METHOD AND DEVICE FOR PREDICTING NETWORK ATTACK ACTION

US 20090307777A1
Filed: 07/16/2008
Published: 12/10/2009
Est. Priority Date: 07/16/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for predicting a network attack action, comprising:

monitoring a network status parameter and obtaining information of an attack action according to a change of the network status parameter;

selecting a subsequent attack action which has a most possibility to happen from a plurality of subsequent attack actions based on the attack action according to a correspondence between the attack action and the plurality of subsequent attack actions, the subsequent attack action which has a likelihood of occurrence having a largest occurrence number among the plurality of subsequent attack actions corresponding to the attack action; and

outputting the subsequent attack action which has a likelihood of occurrence as a predicted network attack action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for predicting a network attack action, including: monitoring a network status parameter and obtaining information of an attack action according to a change of the network status parameter; selecting a subsequent attack action which has a most possibility to happen from a plurality of subsequent attack actions of the attack action according to a correspondence between the attack action and the plurality of subsequent attack actions, the subsequent attack action which has the most possibility to happen being a subsequent attack action with a largest occurrence number among the subsequent attack actions corresponding to the attack action; and outputting the subsequent attack action which has the most possibility to happen as a predicted network attack action. A device for predicting a network attack action including an attack action management unit is also provided. The present invention describes the attack action procedure and the relation among attack actions during the attack action procedure and provides a network pre-warning method for determining which action is to be taken.

Citations

12 Claims

1. A method for predicting a network attack action, comprising:
- monitoring a network status parameter and obtaining information of an attack action according to a change of the network status parameter;
  
  selecting a subsequent attack action which has a most possibility to happen from a plurality of subsequent attack actions based on the attack action according to a correspondence between the attack action and the plurality of subsequent attack actions, the subsequent attack action which has a likelihood of occurrence having a largest occurrence number among the plurality of subsequent attack actions corresponding to the attack action; and
  
  outputting the subsequent attack action which has a likelihood of occurrence as a predicted network attack action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according claim 1, further comprising, if the attack action is a single attack action, searching the subsequent attack action which has a likelihood of occurence from the plurality of subsequent attack actions based on the attack action.
  - 3. The method according to claim 1, further comprising, if the attack action comprises a plurality of possible attack actions, searching a common subsequent attack action among the plurality of possible attack actions which has a likelihood of occurrence.
  - 4. The method according to claim 1, after outputting the subsequent attack action which has a likelihood of occurrence as the predicted network attack action, further comprising,blocking the subsequent attack action which has a likelihood of occurrence;
    - if the process of blocking the subsequent attack action which has a likelihood of occurrence is successful, increasing the occurrence number of an attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence;
      
      if the process of blocking the subsequent attack action which has a likelihood of occurrence is failed, decreasing the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence.
  - 5. The method according to claim 1, wherein, increasing or decreasing the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence comprises:
    - if the attack action is a single attack action which is uniquely determined, increasing or decreasing the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence by 1;
      
      if the attack action is one of a plurality of possible attack actions, increasing or decreasing a possibility coefficient of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence by β
      
      /k, β
      
      ranging from 0 to 1 and k being the number of the possible attack actions.
  - 6. The method according to claim 1, before monitoring the network status parameter, further comprising,establishing a correspondence among a name of the attack action, a state of the attack action and a subsequent attack action of the attack action;
    - andestablishing a correspondence among a name of the subsequent attack action, a state of the subsequent attack action, an occurrence number of an attack sequence from the attack action to the subsequent attack action and a policy for blocking the subsequent attack action which has a likelihood of occurrence.
  - 7. The method according to claim 6, after establishing the correspondence, further comprising,judging whether the occurrence number of the attack sequence from the attack action to the subsequent attack action is less than a weight threshold;
    - if the occurrence number of the attack sequence from the attack action to the subsequent attack action is less than the weight threshold, masking the subsequent attack action and a connection from the attack action to the subsequent attack action.
  - 8. The method according to claim 7, comprising, if a previous attack action of a masked subsequent attack action happens, canceling a masking for the masked subsequent attack action and canceling a masking for the connection from the previous attack action to all subsequent attack action of the previous attack action.

9. A device for predicting a network attack action, comprising:
- an attack action management unit adapted to detect a change of a network status parameter, search attack action information according to the change of the network status parameter, and predict a subsequent attack action which has a most possibility to happen from a plurality of subsequent attack actions corresponding to an attack action, according to a correspondence between the attack action and the plurality of subsequent attack actions of the attack action.
- View Dependent Claims (10, 11, 12)
- - 10. The device according to claim 9, further comprising,a warning unit, adapted to block the subsequent attack action which has a likelihood of occurrence predicted by the attack action management unit and update an occurrence number of an attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence.
  - 11. The device according to claim 9, wherein, the warning unit comprises:
    - a response subunit, adapted to block the subsequent attack action; and
      
      a weight management subunit, adapted to update the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence.
  - 12. The device according to claim 11, wherein, the weight management subunit updates the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence,if the response unit successfully blocks the subsequent attack action which has a likelihood of occurrence, the weight management subunit increases the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence;
    - if the response unit fails to block the subsequent attack action which has a likelihood of occurrence, the weight management subunit decreases the occurrence number of the attack sequence from the attack action to the subsequent attack action which has a likelihood of occurrence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Wang, Bo, Zhang, Fengli, Zheng, Niejun, Cao, Zhenqi, Lu, Changyi, Zhang, Chengwei, Fu, Chong, He, Xinggao, Wang, Dunquan

Application Number

US12/174,335
Publication Number

US 20090307777A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

METHOD AND DEVICE FOR PREDICTING NETWORK ATTACK ACTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR PREDICTING NETWORK ATTACK ACTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links