Dynamic network protection
4 Assignments
0 Petitions
Abstract
A method for protecting a network from an attack includes measuring a property of traffic entering the network, and analyzing the property using at least one fuzzy logic algorithm in order to detect the attack.
114 Citations
66 Claims
1. A method for protecting a network, the method comprising:
measuring in real-time a property of traffic entering the network;
analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm,
wherein measuring the property comprises determining a parameter characteristic of the traffic, and wherein analyzing the property comprises fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, and
wherein fuzzifying the parameter comprises determining a degree of membership using the input membership function, and wherein analyzing the property further comprises applying the degree of membership to an output membership function.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
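The detect, filter, re-analyze and escalate loop of claims 1, 17 and 35, worked through as an added Python example. This is illustrative code written for this page, not the patent's implementation: the packet fields, the packets-per-second property, the ramp-shaped input membership function and its bounds, the 0.5 output cut, the three signature specificity levels derived from the most common attack packet, and the constructed traffic mix are all assumptions. The filter starts with only the most specific signature; when the re-analysis of the traffic that passed still reads as an attack, the next less specific signature is added in an "OR" relationship.

```python
"""Added example (not the patent's own code): a fuzzy detector feeding an
escalating signature filter through a feedback loop. Packet fields, membership
bounds, the 0.5 output cut, the three signature levels and the traffic mix are
all constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str
    dst_port: int
    length: int


@dataclass(frozen=True)
class Signature:
    name: str
    specificity: int                 # higher = characterizes attack packets more narrowly
    match: Callable[[Packet], bool]


def ramp(x: float, low: float, high: float) -> float:
    """Input membership function: degree in [0, 1] to which x is 'high'."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def detect_attack(packets: Sequence[Packet], window_s: float) -> Tuple[float, bool]:
    """Measure the packet rate, fuzzify it with the input membership function, then
    apply the degree to the output membership function (assumed cut: 0.5 = attack)."""
    degree = ramp(len(packets) / window_s, low=100.0, high=1000.0)   # assumed bounds
    return degree, degree >= 0.5


def develop_signatures(packets: Sequence[Packet]) -> List[Signature]:
    """Derive signatures from the most common packet shape in the attack window,
    ordered from most to least specific."""
    t = Counter(packets).most_common(1)[0][0]
    return [
        Signature("src+proto+port+len", 3, lambda p: p == t),
        Signature("proto+port", 2, lambda p: (p.proto, p.dst_port) == (t.proto, t.dst_port)),
        Signature("proto", 1, lambda p: p.proto == t.proto),
    ]


class EscalatingFilter:
    """Blocks a packet matching ANY active signature (the claimed "OR" relationship)."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = sorted(signatures, key=lambda s: -s.specificity)
        self.level = 1               # start with the most specific signature only

    def apply(self, packets: Sequence[Packet]) -> List[Packet]:
        active = self.signatures[:self.level]
        return [p for p in packets if not any(s.match(p) for s in active)]

    def escalate(self) -> bool:
        """Widen the block by OR-ing in the next, less specific signature."""
        if self.level < len(self.signatures):
            self.level += 1
            return True
        return False


def protect(windows: Sequence[Sequence[Packet]], window_s: float = 1.0) -> List[dict]:
    """Feedback loop over successive windows: detect, filter, re-analyze only what
    passed, and escalate while attack traffic is still getting through."""
    history, filt = [], None
    for traffic in windows:
        if filt is None and detect_attack(traffic, window_s)[1]:
            filt = EscalatingFilter(develop_signatures(traffic))
        passed = filt.apply(traffic) if filt else list(traffic)
        degree, still_attack = detect_attack(passed, window_s)     # analyze filtered traffic
        escalated = bool(filt) and still_attack and filt.escalate()
        history.append({"passed": len(passed), "degree": degree, "attack": still_attack,
                        "level": filt.level if filt else 0, "escalated": escalated})
    return history


def constructed_window() -> List[Packet]:
    """Constructed traffic: two flood sources toward one UDP port plus a little legitimate traffic."""
    flood = [Packet("198.51.100.7", "udp", 53, 512)] * 600 + [Packet("203.0.113.9", "udp", 53, 512)] * 500
    legit = [Packet(f"192.0.2.{i}", "tcp", 443, 1200) for i in range(30)]
    legit += [Packet(f"192.0.2.{i}", "udp", 123, 76) for i in range(20)]
    return flood + legit


if __name__ == "__main__":
    for i, step in enumerate(protect([constructed_window()] * 2), 1):
        print(f"window {i}: {step}")
```

In the first window the most specific signature removes only one of the two flood sources, the re-analysis of the traffic that passed still yields a degree of 0.5, and the filter escalates to the "proto+port" signature; in the second window only the legitimate traffic passes and the degree drops to 0. The point of ordering by specificity is that collateral blocking grows only as far as the feedback loop proves necessary.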
17. Apparatus for protecting a network, the apparatus comprising:
an interface; and
a network security processor, which comprises:
an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
a filtering module, which is adapted to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,
wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and
wherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm,
wherein the attack detection module is adapted to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to fuzzify the parameter by determining a degree of membership using the input membership function, and to analyze the property by applying the degree of membership to an output membership function.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34.
35. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to fuzzify the parameter by determining a degree of membership using the input membership function, and to analyze the property by applying the degree of membership to an output membership function.
Dependent claims: 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51.
52. A method for protecting a network, the method comprising:
measuring in real-time a property of traffic entering the network;
analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm,
wherein measuring the property comprises determining a parameter characteristic of the traffic, and wherein analyzing the property comprises fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, and
wherein determining the parameter comprises measuring a first parameter and a second parameter characteristic of the traffic, and wherein fuzzifying the parameter comprises:
fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively; and
combining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
Dependent claims: 53, 54, 55.
56. Apparatus for protecting a network, the apparatus comprising:
an interface; and
a network security processor, which comprises:
an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
a filtering module, which is adapted to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,
wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm,
wherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm, and
wherein the attack detection module is adapted to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to determine the parameter by measuring a first parameter and a second parameter characteristic of the traffic, and to fuzzify the parameter by:
fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively, and
combining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
Dependent claims: 57, 58, 59.
60. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to determine the parameter by measuring a first parameter and a second parameter characteristic of the traffic, and to fuzzify the parameter by:
fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively; and
combining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
Dependent claims: 61, 62, 63.
64. A method for protecting a network, the method comprising:
measuring in real-time a property of traffic entering the network;
analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm, and
wherein the method comprises measuring an outbound property of traffic exiting the network, wherein analyzing the property comprises analyzing the property of the traffic entering the network using at least a first fuzzy logic algorithm, and analyzing the outbound property using at least a second fuzzy logic algorithm,
wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, and wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, and wherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.
65. Apparatus for protecting a network, the apparatus comprising:
an interface; and
a network security processor, which comprises:
an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
a filtering module, which is adapted to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,
wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm,
wherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm,
wherein the network security processor is adapted to measure an outbound property of traffic exiting the network, to analyze the property of the traffic entering the network using at least a first fuzzy logic algorithm, and to analyze the outbound property using at least a second fuzzy logic algorithm,
wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, and wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, and wherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.
66. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm, the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “OR” relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,
wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure an outbound property of traffic exiting the network, to analyze the property of the traffic entering the network using at least a first fuzzy logic algorithm, and to analyze the outbound property using at least a second fuzzy logic algorithm,
wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, and wherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.
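The two-parameter fuzzification of claims 52, 56 and 60 and the second fuzzy algorithm over the inbound-UDP versus outbound-ICMP comparison of claims 64, 65 and 66, worked through as one added Python example. This is illustrative code written for this page, not the patent's implementation. The claims do not say which two parameters are measured, how the two degrees of membership are combined, or how the UDP/ICMP comparison is formed; the choices here (inbound UDP packet rate and mean packet size as the two parameters, min as the combination, the ratio of outbound ICMP to inbound UDP packets as the outbound property, max across the two algorithms, and the trapezoid bounds and output cut points) are all assumptions, as are the constructed counters.

```python
"""Added example (not the patent's own code): fuzzifying two traffic parameters
and combining their degrees of membership, plus a second fuzzy algorithm over
the comparison of inbound UDP and outbound ICMP counts. The counters, the
membership bounds, the min/max combination rules and the output labels are
constructed assumptions."""
import math
from dataclasses import dataclass


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Input membership function: rises over a..b, is 1 over b..c, falls over c..d.
    Infinite c and d give an open 'high' shoulder; infinite a and b an open 'low' one."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


@dataclass(frozen=True)
class WindowCounters:
    """Constructed per-window counters, as a traffic sensor might export them."""
    udp_in: int            # inbound UDP packets in the window
    udp_in_bytes: int      # their total size in bytes
    icmp_out: int          # outbound ICMP packets in the same window
    window_s: float = 1.0


def inbound_degree(w: WindowCounters) -> float:
    """First fuzzy algorithm, two parameters: the inbound UDP rate is 'high' and the
    mean packet size is 'small'. The two degrees are combined with min (assumed AND)."""
    pps = w.udp_in / w.window_s
    mean_len = w.udp_in_bytes / w.udp_in if w.udp_in else 0.0
    d_rate = trapezoid(pps, 200, 800, math.inf, math.inf)          # assumed bounds
    d_small = trapezoid(mean_len, -math.inf, -math.inf, 80, 200)   # assumed bounds
    return min(d_rate, d_small)


def outbound_degree(w: WindowCounters) -> float:
    """Second fuzzy algorithm: the outbound property is the ratio of outbound ICMP
    to inbound UDP packets in the window, fuzzified as 'high'."""
    ratio = w.icmp_out / w.udp_in if w.udp_in else 0.0
    return trapezoid(ratio, 0.2, 0.6, math.inf, math.inf)          # assumed bounds


def output_label(degree: float) -> str:
    """Output membership function, defuzzified to a label by assumed cut points."""
    if degree < 0.3:
        return "normal"
    if degree < 0.7:
        return "suspicious"
    return "attack"


def analyze(w: WindowCounters) -> dict:
    """Run both algorithms and combine their results with max (assumed OR)."""
    d_in, d_out = inbound_degree(w), outbound_degree(w)
    combined = max(d_in, d_out)
    return {"inbound": d_in, "outbound": d_out, "combined": combined,
            "verdict": output_label(combined)}


# Constructed windows: a quiet link, a small-packet UDP flood that draws many ICMP
# replies, and a borderline window that lands between the two.
NORMAL = WindowCounters(udp_in=150, udp_in_bytes=45_000, icmp_out=3)
FLOOD = WindowCounters(udp_in=900, udp_in_bytes=57_600, icmp_out=720)
BORDERLINE = WindowCounters(udp_in=500, udp_in_bytes=64_000, icmp_out=150)

if __name__ == "__main__":
    for name, w in (("normal", NORMAL), ("flood", FLOOD), ("borderline", BORDERLINE)):
        print(name, analyze(w))
```

The borderline window is the case the graded output is for: the rate membership is 0.5 and the size membership 0.6, so the combined inbound degree is 0.5, the ICMP ratio only reaches 0.25, and the verdict is "suspicious" rather than a hard block. Keeping the two algorithms separate lets the outbound ICMP comparison raise the verdict on its own when the inbound parameters alone look ordinary.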
Specification