System and method for coordinating network incident response activities

US 20060212932A1
Filed: 01/10/2005
Published: 09/21/2006
Est. Priority Date: 01/10/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for controlling a plurality of network-attached devices to manage countermeasures specific to mitigating or prohibiting a network attack, comprising steps of:

a) Receiving from an originating source an electronic communication comprising an alert for an attack;

b) Generating a list of eligible devices and applications on the target network that may be impacted by or may facilitate the attack;

c) Selecting an optimal countermeasure specific to the attack to be deployed at each selected device based on the capabilities of the device;

d) Communicating electronically with each selected device to activate countermeasures;

e) Optionally communicating electronically to the originating source status information specific to the successful deployment of each countermeasure;

f) Optionally receiving from the originating source an electronic communication to remove the countermeasures;

g) Communicating electronically with each listed device to deactivate each countermeasure;

h) Optionally communicating electronically to the originating source status information specific to the successful removal of each countermeasure.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method to process information regarding a network attack through an automated workflow that actively reconfigures a plurality of heterogeneous network-attached devices and applications to dynamically counter the attack using the network'"'"'s own self-defense mechanisms. The present invention leverages the security capabilities present within existing and new network-attached devices and applications to affect a distributed defense that immediately quarantines and/or mitigates attacks from hostile sources at multiple points simultaneously throughout the network. In a preferred embodiment, deployed countermeasures are automatically lifted following remediation activities.

202 Citations

16 Claims

1. A computer-implemented method for controlling a plurality of network-attached devices to manage countermeasures specific to mitigating or prohibiting a network attack, comprising steps of:
- a) Receiving from an originating source an electronic communication comprising an alert for an attack;
  
  b) Generating a list of eligible devices and applications on the target network that may be impacted by or may facilitate the attack;
  
  c) Selecting an optimal countermeasure specific to the attack to be deployed at each selected device based on the capabilities of the device;
  
  d) Communicating electronically with each selected device to activate countermeasures;
  
  e) Optionally communicating electronically to the originating source status information specific to the successful deployment of each countermeasure;
  
  f) Optionally receiving from the originating source an electronic communication to remove the countermeasures;
  
  g) Communicating electronically with each listed device to deactivate each countermeasure;
  
  h) Optionally communicating electronically to the originating source status information specific to the successful removal of each countermeasure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the received electronic communications from the originating source may include authentication credentials which are checked against a directory for authorization limiting which devices are available for countermeasure coordination by the originating source, or in the absence of authentication credentials a default limit is imposed based on the perceived originating source type or location.
  - 3. The method of claim 1, wherein the authentication credentials provided by the originating source are passed through to the devices selected for countermeasure coordination, having the credentials retained permanently only by the originating source.
  - 4. The method of claim 1, wherein the received electronic communication comprising the alert provides attack event targeting information consisting of characteristics that define the attack and may include any, all, or some combination of the following network and host characteristics specific to the attack:
    - protocol;
      
      source address or address range;
      
      destination address or destination range;
      
      protocol attributes;
      
      packet signature or regular expression depicting the packet contents;
      
      source device types;
      
      destination device types;
      
      candidate countermeasure coordination device list.
  - 5. The method of claim 1, wherein the received electronic communication comprising the alert provides a priority for the alert which is used to determine precedence for selecting which alert to process first when multiple alerts are received simultaneously which exceed available resources for immediate response and which alerts to suspend when an alert exceeding available resources for immediate response is received with a higher precedence than alerts which are currently being processed with available resources.
  - 6. The method of claim 1, wherein the received electronic communication comprising the alert provides a timeframe and/or duration to schedule an automated start and/or stop time for deployment of countermeasures.
  - 7. The method of claim 1, wherein the list of devices for countermeasure coordination is generated based on input provided by the originating source attack alert compared to an active rules set and the current state of a topology database maintained for this purpose.
  - 8. The method of claim 1, wherein the countermeasure selected for deployment at a given device is chosen based on input provided by the originating source compared to a virtualization layer which exposes the capabilities of each device in a standard manner and incorporates plug-in device drivers for each supported device type.
  - 9. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 1.

10. A system for controlling a plurality of network-attached devices to manage countermeasures specific to mitigating or prohibiting a network attack, the system comprising:
- a) An interface connecting the system to a communications network;
  
  b) A system clock capable of keeping time independently and/or in sync with an external time source attached to the communications network;
  
  c) A data store capable of receiving and storing electronic communications, data associated therewith, system configuration data, network configuration data, device configuration data, and combinations thereof;
  
  d) A system processor in communication with the interface and data store and comprising one or more processing elements programmed to;
  
  i) Receive communication via the interface wherein the received communication is transmitted from an originating source which has determined that a network attack is either imminent, underway, recently witnessed and expected to recur, or no longer ongoing;
  
  ii) Store the received communication in the data store and process the event as a parent transaction tracked within an activity queue that contains the transaction identifier, description and current status;
  
  iii) Assign a start time to the parent transaction and an expiration time and/or maximum duration if provided in the received communication;
  
  iv) Parse the received communication and perform a plurality of tests to determine the type and number of child transactions required to rapidly activate or deactivate countermeasures across the target network based on the context of the received communication to mitigate or prohibit a network attack where each child transaction is associated with a countermeasure at a specific network device;
  
  v) Execute each transaction across a plurality of network devices processed through a device driver which uses the system interface to communicate between the system, the communications network, and the devices on the target network;
  
  vi) Update the current state of each transaction as recorded in the queue;
  
  vii) Output status notifications to the originating source.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the system processor runs a programmed timer service which tracks the duration of transactions specific to network countermeasure activities in the queue and for those transactions with identified expiration values will change the state listed within the queue to expire for transactions where the duration of the transaction exceeds the duration value or the expiration time has passed as measured against a system clock.
  - 12. The system of claim 10, wherein the system processor performs subsequent attempts to accomplish a transaction specific to network countermeasure activities in the event that the transaction execution fails, continuing to attempt successful accomplishment of the transaction until the transaction is either accomplished or expires.
  - 13. The system of claim 10, wherein the system processor schedules subsequent attempts to accomplish a failed transaction by modifying the transaction execution start time with an interval that exponentially increments following each failed attempt and includes a random value to offset the interval from being fixed and predictable.
  - 14. The system of claim 10, wherein the system processor is capable of multi-tasking and executes a serialization function to ensure all child transactions specific to network countermeasure activities in the queue are evaluated serially across a given device, ensuring that the system can communicate with multiple devices concurrently in parallel, but will communicate with any given device in a serial manner to avoid potential race conditions between multiple transactions assigned to a given device.
  - 15. The system of claim 10, wherein metrics specific to each transaction are recorded in the data store and this statistical data is applied as weighted factors to subsequent transactions for reducing the time required by the system to deploy and manage the most effective and greatest number of countermeasures in the least amount of time.
  - 16. The system of claim 10, wherein the system is coordinating countermeasures across a plurality of varied and different network devices that may not have a primary function to mitigate or prohibit network attacks but the system enables capabilities of each network device which will negatively impact a network attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Patrick Roberts
Inventors
Patrick, Robert, Key, Christopher, Holzberger, Paul

Granted Patent

US 8,850,565 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

System and method for coordinating network incident response activities

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

202 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for coordinating network incident response activities

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

202 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links