Method and system for protecting computer networks by altering unwanted network data traffic

US 7,657,938 B2
Filed: 10/28/2004
Issued: 02/02/2010
Est. Priority Date: 10/28/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting a computer network, comprising the steps of:

a network security device monitoring network data carried by the computer network;

the network security device analyzing first byte information of the network data to determine whether the network data comprises one of a plurality of intrusion events; and

in response to detecting one of the plurality of intrusion events in the network data, the network security device forwarding the network data to an intended destination on the computer network, the network security device predicting additional network data associated with the detected intrusion event, the network security device altering at least a portion of second byte information of the predicted additional network data and the network security device forwarding the altered second byte information of the predicted additional network data to the intended destination on the computer network prior to arrival of actual additional network data corresponding to the predicted additional network data at the intended destination, thereby causing the actual additional network data to be discarded,otherwise, the network security device passing the first byte information without alteration to the destination in the absence of detecting one of the plurality of intrusion events in the network data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting computer networks by altering unwanted network data traffic. An Intrusion Protection System (IPS) or an Intrusion Detection System (IDS) can monitor network data traffic comprising byte information. This network security device analyzes network data traffic at the byte level to determine whether an intrusion event is present in the network data traffic. If an intrusion event is detected, the network security device alters at least a portion of the relevant byte information to prevent the occurrence of a successful intrusion event at the intended destination. This altered byte information is then passed to the destination by the network security device. If an intrusion event is not present, the network security device passes the byte information without alteration to the destination.

Citations

14 Claims

1. A computer-implemented method for protecting a computer network, comprising the steps of:
- a network security device monitoring network data carried by the computer network;
  
  the network security device analyzing first byte information of the network data to determine whether the network data comprises one of a plurality of intrusion events; and
  
  in response to detecting one of the plurality of intrusion events in the network data, the network security device forwarding the network data to an intended destination on the computer network, the network security device predicting additional network data associated with the detected intrusion event, the network security device altering at least a portion of second byte information of the predicted additional network data and the network security device forwarding the altered second byte information of the predicted additional network data to the intended destination on the computer network prior to arrival of actual additional network data corresponding to the predicted additional network data at the intended destination, thereby causing the actual additional network data to be discarded,otherwise, the network security device passing the first byte information without alteration to the destination in the absence of detecting one of the plurality of intrusion events in the network data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the first byte information of the network data comprises a plurality of bytes, and the monitoring step comprises the steps of:
    - the network security device reading each of the plurality of bytes of the network data; and
      
      the network security device maintaining an application state for each of the plurality of bytes of the network data.
  - 3. The computer-implemented method according to claim 2, wherein said analyzing step comprises the steps of:
    - for each of the plurality of bytes of the network data, the network security device identifying an event corresponding to the application state; and
      
      the network security device determining whether the corresponding event is an intrusion event.
  - 4. The computer-implemented method according to claim 1, wherein the second byte information of the predicted additional network data comprises a plurality of bytes, and the altering step comprises the steps of:
    - the network security device determining the location of the detected intrusion event within the predicted additional network data;
      
      the network security device inspecting each of the plurality of bytes at the location of the detected intrusion event; and
      
      the network security device identifying each of the plurality of bytes that requires alteration to prevent a successful occurrence of the detected intrusion event at the intended destination, the alteration defined by a response plan associated with the detected intrusion event; and
      
      the network security device completing the alteration of each identified byte in accordance with the response plan.
  - 5. The computer-implemented method according to claim 4,wherein the response plan defines response plan bytes for substitution within the second byte information, andthe altering step comprises the network security device substituting the response plan bytes within a location of certain bytes for the second byte information,thereby changing at least a portion of the second byte information for the detected intrusion event in a manner that neutralizes the harmful effects of the detected intrusion event.
  - 6. The computer-implemented method according to claim 4,wherein the response plan defines response plan bytes for injection within the second byte information, andthe altering step comprises the network security device injecting the response plan bytes at a location adjacent to certain bytes for the second byte information.
  - 7. The computer-implemented method according to claim 1, wherein said altering step further comprises the network security device correcting a checksum for the altered portion of the second byte information.

8. A computer-implemented method for protecting a computer network, comprising the steps of:
- a network security device monitoring network data carried by the computer network;
  
  the network security device analyzing first byte information of the network data to determine whether the network data comprises one of a plurality of intrusion events;
  
  in response to detecting one of the plurality of intrusion events in the network data, the network security device forwarding the network data to an intended destination on the computer network, the network security device predicting additional network data associated with the detected intrusion event, the network security device altering at least a portion of second byte information of the predicted additional network data, the second byte information of the predicted additional network data comprising a plurality of bytes, the altering step comprising;
  
  the network security device determining the location of the detected intrusion event within the predicted additional network data, inspecting each of the plurality of bytes at the location of the detected intrusion event,the network security device identifying each of the plurality bytes that requires alteration to prevent a successful occurrence of the detected intrusion event at the destination, the alteration defined by a response plan associated with the detected intrusion event, andthe network security device completing the alteration of each identified byte in accordance with the response plan;
  
  the network security device forwarding the altered second byte information of the predicted additional network data to the intended destination on the computer network prior to arrival of actual additional network data corresponding to the predicted additional network data at the intended destination, thereby causing the actual additional network data to be discarded; and
  
  in the absence of detecting one of the plurality of intrusion events, the network security device passing the first byte information without alteration to the destination.

9. A computer system for protecting a computer network from intrusion by an unauthorized user, the system comprising:
- a network security device communicably coupled to the computer network;
  
  first program instructions to analyze network data transported by the computer network to determine whether the network data comprises one of a plurality of intrusion events and, in the absence of identifying one of the plurality of intrusion events, passing the network data to an intended destination on the computer network; and
  
  second program instructions to respond to the detection of one of the plurality of intrusion events by predicting additional network data associated with the detected intrusion event and altering at least a portion of byte-level information of the predicted additional network data corresponding to the detected intrusion event and forwarding the altered portion of the predicted additional network data to the intended destination on the computer network prior to arrival of actual additional network data corresponding to the predicted additional network data at the intended destination, thereby causing the actual additional network data to be discarded,wherein the first and second program instructions are stored on the network security device for execution by the network security device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the network security device is positioned in-line with respect to the computer network.
  - 11. The system of claim 9, wherein the network security device is positioned out-of-line with respect to the computer network.
  - 12. The system of claim 9, wherein the network security device comprises an Intrusion Detection System (“
    - IDS”
      
      ).
  - 13. The system of claim 9, wherein the network security device comprises an Intrusion Prevention System (“
    - IPS”
      
      ).

14. A computer-implemented method for protecting a computer network, comprising the steps of:
- a network security device monitoring network data carried by the computer network;
  
  the network security device analyzing the network data to determine whether the network data comprises one of a plurality of intrusion events; and
  
  in the event that the network data fails to comprise one of the plurality of intrusion events, the network security device passing the network data to a destination coupled to the computer network;
  
  in the event that the network data comprises one of the plurality of intrusion events, the network security device forwarding the network data to the destination, the network security device predicting additional network data associated with the detected intrusion event, the network security device altering at least a portion of the predicted additional network data associated with the detected intrusion event and the network security device forwarding the predicted additional network data comprising the portion of altered network data and any remainder of unaltered network data to the destination prior to arrival of actual additional network data corresponding to the predicted additional network data at the destination, thereby preventing the occurrence of the detected intrusion event at the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Graham, Robert David, Palmer, Bernard Paul Jr.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Zee; Edward

Application Number

US10/978,208
Publication Number

US 20050120243A1
Time in Patent Office

1,923 Days
Field of Search

726/13, 726/22, 726/23, 726/11, 726/12, 726/25, 370/229, 370/230, 370/235
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Method and system for protecting computer networks by altering unwanted network data traffic

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting computer networks by altering unwanted network data traffic

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links