Stealth network attack monitoring

US 9,172,715 B2
Filed: 10/22/2013
Issued: 10/27/2015
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. At least one machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

identify a particular failed connection attempt initiated by a particular source asset in a network;

track subsequent failed connection attempts initiated by the particular source asset in the network during a time period;

determine whether the subsequent failed connection attempts during the time period correspond to a low frequency failed connection attempt rate corresponding to an attempted stealth attack, wherein the stealth attack is characterized by a low frequency series of connection attempts; and

designate the source asset as a potential security risk based on a determination that the subsequent failed connection attempts correspond to the low frequency failed connection attempt rate.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A particular failed connection attempt initiated by a particular source asset in a network is identified and subsequent failed connection attempts initiated by the particular source asset in the network during a time period are tracked. A low frequency sequence of failed connection attempts involving the particular source asset is detected during the time period and the source asset is designated as a potential security risk based on the detected low frequency sequence of failed connection attempts.

Citations

23 Claims

1. At least one machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- identify a particular failed connection attempt initiated by a particular source asset in a network;
  
  track subsequent failed connection attempts initiated by the particular source asset in the network during a time period;
  
  determine whether the subsequent failed connection attempts during the time period correspond to a low frequency failed connection attempt rate corresponding to an attempted stealth attack, wherein the stealth attack is characterized by a low frequency series of connection attempts; and
  
  designate the source asset as a potential security risk based on a determination that the subsequent failed connection attempts correspond to the low frequency failed connection attempt rate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The storage medium of claim 1, wherein the low frequency failed connection attempt rate comprises a sequence of repeated failed network connection attempts by a source at a rate not exceeding one attempt per hour.
  - 3. The storage medium of claim 1, wherein the instructions when executed on a machine, further cause the machine to monitor the network for failed connection attempts in a private address range of the network.
  - 4. The storage medium of claim 3, wherein the network is an internet protocol (IP) network and the private address range comprises a range of IP addresses.
  - 5. The storage medium of claim 3, wherein the instructions when executed on a machine, further cause the machine to ignore failed port connection attempts to ports that are designated as trusted ports.
  - 6. The storage medium of claim 3, wherein the instructions when executed on a machine, further cause the machine to ignore failed port connection attempts for source assets that are designated as trusted assets.
  - 7. The storage medium of claim 3, wherein the instructions when executed on a machine, cause the machine to only monitor failed port connection attempts to ports that are designated as suspect ports.
  - 8. The storage medium of claim 7, wherein the suspect ports include one or more of an SSH port, HTTP port, telnet port, and SMTP port.
  - 9. The storage medium of claim 1, wherein the instructions when executed on a machine, further cause the machine to receive data describing detection of the particular failed connection attempt.
  - 10. The storage medium of claim 1, wherein each failed connection attempt comprises an attempt by the respective source asset to connect to a respective destination asset in the network.
  - 11. The storage medium of claim 10, wherein the instructions when executed on a machine, further cause the machine to track the subsequent failed connection attempts by the particular source based on identification of the particular failed connection attempt.
  - 12. The storage medium of claim 11, wherein the instructions when executed on a machine, further cause the machine to generate a source asset tracking instance for the particular source asset based on identification of the particular failed connection attempt, wherein the source asset tracking instance is used to track the subsequent failed connection attempts.
  - 13. The storage medium of claim 12, wherein the source asset tracking instance is generated based on a determination that a source asset tracking instance is not yet maintained for the particular source asset.

14. A method comprising:
- identifying a particular failed connection attempt initiated by a particular source asset in a network;
  
  tracking subsequent failed connection attempts initiated by the particular source asset in the network during a time period;
  
  determining that the subsequent failed connection attempts during the time period comprise a low frequency sequence of repeated failed connection attempts according to a low frequency failed connection attempt rate corresponding to an attempted stealth attack; and
  
  designating the source asset as a potential security risk based on determining that the sequence of failed connection attempts correspond to the low frequency failed connection attempt rate.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising maintaining a source asset tracking instance for each source asset associated with a failed connection attempt, wherein the source asset tracking instance identifies the corresponding source asset and is used in the tracking of subsequent failed connection attempts initiated by the particular source asset.
  - 16. The method of claim 15, wherein the sequence of failed connection attempts involving the particular source asset is determined from information maintained in the source asset tracking instance of the particular source asset.
  - 17. The method of claim 15, wherein source asset tracking instances are generated based on detected failed connection attempts involving the corresponding source asset.
  - 18. The method of claim 15, further comprising:
    - determining from a particular source asset tracking instance for another source asset that failed connection attempts involving the particular source asset do not correspond to a security risk; and
      
      purging the particular source asset tracking instance based upon determining that failed connection attempts involving the particular source asset do not correspond to a security risk.
  - 19. The method of claim 14, wherein the time period is a period of time measured from the particular failed connection attempt.
  - 20. The method of claim 14, further comprising determining whether the subsequent failed connection attempts during the time period correspond to a higher failed connection attempt ratio corresponding to a burst-like probing attack.

21. A system comprising:
- a data processing apparatus;
  
  a storage medium; and
  
  attack detection logic, executable by the data processing apparatus to;
  
  identify a particular failed connection attempt initiated by a particular source asset in a network;
  
  track subsequent failed connection attempts initiated by the particular source asset in the network during a time period;
  
  determine whether the subsequent failed connection attempts during the time period correspond to a low frequency failed connection attempt rate corresponding to a stealth attack, wherein the stealth attack is characterized by a low frequency sequence of connection attempts; and
  
  designate the source asset as a potential security risk based on a determination that the subsequent failed connection attempts correspond to the low frequency failed connection attempt rate.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, further comprising a plurality of source asset tracking instances stored in the storage medium, wherein each of the plurality of source asset tracking instances is to track respective failed connection attempts of a corresponding source asset in a plurality of source assets including the particular source asset.
  - 23. The system of claim 22, comprising resource management logic, executable by the data processing apparatus to purge source asset tracking instances based on a determination that a current sequence of tracked failed connection attempts by a respective source asset does not correspond to a security risk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mahadik, Vinay, Madhusudan, Bharath, Buruganahalli, Shivakumar, Vissamsetty, Venu
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US14/060,062
Publication Number

US 20140047547A1
Time in Patent Office

735 Days
Field of Search

726 22- 27, 714/4.1, 714/26, 714/43, 379/112.04, 379/221.03, 379/279, 709223-225, 370/225
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1433 Vulnerability analysis

Stealth network attack monitoring

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Stealth network attack monitoring

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links