System and method for reducing false positives during detection of network attacks
First Claim
1. A system for reduction of false positives during detection of network attacks on a protected computer, the system comprising:
- a proxy device configured to receive network traffic directed to a protected computer, redirect the received traffic to a filtering center and mirror the received traffic to a traffic sensor;
- the traffic sensor configured to collect statistical information about the mirrored traffic;
- a data collector configured to aggregate information collected by the traffic sensor and generate, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
- the filtering center configured to, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor and based on the traffic filtering rules provided by the data collector, detect, in the redirected traffic, network attacks on the protected computer and filter out from the redirected traffic network traffic associated with the detected network attacks; and
- a control module configured to collect and store statistical information about known network attacks and to correct the traffic filtering rules used by the filtering center for purpose of reducing false positives during detection of network attacks on the protected computer.
1 Assignment
0 Petitions
Abstract
Disclosed are systems, methods and computer program products for reduction of false positives during detection of network attacks on a protected computer. In one example, the system comprises a proxy device configured to redirect and mirror traffic directed to the protected computer; a traffic sensor configured to collect statistical information about the mirrored traffic; a data collector configured to aggregate information collected by the traffic sensor and to generate traffic filtering rules based on the aggregated statistical information; a filtering center configured to, in parallel with collection of statistical information, filter redirected traffic based on the traffic filtering rules provided by the data collector; and a control module configured to collect and store statistical information about known network attacks and to correct traffic filtering rules used by the filtering center for purpose of reducing false positives during detection of network attacks on the protected computer.
121 Citations
20 Claims
1. A system for reduction of false positives during detection of network attacks on a protected computer, the system comprising: (independent claim; text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer implemented method for reducing false positives during detection of network attacks on a protected computer, the method comprising:
- receiving at a proxy device network traffic directed to the protected computer;
- redirecting by the proxy device the received network traffic to a filtering center;
- mirroring by the proxy device the received network traffic to a traffic sensor;
- analyzing the mirrored network traffic by the traffic sensor and collecting statistical information about the mirrored network traffic;
- aggregating information collected by the traffic sensor and generating, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
- filtering, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor, the redirected traffic by the filtering center using the generated filtering rules; and
- correcting the filtering rules by a control module based on statistical information about known network attacks for purpose of reducing false positives during detection of network attacks on the protected computer.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for reducing false positives during detection of network attacks on a protected computer, the medium includes instructions for:
- receiving at a proxy device network traffic directed to the protected computer;
- redirecting by the proxy device the received network traffic to a filtering center;
- mirroring by the proxy device the received network traffic to a traffic sensor;
- analyzing the mirrored network traffic by the traffic sensor and collecting statistical information about the mirrored network traffic;
- aggregating information collected by the traffic sensor and generating, based on the aggregated information, traffic filtering rules for detecting network attacks on the protected computer;
- filtering, in parallel with collection of the statistical information from the mirrored traffic by the traffic sensor, the redirected traffic by the filtering center using the generated filtering rules; and
- correcting the filtering rules by a control module based on statistical information about known network attacks for purpose of reducing false positives during detection of network attacks on the protected computer.
Dependent claims: 18, 19, 20
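The following is an added illustration of the pipeline recited in claims 1, 9 and 17; it is not code from the patent or its assignee. It models each claimed component as a small Python class: the proxy mirrors packets to a sensor and passes the same packets to the filtering center, the data collector turns sensor statistics into a rule, and the control module corrects that rule using stored statistics about known attacks. The concrete rule form (block a source whose packet count exceeds a multiple of the mean), the known-attack statistic (average packet size seen in past floods), the correction heuristic (release a blocked source whose average packet size is far larger than any known attack's), and all traffic values are assumptions made for the example; the patent claims do not specify them. The "in parallel" processing of the claims is modelled sequentially for simplicity.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    src: str   # source address
    size: int  # payload size in bytes


class TrafficSensor:
    """Collects per-source statistics from the mirrored copy of the traffic."""

    def __init__(self):
        self.pkts = Counter()
        self.bytes = Counter()

    def observe(self, pkt):
        self.pkts[pkt.src] += 1
        self.bytes[pkt.src] += pkt.size

    def avg_size(self, src):
        return self.bytes[src] / self.pkts[src]


class DataCollector:
    """Aggregates sensor statistics into filtering rules.
    Assumed rule form: block any source whose packet count exceeds `factor`
    times the mean per-source packet count (a crude volumetric heuristic)."""

    def __init__(self, factor=3.0):
        self.factor = factor

    def generate_rules(self, sensor):
        threshold = self.factor * mean(sensor.pkts.values())
        blocked = {s for s, n in sensor.pkts.items() if n > threshold}
        return {"pkt_threshold": threshold, "blocked_srcs": blocked}


class ControlModule:
    """Stores statistics about known attacks and corrects the rules.
    Assumption: each stored statistic is the average packet size of a past
    flood. A blocked source whose average packet size is more than `margin`
    times the largest known-attack value does not resemble any recorded attack
    and is released as a likely false positive."""

    def __init__(self, known_attack_avg_sizes, margin=4.0):
        self.known = list(known_attack_avg_sizes)
        self.margin = margin

    def correct(self, rules, sensor):
        ceiling = self.margin * max(self.known)
        released = {s for s in rules["blocked_srcs"] if sensor.avg_size(s) > ceiling}
        return {**rules, "blocked_srcs": rules["blocked_srcs"] - released, "released": released}


class FilteringCenter:
    """Drops redirected packets from sources the current rules block."""

    def __init__(self, rules):
        self.rules = rules

    def filter(self, pkts):
        return [p for p in pkts if p.src not in self.rules["blocked_srcs"]]


def constructed_traffic():
    """Constructed sample traffic (not captured data)."""
    pkts = []
    for i in range(10):
        pkts += [Packet(f"10.0.0.{i + 1}", 800)] * 5   # ordinary clients
    pkts += [Packet("10.0.0.200", 40)] * 200           # small-packet flood, like the known attacks
    pkts += [Packet("10.0.0.201", 1400)] * 100         # chatty but legitimate bulk client
    return pkts


def run_pipeline(traffic, known_attack_avg_sizes):
    """Proxy step: mirror every packet to the sensor, then redirect the same
    packets through the filtering center once rules exist and are corrected."""
    sensor = TrafficSensor()
    for p in traffic:                      # mirror
        sensor.observe(p)
    rules = DataCollector().generate_rules(sensor)
    corrected = ControlModule(known_attack_avg_sizes).correct(rules, sensor)
    passed = FilteringCenter(corrected).filter(traffic)   # redirect + filter
    return {
        "threshold": rules["pkt_threshold"],
        "blocked_before": rules["blocked_srcs"],
        "blocked_after": corrected["blocked_srcs"],
        "released": corrected["released"],
        "passed": len(passed),
    }


if __name__ == "__main__":
    print(run_pipeline(constructed_traffic(), [40, 60, 48]))
```

With the constructed traffic the volumetric rule blocks both the flood source and the heavy legitimate client; the control module releases the client because its 1400-byte average packet does not match the stored profile of known floods, so only the flood is filtered from the redirected traffic. The point of the toy is the separation of duties the claims describe: the collector never sees the known-attack statistics, and the control module never changes what the sensor measures, only which rule survives.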
Specification