Network security system integration

US 7,359,962 B2
Filed: 04/30/2002
Issued: 04/15/2008
Est. Priority Date: 04/30/2002
Status: Active Grant

First Claim

Patent Images

1. A protection system for a first network of machines/hosts, comprising:

a network discovery functionality which scans the first network to identify components present in the first network and their properties;

a management agent which receives a detection signature for a type of attack pertinent to a certain component and/or certain property, the management agent operating to query the network discovery functionality to determine whether the certain component and/or the certain property are among the identified components and/or properties present in the first network and, if so, instantiate the detection signature for that type of attack and otherwise not instantiate the detection signature in order to minimize false detection;

a traffic inspection agent that analyzes network traffic passing from a second network of machines/hosts into the first network of machines/hosts in view of instantiated detection signatures to identify passing content that is potentially harmful to the first network and issue alerts;

a network entrance sentry coupled to receive the network traffic from the traffic inspection agent and which operates to prevent unauthorized access to the first network;

an interlocking functionality supporting delivery of the traffic inspection agent issued alerts to the network entrance sentry; and

the network entrance sentry further operating responsive to the traffic inspection agent issued alert to block the identified passing content that is potentially harmful to the first network from entering the first network.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network discovery functionality, intrusion detector functionality and firewalling functionality are integrated together to form a network security system presenting a self-deploying and self-hardening security defense for a network.

126 Citations

View as Search Results

40 Claims

1. A protection system for a first network of machines/hosts, comprising:
- a network discovery functionality which scans the first network to identify components present in the first network and their properties;
  
  a management agent which receives a detection signature for a type of attack pertinent to a certain component and/or certain property, the management agent operating to query the network discovery functionality to determine whether the certain component and/or the certain property are among the identified components and/or properties present in the first network and, if so, instantiate the detection signature for that type of attack and otherwise not instantiate the detection signature in order to minimize false detection;
  
  a traffic inspection agent that analyzes network traffic passing from a second network of machines/hosts into the first network of machines/hosts in view of instantiated detection signatures to identify passing content that is potentially harmful to the first network and issue alerts;
  
  a network entrance sentry coupled to receive the network traffic from the traffic inspection agent and which operates to prevent unauthorized access to the first network;
  
  an interlocking functionality supporting delivery of the traffic inspection agent issued alerts to the network entrance sentry; and
  
  the network entrance sentry further operating responsive to the traffic inspection agent issued alert to block the identified passing content that is potentially harmful to the first network from entering the first network.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 further including:
    - means for instantiating detection signatures designed to detect and block potentially harmful content on both the traffic inspection agent and the network entrance sentry.
  - 3. The system of claim 1 further comprising means for tailoring the detection signature, prior to instantiation and based on the identified components and/or properties of the first network, as to a specification of what actions are to be taken and what reports to be generated in response to a detected attack.
  - 4. The system of claim 1 wherein components comprise network devices and properties comprise applications running on those network devices.

5. A method for protection of a first network of machines/hosts, comprising:
- scanning the first network to identify components present in the first network and their properties;
  
  receiving a detection signature for a type of attack pertinent to a certain component and/or certain property;
  
  determining whether the certain component and/or the certain property are among the components and/or properties present in the first network identified by scanning;
  
  if so, instantiating the detection signature for that type of attack; and
  
  otherwise not instantiating the detection signature in order to minimize false detection;
  
  analyzing network traffic passing from a second network of machines/hosts into the first network of machines/hosts in view of instantiated detection signatures to identify passing content that is potentially harmful to the first network;
  
  issuing alerts responsive to detection of passing content that is potentially harmful;
  
  receiving the alerts at a firewall which also processes the network traffic and prevents unauthorized access to the first network; and
  
  blocking entrance of the identified passing content that is potentially harmful to the first network at the firewall in response to the received alerts.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 further including:
    - instantiating detection signatures designed to detect and block entrance of potentially harmful entering content.
  - 7. The method of claim 5 further including tailoring the detection signature, prior to instantiation and based on the identified components and/or properties of the first network, as to a specification of what actions are to be taken and what reports to be generated in response to a detected attack.
  - 8. The method of claim 5 wherein components comprise network devices and properties comprise applications running on those network devices.

9. A network protection system, comprising:
- a network discovery functionality associated with a first network of devices/hosts that scans the first network prior to an attack to detect computer system and network device vulnerabilities to an attack based on the devices/hosts which are present in the first network and provides a notification identifying the detected vulnerabilities of the first network which could potentially be subsequently exploited by such an attack;
  
  a security management agent receiving the notification identifying the detected vulnerabilities and operating to tailor a detection signature to address the vulnerability to attack detected by the network discovery functionality; and
  
  an intrusion detector functionality upon which the tailored detection signature is instantiated by the security management agent prior to attack, the intrusion detector functionality analyzing network traffic received by the first network from a second network of devices/hosts in view of the instantiated detection signature to protect against exploitation of the detected vulnerabilities of the first network in such an attack by identifying entering content that is potentially harmful to the first network and issuing alerts.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system as in claim 9 further including:
    - a firewalling functionality upon which the tailored detection signature is instantiated by the security management agent, the firewalling functionality analyzing network traffic in view of the instantiated detection signature to block the potentially harmful content from entering the first network.
  - 11. The system as in claim 9 further including:
    - a firewalling functionality operating to analyze the network traffic and prevent unauthorized access to the first network;
      
      an interlocking functionality supporting delivery of the issued alert from the intrusion detector functionality to the firewalling functionality; and
      
      the firewalling functionality responding to the intrusion detector functionality issued alert to block the potentially harmful content from entering the first network.
  - 12. The system as in claim 9 wherein the tailored detection signature is configured in the context of the computer system and network device vulnerabilities of the first network to reduce a likelihood that the intrusion detector functionality will generate false positive alerts.
  - 13. The system as in claim 9 wherein the tailored detection signature is configured in the context of the computer system and network device vulnerabilities of the first network to specify certain actions to be taken.
  - 14. The system as in claim 9 wherein the network configuration includes a plurality of zones, and wherein the tailored detection signature is configured in the context of the computer system and network device vulnerabilities of the first network to be applicable to only certain ones of those zones.
  - 15. The system as in claim 9 wherein the network configuration includes identified machines, and wherein the tailored detection signature is configured in the context of the computer system and network device vulnerabilities of the first network to be applicable to only certain ones of those machines.

16. A method for network protection, comprising:
- scanning a first network of devices/hosts prior to an attack to detect computer system and network device vulnerabilities to an attack based on the devices/hosts which are present in the network;
  
  providing a notification the detected vulnerabilities of the first network which could potentially be subsequently exploited by such an attack;
  
  tailoring a detection signature to address the notified vulnerability to attack detected by the scanning step in the context of a configuration of the first network being protected;
  
  instantiating the tailored detection signature on a packet inspection agent prior to attack, the packet inspection agent analyzing network traffic received by the first network from a second network of devices/hosts in view of the instantiated detection signature to protect against exploitation of the detected vulnerabilities of the first network in such an attack by identifying passing content that is potentially harmful to the first network; and
  
  issuing alerts in response to the identified potentially harmful passing content.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method as in claim 16 further including:
    - instantiating the tailored detection signature on an entrance sentry functionality, the entrance sentry functionality analyzing network traffic in view of the instantiated detection signature to block the traffic associated with the potentially harmful passing content from entering the first network.
  - 18. The method as in claim 16 further including:
    - delivering the issued alerts to an entrance sentry functionality; and
      
      blocking entrance of the traffic associated with the detected potentially harmful content at the entrance sentry functionality in response to the delivered alerts.
  - 19. The method as in claim 16 wherein tailoring the detection signature comprises configuring the detection signature in the context of the computer system and network device vulnerabilities of the first network to reduce a likelihood that the packet inspection agent will generate false positive alerts.
  - 20. The method as in claim 16 wherein tailoring the detection signature comprises configuring the detection signature in the context of the computer system and network device vulnerabilities of the first network to specify certain actions to be taken.
  - 21. The method as in claim 16 wherein the network configuration includes a plurality of zones, and wherein tailoring the detection signature comprises configuring the detection signature in the context of the computer system and network device vulnerabilities of the first network to be applicable to only certain ones of those zones.
  - 22. The method as in claim 16 wherein the network configuration includes identified machines, and wherein tailoring the detection signature comprises configuring the detection signature in the context of the computer system and network device vulnerabilities of the first network to be applicable to only certain ones of those machines.

23. A defense system for a first network of machines/hosts, comprising:
- a network discovery functionality operating to scan the first network of machines/hosts to detect computer system and network device vulnerabilities to a future attack;
  
  an intrusion detector functionality operating to monitor traffic entering the first network of machines/hosts from a second network of machines/hosts and identify a current attack from entering content that is potentially harmful to the first network;
  
  a firewalling functionality operating to block unauthorized access to the first network of machines/hosts from the second network and block harmful content received from the second network from entering the first network;
  
  a management agent interconnecting the network discovery functionality, intrusion detector functionality and firewalling functionality together such that a self-deploying and self-hardening security defense is provided for the first network;
  
  wherein the management agent supports the self-deployed security defense by having the network discovery functionality, intrusion detector functionality and firewalling functionality work together to automate threat detection and threat response operations; and
  
  wherein the management agent supports the self-hardening security defense by having the network discovery functionality, intrusion detector functionality and firewalling functionality implement threat detection and threat response operations in a manner that mitigates instances of false detection.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system of claim 23 wherein the management agent supports self-hardening security defense by instantiating and not instantiating a received detection signature on at least one of the intrusion detector functionality and firewalling functionality based on whether the network discovery functionality scan of the first network indicates that the machines/hosts are vulnerable to an attack to which the detection signature provides a defense.
  - 25. The system of claim 23 wherein the management agent supports self-hardening security defense by selecting when and how a received detection signature is instantiated on at least one of the intrusion detector functionality and firewalling functionality based on the machines/hosts of the first network which are identified by the network discovery functionality scan of the first network.
  - 26. The system of claim 23 wherein the management agent supports self-hardening security defense by modifying detection criteria and response actions of a received detection signature prior to instantiation on at least one of the intrusion detector functionality and firewalling functionality based on the machines/hosts of the first network which are identified by the network discovery functionality scan of the first network.
  - 27. The system of claim 23 wherein the management agent supports self-hardening security defense by tailoring a received detection signature for application to certain machines/hosts of the first network which are identified by the network discovery functionality scan of the first network and instantiating the tailored detection signature on at least one of the intrusion detector functionality and firewalling functionality.

28. A method for providing network defense, comprising:
- using a network discovery functionality operating to scan a first network of machines/hosts to detect computer system and network device vulnerabilities to a future attack, an intrusion detector functionality operating to monitor traffic entering the first network of machines/hosts from a second network of machines/hosts and identify a current attack from entering content that is potentially harmful to the first network and a firewalling functionality operating to block unauthorized access to the first network of machines/hosts from the second network and block harmful content received from the second network from entering the first network,integrating the network discovery functionality, intrusion detector functionality and firewalling functionality together such that a self-deploying and self-hardening security defense is provided for the first network of machines/hosts;
  
  wherein integrating achieves the self-deploying security defense by having the network discovery functionality, intrusion detector functionality and firewalling functionality work together to automate threat detection and threat response operations and achieves the self-hardening security defense by having the network discovery functionality, intrusion detector functionality and firewalling functionality implement threat detection and threat response operations in a manner that mitigates instances of false detection.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The method of claim 28 wherein integrating supports self-hardening security defense by instantiating and not instantiating a received detection signature on at least one of the intrusion detector functionality and firewalling functionality based on whether the network discovery functionality scan of the first network indicates that the machines/hosts are vulnerable to an attack to which the detection signature provides a defense.
  - 30. The method of claim 28 wherein integrating supports self-hardening security defense by selecting when and how a received detection signature is instantiated on at least one of the intrusion detector functionality and firewalling functionality based on the machines/hosts of the first network which are identified by the network discovery functionality scan of the first network.
  - 31. The method of claim 28 wherein integrating supports self-hardening security defense by modifying detection criteria and response actions of a received detection signature prior to instantiation on at least one of the intrusion detector functionality and firewalling functionality based on the machines/hosts of the first network which are identified by the network discovery functionality scan of the first network.
  - 32. The method of claim 28 wherein integrating supports self-hardening security defense by tailoring a received detection signature for application to certain machines/hosts of the first network which are identified by the network discovery functionality scan of the first network and instantiating the tailored detection signature on at least one of the intrusion detector functionality and firewalling functionality.

33. A defense system for a first network of machines/hosts, comprising:
- a traffic inspection agent that recognizes, from an analysis of passing network traffic concerning the first network of machines/hosts, that a new machine has been installed on the first network, the agent issuing a scan trigger in response thereto;
  
  a network discovery function, operating responsive to the issued scan trigger, for scanning the first network, finding the new machine, and identifying a network vulnerability to an attack which is attributable to the presence of the new machine; and
  
  the traffic inspection agent responding to the identified network vulnerability to instantiate a detection signature for detecting possible exploitation of that vulnerability to attack in connection with network traffic received by the first network from a second network of machines/hosts connected to the first network.
- View Dependent Claims (34, 35, 36)
- - 34. The system as in claim 33 wherein the traffic inspection agent further operates to tailor the detection signature to a configuration of the first network.
  - 35. The system as in claim 33 further comprising:
    - a network entrance sentry operating to prevent unauthorized access to the first network;
      
      wherein the traffic inspection agent further operates to instantiate a detection signature on the network entrance sentry for detecting possible exploitation of that vulnerability and blocking second network originated traffic associated with that possible exploitation from entering the first network.
  - 36. The system as in claim 33 wherein the analysis of passing second network originated network traffic performed by the traffic inspection agent infers presence of the new machine on the first network from detection of unrecognizable information in a packet header.

37. A method for defense of a first network of machines/hosts, comprising:
- analyzing passing network traffic concerning the first network of machines/hosts to recognize that a new machine has been installed on the first network;
  
  issuing a scan trigger in response thereto;
  
  scanning the first network in response to the scan trigger to find the new machine and identify a network vulnerability to an attack which is attributable to the presence of the new machine; and
  
  instantiating a detection signature in response to the identified vulnerability for detecting possible exploitation of that vulnerability in connection with network traffic received by the first network from a second network of machines/hosts connected to the first network.
- View Dependent Claims (38, 39, 40)
- - 38. The method as in claim 37 further including tailoring the detection signature to a configuration of the first network.
  - 39. The method as in claim 37 further comprising:
    - instantiating a detection signature at an entrance to the first network for detecting possible exploitation of that vulnerability and blocking second network originated traffic associated with that possible exploitation from entering the first network.
  - 40. The method as in claim 37 wherein analyzing comprises:
    - examining a header portion of packets in the passing network traffic; and
      
      inferring presence of the new machine in the first network from detection of unrecognizable information in the packet header portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Smith, Brian, Cantrell, Craig, McHale, John, Willebeek-LeMair, Marc, Cox, Dennis
Primary Examiner(s)
JACOBS, LASHONDA T

Application Number

US10/136,889
Publication Number

US 20030204632A1
Time in Patent Office

2,177 Days
Field of Search

709/203, 709223-224, 709226-229, 709/249, 709/227, 709/228, 713201-202, 726/22, 726/23, 726/24, 726/25
US Class Current

709/223
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Network security system integration

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Network security system integration

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links