Network intrusion mitigation

US 7,676,841 B2
Filed: 02/01/2005
Issued: 03/09/2010
Est. Priority Date: 02/01/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for mitigating against a cyber attack on a network, the method comprising:

receiving an IP address of an infected device and a signature identifier from an intrusion detection system at a cyber attack mitigation control center in response to the intrusion detection system detecting an event that represents a threat to the network at one or more locations on the network, wherein the intrusion detection system checks data packets travelling through the network against a predefined signature;

locating, by the cyber attack mitigation control center, a physical port associated with the threat in response to receiving the IP address by;

a) querying, by the cyber attack mitigation control center, an address table corresponding to a first router or a first switch to determine a port associated with the IP address on the router or the switch,b) if the port associated with the IP address is not connected to the infected device, navigating to a second router or to a second switch connected to the port associated with the IP address of the first router or to the first switch, andc) navigating to additional routers and/or switches by repeating a) and b) until the physical port associated with the infected device is located; and

automatically shutting off the physical port associated with the infected device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are methods and apparatus, including computer program products, for mitigating against a cyber attack on a network. An indication is received from an intrusion detection system that an event has occurred representing a threat to the network. Upon receiving the event from the intrusion detection system, automated processes determine a port associated with the threat and automatically block the port.

313 Citations

30 Claims

1. A computer-implemented method for mitigating against a cyber attack on a network, the method comprising:
- receiving an IP address of an infected device and a signature identifier from an intrusion detection system at a cyber attack mitigation control center in response to the intrusion detection system detecting an event that represents a threat to the network at one or more locations on the network, wherein the intrusion detection system checks data packets travelling through the network against a predefined signature;
  
  locating, by the cyber attack mitigation control center, a physical port associated with the threat in response to receiving the IP address by;
  
  a) querying, by the cyber attack mitigation control center, an address table corresponding to a first router or a first switch to determine a port associated with the IP address on the router or the switch,b) if the port associated with the IP address is not connected to the infected device, navigating to a second router or to a second switch connected to the port associated with the IP address of the first router or to the first switch, andc) navigating to additional routers and/or switches by repeating a) and b) until the physical port associated with the infected device is located; and
  
  automatically shutting off the physical port associated with the infected device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 further comprising identifying a physical address of the network device using the locating steps.
  - 3. The method of claim 2 wherein the physical address comprises a media access control address.
  - 4. The method of claim 2 further comprising preventing the network from assigning another logical address to any device having the identified physical address.
  - 5. The method of claim 4 where preventing further comprises employing DHCP to prevent the network from assigning another logical address to any device having the identified physical address.
  - 6. The method of claim 1 further comprising preventing the infected device from reconnecting to the network.
  - 7. The method of claim 1 wherein the address table comprises one or more routing tables maintained by routers in the network.
  - 8. The method of claim 1 further comprising periodically querying one or more routers of the network to build a list of active interfaces on each router or the logical ports corresponding to each active interface.
  - 9. The method of claim 1 further comprising automatically transmitting an electronic notification of the received event to a predefined list of users.
  - 10. The method of claim 9 further comprising automatically changing a frequency of notification when a predefined number of events are received within a predefined period of time.
  - 11. The method of claim 1 further comprising re-enabling the physical port after a device associated with the threat has been cleaned.
  - 12. The method of claim 1 wherein navigating to the physical port occurs without a network map.
  - 13. The method of claim 1 wherein automatically shutting off the physical port occurs without the use of a filter.
  - 14. The method of claim 1 wherein locating comprises employing CDP protocol.
  - 15. The method of claim 1 further comprising:
    - scanning a device to determine if all necessary patches have been installed; and
      
      automatically shutting off the physical port associated with the scanned device if it is determined that all of the necessary patches have not been installed.
  - 16. The method of claim 15 wherein the scanned device is a device that has been reactivated.
  - 17. The method of claim 1 further comprising displaying an element in a graphical user interface associated with the cyber attack mitigation control center, the element being configured to receive user input to select from a set of states comprising an inactive state, an active state, or both, wherein the active state includes automatically detecting and shutting down the physical port associate with the infected device indentified in the received information and the inactive state includes not automatically reacting to received information.
  - 18. The method of claim 1 wherein receiving comprises downloading as a CSV file.

19. A system for mitigating against a cyber attack on a network, the system comprising:
- a communications network; and
  
  a computing device in communication with the communications network, the computing device being configured to;
  
  receive an IP address of an infected device and a signature identifier from an intrusion detection system at a cyber attack mitigation control center in response to the intrusion detection system detecting an event that represents a threat to the network at one or more locations on the network, wherein the intrusion detection system checks data packets travelling through the network against a predefined signature;
  
  locate, by the cyber attack mitigation control center, a physical port associated with the threat in response to receiving the IP address by;
  
  a) querying, by the cyber attack mitigation control center, an address table corresponding to a first router or a first switch to determine a port associated with the IP address on the router or the switch,b) if the port associated with the IP address is not connected to the infected device, navigating to a second router or to a second switch connected to the port associated with the IP address of the first router or to the first switch, andc) navigating to additional routers and/or switches by repeating a) and b) until the physical port associated with the infected device is located; and
  
  automatically shut off the physical port associated with the infected device.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19 wherein the computing device further comprises a segmentation module configured to automatically block a plurality of ports associated with a logical segment of the network.
  - 21. The system of claim 20 wherein the logical segment of the network comprises a segment associated with enterprise functionality.
  - 22. The system of claim 20 wherein the logical segment of the network comprises a segment associated with production, testing, or general computing.
  - 23. The system of claim 19, further comprising:
    - a interface generation module configured to generate a graphical user interface to associate a user with a port management module, a filtering module, a segmentation module, or any combination thereof.

24. A computer program product, tangibly embodied in a computer-readable storage medium, for mitigating against a cyber attack on a network, the computer program product including instructions being operable to cause data processing apparatus to:
- receive an IP address of an infected device and a signature identifier from an intrusion detection system at a cyber attack mitigation control center in response to the intrusion detection system detecting an event that represents a threat to the network at one or more locations on the network, wherein the intrusion detection system checks data packets travelling through the network against a predefined signature;
  
  locate, by the cyber attack mitigation control center, a physical port associated with the threat in response to receiving the IP address by;
  
  a) querying, by the cyber attack mitigation control center, an address table corresponding to a first router or a first switch to determine a port associated with the IP address on the router or the switch,b) if the port associated with the IP address is not connected to the infected device, navigating to a second router or to a second switch connected to the port associated with the IP address of the first router or to the first switch, andc) navigating to additional routers and/or switches by repeating a) and b) until the physical port associated with the infected device is located; and
  
  automatically shut down the physical port associated with the infected device.

25. A computer-implemented method for mitigating against a cyber attack on a network, the method comprising:
- receiving an IP address of an infected device and a signature identifier from an intrusion detection system at a cyber attack mitigation control center in response to the intrusion detection system detecting an event that represents a threat to the network at one or more locations on the network, wherein the intrusion detection system checks data packets travelling through the network against a predefined signature;
  
  locating, by the cyber attack mitigation control center, a physical port associated with the threat in response to receiving the IP address by;
  
  a) querying, by the cyber attack mitigation control center, an address table corresponding to a first router or a first switch to determine a port associated with the IP address on the router or the switch,b) if the port associated with the IP address is not connected to the infected device, navigating to a second router or to a second switch connected to the port associated with the IP address of the first router or to the first switch, andc) navigating to additional routers and/or switches by repeating a) and b) until the physical port associated with the infected device is located; and
  
  automatically blocking the physical port.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The method of claim 25 wherein automatically blocking the physical port further comprises employing an extended access control list.
  - 27. The method of claim 26 wherein automatically blocking further comprises applying the extended access control list to one or more routers associated with a region selected by a user.
  - 28. The method of claim 25 wherein locating comprises determining a logical grouping of interfaces associated with a segment of the network.
  - 29. The method of claim 28 wherein automatically blocking comprises blocking each physical port associated with a device included in the logical grouping.
  - 30. The method of claim 25 comprising blocking one or more protocol ports in response to receiving the IP address, wherein the protocol port is a Hypertext Transfer Protocol port, a Transmission Control Protocol port, a User Datagram Protocol port, a Hypertext Transfer Protocol Secure port, or any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FMR LLC
Original Assignee
FMR LLC
Inventors
Brady, Michael, Subramaniam, Shekhar, Donnegan, George, Gelfenshteyn, Alexander, Zaheer, Khurram, McGuire, Roger, Sobchuk, Gregory M., Shetty, Ramesh
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/049,628
Publication Number

US 20060174342A1
Time in Patent Office

1,862 Days
Field of Search

726 11- 14, 726 22- 24
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Network intrusion mitigation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

313 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion mitigation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

313 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links