Method and system for reducing scope of self-propagating attack code in network
Abstract
Technique for protecting a communications network, such as a computer network, from attacks such as self-propagating code or violations of security policies, in which the network is divided into “compartments” that are separated by access control devices such as firewalls. The access control devices are then used to stop the spread of self-propagating attack code, for example “zero-day” worms. However, the access control devices are configured such that, upon activation, legitimate in-use network services will not be jeopardized.
34 Claims
1. A system for controlling communications over a computer network, the system comprising:
- access control devices for the computer network that control communications between compartments of the computer network;
- attack detection system for determining whether the computer network may be under attack; and
- a control plane for instructing the access control devices to allow network communications between the compartments of the computer network based on a usage model describing legitimate network communications while restricting other network communications between the compartments, in response to attack.
Dependent claims: 2-20.

21. A method for responding to an attack on a computer network, the method comprising:
- generating a usage model for the computer network;
- determining whether the computer network may be under attack;
- in response to detecting attack, determining characteristics of the attack; and
- generating instructions to access control devices compartmentalizing the computer network in response to the characteristics of the attack, wherein the step of generating instructions to the access control devices comprises formulating pass and/or blocking rules for the access control devices in response to protocol characteristics and/or port characteristics of the attack;
- issuing the instructions to the access control devices, which then compartmentalize the computer network by implementing the pass and/or blocking rules.
Dependent claims: 22-33.

34. A system for controlling communications over a computer network, the system comprising:
- access control devices for the computer network that control communications between compartments of the computer network;
- attack detection system for determining whether the computer network may be under attack; and
- a control plane for instructing the access control devices to only allow network communications between the host computers in different compartments of the computer network based on a usage model describing legitimate network communications while restricting all other network communications between the host computers, in response to attack.
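The following is an added illustration of the method of claim 21 and the stricter variant of claim 34; it is not code from the patent or its assignee. It models the three parts the claims name: a usage model built from observed compartment-to-compartment flows, a detector that flags a protocol/port as under attack when one source fans out to many destinations on it, and a control plane that turns the usage model into ordered pass rules followed by a block rule, which a simulated access control device then evaluates. The compartment names, baseline flows, telemetry and the fan-out threshold are all constructed for the demo; the port-scoped versus block-everything choice is a modelling decision, not something the claims specify.

```python
"""Added example (not the patent's own code): usage model -> attack detection ->
pass/block rules pushed to compartment access control devices."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A flow between two compartments: (src_compartment, dst_compartment, proto, dst_port)
Flow = Tuple[str, str, str, int]

# Constructed baseline of traffic observed during normal operation (assumed values).
BASELINE: List[Flow] = [
    ("workstations", "servers", "tcp", 445),   # file shares
    ("workstations", "servers", "tcp", 443),   # intranet web
    ("servers", "dmz", "tcp", 25),             # outbound mail relay
    ("workstations", "servers", "udp", 53),    # DNS
]


def build_usage_model(flows: Iterable[Flow]) -> Set[Flow]:
    """Usage model: the set of compartment-to-compartment flows seen in normal use."""
    return set(flows)


@dataclass(frozen=True)
class Attack:
    proto: str
    dst_port: int


def detect_attack(events: Iterable[Tuple[str, str, str, int]],
                  min_targets: int = 20) -> List[Attack]:
    """Flag (proto, port) as under attack when a single source reaches at least
    min_targets distinct destinations on it: the fan-out pattern of self-propagating
    code. events are (src_host, dst_host, proto, dst_port); the threshold is assumed."""
    targets: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for src, dst, proto, port in events:
        targets[(src, proto, port)].add(dst)
    found = {Attack(proto, port) for (_, proto, port), dsts in targets.items()
             if len(dsts) >= min_targets}
    return sorted(found, key=lambda a: (a.proto, a.dst_port))


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # compartment name or "*"
    dst: str
    proto: str                # protocol name or "*"
    dst_port: Optional[int]   # None matches any port


def formulate_rules(model: Set[Flow], attack: Attack,
                    scope_to_attack: bool = True) -> List[Rule]:
    """Control-plane step. scope_to_attack=True (claim 21 style): pass the legitimate
    flows on the attacked proto/port, then block that proto/port between compartments.
    scope_to_attack=False (claim 34 style): pass every modelled flow, block all else.
    Rules are ordered; the device applies the first match."""
    if scope_to_attack:
        keep = [f for f in sorted(model) if f[2] == attack.proto and f[3] == attack.dst_port]
        catch_all = Rule("block", "*", "*", attack.proto, attack.dst_port)
    else:
        keep = sorted(model)
        catch_all = Rule("block", "*", "*", "*", None)
    return [Rule("pass", s, d, p, port) for (s, d, p, port) in keep] + [catch_all]


def acl_decision(rules: List[Rule], flow: Flow) -> str:
    """Simulated access control device: first matching rule decides. Default is pass,
    so the device restricts only what the control plane told it to restrict."""
    src, dst, proto, port = flow
    for r in rules:
        if (r.src in ("*", src) and r.dst in ("*", dst)
                and r.proto in ("*", proto) and r.dst_port in (None, port)):
            return r.action
    return "pass"


def demo() -> Dict[str, object]:
    model = build_usage_model(BASELINE)
    # Constructed telemetry: one workstation probing 30 servers on tcp/445 plus one
    # ordinary HTTPS connection.
    events = [("ws-17", f"srv-{i:02d}", "tcp", 445) for i in range(30)]
    events.append(("ws-03", "srv-01", "tcp", 443))
    attacks = detect_attack(events)
    rules = [r for a in attacks for r in formulate_rules(model, a)]
    return {
        "attacks": attacks,
        "legit_smb": acl_decision(rules, ("workstations", "servers", "tcp", 445)),
        "reverse_smb": acl_decision(rules, ("servers", "workstations", "tcp", 445)),
        "smb_to_dmz": acl_decision(rules, ("workstations", "dmz", "tcp", 445)),
        "unrelated_https": acl_decision(rules, ("workstations", "servers", "tcp", 443)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the port-scoped rules, the file-share flow the usage model already contains keeps passing, the same port in any direction or toward any compartment the model never saw is blocked, and traffic on other ports is untouched. Switching `scope_to_attack` to `False` yields the claim 34 behaviour, where every inter-compartment flow outside the model is blocked regardless of port, which is safer against a worm that changes ports but disrupts any service the baseline failed to capture.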
Specification