. The article of manufacture of claim 17, wherein an generic attack signature is assigned a dynamic worm score, wherein said worm score is set based on a positive or negative score weight function and the footprint types and values included in the generic signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Chesla, Avi

Granted Patent

US 8,510,834 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Automatic Signature Propagation Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic Signature Propagation Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links