System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

US 9,380,072 B2
Filed: 10/30/2014
Issued: 06/28/2016
Est. Priority Date: 08/24/2011
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer readable media that include code for execution, wherein the code is executable by one or more processors to:

detect, at a first node, a threat sent from a source node in a network, the network including at least a plurality of nodes having respective security modules;

create, at the first node, a first firewall policy configured to block incoming network requests associated with a source address of the source node;

broadcast an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes; and

communicate a second firewall policy to the source node based, at least in part, on determining whether the source node includes a firewall module, the second firewall policy to be applied by the source node to block outgoing network requests from the source node to any one or more of the plurality of nodes in the network.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

71 Citations

View as Search Results

20 Claims

1. One or more non-transitory computer readable media that include code for execution, wherein the code is executable by one or more processors to:
- detect, at a first node, a threat sent from a source node in a network, the network including at least a plurality of nodes having respective security modules;
  
  create, at the first node, a first firewall policy configured to block incoming network requests associated with a source address of the source node;
  
  broadcast an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes; and
  
  communicate a second firewall policy to the source node based, at least in part, on determining whether the source node includes a firewall module, the second firewall policy to be applied by the source node to block outgoing network requests from the source node to any one or more of the plurality of nodes in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more non-transitory computer readable media of claim 1, wherein the first firewall policy is configured to block outgoing network requests to the source address of the source node.
  - 3. The one or more non-transitory computer readable media of claim 1, wherein the second firewall policy is to be applied by the source node to block network requests received at the source node from other nodes.
  - 4. The one or more non-transitory computer readable media of claim 1, wherein the code is executable by the one or more processors to:
    - send, to a network administrator, a notification including at least the source address of the source node and an identification of the first firewall policy.
  - 5. The one or more non-transitory computer readable media of claim 1, wherein the code is executable by the one or more processors to:
    - identify the source address of the source node.
  - 6. The one or more non-transitory computer readable media of claim 1, wherein the network is one of an intranet or a subnet.
  - 7. The one or more non-transitory computer readable media of claim 1, wherein the code is executable by the one or more processors to:
    - determine, by the first node, whether the source node includes the firewall module.
  - 8. The one or more non-transitory computer readable media of claim 1, wherein the alert includes an identification of the source node.
  - 9. The one or more non-transitory computer readable media of claim 1, wherein the threat is an attempt to replicate data from the source node to the first node.

10. A first node, comprising:
- one or more processors;
  
  an antivirus module configured to execute on the one or more processors to detect a threat sent from a source node in a network, the network including at least a plurality of nodes having respective security modules;
  
  a local firewall module configured to execute on the one or more processors to apply a first firewall policy to block incoming network requests associated with a source address of the source node; and
  
  a rumoring module configured to execute on the one or more processors to;
  
  broadcast an alert to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes; and
  
  communicate a second firewall policy to the source node based, at least in part, on determining whether the source node includes a firewall module, the second firewall policy to be applied by the source node to block outgoing network requests from the source node to any one or more of the plurality of nodes in the network.
- View Dependent Claims (11, 12, 13)
- - 11. The first node of claim 10, wherein the rumoring module is configured to execute on the one or more processors to:
    - determine whether the source node includes the firewall module.
  - 12. The first node of claim 10, further comprising:
    - a dynamic policy module configured to execute on the one or more processors to create the first firewall policy based on the detected threat.
  - 13. The first node of claim 12, wherein the antivirus module is configured to execute on the one or more processors to:
    - identify the source address of the source node; and
      
      provide the source address to the local firewall module of the first node.

14. A method, comprising:
- detecting, at a first node, a threat sent from a source node in a network, the network including at least a plurality of nodes having respective security modules;
  
  creating, at the first node, a first firewall policy configured to block incoming network requests associated with a source address of the source node;
  
  broadcasting an alert from the first node to the respective security modules of the plurality of nodes in the network, wherein the broadcast alert comprises the first firewall policy to be applied by the plurality of nodes; and
  
  communicating a second firewall policy to the source node based, at least in part, on determining whether the source node includes a firewall module, the second firewall policy to be applied by the source node to block outgoing network requests from the source node to any one or more of the plurality of nodes in the network.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the first firewall policy is configured to block outgoing network requests to the source address of the source node, and wherein the second firewall policy is to be applied by the source node to block network requests received at the source node from other nodes.
  - 16. The method of claim 14, further comprising:
    - sending, to a network administrator, a notification including at least the source address of the source node and an identification of the first firewall policy.
  - 17. The method of claim 14, further comprising:
    - determining, by the first node, whether the source node includes the firewall module.

18. One or more non-transitory computer readable media that include code for execution, wherein the code is executable by one or more processors to:
- broadcast an alert from a first node in a network to respective security modules of a plurality of nodes in the network when a threat, sent from a source node in the network, is detected by the first node, wherein the broadcast alert comprises a local firewall policy to be applied by the plurality of nodes to block incoming network requests associated with a source address of the source node;
  
  determine whether the source node includes a firewall module; and
  
  communicate a second firewall policy to the source node based, at least in part, on determining whether the source node includes the firewall module, the second firewall policy to be applied by the source node to block outgoing network requests from the source node to any one or more of the plurality of nodes in the network.
- View Dependent Claims (19, 20)
- - 19. The one or more non-transitory computer readable media of claim 18, wherein the code is executable by the one or more processors to:
    - send, to a network administrator, a notification including at least the source address of the source node and an identification of the first firewall policy.
  - 20. The one or more non-transitory computer readable media of claim 18, wherein the first firewall policy is configured to block outgoing network requests to the source address of the source node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Paul, Manabendra, Sudharma, Praveen Ravichandran
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US14/528,155
Publication Number

US 20150128248A1
Time in Patent Office

607 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/06   Management of faults, event...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links