Leveraging active firewalls for network intrusion detection and retardation of attack

US 8,170,020 B2
Filed: 12/08/2005
Issued: 05/01/2012
Est. Priority Date: 12/08/2005
Status: Active Grant

First Claim

Patent Images

1. A standalone network filter coupled to a computer system, the filter comprising:

a network interface supporting a plurality of ports;

a controller operable to route traffic originating from a sender that is received at an inactive port of the plurality of ports; and

a processing unit operable to;

receive the traffic routed from the controller;

obtain, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;

based at least in part on the traffic data obtained from the traffic, categorize the traffic on the inactive port as a threat;

categorize the traffic on the inactive port as having a predetermined attack profile;

determine that the traffic meets a threshold number of communication attempts by the sender at the inactive port;

responsive to determining that the traffic meets a threshold number of communication attempts at the inactive port, perform protective measures comprising;

using the traffic data obtained from the traffic to provide a delayed response with an inflated error rate on the inactive port, wherein the delayed response communicates to the sender that a vulnerability exists on the computer system and causes the sender to allocate additional resources to continue attacking the computer system via the inactive port;

manipulating a payload size of the traffic from the sender on the inactive port to reduce communication bandwidth; and

notifying a neighboring server and a clearinghouse of at least a portion of the traffic data obtained from the traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network firewall or network filter functions normally to pass data on open ports to a respective service or data source associated with an open port. In addition, traffic arriving on closed ports may be directed to a handler for analysis and response. The handler may analyze and catalog the source and type of traffic arriving on the closed ports. The handler may then send a response with either a fixed response or data tailored to the type and nature of the traffic. The handler may respond slowly to cause the source of the traffic to wait for the response, thereby slowing the speed at which a potential attacker can identify valid targets and proceed past non-valid targets.

Citations

12 Claims

1. A standalone network filter coupled to a computer system, the filter comprising:
- a network interface supporting a plurality of ports;
  
  a controller operable to route traffic originating from a sender that is received at an inactive port of the plurality of ports; and
  
  a processing unit operable to;
  
  receive the traffic routed from the controller;
  
  obtain, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
  
  based at least in part on the traffic data obtained from the traffic, categorize the traffic on the inactive port as a threat;
  
  categorize the traffic on the inactive port as having a predetermined attack profile;
  
  determine that the traffic meets a threshold number of communication attempts by the sender at the inactive port;
  
  responsive to determining that the traffic meets a threshold number of communication attempts at the inactive port, perform protective measures comprising;
  
  using the traffic data obtained from the traffic to provide a delayed response with an inflated error rate on the inactive port, wherein the delayed response communicates to the sender that a vulnerability exists on the computer system and causes the sender to allocate additional resources to continue attacking the computer system via the inactive port;
  
  manipulating a payload size of the traffic from the sender on the inactive port to reduce communication bandwidth; and
  
  notifying a neighboring server and a clearinghouse of at least a portion of the traffic data obtained from the traffic.
- View Dependent Claims (2, 3)
- - 2. The filter of claim 1, wherein to categorize the traffic on the inactive port as a threat is further based on suspected attack information.
  - 3. The filter of claim 2, further comprising determining a trustworthiness ranking of the suspected attack information based on whether the suspected attack information is internally generated by the computer system, received from the neighboring server or another neighboring server, or the clearinghouse or another clearinghouse.

4. A standalone network firewall associated with a computer system, the firewall comprising:
- a network interface supporting a plurality of ports associated with one or more services, including a closed port that is inactive and not associated with the one or more services;
  
  a controller;
  
  a processing unit separate from the controller or the one or more services,the controller configured to route traffic received at the closed port to the processing unit, the traffic originating from a sender,the processing unit configured to;
  
  receive the traffic routed from the controller;
  
  obtain, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
  
  responsive to receiving the traffic routed from the controller and based on the traffic data obtained from the traffic, determine that the traffic is a threat;
  
  determine that the traffic meets a threshold number of communication attempts by the sender at the closed port; and
  
  responsive to determining that the traffic meets the threshold number of communication attempts at the closed port, perform protective measures comprising;
  
  modifying an operation profile of the firewall;
  
  over a secure session or secure tunnel, notifying at least one associated entity of the threat and providing the at least one entity with some or all of the traffic data obtained from the traffic, the at least one associated entity comprising a neighboring server or a clearinghouse;
  
  using the traffic data obtained from the traffic to provide a response to the sender that has an inflated error rate associated with the closed port, the response providing an indication to the sender that a vulnerability exists and delaying the sender'"'"'s discovery that the closed port is inactive, to provide the response comprising;
  
  generating the response using the traffic data obtained from the traffic;
  
  delaying communication of the response to the sender; and
  
  reducing a packet size of the response to reduce communication bandwidth between the sender and the firewall.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The firewall of claim 4, wherein the processing unit is further operable to categorize the traffic on the closed port as having a predetermined attack profile.
  - 6. The firewall of claim 4, wherein the response comprises data unrelated to any corresponding service of the one or more services that is associated with an active port of the plurality of ports.
  - 7. The firewall of claim 4, wherein the response comprises information provided by the clearinghouse.
  - 8. The firewall of claim 4, wherein determining that the traffic is a threat is further based on at least a portion of suspected attack information.
  - 9. The firewall of claim 8, further comprising determining a trustworthiness ranking of the suspected attack information based on whether the suspected attack information is internally generated by the computer system, provided by the neighboring server, or provided by the clearinghouse.

10. A method comprising:
- supporting a plurality of ports including a closed port that is inactive and not associated with a respective service;
  
  routing, by a controller associated with a computer system, traffic that is received at the closed port to a processing unit associated with the computer system and separate from the controller, the traffic originating from a sender;
  
  receiving the traffic routed from the controller;
  
  obtaining, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
  
  responsive to receiving the traffic routed from the controller and based on the traffic data obtained from the traffic, determining that the traffic is a threat;
  
  determining that the traffic meets a threshold number of communication attempts by the sender at the closed port;
  
  responsive to determining that the traffic meets the threshold number of communication attempts, performing protective measures comprising;
  
  modifying an operation profile of the firewall;
  
  over a secure session or secure tunnel, notifying an associated entity of the threat and providing the associated entity with some or all of the traffic data obtained from the traffic;
  
  using the traffic data obtained from the traffic to provide a response with an inflated error rate on the closed port that indicates to the sender that a vulnerability exists and that delays discovery by the sender that the closed port is inactive, to provide the response comprising;
  
  generating the response using the traffic data obtained from the traffic;
  
  delaying communication of the response to the sender;
  
  reducing a packet size of the response to reduce communication bandwidth between the sender and the firewall.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein the determining that the traffic is a threat is further based on suspected attack information.
  - 12. The method of claim 11, further comprising determining a trustworthiness ranking of the suspected attack information based on whether the suspected attack information is internally generated by the computer system or received from the associated entity or another entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Oliver, Robert Ian, Frank, Alexander
Primary Examiner(s)
BLANTON, JOHN D

Application Number

US11/298,411
Publication Number

US 20070133537A1
Time in Patent Office

2,336 Days
Field of Search

370/392, 726/23
US Class Current

370/392
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1408 by monitoring network traff...

Leveraging active firewalls for network intrusion detection and retardation of attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Leveraging active firewalls for network intrusion detection and retardation of attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links