SYSTEM, METHOD AND PROGRAM PRODUCT FOR IDENTIFYING NETWORK-ATTACK PROFILES AND BLOCKING NETWORK INTRUSIONS

US 20080141332A1
Filed: 12/11/2006
Published: 06/12/2008
Est. Priority Date: 12/11/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for generating an attack profile, said method comprising the steps of:

identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;

determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and

generating and recording an attack profile based on a combination of said first and second messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method and program product for generating an attack profile. A set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time is identified. Each of the messages contains a respective signature characteristic of a malicious message. First and second messages of the set that are correlated to each other as part of a same attack are determined based on frequency of occurrence of the first message, frequency of occurrence of the second message in the set and similarity in a number of occurrences of the first message in the set to a number of occurrences of the second message in the set. The first message has a first signature and the second message has a second, different signature. An attack profile based on a combination of the first and second messages is generated and recorded. A rule can be automatically generated to detect a combination of the first and second messages.

74 Citations

View as Search Results

9 Claims

1. A computer implemented method for generating an attack profile, said method comprising the steps of:
- identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
  
  determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
  
  generating and recording an attack profile based on a combination of said first and second messages.
- View Dependent Claims (2, 3, 4)
- - 2. A computer implemented method as set forth in claim 1 further comprising the step of automatically generating a rule to detect a combination of said first and second messages.
  - 3. A computer implemented method as set forth in claim 1 further comprising the step of installing said rule a firewall.
  - 4. A computer implemented method as set forth in claim 1 further comprising the step of automatically generating a rule to block a combination of said first and second messages, and installing said rule in a firewall.

5. A system for generating an attack profile, said system comprising:
- means for identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
  
  means for determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
  
  means for generating and recording an attack profile based on a combination of said first and second messages.
- View Dependent Claims (6, 7, 8)
- - 6. A system as set forth in claim 5 further comprising means for automatically generating a rule to detect a combination of said first and second messages.
  - 7. A system as set forth in claim 5 further comprising means for installing said rule a firewall.
  - 8. A system as set forth in claim 5 further comprising means for automatically generating a rule to block a combination of said first and second messages, and installing said rule in a firewall.

9. A computer program product for generating an attack profile, said computer program product comprising:
- a computer readable media;
  
  first program instructions to identify a set of messages from a same source IP address sent to a plurality of destination IP addresses during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
  
  second program instructions to receive an identification of a signature of interest, and in response, determine that said signature of interest was contained in messages that were sent only to a subset of said destination IP addresses and there were other messages containing other signatures that were sent to one or more other of said destination IP addresses, wherein one of these other destination IP addresses did not send to or receive from the subset of destination IP addresses any messages containing malicious signatures, and in response, discard said one other message from the set;
  
  third program instructions, for execution after said second program instructions, to determine first and second messages remaining in said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
  
  fourth program instructions to generate and record an attack profile based on a combination of said first and second messages; and
  
  whereinsaid first, second, third and fourth program instructions are recorded on said media in functional form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Treinen, James J.

Granted Patent

US 8,056,115 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

SYSTEM, METHOD AND PROGRAM PRODUCT FOR IDENTIFYING NETWORK-ATTACK PROFILES AND BLOCKING NETWORK INTRUSIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND PROGRAM PRODUCT FOR IDENTIFYING NETWORK-ATTACK PROFILES AND BLOCKING NETWORK INTRUSIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links