System and method for preventing network misuse

US 7,467,410 B2
Filed: 05/15/2007
Issued: 12/16/2008
Est. Priority Date: 06/04/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying a plurality of data signatures relevant to computer security;

designating an alert condition value for each data signature based on each data signature itself and contextual information associated with a respective data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information; and

creating a table comprising the contextual information, the data signatures, and the alert condition values.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for preventing misuse conditions on a data network are described. Embodiments of the system and method evaluate potential network misuse signatures by analyzing variables such as the state of the network and/or target, the context in which the potential misuse signatures are detected, the response/reaction of the target and/or the fingerprint of the target. These and other variables may be factored in to the misuse determination, either alone, or in combination.

Citations

20 Claims

1. A computer-implemented method comprising:
- identifying a plurality of data signatures relevant to computer security;
  
  designating an alert condition value for each data signature based on each data signature itself and contextual information associated with a respective data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information; and
  
  creating a table comprising the contextual information, the data signatures, and the alert condition values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising detecting a data signature by evaluating communications at an application layer level between a target and a suspect.
  - 3. The method of claim 1, further comprising correlating a detected data signature with an application layer fingerprint of a target to determine to what extent the target is vulnerable to said detected data signature.
  - 4. The method of claim 1, further comprising evaluating contextual information related to a detected data signature by comparing the contextual information and the detected data signature to the table in order to determine a likelihood that a target is under an attack.
  - 5. The method of claim 1, further comprising assigning an alert condition value to a detected data signature based on a comparison of contextual information and the detected data signature to data in the table.
  - 6. The method of claim 3, wherein said fingerprint includes an operating system version of said target.
  - 7. The method of claim 3, wherein said fingerprint includes a processor type of said target.
  - 8. The method of claim 1, further comprising generating an alert condition upon determining a target is vulnerable to a detected data signature.
  - 9. The method as in claim 1, further comprising listening for a response from a target in response to a detected data signature.

10. A computer-implemented method comprising:
- designating an alert condition value for each of a plurality of data signatures based on each data signature itself and contextual information associated with a particular data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information; and
  
  creating a table comprising the columns of data signatures, contextual information, and alert condition values.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising identifying a data signature encapsulated in an application layer data field and directed at a target using an application layer protocol.
  - 12. The method of claim 10, further comprising evaluating a context of a detected data signature by one of reviewing the application layer data field type and reviewing an application layer protocol type.
  - 13. The method of claim 10, further comprising comparing context of a detected data signature to the table.
  - 14. The method of claim 10, further comprising determining whether a detected data signature poses a threat based on an assessed context of said detected data signature relative to the table.
  - 15. The method of claim 10, further comprising assigning an alert condition value to a detected data signature based on a comparison of its context to data in the table.
  - 16. The method of claim 10, further comprising identifying the plurality of data signatures relevant to computer security.

17. A machine-readable physical medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:
- designating a relative alert condition value to each data signature of a plurality of data signatures based on each data signature itself and contextual information associated with a respective data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the relative alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
  
  creating a table comprising the contextual information, the data signatures, and the relative alert condition values; and
  
  evaluating contextual information related to a detected data signature by comparing contextual information associated with the detected data signature to the table in order to determine a likelihood that a target is under attack.
- View Dependent Claims (18, 19, 20)
- - 18. The machine-readable physical medium of claim 17, further comprising program code to cause said machine to perform the operations of:
    - assigning a relative alert condition value to the detected data signature based on the evaluation of the contextual information.
  - 19. The machine-readable physical medium of claim 17, further comprising program code to cause said machine to perform the operations of:
    - correlating said detected data signature with a fingerprint of the target to determine to what extent said target is vulnerable to said data signature.
  - 20. The machine-readable physical medium of claim 17, further comprising program code to cause said machine to perform the operations of:
    - evaluating a context of the detected data signature by one of reviewing the application layer data field type and reviewing the application layer protocol type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Graham, Robert David, Kavaler, Peter
Primary Examiner(s)
Nalven; Andrew L

Application Number

US11/749,040
Publication Number

US 20070214088A1
Time in Patent Office

581 Days
Field of Search

709/225, 709/223, 713/201, 713/200, 726/25, 726/23
US Class Current

726/23
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

System and method for preventing network misuse

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing network misuse

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links