System and method for coordinating network incident response activities

US 8,850,565 B2
Filed: 01/10/2005
Issued: 09/30/2014
Est. Priority Date: 01/10/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for responding to an attack that occurred on a computer network, comprising:

receiving a description of the attack that occurred;

accessing a description of a topology of the network;

determining, based on the attack description and the topology description, one or more devices or applications that are relevant to the attack that occurred;

determining, based on the one or more relevant devices or applications, a first set of actions that can be executed to respond to the attack that occurred;

automatically determining, from the first set of actions, a subset of actions to execute to respond to the attack that occurred;

executing the subset of actions; and

determining that the attack that occurred no longer presents a threat.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method to process information regarding a network attack through an automated workflow that actively reconfigures a plurality of heterogeneous network-attached devices and applications to dynamically counter the attack using the network'"'"'s own self-defense mechanisms. The present invention leverages the security capabilities present within existing and new network-attached devices and applications to effect a distributed defense that immediately quarantines and/or mitigates attacks from hostile sources at multiple points simultaneously throughout the network. In a preferred embodiment, deployed countermeasures are automatically lifted following remediation activities.

Citations

14 Claims

1. A computer-implemented method for responding to an attack that occurred on a computer network, comprising:
- receiving a description of the attack that occurred;
  
  accessing a description of a topology of the network;
  
  determining, based on the attack description and the topology description, one or more devices or applications that are relevant to the attack that occurred;
  
  determining, based on the one or more relevant devices or applications, a first set of actions that can be executed to respond to the attack that occurred;
  
  automatically determining, from the first set of actions, a subset of actions to execute to respond to the attack that occurred;
  
  executing the subset of actions; and
  
  determining that the attack that occurred no longer presents a threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the description of the attack that occurred comprises one element of a group containing a start time, a stop time, and a duration.
  - 3. The method of claim 1, wherein the description of the attack that occurred comprises one element of a group containing an indication of a source of the attack and an indication of a destination of the attack.
  - 4. The method of claim 1, wherein the description of the attack that occurred comprises one element of a group containing a packet count, an attribute of a packet header, a packet signature, an indication of a protocol, a regular expression, and a priority.
  - 5. The method of claim 1, wherein a device or application is relevant to the attack that occurred if the attack originated outside the network and if the device or application is located on a logical border of the network.
  - 6. The method of claim 1, wherein a device or application is relevant to the attack that occurred if the device or application is located on a logical path from a source of the attack to a destination of the attack.
  - 7. The method of claim 1, wherein a device or application is relevant to the attack that occurred if the device or application is vulnerable to the attack.
  - 8. The method of claim 1, wherein determining, based on the one or more relevant devices or applications, the first set of actions that can be executed to respond to the attack that occurred comprises determining one or more capabilities of the one or more relevant devices or applications.
  - 9. The method of claim 1, wherein determining, based on the one or more relevant devices or applications, the first set of actions that can be executed to respond to the attack that occurred comprises determining states of availability of the one or more relevant devices or applications.
  - 10. The method of claim 1, wherein determining, from the first set of actions, the subset of actions to execute to respond to the attack that occurred comprises determining a most effective action from the actions within the first set.
  - 11. The method of claim 1, wherein determining, from the first set of actions, the subset of actions to execute to respond to the attack that occurred comprises identifying, from the one or more relevant devices or applications, a device or application that is logically closest to a source of the attack.
  - 12. The method of claim 1, wherein executing the subset of actions comprises modifying a setting of a device or application.
  - 13. The method of claim 1, wherein executing the subset of actions comprises controlling operation of a device or application.
  - 14. The method of claim 1, further comprising responsive to determining that the attack that occurred no longer presents the threat, reversing the executed actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Patrick, Robert, Key, Christopher, Holzberger, Paul
Primary Examiner(s)
Hailu, Teshome

Application Number

US10/905,537
Publication Number

US 20060212932A1
Time in Patent Office

3,550 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

System and method for coordinating network incident response activities

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for coordinating network incident response activities

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links