Applying blocking measures progressively to malicious network traffic
First Claim
1. A method of responding progressively to network anomalies, said method comprising:
- applying a blocking measure or suspending the blocking measure in accordance with a state B(t) of the blocking measure at time t for discrete values of t which are integer multiples of a time interval Dt, said discrete values of t representing t=0, Dt, 2*Dt, . . . , J*Dt, wherein J is a positive integer equal to or greater than 2;
wherein if B(t)=1 then the blocking measure is applied and if B(t)=0 then the blocking measure is suspended;
wherein D(t)=1 if a last output measurement of a network anomaly detector indicates that a network anomaly is present and D(t)=0 otherwise;
wherein S(t) is a time stamp indicating the absolute start time of a most recent sequence of time values with consecutive application of the blocking measure;
wherein K(t) is a count of the number of times, within a present epoch of consecutive detections of network anomaly, that the blocking measure has been suspended and then re-applied in response to detection of a persistent network anomaly;
wherein P(t) is a duration of the blocking measure and is a non-decreasing function of K(t);
wherein a specified positive integer L is a maximum permitted value of K(t);
wherein t=0 is a time prior to execution of a loop of J iterations denoted as iterations 1, 2, . . . , J;
wherein at t=0, B(0)=1, A(0)=1, S(0)=0, K(0)=0, and P(0)=P0=I*Dt, wherein I is a positive integer;
wherein B(t), S(t), and K(t) are iteratively computed during execution of the loop such that in each iteration:
B(t+Dt) = D(t)*(1−B(t)) + (1−D(t)*(1−B(t)))*if(t+Dt−S(t) < P(t) then 1, else 0),
S(t+Dt) = B(t+Dt)*(1−B(t))*(t+Dt−S(t)) + S(t),
K(t+Dt) = min{L, D(t)*(K(t)+B(t+Dt)*(1−B(t)+(1−D(t))*B(t+Dt)*(K(t)+1−B(t))))},
t = t+Dt after B(t+Dt), S(t+Dt), and K(t+Dt) have been determined.
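Claim 1's recurrence carried through as a runnable simulation (an added example, not code from the patent). It assumes Dt = 1, a doubling duration P(t) = P0·2^K(t) (the claim only requires P to be non-decreasing in K), and that the detector is re-tested only while the block is suspended, as the abstract describes, so D(t) otherwise keeps its last value; the detector readings fed in are constructed.

```python
# Added example, not the patent's code: claim 1's B/S/K recurrence simulated step by step.
# Assumptions: Dt = 1; P(t) = P0 * 2**K(t) (the claim only requires P non-decreasing in K);
# the detector is re-tested only while the block is suspended, so D(t) holds otherwise.
from dataclasses import dataclass

@dataclass
class State:
    t: int
    B: int  # 1 = blocking measure applied, 0 = suspended
    S: int  # absolute start time of the current run of consecutive blocking
    K: int  # suspend/re-apply count within the current detection epoch
    D: int  # last detector output (1 = anomaly present)

def duration(K, P0):
    """P(t): block duration, non-decreasing in K(t); assumed to double per re-application."""
    return P0 * 2 ** K

def step(s, Dt, L, P0):
    """One loop iteration, written term for term as in claim 1."""
    P = duration(s.K, P0)
    within = 1 if s.t + Dt - s.S < P else 0             # the "if(...) then 1, else 0" term
    B_next = s.D * (1 - s.B) + (1 - s.D * (1 - s.B)) * within
    S_next = B_next * (1 - s.B) * (s.t + Dt - s.S) + s.S
    K_next = min(L, s.D * (s.K + B_next * (1 - s.B + (1 - s.D) * B_next * (s.K + 1 - s.B))))
    return State(s.t + Dt, B_next, S_next, K_next, s.D)

def simulate(detector, Dt=1, L=3, I=2):
    """Run J = len(detector) iterations from the claimed t=0 state; return states for t=0..J."""
    P0 = I * Dt
    s = State(t=0, B=1, S=0, K=0, D=1)                   # B(0)=1, S(0)=0, K(0)=0, P(0)=I*Dt
    trace = [s]
    for t in range(len(detector)):
        if s.B == 0:                                     # "another test is made" while suspended
            s = State(s.t, s.B, s.S, s.K, detector[t])
        s = step(s, Dt, L, P0)
        trace.append(s)
    return trace

def blocked_runs(trace):
    """Lengths of consecutive runs with B(t)=1, i.e. how long each applied block lasted."""
    runs, run = [], 0
    for s in trace + [State(-1, 0, 0, 0, 0)]:             # sentinel flushes a trailing run
        run = run + 1 if s.B else run
        if not s.B and run:
            runs.append(run)
            run = 0
    return runs

if __name__ == "__main__":
    tr = simulate([1] * 16 + [0])                         # constructed: anomaly gone at the third re-test
    print(blocked_runs(tr), tr[-1])                       # [2, 4, 8] State(t=17, B=0, S=8, K=0, D=0)
```

With these readings the block is applied for 2, 4 and 8 intervals and K(t) resets to 0 once the third re-test is clean, the "state of readiness" of the abstract. With L=2 and a persistent anomaly, K(t) saturates and every further block lasts 8 intervals.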
Abstract
A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.
291 Citations
10 Claims
Specification