Method of responding to a truncated secure session attack
First Claim
1. A method of responding to a truncated secure session attack, comprising the steps of:
forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
incrementing the count in the slot associated with the internet protocol address;
determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;
suspending the blocking measure at the end of the duration; and
wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.
2 Assignments
0 Petitions
Abstract
A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic, so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.
294 Citations
5 Claims
3. A method of responding to a truncated secure session attack, comprising the steps of:
forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
providing an allow list of leader values of trusted providers;
receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
incrementing the count in the slot associated with the internet protocol address;
determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
applying a blocking measure for internet protocol addresses associated with the subset of slots which are not on the allow list, for a duration that is determined adaptively;
suspending the blocking measure at the end of the duration; and
wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.
4. A method of responding to a truncated secure session attack, comprising the steps of:
forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
incrementing the count in the slot associated with the internet protocol address;
determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;
suspending the blocking measure at the end of the duration and re-testing for the presence of the high count or high count increase;
adapting the duration and re-applying the blocking measure for the adapted duration; and
wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.
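The following simulation is an added worked example of the method described in the abstract and claimed in claims 1, 3 and 4; it is not code from the patent or its assignee. It assumes a leader width of 16 bits (a /16 prefix) for the direct-table index, a per-packet flag standing in for the "earliest essential step above TCP" (for instance a TLS ClientHello), illustrative thresholds, an illustrative duration formula that grows with the number of times the block has been applied and with traffic seen while blocked, and constructed traffic from documentation address ranges. None of these specifics are fixed by the patent text.

```python
"""Progressive-response simulation for a truncated secure session attack.

Added example, not the patent's own code. Assumptions: leader value = top 16
bits of the IPv4 source address; `first_above_tcp` marks the handshake-initiating
packet (e.g. a TLS ClientHello); thresholds, the duration formula and all
addresses are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

LEADER_BITS = 16  # assumption: slots are indexed by the /16 prefix


def leader(ip: str) -> int:
    """Direct-table index: the leading LEADER_BITS of the address."""
    return int(ipaddress.IPv4Address(ip)) >> (32 - LEADER_BITS)


@dataclass
class Slot:
    count: int = 0            # the "leaf": handshake packets seen this interval
    prev_count: int = 0       # previous interval's count, for the increase test
    times_blocked: int = 0    # how often the blocking measure has been applied
    block_left: int = 0       # intervals of blocking remaining (0 = not blocked)
    blocked_traffic: int = 0  # packets dropped while blocked (count of traffic)
    retest: bool = False      # block just expired; this interval is the re-test


class ProgressiveBlocker:
    def __init__(self, high_count=100, high_increase=50, allow_list=(),
                 base_duration=1, max_duration=16):
        self.table: dict[int, Slot] = {}  # direct table: leader -> slot
        self.allow = {leader(ip) for ip in allow_list}  # trusted providers
        self.high_count = high_count
        self.high_increase = high_increase
        self.base = base_duration
        self.max = max_duration

    def on_packet(self, src_ip: str, first_above_tcp: bool) -> str:
        """Per-packet path: only handshake-initiating packets are counted."""
        if not first_above_tcp:
            return "pass"
        slot = self.table.setdefault(leader(src_ip), Slot())
        if slot.block_left > 0:
            slot.blocked_traffic += 1  # blocking measure in force: drop
            return "drop"
        slot.count += 1
        return "pass"

    def _duration(self, slot: Slot) -> int:
        """Illustrative adaptive duration (in intervals): doubles with each
        re-application, doubles again if the source kept sending at attack
        rate while blocked, and is capped at max_duration."""
        d = self.base * 2 ** (slot.times_blocked - 1)
        if slot.blocked_traffic >= self.high_count:
            d *= 2
        return min(d, self.max)

    def _anomalous(self, slot: Slot) -> bool:
        """High count, or high increase over the previous interval."""
        return (slot.count >= self.high_count
                or slot.count - slot.prev_count >= self.high_increase)

    def end_of_interval(self) -> dict[int, str]:
        """Run at the end of each pre-specified interval; returns the action
        taken per leader value."""
        actions = {}
        for ldr, slot in self.table.items():
            if slot.block_left > 0:
                slot.block_left -= 1
                if slot.block_left == 0:
                    slot.retest = True  # suspend; next interval re-tests
                    actions[ldr] = "suspend"
                else:
                    actions[ldr] = "blocked"
            elif ldr in self.allow:
                actions[ldr] = "allow-listed"  # claim 3: never blocked
            elif self._anomalous(slot):
                slot.times_blocked += 1
                slot.block_left = self._duration(slot)
                slot.blocked_traffic = 0
                slot.retest = False
                actions[ldr] = f"block:{slot.block_left}"
            else:
                if slot.retest:
                    slot.times_blocked = 0  # attack gone: back to readiness
                    slot.retest = False
                slot.blocked_traffic = 0
                actions[ldr] = "ready"
            slot.prev_count, slot.count = slot.count, 0
        return actions


def run_scenario() -> list[dict[int, str]]:
    """Constructed traffic: 203.0.113.0/24 floods handshakes in intervals
    0, 1, 2 and 8; 198.51.100.7 is a busy but allow-listed provider;
    192.0.2.9 is a normal client whose data packets are not counted."""
    pb = ProgressiveBlocker(high_count=100, high_increase=50,
                            allow_list=["198.51.100.7"],
                            base_duration=1, max_duration=16)
    attack_intervals = {0, 1, 2, 8}
    log = []
    for interval in range(9):
        if interval in attack_intervals:
            for i in range(300):
                pb.on_packet(f"203.0.113.{i % 256}", True)
        for _ in range(200):
            pb.on_packet("198.51.100.7", True)
        for _ in range(5):
            pb.on_packet("192.0.2.9", True)
            pb.on_packet("192.0.2.9", False)
        log.append(pb.end_of_interval())
    return log


if __name__ == "__main__":
    for n, actions in enumerate(run_scenario()):
        print(n, actions[leader("203.0.113.1")])
```

In the scenario the attacker's /16 is blocked for one interval, suspended, re-tested, found still attacking and re-blocked for four intervals (the doubling for re-application compounded by the traffic it kept sending while blocked), then suspended again; a quiet re-test returns the slot to readiness, so a later attack starts the progression over from the initial duration. The allow-listed provider is never blocked despite exceeding the threshold, and the client's non-handshake packets never touch the counter.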
Specification