SYSTEM, METHOD AND PROGRAM PRODUCT FOR IDENTIFYING NETWORK-ATTACK PROFILES AND BLOCKING NETWORK INTRUSIONS
First Claim
1. A computer implemented method for generating an attack profile, said method comprising the steps of:
- identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
- determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
- generating and recording an attack profile based on a combination of said first and second messages.
Abstract
System, method and program product for generating an attack profile. A set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time is identified. Each of the messages contains a respective signature characteristic of a malicious message. First and second messages of the set that are correlated to each other as part of a same attack are determined based on frequency of occurrence of the first message, frequency of occurrence of the second message in the set and similarity in a number of occurrences of the first message in the set to a number of occurrences of the second message in the set. The first message has a first signature and the second message has a second, different signature. An attack profile based on a combination of the first and second messages is generated and recorded. A rule can be automatically generated to detect a combination of the first and second messages.
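As an added illustration (not code from the patent or its assignee), the following Python sketch applies the steps described in the abstract to constructed IDS alerts: group alerts by source IP and target company within an interval, require several distinct destination addresses, count each signature, record as a profile every pair of different signatures whose occurrence counts are similar, and emit a rule for the pair. The ratio-based similarity test, the company-to-prefix mapping and the sample alerts are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from itertools import combinations
# Constructed sample IDS alerts: (time, source IP, destination IP, signature).
ALERTS = [
    ("2024-01-01T10:00:01", "198.51.100.7", "10.1.0.5", "SID-1001"),
    ("2024-01-01T10:00:03", "198.51.100.7", "10.1.0.9", "SID-1001"),
    ("2024-01-01T10:00:04", "198.51.100.7", "10.1.0.9", "SID-2002"),
    ("2024-01-01T10:00:06", "198.51.100.7", "10.1.0.12", "SID-2002"),
    ("2024-01-01T10:00:07", "198.51.100.7", "10.1.0.12", "SID-1001"),
    ("2024-01-01T10:00:09", "198.51.100.7", "10.1.0.5", "SID-2002"),
    ("2024-01-01T10:00:10", "198.51.100.7", "10.1.0.5", "SID-3003"),  # seen once: not correlated
    ("2024-01-01T10:00:11", "203.0.113.4", "10.1.0.5", "SID-1001"),   # one destination only
    ("2024-01-01T11:30:00", "198.51.100.7", "10.1.0.5", "SID-2002"),  # outside the interval
]
# Hypothetical mapping of destination address space to a company (assumption).
COMPANY_NETS = {ip_network("10.1.0.0/16"): "acme"}

def company_of(dst):
    addr = ip_address(dst)
    return next((name for net, name in COMPANY_NETS.items() if addr in net), None)

def build_profiles(alerts, start_iso, interval_seconds, min_dsts=2, similarity=0.5):
    """Return {(src_ip, company): [(sig_a, sig_b, count_a, count_b), ...]}.
    Two signatures are correlated when the smaller count is at least
    `similarity` times the larger one (this ratio test is an assumption)."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(seconds=interval_seconds)
    groups = defaultdict(list)  # (source IP, company) -> [(dst, signature), ...]
    for ts, src, dst, sig in alerts:
        company = company_of(dst)
        if company and start <= datetime.fromisoformat(ts) < end:
            groups[(src, company)].append((dst, sig))
    profiles = {}
    for key, msgs in groups.items():
        if len({dst for dst, _ in msgs}) < min_dsts:
            continue  # a single destination is not the multi-host pattern of the claim
        counts = Counter(sig for _, sig in msgs)
        pairs = [(a, b, counts[a], counts[b]) for a, b in combinations(sorted(counts), 2)
                 if min(counts[a], counts[b]) / max(counts[a], counts[b]) >= similarity]
        if pairs:
            profiles[key] = pairs
    return profiles

def rule_for(pair):
    """Detection rule for a correlated pair: fire when both signatures come from one source."""
    sig_a, sig_b, _, _ = pair
    return {"match_all_signatures": [sig_a, sig_b], "from_same_source": True}
```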
9 Claims
1. A computer implemented method for generating an attack profile, said method comprising the steps of:
- identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
- determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
- generating and recording an attack profile based on a combination of said first and second messages.
Dependent claims: 2, 3, 4.

5. A system for generating an attack profile, said system comprising:
- means for identifying a set of messages from a same source IP address sent to a plurality of different destination IP addresses of a same company during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
- means for determining first and second messages of said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
- means for generating and recording an attack profile based on a combination of said first and second messages.
Dependent claims: 6, 7, 8.

9. A computer program product for generating an attack profile, said computer program product comprising:
- a computer readable media;
- first program instructions to identify a set of messages from a same source IP address sent to a plurality of destination IP addresses during an interval of time, where each of said messages contains a respective signature characteristic of a malicious message;
- second program instructions to receive an identification of a signature of interest, and in response, determine that said signature of interest was contained in messages that were sent only to a subset of said destination IP addresses and there were other messages containing other signatures that were sent to one or more other of said destination IP addresses, wherein one of these other destination IP addresses did not send to or receive from the subset of destination IP addresses any messages containing malicious signatures, and in response, discard said one other message from the set;
- third program instructions, for execution after said second program instructions, to determine first and second messages remaining in said set that are correlated to each other as part of a same attack based on frequency of occurrence of said first message, frequency of occurrence of said second message in said set and similarity in a number of occurrences of said first message in said set to a number of occurrences of said second message in said set, wherein said first message has a first signature and said second message has a second, different signature; and
- fourth program instructions to generate and record an attack profile based on a combination of said first and second messages; and
wherein said first, second, third and fourth program instructions are recorded on said media in functional form.
Specification