Operating a communication network through use of blocking measures for responding to communication traffic anomalies

US 7,594,263 B2
Filed: 02/05/2004
Issued: 09/22/2009
Est. Priority Date: 02/05/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of operating a communication network, comprising:

autonomously monitoring communication traffic at a communication port for an anomalous traffic;

detecting an anomaly in communication traffic at a plurality of nodes in the communication network, wherein the anomaly is an attack other than a worm or virus;

independently applying, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;

independently determining, at the respective ones of the plurality of nodes, a second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;

applying a logical combination of A and the second blocking measure B given by (A &

!B) to the anomalous traffic, wherein the logical combination (A &

!B) is a less restrictive blocking measure than a logical combination (A &

B); and

enforcing the logical combination (A &

!B), if the logical combination (A &

!B) stops the anomalous traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network is operated by detecting an anomaly in the communication traffic at a plurality of nodes in a communication network. A first blocking measure A is independently applied at respective ones of the plurality of nodes to the anomalous traffic that stops the anomalous traffic. A second blocking measure B is independently determined at the respective ones of the plurality of nodes such that application of a logical combination of the first blocking measure A and the second blocking measure B to the anomalous traffic stops the anomalous traffic.

Citations

27 Claims

1. A method of operating a communication network, comprising:
- autonomously monitoring communication traffic at a communication port for an anomalous traffic;
  
  detecting an anomaly in communication traffic at a plurality of nodes in the communication network, wherein the anomaly is an attack other than a worm or virus;
  
  independently applying, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  independently determining, at the respective ones of the plurality of nodes, a second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  applying a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  enforcing the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - independently determining a third blocking measure C, at the respective ones of the plurality of nodes, such that application of a logical combination of (A &
      
      !B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      !B) stops the anomalous traffic.
  - 3. The method of claim 1, wherein independently determining the second blocking measure B further comprises:
    - applying a logical combination (A &
      
      B) to the anomalous traffic if the logical combination (A &
      
      !B) does not stop the anomalous traffic; and
      
      enforcing the logical combination (A &
      
      B), if the logical combination (A &
      
      B) stops the anomalous traffic.
  - 4. The method of claim 3, further comprising:
    - independently determining a third blocking measure C, at the respective ones of the plurality of nodes, such that application of a logical combination of (A &
      
      B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) stops the anomalous traffic.
  - 5. The method of claim 3, further comprising:
    - determining a third blocking measure C, at the respective ones of the plurality of nodes, such that application of a logical combination of A and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) does not stop the anomalous traffic.
  - 6. The method of claim 1, wherein detecting an anomaly in the communication traffic comprises:
    - comparing the communication traffic to at least one anomaly factor; and
      
      detecting the anomaly in the communication traffic at the plurality of nodes in the communication network if the at least one anomaly factor is present in the communication traffic.
  - 7. The method of claim 1, further comprising:
    - assigning a severity to the detected anomaly; and
      
      wherein independently applying the first blocking measure A to the anomalous traffic comprises independently applying the first blocking measure A to the anomalous traffic at each of the plurality of nodes in the communication network that stops or reduces the flow of the anomalous traffic based on the severity of the detected anomaly.
  - 8. The method of claim 1, further comprising:
    - intentionally inserting the anomaly in the communication traffic; and
      
      associating the first blocking measure A and the second blocking measure B with the anomaly.

9. A method of operating a communication network, comprising:
- detecting an anomaly in communication traffic at a plurality of nodes in the communication network;
  
  synchronously applying, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  synchronously determining, at the respective ones of the plurality of nodes, a second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  applying a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  enforcing the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.

10. A system for operating a communication network, comprising:
- a processor;
  
  program means executing on the processor including;
  
  means for autonomously monitoring communication traffic at a communication port for an anomalous traffic;
  
  means for detecting an anomaly in communication traffic at a plurality of nodes in the communication network, wherein the anomaly is an attack other than a worm or virus;
  
  means for independently applying, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  means for independently determining, at the respective ones of the plurality of nodes a, second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  means for applying a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  means for enforcing the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, further comprising:
    - means for independently determining, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of (A &
      
      !B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      !B) stops the anomalous traffic.
  - 12. The system of claim 10, wherein the means for independently determining the second blocking measure B further comprises:
    - means for applying a logical combination (A &
      
      B) to the anomalous traffic if the logical combination (A &
      
      !B) does not stop the anomalous traffic; and
      
      means for enforcing the logical combination (A &
      
      B), if the logical combination (A &
      
      B) stops the anomalous traffic.
  - 13. The system of claim 12, further comprising:
    - means for independently determining, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of (A &
      
      B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) does not stop the anomalous traffic.
  - 14. The system of claim 12, further comprising:
    - means for determining, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of A and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) does not stop the anomalous traffic.
  - 15. The system of claim 10, wherein the means for detecting an anomaly in the communication traffic comprises:
    - means for comparing the communication traffic to at least one anomaly factor; and
      
      means for detecting the anomaly in the communication traffic at the plurality of nodes in the communication network, if the at least one anomaly factor is present in the communication traffic.
  - 16. The system of claim 10, further comprising:
    - means for assigning a severity to the detected anomaly; and
      
      wherein the means for independently applying the first blocking measure A to the anomalous traffic comprises means for independently applying the first blocking measure A to the anomalous traffic at each of the plurality of nodes in the communication network that stops or reduces the flow of the anomalous traffic based on the severity of the detected anomaly.
  - 17. The system of claim 10, further comprising:
    - means for intentionally inserting the anomaly in the communication traffic; and
      
      means for associating the first blocking measure A and the second blocking measure B with the anomaly.

18. A system for operating a communication network, comprising:
- means for detecting an anomaly in communication traffic at a plurality of nodes in the communication network;
  
  means for synchronously applying, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  means for synchronously determining a second blocking measure B at the respective ones of the plurality of nodes such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  means for applying a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  means for enforcing the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.

19. A computer program product for operating a communication network, comprising:
- a tangible computer storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to autonomously monitor communication traffic at a communication port for an anomalous traffic;
  
  computer readable program code configured to detect an anomaly in communication traffic at a plurality of nodes in the communication network, wherein the anomaly is an attack other than a worm or virus;
  
  computer readable program code configured to independently apply, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  computer readable program code configured to independently determine at the respective ones of the plurality of nodes a second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  computer readable program code configured to apply a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  computer readable program code configured to enforce the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer program product of claim 19, further comprising:
    - computer readable program code configured to independently determine, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of (A &
      
      !B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic if the logical combination (A &
      
      !B) stops the anomalous traffic.
  - 21. The computer program product of claim 19, wherein the computer readable program code configured to independently determine the second blocking measure B further comprises:
    - computer readable program code configured to apply a logical combination (A &
      
      B) to the anomalous traffic if the logical combination (A &
      
      !B) does not stop the anomalous traffic; and
      
      computer readable program code configured to enforce the logical combination (A &
      
      B), if the logical combination (A &
      
      B) stops the anomalous traffic.
  - 22. The computer program product of claim 21, further comprising:
    - computer readable program code configured to independently determine, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of (A &
      
      B) and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) stops the anomalous traffic.
  - 23. The computer program product of claim 21, further comprising:
    - computer readable program code configured to determine, at the respective ones of the plurality of nodes, a third blocking measure C such that application of a logical combination of A and the third blocking measure C to the anomalous traffic stops the anomalous traffic, if the logical combination (A &
      
      B) does not stop the anomalous traffic.
  - 24. The computer program product of claim 19, wherein the computer readable program code configured to detect an anomaly in the communication traffic comprises:
    - computer readable program code configured to compare the communication traffic to at least one anomaly factor; and
      
      computer readable program code configured to detect the anomaly in the communication traffic at the plurality of nodes in the communication network, if the at least one anomaly factor is present in the communication traffic.
  - 25. The computer program product of claim 19, further comprising:
    - computer readable program code configured to assign a severity to the detected anomaly; and
      
      wherein the computer readable program code configured to independently apply the first blocking measure A to the anomalous traffic comprises computer readable program code configured to independently apply the first blocking measure A to the anomalous traffic at each of the plurality of nodes in the communication network that stops or reduces the flow of the anomalous traffic based on the severity of the detected anomaly.
  - 26. The computer program product of claim 19, further comprising:
    - computer readable program code configured to intentionally insert the anomaly in the communication traffic; and
      
      computer readable program code configured to associate the first blocking measure A and the second blocking measure B with the anomaly.

27. A computer program product for operating a communication network, comprising:
- a tangible computer storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to detect an anomaly in communication traffic at a plurality of nodes in the communication network;
  
  computer readable program code configured to synchronously apply, at respective ones of the plurality of nodes, a first blocking measure A to the anomalous traffic that stops the anomalous traffic;
  
  computer readable program code configured to synchronously determine at the respective ones of the plurality of nodes a second blocking measure B such that application of a logical combination of the first blocking measure A and the second blocking measure B stops the anomalous traffic;
  
  computer readable program code configured to apply a logical combination of A and the second blocking measure B given by (A &
  
  !B) to the anomalous traffic, wherein the logical combination (A &
  
  !B) is a less restrictive blocking measure than a logical combination (A &
  
  B); and
  
  computer readable program code configured to enforce the logical combination (A &
  
  !B), if the logical combination (A &
  
  !B) stops the anomalous traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ziraldo, John, Boulanger, Alan, Jeffries, Clark D., Himberger, Kevin
Primary Examiner(s)
Sheikh; Ayza R
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/774,017
Publication Number

US 20050177872A1
Time in Patent Office

2,056 Days
Field of Search

726 11- 15, 726 22- 25, 709223-226, 370/235
US Class Current

726/16
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Operating a communication network through use of blocking measures for responding to communication traffic anomalies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Operating a communication network through use of blocking measures for responding to communication traffic anomalies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links