Method and system for reducing scope of self-propagating attack code in network

US 7,596,807 B2
Filed: 10/14/2003
Issued: 09/29/2009
Est. Priority Date: 07/03/2003
Status: Active Grant

First Claim

Patent Images

1. A system for controlling communications over a computer network, the system comprising:

access control devices for the computer network that control communications between compartments of the computer network;

attack detection system for determining whether the computer network may be under attack; and

a control plane for instructing the access control devices to allow network communications between the compartments of the computer network based on a usage model describing legitimate network communications while restricting other network communications between the compartments, in response to attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technique for protecting a communications network, such a computer network, from attack such as self-propagating code violations of security policies, in which the network is divided into “compartments” that are separated by access control devices such as firewalls. The access control devices are then used to stop the spread of self-propagating attack code, the “zero-day” worms, for example. However, the access control devices are configured such that upon activation legitimate in-use network services will not be jeopardized.

82 Citations

View as Search Results

34 Claims

1. A system for controlling communications over a computer network, the system comprising:
- access control devices for the computer network that control communications between compartments of the computer network;
  
  attack detection system for determining whether the computer network may be under attack; and
  
  a control plane for instructing the access control devices to allow network communications between the compartments of the computer network based on a usage model describing legitimate network communications while restricting other network communications between the compartments, in response to attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A system as claimed in claim 1, wherein the computer network is an enterprise network.
  - 3. A system as claimed in claim 1, wherein the computer network is a service provider network.
  - 4. A system as claimed in claim 1, wherein the computer network is a public network.
  - 5. A system as claimed in claim 1, wherein the access control devices compartmentalize the computer network into separate sub-networks of network devices.
  - 6. A system as claimed in claim 1, wherein the access control devices separate host computers from the computer network.
  - 7. A system as claimed in claim 1, further comprising a network modeling system for generating the usage model.
  - 8. A system as claimed in claim 7, wherein the network modeling system receives flow information describing communications between network devices.
  - 9. A system as claimed in claim 8, wherein the flow information is collected by network communications devices.
  - 10. A system as claimed in claim 8, wherein the flow information is collected by the access control devices.
  - 11. A system as claimed in claim 8, wherein the network modeling system discards flow information between network devices in the computer network and network devices external to the computer network.
  - 12. A system as claimed in claim 7, wherein the network modeling system compares new network communications to the usage model and updates the usage model if the new network communications are not described by the usage model.
  - 13. A system as claimed in claim 1, wherein entries in the usage model comprise source addresses, destination addresses, source ports, and destination ports derived from the network communications.
  - 14. A system as claimed in claim 1, wherein entries in the usage model comprise source addresses, destination addresses, source ports, and destination ports derived from the network communications in addition to time stamp information indicating when the network communication was last detected.
  - 15. A system as claimed in claim 1, wherein entries in the usage model comprise source addresses, destination addresses, source ports, and destination ports derived from the network communications in addition to frequency information indicating a frequency of the network communication.
  - 16. A system as claimed in claim 1, wherein the attack detection system monitors communications over the computer network for attack using signature detection.
  - 17. A system as claimed in claim 1, wherein the attack detection system performs heuristic modeling to determine whether the computer network is under attack.
  - 18. A system as claimed in claim 1, wherein the attack detection system monitors communications over the computer network for attack by monitoring changes in connections between network devices.
  - 19. A system as claimed in claim 1, wherein the control plane receives protocol information and/or port information characteristic of the attack and generates pass and/or blocking rules for the access control devices.
  - 20. A system as claimed in claim 1, wherein the control plane receives protocol information and/or port information characteristic of the attack and generates pass rules and blocking rules for the access control devices, in which the pass rules are generated from the usage model and the blocking rules are generated from the protocol information and/or port information characteristic of the attack.

21. A method for responding to an attack on a computer network, the method comprising:
- generating a usage model for the computer network;
  
  determining whether the computer network may be under attack;
  
  in response to detecting attack, determining characteristics of the attack; and
  
  generating instructions to access control devices compartmentalizing the computer network in response to the characteristics of the attack, wherein the step of generating instructions to the access control devices comprises formulating pass and/or blocking rules for the access control devices in response to protocol characteristics and/or port characteristic of the attack;
  
  issuing the instructions to the access control device which then compartmentalize the computer network by implementing the pass and/or blocking rules.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. A method as claimed in claim 21, wherein the step of generating the usage model comprises saving records describing network communications to and from network devices on the computer network.
  - 23. A method as claimed in claim 21, wherein the step of generating the usage model comprises saving records describing network communications between network devices on the computer network.
  - 24. A method as claimed in claim 21, wherein the step of generating the usage model comprises saving records that include port, protocol, source address and destination address of network communications to and from network devices on the computer network.
  - 25. A method as claimed in claim 21, further comprising the step of the access control device compartmentalizing the computer network into separate sub-networks of network devices.
  - 26. A method as claimed in claim 21, further comprising the step of the access control device compartmentalizing the computer network by separating host computers from the computer network.
  - 27. A method as claimed in claim 21, wherein the step of generating a usage model comprises:
    - collecting flow information at network communications devices; and
      
      passing the flow information to a network modeling system.
  - 28. A method as claimed in claim 27, wherein the step of collecting flow information is performed by the access control devices.
  - 29. A method as claimed in claim 21, wherein the step of generating a usage model comprises comparing network communications to the usage model and updating the usage model if the network communications are not described by the usage model.
  - 30. A method as claimed in claim 21, wherein the step of determining whether the computer network may be under attack comprises monitoring network communications for attack signatures.
  - 31. A method as claimed in claim 21, wherein the step of determining whether the computer network may be under attack comprises performing heuristic modeling to determine whether the computer network is under attack.
  - 32. A method as claimed in claim 21, wherein the step of determining whether the computer network may be under attack comprises monitoring changes in connections between network devices.
  - 33. A method as claimed in claim 21, wherein the step of generating instructions to the access control devices comprises generating pass rules and blocking rules for the access control devices, in which the pass rules are generated from the usage model and the blocking rules are generated from protocol and/or port characteristics of the attack.

34. A system for controlling communications over a computer network, the system comprising:
- access control devices for the computer network that control communications between compartments of the computer network;
  
  attack detection system for determining whether the computer network may be under attack; and
  
  a control plane for instructing the access control devices to only allow network communications between the host computers in different compartments of the computer network based on a usage model describing legitimate network communications while restricting all other network communications between the host computers, in response to attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Song, Douglas Joon, Nazario, Jose Oscar, Ptacek, Thomas Henry
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/684,964
Publication Number

US 20050005017A1
Time in Patent Office

2,177 Days
Field of Search

726/22, 726/13, 726/11
US Class Current

726/11
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

H04L 63/1408 by monitoring network traff...

Method and system for reducing scope of self-propagating attack code in network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reducing scope of self-propagating attack code in network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links