Proactive containment of network security attacks
First Claim
1. A method of proactive containment of network security attacks, the method comprising:
- identifying a specific system vulnerability;
- analyzing the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;
- determining, based upon the analysis, filtering parameters to be applied by packet filters at network infrastructure components; and
- distributing said filtering parameters to the network infrastructure components,
wherein the network infrastructure components are to examine received packets using said filtering parameters to identify whether the packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability, and
wherein identifying the specific system vulnerability, analyzing the specific system vulnerability, determining the filtering parameters, and distributing the filtering parameters is performed prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.
Abstract
One embodiment disclosed relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack. Other embodiments are also disclosed.
Claims (23 claims; 34 citations)
Claim 1 is given above; claims 2 to 16 depend on claim 1.
17. A system of proactive containment of network security attacks, the system comprising:
- a processor; and
- a storage device on which is stored machine-readable instructions to cause the processor to:
  - identify a specific system vulnerability;
  - analyze the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;
  - determine, based upon the analysis of the specific system vulnerability, network filtering parameters corresponding to a specific system vulnerability; and
  - distribute said parameters to network infrastructure components,
wherein the network infrastructure components are to:
- examine received packets using said filtering parameters to identify whether the received packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability; and
- take action to inhibit the detected attack, the action being to prevent the received packets arranged in the predetermined sequences of packets from being transmitted through a network port, while permitting other received packets to be transmitted without interruption,
wherein identifying the specific system vulnerability, analyzing the specific system vulnerability, determining the filtering parameters, and distributing the filtering parameters is performed prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.
18. A network infrastructure component to proactively contain network security attacks, the network infrastructure component comprising:
- a processor; and
- a storage device on which is stored machine-readable instructions to cause the processor to:
  - prior to identification of a specific virus exploiting a specific system vulnerability, receive and store network filtering parameters corresponding to the specific system vulnerability, wherein the network filtering parameters are determined based upon an identification of the specific system vulnerability and an analysis of the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;
  - examine received packets using said network filtering parameters to detect whether the received packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability; and
  - prevent the received packets arranged in the predetermined sequence of packets from being transmitted through a network port, while permitting other packets to be transmitted without interruption,
wherein the network filtering parameters are distributed to the network infrastructure component prior to the discovery of a specific virus exploiting said vulnerability.
Claims 19 to 23 depend on claim 18.
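The claims above describe a pipeline: analyze a vulnerability, derive filtering parameters from the network behavior that would exploit it, distribute those parameters to infrastructure components, and have each component match a predetermined packet sequence per flow and stop that flow while leaving other traffic alone. The following Python is an added illustration of that pipeline and is not the patent's own embodiment or code. The vulnerability identifier, the service on port 7000, the "HELLO"/"SET" protocol, the addresses and the payloads are all constructed assumptions; the point is that the parameters come from the vulnerability analysis and are installed before any specific exploit or virus for it has been seen.

```python
"""Added example: vulnerability-derived filter parameters distributed to
network components that match a predetermined packet sequence per flow.
All identifiers, ports, addresses and payloads below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int]  # (source address, destination address, destination port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Stage:
    """One step of the predetermined sequence: a payload prefix plus a minimum length."""
    prefix: bytes
    min_len: int = 0

    def matches(self, pkt: Packet) -> bool:
        return pkt.payload.startswith(self.prefix) and len(pkt.payload) >= self.min_len


@dataclass(frozen=True)
class FilterParameters:
    """Derived from analysing a vulnerability, independent of any specific virus signature."""
    vuln_id: str
    dport: int
    sequence: Tuple[Stage, ...]


class InfrastructureComponent:
    """A switch or router port that applies distributed parameters to each flow it sees."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.params: Dict[str, FilterParameters] = {}
        self.progress: Dict[FlowKey, Dict[str, int]] = {}  # flow -> vuln_id -> next stage index
        self.blocked: Set[FlowKey] = set()
        self.events: List[str] = []

    def install(self, p: FilterParameters) -> None:
        self.params[p.vuln_id] = p

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is transmitted through the port, False if it is dropped."""
        key: FlowKey = (pkt.src, pkt.dst, pkt.dport)
        if key in self.blocked:
            return False  # flow already identified as an attack sequence
        for p in self.params.values():
            if pkt.dport != p.dport:
                continue  # parameters only apply to the vulnerable service's port
            stages = self.progress.setdefault(key, {})
            idx = stages.get(p.vuln_id, 0)
            if p.sequence[idx].matches(pkt):
                idx += 1
                if idx == len(p.sequence):
                    # the predetermined sequence is complete: inhibit this flow only
                    self.blocked.add(key)
                    self.events.append(f"{self.name}: {p.vuln_id} sequence from {pkt.src}; flow blocked")
                    return False
                stages[p.vuln_id] = idx
        return True  # all other traffic passes without interruption


def distribute(p: FilterParameters, components: List[InfrastructureComponent]) -> int:
    """Push one set of filtering parameters to every component; returns how many received it."""
    for c in components:
        c.install(p)
    return len(components)


# Constructed parameters for a hypothetical service on port 7000 whose analysed
# weakness is an over-long "SET" command sent after the "HELLO" handshake.
EXAMPLE_PARAMS = FilterParameters(
    vuln_id="VULN-EXAMPLE-0001",
    dport=7000,
    sequence=(Stage(prefix=b"HELLO"), Stage(prefix=b"SET ", min_len=64)),
)


def run_demo() -> Dict[str, object]:
    """Distribute the parameters, then replay constructed benign and attack flows at one component."""
    edge = InfrastructureComponent("edge-switch-1")
    core = InfrastructureComponent("core-router-1")
    installed = distribute(EXAMPLE_PARAMS, [edge, core])
    benign = [  # normal client: short SET command, never completes the sequence
        Packet("10.0.0.5", "10.0.0.9", 7000, b"HELLO"),
        Packet("10.0.0.5", "10.0.0.9", 7000, b"SET key=value"),
        Packet("10.0.0.5", "10.0.0.9", 7000, b"GET key"),
    ]
    attack = [  # constructed attack flow: HELLO followed by an over-long SET
        Packet("10.0.0.7", "10.0.0.9", 7000, b"HELLO"),
        Packet("10.0.0.7", "10.0.0.9", 7000, b"SET " + b"A" * 200),
        Packet("10.0.0.7", "10.0.0.9", 7000, b"GET key"),
    ]
    other_port = Packet("10.0.0.7", "10.0.0.9", 80, b"GET / HTTP/1.0")
    return {
        "installed": installed,
        "benign_forwarded": sum(edge.forward(p) for p in benign),
        "attack_forwarded": sum(edge.forward(p) for p in attack),
        "other_port_forwarded": edge.forward(other_port),
        "events": edge.events,
    }
```

Two design points follow from the claims. State is kept per flow, so only the flow that completes the sequence is blocked, and the same host's traffic to another port still passes (the `other_port_forwarded` result). The first packet of the sequence is forwarded, because on its own it is legitimate; the flow is inhibited at the packet that completes the sequence, so the stage predicates should be written tightly against the analysed vulnerability to keep benign clients of the same service unaffected.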