Automatic client responses to worm or hacker attacks
First Claim
1. A method of responding to a suspected attack of a computing device on a network, the method comprising:
- receiving notification information indicative of the suspected attack, wherein the notification information contains information including:
  - at least one network address of a system on the network suspected of being compromised;
  - an identification of specific software associated with the attack; and
  - a list of vulnerable applications and operating systems;
- responsive to receiving the notification information indicative of the suspected attack, automatically evaluating the notification information, wherein evaluating the notification information is based on factors selected from the group of:
  - a criticality of one or more vulnerable applications running on an evaluating device;
  - vulnerability of the applications running on the individual device to the attack;
  - connectivity of the device to the network and other individual devices; and
  - the operating system of the individual network device;
- selecting at least one automatic client response for the network device based upon the evaluation, wherein the automatic client responses for the network device selected comprise actions selected from the group of:
  - notifying network administration;
  - immediately shutting down said device;
  - shutting down said device in stages;
  - shutting down selected services running on said device;
  - updating of anti-virus software; and
  - activation of anti-virus software;
- selective handling of data sent from an address associated with the network device identified as compromised, wherein the selective handling of data sent from the address of the network device identified as compromised is an action selected from:
  - removing of all data sent from the address of the device identified as compromised;
  - quarantining of all data sent from the address of the device identified as compromised;
  - filtering of all data sent from the address of the device identified as compromised; and
- executing at least one of the selected responses to reduce consequences of the attack.
Abstract
A system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration.
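As an added illustration of the receive, evaluate, select, execute loop that claim 1 and the abstract describe (my code, not the patent's; the field names, the criticality scale, the connectivity threshold and the response labels are assumptions standing in for the rules an administrator would enter during setup), a small rule engine in Python:

```python
from dataclasses import dataclass

@dataclass
class Notification:
    """Notification information as the claim describes it."""
    compromised_address: str   # address of the system suspected of being compromised
    attack_software_id: str    # identification of the specific worm
    vulnerable_software: set   # names of vulnerable applications and operating systems

@dataclass
class Device:
    """What the evaluating device knows about itself (constructed fields, not from the page)."""
    os: str
    apps: dict                 # application name -> criticality (1 low .. 3 critical), assumed scale
    connectivity: int          # number of other devices this device can reach

def evaluate(n: Notification, d: Device) -> dict:
    """Derive the four evaluation factors listed in the claim."""
    vulnerable_apps = sorted(a for a in d.apps if a in n.vulnerable_software)
    return {
        "vulnerable_apps": vulnerable_apps,
        "os_vulnerable": d.os in n.vulnerable_software,
        "criticality": max((d.apps[a] for a in vulnerable_apps), default=0),
        "connectivity": d.connectivity,
    }

def select_responses(n: Notification, f: dict) -> list:
    """Pick responses from the claimed set; the thresholds stand in for setup rules."""
    addr = n.compromised_address
    actions = ["notify_admin", "update_antivirus"]
    if not f["vulnerable_apps"] and not f["os_vulnerable"]:
        # Not exposed: keep running, only filter traffic from the suspect address.
        return actions + [f"filter_data_from:{addr}"]
    actions += ["activate_antivirus", f"quarantine_data_from:{addr}"]
    if f["os_vulnerable"] and f["connectivity"] >= 10:
        actions.append("shutdown_immediate")   # well-connected, exposed host: stop the spread
    elif f["criticality"] >= 3:
        actions.append("shutdown_staged")      # critical application: wind down gracefully
    else:
        actions += [f"shutdown_service:{a}" for a in f["vulnerable_apps"]]
    return actions

def respond(n: Notification, d: Device) -> list:
    """Evaluate the notification, then return the ordered responses to execute."""
    return select_responses(n, evaluate(n, d))
```

Each device runs `respond` locally against the same notification, so the host with a critical vulnerable service winds down in stages while an unexposed host only filters traffic from the suspect address.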
7 Claims
Claim 1 is reproduced above; claims 2 through 7 are dependent claims.