Dynamic network protection

US 7,681,235 B2
Filed: 05/19/2003
Issued: 03/16/2010
Est. Priority Date: 05/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a network, the method comprising:

measuring in real-time a property of traffic entering the network;

analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;

upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;

using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;

periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and

upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “

OR”

relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm,wherein measuring the property comprises determining a parameter characteristic of the traffic, and wherein analyzing the property comprises fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, andwherein fuzzifying the parameter comprises determining a degree of membership using the input membership function, and wherein analyzing the property further comprises applying the degree of membership to an output membership function.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting a network from an attack includes measuring a property of traffic entering the network, and analyzing the property using at least one fuzzy logic algorithm in order to detect the attack.

114 Citations

View as Search Results

66 Claims

1. A method for protecting a network, the method comprising:
- measuring in real-time a property of traffic entering the network;
  
  analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
  
  upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
  
  using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
  
  periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
  
  upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm,wherein measuring the property comprises determining a parameter characteristic of the traffic, and wherein analyzing the property comprises fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, andwherein fuzzifying the parameter comprises determining a degree of membership using the input membership function, and wherein analyzing the property further comprises applying the degree of membership to an output membership function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein developing the signatures comprises providing a group of signature types that identify respective packet header fields, counting occurrences of values of each of the packet header fields in the packets of the traffic, and designating a plurality of the values as respective ones of the signatures when respective numbers of the occurrences of the values of respective packet header fields exceed respective thresholds.
  - 3. The method according to claim 2, wherein designating the values as the signatures comprises determining that the respective numbers of occurrences occurred within a certain period of time.
  - 4. The method according to claim 1, wherein the packets have packet header fields, and wherein at least one of the signatures comprises a value of one of the packet header fields.
  - 5. The method according to claim 4, wherein the one of the packet header fields is selected from a list consisting of:
    - Transmission Control Protocol (TCP) sequence number, Internet Protocol (IP) identification number, source port, source IP address, type of service (ToS), packet size, Internet Control Message Protocol (ICMP) message type, destination undefined port, destination undefined IP address, destination defined port, destination defined IP address, time-to-live (TTL), and transport layer checksum.
  - 6. The method according to claim 1, wherein the packets have payloads, and wherein at least one of the signatures comprises a value of one of the packet payloads.
  - 7. The method according to claim 1, wherein analyzing the property comprises detecting a first type of attack, wherein filtering the traffic comprises blocking the traffic participating in the attack of the first type, wherein analyzing the property further comprises analyzing the filtered traffic to detect a second type of attack, and comprising filtering the filtered traffic in order to block the traffic participating in the attack of the second type.
  - 8. The method according to claim 1, wherein analyzing the property comprises determining at least one baseline characteristic of the traffic, and adapting the at least one fuzzy logic algorithm responsively to the baseline characteristic.
  - 9. The method according to claim 8, wherein determining the at least one baseline characteristic comprises applying Infinite Impulse Response (IIR) filtering to at least one parameter of the traffic.
  - 10. The method according to claim 8, wherein determining the at least one baseline characteristic comprises determining separate baseline characteristics for each hour of a week.
  - 11. The method according to claim 8, wherein adapting the at least one fuzzy logic algorithm comprises adapting at least one input membership function of the at least one fuzzy logic algorithm, responsively to the baseline characteristic.
  - 12. The method according to claim 1, wherein analyzing the property comprises setting a parameter of an attack input membership function of the at least one fuzzy logic algorithm responsively to a maximum bandwidth of a connection between the protected network and a wide-area network from which the traffic enters the protected network.
  - 13. The method according to claim 12, wherein analyzing the property comprises setting a further parameter of the attack input membership function responsively to a relation between an average normal rate of packets of the traffic of the certain protocol type and the maximum bandwidth.
  - 14. The method according to claim 1, wherein applying the degree of membership to the output membership function comprises applying the degree of membership to at least one of a non-attack output membership function, a potential attack output membership function of the at least one fuzzy logic algorithm, and an attack output membership function of the at least one fuzzy logic algorithm.
  - 15. The method according to claim 1, wherein analyzing the filtered traffic comprises determining a degree of attack in the filtered traffic, and wherein finding that the filtering algorithm is not successfully blocking the traffic participating in the attack comprises analyzing the degree of attack.
  - 16. The method according to claim 1, and further comprising upon finding, using the feedback control loop, that the filtering algorithm is successfully blocking the traffic participating in the attack, decreasing the level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by the first one or the second one of the signatures using an “
    - OR”
      
      relationship and a sub-signature using an “
      
      AND”
      
      relationship.

17. Apparatus for protecting a network, the apparatus comprising:
- an interface; and
  
  a network security processor, which comprises;
  
  an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
  
  a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
  
  a filtering module, which is adapted to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, andwherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm,wherein the attack detection module is adapted to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to fuzzify the parameter by determining a degree of membership using the input membership function, and to analyze the property by applying the degree of membership to an output membership function.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 18. The apparatus according to claim 17, wherein the network security processor is adapted to develop the signatures by providing a group of signature types that identify respective packet header fields, counting occurrences of values of each of the packet header fields in the packets of the traffic, and designating a plurality of the values as respective ones of the signatures when respective numbers of the occurrences of the values of respective packet header fields exceed respective thresholds.
  - 19. The apparatus according to claim 17, wherein the packets have packet header fields, and wherein at least one of the filtering parameters comprises a value of one of the packet header fields.
  - 20. The apparatus according to claim 17, wherein the packets have payloads, and wherein at least one of the filtering parameters comprises a value of one of the packet payloads.
  - 21. The apparatus according to claim 17, wherein the network security processor is not assigned an Internet Protocol (IP) address.
  - 22. The apparatus according to claim 17, wherein the network security processor is adapted to analyze the property in order to detect a level of the attack.
  - 23. The apparatus according to claim 17, wherein the network security processor is adapted to detect a first type of attack, to filter the traffic by blocking the traffic participating in the attack of the first type, to analyze the filtered traffic to detect a second type of attack, and to filter the filtered traffic in order to block the traffic participating in the attack of the second type.
  - 24. The apparatus according to claim 17, wherein the network security processor is adapted to determine at least one baseline characteristic of the traffic, and to adapt the at least one fuzzy logic algorithm responsively to the baseline characteristic.
  - 25. The apparatus according to claim 24, wherein the network security processor is adapted to determine the at least one baseline characteristic by applying Infinite Impulse Response (IIR) filtering to at least one parameter of the traffic.
  - 26. The apparatus according to claim 24, wherein the network security processor is adapted to determine the at least one baseline characteristic by determining separate baseline characteristics for each hour of a week.
  - 27. The apparatus according to claim 24, wherein the network security processor is adapted to adapt at least one input membership function of the at least one fuzzy logic algorithm, responsively to the baseline characteristic.
  - 28. The apparatus according to claim 17, wherein the network security processor is adapted to analyze the property by setting a parameter of an attack input membership function of the at least one fuzzy logic algorithm responsively to a maximum bandwidth of a connection between the protected network and a wide-area network from which the traffic enters the protected network.
  - 29. The apparatus according to claim 28, wherein the network security processor is adapted to analyze the property by setting a further parameter of the attack input membership function responsively to a relation between an average normal rate of packets of the traffic of the certain protocol type and the maximum bandwidth.
  - 30. The apparatus according to claim 17, wherein the network security processor is adapted to determine a parameter characteristic of the traffic, and to fuzzify the parameter using an input membership function of the at least one fuzzy logic algorithm.
  - 31. The apparatus according to claim 30, wherein the input membership function comprises at least one of a non-attack input membership function, a potential attack input membership function, and an attack input membership function.
  - 32. The apparatus according to claim 17, wherein the network security processor is adapted to analyze the filtered traffic by determining a degree of attack in the filtered traffic, and to find that the filtering algorithm is not successfully blocking the traffic participating in the attack by analyzing the degree of attack.
  - 33. The apparatus according to claim 17, wherein the network security processor is adapted to, upon finding, using the feedback control loop, that the filtering algorithm is successfully blocking the traffic participating in the attack, decrease the level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by the first one or the second one of the signatures using an “
    - OR”
      
      relationship and a sub-signature using an “
      
      AND”
      
      relationship.
  - 34. The apparatus according to claim 17, wherein the attack detection module is adapted to apply the degree of membership to the output membership function by applying the degree of membership to at least one of a non-attack output membership function, a potential attack output membership function of the at least one fuzzy logic algorithm, and an attack output membership function of the at least one fuzzy logic algorithm.

35. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
- OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures, wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to fuzzify the parameter by determining a degree of membership using the input membership function, and to analyze the property by applying the degree of membership to an output membership function.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 36. The product according to claim 35, wherein the instructions cause the computer to develop the signatures by providing a group of signature types that identify respective packet header fields, counting occurrences of values of each of the packet header fields in the packets of the traffic, and designating a plurality of the values as respective ones of the signatures when respective numbers of the occurrences of the values of respective packet header fields exceed respective thresholds.
  - 37. The product according to claim 35, wherein the packets have packet header fields, and wherein at least one of the filtering parameters comprises a value of one of the packet header fields.
  - 38. The product according to claim 35, wherein the packets have payloads, and wherein at least one of the filtering parameters comprises a value of one of the packet payloads.
  - 39. The product according to claim 35, wherein the instructions cause the computer to analyze the property in order to detect a level of the attack.
  - 40. The product according to claim 35, wherein the instructions cause the computer to detect a first type of attack, to filter the traffic by blocking the traffic participating in the attack of the first type, to analyze the filtered traffic to detect a second type of attack, and to filter the filtered traffic in order to block the traffic participating in the attack of the second type.
  - 41. The product according to claim 35, wherein the instructions cause the computer to determine at least one baseline characteristic of the traffic, and to adapt the at least one fuzzy logic algorithm responsively to the baseline characteristic.
  - 42. The product according to claim 41, wherein the instructions cause the computer to determine the at least one baseline characteristic by applying Infinite Impulse Response (IIR) filtering to at least one parameter of the traffic.
  - 43. The product according to claim 41, wherein the instructions cause the computer to determine the at least one baseline characteristic by determining separate baseline characteristics for each hour of a week.
  - 44. The product according to claim 41, wherein the instructions cause the computer to adapt at least one input membership function of the at least one fuzzy logic algorithm, responsively to the baseline characteristic.
  - 45. The product according to claim 35, wherein the instructions cause the computer to analyze the property by setting a parameter of an attack input membership function of the at least one fuzzy logic algorithm responsively to a maximum bandwidth of a connection between the protected network and a wide-area network from which the traffic enters the protected network.
  - 46. The product according to claim 45, wherein the instructions cause the computer to analyze the property by setting a further parameter of the attack input membership function responsively to a relation between an average normal rate of packets of the traffic of the certain protocol type and the maximum bandwidth.
  - 47. The product according to claim 35, wherein the instructions cause the computer to determine a parameter characteristic of the traffic, and to fuzzify the parameter using an input membership function of the at least one fuzzy logic algorithm.
  - 48. The product according to claim 47, wherein the input membership function comprises at least one of a non-attack input membership function, a potential attack input membership function, and an attack input membership function.
  - 49. The product according to claim 35, wherein the instructions cause the computer to analyze the filtered traffic by determining a degree of attack in the filtered traffic, and to find that the filtering algorithm is not successfully blocking the traffic participating in the attack by analyzing the degree of attack.
  - 50. The product according to claim 35, wherein the instructions cause the computer to, upon finding, using the feedback control loop, that the filtering algorithm is successfully blocking the traffic participating in the attack, decrease the level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by the first one or the second one of the signatures using an “
    - OR”
      
      relationship and a sub-signature using an “
      
      AND”
      
      relationship.
  - 51. The product according to claim 35, wherein the instructions cause the computer to apply the degree of membership to the output membership function by applying the degree of membership to at least one of a non-attack output membership function, a potential attack output membership function of the at least one fuzzy logic algorithm, and an attack output membership function of the at least one fuzzy logic algorithm.

52. A method for protecting a network, the method comprising:
- measuring in real-time a property of traffic entering the network;
  
  analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
  
  upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
  
  using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
  
  periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
  
  upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm,wherein measuring the property comprises determining a parameter characteristic of the traffic, and wherein analyzing the property comprises fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, andwherein determining the parameter comprises measuring a first parameter and a second parameter characteristic of the traffic, and wherein fuzzifying the parameter comprises;
  
  fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively; and
  
  combining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
- View Dependent Claims (53, 54, 55)
- - 53. The method according to claim 52, wherein combining the first degree of membership and the second degree of membership comprises determining the combined degree of membership using a logical OR operation.
  - 54. The method according to claim 52, wherein analyzing the property further comprises applying the combined degree of membership to an output membership function.
  - 55. The method according to claim 54, wherein applying the combined degree of membership comprises applying a truncation fuzzy implication rule.

56. Apparatus for protecting a network, the apparatus comprising:
- an interface; and
  
  a network security processor, which comprises;
  
  an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
  
  a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
  
  a filtering module, which is adapted to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm,wherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm, andwherein the attack detection module is adapted to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to determine the parameter by measuring a first parameter and a second parameter characteristic of the traffic, and to fuzzify the parameter by;
  
  fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively, andcombining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
- View Dependent Claims (57, 58, 59)
- - 57. The apparatus according to claim 56, wherein the attack detection module is adapted to combine the first degree of membership and the second degree of membership by determining the combined degree of membership using a logical OR operation.
  - 58. The apparatus according to claim 56, wherein the attack detection module is adapted to apply the combined degree of membership to an output membership function.
  - 59. The apparatus according to claim 58, wherein the attack detection module is adapted to apply the combined degree of membership by applying a truncation fuzzy implication rule.

60. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
- OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures, wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure the property by determining a parameter characteristic of the traffic, to analyze the property by fuzzifying the parameter using an input membership function of the at least one fuzzy logic algorithm, to determine the parameter by measuring a first parameter and a second parameter characteristic of the traffic, and to fuzzify the parameter by;
  
  fuzzifying the first parameter and the second parameter using the input membership function, so as to determine a first degree of membership and a second degree of membership in the input membership function for the first parameter and the second parameter, respectively; and
  
  combining the first degree of membership and the second degree of membership in order to determine a combined degree of membership.
- View Dependent Claims (61, 62, 63)
- - 61. The product according to claim 60, wherein the instructions cause the computer to combine the first degree of membership and the second degree of membership by determining the combined degree of membership using a logical OR operation.
  - 62. The product according to claim 60, wherein the instructions cause the computer to apply the combined degree of membership to an output membership function.
  - 63. The product according to claim 62, wherein the instructions cause the computer to apply the combined degree of membership by applying a truncation fuzzy implication rule.

64. A method for protecting a network, the method comprising:
- measuring in real-time a property of traffic entering the network;
  
  analyzing, by an attack detection module, the property in real-time using at least one detection algorithm in order to detect an attack;
  
  upon detection of the attack, developing, by a signature detection module, a plurality of signatures each of which characterizes packets participating in the detected attack, and organizing the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack;
  
  using a filtering algorithm, filtering the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network;
  
  periodically analyzing, by the attack detection module, the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm; and
  
  upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, increasing a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein analyzing comprises analyzing the property using the at least one fuzzy logic detection algorithm, andwherein the method comprises measuring an outbound property of traffic exiting the network, wherein analyzing the property comprises analyzing the property of the traffic entering the network using at least a first fuzzy logic algorithm, and analyzing the outbound property using at least a second fuzzy logic algorithm,wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, and wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, andwherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.

65. Apparatus for protecting a network the apparatus comprising:
- an interface; and
  
  a network security processor, which comprises;
  
  an attack detection module, which is adapted to monitor, via the interface, traffic entering the network, to measure in real-time a property of the traffic, and to analyze the property in real-time using at least one detection algorithm in order to detect an attack;
  
  a signature detection module, which is adapted, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack; and
  
  a filtering module, which is adapted to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network,wherein the attack detection module is adapted to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm,wherein the network security processor is adapted, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
  
  OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures,wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, and wherein the attack detection module is adapted to analyze the property using the at least one fuzzy logic detection algorithm,wherein the network security processor is adapted to measure an outbound property of traffic exiting the network, to analyze the property of the traffic entering the network using at least a first fuzzy logic algorithm, and to analyze the outbound property using at least a second fuzzy logic algorithm,wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, and wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, andwherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.

66. A computer software product for protecting a network, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure in real-time a property of traffic entering the network, to analyze the property in real-time using at least one detection algorithm in order to detect an attack, upon detection of the attack, to develop a plurality of signatures each of which characterizes packets participating in the detected attack, and to organize the signatures into a group ordered by respective levels of specificity of the signatures for characterizing the packets participating in the attack, to filter, using a filtering algorithm the traffic entering the network that is characterized by a first one of the signatures having a highest level of specificity among the group of signatures, in order to block traffic participating in the attack and allow filtered traffic to pass into the network, to periodically analyze the filtered traffic that passed into the network and was not blocked by the filtering algorithm, using the at least one detection algorithm, and, upon finding, using a feedback control loop having as input the analysis of the filtered traffic, that the filtering algorithm is not successfully blocking the traffic participating in the attack, to increase a level of restrictiveness of the filtering by blocking the traffic entering the network that is characterized by, using an “
- OR”
  
  relationship, the first one of the signatures or a second one of the signatures having a lower level of specificity than the first one of the signatures, wherein the at least one detection algorithm comprises at least one fuzzy logic detection algorithm, wherein the instructions cause the computer to analyze the property using the at least one fuzzy logic detection algorithm, to measure an outbound property of traffic exiting the network, to analyze the property of the traffic entering the network using at least a first fuzzy logic algorithm, and to analyze the outbound property using at least a second fuzzy logic algorithm, wherein the traffic entering the network comprises User Datagram Protocol (UDP) packets, wherein the traffic exiting the network comprises Internet Control Message Protocol (ICMP) packets, and wherein the outbound property comprises a comparison of a number of inbound UDP packets and a number of outbound ICMP packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Elboim, Abraham, Chesla, Avi, Medvedovsky, Lev
Primary Examiner(s)
Pan; Joe
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US10/441,971
Publication Number

US 20040250124A1
Time in Patent Office

2,493 Days
Field of Search

726/23, 726/11, 726/13, 726/22
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Dynamic network protection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic network protection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links