PROACTIVE NETWORK ATTACK DEMAND MANAGEMENT

US 20090077632A1
Filed: 09/19/2007
Published: 03/19/2009
Est. Priority Date: 09/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request over a network for a network resource;

applying one or more attack detection rules to the received request;

ignoring the request if the request is part of a detected attack;

segregating the request to a virtual local area network if the request is suspected to be part of an attack; and

servicing the request from the virtual local area network utilizing resources segregated to the virtual local area network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments described and illustrated herein provide one or more of systems, methods, software, and firmware to handle attack generated demand proactively using distributed virtualization. One goal of some such embodiments is to provide a time window of stable operational response within which an intrusion detection system may detect an attack and/or cause a countermeasure against the attacks to be activated. Demand excursions which are not caused by an attack are supported during the variability of demand providing transparent response to legitimate users of the system. These embodiments, and others, are described in greater detail below.

36 Citations

View as Search Results

15 Claims

1. A method comprising:
- receiving a request over a network for a network resource;
  
  applying one or more attack detection rules to the received request;
  
  ignoring the request if the request is part of a detected attack;
  
  segregating the request to a virtual local area network if the request is suspected to be part of an attack; and
  
  servicing the request from the virtual local area network utilizing resources segregated to the virtual local area network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the network is the Internet.
  - 3. The method of claim 1, wherein the resources segregated to the virtual local area network include:
    - one or more virtual machines instantiated on demand as needed to service requests suspected to be a part of one or more identified potential attacks.
  - 4. The method of claim 3, wherein each of the one or more virtual machines includes a server process operating within the virtual machine to service requests.
  - 5. The method of claim 1, wherein one attack detection rule includes:
    - a threshold level, which when reached, causes requests to be classified as part of a specific suspected attack; and
      
      an action rule, the application of which specifies how to handle the request classified as part of the specific suspected attack.
  - 6. The method of claim 1, wherein if a number of requests for a particular network resource reaches a saturation point, subsequent requests for the particular network resource are ignored.
  - 7. The method of claim 6, wherein the saturation point is a number of requests the virtual local area network is able to service over a particular period.

8. A system comprising:
- partitionable processor resources;
  
  a first network interface couplable to a first network;
  
  a second network interface couplable to a second network;
  
  a classification engine operable on one or more of the partitionable processor resources to;
  
  receive network resource requests over the first network interface for resources accessible via the second network interface;
  
  apply one or more attack detection rules to each received resource request to classify each resource request as an attack request, a suspected attack request, or a normal request;
  
  upon first detection of a suspected attack resource request, instantiate a virtual network over the second network interface, the virtual network including one or more virtual machines instantiated on the second network, the virtual machines including processes operative to service the suspect attack resource request; and
  
  sequester the suspect attack resource request and subsequently identified suspect attack resource requests to the virtual network.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the first and second network interfaces are a single network interface couplable to a network capable of carrying network traffic of two or more networks.
  - 10. The system of claim 8, wherein the classification engine is further operable to:
    - instantiate further virtual machines as needed to fulfill suspected attack requests.
  - 11. The system of claim 8, wherein the classification engine is further operable to:
    - send data to a suspected attack analytic processes;
      
      receive data from the suspected attack analytic processes that suspected attack requests are either actually an attack or not an attack.
  - 12. The system of claim 11, wherein if data received from the suspected attack analytic processes indicate that a suspected attack is an attack, the classification engine ignores subsequent requests classified as part of the attack.
  - 13. The system of claim 11, wherein if data received from the suspected attack analytic processes indicate that a suspected attack is not an attack, the classification causes subsequently received requests to be serviced without sequestering.
  - 14. The system of claim 8, wherein the classification engine counts resource requests over a period and classifies requests for multiple resources available over the second network interface.
  - 15. The system of claim 14, wherein the classification engine identifies suspect attacks when requests for a particular resource reach or exceed a threshold amount over the period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Carpenter, Robert, Li, Hong

Granted Patent

US 9,088,605 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 47/125   by balancing the load, e.g....

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 67/10   in which an application is ...

PROACTIVE NETWORK ATTACK DEMAND MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

PROACTIVE NETWORK ATTACK DEMAND MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links