SYSTEMS AND METHODS FOR SELF-TUNING NETWORK INTRUSION DETECTION AND PREVENTION

US 20150033340A1
Filed: 07/23/2014
Published: 01/29/2015
Est. Priority Date: 07/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method of mitigating intrusions via a computer network, comprising:

identifying, by a vulnerability assessment tool, a current vulnerability of a private network;

determining, by the vulnerability assessment tool, a signature of an attack configured to exploit the current vulnerability;

comparing, by a network security device, the signature with active and inactive signatures stored in a signature repository to identify an inactive signature corresponding to the signature of the attack configured to exploit the current vulnerability;

automatically activating, by the network security device responsive to the comparison, the identified inactive signature; and

using, by an intrusion detector, the activated signature to analyze data packets received via the private network to detect an exploits.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method of the present disclosure are directed to a network security tool. In some embodiments, the tool identifies a current vulnerability of a private network. The tool can determine a signature of an attack configured to exploit the current vulnerability. The tool can comparing the signature with active and inactive signatures stored in a signature repository. The tool can compare the signatures to identify an inactive signature corresponding to the signature of the attack configured to exploit the current vulnerability. The tool can automatically activate, responsive to the comparison, the identified inactive signature. The tool can use the activated signature to identify an exploit based on data packets received via the private network.

Citations

20 Claims

1. A method of mitigating intrusions via a computer network, comprising:
- identifying, by a vulnerability assessment tool, a current vulnerability of a private network;
  
  determining, by the vulnerability assessment tool, a signature of an attack configured to exploit the current vulnerability;
  
  comparing, by a network security device, the signature with active and inactive signatures stored in a signature repository to identify an inactive signature corresponding to the signature of the attack configured to exploit the current vulnerability;
  
  automatically activating, by the network security device responsive to the comparison, the identified inactive signature; and
  
  using, by an intrusion detector, the activated signature to analyze data packets received via the private network to detect an exploits.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - identifying, by the vulnerability assessment tool, a second active signature stored in the signature repository;
      
      obtaining, by the network security device, a plurality of signatures corresponding to one or more active vulnerabilities of the private network;
      
      automatically deactivating, by the network security device, the second signature responsive to the second signature being absent from the plurality of signatures corresponding to the one or more active vulnerabilities of the private network.
  - 3. The method of claim 1, further comprising:
    - continuously monitoring network traffic of the private network via one or more activity logs;
      
      identifying, based on the monitoring, a second current vulnerability of the private network;
      
      determining a second signature of a second attack configured to exploit the second current vulnerability;
      
      comparing the second signature with the active and inactive signatures stored in the signature repository;
      
      determining, based on the comparison, that the second signature corresponds to an active signature stored in the signature repository; and
      
      using, by the intrusion detector, the active signature corresponding to the second signature to identify a second exploit based on data packets received via the private network.
  - 4. The method of claim 1, further comprising:
    - identifying a plurality of current vulnerabilities of the private network;
      
      identifying a plurality of signatures corresponding to the plurality of current vulnerabilities;
      
      comparing the plurality of signatures with the active and inactive signatures stored in the signature repository;
      
      automatically activating, responsive to the comparison, inactive signatures stored in the signature repository that correspond to the plurality of signatures; and
      
      automatically deactivating, responsive to the comparison, active signatures stored in the signature repository that do not correspond to the plurality of signatures.
  - 5. The method of claim 1, further comprising:
    - receiving an indication that the current vulnerability is resolved; and
      
      automatically deactivating, responsive to the indication, the signature corresponding to the current vulnerability.
  - 6. The method of claim 1, further comprising:
    - using a fuzzy logic algorithm to determine the signature of the attack configured to exploit the current vulnerability.
  - 7. The method of claim 1, further comprising:
    - identifying a second current vulnerability of the private network;
      
      determining a second signature of a second attack configured to exploit the second current vulnerability;
      
      comparing the second signature with the active and inactive signatures stored in the signature repository;
      
      determining, based on the comparison, that the second signature does not correspond to active or inactive signatures stored in the signature repository; and
      
      automatically generating, based on the comparison, a new signature based on the second signature; and
      
      activating and storing the new signature in the signature repository for use by the intrusion detector.
  - 8. The method of claim 1, wherein the signature comprises an attack pattern.
  - 9. The method of claim 1, further comprising:
    - receiving a plurality of logs of network activity associated with computing devices of the protected network; and
      
      determining, based on the plurality of logs, a pattern indicative of a signature of an attack.
  - 10. The method of claim 1, further comprising:
    - monitoring, by the intrusion detector, the data packets of the private network to identify the exploit based on the active signature corresponding to the second signature;
      
      responsive to identifying the second exploit, generating an alert; and
      
      providing the alert to an administrator device of the private network.
  - 11. The method of claim 1, further comprising:
    - obtaining, via a public network, updates on current vulnerabilities established by a plurality of users of the public network.

12. A system for mitigating intrusions via a computer network, comprising:
- a vulnerability assessment tool configured to identify a current vulnerability of a private network and determine a signature of an attack configured to exploit the current vulnerability;
  
  a network security device configured to;
  
  compare the signature with active and inactive signatures stored in a signature repository to identify an inactive signature corresponding to the signature of the attack configured to exploit the current vulnerability;
  
  automatically activate, responsive to the comparison, the identified inactive signature; and
  
  deactivate, responsive to the comparison, an active signature stored in the signature repository that does not correspond to the signature of the attack configured to exploit the current vulnerability; and
  
  an intrusion detector configured to use the activated signature to identify an exploit based on data packets received via the private network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein:
    - the vulnerability assessment tool is further configured to identify a second current vulnerability of the private network and determine a second signature of a second attack configured to exploit the second current vulnerability;
      
      the network security device is further configured to;
      
      compare the second signature with the active and inactive signatures stored in the signature repository;
      
      determine, based on the comparison, that the second signature corresponds to an active signature stored in the signature repository; and
      
      the intrusion detector is further configured to use the active signature corresponding to the second signature to identify a second exploit based on data packets received via the private network.
  - 14. The system of claim 12, wherein:
    - the vulnerability assessment tool is further configured to identify a plurality of current vulnerabilities of the private network and identify a plurality of signatures corresponding to the plurality of current vulnerabilities; and
      
      the network security device is further configured to;
      
      compare the plurality of signatures with the active and inactive signatures stored in the signature repository;
      
      automatically activate, responsive to the comparison, inactive signatures stored in the signature repository that correspond to the plurality of signatures; and
      
      automatically deactivate, responsive to the comparison, active signatures stored in the signature repository that do not correspond to the plurality of signatures.
  - 15. The system of claim 12, further configured to:
    - receive an indication that the current vulnerability is resolved; and
      
      automatically deactivate, responsive to the indication, the signature corresponding to the current vulnerability.
  - 16. The system of claim 12, wherein the vulnerability assessment tool is further configured to:
    - use a fuzzy logic algorithm to determine the signature of the attack configured to exploit the current vulnerability.
  - 17. The system of claim 12, wherein:
    - the vulnerability assessment tool is further configured to identify a second current vulnerability of the private network and determine a second signature of a second attack configured to exploit the second current vulnerability; and
      
      the network security device is further configured to;
      
      compare the second signature with the active and inactive signatures stored in the signature repository;
      
      determine, based on the comparison, that the second signature does not correspond to active or inactive signatures stored in the signature repository; and
      
      automatically generate, based on the comparison, a new signature based on the second signature; and
      
      activate and store the new signature in the signature repository for use by the intrusion detector.
  - 18. The system of claim 12, wherein the signature comprises an attack pattern.
  - 19. The system of claim 12, wherein the vulnerability assessment tool is further configured to:
    - receive a plurality of logs of network activity associated with computing devices of the protected network; and
      
      determine, based on the plurality of logs, a pattern indicative of a signature of a attack.
  - 20. The system of claim 12, wherein the intrusion detector is further configured to:
    - monitor the data packets of the private network to identify the exploit based on the active signature corresponding to the second signature;
      
      responsive to identifying the second exploit, generate an alert; and
      
      provide the alert to an administrator device of the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crypteia Networks S.A. (PCCW Limited)
Original Assignee
Crypteia Networks S.A. (PCCW Limited)
Inventors
Giokas, Ioannis

Granted Patent

US 9,319,425 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

SYSTEMS AND METHODS FOR SELF-TUNING NETWORK INTRUSION DETECTION AND PREVENTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SELF-TUNING NETWORK INTRUSION DETECTION AND PREVENTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links