Distributed intrusion response system
First Claim
1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and a plurality of interconnection devices, the method comprising the steps of:
a. providing means for one or more attached functions to connect to one or more of a plurality of interconnection devices of the network system;
b. acquiring information about the attached functions seeking access to the network services;
c. determining whether one or more stored policies exist for the attached functions;
d. allowing at least one of the one or more attached functions to access a selectable portion of the network services based on a policy established in one or more of the interconnection devices;
e. monitoring the network system for intrusions;
f. excluding from at least one of the plurality of interconnection devices a policy enforcement module for effecting its own signal transfer policy changes;
g. including in at least one of the plurality of interconnection devices the capability for such interconnection device to change directly its own signal transfer policies;
h. upon detection of one or more intrusions of the network,
    i. determining a physical address or a logical address for each attached function associated with the source of the intrusion; and
    ii. identifying one or more interconnection devices having a policy enforcement module and used by the identified attached function or functions to gain access to the network services;
i. selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions; and
j. saving changed policies for the one or more attached functions.
Abstract
A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and determines whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies. Policy change rules can range from no change, to complete port blocking on one or more identified enforcement devices associated with the detected intrusion, to redirecting the associated traffic (including the intrusion); these policies may be modified or removed over time as warranted by network operation.
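The response loop the abstract describes, as an added Python simulation that is not part of the patent text or any product: an intrusion report is resolved by a directory service to the source's logical and physical address and to the path of interconnection devices it attaches through, a policy decision function picks a response, and a policy manager pushes that response to the nearest device on the path that actually carries a policy enforcement module (claim 1 steps f and g allow for devices that lack one), recording the change per attached function so it can later be reverted. The device and interface names, addresses, the 1-10 severity scale, the decision thresholds and the quarantine VLAN number are all constructed assumptions.

```python
"""Constructed simulation of a distributed intrusion response loop (not patent code)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    NONE = "no-change"
    REDIRECT = "redirect"    # steer the attached function's traffic to a quarantine VLAN
    BLOCK = "block"          # disable the port it attaches through


@dataclass
class IntrusionReport:
    source_ip: str           # logical address as reported by the intrusion detection function
    signature: str
    severity: int            # constructed 1..10 scale


@dataclass
class PortState:
    action: Action = Action.NONE
    redirect_vlan: Optional[int] = None


class EnforcementDevice:
    """An interconnection device; only one with has_pem=True can be reconfigured."""
    def __init__(self, name: str, has_pem: bool):
        self.name, self.has_pem = name, has_pem
        self.ports: dict[str, PortState] = {}

    def apply(self, port: str, action: Action, vlan: Optional[int] = None) -> None:
        if not self.has_pem:
            raise RuntimeError(f"{self.name} has no policy enforcement module")
        self.ports[port] = PortState(action, vlan)


class DirectoryService:
    """Resolves IP -> MAC (ARP table) and MAC -> ordered path of (device, port) pairs (FDB)."""
    def __init__(self, arp: dict[str, str], fdb: dict[str, list[tuple[str, str]]]):
        self.arp, self.fdb = arp, fdb

    def locate(self, ip: str) -> tuple[str, list[tuple[str, str]]]:
        mac = self.arp[ip]
        return mac, self.fdb[mac]


class PolicyDecisionFunction:
    """Maps a report to one of the abstract's three outcomes (constructed thresholds)."""
    def decide(self, report: IntrusionReport) -> Action:
        if report.severity >= 8:
            return Action.BLOCK
        if report.severity >= 5:
            return Action.REDIRECT
        return Action.NONE


class PolicyManager:
    QUARANTINE_VLAN = 999    # constructed

    def __init__(self, devices: dict[str, EnforcementDevice]):
        self.devices = devices
        self.history: dict[str, list[tuple[str, str, Action]]] = {}  # saved policies per MAC

    def enforce(self, mac: str, path: list[tuple[str, str]], action: Action) -> Optional[tuple[str, str]]:
        """Push the policy to the first device on the path that has a PEM and save it."""
        for dev_name, port in path:
            dev = self.devices[dev_name]
            if dev.has_pem:
                vlan = self.QUARANTINE_VLAN if action is Action.REDIRECT else None
                dev.apply(port, action, vlan)
                self.history.setdefault(mac, []).append((dev_name, port, action))
                return dev_name, port
        return None  # no enforcement point on the path

    def restore(self, mac: str) -> int:
        """Remove every saved policy for an attached function; returns how many were undone."""
        changes = self.history.pop(mac, [])
        for dev_name, port, _ in changes:
            self.devices[dev_name].apply(port, Action.NONE)
        return len(changes)


def respond(report: IntrusionReport, directory: DirectoryService,
            pdf: PolicyDecisionFunction, manager: PolicyManager) -> dict:
    mac, path = directory.locate(report.source_ip)
    action = pdf.decide(report)
    enforced_at = manager.enforce(mac, path, action) if action is not Action.NONE else None
    return {"mac": mac, "action": action, "enforced_at": enforced_at}


def build_sample() -> tuple[DirectoryService, PolicyDecisionFunction, PolicyManager]:
    """Constructed topology: edge1 has a PEM, legacy edge2 does not, core1 does."""
    arp = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:aa:bb:cc:dd:ee"}
    fdb = {"00:11:22:33:44:55": [("edge1", "Gi1/0/7"), ("core1", "Te1/1")],
           "00:aa:bb:cc:dd:ee": [("edge2", "Gi1/0/3"), ("core1", "Te1/2")]}
    devices = {"edge1": EnforcementDevice("edge1", True),
               "edge2": EnforcementDevice("edge2", False),
               "core1": EnforcementDevice("core1", True)}
    return DirectoryService(arp, fdb), PolicyDecisionFunction(), PolicyManager(devices)


if __name__ == "__main__":
    directory, pdf, manager = build_sample()
    print(respond(IntrusionReport("10.0.0.5", "port-scan", 9), directory, pdf, manager))
    print(respond(IntrusionReport("10.0.0.9", "worm-propagation", 6), directory, pdf, manager))
    print("restored:", manager.restore("00:11:22:33:44:55"))
```

The second sample host shows the device-selection point: its edge switch has no enforcement module, so the policy manager walks the path and applies the redirect on the core device's uplink port instead. The saved history is what lets an operator or a later policy re-evaluation roll the change back once the attached function is remediated.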
27 Claims
1. (Independent; text reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23, 24, 27.
13. A network system including a plurality of attached functions, and the network system including the capability to respond to intrusions thereof, the network system comprising:
a. an intrusion detection function for identifying one or more sources of one or more intrusions of the network system;
b. a plurality of interconnection devices for transferring signals through the network system, wherein each of the plurality of interconnection devices includes one or more signal transfer policies, wherein at least one of the plurality of interconnection devices includes the function to change directly its own signal transfer policies;
c. a function of a policy enforcement module to change selectively the signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions, wherein at least one of the plurality of interconnection devices excludes the policy enforcement module to establish therein the function to change selectively its own signal transfer policies;
d. means to connect one or more attached functions to one or more of the plurality of interconnection devices;
e. a function to determine whether a stored policy history exists for the one or more attached functions;
f. one or more policies established on one or more of the interconnection devices to allow at least one of the one or more attached functions to access a selectable portion of the network services;
g. a function to determine a physical address or a logical address for the attached function or attached functions identified by the intrusion detection function as the source or sources of the one or more intrusions;
h. a function to identify the one or more interconnection devices having the policy enforcement module and used by the one or more identified attached functions to gain access to the network services; and
i. a function to save modified policies for the one or more attached functions.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 25, 26.