System and method for threat detection and response

US 7,463,590 B2
Filed: 07/22/2004
Issued: 12/09/2008
Est. Priority Date: 07/25/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:

(a) comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;

(b) comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;

(c) comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data and common port usage;

(d) comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;

(e) comparing the packet data to a predetermined set of permissions;

(f) determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and

(g) taking at least of one of a plurality of actions in response to the existing network threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with varying embodiments of the invention, systems, devices and methods for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats are disclosed.

132 Citations

56 Claims

1. A method for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
- (a) comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
  
  (b) comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
  
  (c) comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data and common port usage;
  
  (d) comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
  
  (e) comparing the packet data to a predetermined set of permissions;
  
  (f) determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
  
  (g) taking at least of one of a plurality of actions in response to the existing network threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the comparison of the packet data to the predetermined set of protocol anomalies further comprises:
    - determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies.
  - 3. The method of claim 1, wherein the comparison of the packet data to the predetermined set of threat signatures further comprises:
    - determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures.
  - 4. The method of claim 1, wherein the predetermined set of threat signatures is organized into at least one super set, at least one sub set, and at least one common set.
  - 5. The method of claim 4, wherein the comparison of the packet data to the predetermined set of threat signatures further comprises:
    - determining that the packet data includes at least one of the threat signatures from the super set.
  - 6. The method of claim 5, wherein the comparison of the packet data to the predetermined set of threat signatures further comprises:
    - determining that the packet data includes at least one of the threat signatures from the sub set.
  - 7. The method of claim 6, wherein the comparison of the packet data to the predetermined set of threat signatures further comprises:
    - determining that the packet data includes at least one of the threat signatures from the common set.
  - 8. The method of claim 1, wherein the comparison of the first port weighting to the default port weighting further comprises:
    - determining that the network packet is associated with a first port scan based on the comparison of the first port weighting to the default port weighting.
  - 9. The method of claim 1, wherein the comparison of the first source weighting to the default source weighting further comprises:
    - determining that the network packet is associated with a denial of service attack based on the comparison of the first source weighting to the default source weighting.
  - 10. The method of claim 1, wherein the comparison of the packet data to the predetermined set of permissions further comprises:
    - determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource.
  - 11. The method of claim 1, wherein the at least one of the plurality of actions comprises alerting a network management system.
  - 12. The method of claim 1, wherein the at least one of the plurality of actions comprises rejecting the network packet.
  - 13. The method of claim 1, wherein the at least one of the plurality of actions comprises blocking network traffic from the remote source.
  - 14. The method of claim 1, wherein the at least one of the plurality of actions comprises filtering port scan activity.
  - 15. The method of claim 1, wherein the at least one of the plurality of actions comprises throttling network traffic to the network resource.
  - 16. The method of claim 1, wherein the at least one of the plurality of actions comprises throttling network traffic received from to the remote source.
  - 17. The method of claim 1, wherein the at least one of the plurality of actions comprises disabling a network port associated with the network resource.
  - 18. The method of claim 1, further comprising:
    - generating an acknowledgment message to the remote source;
      
      determining that the remote source failed to return a confirmation message; and
      
      determining that the network packet is associated with an existing network threat based on the determining that the remote source failed to return a confirmation message.
  - 19. The method of claim 1, further comprising:
    - comparing the packet data to a first behavior model;
      
      determining that the network packet is associated with an existing network threat based on the comparison of the packet data to the first behavior model.
  - 20. The method of claim 19, wherein the first behavior model is repeatedly updated at a predetermined interval in runtime.
  - 21. The method of claim 1, wherein the existing network threat comprises a port scan.
  - 22. The method of claim 1, wherein the existing network threat comprises a denial of service attack.

23. A network threat detection and response system for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
- (a) a first portion adapted for comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
  
  (b) a second portion adapted for comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
  
  (c) a third portion adapted for comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data;
  
  (d) a fourth portion adapted for comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
  
  (e) a fifth portion adapted for comparing the packet data to a predetermined set of permissions;
  
  (f) a sixth portion adapted for determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
  
  (g) a seventh portion adapted for taking at least of one of a plurality of actions in response to the existing network threat.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 24. The system of claim 23, wherein the first portion is further adapted for determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies.
  - 25. The system of claim 23, wherein the second portion is further adapted for determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures.
  - 26. The system of claim 23, wherein the predetermined set of threat signatures is organized into at least one super set, at least one sub set, and at least one common set.
  - 27. The system of claim 26, wherein the second portion is further adapted for determining that the packet data includes at least one of the threat signatures from the super set.
  - 28. The system of claim 27, wherein the second portion is further adapted for determining that the packet data includes at least one of the threat signatures from the sub set.
  - 29. The system of claim 28, wherein the second portion is further adapted for determining that the packet data includes at least one of the threat signatures from the common set.
  - 30. The system of claim 23, wherein the third portion is further adapted for determining that the network packet is associated with a first port scan based on the comparison of the first port weighting to the default port weighting.
  - 31. The system of claim 23, wherein the fourth portion is further adapted for determining that the network packet is associated with a denial of service attack based on the comparison of the first source weighting to the default source weighting.
  - 32. The system of claim 23, wherein the fifth portion is further adapted for determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource.
  - 33. The system of claim 23, wherein the at least one of the plurality of actions comprises alerting a network management system.
  - 34. The system of claim 23, wherein the at least one of the plurality of actions comprises rejecting the network packet.
  - 35. The system of claim 23, wherein the at least one of the plurality of actions comprises blocking network traffic from the remote source.
  - 36. The system of claim 23, wherein the at least one of the plurality of actions comprises filtering port scan activity.
  - 37. The system of claim 23, wherein the at least one of the plurality of actions comprises throttling network traffic to the network resource.
  - 38. The system of claim 23, wherein the at least one of the plurality of actions comprises throttling network traffic received from to the remote source.
  - 39. The system of claim 23, wherein the at least one of the plurality of actions comprises disabling a network port associated with the network resource.
  - 40. The system of claim 23, further comprising:
    - an eighth portion adapted for generating an acknowledgment message to the remote source, determining that the remote source failed to return a confirmation message, and determining that the network packet is associated with an existing network threat based on the determining that the remote source failed to return a confirmation message.
  - 41. The system of claim 23, further comprising:
    - a ninth portion adapted for comparing the packet data to a first behavior model, and determining that the network packet is associated with an existing network threat based on the comparison of the packet data to the first behavior model.
  - 42. The system of claim 41, wherein the first behavior model is repeatedly updated at a predetermined interval in runtime.

43. A method for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
- (a) comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
  
  determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies;
  
  (b) comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
  
  determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures;
  
  (c) utilizing the packet data to generate a first port weighting for the network resource;
  
  determining that the network packet is associated with a first port scan based on a comparison of the first port weighting to a default port weighting;
  
  (d) utilizing the packet data to generate a first source weighting for the remote source;
  
  determining that the network packet is associated with a denial of service attack based on a comparison of the first source weighting to a default source weighting;
  
  (e) comparing the packet data to a predetermined set of permissions;
  
  determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource;
  
  (f) associating the network packet with an existing network threat based on at least one of the determining that the packet data includes at least one of the protocol anomalies from the predetermined set of protocol anomalies, determining that the packet data includes at least one of the threat signatures from the predetermined set of threat signatures, determining that the network packet is associated with a first port scan, determining that the network packet is associated with a denial of service attack, determining that the packet data fails to demonstrate that the remote source has a requisite permission for connection to the network resource; and
  
  (g) taking one of a plurality of actions in response to the existing network threat.

44. A device for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, comprising:
- (a) a first portion adapted for comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats;
  
  (b) a second portion adapted for comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats;
  
  (c) a third portion adapted for comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data;
  
  (d) a fourth portion adapted for comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data;
  
  (e) a fifth portion adapted for comparing the packet data to a predetermined set of permissions;
  
  (f) a sixth portion adapted for determining that the network packet is associated with an existing network threat based on at least one of the comparison of the packet data to the predetermined set of protocol anomalies, the comparison of the packet data to the predetermined set of threat signatures, the comparison of the first port weighting to the default port weighting, the comparison of the first source weighting to the default source weighting, the comparison of the packet data to the predetermined set of permissions; and
  
  (g) a seventh portion adapted for taking at least of one of a plurality of actions in response to the existing network threat.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51)
- - 45. The device of claim 44, further comprising:
    - an eighth portion adapted for generating an acknowledgment message to the remote source, determining that the remote source failed to return a confirmation message, and determining that the network packet is associated with an existing network threat based on the determining that the remote source failed to return a confirmation message.
  - 46. The device of claim 44, further comprising:
    - a ninth portion adapted for comparing the packet data to a first behavior model, and determining that the network packet is associated with an existing network threat based on the comparison of the packet data to the first behavior model.
  - 47. The device of claim 44, wherein the device comprises a server blade.
  - 48. The device of claim 44, wherein the device resides on a flash memory.
  - 49. The device of claim 44, wherein the device resides on a disk-on-a-chip.
  - 50. The device of claim 44, wherein the device resides on a disk-on-a-chip that is connectable to an IDE socket of a server.
  - 51. The device of claim 44, wherein the device resides on a disk-on-a-chip installed on a computer blade that is insertable into a PCI slot on an individual host or server.

52. A device for analyzing a network packet received from a remote source and destined for a network resource, the network packet having associated packet data, and for identifying a plurality of network threats, the device comprising:
- a component selected from the set consisting of a flash memory and a disk-on-a-chip, the component including at least one of the set consisting ofan anomaly assessment portion adapted for comparing the packet data to a predetermined set of protocol anomalies, each protocol anomaly indicative of at least one of the plurality of network threats,a signature threat assessment portion adapted for comparing the packet data to a predetermined set of threat signatures, each threat signature indicative of at least one of the plurality of network threats,a port weighting assessment portion adapted for comparing a first port weighting for the network resource to a default port weighting, the first port weighting generated in part based on the packet data and common port usage,a source weighting assessment portion adapted for comparing a first source weighting for the remote source to a default source weighting, the first source weighting generated in part based on the packet data,a permission assessment portion adapted for comparing the packet data to a predetermined set of permissions that are specific to a person.
- View Dependent Claims (53, 54, 55, 56)
- - 53. The device of claim 52, wherein the component further includes:
    - a portion adapted for determining that the network packet is associated with an existing network threat.
  - 54. The device of claim 53, wherein the component further includes:
    - a portion adapted for taking at least of one of a plurality of actions in response to the existing network threat.
  - 55. The device of claim 52, wherein the component is connectable to an IDE or SATA socket of a server.
  - 56. The device of claim 52, wherein the component is installed on a computer blade that is insertable into a PCI slot on an individual host or server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
StrataCloud, Inc. (Exitlag LLC)
Original Assignee
Reflex Security, Inc. (Exitlag LLC)
Inventors
Lunz, Jason, Molnar, John, Black, Nick, Mualem, Hezi I.
Primary Examiner(s)
Yao; Kwang B.
Assistant Examiner(s)
Tran; Tung Q

Application Number

US10/896,461
Publication Number

US 20050018618A1
Time in Patent Office

1,601 Days
Field of Search

370/241, 370/242, 370/252, 370/389, 370/392, 726/1, 726/13, 726 22- 30, 713/153, 713/168, 713176-178, 713187-188, 713/200, 713/201, 713/202, 713/203
US Class Current

370/241
CPC Class Codes

H04L 2463/141 Denial of service attacks a...

H04L 63/1458 Denial of Service

System and method for threat detection and response

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for threat detection and response

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links