System and method for reducing false positives during detection of network attacks

US 8,151,341 B1
Filed: 05/23/2011
Issued: 04/03/2012
Est. Priority Date: 05/23/2011
Status: Active Grant

First Claim

Patent Images

1. A system for reduction of false positives during detection of network attacks on a protected computer, the system comprising:

a proxy device configured to receive network traffic directed to a protected computer, redirect the received traffic to a filtering center and mirror the received traffic to a traffic sensor;

the traffic sensor configured to collect statistical information about the mirrored traffic;

a data collector configured to aggregate information collected by the traffic sensor and generate, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;

the filtering center configured to, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor and based on the traffic filtering rules provided by the data collector, detect, in the redirected traffic, network attacks on the protected computer and filter out from the redirected traffic network traffic associated with the detected network attacks; and

a control module configured to collect and store statistical information about known network attacks and to correct the traffic filtering rules used by the filtering center for purpose of reducing false positives during detection of network attacks on the protected computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for reduction of false positives during detection of network attacks on a protected computer. In one example, the system comprises a proxy device configured to redirect and mirror traffic directed to the protected computer; a traffic sensor configured to collect statistical information about the mirrored traffic; a data collector configured to aggregate information collected by the traffic sensor and to generate traffic filtering rules based on the aggregated statistical information; a filtering center configured to, in parallel with collection of statistical information, filter redirected traffic based on the traffic filtering rules provided by the data collector; and a control module configured to collect and store statistical information about known network attacks and to correct traffic filtering rules used by the filtering center for purpose of reducing false positives during detection of network attacks on the protected computer.

121 Citations

View as Search Results

20 Claims

1. A system for reduction of false positives during detection of network attacks on a protected computer, the system comprising:
- a proxy device configured to receive network traffic directed to a protected computer, redirect the received traffic to a filtering center and mirror the received traffic to a traffic sensor;
  
  the traffic sensor configured to collect statistical information about the mirrored traffic;
  
  a data collector configured to aggregate information collected by the traffic sensor and generate, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
  
  the filtering center configured to, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor and based on the traffic filtering rules provided by the data collector, detect, in the redirected traffic, network attacks on the protected computer and filter out from the redirected traffic network traffic associated with the detected network attacks; and
  
  a control module configured to collect and store statistical information about known network attacks and to correct the traffic filtering rules used by the filtering center for purpose of reducing false positives during detection of network attacks on the protected computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the data collector generates a model of the average statistical traffic directed to the protected computer based on the aggregated information and generates traffic filtering rules based on the generated statistical model.
  - 3. The system of claim 1, wherein the statistical information about known network attacks includes:
    - statistics of the average and peak network load during an attack;
      
      information about malicious activities by botnets in the Internet;
      
      number of botnets participating in the network attack;
      
      time of the beginning of the network attack;
      
      duration of the network attack; and
      
      geography of the network attack.
  - 4. The system of claim 1, wherein the control module uses white and black lists of IP addresses to update traffic filtering rules.
  - 5. The system of claim 4, wherein the white and black lists of IP addresses are created based on behavioral criteria, including:
    - number of queries and sessions from one IP address;
      
      number of unconfirmed queries from one IP address;
      
      number of queries for data of the same type from one IP address; and
      
      number of connections without continuation of information exchange.
  - 6. The system of claim 1, wherein the data collector is configured to aggregate statistical information about network traffic at different level of granularity and generate different filtering rules for filtering network traffic at different levels of granularity.
  - 7. The system of claim 1, wherein filtering centers are located in the proximity to broadband backbone network associated with the protected computer.
  - 8. The system of claim 1, wherein traffic sensors are located in the proximity to the protected computer.

9. A computer implemented method for reducing false positives during detection of network attacks on a protected computer, the method comprising:
- receiving at a proxy device network traffic directed to the protected computer;
  
  redirecting by the proxy device the received network traffic to a filtering center;
  
  mirroring by the proxy device the received network traffic to a traffic sensor;
  
  analyzing the mirrored network traffic by the traffic sensor and collecting statistical information about the mirrored network traffic;
  
  aggregating information collected by the traffic sensor and generating, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
  
  filtering, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor, the redirected traffic by the filtering center using the generated filtering rules; and
  
  correcting the filtering rules by a control module based on statistical information about known network attacks for purpose of reducing false positives during detection of network attacks on the protected computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein collecting statistical information about the mirrored network traffic further includes:
    - generating a model of the average statistical traffic directed to the protected computer based on the collected statistical information; and
      
      generating traffic filtering rules based on the generated statistical model.
  - 11. The method of claim 9, wherein the statistical information about known network attacks includes:
    - statistics of the average and peak network load during an attack;
      
      information about malicious activities by botnets in the Internet;
      
      number of botnets participating in the network attack;
      
      time of the beginning of the network attack;
      
      duration of the network attack; and
      
      geography of the network attack.
  - 12. The method of claim 9, wherein correcting filtering rules by a control module further comprises:
    - using white and black lists of IP addresses to correct traffic filtering rules.
  - 13. The method of claim 12, further comprising generating white and black lists of IP addresses based on behavioral criteria, including:
    - number of queries and sessions from one IP address;
      
      number of unconfirmed queries from one IP address;
      
      number of queries for data of the same type from one IP address; and
      
      number of connections without continuation of information exchange.
  - 14. The method of claim 9, wherein collecting statistical information further comprises:
    - collecting statistical information about traffic at different level of granularity; and
      
      generating different filtering rules for filtering traffic at different levels of granularity.
  - 15. The method of claim 9, further comprising positioning filtering centers in the proximity to a broadband backbone network associated with the protected computer.
  - 16. The method of claim 9, further comprising positioning traffic sensors in the proximity to the protected computer.

17. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for reducing false positives during detection of network attacks on a protected computer, the medium includes instructions for:
- receiving at a proxy device network traffic directed to the protected computer;
  
  redirecting by the proxy device the received network traffic to a filtering center;
  
  mirroring by the proxy device the received network traffic to a traffic sensor;
  
  analyzing the mirrored network traffic by the traffic sensor and collecting statistical information about the mirrored network traffic;
  
  aggregating information collected by the traffic sensor and generating, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
  
  filtering, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor, the redirected traffic by the filtering center using the generated filtering rules; and
  
  correcting the filtering rules by a control module based on statistical information about known network attacks for purpose of reducing false positives during detection of network attacks on the protected computer.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the statistical information about known network attacks includes:
    - statistics of the average and peak network load during an attack;
      
      information about malicious activities by botnets in the Internet;
      
      number of botnets participating in the network attack;
      
      time of the beginning of the network attack;
      
      duration of the network attack; and
      
      geography of the network attack.
  - 19. The computer program product of claim 17, wherein instructions for correcting filtering rules by a control module further comprise instructions for using white and black lists of IP addresses to correct traffic filtering rules.
  - 20. The computer program product of claim 17, wherein instructions for collecting statistical information further comprise instructions for:
    - collecting statistical information about traffic at different level of granularity; and
      
      generating different filtering rules for filtering traffic at different levels of granularity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Levashov, Dmitry A., Gudov, Nikolay V.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/113,223
Time in Patent Office

316 Days
Field of Search

726/13, 726/22, 726/23, 726/24, 726/25
US Class Current

726/13
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

System and method for reducing false positives during detection of network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for reducing false positives during detection of network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others