Detection of and responses to network attacks

US 9,258,319 B1
Filed: 06/28/2013
Issued: 02/09/2016
Est. Priority Date: 12/28/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium storing specific instructions that, when executed, cause at least one computing device to at least:

monitor data communications transmitted to a target class of first computing nodes,wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications associated with a particular data transmission port that is blocked by the first computing nodes;

in response to detecting a dropped data communication to a computing node in the target class associated with the particular data transmission port, determine whether the dropped data communication is a form of attack on a network to which the computing nodes are connected by tracking a number of attempted data communications from a source of the dropped data communication against computing nodes in the target class of first computing nodes and comparing the number against a threshold value;

in response to determining that the network is under attack, implement new security measures for second computing nodes that are not part of the target class and allow for communications associated with the particular data transmission port to protect the second computing nodes against the attack on the network while the attack is ongoing, wherein the new security measures are implemented by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the second computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the second computing nodes; and

receive authorization from one or more users of the second computing nodes before making changes to access policies of the second computing nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for detecting and responding to attacks on a computer network. One embodiment of such a method describes monitoring data communications transmitted to a target class of first computing nodes; in response to detecting a non-legitimate data communication to a computing node in the target class, determining whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected; and in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.

58 Citations

View as Search Results

18 Claims

1. A non-transitory computer-readable medium storing specific instructions that, when executed, cause at least one computing device to at least:
- monitor data communications transmitted to a target class of first computing nodes,wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications associated with a particular data transmission port that is blocked by the first computing nodes;
  
  in response to detecting a dropped data communication to a computing node in the target class associated with the particular data transmission port, determine whether the dropped data communication is a form of attack on a network to which the computing nodes are connected by tracking a number of attempted data communications from a source of the dropped data communication against computing nodes in the target class of first computing nodes and comparing the number against a threshold value;
  
  in response to determining that the network is under attack, implement new security measures for second computing nodes that are not part of the target class and allow for communications associated with the particular data transmission port to protect the second computing nodes against the attack on the network while the attack is ongoing, wherein the new security measures are implemented by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the second computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the second computing nodes; and
  
  receive authorization from one or more users of the second computing nodes before making changes to access policies of the second computing nodes.
- View Dependent Claims (2, 3)
- - 2. The computer-readable medium of claim 1, wherein the specific instructions, when executed, further cause the at least one computing device to at least restore the security measures to a previous state before the security measures were changed after determining that the attack to the network has stopped.
  - 3. The computer-readable medium of claim 1, wherein the authorization is specified for the particular data transmission port and the authorization is verified before access rights for the particular data transmission port can be changed.

4. A system, comprising:
- at least one computing device; and
  
  a data transmission system manager executable in the at least one computing device, the data transmission system manager configured to;
  
  receive notification of a detected activity involving dropped data communications to a target class of first computing nodes, wherein the dropped data communications are generated by intercepting and discarding data communications from a source node after determining that the source node of the data communications is not associated with user-defined groups of computing nodes that are pre-authorized to communicate with the target class of first computing nodes over a particular data transmission port;
  
  wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications directed to the particular data transmission port;
  
  in response to receiving the notification, determine which computing nodes are vulnerable to the detected activity, wherein the vulnerable computing nodes are not restricted to the target class and are authorized to communicate over the particular data transmission port;
  
  change security measures of the vulnerable computing nodes to protect against the detected activity by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the vulnerable computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the vulnerable computing nodes; and
  
  restore the security measures to a previous state before the security measures were changed after the detected activity has stopped.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The system of claim 4, wherein the data transmission system manager is operable to drop a data communication for one computing node of the target class of first computing nodes when the data communication is directed to a network port of the one computing node that is restricted for receiving incoming data communications over the network port.
  - 6. The system of claim 4, wherein the data transmission system manager is operable to monitor the dropped data communications of the target class of first computing nodes and identify the source node as originating a number of dropped data communications which exceeds a defined threshold.
  - 7. The system of claim 4, wherein the data transmission system manager is operable to monitor the dropped data communications of the target class of first computing nodes and identify the source node as originating dropped data communications to a number of the first computing nodes which exceeds a defined threshold.
  - 8. The system of claim 4, wherein the security measures are changed while the detected activity is ongoing.
  - 9. The system of claim 4, wherein the data transmission system manager is further configured to verify authorization from a user of a particular computing node that is vulnerable to the detected activity before making changes to the security measures of the particular computing node.
  - 10. The system of claim 9, wherein the authorization is specified for the particular data transmission port and the authorization is verified before access rights for the particular data transmission port can be changed.
  - 11. The system of claim 4, wherein the data transmission system manager is further configured to:
    - monitor data communications transmitted to the target class of first computing nodes; and
      
      in response to detecting a dropped data communication to a computing node in the target class, determine whether the dropped data communication is a form of attack on a network to which the computing node is connected.

12. A method, comprising:
- monitoring data communications transmitted to a target class of first computing nodes,wherein the target class of first computing nodes comprises computing nodes that are allocated to users and have dropped data communications associated with a particular data transmission port;
  
  determining that a source node of the monitored data communications is not associated with user-defined groups of source nodes that are pre-authorized to communicate with the target class of first computing nodes over the particular data transmission port;
  
  generating dropped data communications by intercepting and discarding the monitored data communications from the source node that are addressed for the target class of first computing nodes and are associated with the particular data transmission port;
  
  in response to detecting a dropped data communication addressed to a computing node in the target class over the particular data transmission port, determining whether the dropped data communication is a form of attack on a network to which the first computing nodes are connected; and
  
  in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing, wherein the new security measures implemented by generating a list of one or more internet protocol addresses associated with one or more sources of the dropped data communications and sending the list of one or more internet protocol addresses to at least one transmission manager for the second computing nodes, wherein the at least one transmission manager is configured to drop a communication from an internet protocol address and to the particular data transmission port contained on the list that is sent to one or more of the second computing nodes.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprising dropping the data communication for one computing node of the target class of first computing nodes when the data communication is directed to a network port of the one computing node that is restricted for receiving incoming data communications associated with the network port.
  - 14. The method of claim 12, wherein the network is determined to be under attack by tracking a number of attempted data communications from the source node of the dropped data communication to computing nodes in the target class and comparing the number against a threshold value.
  - 15. The method of claim 12, wherein the attack on the network is identified by determining the source node of the dropped data communications to have transmitted data communications which were dropped and addressed for a number of the first computing nodes which exceeds a defined threshold.
  - 16. The method of claim 12, wherein the new security measures comprise changing access policies of the second computing nodes to avoid the attack on the network while the attack is ongoing.
  - 17. The method of claim 16, further comprising verifying authorization from one or more users of the second computing nodes before making changes to the access policies of the second computing nodes.
  - 18. The method of claim 17, wherein the authorization is specified for the particular data transmission port and the authorization is verified before access rights for the particular data transmission port can be changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rubin, Gregory A.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/930,507
Time in Patent Office

956 Days
Field of Search

726/11, 726 22- 26, 709223-238, 706/46, 713/150
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/606   by securing the transmissio...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Detection of and responses to network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of and responses to network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links