PATTERN-BASED NETWORK DEFENSE MECHANISM

US 20080295173A1
Filed: 08/14/2007
Published: 11/27/2008
Est. Priority Date: 05/21/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

tracking traffic flow patterns in a network independent from any payload data in the flow;

comparing the traffic flow patterns with a set of predefined patterns; and

triggering an event responsive to a match between a subset of the traffic flow patterns and the predefined patterns.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system and machine accessible medium for pattern based network defense. The traffic flow in a network is tracked independently form the payload data in the flow. The traffic flow pattern is compared with a set of predefined malicious traffic patterns descriptions. An event is triggered responsive to a match between a subset of the traffic patterns and the predefined malicious traffic descriptions.

Citations

23 Claims

1. A method comprising:
- tracking traffic flow patterns in a network independent from any payload data in the flow;
  
  comparing the traffic flow patterns with a set of predefined patterns; and
  
  triggering an event responsive to a match between a subset of the traffic flow patterns and the predefined patterns.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein tracking traffic flow patterns further comprises:
    - receiving data in a predefined format via a plurality of networked communication devices, the predefined format containing information about traffic flow.
  - 3. The method of claim 1 further comprising:
    - tracking Network layer (Layer
      
      3) and Transport layer (Layer
      
      4) traffic in an Open System Interconnection (OSI) computer communication model.
  - 4. The method of claim 1, wherein comparing the traffic comprises:
    - uploading a plurality of malicious network traffic pattern definitions;
      
      accessing the tracked traffic flow; and
      
      scanning the tracked traffic for subsets which match the malicious traffic patterns.
  - 5. The method of claim 4, wherein scanning the tracked traffic comprises:
    - searching for an incremental call sequence; and
      
      counting a number of occurrences of a particular pattern in the tracked traffic responsive to finding the call sequence.
  - 6. The method of claim 5 wherein the incremental call sequence is one of an incremental host address call sequence or an incremental port number call sequence.
  - 7. The method of claim 4, wherein uploading a plurality of malicious network traffic patterns comprises:
    - reading a plurality of malicious traffic pattern descriptions from one of a file or a user interface entry;
      
      validating the syntax and semantics of the malicious traffic pattern descriptions; and
      
      activating the malicious traffic pattern descriptions.
  - 8. The method of claim 1, wherein triggering an event comprises:
    - triggering an event for automatic reaction against a detected network threat, the event comprising at least one of exporting information about detected malicious traffic, logging data related to the malicious traffic, sending notification to an administrator of an attacked node, blocking traffic from a host who generates the detected malicious traffic, closing an attacked port, additional algorithmic analyses.

9. A system comprising:
- an element to capture information about traffic flow;
  
  a data holder to retain traffic flow patterns independently from any payload data in the flow;
  
  an interface to receive malicious traffic patterns definitions;
  
  a comparator to compare the tracked traffic flow patterns with a set of the predefined patterns; and
  
  an interface to trigger an event in response to a match between a subset of the traffic flow patterns and the predefined patterns.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein a data holder comprises:
    - a data structure to receive and persist data in a predefined format about data flow from a plurality of networked communication devices.
  - 11. The system of claim 10, wherein the data structure receives and persist Network layer (Layer 3) and Transport layer (Layer 4).
  - 12. The system of claim 9, wherein the interface to receive malicious traffic patterns definitions further comprises:
    - an agent to read a plurality of malicious traffic patterns descriptions from one of a file and a user interface entry;
      
      a parser to validate a syntax and semantics of the malicious traffic patterns descriptions; and
      
      a data buffer to persists the patterns.
  - 13. The system of claim 9 wherein the comparator further comprises:
    - a sequence checker to identify incremental call sequence; and
      
      a counter to count the occurrences of a particular pattern in the tracked traffic flow.
  - 14. The system of claim 13 wherein the incremental call sequence is one of an incremental host address call sequence or an incremental port number call sequence.
  - 15. The system of claim 9, wherein the interface to trigger an event comprises:
    - an interface to trigger an event to automatically react to a detected network threat, the event comprising at least one of exporting information about detected malicious traffic, logging data related to the malicious traffic, sending notification to an administrator of an attacked node, blocking traffic from a host who generates the detected malicious traffic, closing an attacked port, or additional algorithmic analyses.

16. A machine accessible medium that provides instructions that, if executed by a machine, will cause the machine to execute operations comprising:
- tracking traffic flow patterns in a network independently from any payload data in the flow;
  
  comparing the traffic flow patterns with a set of predefined patterns; and
  
  triggering an event responsive to a match between a subset of the traffic flow patterns and the predefined patterns.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The machine accessible medium of claim 16, wherein tracking traffic flow patterns further comprises:
    - receiving data in a predefined format about data flow through a plurality of networked communication devices.
  - 18. The machine accessible medium of claim 16, further providing instructions that, if executed by the machine, will cause the machine to perform further operations, comprising:
    - tracking Network layer (Layer
      
      3) and Transport layer (Layer
      
      4) traffic in an Open System Interconnection (OSI) computer communication model.
  - 19. The machine accessible medium of claim 16, wherein comparing the traffic comprises:
    - uploading a plurality of malicious network traffic pattern definitions;
      
      accessing the tracked traffic flow; and
      
      scanning the tracked traffic for subsets which match the malicious traffic patterns.
  - 20. The machine accessible medium of claim 19, wherein scanning the tracked traffic comprises:
    - searching for an incremental call sequence; and
      
      counting a number of occurrences of a particular pattern in the tracked traffic.
  - 21. The machine accessible medium of claim 20 wherein the incremental call sequence is one of an incremental host address call sequence or an incremental port number call sequence.
  - 22. The machine accessible medium of claim 19, wherein uploading a plurality of malicious network traffic patterns comprises:
    - reading a plurality of malicious traffic pattern descriptions from one of a file or a user interface entry;
      
      validating the syntax and semantics of the malicious traffic pattern descriptions; and
      
      activating the malicious traffic pattern descriptions.
  - 23. The machine accessible medium of claim 16, wherein triggering an event comprises:
    - triggering an event for automatic reaction against a detected network threat, the event comprising at least one of exporting information about detected malicious traffic, logging data related to the malicious traffic, sending notification to an administrator of an attacked node, blocking traffic from a host who generates the detected malicious traffic, closing an attacked port, additional algorithmic analyses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP AG (SAP SE)
Original Assignee
SAP AG (SAP SE)
Inventors
Tsvetanov, Tsvetomir Iliev

Application Number

US11/838,812
Publication Number

US 20080295173A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

PATTERN-BASED NETWORK DEFENSE MECHANISM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

PATTERN-BASED NETWORK DEFENSE MECHANISM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links