Proactive containment of network security attacks

US 9,491,185 B2
Filed: 05/13/2013
Issued: 11/08/2016
Est. Priority Date: 09/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method of proactive containment of network security attacks, the method comprising:

identifying a specific system vulnerability;

analyzing the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;

determining, based upon the analysis, filtering parameters to be applied by packet filters at network infrastructure components; and

distributing said filtering parameters to the network infrastructure components,wherein the network infrastructure components are to examine received packets using said filtering parameters to identify whether the packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability, andwherein identifying the specific system vulnerability, analyzing the specific system vulnerability, determining the filtering parameters, and distributing the filtering parameters is performed prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment disclosed relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack. Other embodiments are also disclosed.

34 Citations

View as Search Results

23 Claims

1. A method of proactive containment of network security attacks, the method comprising:
- identifying a specific system vulnerability;
  
  analyzing the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;
  
  determining, based upon the analysis, filtering parameters to be applied by packet filters at network infrastructure components; and
  
  distributing said filtering parameters to the network infrastructure components,wherein the network infrastructure components are to examine received packets using said filtering parameters to identify whether the packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability, andwherein identifying the specific system vulnerability, analyzing the specific system vulnerability, determining the filtering parameters, and distributing the filtering parameters is performed prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, said method further comprising:
    - taking action in the network infrastructure components to inhibit an identified attack, wherein the action to inhibit the identified attack comprises preventing the packets arranged in the predetermined sequence of packets from being transmitted through a network port, while permitting other packets to be transmitted without interruption, and wherein the action to inhibit the attack further comprises restricting further packet transmission through the network port.
  - 3. The method of claim 1, further comprising:
    - taking action in the network infrastructure components to inhibit an identified attack, wherein the action to inhibit the identified attack further comprises terminating a connection or session through a network port of the network infrastructure components.
  - 4. The method of claim 1, further comprising:
    - taking action in the network infrastructure components to inhibit an identified attack, wherein the action to inhibit the identified attack further comprises limiting a number of packets transmitted through a network port of the network infrastructure components.
  - 5. The method of claim 1, further comprising:
    - taking action in the network infrastructure components to inhibit an identified attack, wherein the action to inhibit the identified attack further comprises preventing specific types of packets from being transmitted through a network port of the network infrastructure components, while permitting other types of packets to be transmitted without interruption.
  - 6. The method of claim 1, further comprising:
    - taking action in the network infrastructure components to inhibit an identified attack, wherein the action to inhibit the identified attack further comprises triggering an alert to a network management system.
  - 7. The method of claim 1, wherein the specific system vulnerability pertains to a specific software component.
  - 8. The method of claim 7, wherein the specific software component comprises an operating system, or a utility, or an application.
  - 9. The method of claim 1, wherein the network infrastructure components comprise at least one component selected from a group of components consisting of networking hubs, switches, routers, wireless access points, IDS/IPS, firewall, and network security appliances.
  - 10. The method of claim 1, wherein the networking infrastructure components filter packets at a physical port, datalink, network, and/or session level.
  - 11. The method of claim 1, further comprising filtering packets by the networking infrastructure components using hardware circuitry and firmware of the networking infrastructure components.
  - 12. The method of claim 1, wherein the network infrastructure components comprise dynamically-modifiable packet firewalls.
  - 13. The method of claim 1, further comprising identifying the specific system vulnerability prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.
  - 14. The method of claim 1, wherein distributing said parameters further comprises distributing said filtering parameters by a network management system of an enterprise network.
  - 15. The method of claim 1, wherein distributing said filtering parameters further comprises distributing said filtering parameters by a remote service provider.
  - 16. The method of claim 15, wherein the remote service provider comprises a web-based service.

17. A system of proactive containment of network security attacks, the system comprising:
- a processor; and
  
  a storage device on which is stored machine-readable instructions to cause the processor to;
  
  identify a specific system vulnerability;
  
  analyze the specific system vulnerability to determine a network behavior that exploits the specific system vulnerability;
  
  determine, based upon the analysis of the specific system vulnerability, network filtering parameters corresponding to a specific system vulnerability; and
  
  distribute said parameters to network infrastructure components, wherein the network infrastructure components are to;
  
  examine received packets using said filtering parameters to identify whether the received packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability; and
  
  take action to inhibit the detected attack, the action being to prevent the received packets arranged in the predetermined sequences of packets from being transmitted through a network port, while permitting other received packets to be transmitted without interruption, wherein identifying the specific system vulnerability, analyzing the specific system vulnerability, determining the filtering parameters, and distributing the filtering parameters is performed prior to the identification by the network infrastructure components of a specific virus exploiting said vulnerability.

18. A network infrastructure component to proactively contain network security attacks, the network infrastructure component comprising:
- a processor; and
  
  a storage device on which is stored machine-readable instructions to cause the processor to;
  
  prior to identification of a specific virus exploiting a specific system vulnerability, receive and store network filtering parameters corresponding to the specific system vulnerability, wherein the network filtering parameters are determined based upon an identification of the specific system vulnerability and an analysis of the specific system vulnerability to determine a network behavior that exploits these specific system vulnerability;
  
  examine received packets using said network filtering parameters to detect whether the received packets include a predetermined sequence of packets that signal an occurrence of an attack against the specific system vulnerability; and
  
  prevent the received packets arranged in the predetermined sequence of packets from being transmitted through a network port, while permitting other packets to be transmitted without interruption, wherein the network filtering parameters are distributed to the network infrastructure component prior to the discovery of a specific virus exploiting said vulnerability.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The network infrastructure component of claim 18, wherein the network infrastructure component comprises a device selected from a group of devices consisting of networking hubs, switches, routers, wireless access points, IDS/IPS, firewall, and network security appliances.
  - 20. The network infrastructure component of claim 18, wherein the networking infrastructure component filters packets at a physical port, datalink (MAC address), network (IP), and/or session (TCP) level.
  - 21. The network infrastructure component of claim 18, wherein the network infrastructure component comprises a dynamically-modifiable packet firewall.
  - 22. The network infrastructure component of claim 18, wherein said parameters are distributed by a network management system of an enterprise network.
  - 23. The network infrastructure component of claim 18, wherein said parameters are distributed by a remote service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Selep, John, Sanchez, Mauricio
Primary Examiner(s)
Turchen, James

Application Number

US13/893,007
Publication Number

US 20130269034A1
Time in Patent Office

1,275 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Proactive containment of network security attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Proactive containment of network security attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links