Method and system for dynamically protecting a computer system from attack

US 7,913,303 B1
Filed: 03/27/2003
Issued: 03/22/2011
Est. Priority Date: 01/21/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for dynamically protecting a computer system comprising the steps of:

generating a policy for defending the system from an attack;

receiving a data packet at the system;

comparing information in the data packet to the policy to determine if an intrusion event has been detected;

determining if the data packet should be blocked from entering the system based on the policy for defending the system;

determining a method of blocking the data packet based on a positive determination to block the data packet from entering the system; and

blocking the packet from entering the system using the determined method.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic protection system can analyze a computer system to determine its vulnerabilities to attack and generate a policy for protecting the computer system based on the identified vulnerabilities. Data received by the computer system can be analyzed to determine if it poses a threat to the system. This can prevent the data from entering the system or host based on a determination that the data poses a threat. Also, the dynamic protection system can receive policy updates to allow it to protect the system more efficiently and effectively. In other words, the dynamic protection system can protect an evolving computer system operating in an environment that is characterized by constantly changing methods of attack. Furthermore, by minimizing a need for manual intervention, attacks can be rapidly and accurately detected with a minimization of false positives, thereby lowering the cost of operation.

425 Citations

58 Claims

1. A computer-implemented method for dynamically protecting a computer system comprising the steps of:
- generating a policy for defending the system from an attack;
  
  receiving a data packet at the system;
  
  comparing information in the data packet to the policy to determine if an intrusion event has been detected;
  
  determining if the data packet should be blocked from entering the system based on the policy for defending the system;
  
  determining a method of blocking the data packet based on a positive determination to block the data packet from entering the system; and
  
  blocking the packet from entering the system using the determined method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The computer-implemented method of claim 1 further comprising the step of passing the data packet to the system based on a negative determination to block the data packet from entering the system.
  - 3. The computer-implemented method of claim 1, wherein the step of generating the policy for defending the system from attack comprises:
    - evaluating the system for vulnerabilities to a plurality of known attacks;
      
      generating a vulnerability assessment report based on the evaluation of the system;
      
      analyzing a plurality of hosts for the system to determine the vulnerability of the plurality of hosts to the attacks based on the vulnerability assessment report;
      
      determining if at least one of the plurality of hosts are vulnerable to one of the attacks based on the analysis of the vulnerability assessment report;
      
      generating the policy to protect the system and the plurality of hosts from attacks associated with the plurality of vulnerabilities in the vulnerability assessment report based on a positive determination that at least one host is vulnerable to one of the attacks; and
      
      sending the policy to a plurality of sensors.
  - 4. The computer-implemented method of claim 3, wherein the step of analyzing a plurality of hosts comprises correlating information in the vulnerability assessment report to prioritize actions to be taken in dynamically protecting the system.
  - 5. The computer-implemented method of claim 3, wherein the plurality of sensors comprise host sensors and network sensors.
  - 6. The computer-implemented method of claim 1, wherein the step of determining if the data packet should be blocked from entering the system comprises the steps of:
    - evaluating the data packet to determine if the data packet comprises characteristics which make the data packet suspicious, said characteristics comprising characteristics of known attacks; and
      
      determining whether to block the data packet based solely on a determination that the data packet contains at least one of the characteristics which make the data packet suspicious.
  - 7. The computer-implemented method of claim 6 further comprising the steps of:
    - retrieving a protocol from the data packet based on a negative determination to block the data packet; and
      
      determining a protocol type from the protocol in the data packet.
  - 8. The computer-implemented method of claim 6 further comprising the step of blocking the data packet based on a positive determination that the data packet contains at least one of the characteristics which make the data packet suspicious.
  - 9. The computer-implemented method of claim 1 wherein the method of blocking the data packet comprises at least one active method and a passive method.
  - 10. The computer-implemented method of claim 9, wherein the passive method of blocking a data packet comprises the steps of:
    - determining if the system will send a reset packet to a party who sent the data packet; and
      
      if so, sending the reset packet to the party who sent the data packet, the reset packet operative to communicate to the party that the system has disconnected from the party.
  - 11. The computer-implemented method of claim 10 further comprising the steps of:
    - determining if the system will reset at least one of a plurality of hosts that is vulnerable to the attack by the data packet;
      
      retrieving at least one identification code from the at least one host based on a positive determination that the at least one host is vulnerable to the attack;
      
      identifying each of the hosts to be reset based on each identification code; and
      
      sending the reset packet to each of the identified hosts.
  - 12. The computer-implemented method of claim 11 further comprising the step of allowing the data packet to enter the system in response to sending the reset packet to each of the identified hosts.
  - 13. The computer-implemented method of claim 9 wherein a first active method of blocking a data packet from the system comprises:
    - determining if a rule for blocking the packet is no longer valid because the time limit for the rule is expired;
      
      determining if a network address for a party sending the data packet should be blocked from the system if the rule for blocking the packet is valid;
      
      inserting into a blocking criteria an instruction to block the network address for the party sending the data packet based on a positive determination to block the network address; and
      
      applying the blocking criteria to the data packet.
  - 14. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if the port of the party sending the data packet should be blocked from the system; and
      
      inserting into the blocking criteria an instruction blocking the port belonging to the party sending the data packet based on a positive determination to block the port.
  - 15. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if at least one of a plurality of host network addresses should be blocked from the system; and
      
      inserting into the block criteria an instruction blocking at least one host network address based on a positive determination to block host network addresses.
  - 16. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if at least one of a plurality of host ports should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking at least one host port based on a positive determination to block host ports.
  - 17. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if a block percentage has been met on the system, whereby the block percentage is a numerical value corresponding to the number of data packets blocked as compared to the total number of data packets received by the system; and
      
      inserting an instruction into block criteria blocking the data packet meeting the block percentage based on a positive determination that the block percentage has been met.
  - 18. The computer-implemented method of claim 13, wherein the first active method of blocking a data packet is initiated on each data packet comprising transmission control protocol and user datagram protocol.
  - 19. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if a packet internet control message protocol (“
      
      ICMP”
      
      ) code should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking the packet internet control message protocol code from the system based on a positive determination to block packet internet control message protocol code.
  - 20. The computer-implemented method of claim 13 further comprising the steps of:
    - determining if at least one of a plurality of host internet control message protocol types should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking at least one host internet control message protocol type based on a positive determination to block host internet control message protocol types.
  - 21. The computer-implemented method of claim 13, wherein a second active method of blocking a data packet is initiated on each data packet comprising internet control message protocol.
  - 22. The computer-implemented method of claim 1, wherein the data packet comprises a stream of data being sent from a first point to a second point.
  - 23. A computer-readable tangible storage device having computer-executable instructions for performing the steps recited in claim 1.

24. A computer-implemented method for dynamically protecting a host from attacks comprising the steps of:
- receiving a policy for defending the host from attack;
  
  sending the policy to at least one of a plurality of host sensors associated with the host;
  
  receiving a data packet at one of the host sensors;
  
  scanning the data packet to determine if the data packet contains at least one suspicious event;
  
  determining if the data packet should be blocked from passage to the host based on the received policy in response to detection of at least one suspicious event;
  
  selecting a method of blocking the data packet from a set of block criteria based on a positive determination to block the data packet from entering the host;
  
  blocking the packet from entering the host using the selected method;
  
  determining if a block percentage has been met on the system, whereby the block percentage is a numerical value corresponding to the number of data packets blocked as compared to the total number of data packets received by the system; and
  
  inserting an instruction into the block criteria blocking the data packet meeting the block percentage based on a positive determination that the block percentage has been met.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 25. The computer-implemented method of claim 24 wherein the method of blocking the data packet comprises at least one active method and a passive method.
  - 26. The computer-implemented method of claim 25, wherein the passive method of blocking a data packet from the system comprises the steps of:
    - determining if the system will send a reset packet to a party who sent the data packet; and
      
      sending the reset packet to the party who sent the data packet, the reset packet operative to communicate to the party that the system has disconnected from the party.
  - 27. The computer-implemented method of claim 26 further comprising the steps of:
    - determining if the system will reset at least one of a plurality of hosts that is vulnerable to the attack by the data packet;
      
      retrieving at least one identification code from the at least one host based on a positive determination that the at least one host is vulnerable to the attack;
      
      identifying each of the hosts to be reset based on the identification codes; and
      
      sending the reset packet to each of the identified hosts.
  - 28. The computer-implemented method of claim 27 further comprising the step of allowing the data packet to enter the system in response to sending the reset packet to each of the identified hosts.
  - 29. The computer-implemented method of claim 25 wherein a first active method of blocking a data packet from the host comprises:
    - determining if a rule for blocking the packet is no longer valid because the time limit for the rule is expired;
      
      determining if a network address for a party sending the data packet should be blocked from the system if the rule for blocking the packet is valid;
      
      inserting into a blocking criteria an instruction to block the network address for the party sending the data packet based on a positive determination to block the network address; and
      
      applying the blocking criteria to the data packet.
  - 30. The computer-implemented method of claim 29 further comprising the steps of:
    - determining if the port of the party sending the data packet should be blocked from the system; and
      
      inserting an instruction into the blocking criteria blocking the port belonging to the party sending the data packet based on a positive determination to block the port.
  - 31. The computer-implemented method of claim 29 further comprising the steps of:
    - determining if at least one of a plurality of host network addresses should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking at least one host network address based on a positive determination to block host internet addresses.
  - 32. The computer-implemented method of claim 29 further comprising the steps of:
    - determining if at least one of a plurality of host ports should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking at least one host port based on a positive determination to block host ports.
  - 33. The computer-implemented method of claim 29, wherein the first active method of blocking a data packet is initiated on each data packet comprising transmission control protocol and user datagram protocol.
  - 34. The computer-implemented method of claim 29 further comprising the steps of:
    - determining if a packet internet control message protocol (“
      
      ICMP”
      
      ) code should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking the packet internet control message protocol code from the system based on a positive determination to block packet internet control message protocol code.
  - 35. The computer-implemented method of claim 29 further comprising the steps of:
    - determining if at least one of a plurality of host internet control message protocol types should be blocked from the system; and
      
      inserting an instruction into the block criteria blocking at least one host internet control message protocol type based on a positive determination to block host internet control message protocol types.
  - 36. The computer-implemented method of claim 29, wherein a second active method of blocking a data packet is initiated on each data packet comprising internet control message protocol.
  - 37. The computer-implemented method of claim 24, wherein the step of scanning the data packet to determine if the data packet contains at least one suspicious event comprises the steps of:
    - scanning the data packet;
      
      determining if the data packet contains at least one suspicious event which makes the host vulnerable to an attack by the data packet;
      
      generating a report based on the positive determination that the data packet contains at least one suspicious event;
      
      eliminating the host'"'"'s vulnerability to the attack by the data packet by correlating information in the generated report; and
      
      generating a policy to scan the host for vulnerability to this attack in the future.
  - 38. The computer-implemented method of claim 37 further comprising the steps of:
    - determining if a new policy is received by the host;
      
      parsing the new policy based on a positive determination that a new policy was received by the host;
      
      receiving at least one of a plurality of algorithms at the host from the parsed new policy; and
      
      sending the algorithms to at least one of the plurality of host sensors.
  - 39. A computer-readable tangible storage device having computer-executable instructions for performing the steps recited in claim 24.

40. A computer-implemented method for dynamically protecting a computer network from attacks comprising the steps of:
- generating a policy for defending the network from attack;
  
  sending the generated policy to at least one of a plurality of network sensors;
  
  receiving a data packet by at least one network sensor;
  
  comparing information in the data packet to the policy to determine if an intrusion event has been detected;
  
  processing the data packet by at least one network sensor to determining if the data packet should be blocked from entering the network based on the policy;
  
  selecting a method of blocking the data packet based on a positive determination to block the data packet from entering the network; and
  
  blocking the packet from entering the network using the selected method.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 41. The computer-implemented method of claim 40 further comprising the steps of:
    - determining if the network contains a data correlation component; and
      
      analyzing the data packet by correlating information in the data packet at the data correlation component.
  - 42. The computer-implemented method of claim 41 further comprising the step of generating a new policy for protecting the network from attack based on the analysis by the data correlation component.
  - 43. The computer-implemented method of claim 40 further comprising the step of passing the data packet to the network based on a negative determination to block the data packet from the network.
  - 44. The computer-implemented method of claim 40, wherein the method of blocking the data packet comprises at least one active method and a passive method.
  - 45. The computer-implemented method of claim 44, wherein the passive method of blocking a data packet from the network comprises the steps of:
    - determining if the network will send a reset packet to a party who sent the data packet; and
      
      sending the reset packet to the party who sent the data packet, the reset packet operative to communicate to the party that the network has disconnected from the party.
  - 46. The computer-implemented method of claim 45 further comprising the steps of:
    - determining if the network will reset at least one of a plurality of hosts that is vulnerable to the attack by the data packet;
      
      retrieving at least one identification code from the at least one host based on a positive determination that the at least one host is vulnerable to the attack;
      
      identifying each of the hosts to be reset based on the identification codes; and
      
      sending the reset packet to each of the identified hosts.
  - 47. The computer-implemented method of claim 46 further comprising the step of allowing the data packet to enter the network in response to sending the reset packet to each of the identified hosts.
  - 48. The computer-implemented method of claim 44, wherein a first active method of blocking a data packet from the network comprises:
    - determining if a rule for blocking the packet is no longer valid because the time limit for the rule is expired;
      
      determining if a network address for a party sending the data packet should be blocked from the network if the rule for blocking the packet is valid;
      
      inserting an instruction into a blocking criteria to block the network address for the party sending the data packet based on a positive determination to block the network address; and
      
      applying the blocking criteria to the data packet.
  - 49. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if the port of the party sending the data packet should be blocked from the network; and
      
      inserting an instruction into the blocking criteria blocking the port belonging to the party sending the data packet based on a positive determination to block the port.
  - 50. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if at least one of a plurality of host network addresses should be blocked from the network; and
      
      inserting an instruction into the block criteria blocking at least one host network address based on a positive determination to block host network addresses.
  - 51. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if at least one of a plurality of host ports should be blocked from the network; and
      
      inserting an instruction into the block criteria blocking at least one host port based on a positive determination to block host ports.
  - 52. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if a block percentage has been met on the network, whereby the block percentage is a numerical value corresponding to the number of data packets blocked as compared to the total number of data packets received by the network; and
      
      inserting an instruction into block criteria to block the data packet meeting the block percentage based on a positive determination that the block percentage has been met.
  - 53. The computer-implemented method of claim 48, wherein the first active method of blocking a data packet is initiated on each data packet comprising transmission control protocol and user datagram protocol.
  - 54. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if a packet internet control message protocol (“
      
      ICMP”
      
      ) code should be blocked from the network; and
      
      inserting an instruction into the block criteria blocking the packet internet control message protocol code from the network based on a positive determination to block packet Internet control message protocol code.
  - 55. The computer-implemented method of claim 48 further comprising the steps of:
    - determining if at least one of a plurality of host internet control message protocol types should be blocked from the network; and
      
      inserting an instruction into the block criteria blocking at least one host internet control message protocol type based on a positive determination to block host internet control message protocol types.
  - 56. The computer-implemented method of claim 44, wherein a second active method of blocking a data packet is initiated on each data packet comprising Internet control message protocol.
  - 57. A computer-readable tangible storage device medium having computer-executable instructions for performing the steps recited in claim 40.

58. A computer-implemented method for updating a protection policy for a computer system comprising the steps of:
- receiving from a central source a new policy to update protection of the computer system from attacks;
  
  parsing the new policy to retrieve at least one new protection program for protecting the computer system against a previously unknown attack;
  
  sending the new protection program to at least one of a plurality of sensors for the computer system; and
  
  installing the new protection program to operate in addition to each existing protection program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
International Business Machines Corporation
Inventors
Becker, Patrick Morton, Rouland, Christopher Jay, Klaus, Christopher W.
Primary Examiner(s)
KIM, JUNG W

Application Number

US10/400,938
Time in Patent Office

2,917 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1433 Vulnerability analysis

Method and system for dynamically protecting a computer system from attack

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

425 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamically protecting a computer system from attack

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

425 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links