Method of and system for computer system denial-of-service protection

US 8,701,189 B2
Filed: 01/29/2009
Issued: 04/15/2014
Est. Priority Date: 01/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method of denial-of-service protection for a computer system comprises:

collecting network data information from an interface receiving network data from one or more sources;

collecting application data describing attributes of one or more software applications utilized by the computer system;

identifying a subset of the network data as associated with the application data, the subset of network data including less than all of the collected network data;

receiving a system exploitation indication identifying detection of an attempt by malicious code to access a predetermined memory address;

analyzing the subset of the network data information to identify a malicious source corresponding to the malicious code, from the one or more sources; and

processing network data originating from the malicious source to prevent denial-of-service, wherein processing the network data includes redirecting network traffic associated with the malicious source to another system, wherein at least a portion of the redirected traffic is analysed at the other system.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for protecting a computer system against denial-of-service attacks or other exploitation. The method comprises collecting network data and analyzing the network data using statistical and heuristic techniques to identify the source of the exploitation upon receiving an indication of exploitation. Upon identifying the network source, the network data associated with the network is blocked, redirected, or flow controlled. Preferably, the method also includes identifying when the system is being exploited.

269 Citations

26 Claims

1. A method of denial-of-service protection for a computer system comprises:
- collecting network data information from an interface receiving network data from one or more sources;
  
  collecting application data describing attributes of one or more software applications utilized by the computer system;
  
  identifying a subset of the network data as associated with the application data, the subset of network data including less than all of the collected network data;
  
  receiving a system exploitation indication identifying detection of an attempt by malicious code to access a predetermined memory address;
  
  analyzing the subset of the network data information to identify a malicious source corresponding to the malicious code, from the one or more sources; and
  
  processing network data originating from the malicious source to prevent denial-of-service, wherein processing the network data includes redirecting network traffic associated with the malicious source to another system, wherein at least a portion of the redirected traffic is analysed at the other system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the analysis the subset of the network data comprises statistical techniques, heuristic techniques, or a combination thereof.
  - 3. The method of claim 2, wherein the network data comprises one or more of, a time the connection was made, a connection duration, a time that a packet was received, a host identifiers, a number of connections from a host, a number of packets from a host, a protocol identifier, port number, packet data, and assembled packet data.
  - 4. The method of claim 2, wherein the processing the network data from the malicious source comprises one or more of blocking, redirecting, and flow controlling of the malicious data.
  - 5. The method of claim 4, further comprising collecting process information, wherein the process information is associated with the network data, and used in the identification of the subset of the network data.
  - 6. The method of claim 1, wherein the network data originating from the malicious source is processed using a Transport Data Interface (TDI) filter added to the executions path of a TDI networking stack coupled to the computer interface.
  - 7. The method of claim 1, wherein the subset of the network data information is analyzed using a Transport Data Interface (TDI) filter.
  - 8. The method of claim 1, further comprising generating a system exploitation indication in response to the detection of code executing out of writable memory space on the computer system.

9. A system for denial-of-service protection comprising:
- a storage component containing network data information;
  
  a network interface component configured to collect network data information from one or more sources;
  
  an analysis component configured to collect application data describing attributes of one or more software applications utilized by the system, identify a subset of the network data information associated with the application data, the subset of network data information including less than all of the collected network data information, receive a system exploitation indication identifying detection of an attempt by malicious code to access a predetermined memory address, and analyze the subset of the network data to identify a malicious source corresponding to the malicious code; and
  
  a processing component configured to process network data from the malicious source, wherein processing the network data includes redirecting network traffic associated with the malicious source to another system, wherein at least a portion of the redirected traffic is analysed at the other system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the analysis component is configured to identify the malicious source using statistical techniques, heuristic techniques, or a combination thereof.
  - 11. The system of claim 10, wherein the network data information comprises one or more of, connection times, packet receipt times, host identifiers, a number of connections from a host, number of packets from a host, protocol identifiers, port numbers, packet data, and assembled packet data.
  - 12. The system of claim 10, wherein the processing component is configured to block, redirect, flow control the network data from the malicious source, or any combination thereof.
  - 13. The system of claim 12, wherein the processing component further comprises collecting is further configured to collect at least one of the application information, process information, or a combination thereof, wherein the application information and the process information are associated with the network data, and used by the analysis component in the identification of the malicious source.
  - 14. The system of claim 13, wherein the application information, the process information, or the combination thereof is used by the processing component to selectively process the network data.
  - 15. The system of claim 11, wherein the processing component is included in a Transport Data Interface (TDI) filter added to the execution path of a TDI networking stack.
  - 16. The system of claim 11, wherein the analysis of the network data information is executed by a Transport Data Interface (TDI) filter.
  - 17. The system of claim 10, further comprising a malicious code detection component configured to detect malicious code using a predetermined address protection.

18. A computer device comprising a non-transitory, computer-readable storage medium having computer executable instruction thereon for denial-of-service protection by performing the steps:
- collecting network data information from an interface receiving network data from one or more sources;
  
  collecting application data describing attributes of one or more software applications utilized by the system;
  
  identifying a subset of the network data as associated with the application data, the subset of network data including less than all of the collected network data;
  
  receiving a system exploitation indication identifying detection of an attempt by malicious code to access a predetermined memory address;
  
  analyzing the subset of the network data information to identify a malicious source corresponding to the malicious code, from the one or more sources; and
  
  processing the network data originating from the malicious source, wherein processing the network data includes redirecting network traffic associated with the malicious source to another system, wherein at least a portion of the redirected traffic is analysed at the other system.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The computer device of claim 18, wherein the processor readable code for processing network data information comprises statistical techniques, heuristic techniques, or a combination thereof.
  - 20. The computer device of claim 19, wherein the network data information comprises times a connection was made, connections duration, a time that a packet was received, host identifiers, a number of connections from a host, a number of packets from a host, protocol identifiers, port numbers, packet data, assembled packet data, or any combination thereof.
  - 21. The computer device of claim 19, wherein the processing the network data comprises one or more of blocking, redirecting, or flow control of the network data from the malicious source.
  - 22. The computer device of claim 21, further comprising collecting process information, wherein the process information is associated with the network data, and used in the identification of the subset of the network data.
  - 23. The computer device of claim 22, wherein the application information, the process information, or the combination thereof is used to selectively processing the network data.
  - 24. The computer device of claim 20, wherein the processing the network data from the malicious source is performed by a Transport Data Interface (TDI) filter.
  - 25. The computer device of claim 20, wherein the analysis of the subset of the network data information is executed by a Transport Data Interface (TDI) filter.
  - 26. The computer device of claim 19, further comprising the step of detecting malicious code using a predetermined address protection, wherein the detection of code executing out of writable memory space generates the system exploitation indication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Saraf, Suman, Agrawal, Sharad, Kumar, Pankaj
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US12/322,321
Publication Number

US 20130247181A1
Time in Patent Office

1,902 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method of and system for computer system denial-of-service protection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method of and system for computer system denial-of-service protection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links