System and Method for Identification and Blocking of Unwanted Network Traffic
Abstract
Network traffic can be prevented from entering a protected network. An alert can be received that can be triggered by network traffic that matches at least one signature that is associated with undesired network behavior. A source of the network traffic that triggered the alert can be determined, and network traffic that originates from the source can be blocked. Blocking the source can include assigning a determination to the alert. It can then be determined whether network traffic from the source should be blocked based on the determination. The source can then be provided to the protected network such that a network device coupled to the protected network can be configured to block network traffic that originates from the source.
Claims (20)

1. A method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
- receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
- determining a source of the network traffic that triggered the first alert and the second alert;
- grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
- assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
- generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol (IP) address associated with the first alert; and
- providing the undesired source database to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the first IP address.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system comprising:
- an alert analysis facility that: receives alerts from a plurality of intrusion detection systems, the alerts being associated with network traffic comprising a source Internet Protocol (IP) address; groups the alerts into an alert group based upon a common characteristic between the alerts; and assigns a determination to the alert group, the determination indicating a threat level associated with the alert group;
- an engine that: receives the alert group from the alert analysis facility; and determines whether to block traffic originating from a first Internet Protocol (IP) address associated with a first alert;
- an undesired source database that adds an entry that includes the IP address in response to determining to block the traffic; and
- a distribution facility that distributes the database to the intrusion detection systems.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable medium encoded with computer-executable instructions for performing a method, the method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
- receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
- determining a source of the network traffic that triggered the first alert and the second alert;
- grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
- assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
- generating an entry in an undesired source database based on the alert group, the entry comprising a first Internet Protocol (IP) address associated with the first alert; and
- providing the undesired source database to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the first IP address.

Dependent claims: 18, 19, 20.
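The claimed workflow (alerts from several intrusion detection systems, grouping by a common characteristic, a threat-level determination, an undesired source database, and distribution back to the sensors) as an added illustration; this is example code written for this page, not an implementation from the patent or its assignee. The alert feed, the grouping key (signature plus source IP) and the threat-level thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed alert feed: (reporting IDS, matched signature, source IP).
# Two protected networks, each with its own IDS sensor.
ALERTS = [
    ("ids-net1", "SIG-1001", "198.51.100.7"),
    ("ids-net2", "SIG-1001", "198.51.100.7"),   # same signature seen by both networks
    ("ids-net1", "SIG-2002", "203.0.113.9"),
    ("ids-net1", "SIG-2002", "203.0.113.9"),    # repeated, but only one network
    ("ids-net2", "SIG-3003", "192.0.2.44"),     # single alert
]

RANK = {"low": 0, "medium": 1, "high": 2}

def group_alerts(alerts):
    """Alert analysis facility: group alerts on the common characteristic
    (signature, source IP) and record which IDS reported each member."""
    groups = defaultdict(list)
    for ids, sig, src in alerts:
        groups[(sig, src)].append(ids)
    return groups

def assign_determination(reporters):
    """Assumed threat-level policy (not from the patent): 'high' when the same
    signature and source were seen by two or more protected networks, 'medium'
    when one network saw it more than once, 'low' for a single alert."""
    if len(set(reporters)) >= 2:
        return "high"
    if len(reporters) >= 2:
        return "medium"
    return "low"

def build_undesired_source_db(alerts, block_levels=("high", "medium")):
    """Engine: decide per group whether to block; return {source_ip: level}.
    If one IP appears under several signatures, keep its highest level."""
    db = {}
    for (_sig, src), reporters in group_alerts(alerts).items():
        level = assign_determination(reporters)
        if level in block_levels and (src not in db or RANK[level] > RANK[db[src]]):
            db[src] = level
    return db

def distribute(db, ids_names):
    """Distribution facility: every IDS receives the same set of sources to block."""
    return {ids: set(db) for ids in ids_names}

def should_block(blocklist, src_ip):
    """What each IDS does with the distributed database for a new packet."""
    return src_ip in blocklist
```

With the constructed feed, the source seen by both networks becomes a high-confidence entry, the source repeated inside one network a medium one, and the single alert stays out of the database, so a sensor that never saw the first source still blocks it once the database is distributed.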