Applying blocking measures progressively to malicious network traffic
First Claim
Patent Images
1. A method of responding progressively to penetrations relating to attacks occurring in time intervals during which no appropriate blocking measure is active, said method comprising:
- applying a blocking measure or suspending the blocking measure in accordance with a state B(t) of the blocking measure at time t for discrete values of t which are integer multiples of a time interval Dt, said discrete values of t representing t=0, Dt, 2*Dt, . . . , J*Dt, wherein J is a positive integer equal to or greater than 2;
wherein if B(t)=1 then the blocking measure is applied and if B(t)=0 then the blocking measure is suspended;
wherein A(t)=1 if an attack has occurred during a time interval Dt immediately preceding time t and A(t)=0 otherwise;
wherein N(t)=A(t)*(1−
B(t));
wherein S(t) is a time stamp indicating the absolute start time of a most recent sequence of time values with consecutive application of the blocking measure;
wherein K(t) is a count of the number of times, within a present epoch of consecutive detections of network anomaly, that the blocking measure has been suspended and then re-applied in response to detection of a persistent network anomaly;
wherein P(t) is a duration of the blocking measure and is a non-decreasing function of K(t);
wherein a specified positive integer L is a maximum permitted value of K(t);
wherein t=0 is a time prior to execution of a loop of J iterations denoted as iterations 1, 2, . . . , J;
wherein at t=0, B(0)=1, A(0)=1, S(0)=0, K(0)=0, and P(0)=P0=I*Dt, wherein I is a positive integer;
wherein B(t), S(t), and K(t) are iteratively computed during execution of the loop such that in each iteration;
B(t+Dt)=N(t)*(1−
B(t))+(1−
N(t)*(1−
B(t)))*if(t+Dt−
S(t)<
P(t) then 1, else
0),
S(t+Dt)=B(t+Dt)*(1−
B(t))*(t+Dt−
S(t))+S(t),
K(t+DT)=min{L,N(t)*(K(t)+1)+(1−
N(t))*B(t)*K(t)},
t=t+DT after B(t+Dt), S(t+Dt), and K(t+Dt) have been determined.
2 Assignments
0 Petitions
Accused Products
Abstract
A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.
319 Citations
10 Claims
-
1. A method of responding progressively to penetrations relating to attacks occurring in time intervals during which no appropriate blocking measure is active, said method comprising:
-
applying a blocking measure or suspending the blocking measure in accordance with a state B(t) of the blocking measure at time t for discrete values of t which are integer multiples of a time interval Dt, said discrete values of t representing t=0, Dt, 2*Dt, . . . , J*Dt, wherein J is a positive integer equal to or greater than 2; wherein if B(t)=1 then the blocking measure is applied and if B(t)=0 then the blocking measure is suspended; wherein A(t)=1 if an attack has occurred during a time interval Dt immediately preceding time t and A(t)=0 otherwise; wherein N(t)=A(t)*(1−
B(t));wherein S(t) is a time stamp indicating the absolute start time of a most recent sequence of time values with consecutive application of the blocking measure; wherein K(t) is a count of the number of times, within a present epoch of consecutive detections of network anomaly, that the blocking measure has been suspended and then re-applied in response to detection of a persistent network anomaly; wherein P(t) is a duration of the blocking measure and is a non-decreasing function of K(t); wherein a specified positive integer L is a maximum permitted value of K(t); wherein t=0 is a time prior to execution of a loop of J iterations denoted as iterations 1, 2, . . . , J; wherein at t=0, B(0)=1, A(0)=1, S(0)=0, K(0)=0, and P(0)=P0=I*Dt, wherein I is a positive integer; wherein B(t), S(t), and K(t) are iteratively computed during execution of the loop such that in each iteration;
B(t+Dt)=N(t)*(1−
B(t))+(1−
N(t)*(1−
B(t)))*if(t+Dt−
S(t)<
P(t) then 1, else
0),
S(t+Dt)=B(t+Dt)*(1−
B(t))*(t+Dt−
S(t))+S(t),
K(t+DT)=min{L,N(t)*(K(t)+1)+(1−
N(t))*B(t)*K(t)},
t=t+DT after B(t+Dt), S(t+Dt), and K(t+Dt) have been determined. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeTrend Micro Inc.
-
Original AssigneeInternational Business Machines Corporation
-
InventorsJeffries, Clark Debs, Danford, Robert William, Farmer, Kenneth M., Sisk, Robert B., WALTER, MICHAEL A.
-
Primary Examiner(s)Moise, Emmanuel L.
-
Assistant Examiner(s)Davis, Zachary A.
-
Application NumberUS10/442,008Publication NumberTime in Patent Office1,666 DaysField of Search726/2, 726/3, 726/4, 726/11, 726/21, 726/22, 726/23, 726/25, 726/26, 709/224, 709/225, 709/229US Class Current726/23CPC Class CodesH04L 63/1458 Denial of Service
