Automatic Signature Propagation Network
First Claim
1. A method implemented in a network(s) including a plurality of intelligent security agents distributed across the network(s) comprising:
identifying an on-going attack through behavioral analysis protection in said network(s);
creating a generic attack signature rule of DoS and Worms attack through said behavioral analysis;
propagating said created generic attack signature to a controller;
wherein said controller receives said created generic attack signature from an intelligent security agent and, based on generic signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network(s) with said created generic attack signature.
Abstract
A distributed security system wherein intelligent security agents (i.e., agent devices) share security incident information between themselves via a controller. An adaptive security decision-making process involving network worms (non-SMTP worms) and DoS flood attacks is also described, wherein worm and DoS flood digital signatures are generated to assist the intrusion prevention process.
21 Claims
1. A method implemented in a network(s) including a plurality of intelligent security agents distributed across the network(s) comprising:
identifying an on-going attack through behavioral analysis protection in said network(s);
creating a generic attack signature rule of DoS and Worms attack through said behavioral analysis;
propagating said created generic attack signature to a controller;
wherein said controller receives said created generic attack signature from an intelligent security agent and, based on generic signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network(s) with said created generic attack signature.
Dependent claims: 2, 3, 4, 5, 6
7. A method implemented in a controller communicating with a plurality of intelligent security agents distributed across a network, said method comprising:
receiving at least one created generic signature of DoS or Worm attack from an intelligent security agent over said network, said attack generic signature created through behavioral analysis;
propagating, based on generic signature attributes parameters and propagation rules, said received at least one created generic attack signature to said plurality of intelligent security agents, wherein a black list associated with each of said plurality of intelligent security agents distributed across said network is dynamically updated with said propagated at least one created generic attack signature, said update performed via an external update mechanism associated with each of said plurality of intelligent security agents distributed across said network.
Dependent claims: 8, 9, 10
11. An article of manufacture comprising a computer usable medium having computer readable program code embodied therein, said medium comprising:
computer readable program code for identifying DoS and Worm attacks based on behavioral analysis;
computer readable program code creating a generic attack signature that characterizes said attacks through said behavioral analysis based on attack signature information regarding DoS attacks and/or worm attacks;
computer readable program code propagating said created generic attack signature to a controller;
wherein said controller receives said created generic attack signature from an intelligent security agent and, based on signature attributes parameters and propagation rules, said controller selects and updates a black list associated with each of said plurality of intelligent security agents distributed across said network with said created generic attack signature.
Dependent claims: 12, 13
14. A distributed security system comprising:
a plurality of intelligent security agents distributed across a network, said intelligent security agents comprising:
a black list identifying a plurality of signatures used in restricting packet flow in said network;
a generic signature creating module to create a generic attack signature through behavioral analysis;
a propagation mechanism to propagate said created generic attack signature to a controller;
an external update mechanism to receive updates to said black list from said controller;
a denial of service module forwarding attack signature information regarding said DoS attack to said generic signature creating module;
an anti-scan behavioral module forwarding attack signature information regarding said worm attack to said generic signature creating module, said generic attack signature information, after being created by the generic attack signature creation module, regarding said worm and DoS attack further including any of or a combination of the following attributes: accuracy level of footprint, worm characteristic level, attack rate, attack direction, and generality type; and
said controller communicating with each of said plurality of said intelligent security agents over said network, said controller receiving the created generic attack signatures from at least one intelligent security agent and said controller, based on generic signature attributes parameters and propagation rules, updating a black list associated with each of said plurality of intelligent security agents distributed across said network with said created generic signature, said update performed via an external update mechanism associated with each of said plurality of intelligent security agents distributed across said network.
Dependent claims: 15, 16
17. An article of manufacture comprising a computer usable medium having computer readable program code embodied therein comprising:
computer readable program code for maintaining a black list identifying a plurality of signatures used in restricting packet flow in said network;
computer readable program code for creating a generic attack signature through behavioral analysis regarding a denial of service (DoS) attack or a worm attack;
computer readable program code for propagating said created generic attack signature to a controller based on signature attributes parameters and propagation rules;
computer readable program code for receiving updates to said black list from said controller;
computer readable program code for forwarding attack signature information regarding said DoS attack to said generic signature creating module, said generic attack signature, after the generic attack signature is created, regarding said DoS attack comprising any of, or a combination of, the following attributes: accuracy level, worm characteristic level, attack rate, attack direction, and generality type.
Dependent claims: 18, 19, 20, 21
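A small simulation of the controller-side propagation step described in claims 7, 14 and 17, added here as an illustration and not code from the patent: each agent carries a black list and an external update hook, and the controller decides which black lists receive a new generic signature from its accuracy level, worm characteristic level, attack rate, attack direction and generality type. The thresholds, the zone model (dmz, egress, lan) and the footprint string format are assumptions; the patent names the attributes but not the rule semantics.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class GenericSignature:
    """The five attributes named in claim 14; footprint format and value
    ranges are assumptions made for this example."""
    footprint: str                  # constructed filter rule that agents black-list
    origin_agent: str               # agent whose behavioral analysis created it
    accuracy_level: int             # 0..100, confidence in the footprint
    worm_characteristic_level: int  # 0..100, how worm-like the flow looked
    attack_rate: int                # observed packets per second
    attack_direction: str           # "inbound" or "outbound"
    generality_type: str            # "local" or "global"

class Agent:
    """Agent with a black list and the external update hook the controller calls."""
    def __init__(self, name: str, zone: str) -> None:
        self.name, self.zone = name, zone
        self.black_list: Set[str] = set()
    def external_update(self, sig: GenericSignature) -> None:
        self.black_list.add(sig.footprint)

class Controller:
    """Applies propagation rules; thresholds and zone logic are assumptions."""
    MIN_ACCURACY = 70       # below this the footprint is too speculative to push
    GLOBAL_MIN_RATE = 1000  # a network-wide rule must reflect a real flood
    WORM_LEVEL = 75         # above this, outbound traffic is treated as spreading

    def __init__(self, agents: List[Agent]) -> None:
        self.agents: Dict[str, Agent] = {a.name: a for a in agents}

    def select_targets(self, sig: GenericSignature) -> List[str]:
        if sig.accuracy_level < self.MIN_ACCURACY:
            return []
        if sig.generality_type == "global" and sig.attack_rate >= self.GLOBAL_MIN_RATE:
            return sorted(self.agents)
        zone = self.agents[sig.origin_agent].zone  # local rules stay in the origin's zone
        targets = {n for n, a in self.agents.items() if a.zone == zone}
        if sig.attack_direction == "outbound" and sig.worm_characteristic_level >= self.WORM_LEVEL:
            targets |= {n for n, a in self.agents.items() if a.zone == "egress"}  # contain spread
        return sorted(targets)

    def receive(self, sig: GenericSignature) -> List[str]:
        targets = self.select_targets(sig)
        for name in targets:
            self.agents[name].external_update(sig)
        return targets

def build_demo() -> Controller:
    return Controller([Agent("a1", "dmz"), Agent("a2", "dmz"), Agent("a3", "egress"), Agent("a4", "lan")])
```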