Detection of and responses to network attacks

US 8,499,348 B1
Filed: 12/28/2010
Issued: 07/30/2013
Est. Priority Date: 12/28/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program comprising:

code that monitors data communications transmitted to a target class of first computing nodes;

code that, in response to detecting a non-legitimate data communication to a computing node in the target class, determines whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected by tracking a number of attempted data communications from a source of the non-legitimate data communication against computing nodes in the target class of computing nodes and comparing the number against a threshold value,wherein membership of the target class of first computing nodes is made up of computing nodes that are not currently allocated to users within a data center and have been previously allocated to users, the data center further comprising second computing nodes connected to the network, wherein the second computing nodes are not part of the target class;

code that, in response to determining that the network is under attack, implementing new security measures for the second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing; and

code that receives authorization from a user of a particular second computing node before making changes to access policies of the particular second computing node as part of the new security measures.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for detecting and responding to attacks on a computer network. One embodiment of such a method describes monitoring data communications transmitted to a target class of first computing nodes; in response to detecting a non-legitimate data communication to a computing node in the target class, determining whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected; and in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.

Citations

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program comprising:
- code that monitors data communications transmitted to a target class of first computing nodes;
  
  code that, in response to detecting a non-legitimate data communication to a computing node in the target class, determines whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected by tracking a number of attempted data communications from a source of the non-legitimate data communication against computing nodes in the target class of computing nodes and comparing the number against a threshold value,wherein membership of the target class of first computing nodes is made up of computing nodes that are not currently allocated to users within a data center and have been previously allocated to users, the data center further comprising second computing nodes connected to the network, wherein the second computing nodes are not part of the target class;
  
  code that, in response to determining that the network is under attack, implementing new security measures for the second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing; and
  
  code that receives authorization from a user of a particular second computing node before making changes to access policies of the particular second computing node as part of the new security measures.
- View Dependent Claims (2, 3)
- - 2. The computer-readable medium of claim 1, the program further comprising:
    - code that restores the security measures to a previous state before the security measures were changed after determining that the attack to the network has stopped.
  - 3. The computer-readable medium of claim 1, wherein the authorization is specified for a particular data transmission protocol and the authorization is verified before access rights for the particular data transmission protocol can be changed.

4. A system, comprising:
- at least one computing device; and
  
  a data transmission system manager executable in the at least one computing device, the data transmission system manager comprising;
  
  logic that receives notification of a detected activity involving one or more non-legitimate data communications to a target class of first computing nodes, wherein membership of the target class of first computing nodes is made up of a subset of computing nodes within a data center;
  
  logic that, in response to receiving the notification, determines which of a plurality of second computing nodes are vulnerable to the detected activity, wherein the plurality of second computing nodes are not members of the target class;
  
  logic that changes security measures of the plurality of second computing nodes to protect the second computing nodes that are vulnerable to the detected activity; and
  
  logic that restores the security measures to a previous state before the security measures were changed after the detected activity has stopped.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein the target class of first computing nodes comprise an address-space of computing nodes that have not been used to legitimately communicate with or receive data communications from other computing nodes.
  - 6. The system of claim 4, wherein the target class of first computing nodes comprises computing nodes that are not currently allocated to users within the data center and have been previously allocated to users of the data center.
  - 7. The system of claim 4, wherein the target class of first computing nodes comprises computing nodes that are allocated to users of the data center and have dropped data communications.
  - 8. The system of claim 4, wherein the security measures are changed while the detected activity is ongoing.
  - 9. The system of claim 4, the data transmission system manager further comprising:
    - logic that verifies authorization from a user of a particular computing node that is vulnerable to the detected activity before making changes to the access policies of the particular computing node.
  - 10. The system of claim 9, wherein the authorization is specified for a particular data transmission protocol and the authorization is verified before access rights for the particular data transmission protocol can be changed.
  - 11. The system of claim 4, further comprising:
    - logic that monitors data communications transmitted to the target class of first computing nodes; and
      
      in response to detecting a non-legitimate data communication to a computing node in the target class, determines whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected.
  - 12. The system of claim 11, wherein the network is determined to be under attack by tracking a number of attempted data communications from a source of the non-legitimate data communication to first computing nodes in the target class and comparing the number against a threshold value.

13. A method, comprising:
- monitoring, by a hardware processing unit, data communications transmitted to a target class of first computing nodes of a data center, wherein membership of the target class of first computing nodes is made up of a subset of computing nodes within a data center;
  
  in response to detecting a non-legitimate data communication to a computing node in the target class, determining, by the hardware processing unit, whether the non-legitimate data communication is a form of attack on a network to which the first computing nodes and a plurality of second computing nodes are connected; and
  
  in response to determining that the network is under attack, implementing, by the hardware processing unit, new security measures for the plurality of second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the target class of first computing nodes comprise an address-space of computing nodes that have not been used to legitimately communicate with or receive data communications from other computing nodes.
  - 15. The method of claim 13, wherein the target class of first computing nodes comprises computing nodes that are not currently allocated to users within a data center and have been previously allocated to users of the data center.
  - 16. The method of claim 15, wherein the network is determined to be under attack by tracking a number of attempted data communications from a source of the non-legitimate data communication to computing nodes in the target class of first computing nodes and comparing the number against a threshold value.
  - 17. The method of claim 13, wherein the target class of first computing nodes comprises computing nodes that are allocated to users of the data center and have dropped data communications.
  - 18. The method of claim 17, wherein the network is determined to be under attack by tracking a number of attempted data communications from a source of the non-legitimate data communication to computing nodes in the target class of first computing nodes and comparing the number against a threshold value.
  - 19. The method of claim 13, wherein the new security measures comprise changing access policies of the second computing nodes to avoid the network attack while the attack on the network is ongoing.
  - 20. The method of claim 19, further comprising:
    - verifying authorization from a user of a particular second computing node before making changes to the access policies of the particular second computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rubin, Gregory A.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US12/980,057
Time in Patent Office

945 Days
Field of Search

726 22- 26, 726/11, 713151-154, 713/189
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/606   by securing the transmissio...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Detection of and responses to network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of and responses to network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links