System and method for managing tiered blacklists for mitigating network attacks

US 10,462,166 B2
Filed: 10/11/2016
Issued: 10/29/2019
Est. Priority Date: 10/11/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to manage blacklists used for mitigating threat traffic associated with a network attack, the method comprising:

manage, using a central blacklist manager, first, second and third mitigation systems, wherein the first mitigation system includes a first blacklist, the second mitigation system includes a second blacklist and the third mitigation system includes a third blacklist and wherein the first blacklist is upstream the second and third blacklists with the second blacklist being upstream to the third blacklist relative to one or more protected devices, and wherein the central blacklist manager has a processor such that upon execution of instructions is configured to;

monitor the first blacklist used by a first mitigation process of the first mitigation system and determine an amount of time a blacklist entry has been on the first blacklist;

monitor the second blacklist used by a second mitigation process of the second mitigation system and determine an amount of time a blacklist entry has been on the second blacklist;

monitor the third blacklist used by a third mitigation process of the third mitigation system and determine an amount of time a blacklist entry has been on the third blacklist, whereby a blacklist entry is moved from the third blacklist to the second blacklist if it is determined the blacklist entry was on the third blacklist beyond a threshold time, and move a blacklist entry from the second blacklist to the first blacklist if it is determined the blacklist entry was on the second blacklist beyond the threshold time;

determine an amount of time entries are included with the first blacklist;

determine if any of the time entries have been included with the first blacklist for more than a threshold amount of time; and

remove from the first blacklist each blacklist entry determined to have been included with the first blacklist for more than the threshold amount of time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer-implemented method to manage blacklists used for mitigating network traffic is provided. The method includes monitoring a first blacklist and a second blacklist, wherein the first blacklist is used by a first mitigation process applied to network traffic that is performed upstream along a communication path of the network traffic relative to a second mitigation process that is performed using the second blacklist. The method further includes moving at least one entry from one of the first and second blacklists to the other of the first and second blacklist based on a result of the monitoring.

19 Citations

10 Claims

1. A computer-implemented method to manage blacklists used for mitigating threat traffic associated with a network attack, the method comprising:
- manage, using a central blacklist manager, first, second and third mitigation systems, wherein the first mitigation system includes a first blacklist, the second mitigation system includes a second blacklist and the third mitigation system includes a third blacklist and wherein the first blacklist is upstream the second and third blacklists with the second blacklist being upstream to the third blacklist relative to one or more protected devices, and wherein the central blacklist manager has a processor such that upon execution of instructions is configured to;
  
  monitor the first blacklist used by a first mitigation process of the first mitigation system and determine an amount of time a blacklist entry has been on the first blacklist;
  
  monitor the second blacklist used by a second mitigation process of the second mitigation system and determine an amount of time a blacklist entry has been on the second blacklist;
  
  monitor the third blacklist used by a third mitigation process of the third mitigation system and determine an amount of time a blacklist entry has been on the third blacklist, whereby a blacklist entry is moved from the third blacklist to the second blacklist if it is determined the blacklist entry was on the third blacklist beyond a threshold time, and move a blacklist entry from the second blacklist to the first blacklist if it is determined the blacklist entry was on the second blacklist beyond the threshold time;
  
  determine an amount of time entries are included with the first blacklist;
  
  determine if any of the time entries have been included with the first blacklist for more than a threshold amount of time; and
  
  remove from the first blacklist each blacklist entry determined to have been included with the first blacklist for more than the threshold amount of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein monitoring the first and second blacklists includes obtaining statistics related to mitigation of threat traffic associated with a network attack using the second blacklist, and does not include obtaining statistics related to mitigation of threat traffic associated with a network attack using the first blacklist.
  - 3. The method of claim 2, wherein the statistics include at least one of an indication of an amount of traffic sent by sources associated with entries included in the second blacklist or a length of time the respective entries have been included on the second blacklist.
  - 4. The method of claim 1, wherein the first and second mitigation processes are performed by the respective first and second mitigation devices, and the first and second mitigation devices have two different types, the types being selected from a threat management system (TMS) performing software threat management with software mitigation using software blacklisting;
    - a switch device integrated with a chassis of the TMS, the switch device performing hardware mitigation using hardware blacklisting; and
      
      an offloaded hardware device physically remote from the chassis, the offloaded hardware device performing hardware mitigation using hardware blacklisting.
  - 5. The method of claim 1, wherein the first blacklist has limited space for including entries available relative to the second blacklist.
  - 6. The method of claim 5 further comprising:
    - monitoring incoming network traffic;
      
      comparing a characteristic of sources sending network traffic determined to include threat traffic to entries that were previously stored on the first blacklist;
      
      identifying, based on the comparison, sources that are associated with entries previously stored on the first blacklist; and
      
      adding entries previously stored on the first blacklist that are associated with the identified sources.
  - 7. The method of claim 6, further comprising:
    - determining whether a source of the network traffic determined to be transmitting threat traffic is transmitting a larger amount of threat traffic than has been transmitted by sources associated with entries in the second blacklist;
      
      adding an entry associated with the source to the third blacklist if it is determined that the source is transmitting the larger amount of threat traffic; and
      
      adding an entry associated with the source to the second blacklist if it is determined that the source is not transmitting the larger amount of threat traffic.
  - 8. The method of claim 1, wherein the first mitigation process is performed upstream relative to the central blacklist manager.
  - 9. The method of claim 1, wherein moving entries to and from the second blacklist is more time consuming than moving entries to the first blacklist.
  - 10. The method of claim 1, wherein each of the first, second and third mitigation systems includes a computer processor independent of one another for monitoring the respective blacklist of each of the first, second and third mitigation systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
St. Pierre, Brian
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/290,809
Publication Number

US 20180103057A1
Time in Patent Office

1,113 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/20 for managing network securi...

System and method for managing tiered blacklists for mitigating network attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

System and method for managing tiered blacklists for mitigating network attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others