Distributed intrusion response system

US 7,581,249 B2
Filed: 11/14/2003
Issued: 08/25/2009
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and a plurality of interconnection devices, the method comprising the steps of:

a. providing means for one or more attached functions to connect to one or more of a plurality of interconnection devices of the network system;

b. acquiring information about the attached functions seeking access to the network services;

c. determining whether one or more stored policies exist for the attached functions;

d. allowing at least one of the one or more attached functions to access a selectable portion of the network services based on a policy established in one or more of the interconnection devices;

e. monitoring the network system for intrusions;

f. excluding from at least one of the plurality of interconnection devices a policy enforcement module for effecting its own signal transfer policy changes;

g. including in at least one of the plurality of interconnection devices the capability for such interconnection device to change directly its own signal transfer policies;

h. upon detection of one or more intrusions of the network,i. determining a physical address or a logical address for each attached function associated with the source of the intrusion; and

ii. identifying one or more interconnection devices having a policy enforcement module and used by the identified attached function or functions to gain access to the network services;

i. selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions; and

j. saving changed policies for the one or more attached functions.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and makes a determination whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies. Policy changes rules can vary from no change to complete port blocking on one or more identified enforcement devices associated with the detected intrusion, to redirecting the associated traffic including the intrusion and these policies may be modified or removed over time as warranted by network operation.

78 Citations

View as Search Results

27 Claims

1. A method of responding to the detection of an intrusion on a network system that provides network services, the network system including one or more attached functions and a plurality of interconnection devices, the method comprising the steps of:
- a. providing means for one or more attached functions to connect to one or more of a plurality of interconnection devices of the network system;
  
  b. acquiring information about the attached functions seeking access to the network services;
  
  c. determining whether one or more stored policies exist for the attached functions;
  
  d. allowing at least one of the one or more attached functions to access a selectable portion of the network services based on a policy established in one or more of the interconnection devices;
  
  e. monitoring the network system for intrusions;
  
  f. excluding from at least one of the plurality of interconnection devices a policy enforcement module for effecting its own signal transfer policy changes;
  
  g. including in at least one of the plurality of interconnection devices the capability for such interconnection device to change directly its own signal transfer policies;
  
  h. upon detection of one or more intrusions of the network,i. determining a physical address or a logical address for each attached function associated with the source of the intrusion; and
  
  ii. identifying one or more interconnection devices having a policy enforcement module and used by the identified attached function or functions to gain access to the network services;
  
  i. selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions; and
  
  j. saving changed policies for the one or more attached functions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23, 24, 27)
- - 2. The method as claimed in claim 1 wherein the physical address information is a MAC address or the logical address information is an IP address.
  - 3. The method as claimed in claim 1 further comprising the step of employing an intrusion detection device of the network system to perform the function of detecting the one or more intrusions, wherein the intrusion detection device is either a centralized network system device, a plurality of distributed network system devices or a combination of both.
  - 4. The method as claimed in claim 1 wherein the step of identifying the interconnection device used by the attached function includes the step of determining the physical address, logical address, or both for the interconnection device.
  - 5. The method as claimed in claim 1 further comprising the step of verifying the identification of the identified source of the intrusion.
  - 6. The method as claimed in claim 1 wherein the step of selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions includes the step of configuring the one or more interconnection devices to perform one or more functions selected from the group consisting of:
    - blocking complete access to the network services by an identified source of a detected intrusion, blocking access by identified logical addresses only, blocking access by an identified access protocol only, limiting bandwidth, limiting exchanges to or from the one or more interconnection devices, to or from one or more other devices of the network system, or to or from any of the attached functions not identified as an intrusion source, and directing all signals exchanged by the identified sources to a honeypot, an intrusion detection device, a monitoring device, or a simulation device.
  - 7. The method as claimed in claim 1 wherein the step of selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions includes the step of configuring the one or more interconnection devices to permit connectivity of an identified source of a detected intrusion while dampening the level of activity associated with the identified source to minimize network harm while permitting analysis and auditing of the identified source and the gathering of forensic evidence.
  - 8. The method as claimed in claim 1 wherein the step of selectively changing one or more signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions includes the steps of first configuring a first set of the one or more interconnection devices with a first set of one or more policy changes, monitoring the network system for intrusions and, upon detection of one or more intrusions related to the intrusions causing the first one or more policy changes, configuring a second set of the one or more interconnection devices with a second set of one or more policy changes.
  - 9. The method as claimed in claim 8 wherein one or more of the one or more interconnection devices of the second set are interconnection devices of the first set.
  - 10. The method as claimed in claim 1 wherein the one or more interconnection devices are network entry devices.
  - 11. The method as claimed in claim 1 wherein the one or more signal transfer policy changes are configured on one or more ports of the identified interconnection devices associated with the source of the intrusion.
  - 12. The method as claimed in claim 1 further comprising the step of verifying the identification of the identified source of the intrusion.
  - 23. The method as claimed in claim 1 wherein the identified attached function gains access to the network services through one of the interconnection devices to which it is directly connected.
  - 24. The method as claimed in claim 1 further comprising the step of establishing one or more policies for the one or more attached functions without communicating with a centralized policy server.
  - 27. The method as claimed in claim 1 wherein the at least one of the plurality of interconnection devices further includes an intrusion detection function.

13. A network system including a plurality of attached functions, and the network system including the capability to respond to intrusions thereof, the network system comprising:
- a. an intrusion detection function for identifying one or more sources of one or more intrusions of the network system;
  
  b. a plurality of interconnection devices for transferring signals through the network system, wherein each of the plurality of interconnection devices includes one or more signal transfer policies, wherein at least one of the plurality of interconnection devices includes the function to change directly its own signal transfer policies;
  
  c. a function of a policy enforcement module to change selectively the signal transfer policies of one or more of the plurality of interconnection devices in response to the one or more detected intrusions, wherein at least one of the plurality of interconnection devices excludes the policy enforcement module to establish therein the function to change selectively its own signal transfer policies;
  
  d. means to connect one or more attached functions to one or more of the plurality of interconnection devices;
  
  e. a function to determine whether a stored policy history exists for the one or more attached functions;
  
  f. one or more policies established on one or more of the interconnection devices to allow at least one of the one or more attached functions to access a selectable portion of the network services;
  
  g. a function to determine a physical address or a logical address for the attached function or attached functions identified by the intrusion detection function as the source or sources of the one or more intrusions;
  
  h. a function to identify the one or more interconnection devices having the policy enforcement module and used by the one or more identified attached functions to gain access to the network services; and
  
  i. a function to save modified policies for the one or more attached functions.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 25, 26)
- - 14. The network system as claimed in claim 13 further comprising a directory service function for receiving address information for the attached functions and the interconnection devices.
  - 15. The network system as claimed in claim 14 further comprising a policy manager function for configuring the plurality of interconnection devices with the signal transfer policies.
  - 16. The network system as claimed in claim 15 further comprising a policy decision function configured:
    - a. to receive detected intrusion information from the intrusion detection function;
      
      b. to receive information from the directory service function;
      
      c. to evaluate whether a policy change or changes is or are required on one or more of the interconnection devices in response to the detected intrusion information; and
      
      d. to direct the policy manager function to configure one or more of the plurality of interconnection devices with determined policy changes upon deciding to do so based upon the evaluation.
  - 17. The network system as claimed in claim 16 wherein the policy manager function and the policy decision function are part of a centralized server.
  - 18. The network system as claimed in claim 17 wherein the directory service function is part of the central server.
  - 19. The network system as claimed in claim 13 wherein the intrusion detection function is a centralized intrusion detection function or a distributed intrusion detection function.
  - 20. The network system as claimed in claim 13 wherein the one or more of the plurality of interconnection devices selected for signal transfer policies changes are network entry devices selected based on their local connection to the one or more sources of the one or more intrusions.
  - 21. The network system as claimed in claim 13 further comprising a network management system for identifying address information for the plurality of interconnection devices.
  - 22. The network system as claimed in claim 13 further comprising a function to validate the accuracy of the identity of the identified one or more sources including a logical address, a physical address, or a location.
  - 25. The network system as claimed in claim 13 wherein the one or more identified attached functions gain access to the network services through one of the interconnection devices to which they are directly connected.
  - 26. The network system as claimed in claim 13 wherein the policy enforcement module is configured to establish one or more policies for one or more of the one or more attached functions without communicating with a centralized policy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Townsend, Mark, Bussiere, Richard, Graham, Richard, Roese, John, Harrington, David, Pettit, Steven
Primary Examiner(s)
Brown, Christopher J

Application Number

US10/713,560
Publication Number

US 20050108568A1
Time in Patent Office

2,111 Days
Field of Search

726/23, 726/11, 726/12, 726/13, 726/22, 713/89, 713/189
US Class Current

726/22
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Distributed intrusion response system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed intrusion response system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links