Method of responding to a truncated secure session attack

US 7,464,404 B2
Filed: 11/17/2005
Issued: 12/09/2008
Est. Priority Date: 05/20/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of responding to a truncated secure session attack, comprising the steps of:

forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;

receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;

incrementing the count in the slot associated with the internet protocol address;

determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;

applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;

suspending the blocking measure at the end of the duration; and

wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.

294 Citations

5 Claims

1. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;
  
  suspending the blocking measure at the end of the duration; and
  
  wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the duration is adapted according to a monotone non-decreasing function of the count.

3. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  providing an allow list of leader values of trusted providers;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots which are not on the allow list, for a duration that is determined adaptively;
  
  suspending the blocking measure at the end of the duration; and
  
  wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.

4. A method of responding to a truncated secure session attack, comprising the steps of:
- forming a direct table having a plurality of slots associated with leader values of internet protocol addresses, each slot having a leaf to keep a count of packets in a pre-specified time interval;
  
  receiving an inbound packet having a header value that distinguishes it as the earliest essential step above transmission control protocol, and an internet protocol address;
  
  incrementing the count in the slot associated with the internet protocol address;
  
  determining at the end of the pre-specified time interval whether a subset of the slots have a high count or high count increase over previous time intervals;
  
  applying a blocking measure for internet protocol addresses associated with the subset of slots for a duration that is determined adaptively;
  
  suspending the blocking measure at the end of the duration and re-testing for the presence of the high count or high count increase;
  
  adapting the duration and re-applying the blocking measure for the adapted duration; and
  
  wherein the duration is determined adaptively in response to a count of a number of times that the blocking measure has been applied, an interval of time and a count of traffic.
- View Dependent Claims (5)
- - 5. The method of claim 4, wherein the duration is adapted according to a monotone non-decreasing function of the count.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Carpenter, Brian Edward, Himberger, Kevin David, Jeffries, Clark Debs, Peyravian, Mohammad
Primary Examiner(s)
Moise, Emmanuel L
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US11/283,380
Publication Number

US 20060075496A1
Time in Patent Office

1,118 Days
Field of Search

726/2, 726/3, 726/4, 726/11, 726/21, 726/22, 726/23, 726/25, 726/26, 726/14, 726/24, 709/224, 709/226, 709/229
US Class Current

726/14
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

H04L 63/1458   Denial of Service

H04L 69/22   Parsing or analysis of headers

Method of responding to a truncated secure session attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

294 Citations

5 Claims

Specification

Use Cases

Quick Links

Others

Method of responding to a truncated secure session attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

294 Citations

5 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others