System and method for identification and blocking of unwanted network traffic

US 9,009,828 B1
Filed: 09/29/2008
Issued: 04/14/2015
Est. Priority Date: 09/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;

receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;

determining a source of the network traffic that triggered the first alert and the second alert;

grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;

assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;

establishing a predetermined alert threshold indicative of whether the a source of the alert group should be blocked; and

determining that a number of alerts associated with the source exceeds the alert threshold;

creating at the network protection system a second signature in response to determining to that the number of alerts exceeds the alert threshold; and

providing the second signature to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the source.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic can be prevented from entering a protected network. An alert can be received that can be triggered by network traffic that matches at least one signature that is associated with undesired network behavior. A source of the network traffic that triggered the alert can be determined, and network traffic that originates from the source can be blocked. Blocking the source can include assigning a determination to the alert. It can then be determined whether network traffic from the source should be blocked based on the determination. The source can then be provided to the protected network such that a network device coupled to the protected network can be configured to block network traffic that originates from the source.

78 Citations

View as Search Results

19 Claims

1. A method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
  
  receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
  
  determining a source of the network traffic that triggered the first alert and the second alert;
  
  grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
  
  assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
  
  establishing a predetermined alert threshold indicative of whether the a source of the alert group should be blocked; and
  
  determining that a number of alerts associated with the source exceeds the alert threshold;
  
  creating at the network protection system a second signature in response to determining to that the number of alerts exceeds the alert threshold; and
  
  providing the second signature to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the alert threshold comprises at least one of:
    - a predetermined number of matched signatures, a predetermined number of target devices, and a predetermined period of time.
  - 3. The method of claim 1, further comprising reducing the alert threshold in response to determining that the country of origin of the source is commonly associated with unwanted network traffic.
  - 4. The method of claim 1, further comprising reducing the alert threshold if the total number of alerts associated with the source exceeds a predetermined value.
  - 5. The method of claim 1, further comprising providing the second signature to a network device that did not generate the alert.
  - 6. The method of claim 1, wherein the threat level comprises a reconnaissance threat level, a global attack threat level, a targeted attack threat level, a benign threat level, a customer opt-out threat level, and a false positive threat level.
  - 7. The method of claim 1, wherein assigning the determination to the alert group comprises transmitting the alert to an analyst to assign the determination to the alert.
  - 8. The method, of claim 1, wherein assigning the determination to the alert group comprises automatically assigning the determination to the alert group without intervention by an analyst.
  - 9. The method of claim 1, wherein the common characteristics comprises at least one of:
    - a source address, a destination address, a signature, and a time period.
  - 10. The method of claim 1, comprising:
    - providing an address of the source to an analyst if the number of alerts associated with the source exceeds the alert threshold, wherein the analyst determines whether the source should be blocked.

11. A system comprising:
- an alert analysis facility for receiving one or more alerts from a plurality of intrusion detection systems, the alerts being associated with network traffic comprising a source, wherein the alert analysis facility groups the alerts into an alert group based upon a common characteristic between the alerts, and assigns a determination to the alerts group, the determination indicating a threat level associated with the alert group;
  
  an engine configured to receive the alert group from the alert analysis facility, wherein the engine analyzes the alert group to determine whether further network traffic originating from a source of the alerts should be blocked;
  
  a database configured to receive and store an address of the source upon a determination by the engine that network traffic originating from the source should be blocked; and
  
  a distribution facility for distributing the database to the intrusion detection systems;
  
  wherein the alert analysis facility is configured to receive the address from the database for use in analyzing the alerts.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, further comprising a signature generation facility for generating signatures for identifying network attacks.
  - 13. The system of claim 12, wherein the signature generation facility receives the address from the database for use in the generation of signatures.
  - 14. The system of claim 11, further comprising a first intrusion detection system of the plurality of intrusion detection systems, the first intrusion detection system being configured to receive network traffic and signatures from the signature generation facility, wherein the first intrusion detection system transmits the alert to the alert analysis facility when the network traffic matches at least one of the signatures.

15. A non-transitory computer-readable medium encoded with computer-executable instructions for performing a method, the method comprising:
- receiving a first alert from a first intrusion detection system associated with a first protected network, the first alert being triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature associated with a network attack;
  
  receiving a second alert from a second intrusion detection system associated with a second protected network, the second alert being triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
  
  determining a source of the network traffic that triggered the first alert and the second alert;
  
  grouping the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
  
  assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
  
  establishing a predetermined alert threshold indicative of whether the a source of the alert group should be blocked; and
  
  determining that a number of alerts associated with the source exceeds the alert threshold;
  
  creating a second signature in response to determining that the number of alerts exceeds the alert threshold; and
  
  providing the second signature to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the source.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable medium of claim 15, further comprising:
    - determining that network traffic from the source should be blocked if the number of alerts associated with the source exceeds the alert threshold.
  - 17. The computer-readable medium of claim 16, wherein the alert threshold comprises at least one of:
    - a predetermined number of matched signatures, a predetermined number of target devices, and a predetermined period of time.
  - 18. The computer-readable medium of claim 16, further comprising reducing the alert threshold in response to determining that the country of origin of the source is commonly associated with unwanted network traffic.
  - 19. The computer-readable medium of claim 16, further comprising reducing the alert threshold if the total number of alerts associated with the source exceeds a predetermined value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Securworks Incorporated
Original Assignee
Dell Secureworks Incorporated (Dell Technologies Inc.)
Inventors
Ramsey, Jon R., Haber, Wayne Howard, Guerry, Bill, Hubbard, Michael Joseph, Banerjee, Uday
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/240,444
Time in Patent Office

2,388 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 16/24575   using context

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

System and method for identification and blocking of unwanted network traffic

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identification and blocking of unwanted network traffic

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links