Suspect traffic redirection

US 20070097976A1
Filed: 05/19/2006
Published: 05/03/2007
Est. Priority Date: 05/20/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network;

detecting a message that originates from a noninteractive process of a source device within the subnetwork and is destined to at least one of the suspect addresses in the external network;

redirecting the message to an interrogation module; and

identifying the source device within the subnetwork based on the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system receives suspect traffic information pertaining to possible network threats. A router detects and redirects suspect traffic from within a subnetwork to an interrogation module. The interrogation module receives the redirected suspect traffic and identifies the source device from within the subnetwork. The interrogation module can also identify the type of suspect traffic, the original destination of the suspect traffic and the protocol type of the packet. Suspect traffic information can be updated and the router can be reconfigured to accommodate the updated information.

378 Citations

36 Claims

1. A method comprising:
- receiving within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network;
  
  detecting a message that originates from a noninteractive process of a source device within the subnetwork and is destined to at least one of the suspect addresses in the external network;
  
  redirecting the message to an interrogation module; and
  
  identifying the source device within the subnetwork based on the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - configuring a router in the subnetwork to redirect messages that originate from a source device within the subnetwork and are destined to at least one of the suspect addresses in the external network.
  - 3. The method of claim 2 further comprising:
    - receiving within the subnetwork an updated set of suspect addresses in the external network; and
      
      configuring a router in the subnetwork to redirect messages that are destined to at least one of the suspect addresses in the updated set of suspect addresses in the external network.
  - 4. The method of claim 1 further comprising:
    - altering a routing table of a router in the subnetwork to redirect messages that originate from a source device within the subnetwork and are destined to at least one of the suspect addresses in the external network.
  - 5. The method of claim 4 further comprising:
    - receiving within the subnetwork an updated set of suspect addresses in the external network; and
      
      altering a routing table of a router in the subnetwork to redirect messages that are destined to at least one of the suspect addresses in the updated set of suspect addresses in the external network.
  - 6. The method of claim 1 wherein the set of suspect addresses in the external network is received in Border Gateway Protocol format.
  - 7. The method of claim 1 wherein the detecting operation comprises:
    - determining that the message includes a destination address that is a member of the set of suspect addresses.
  - 8. The method of claim 1 wherein the detecting operation comprises:
    - determining that the message includes a source address that within the subnetwork.
  - 9. The method of claim 1 wherein the redirecting operation comprises:
    - forwarding the message to a forwarding address in a routing table, wherein the forwarding address is associated with a suspect address in the routing table.
  - 10. The method of claim 1 wherein a router receives the message and the redirecting operation comprises:
    - forwarding the message to the interrogation module within the router.
  - 11. The method of claim 1 wherein a router receives the message and the redirecting operation comprises:
    - forwarding the message to an interrogation module at another address within the subnetwork.
  - 12. The method of claim 1 wherein the identifying operation comprises:
    - examining the message to determine the source device address within the subnetwork.
  - 13. The method of claim 1 wherein the identifying operation comprises:
    - examining the message to determine the destination address within the external network.
  - 14. The method of claim 1 further comprising:
    - determining a type of suspect address to which the message was destined.
  - 15. The method of claim 14 wherein the determining operation employs an implementation of the Practical Algorithm to Retrieve Information Coded in Alphanumeric to determine the type of suspect address to which the messages was destined.
  - 16. The method of claim 1 further comprising:
    - determining the protocol type of the message.

17. A computer program product encoding a computer program for a computer process that executes on a computer system, the computer process comprising:
- receiving within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network;
  
  detecting a message that originates from a process of a source device within the subnetwork and is destined to at least one of the suspect addresses in the external network, wherein the process has not been intentionally initiated by an authorized user of the client device;
  
  redirecting the message to an interrogation module; and
  
  identifying the source device within the subnetwork based on the message.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32)
- - 18. The computer program product of claim 17 wherein the computer process further comprises:
    - configuring a router in the subnetwork to redirect messages that originate from a source device within the subnetwork and are destined to at least one of the suspect addresses in the external network.
  - 19. The computer program product of claim 18 wherein the computer process further comprises:
    - receiving within the subnetwork an updated set of suspect addresses in the external network; and
      
      configuring a router in the subnetwork to redirect messages that are destined to at least one of the suspect addresses in the updated set of suspect addresses in the external network.
  - 20. The computer program product of claim 17 wherein the computer process further comprises:
    - altering a routing table of a router in the subnetwork to redirect messages that originate from a source device within the subnetwork and are destined to at least one of the suspect addresses in the external network.
  - 21. The computer program product of claim 20 wherein the computer process further comprises:
    - receiving within the subnetwork an updated set of suspect addresses in the external network; and
      
      altering a routing table of a router in the subnetwork to redirect messages that are destined to at least one of the suspect addresses in the updated set of suspect addresses in the external network.
  - 22. The computer program product of claim 17 wherein the set of suspect addresses in the external network is received in Border Gateway Protocol format.
  - 23. The computer program product of claim 17 wherein the detecting operation comprises:
    - determining that the message includes a destination address that is a member of the set of suspect addresses.
  - 24. The computer program product of claim 17 wherein the detecting operation comprises:
    - determining that the message includes a source address that within the subnetwork.
  - 25. The computer program product of claim 17 wherein the redirecting operation comprises:
    - forwarding the message to a forwarding address in a routing table, wherein the forwarding address is associated with a suspect address in the routing table.
  - 26. The computer program product of claim 17 wherein a router receives the message and the redirecting operation comprises:
    - forwarding the message to the interrogation module within the router.
  - 27. The computer program product of claim 17 wherein a router receives the message and the redirecting operation comprises:
    - forwarding the message to an interrogation module at another address within the subnetwork.
  - 29. The computer program of claim 17 wherein the identifying operation comprises:
    - examining the message to determine the destination address within the external network.
  - 30. The computer program product of claim 17 further comprising:
    - determining a type of suspect address to which the message was destined.
  - 31. The computer program product of claim 30 wherein the determining operation employs an implementation of the Practical Algorithm to Retrieve Information Coded in Alphanumeric to determine the type of suspect address to which the messages was destined.
  - 32. The computer program products of claim 17 further comprising:
    - determining the protocol type of the message.

28. The computer program product of claimed 17 wherein the identifying operation comprises:
- examining the message to determine the source device address within the subnetwork.

33. A system comprising:
- an interface within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network;
  
  a router detecting a message that originates from a noninteractive process of a source device within the subnetwork and is destined to at least one of the suspect addresses in the external network and redirecting the message; and
  
  an interrogation module receiving the redirected message and identifying the source device within the subnetwork based on the message.

34. A method comprising:
- receiving within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network;
  
  receiving a redirected message, the redirected message originating from a noninteractive process of a source device within the subnetwork and being previously destined to at least one of the suspect addresses in the external network; and
  
  identifying the source device within the subnetwork based on the message.
- View Dependent Claims (35)
- - 35. A computer-readable medium having computer-executable instructions for performing a computer process that implements the operations recited in claim 34.

36. A system comprising:
- an interface receiving within a subnetwork a set of suspect addresses, wherein the subnetwork is coupled to an external network and the suspect addresses represent device addresses in the external network; and
  
  an adaptive interrogation module receiving a redirected message, the redirected message originating from a source device within the subnetwork and being previously destined to at least one of the suspect addresses in the external network and identifying the source device within the subnetwork based in the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MainNerve, Inc.
Original Assignee
MainNerve, Inc.
Inventors
Watson, Brett, Broyles, Mark, Wood, George, Joffe, Rodney, Oppleman, Victor, Dunagan, Jesse, Kanner, Zachary, Willett, James

Application Number

US11/437,264
Publication Number

US 20070097976A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 2463/144 Detection or countermeasure...

H04L 63/1416 Event detection, e.g. attac...

Suspect traffic redirection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

378 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Suspect traffic redirection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

378 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links