US20060059558A1 - Proactive containment of network security attacks

Info

Publication number
US20060059558A1
Authority
US
United States
Prior art keywords
network
attack
parameters
network infrastructure
specific
Legal status
Abandoned
Application number
US10/942,207
Inventor
John Selep
Mauricio Sanchez
Current Assignee
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Application filed by Hewlett Packard Development Co LP
Priority to US10/942,207 (published as US20060059558A1)
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.; assignors: SANCHEZ, MAURICIO; SELEP, JOHN B.
Publication of US20060059558A1
Priority to US13/893,007 (published as US9491185B2)
Legal status: Abandoned

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network security for separating internal from external traffic, e.g. firewalls
            • H04L63/14 Network security for detecting or protecting against malicious traffic
              • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures


Abstract

One embodiment disclosed relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack. Other embodiments are also disclosed.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates generally to computer networking and computer software.
  • 2. Description of the Background Art
  • Personal computers and network clients are vulnerable to a broad variety of viruses and other security attacks. Individual systems succumbing to a virus attack can threaten other systems and overall network integrity, leading to lost user productivity and business. Many of these threats are present even when the client systems reside behind a network firewall, such as in an internal network within an organization. A typical sequence of events leading up to a virus attack is shown in FIG. 1A. The attack sequence begins with the discovery of a vulnerability (either in an operating system, utility, or application) (101), which may lead unscrupulous authors to create viruses that exploit that vulnerability (102). These viruses are then launched and spread among vulnerable systems (103). At that point, various commercial or public agencies begin to identify an attack and the specific virus responsible for the attack, but frequently the attack is already underway and damage or losses have already been incurred (104).
  • A traditional protection sequence 150 for providing anti-virus security is depicted in FIG. 1B. This traditional method 150 begins after a vulnerability has been discovered (101), viruses exploiting the vulnerability have been created (102) and launched (103), and a specific virus is discovered or identified (104). The specific virus is then analyzed (105) such that a virus signature is determined (106). These ‘signatures’ often rely on a physical disk or memory ‘footprint’ of the specific virus' object code. These virus ‘signatures’ are then distributed to populations of computer users (107), where users can then employ signature-based scanning of their systems (108) to detect the presence of the virus and allow removal. While somewhat effective, this traditional method leaves user organizations exposed to damage or loss between the point in time from when a vulnerability is discovered (101), and the point where all users have employed the signature-based scanning (108) to rid their systems of the threat. This interval is labeled in FIG. 1B as a ‘vulnerability gap’ (110). This traditional approach is also subject to variants of viruses that may exploit the same vulnerability but exhibit a different object code ‘footprint’ or signature and thereby escape detection until these variants are identified and their additional signature determined, the signatures distributed, and users utilize the new signatures in their scanning for viruses.
  • SUMMARY
  • One embodiment of the invention relates to a method of proactive containment of network security attacks. Filtering parameters corresponding to a specific system vulnerability are determined. These parameters are distributed to network infrastructure components, and the network infrastructure components examine packets using these parameters to detect occurrence of an attack. Once an attack is detected, the network infrastructure components take action to inhibit the attack.
  • Another embodiment relates to a system of proactive containment of network security attacks. The system includes software configured to determine network filtering parameters corresponding to a specific system vulnerability, and means for distributing said parameters to network infrastructure components. The network infrastructure components are configured to examine packets using said parameters to detect occurrence of an attack against the specific system vulnerability and are further configured to take action to inhibit the detected attack.
  • Another embodiment relates to a network infrastructure component configured for proactive containment of network security attacks. The network infrastructure component includes communication means for receiving network filtering parameters corresponding to a specific system vulnerability, and memory for storing said parameters. The network infrastructure component further includes circuitry and firmware configured to examine packets using said parameters to detect occurrence of an attack against the specific system vulnerability and to take action to inhibit the detected attack.
  • Other embodiments are also disclosed.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1A is a timeline depicting a typical virus attack sequence.
  • FIG. 1B is a timeline depicting a traditional method for providing anti-virus security.
  • FIG. 2 is a timeline depicting a method for active containment of network security attacks in accordance with an embodiment of the invention.
  • FIG. 3 is a schematic diagram depicting an example network infrastructure component configured for proactive containment of network security attacks in accordance with an embodiment of the invention.
  • FIG. 4 is a schematic diagram depicting a dynamically-modifiable packet firewall configured for active containment of network security attacks in accordance with an embodiment of the invention.
  • DETAILED DESCRIPTION
  • As described below, one embodiment of the invention relates to a method of proactive containment of network security attacks. This method relies on an identification of network ‘behavior’ associated with network security attacks, rather than a specific signature or disk footprint of a specific virus. Network filtering parameters corresponding to a specific system vulnerability or the behavior of a specific network security attack are determined. These parameters are distributed to network infrastructure components, and packets are filtered using these parameters to detect the occurrence of the attack. Once an attack is detected, the network infrastructure can take action to limit or eliminate the impact of the attack.
  • The traditional virus scanning technique described above can only detect previously-identified and analyzed virus signatures. Hence, a significant time lag may exist between the time that a system vulnerability is discovered and the point where traditional virus-scanning signatures become widely deployed to protect against potential threats. This time lag may be an interval of hours or days. Furthermore, even after a virus-scan defense has been devised, it can take organizations many days or longer to fully deploy virus-scan and software patch defenses against that attack, leaving a significant ‘vulnerability gap’ or window of time where user systems and networks are vulnerable to attack.
  • An embodiment of the present invention narrows this window of vulnerability (the smaller vulnerability gap 210 of FIG. 2) and improves network integrity. This is accomplished by enabling the network infrastructure to dynamically adapt to prevent network attacks on specific system vulnerabilities, as soon as those vulnerabilities have been identified. This is in contrast to the traditional technique of waiting for specific viruses to take advantage of a system vulnerability, discovering the viruses, analyzing them to determine their signatures, and employing signature-based scanning to detect and protect against the virus infection.
  • For example, specific software vulnerabilities may enable classes of viruses to attack specific logical ports in specific ways. An embodiment of the invention provides a solution for the problem posed by such vulnerabilities. The key benefit of the solution is its ability to protect against exploitation of the vulnerability, even before a specific virus or other attack is released.
  • FIG. 2 is a timeline depicting a protection sequence (250) for active containment of network security attacks in accordance with an embodiment of the invention. This sequence may begin as soon as a specific system vulnerability is discovered or identified (101). The specific vulnerability may relate to a specific known weakness of the system. The specific weakness may pertain to a weakness in a specific software component, such as an operating system, a utility (for example, a browser), or an application (for example, an instant messaging application).
  • Once the vulnerability has been discovered (101), the new protection sequence (250) may be initiated in accordance with an embodiment of the invention. In the new protection sequence (250), the vulnerability is first analyzed (205) to determine network behaviors that would trigger or exploit the vulnerability. The analysis may be performed with the assistance of software configurable to simulate and/or analyze a system. This initial analysis step (205) contrasts with the conventional technique's initial analysis step (105) which involves analyzing a specific virus (or worm or similar malicious code) after that virus has already been launched or unleashed. A benefit of this embodiment of the invention is that the analysis of the vulnerability may be performed much earlier, prior to the discovery or identification of any specific virus or other malicious code that exploits this vulnerability. This results in a smaller vulnerability gap (210).
  • In accordance with an embodiment of the invention, the vulnerability analysis determines filtering parameters (206) to be applied by packet filters at network infrastructure components. Network infrastructure components include, for example, LAN and/or WAN trunk lines, hubs, switches, routers, wireless access points, Intrusion Detection/Prevention System (IDS/IPS) and/or firewall appliances, and other hardware/software components.
  • These parameters may then be distributed (207) to the appropriate network infrastructure components. At the network infrastructure components, filtering with the parameters may be applied (208) to detect an attack from unidentified viruses (or worms or other malicious code) that exploits the analyzed vulnerability. The networking infrastructure components may filter packets at the physical port, datalink (Ethernet MAC), network (IP), and/or transport (TCP) level.
  • Once such an attack has been detected, action may be taken to contain or inhibit the attack. The action taken may include, for example, one or more of the following:
      • a. restricting any further packet transmission through a pertinent network port;
      • b. terminating the connection or session through a pertinent network port;
      • c. limiting the number of packets transmitted through a pertinent network port to some arbitrary level;
      • d. preventing or blocking specific types or sequences of packets from being transmitted through a pertinent network port, while permitting other packets to be transmitted without interruption; and
      • e. triggering an alert to a human administrator, or higher-level network management system, for further action.
  • In an alternate embodiment, a known attack may be analyzed to find characteristic network behavior of that known attack and to determine network filtering parameters pertaining to that behavior. Those filtering parameters may be distributed to network infrastructure components, and filtering then applied using those parameters to detect attacks, followed by action to contain or inhibit any detected attack.
  • FIG. 3 is a schematic diagram depicting an example network infrastructure component configured for proactive containment of network security attacks in accordance with an embodiment of the invention. In the example depicted in FIG. 3, the network component comprises a switch 300. Other examples of network infrastructure components include networking hubs, routers, wireless access points, IDS/IPS, firewalls, and network security appliances.
  • The example switch 300 shown in FIG. 3 includes a switching core 302 and various ports 304 communicatively coupled to the core. Each port 304 may in turn be communicatively coupled to a client system, or another network component. In the illustration of FIG. 3, four ports are shown by way of example. Of course, such a switch 300 may include more (or fewer) than four ports.
  • As shown in FIG. 3, each port 304 may effectively include a corresponding packet filter 306. These packet filters 306 are depicted schematically as being within the ports 304 for explanatory purposes, but they are more likely implemented as a firmware and/or hardware component (not illustrated) coupled to the switching core 302 and configured to filter packets going from one port to another port of the switch.
  • Using a network infrastructure component, such as the illustrated switch 300 of FIG. 3, packet filtering to detect and proactively contain viruses or other attacks may be employed at a port level at the network edge, with one client system per network port. Such a network infrastructure component may be configured to scan network packets directed to a specific client system or emanating from a particular client system. In some instances, the packets may be scanned to detect specific behaviors that would indicate an attack targeting a known system vulnerability. For example, internet protocol (IP) packets carrying network attacks targeting a specific TCP or UDP port number, or specific sequences of packets directed to specific ports, may be detected and interrupted or blocked by the switch 300, or other network infrastructure component, so as to prevent the attack from being completed successfully.
  • In FIG. 3, the network ports are discussed above as physical ports. However, the technique may be applied also to logical ports in that a filter with modifiable parameters may be provided per logical port.
  • In one implementation, communications or packet streams from a specific client may be blocked entirely to prevent a virus or similar malicious infection from spreading from that client to other machines in a network, and/or communications or packet streams to a specific client may be blocked entirely to prevent a virus or similar malicious infection from spreading from another machine in the network to that client. Lower levels of containment would involve filtering of the packets to or from a specific client.
  • While the example embodiment discussed above in relation to FIG. 3 allows for proactive containment of viruses or attacks at the port level, it does require substantial processing bandwidth on the part of the network infrastructure components. Another example embodiment of the invention utilizes a dynamically-modifiable packet firewall and may be implemented so as to require less processing bandwidth. Such an embodiment is now described in relation to FIG. 4.
  • FIG. 4 is a schematic diagram depicting a dynamically-modifiable packet firewall 404 configured for active containment of network security attacks in accordance with an embodiment of the invention. As depicted in FIG. 4, the firewall 404 may be configured, for example, to separate and protect a local area network (LAN) 402 from a wide area network 410. The firewall 404 may be implemented as part of a networking switch or other network infrastructure device. In one implementation, the firewall 404 may be configured to include a packet filter 406 and dynamically-modifiable parameters 408 to be applied by said filter 406 of the firewall 404. A parameter distributor 412 may be configured to distribute filter parameters to various such firewalls 404 in a network system.
  • The parameter distributor 412 may be, for example, at a network management station of an enterprise network, or at a remote service provider such as a web service. By way of such a parameter distributor 412, the appropriate filtering parameters to prevent exploitation of a vulnerability may be communicated over a network to a distributed set of network infrastructure components. In this way, the network may be proactively made very resistant against exploitation of the vulnerability. Using this technique, for example, an entire enterprise network may be proactively prepared against attacks exploiting a system vulnerability prior to the discovery of a specific virus targeting that vulnerability.
  • At any one time, there may be only a small number of specific vulnerabilities that have been recently discovered and for which newly-devised virus attacks may be expected to be launched. (Older known vulnerabilities may largely have been closed by available patches or broadly-deployed virus-scanning solutions.) By knowing up front the vulnerabilities against which attacks are most likely, the dynamically-modifiable packet firewall 404 may be configured to concentrate on filtering for those vulnerabilities so as to advantageously reduce the amount of processing required at the network infrastructure devices.
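As an added illustration (not the patent's own code, nor an HP implementation), the following Python simulates the arrangement described for FIG. 3 and FIG. 4: a parameter distributor that pushes vulnerability-specific filtering parameters to a set of per-port packet filters, filters that examine packets against those parameters, and the graded containment actions the description and claims mention (block the port entirely, drop only the matching packets, limit the number of matching packets, or alert only). It also shows the distributor retiring a rule once the vulnerability is considered closed, so the filters spend cycles only on the small set of currently relevant vulnerabilities. The packets, the vulnerability labels VULN-A and VULN-B, the byte signatures, the port numbers and all class and function names are constructed for this example; matching is per single packet, whereas the sequence-of-packets case in the description would need per-port state on top of this.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as seen at a switch port (constructed sample fields)."""
    src_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class FilterParams:
    """Filtering parameters for one vulnerability; this is what gets distributed."""
    vuln_id: str          # hypothetical label such as "VULN-A"
    proto: str
    dst_port: int
    signature: bytes      # byte pattern that identifies the attack behaviour
    action: str           # "block_port" | "drop_packet" | "rate_limit" | "alert"
    max_packets: int = 0  # budget of matching packets when action == "rate_limit"


class PortFilter:
    """Packet filter attached to one switch port; its parameters are replaceable at runtime."""

    def __init__(self, port_id: int) -> None:
        self.port_id = port_id
        self.params: Dict[str, FilterParams] = {}
        self.counts: Dict[str, int] = {}
        self.port_blocked = False
        self.alerts: List[Tuple[int, str, str]] = []  # (port, vuln_id, src_ip)

    def load_params(self, params: List[FilterParams]) -> None:
        # Full replacement: rules the distributor no longer publishes stop costing cycles.
        self.params = {p.vuln_id: p for p in params}
        self.counts = {p.vuln_id: 0 for p in params}

    def examine(self, pkt: Packet) -> str:
        """Return 'forwarded' or 'dropped' for one packet on this port."""
        if self.port_blocked:
            return "dropped"
        for p in self.params.values():
            if p.proto == pkt.proto and p.dst_port == pkt.dst_port and p.signature in pkt.payload:
                return self._inhibit(p, pkt)
        return "forwarded"

    def _inhibit(self, p: FilterParams, pkt: Packet) -> str:
        self.alerts.append((self.port_id, p.vuln_id, pkt.src_ip))  # always notify management
        if p.action == "block_port":
            self.port_blocked = True  # strongest containment: nothing further crosses this port
            return "dropped"
        if p.action == "drop_packet":
            return "dropped"          # only the offending packet is suppressed
        if p.action == "rate_limit":
            self.counts[p.vuln_id] += 1
            return "forwarded" if self.counts[p.vuln_id] <= p.max_packets else "dropped"
        return "forwarded"            # "alert": observe and report only


class ParameterDistributor:
    """Management-station side: publishes one parameter set to every registered filter."""

    def __init__(self) -> None:
        self.filters: List[PortFilter] = []
        self.active: Dict[str, FilterParams] = {}

    def register(self, f: PortFilter) -> None:
        self.filters.append(f)

    def publish(self, p: FilterParams) -> None:
        self.active[p.vuln_id] = p
        self._push()

    def retire(self, vuln_id: str) -> None:
        # Remove the rule for a vulnerability that deployed patches have closed.
        self.active.pop(vuln_id, None)
        self._push()

    def _push(self) -> None:
        for f in self.filters:
            f.load_params(list(self.active.values()))


def run_scenario() -> dict:
    """Distribution, detection and containment on two ports with constructed traffic."""
    dist = ParameterDistributor()
    ports = [PortFilter(1), PortFilter(2)]
    for f in ports:
        dist.register(f)
    # Constructed parameters for two hypothetical vulnerabilities.
    dist.publish(FilterParams("VULN-A", "tcp", 445, b"\x90\x90\x90\x90", "block_port"))
    dist.publish(FilterParams("VULN-B", "udp", 1434, b"\x04\x01\x01", "drop_packet"))

    web = Packet("10.0.0.11", "tcp", 80, b"GET / HTTP/1.1")
    atk_a = Packet("10.0.0.11", "tcp", 445, b"\x00\x00\x00\x00\x90\x90\x90\x90")
    atk_b = Packet("10.0.0.12", "udp", 1434, b"\x04\x01\x01\x01")

    out = {}
    out["web_ok"] = ports[1].examine(web)        # clean traffic passes
    out["a_first"] = ports[0].examine(atk_a)     # VULN-A matched: port 1 is blocked
    out["a_after"] = ports[0].examine(web)       # even clean traffic is now dropped on port 1
    out["b_first"] = ports[1].examine(atk_b)     # VULN-B matched: only that packet is dropped
    out["b_after"] = ports[1].examine(web)       # port 2 still carries other traffic
    dist.retire("VULN-B")                        # vulnerability closed: stop filtering for it
    out["b_retired"] = ports[1].examine(atk_b)   # no longer examined against VULN-B
    out["alerts"] = [a[:2] for a in ports[0].alerts + ports[1].alerts]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two design points follow from the description. Replacing the whole parameter set on each push, rather than appending, is what keeps the per-device work proportional to the handful of vulnerabilities currently of concern; a port that was blocked stays blocked across a push, since containment state belongs to the port, not to the rule that triggered it. Retiring a rule is only safe once patch coverage for that vulnerability has actually been confirmed across the clients behind the ports, which is the assumption the description makes for older vulnerabilities.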
  • In the above description, numerous specific details are given to provide a thorough understanding of embodiments of the invention. However, the above description of illustrated embodiments of the invention is not intended to be exhaustive or to limit the invention to the precise forms disclosed. One skilled in the relevant art will recognize that the invention can be practiced without one or more of the specific details, or with other methods, components, etc. In other instances, well-known structures or operations are not shown or described in detail to avoid obscuring aspects of the invention. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize.
  • These modifications can be made to the invention in light of the above detailed description. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims. Rather, the scope of the invention is to be determined by the following claims, which are to be construed in accordance with established doctrines of claim interpretation.

Claims (26)

1. A method of proactive containment of network security attacks, the method comprising:
determining filtering parameters corresponding to a specific system vulnerability; and
distributing said parameters to network infrastructure components,
wherein the network infrastructure components are configured to examine packets using said parameters to detect occurrence of an attack against the specific system vulnerability; and
wherein the network infrastructure components are further configured to take action to inhibit the detected attack.
2. The method of claim 1, wherein the action to inhibit the attack comprises restricting further packet transmission through a network port.
3. The method of claim 1, wherein the action to inhibit the attack comprises terminating a connection or session through a network port.
4. The method of claim 1, wherein the action to inhibit the attack comprises limiting a number of packets transmitted through a network port.
5. The method of claim 1, wherein the action to inhibit the attack comprises preventing specific types or sequences of packets from being transmitted through a network port, while permitting other packets to be transmitted without interruption.
6. The method of claim 1, wherein the action to inhibit the attack comprises triggering an alert to a network management system.
7. The method of claim 1, wherein the specific system vulnerability pertains to a specific software component.
8. The method of claim 7, wherein the specific software component comprises an operating system, or a utility, or an application.
9. The method of claim 1, wherein the network infrastructure components comprise at least one component from a group of components consisting of networking hubs, switches, routers, wireless access points, IDS/IPS, firewall, and network security appliances.
10. The method of claim 1, wherein the networking infrastructure components filter packets at a physical port, datalink, network, and/or session level.
11. The method of claim 1, wherein the networking infrastructure components filter packets using hardware circuitry and firmware.
12. The method of claim 1, wherein the network infrastructure components comprise dynamically-modifiable packet firewalls.
13. The method of claim 1, wherein the specific system vulnerability is identified prior to discovery of a specific virus exploiting said vulnerability.
14. The method of claim 13, wherein the method of proactive containment is performed prior to the discovery of a specific virus exploiting said vulnerability.
15. The method of claim 1, wherein said parameters are distributed by a network management system of an enterprise network.
16. The method of claim 1, wherein said parameters are distributed by a remote service provider.
17. The method of claim 16, wherein the remote service provider comprises a web-based service.
18. A system of proactive containment of network security attacks, the system comprising:
software configured to determine network filtering parameters corresponding to a specific system vulnerability; and
means for distributing said parameters to network infrastructure components,
wherein the network infrastructure components are configured to examine packets using said parameters to detect occurrence of an attack against the specific system vulnerability; and
wherein the network infrastructure components are further configured to take action to inhibit the detected attack.
19. A network infrastructure component configured for proactive containment of network security attacks, the network infrastructure component comprising:
communication means for receiving network filtering parameters corresponding to a specific system vulnerability;
memory for storing said parameters; and
circuitry and firmware configured to examine packets using said parameters to detect occurrence of an attack against the specific system vulnerability and to take action to inhibit the detected attack.
20. The network infrastructure component of claim 19, wherein the network infrastructure component comprises a device from a group of devices consisting of networking hubs, switches, routers, wireless access points, IDS/IPS, firewall, and network security appliances.
21. The network infrastructure component of claim 19, wherein the networking infrastructure component filters packets at a physical port, datalink (MAC address), network (IP), and/or session (TCP) level.
22. The network infrastructure component of claim 19, wherein the network infrastructure component comprises a dynamically-modifiable packet firewall.
23. The network infrastructure component of claim 19, wherein said parameters are distributed by a network management system of an enterprise network.
24. The network infrastructure component of claim 19, wherein said parameters are distributed by a remote service provider.
25. A method of protecting against a known malicious attack on a system, the method comprising:
analyzing the known attack to determine an identifying behavior;
determining filtering parameters corresponding to the identifying behavior;
distributing said parameters to network infrastructure components; and
filtering packets using said parameters to detect and inhibit the attack.
26. A network infrastructure component configured for proactive containment of network security attacks, the network infrastructure component comprising:
communication means for receiving network filtering parameters corresponding to behavior of a known attack;
memory for storing said parameters; and
circuitry and firmware configured to examine packets using said parameters to detect occurrence of the attack and to take action to inhibit the attack.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/942,207 US20060059558A1 (en) 2004-09-15 2004-09-15 Proactive containment of network security attacks
US13/893,007 US9491185B2 (en) 2004-09-15 2013-05-13 Proactive containment of network security attacks

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/893,007 Division US9491185B2 (en) 2004-09-15 2013-05-13 Proactive containment of network security attacks

Publications (1)

Publication Number Publication Date
US20060059558A1 true US20060059558A1 (en) 2006-03-16

Family

ID=36035598

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/942,207 Abandoned US20060059558A1 (en) 2004-09-15 2004-09-15 Proactive containment of network security attacks
US13/893,007 Active 2025-08-30 US9491185B2 (en) 2004-09-15 2013-05-13 Proactive containment of network security attacks

Country Status (1)

Country Link
US (2) US20060059558A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9600320B2 (en) 2015-02-11 2017-03-21 International Business Machines Corporation Mitigation of virtual machine security breaches
US10135855B2 (en) * 2016-01-19 2018-11-20 Honeywell International Inc. Near-real-time export of cyber-security risk information
US10749888B2 (en) 2018-03-08 2020-08-18 Bank Of America Corporation Prerequisite quantitative risk assessment and adjustment of cyber-attack robustness for a computer system

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6487666B1 (en) * 1999-01-15 2002-11-26 Cisco Technology, Inc. Intrusion detection signature analysis using regular expressions and logical operators
US7836498B2 (en) * 2000-09-07 2010-11-16 Riverbed Technology, Inc. Device to protect victim sites during denial of service attacks
US20020133586A1 (en) * 2001-01-16 2002-09-19 Carter Shanklin Method and device for monitoring data traffic and preventing unauthorized access to a network
US7191468B2 (en) * 2001-07-17 2007-03-13 The Boeing Company System and method for multidimensional data compression
US20030084326A1 (en) * 2001-10-31 2003-05-01 Richard Paul Tarquini Method, node and computer readable medium for identifying data in a network exploit
US20030097557A1 (en) * 2001-10-31 2003-05-22 Tarquini Richard Paul Method, node and computer readable medium for performing multiple signature matching in an intrusion prevention system
US7222366B2 (en) * 2002-01-28 2007-05-22 International Business Machines Corporation Intrusion event filtering
US7355996B2 (en) * 2004-02-06 2008-04-08 Airdefense, Inc. Systems and methods for adaptive monitoring with bandwidth constraints
US7324804B2 (en) * 2003-04-21 2008-01-29 Airdefense, Inc. Systems and methods for dynamic sensor discovery and selection
US7681235B2 (en) * 2003-05-19 2010-03-16 Radware Ltd. Dynamic network protection
US8065725B2 (en) * 2003-05-30 2011-11-22 Yuliang Zheng Systems and methods for enhanced network security
US7346922B2 (en) * 2003-07-25 2008-03-18 Netclarity, Inc. Proactive network security system to protect against hackers
US7356587B2 (en) * 2003-07-29 2008-04-08 International Business Machines Corporation Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
EP1730917A1 (en) * 2004-03-30 2006-12-13 Telecom Italia S.p.A. Method and system for network intrusion detection, related network and computer program product
US20060015715A1 (en) * 2004-07-16 2006-01-19 Eric Anderson Automatically protecting network service from network attack

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6571338B1 (en) * 1995-12-20 2003-05-27 Sun Microsystems Inc. Maintaining packet security in a computer network
US7269847B2 (en) * 1996-02-06 2007-09-11 Wesinger Jr Ralph E Firewall providing enhanced network security and user transparency
US6009475A (en) * 1996-12-23 1999-12-28 International Business Machines Corporation Filter rule validation and administration for firewalls
US6243815B1 (en) * 1997-04-25 2001-06-05 Anand K. Antur Method and apparatus for reconfiguring and managing firewalls and security devices
US6578151B1 (en) * 1997-09-02 2003-06-10 Telefonaktiebolaget Lm Ericsson Arrangement in a data communication system
US6098172A (en) * 1997-09-12 2000-08-01 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with proxy reflection
US6154775A (en) * 1997-09-12 2000-11-28 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules
US7143438B1 (en) * 1997-09-12 2006-11-28 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with multiple domain support
US6571738B2 (en) * 1998-01-16 2003-06-03 Animal Care Systems, Inc. Animal caging and biological storage systems
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US6772347B1 (en) * 1999-04-01 2004-08-03 Juniper Networks, Inc. Method, apparatus and computer program product for a network firewall
US6704873B1 (en) * 1999-07-30 2004-03-09 Accenture Llp Secure gateway interconnection in an e-commerce based environment
US6519703B1 (en) * 2000-04-14 2003-02-11 James B. Joyce Methods and apparatus for heuristic firewall
US6789203B1 (en) * 2000-06-26 2004-09-07 Sun Microsystems, Inc. Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests
US20030126468A1 (en) * 2001-05-25 2003-07-03 Markham Thomas R. Distributed firewall system and method
US7076801B2 (en) * 2001-06-11 2006-07-11 Research Triangle Institute Intrusion tolerant server system
US20020188870A1 (en) * 2001-06-11 2002-12-12 Mcnc Intrusion tolerant server system
US7152105B2 (en) * 2002-01-15 2006-12-19 Mcafee, Inc. System and method for network vulnerability detection and reporting

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030204632A1 (en) * 2002-04-30 2003-10-30 Tippingpoint Technologies, Inc. Network security system integration
US7359962B2 (en) * 2002-04-30 2008-04-15 3Com Corporation Network security system integration
US20040158643A1 (en) * 2003-02-10 2004-08-12 Hitachi, Ltd. Network control method and equipment
US20070153763A1 (en) * 2005-12-29 2007-07-05 Rampolla Richard A Route change monitor for communication networks
US20100071054A1 (en) * 2008-04-30 2010-03-18 Viasat, Inc. Network security appliance
US9323930B1 (en) * 2014-08-19 2016-04-26 Symantec Corporation Systems and methods for reporting security vulnerabilities
US10382534B1 (en) 2015-04-04 2019-08-13 Cisco Technology, Inc. Selective load balancing of network traffic
US11843658B2 (en) 2015-04-04 2023-12-12 Cisco Technology, Inc. Selective load balancing of network traffic
US11122114B2 (en) 2015-04-04 2021-09-14 Cisco Technology, Inc. Selective load balancing of network traffic
US11005682B2 (en) 2015-10-06 2021-05-11 Cisco Technology, Inc. Policy-driven switch overlay bypass in a hybrid cloud network environment
US10523657B2 (en) 2015-11-16 2019-12-31 Cisco Technology, Inc. Endpoint privacy preservation with cloud conferencing
US10608865B2 (en) 2016-07-08 2020-03-31 Cisco Technology, Inc. Reducing ARP/ND flooding in cloud environment
US10659283B2 (en) 2016-07-08 2020-05-19 Cisco Technology, Inc. Reducing ARP/ND flooding in cloud environment
US10263898B2 (en) 2016-07-20 2019-04-16 Cisco Technology, Inc. System and method for implementing universal cloud classification (UCC) as a service (UCCaaS)
US10567344B2 (en) * 2016-08-23 2020-02-18 Cisco Technology, Inc. Automatic firewall configuration based on aggregated cloud managed information
US20180063085A1 (en) * 2016-08-23 2018-03-01 Cisco Technology, Inc. Automatic firewall configuration based on aggregated cloud managed information
US11044162B2 (en) 2016-12-06 2021-06-22 Cisco Technology, Inc. Orchestration of cloud and fog interactions
US10326817B2 (en) 2016-12-20 2019-06-18 Cisco Technology, Inc. System and method for quality-aware recording in large scale collaborate clouds
US10334029B2 (en) 2017-01-10 2019-06-25 Cisco Technology, Inc. Forming neighborhood groups from disperse cloud providers
US10552191B2 (en) 2017-01-26 2020-02-04 Cisco Technology, Inc. Distributed hybrid cloud orchestration model
US10892940B2 (en) 2017-07-21 2021-01-12 Cisco Technology, Inc. Scalable statistics and analytics mechanisms in cloud networking
US11411799B2 (en) 2017-07-21 2022-08-09 Cisco Technology, Inc. Scalable statistics and analytics mechanisms in cloud networking

Also Published As

Publication number Publication date
US9491185B2 (en) 2016-11-08
US20130269034A1 (en) 2013-10-10

Legal Events

Date Code Title Description
AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SELEP, JOHN B.;SANCHEZ, MAURICIO;REEL/FRAME:015806/0969

Effective date: 20040915

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION