ESCALATION SECURITY METHOD FOR USE IN SOFTWARE DEFINED NETWORKS

US 20150089566A1
Filed: 09/24/2013
Published: 03/26/2015
Est. Priority Date: 09/24/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for performing an escalation security policy in a software defined network (SDN), the method is being performed by a central controller of the SDN, comprising:

receiving at least one attack indication performed against at least one destination server;

upon determination, respective of at least one attack indication, that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server;

determining a risk state for a user of the each client;

obtaining an escalation security policy respective of the determined risk state of the user, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and

causing network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for performing an escalation security policy in a software defined network (SDN) includes receiving at least one attack indication performed against at least one destination server; upon determination that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server: determining a risk state for a user of the each client; obtaining an escalation security policy respective of the determined risk state of the user, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and causing network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action.

43 Citations

View as Search Results

27 Claims

1. A method for performing an escalation security policy in a software defined network (SDN), the method is being performed by a central controller of the SDN, comprising:
- receiving at least one attack indication performed against at least one destination server;
  
  upon determination, respective of at least one attack indication, that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server;
  
  determining a risk state for a user of the each client;
  
  obtaining an escalation security policy respective of the determined risk state of the user, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and
  
  causing network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, further comprising:
    - monitoring at least one of health and load of each of the security servers; and
      
      switching over to a redundant security server when a respective security server is determined to be nonfunctional or overloaded.
  - 3. The method of claim 2, further comprising:
    - load balancing clients'"'"' traffic among the security servers performing the same challenge action, when the respective security server is determined to be overloaded.
  - 4. The method of claim 1, further comprising checking the identity of the user using at least one of:
    - a source Internet protocol (IP) address of its respective client, application layer parameters, and an identity manager device.
  - 5. The method of claim 1, wherein diverting the incoming traffic further comprising:
    - diverting the incoming traffic to the security servers according to the order of execution of the sequence of the at least one action and the condition defined in the respective execution security policy.
  - 6. The method of claim 5, wherein the at least one condition defined in the escalation policy includes at least one of:
    - a status of the attack and a status of the at least one challenge action.
  - 7. The method of claim 6, further comprising:
    - selecting a first challenge action out of the at least one challenge action, wherein the first challenge action is selected respective of the risk state, the status of the attack, and a sequence order defined in the escalation security policy;
      
      selecting a security server out of the security servers configured to perform the first challenge action; and
      
      causing the network elements of the SDN to divert incoming traffic to the selected security server.
  - 8. The method of claim 7, further comprising:
    - checking the status of the first challenge action;
      
      selecting a second challenge action, when the status of the first challenge action indicates that the first challenge action has passed;
      
      selecting a security server out of the security servers configured to perform the second challenge action; and
      
      causing the network elements of the SDN to divert incoming traffic to the selected security server.
  - 9. The method of claim 8, wherein the second challenge action is more aggressive than the first challenge action.
  - 10. The method of claim 8, further comprising:
    - programing a peer network element to block the incoming traffic if the status of the challenge action indicates that any of the first and second challenge actions has failed during a predefined number of consecutive challenge attempts.
  - 11. The method of claim 8, further comprising:
    - computing a route from the each client to the at least one destination server, when the attack is mitigated and when the status of the challenge action indicates that any of the first and second challenge actions has passed; and
      
      diverting traffic to the at least one destination server over the computed route.
  - 12. The method of claim 5, wherein causing network elements of the SDN to divert incoming traffic from the each client to security servers further comprising:
    - at least one of;
      
      programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field; and
      
      configuring a flow table of each network element.
  - 13. The method of claim 12, wherein programming each network element in the SDN to forward a packet based on a diversion value further comprising:
    - instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the security servers, wherein each network element in the SDN receiving the packet with the marked diversion field is programmed to divert the packet to security servers.
  - 14. The method of claim 1, wherein the attack indication includes at least one of:
    - an attack alarm from an attack detection device, a high number of active connections, a high number of packets received per second, an indication that an incoming traffic is from an Internet Protocol (IP) address included in a black list, an indication received from a client authentication service, geo-analysis information, a type of content accessed by the client, and behavioral analysis.
  - 15. The method of claim 1, wherein the user risk state is assigned with a deterministic value.
  - 16. The method of claim 15, wherein the user risk state is determined based on a plurality of security risk indication parameters, wherein the security risk indication parameters include at least a pre-compiled list of trusted clients per IP address, a reputation score per IP address, a reputation score per geographical region, application layer parameters, a client unique identification token, the user identity, a client affiliation, a type of content accessed by the client, a challenge action result and behavioral analysis.
  - 17. The method of claim 1, wherein the at least one challenge action includes any one of:
    - a SYN cookie, a web redirect, a JavaScript redirect, and CAPTCHA.
  - 18. The method of claim 1, wherein the escalation security policy is realized through a state machine, wherein the central controller maintains at least one state machine for the each user.
  - 19. The method of claim 1, wherein the at least one peer network element is a network element of the SDN through which the incoming traffic addressed to the at least one destination server flows through.
  - 20. The method of claim 19, wherein an OpenFlow protocol is utilized for communication between the network elements and the central controller.
  - 21. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the computerized method according to claim 1.

22. A system for performing an escalation security policy in a software defined network (SDN), comprising:
- a processor;
  
  a network-interface module for communicating with the SDN;
  
  a memory connected to the processor and configured to contain a plurality of instructions that when executed by the processor configure the system to;
  
  receive at least one attack indication performed against at least one destination server;
  
  upon determination, respective of at least one attack indication, that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server;
  
  determine a risk state for a user of the each client;
  
  obtain an escalation security policy respective of the determined user risk state, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and
  
  cause network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action.
- View Dependent Claims (23)
- - 23. The system of claim 22, wherein the network-interface module is configured to interface with the SDN through a SDN network controller, wherein the SDN network controller is configured to communicate and program network elements of the SDN.

24. A system for performing an escalation security policy in a software defined network (SDN), comprising:
- a network-interface module for communicating with the SDN;
  
  a system-interface for receiving at least one attack indication performed against at least one destination server;
  
  an escalation module for determining whether an attack is being performed against the at least one destination server, wherein upon determination of that the attack is being perform, the escalation module is configured to;
  
  determine a risk state for a user for the each client sending traffic to the at least one destination server;
  
  obtain an escalation security policy respective of the determined user risk state, wherein the escalation security policy defines a sequence of at least one challenge action for challenging the each client, an order and at least one condition for execution of the sequence of at least one challenge action; and
  
  a diversion module for causing network elements of the SDN to divert incoming traffic from the each client to security servers connected to the SDN and configured to perform the at least one challenge action.
- View Dependent Claims (25, 26, 27)
- - 25. The system of claim 24, wherein the network-interface module is configured to interface with the SDN through a SDN network controller, wherein the SDN network controller is configured to communicate and program network elements of the SDN.
  - 26. The system of claim 24, wherein the system interface is configured to interface with an external system, wherein the external system is any one of an attack detection tool and an identity manager device.
  - 27. The system of claim 25, wherein an OpenFlow protocol is utilized for communication between the network elements and any of at least one of the SDN network controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
CHESLA, Avi

Application Number

US14/035,367
Publication Number

US 20150089566A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

ESCALATION SECURITY METHOD FOR USE IN SOFTWARE DEFINED NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

ESCALATION SECURITY METHOD FOR USE IN SOFTWARE DEFINED NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links