System and method for preventing network misuse
Abstract
A system and method for preventing misuse conditions on a data network are described. Embodiments of the system and method evaluate potential network misuse signatures by analyzing variables such as the state of the network and/or target, the context in which the potential misuse signatures are detected, the response/reaction of the target, and/or the fingerprint of the target. These and other variables may be factored into the misuse determination, either alone or in combination.
489 Citations
Claims (52 in total; independent claims 1, 12, 22, 34, 46 and 51 are listed below)
1. A computer-implemented method comprising:
- identifying a plurality of data signatures relevant to computer security;
- designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the contextual information, the data signatures, and the alert condition values;
- detecting a data signature by evaluating communications at an application layer level between a target and a suspect;
- correlating said data signature with an application layer fingerprint of the target to determine to what extent said target is vulnerable to said data signature;
- evaluating contextual information related to the data signature by comparing the contextual information and the data signature to the table in order to determine a likelihood that said target is under attack; and
- assigning an alert condition value to the data signature based on the comparison of the contextual information and data signature to data in the table.
Dependent claims: 2–11.

12. A computer-implemented method comprising:
- identifying a plurality of data signatures relevant to computer security;
- designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the data signatures, contextual information, and alert condition values;
- identifying a data signature encapsulated in an application layer data field and directed at a target using an application layer protocol;
- evaluating a context of the data signature by one of:
  - reviewing the application layer data field type;
  - reviewing the application layer protocol type;
- comparing the evaluated context of the data signature to the table;
- determining whether said data signature poses a threat based on said context of said data signature; and
- assigning an alert condition value to the data signature based on the comparison of the context to data in the table.
Dependent claims: 13–21.

22. A computer-implemented method comprising:
- identifying a plurality of data signatures relevant to computer security;
- designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the contextual information, the data signatures, and the relative alert condition values;
- monitoring a plurality of data transmissions at an applications layer level between a suspect and a target to identify one or more data signatures, said data transmissions indicating a current state of communication between said suspect and said target;
- evaluating contextual information related to each data signature by comparing the contextual information and data signatures to the table;
- evaluating a likelihood that said target is under attack based on the contextual information of one or more data signatures of said transmissions and said current state of communication; and
- assigning a relative alert condition value to the data signature based on the comparison of the contextual information to data in the table.
Dependent claims: 23–33.

34. A machine-readable physical medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:
- identifying a plurality of data signatures relevant to computer security;
- designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the relative alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the contextual information, the data signatures, and the relative alert condition values;
- detecting a data signature by evaluating communications at an application layer level between a target and a suspect;
- correlating said data signature with a fingerprint of the target to determine to what extent said target is vulnerable to said data signature; and
- evaluating contextual information related to the data signature by comparing the contextual information and the data signature to the table in order to determine a likelihood that said target is under attack; and
- assigning a relative alert condition value to the data signature based on the comparison of the contextual information and data signature to data in the table.
Dependent claims: 35–45.

46. A machine-readable physical medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:
- identifying a plurality of data signatures relevant to computer security;
- designating an alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the data signatures, the contextual information, and the alert condition values;
- identifying a data signature encapsulated in an application layer data field directed at a target using an application layer protocol;
- evaluating a context of the data signature by one of:
  - reviewing the application layer data field type;
  - reviewing the application layer protocol type; and
- comparing the evaluated context of the data signature to the table;
- determining whether said data signature poses a threat based on said context of said data signature; and
- assigning an alert condition value to the data signature based on the comparison of the context to data in the table.
Dependent claims: 47–50.

51. A machine-readable physical medium having program code stored thereon which, when executed by a machine, causes said machine to perform the operations of:
- identifying a plurality of data signatures relevant to computer security;
- designating a relative alert condition value to each data signature based on each data signature itself and contextual information associated with the data signature, each alert condition value comprising a ranked value that is unique to each combination of data signature and contextual information associated with a particular data signature, the contextual information comprising at least one of an application layer data field type used to encapsulate the data signature and an application layer protocol type used to transmit the data signature, the relative alert condition value indicating a security risk level relative to different data signatures and relative to other identical data signatures associated with different contextual information;
- creating a table comprising the contextual information, the data signatures, and the relative alert condition values;
- monitoring a plurality of data transmissions at an applications layer level between a suspect and a target to identify one or more data signatures, said data transmissions indicating a current state of communication between said suspect and said target;
- evaluating contextual information related to each data signature by comparing the contextual information and data signatures to the table;
- evaluating a likelihood that said target is under attack based on the contextual information of one or more data signatures of said transmissions and said current state of communication; and
- assigning a relative alert condition value to the data signature based on the comparison of the contextual information to data in the table.
Dependent claims: 52.

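The following Python is an added illustration of the claimed steps, written for this page; it is not code from the patent, its assignee, or any product. It builds the claimed table keyed by (data signature, application-layer field type, application-layer protocol type) with one ranked alert condition value per combination, extracts fields from constructed HTTP and SMTP messages, looks each match up in the table, and correlates the result with a hypothetical target fingerprint, so that the same signature is ranked differently depending on the field it arrives in, the protocol carrying it, and whether the target is known to be vulnerable to it (claims 1, 12, 34 and 46). The signature patterns, alert values, server names and sample messages are all constructed; the "current state of communication" of claims 22 and 51 is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical data signatures (name -> pattern), constructed for this example.
SIGNATURES: Dict[str, re.Pattern] = {
    "TRAVERSAL": re.compile(r"\.\./"),
    "SCRIPT_TAG": re.compile(r"<script", re.IGNORECASE),
}

# The claimed table: one ranked alert condition value per combination of
# (data signature, application-layer field type, application-layer protocol).
# Values are constructed; higher means higher risk. Note that the same
# signature ranks differently by field and by protocol.
ALERT_TABLE: Dict[Tuple[str, str, str], int] = {
    ("TRAVERSAL", "uri-path", "http"): 9,
    ("TRAVERSAL", "body", "http"): 6,
    ("TRAVERSAL", "user-agent", "http"): 3,
    ("SCRIPT_TAG", "uri-query", "http"): 7,
    ("SCRIPT_TAG", "body", "http"): 5,
    ("SCRIPT_TAG", "subject", "smtp"): 2,
}
DEFAULT_ALERT = 1  # combination missing from the table: lowest rank, still recorded

# Hypothetical application-layer fingerprints and the signatures each target
# version is known to be vulnerable to (constructed; stands in for an inventory).
FINGERPRINT_VULN: Dict[str, FrozenSet[str]] = {
    "ExampleHTTPd/1.0": frozenset({"TRAVERSAL", "SCRIPT_TAG"}),
    "ExampleHTTPd/2.3": frozenset({"SCRIPT_TAG"}),
}


@dataclass(frozen=True)
class Detection:
    signature: str
    field_type: str
    protocol: str
    alert: int  # ranked value taken from the table
    score: int  # alert after correlation with the target fingerprint


def extract_fields(protocol: str, raw: str) -> List[Tuple[str, str]]:
    """Split a message into (field type, value) pairs: for HTTP the request
    target (uri-path, uri-query), each header (lower-cased name) and the body;
    for SMTP each header and the body. Minimal parser, not a full RFC one."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields: List[Tuple[str, str]] = []
    if protocol == "http":
        parts = lines[0].split(" ")  # METHOD SP request-target SP version
        target = parts[1] if len(parts) > 1 else ""
        path, _, query = target.partition("?")
        fields.append(("uri-path", path))
        if query:
            fields.append(("uri-query", query))
        lines = lines[1:]
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    if body:
        fields.append(("body", body))
    return fields


def detect(protocol: str, raw: str, fingerprint: Optional[str] = None) -> List[Detection]:
    """Match signatures per field, look up the context-specific alert value, and
    correlate with the target fingerprint: an unknown target keeps the table
    value; a target known not to be vulnerable is demoted to the lowest rank."""
    vulnerable_to = FINGERPRINT_VULN.get(fingerprint) if fingerprint else None
    results: List[Detection] = []
    for field_type, value in extract_fields(protocol, raw):
        for sig_name, pattern in SIGNATURES.items():
            if not pattern.search(value):
                continue
            alert = ALERT_TABLE.get((sig_name, field_type, protocol), DEFAULT_ALERT)
            if vulnerable_to is not None and sig_name not in vulnerable_to:
                score = DEFAULT_ALERT
            else:
                score = alert
            results.append(Detection(sig_name, field_type, protocol, alert, score))
    return results


def max_alert(detections: List[Detection]) -> int:
    """Highest correlated score across a set of detections (0 when none)."""
    return max((d.score for d in detections), default=0)


# Constructed sample traffic (not captured from any real system).
HTTP_PATH_TRAVERSAL = ("GET /static/../../app.conf HTTP/1.1\r\nHost: www.example.com\r\n"
                       "User-Agent: ExampleBrowser/1.0\r\n\r\n")
HTTP_UA_PROBE = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: probe ../ test\r\n\r\n")
SMTP_MESSAGE = "From: alice@example.com\r\nSubject: <script>hello\r\n\r\nplain text body\r\n"

if __name__ == "__main__":
    for proto, msg, fp in [("http", HTTP_PATH_TRAVERSAL, "ExampleHTTPd/1.0"),
                           ("http", HTTP_PATH_TRAVERSAL, "ExampleHTTPd/2.3"),
                           ("http", HTTP_UA_PROBE, None), ("smtp", SMTP_MESSAGE, None)]:
        for d in detect(proto, msg, fp):
            print(proto, fp or "-", d.signature, "in", d.field_type, "table", d.alert, "score", d.score)
```

Running the script shows the traversal pattern in the request path scoring 9 against the 1.0 server but only 1 against the 2.3 server that the inventory marks as not vulnerable, the same pattern in a User-Agent header scoring 3, and a script tag in an SMTP subject scoring 2: the ranking comes from the (signature, field, protocol) row and the fingerprint, not from the signature alone.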
Specification