System and method for identification and blocking of unwanted network traffic
First Claim
1. A method comprising:
- receiving at a network protection system a first alert from a first intrusion detection system associated with a first protected network, wherein the first alert is triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature that is associated with undesired network behavior;
- receiving at the network protection system a second alert from a second intrusion detection system associated with a second protected network, wherein the second alert is triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
- determining a source of the network traffic that triggered the first alert and the second alert;
- grouping at the network protection system the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
- assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
- establishing a predetermined alert threshold indicative of whether the source of the alert group should be blocked;
- determining that a number of alerts associated with the source exceeds the alert threshold;
- creating at the network protection system a second signature in response to determining that the number of alerts exceeds the alert threshold; and
- providing the second signature to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the source.
Abstract
Network traffic can be prevented from entering a protected network. An alert can be received that can be triggered by network traffic that matches at least one signature that is associated with undesired network behavior. A source of the network traffic that triggered the alert can be determined, and network traffic that originates from the source can be blocked. Blocking the source can include assigning a determination to the alert. It can then be determined whether network traffic from the source should be blocked based on the determination. The source can then be provided to the protected network such that a network device coupled to the protected network can be configured to block network traffic that originates from the source.
19 Claims
1. A method comprising: (independent claim; text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system comprising:
- an alert analysis facility for receiving one or more alerts from a plurality of intrusion detection systems, the alerts being associated with network traffic comprising a source, wherein the alert analysis facility groups the alerts into an alert group based upon a common characteristic between the alerts, and assigns a determination to the alert group, the determination indicating a threat level associated with the alert group;
- an engine configured to receive the alert group from the alert analysis facility, wherein the engine analyzes the alert group to determine whether further network traffic originating from a source of the alerts should be blocked;
- a database configured to receive and store an address of the source upon a determination by the engine that network traffic originating from the source should be blocked; and
- a distribution facility for distributing the database to the intrusion detection systems;
- wherein the alert analysis facility is configured to receive the address from the database for use in analyzing the alerts.
Dependent claims: 12, 13, 14.
15. A non-transitory computer-readable medium encoded with computer-executable instructions for performing a method, the method comprising:
- receiving a first alert from a first intrusion detection system associated with a first protected network, the first alert being triggered by first network traffic that is evaluated by the first intrusion detection system and that is determined to match a first signature associated with a network attack;
- receiving a second alert from a second intrusion detection system associated with a second protected network, the second alert being triggered by second network traffic that is evaluated by the second intrusion detection system and that is determined to match the first signature;
- determining a source of the network traffic that triggered the first alert and the second alert;
- grouping the first alert and the second alert into an alert group based upon a common characteristic between the first alert and the second alert;
- assigning a determination to the alert group, the determination indicating a threat level associated with the alert group;
- establishing a predetermined alert threshold indicative of whether the source of the alert group should be blocked;
- determining that a number of alerts associated with the source exceeds the alert threshold;
- creating a second signature in response to determining that the number of alerts exceeds the alert threshold; and
- providing the second signature to the first intrusion detection system and to the second intrusion detection system, such that the first intrusion detection system and the second intrusion detection system are configured to block network traffic that originates from the source.
Dependent claims: 16, 17, 18, 19.
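The method of claims 1 and 15 and the system of claim 11, as an added Python sketch that is not the patent's own implementation: alerts from several intrusion detection systems are grouped by source, each group is assigned a threat determination, and once a source's alert count exceeds the threshold a second (blocking) signature is created and distributed to every connected IDS. The class and field names, the determination labels and the Snort-style rule string are assumptions, and the alerts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    ids: str        # intrusion detection system that raised the alert
    network: str    # protected network that IDS is associated with
    signature: str  # signature the traffic matched (the "first signature")
    source: str     # source address of the triggering traffic

class NetworkProtectionSystem:
    # Alert analysis facility, engine, database and distribution facility
    # (claim 11) collapsed into one class; all names are assumptions.
    def __init__(self, ids_names, alert_threshold):
        self.alert_threshold = alert_threshold
        self.groups = defaultdict(list)                 # source -> alert group
        self.blocked_sources = set()                    # the shared database
        self.rules = {ids: set() for ids in ids_names}  # signatures each IDS holds

    def determination(self, group):
        # Threat level: highest when one signature fires for this source on 2+ networks.
        networks = {a.network for a in group}
        if len(networks) >= 2 and len({a.signature for a in group}) == 1:
            return "high"
        return "medium" if len(group) > 1 else "low"

    def receive_alert(self, alert):
        group = self.groups[alert.source]           # grouping by common source
        group.append(alert)
        if alert.source in self.blocked_sources:
            return None                             # second signature already issued
        if len(group) > self.alert_threshold and self.determination(group) != "low":
            # Second signature: constructed Snort-style drop rule for the source.
            second_signature = f"drop ip {alert.source} any -> any any"
            self.blocked_sources.add(alert.source)
            for ids in self.rules:                  # distribution facility
                self.rules[ids].add(second_signature)
            return second_signature
        return None

def demo():
    nps = NetworkProtectionSystem(["ids-a", "ids-b"], alert_threshold=2)
    alerts = [  # constructed sample alerts using documentation-range addresses
        Alert("ids-a", "net-a", "SIG-1001", "203.0.113.7"),
        Alert("ids-b", "net-b", "SIG-1001", "203.0.113.7"),
        Alert("ids-a", "net-a", "SIG-1001", "203.0.113.7"),
        Alert("ids-a", "net-a", "SIG-2002", "198.51.100.9"),
    ]
    return nps, [nps.receive_alert(a) for a in alerts]
```

Only the third alert for 203.0.113.7 pushes its group past the threshold, so one rule is created and both IDSs receive it; later alerts for an already blocked source produce no further rules.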