Attack defending system and attack defending method

US 7,464,407 B2
Filed: 08/20/2003
Issued: 12/09/2008
Est. Priority Date: 08/20/2002
Status: Active Grant

First Claim

Patent Images

1. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:

an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;

a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;

a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and

a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device, whereinthe destination selector comprises a memory for storing as the distribution condition a guiding list containing a set of IP addresses unused in the internal network, the destination selector selecting the decoy device when a destination IP address of the input IP packet matches an unused IP address contained in the guiding list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it is determined that the input IP packet is suspicious, it is guided into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so as to reject subsequent packets from attack source.

Citations

30 Claims

1. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device, whereinthe destination selector comprises a memory for storing as the distribution condition a guiding list containing a set of IP addresses unused in the internal network, the destination selector selecting the decoy device when a destination IP address of the input IP packet matches an unused IP address contained in the guiding list.
- View Dependent Claims (2, 3, 4)
- - 2. The attack defending system according to claim 1, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 3. The attack defending system according to claim 1, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 4. The attack defending system according to claim 3, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.

5. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,wherein the destination selector comprises;
  
  a packet buffer for storing input IP packets; and
  
  a monitor for monitoring reception of a destination unreachable message after an input IP packet has been transferred from the packet buffer to the internal network,wherein, when the monitor detects the reception of the destination unreachable message for the input IP packet, the input IP packet is transferred from the packet buffer to the decoy device.
- View Dependent Claims (6, 7, 8)
- - 6. The attack defending system according to claim 5, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 7. The attack defending system according to claim 5, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 8. The attack defending system according to claim 7, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.

9. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,wherein the filtering condition manager comprises;
  
  a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
  
  a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The attack defending system according to claim 9, wherein the header information of an input IP packet includes at least one of a source IP address and a destination IP address thereof,wherein the destination selector selects a destination of the input IP packet depending on whether the header information of the input IP packet satisfies the distribution condition.
  - 11. The attack defending system according to claim 9, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 12. The attack defending system according to claim 9, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 13. The attack defending system according to claim 12, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.

14. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device,an event memory for temporarily storing events related to at least network input/output, file input/output, and process creation/termination, andan event manager for analyzing cause-effect relations of the events stored in the event memory to form links among the events; and
  
  the firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The attack defending system according to claim 14, wherein the header information of an input IP packet includes at least one of a source IP address and a destination IP address thereof,wherein the destination selector selects a destination of the input IP packet depending on whether the header information of the input IP packet satisfies the distribution condition.
  - 16. The attack defending system according to claim 14, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 17. The attack defending system according to claim 14, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 18. The attack defending system according to claim 17, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.
  - 19. The attack defending system according to claim 14, wherein the attack detector detects an attack from an execution status of the service process according to a rule having at least one of domain constraint and type constraint added thereto.
  - 20. The attack defending system according to claim 19, wherein the attack detector searches the links to extract at least, a generation event of a process generating an event to be inspected and a network reception event by which the event to be inspected is generated, when determination is made based on the domain constraint and the type constraint.

21. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition; and
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device,wherein the attack detector detects an attack from an execution status of the service process according to a rule having at least one of domain constraint and type constraint added thereto.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The attack defending system according to claim 21, wherein the header information of an input IP packet includes at least one of a source IP address and a destination IP address thereof,wherein the destination selector selects a destination of the input IP packet depending on whether the header information of the input IP packet satisfies the distribution condition.
  - 23. The attack defending system according to claim 21, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 24. The attack defending system according to claim 21, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 25. The attack defending system according to claim 24, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.

26. An attack defending system provided at an interface between an internal network and an external network, comprising a computer having a processor and a memory to execute software recorded on a tangible medium, the software implementing a decoy device and a firewall device, wherein the firewall device inputs an input IP packet from the external network and forwards it to one of the decoy device and the internal network, whereinthe decoy device comprises:
- an attack detector for detecting presence or absence of an attack by executing a service process for the input IP packet transferred from the firewall device, andthe firewall device comprises;
  
  a packet filter for determining whether the input IP packet inputted from the external network is to be accepted, based on header information of the input IP packet and a filtering condition corresponding to the input IP packet;
  
  a destination selector for selecting one of the internal network and the decoy device as a destination of the input IP packet accepted by the packet filter, based on the header information of the input IP packet and a distribution condition;
  
  a filtering condition manager for managing the filtering condition depending on whether the attack detector detects an attack based on the input IP packet forwarded to the decoy device; and
  
  a mirroring device for copying at least a file system from a server on the internal network to the decoy device, wherein when an attack is detected by the decoy device, the mirroring device copies at least the file system from the server on the internal network to the decoy device.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The attack defending system according to claim 26, wherein the header information of an input IP packet includes at least one of a source IP address and a destination IP address thereof,wherein the destination selector selects a destination of the input IP packet depending on whether the header information of the input IP packet satisfies the distribution condition.
  - 28. The attack defending system according to claim 26, wherein the firewall device further comprises:
    - a distribution condition updating section for updating the distribution condition depending on whether the attack detector detects an attack based on the input IP packet transferred to the decoy device.
  - 29. The attack defending system according to claim 26, wherein the filtering condition manager stores the filtering condition with a limited validity period, which corresponds to the header information of the input IP packet forwarded to the decoy device, wherein, when the limited validity period has elapsed, a default filtering condition is returned to the packet filter.
  - 30. The attack defending system according to claim 29, wherein the filtering condition manager comprises:
    - a condition generator for generating a filtering condition corresponding to a combination of an attack category of an attack detected by the attack detector and address information of the input IP packet; and
      
      a filtering condition controller for dynamically updating the filtering condition according to the filtering condition generated by the condition generator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Yamagata, Masaya, Nakae, Masayuki
Primary Examiner(s)
Brown; Christopher J

Application Number

US10/643,864
Publication Number

US 20040172557A1
Time in Patent Office

1,938 Days
Field of Search

726/22, 726/11, 713/182, 713/187, 713/188
US Class Current

726/22
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Attack defending system and attack defending method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Attack defending system and attack defending method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links