System and Method for Identification and Blocking of Unwanted Network Traffic

US 20150222652A1
Filed: 04/13/2015
Published: 08/06/2015
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;

receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;

determining a source of the network traffic that triggered the first alert and the second alert;

grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;

assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;

generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol (IP) address associated with the first alert; and

providing the undesired source database to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the first IP address.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic can be prevented from entering a protected network. An alert can be received that can be triggered by network traffic that matches at least one signature that is associated with undesired network behavior. A source of the network traffic that triggered the alert can be determined, and network traffic that originates from the source can be blocked. Blocking the source can include assigning a determination to the alert. It can then be determined whether network traffic from the source should be blocked based on the determination. The source can then be provided to the protected network such that a network device coupled to the protected network can be configured to block network traffic that originates from the source.

22 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
  
  receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
  
  determining a source of the network traffic that triggered the first alert and the second alert;
  
  grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
  
  assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
  
  generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol (IP) address associated with the first alert; and
  
  providing the undesired source database to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the first IP address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein generating the entry further comprises:
    - determining that a second IP address associated with the second alert is a spoofed IP address; and
      
      disregarding the second IP address from the undesired source database in response to determining that the second IP address is a spoofed IP address.
  - 3. The method of claim 1, wherein generating the entry further comprises:
    - determining that traffic associated with the second alert is a Universal Datagram Protocol (UDP) traffic; and
      
      disregarding a second IP address associated with the second alert in response to determining that the traffic UDP traffic.
  - 4. The method of claim 1, wherein generating the entry further comprises:
    - determining that the first IP address is associated with a geolocation, wherein the first IP address in included in the entry in response to determining that the first IP address is associated with the geolocation.
  - 5. The method of claim 1, wherein generating the entry further comprises:
    - determining that the alert group includes more than a predetermined number of reconnaissance activities; and
      
      determining that the first IP address is associated with a reconnaissance activity, wherein the first IP address in included in the entry in response to determining that the alert group includes more than the predetermined number of reconnaissance activities.
  - 6. The method of claim 1, wherein generating the entry further comprises:
    - determining that the alert group includes more than a predetermined number of alerts from matched signatures received by a predetermined number of target devices in a predetermined period of time.
  - 7. The method of claim 6, further comprising:
    - determining that the generating of the entry resulted in an excess number of entries in the undesired source database; and
      
      increasing at least one of the predetermined number of alerts, the predetermined number of target devices, and the predetermined period of time.
  - 8. The method of claim 6, further comprising:
    - determining that the undesired source database includes an insufficient number of entries; and
      
      decreasing at least one of the predetermined number of alerts, the predetermined number of target devices, and the predetermined period of time.

9. A system comprising:
- an alert analysis facility that;
  
  receives alerts from a plurality of intrusion detection systems, the alerts being associated with network traffic comprising a source Internet Protocol (IP) address;
  
  groups the alerts into an alert group based upon a common characteristic between the alerts; and
  
  assigns a determination to the alerts group, the determination indicating a threat level associated with the alert group;
  
  an engine that;
  
  receives the alert group from the alert analysis facility; and
  
  determines whether to block traffic originating from a first Internet Protocol (IP) address associated with a first alert; and
  
  an undesired source database that adds an entry that includes the IP address in response to determining to block the traffic; and
  
  a distribution facility that distributes the database to the intrusion detection systems.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the engine further:
    - determines that a second IP address associated with a second alert is a spoofed IP address; and
      
      disregards the second IP address in response to determining that the second IP address is a spoofed IP address.
  - 11. The system of claim 9, wherein the engine further:
    - determines that traffic associated with the second alert is a Universal Datagram Protocol (UDP) traffic; and
      
      disregards a second IP address associated with the second alert in response to determining that the traffic UDP traffic.
  - 12. The system of claim 9, wherein the engine further:
    - determines that the first IP address is associated with a geolocation; and
      
      determines to block the traffic in response to determining that the first IP address is associated with the geolocation.
  - 13. The system of claim 9, wherein the engine further:
    - determines that the alert group includes more than a predetermined number of reconnaissance activities; and
      
      determines that the first IP address is associated with a reconnaissance activity; and
      
      determines to block the traffic in response determining that the alert group includes more than the predetermined number of reconnaissance activities.
  - 14. The method of claim 9, wherein the engine further:
    - determines that the alert group includes more than a predetermined number of alerts from matched signatures received by a predetermined number of target devices in a predetermined period of time; and
      
      determines to block the traffic in response determining that the alert group includes more than the predetermined number of alerts by the predetermined number of target devices in the predetermined period of time.
  - 15. The method of claim 14, wherein the engine further:
    - determines that the generating of the entry resulted in an excess number of entries in the undesired source database; and
      
      increases at least one of the predetermined number of alerts, the predetermined number of target devices, and the predetermined period of time.
  - 16. The method of claim 14, wherein the engine further:
    - determines that the undesired source database includes an insufficient number of entries; and
      
      decreases at least one of the predetermined number of alerts, the predetermined number of target devices, and the predetermined period of time.

17. A non-transitory computer-readable medium encoded with computer-executable instructions for performing a method, the method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
  
  receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
  
  determining a source of the network traffic that triggered the first alert and the second alert;
  
  grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
  
  assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
  
  generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol (IP) address associated with the first alert; and
  
  providing the undesired source database to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the first IP address.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein in generating the entry the method further comprises:
    - determining that a second IP address associated with the second alert is a spoofed IP address; and
      
      disregarding the second IP address from the undesired source database in response to determining that the second IP address is a spoofed IP address.
  - 19. The computer-readable medium of claim 17, wherein in generating the entry the method further comprises:
    - determining that traffic associated with the second alert is a Universal Datagram Protocol (UDP) traffic; and
      
      disregarding a second IP address associated with the second alert in response to determining that the traffic UDP traffic.
  - 20. The computer-readable medium of claim 17, wherein in generating the entry the method further comprises:
    - determining that the first IP address is associated with a geolocation, wherein the first IP address in included in the entry in response to determining that the first IP address is associated with the geolocation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Ramsey, Jon R., Banerjee, Uday, Haber, Wayne Howard, Hubbard, Michael Joseph

Granted Patent

US 9,338,180 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 16/24575   using context

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

System and Method for Identification and Blocking of Unwanted Network Traffic

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Identification and Blocking of Unwanted Network Traffic

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links