Detection of and responses to network attacks
Abstract
Disclosed are various embodiments for detecting and responding to attacks on a computer network. One embodiment of such a method describes monitoring data communications transmitted to a target class of first computing nodes; in response to detecting a non-legitimate data communication to a computing node in the target class, determining whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected; and in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.
18 Claims
- 1. A non-transitory computer-readable medium storing specific instructions that, when executed, cause at least one computing device to at least:
  - monitor data communications transmitted to a target class of first computing nodes, wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications associated with a particular data transmission port that is blocked by the first computing nodes;
  - in response to detecting a dropped data communication to a computing node in the target class associated with the particular data transmission port, determine whether the dropped data communication is a form of attack on a network to which the computing nodes are connected by tracking a number of attempted data communications from a source of the dropped data communication against computing nodes in the target class of first computing nodes and comparing the number against a threshold value;
  - in response to determining that the network is under attack, implement new security measures for second computing nodes that are not part of the target class and allow for communications associated with the particular data transmission port to protect the second computing nodes against the attack on the network while the attack is ongoing, wherein the new security measures are implemented by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the second computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the second computing nodes; and
  - receive authorization from one or more users of the second computing nodes before making changes to access policies of the second computing nodes.
  - Dependent claims: 2, 3
- 4. A system, comprising:
  - at least one computing device; and
  - a data transmission system manager executable in the at least one computing device, the data transmission system manager configured to:
    - receive notification of a detected activity involving dropped data communications to a target class of first computing nodes, wherein the dropped data communications are generated by intercepting and discarding data communications from a source node after determining that the source node of the data communications is not associated with user-defined groups of computing nodes that are pre-authorized to communicate with the target class of first computing nodes over a particular data transmission port; wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications directed to the particular data transmission port;
    - in response to receiving the notification, determine which computing nodes are vulnerable to the detected activity, wherein the vulnerable computing nodes are not restricted to the target class and are authorized to communicate over the particular data transmission port;
    - change security measures of the vulnerable computing nodes to protect against the detected activity by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the vulnerable computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the vulnerable computing nodes; and
    - restore the security measures to a previous state before the security measures were changed after the detected activity has stopped.
  - Dependent claims: 5, 6, 7, 8, 9, 10, 11
- 12. A method, comprising:
  - monitoring data communications transmitted to a target class of first computing nodes, wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications associated with a particular data transmission port;
  - determining that a source node of the monitored data communications is not associated with user-defined groups of source nodes that are pre-authorized to communicate with the target class of first computing nodes over the particular data transmission port;
  - generating dropped data communications by intercepting and discarding the monitored data communications from the source node that are addressed for the target class of first computing nodes and are associated with the particular data transmission port;
  - in response to detecting a dropped data communication addressed to a computing node in the target class over the particular data transmission port, determining whether the dropped data communication is a form of attack on a network to which the first computing nodes are connected; and
  - in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing, wherein the new security measures are implemented by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the second computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the second computing nodes.
  - Dependent claims: 13, 14, 15, 16, 17, 18
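A small simulation of the flow the independent claims describe, added here as an illustration and not code from the patent: dropped communications on the blocked port are counted per source against the target class, sources over the threshold become an IP list that is pushed to the transmission manager of the nodes that still allow the port, the push waits for user authorization (claim 1), and the manager can restore its previous state once the activity stops (claim 4). The port number, node ids, IP addresses and all names are constructed for the example.

```python
from collections import Counter

PORT = 3389  # constructed: the data transmission port blocked on target-class nodes

# Constructed sample of dropped communications on PORT: (source_ip, destination_node).
DROPPED = [
    ("198.51.100.7", "t1"), ("198.51.100.7", "t2"), ("198.51.100.7", "t3"),
    ("198.51.100.7", "t1"), ("203.0.113.9", "t2"), ("198.51.100.7", "open1"),
]
TARGET_CLASS = {"t1", "t2", "t3"}   # first nodes: block PORT, so their drops are the signal
SECOND_NODES = {"open1", "open2"}   # second nodes: still allow PORT and need protecting


class TransmissionManager:
    """Front end for the second nodes; enforces an (ip, port) block list."""

    def __init__(self, nodes):
        self.nodes = set(nodes)
        self.blocklist = set()
        self._saved = None          # previous state, kept so it can be restored (claim 4)

    def apply(self, ips, port):
        if self._saved is None:
            self._saved = set(self.blocklist)
        self.blocklist |= {(ip, port) for ip in ips}

    def restore(self):
        if self._saved is not None:
            self.blocklist, self._saved = self._saved, None

    def drops(self, src_ip, port):
        # Only traffic from a listed IP to the listed port is dropped; other ports stay open.
        return (src_ip, port) in self.blocklist


def attacking_sources(dropped, target_class, threshold):
    """Count dropped attempts per source against target-class nodes; return those over threshold."""
    counts = Counter(ip for ip, node in dropped if node in target_class)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def respond(dropped, target_class, threshold, manager, authorized):
    """Build the IP list and send it to the manager; returns the list actually sent."""
    ips = attacking_sources(dropped, target_class, threshold)
    if not ips or not authorized:   # claim 1: no policy change without user authorization
        return []
    manager.apply(ips, PORT)
    return ips
```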
Specification