GB2411799A - Virus checking devices in a test network before permitting access to a main network - Google Patents

Virus checking devices in a test network before permitting access to a main network


Publication number
GB2411799A
Authority
GB
United Kingdom
Prior art keywords
network
server
access
information
prospective client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0404609A
Other versions
GB0404609D0 (en)
Inventor
Rhodri Morgan Davies
Robert Alan Baskerville
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
VISTORM Ltd
Original Assignee
VISTORM Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by VISTORM Ltd
Priority to GB0404609A
Publication of GB0404609D0
Publication of GB2411799A
Current legal status: Withdrawn


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A shared medium network (100) is divided into a main network (20) and a test network (10) based on IP address ranges, so that a new device (11) wishing to join the network (100) as a prospective client can be logically isolated from the main network (20) on the test network (10). The activity of the new device (11) can be observed before selectively allowing access to the main network (20) dependent on predetermined criteria, such as the number of attempted connections to network resources in a set time period. In this way, the potentially damaging effects of worms or other malware carried by the new device (11) can be reduced.

Description

Improvements in and Relating to Network Security
Field of the Invention
The present invention relates to network security, and in particular to methods, computer program products and servers for selectively inhibiting access to a computer network.
Background to the Invention
Typically, computer networks within organizations are separated from the public internet by firewalls and other perimeter defences. Such perimeter defences form a barrier to malicious attempts to gain access to or otherwise disrupt a private network, for example by preventing worms or other malware from connecting to the network.
However, a problem arises when equipment infected with potentially malicious code is brought into an organization and physically connected to the network within the perimeter defences. For example, a laptop computer may be taken to an employee's home, connected to the public internet through an insecure connection and become infected with malware. When the employee returns the infected laptop to work it will then be connected to the employer's network and may cause considerable disruption to the network.
Although rigorous personal firewalls and centralized control over maintaining up to date protective software can reduce the problem, this requires significant investment in information technology resources management and does not address the situation where equipment outside the control of the network administrator is connected.
Another approach to the problem is to allow access only to devices that are known to belong to the organization by monitoring hardware identifiers such as Medium Access Control (MAC) addresses. However, this requires investment in maintenance of an up to date database, particularly with respect to contractors or visitors that may be working temporarily within an organization and require network access.
It is therefore an aim of preferred embodiments of the present invention to selectively inhibit access to a computer network for equipment that is infected with potentially malicious code, without the need to modify the equipment to be connected and without restricting network access to only equipment known a priori. It is also desirable that only minor modifications to an existing network configuration are required, and that only a short delay is introduced into the network connection process.
Summary of the Invention
In a first aspect, the present invention provides a method of selectively inhibiting access to a computer network comprising a secure portion and an insecure portion; the method comprising steps of: (a) identifying in the secure portion of the network a request by a prospective client for access to the network; (b) servicing the request from the secure portion of the network with information allowing the prospective client access to only the secure portion of the network; and (c) subsequently selectively providing information allowing access to the insecure portion of the network or inhibiting network access.
Suitably, the provision of information in step (c) is dependent on observed activity of the prospective client on the secure portion of the network.
Suitably, the network comprises a shared medium network, and the secure portion is logically separated from the insecure portion using Internet Protocol (IP) addresses.
Suitably, the information provided at step (b) and/or step (c) comprises an IP address.
Suitably, the information provided in step (b) and/or step (c) comprises IP addresses of a default gateway and/or a Domain Name Service (DNS) server.
Suitably, the request at step (a) comprises a Dynamic Host Configuration Protocol (DHCP) broadcast.
Suitably, the network further comprises a quarantine portion, and in step (c) information is selectively provided allowing access to the quarantine portion only.
Suitably, the quarantine portion is logically separated from the secure and insecure portions using IP addresses, and wherein the information allowing access only to the quarantine portion comprises an IP address.
Suitably, further information is provided to the prospective client to identify the prospective client as allowed access only to the quarantine portion when a user of the prospective client initiates a request for connection to any other device.
Suitably, the steps (a), (b) and (c) are administered by a server running in a secure configuration.
Suitably, the network further comprises a central DHCP server, and wherein the server running in a secure configuration liaises with the DHCP server to perform steps (b) and (c).
Suitably, the observed activity comprises one or more of: (i) searching for activity on a predetermined port number of the prospective client; (ii) the number of attempted connections to other network resources that the prospective client makes; and (iii) the volume of traffic that the prospective client attempts to send via a default gateway.
In a second aspect the present invention provides a computer program product including instructions arranged to selectively inhibit access to a computer network when loaded on a computer coupled to the computer network, the computer network comprising a secure portion and an insecure portion, and the instructions arranged to selectively inhibit access to the computer network by identifying in the secure portion of the network a request by a prospective client for access to the network; servicing the request from the secure portion of the network with information allowing the prospective client access to only the secure portion of the network; and subsequently selectively providing information allowing access to the insecure portion of the network or inhibiting network access.
In a third aspect the present invention provides a server comprising a terminal for connection to a network including an insecure portion; a security unit placing the server in a secure portion of the network; an access request reception unit arranged to in use receive an access request presented at the terminal from a prospective client over the network; an information allocation unit arranged to provide information in response to an access request received at the terminal; and a test unit arranged to control the information provided by the information allocation unit to thereby selectively inhibit network access for a prospective client or allow access to the insecure portion of the network.
Suitably, the test unit is configured to control the information provided by the information allocation unit dependent on activity of the prospective client observed at the terminal.
Suitably, the security unit is configured to separate the secure portion from the insecure portion using IP addresses.
Suitably, the information allocation unit is configured to provide an IP address under the control of the test unit.
Suitably, the information allocation unit is configured to provide IP addresses of a default gateway and/or a DNS server under the control of the test unit.
Suitably, the access request reception unit is arranged to in use receive a DHCP broadcast.
Suitably, in use the test unit is arranged to control the information provided by the information allocation unit to thereby selectively allow access to a quarantine portion of the network.
Suitably, the security unit is configured to separate the quarantine portion from the secure and insecure portions using IP addresses, and wherein the information allocation unit is configured to selectively provide an IP address under the control of the test unit to allow access to only the quarantine portion of the network.
Suitably, the information allocation unit is configured to provide information to identify a prospective client as allowed access to only the quarantine portion when a user initiates a request for connection to any other device on the prospective client.
Suitably, the test unit is configured to observe any one or more of (i) activity on a predetermined port number of the prospective client; (ii) the number of attempted connections to other network resources that the prospective client makes; and (iii) the volume of traffic that the prospective client attempts to send via a default gateway.
In fourth and fifth aspects the present invention provides a server configured to run the computer program of the second aspect or a server configured to carry out the method of the first aspect.
Brief Introduction to the Drawings
For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawings in which: Figure 1 shows a schematic view of the logical network structure of a network including a server configured to carry out a method according to a first preferred embodiment of the invention; Figure 2 shows a flow chart including steps of a method according to a first preferred embodiment of the invention; and Figure 3 shows a carrier including a computer program product according to a second embodiment of the invention for use with a server according to a third preferred embodiment of the invention.
Description of Preferred Embodiments
Referring now to Figure 1 there is shown a schematic view of the logical computer network structure 100 including a server 1 configured to selectively inhibit access to the network. The network 100 comprises a shared medium network, and may be wired or wireless. In the case of a wired network, a single physical network couples all network devices. The single physical network may comprise one cable, or a plurality of cables linked by switches to form a single network. However, logically the network 100 is divided into three separate areas. These are a test network 10, a main network 20 and a quarantine network 30.
Figure 1 shows a new device 11 that has just joined the network 100 as a prospective client, along with a desktop 21, laptop 22 and main server 23 that are already established on the network 100. Also shown is an infected device 31 that has been isolated on the quarantine network 30.
To allow effective communication between multiple devices over the shared medium a communication protocol must be employed, for example the Internet Protocol (IP).
It is the communication protocol that allows the conceptual separation of the test network 10, main network 20 and quarantine network 30 from one another, and which can therefore inhibit network access for certain devices if required.
Each device on the network has an IP address associated with it as part of the protocol, with the server 1 responsible for the allocation and maintenance of IP addresses. Controlling the range of IP addresses allocated to devices on the test network 10, main network 20 and quarantine network 30 prevents communication between the networks 10, 20, 30.
Any new device wishing to join the network 100 must first obtain an IP address. Typically, a new device 11 wishing to connect to the network 100 sends out a Dynamic Host Configuration Protocol (DHCP) broadcast that includes a request for an IP address. The server 1 responds to the DHCP request with configuration information including a time limited IP address associated with the test network 10. Once the new device 11 is established on the test network 10, the server 1 is at liberty to carry out a predetermined test on the new device 11 in an attempt to establish whether any malicious code is present and active on the new device 11. At this point, an infected new device 11 could potentially attack the server 1, therefore it is preferable that the server 1 runs in a secure configuration.
The server 1 and test network 10 comprise a secure portion of the network 100 intended to be very resilient to attack. The main network 20 can be ring fenced by firewalls and is protected by the server 1. However, once a malicious device has gained access to the main network through the server 1, the main network 20 is vulnerable. For this reason the main network 20 is referred to as an insecure portion of the network 100.
The main network 20 is insecure in that it is vulnerable if the protection afforded by the server 1 is breached.
If the new device 11 passes the test set by the server 1 then the server provides the new device 11 with an IP address that allows the new device 11 to interface with the main network 20.
In order to achieve this operation, the server 1 has multiple IP numbers bound to its network interface, one for each of the logical networks.
When providing the time limited IP numbers, the server 1 can also supply additional network information such as the IP numbers of the "default gateway" and the Domain Name Service (DNS) servers. When returning IP numbers related to the test network 10, the server can indicate that it should be used as the default gateway and DNS server.
In this way the server obtains greater control and visibility over the new device under test. It has been observed in practice that some worms do not activate unless they can "resolve" certain network addresses, so provision of these additional facilities to the test network 10 enhances malware detection. When returning IP numbers related to the main network 20, the server identifies the default gateway and DNS servers proper to that network.
If the new device 11 does not pass the test set by the server 1 and demonstrates malicious behaviour when connected to the test network 10, then the new device is allocated an IP address from the quarantine network 30.
Once on the quarantine network the new device 11 cannot obtain any network resources or attack any other machines coupled to the main network 20, or any other machines coupled to the test network 10.
As some forms of malicious behaviour may not occur immediately, or may only be triggered by connection to a network with certain characteristics, only a short term IP address is provided. In the duration of this lease the server 1 can continue to monitor the behaviour of the new device, and if any apparently unusual or malicious activity is detected the lease will not be renewed and the device is allocated an IP number associated with the quarantine network 30. After expiry of one or more short term leases on the main network 20 the server can proceed to allocate a longer term lease with a higher level of certainty and trust.
The quarantine network 30 is a feature of preferred embodiments of the invention that offers flexibility in cases where a new device is not trusted following the results of the test carried out by the server 1. As well as isolating a suspect device, the quarantine network may be used to provide optional services to help the user of the device. For example all requests for web pages may be directed to a single web page on server 1 indicating that the device has been placed in quarantine and providing advice on the procedures for contacting the local IT support team.
More than one logically separate quarantine network may optionally be defined, so that devices infected with specific identified worms can be quarantined together, or in complete isolation if desired.
An alternative embodiment of the invention allows easy integration into large multi-segment networks with DHCP relays on each segment and a central DHCP server. In this embodiment the DHCP relays on each segment are replaced by the server 1 and the initial part of the process proceeds as above: IP numbers are allocated from the server such that the new device 11 is connected to the test network 10, where it is observed and tested. If the device passes the tests and is to be moved to the main network 20, rather than servicing the DHCP request itself, the server 1 relays the request to the central DHCP server. The central DHCP server allocates an IP number on the main network 20. The allocated IP number is then relayed back to the device 11 via the server 1. The server 1 may optionally modify the message that it is relaying in order to reduce the lease duration, thereby making it possible promptly to reallocate the new device 11 to the quarantine network 30 if suspicious activity is observed on the main network 20.
Figure 2 shows a flow chart explaining the steps in a preferred method that take place when a new device is physically joined to a network including a server according to a preferred embodiment of the invention.
At step 201 a new device is physically joined to the network and broadcasts a DHCP request. At step 202 the server responds to the DHCP request with a short-term lease for an IP address on the test network. At step 203 the server tests the new device. If the new device requests IP address lease renewal before the test is complete a new short-term lease on the same IP address is provided.
At step 204 the server makes a decision whether the new device is safe to connect to the main network based on the results of the test carried out in step 203. If the new device is determined to be safe the method passes to step 205, in which the server allocates the new device an IP address on the main network. If the device is determined to be unsafe the method passes to step 206, in which the server allocates the new device an IP address on the quarantine network.
The server continues to monitor the new device, and at some point in time the IP address allocated at either step 205 or 206 will expire. At step 207 the IP address allocated to the new device expires, and the new device requests a renewal of the lease. At step 208 the server responds to the request of step 207 with a long term lease on the main or quarantine network as appropriate, or if unusual or malicious behaviour was detected following the allocation of a first lease on the main network the renewal request can be refused and a new IP address allocated transferring the device to the quarantine network.
At step 209 the long-term lease expires, at which point the method returns to step 207 and the behaviour of previously connected device may be checked again before the lease is renewed.
The test carried out by the server can be a single part test, or can include an analysis based on a number of criteria.
For example, a port scan could be used. Some known malicious programs, e.g. Trojan horses, open predetermined port numbers. The server can poll known problem port numbers and if any are listening for activity then the presence of a malicious program is determined. Another basis for testing new devices could be the number of attempted connections to other network resources.
Typically, an uninfected new device might attempt 10 to 20 connections, whereas a device infected with a worm might attempt to make many hundreds of connections as the worm tries to spread. Yet another basis for testing is an analysis of traffic that a new device attempts to send via the default gateway that if active would allow the new device access to IP addresses outside the range allocated to the test network.
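The Figure 2 lease flow (steps 201 to 209) and the three test criteria just described can be modelled as follows. This is an added illustration, not code from the patent or its applicants; the address ranges, lease durations, thresholds, sample port numbers and all class and function names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Assumed address plan: one IP range per logical network (not from the patent).
POOLS = {
    "test": ip_network("10.0.10.0/24"),
    "main": ip_network("10.0.20.0/24"),
    "quarantine": ip_network("10.0.30.0/24"),
}
SHORT_LEASE_S = 120             # assumed short-term lease, seconds
LONG_LEASE_S = 86_400           # assumed long-term lease, seconds
PROBLEM_PORTS = {12345, 31337}  # constructed sample of "known problem ports"
MAX_CONNECTIONS = 100           # assumed; text: clean 10-20, worm many hundreds
MAX_GATEWAY_BYTES = 1_000_000   # assumed ceiling for traffic sent via the gateway


@dataclass
class Observation:
    """Activity the server saw from one client during the current lease."""
    listening_ports: set = field(default_factory=set)
    connection_attempts: int = 0
    gateway_bytes: int = 0


@dataclass
class Lease:
    network: str
    address: str
    seconds: int


def failed_criteria(obs):
    """Return the reasons a client fails the test; an empty list means pass."""
    reasons = []
    open_bad = sorted(obs.listening_ports & PROBLEM_PORTS)
    if open_bad:                                    # criterion (i)
        reasons.append(f"listening on problem port(s) {open_bad}")
    if obs.connection_attempts > MAX_CONNECTIONS:   # criterion (ii)
        reasons.append(f"{obs.connection_attempts} connection attempts")
    if obs.gateway_bytes > MAX_GATEWAY_BYTES:       # criterion (iii)
        reasons.append(f"{obs.gateway_bytes} bytes sent via default gateway")
    return reasons


class AdmissionServer:
    """Hands out leases so that the IP range alone decides what a client can reach."""

    def __init__(self):
        self.clients = {}                           # MAC -> network and address
        self.next_host = {name: 10 for name in POOLS}

    def _lease(self, mac, network, seconds):
        rec = self.clients[mac]
        if rec.get("network") != network:           # moving: allocate a new address
            rec["network"] = network
            rec["address"] = str(POOLS[network][self.next_host[network]])
            self.next_host[network] += 1
        return Lease(network, rec["address"], seconds)

    def request(self, mac, obs=None, test_complete=True):
        """Answer one DHCP request or renewal from the client with this MAC."""
        obs = obs or Observation()
        rec = self.clients.setdefault(mac, {})
        current = rec.get("network")
        if current is None:                         # steps 201-202: first contact
            return self._lease(mac, "test", SHORT_LEASE_S)
        if current == "test":
            if not test_complete:                   # step 203: same IP, short lease
                return self._lease(mac, "test", SHORT_LEASE_S)
            target = "quarantine" if failed_criteria(obs) else "main"
            return self._lease(mac, target, SHORT_LEASE_S)   # steps 204-206
        if current == "main" and failed_criteria(obs):
            # Step 208: renewal refused, device transferred to quarantine.
            return self._lease(mac, "quarantine", SHORT_LEASE_S)
        return self._lease(mac, current, LONG_LEASE_S)       # steps 208-209


def demo():
    """Walk a clean device and a worm-like device through the flow."""
    server = AdmissionServer()
    clean = [
        server.request("aa:aa"),
        server.request("aa:aa", Observation(connection_attempts=15)),
        server.request("aa:aa", Observation(connection_attempts=12)),
    ]
    worm = [
        server.request("bb:bb"),
        server.request("bb:bb", Observation(connection_attempts=640)),
    ]
    return clean, worm


if __name__ == "__main__":
    for trail in demo():
        print([(l.network, l.address, l.seconds) for l in trail])
```

Because every main-network renewal re-runs `failed_criteria`, a device that only misbehaves after admission is still moved to the quarantine range at its next renewal.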
The method described herein is ideally administered by a dedicated server running suitable software, and does not require any client side modification. The software for performing the method can be provided as a computer program product on a carrier such as a recording medium or a carrier signal.
Figure 3 shows a suitable carrier in the form of a Compact Disk (CD) 301. The CD 301 includes a computer program comprising instructions that when loaded on a suitable programmable computer such as the server 1 are arranged to carry out the method described above. The server 1 comprises a network connection terminal 2 and a CD drive 3 for reading the CD 301.
When loaded with the program from the CD 301 and coupled to the network 100 the server 1 comprises an access request reception unit 4 arranged to receive DHCP requests presented at the terminal 2; an information allocation unit 5 arranged to provide IP addresses in response to DHCP requests received at the terminal 2; and a test unit 6 arranged to observe activity of prospective clients on the network 100. Also included in the server 1 is a security unit 7 to ensure that the server 1 comprises a secure portion of the network 100.
The request reception unit 4 recognizes DHCP requests from new devices received at the terminal 2, and the information allocation unit 5 assigns an IP address on the test network 10. A new device is evaluated against predetermined criteria stored in the test unit 6, and subsequently reallocated a new IP address. This IP address is selected by the information allocation unit 5 to selectively allow access to the secure or insecure portions of the network as appropriate. In this way the server 1 can perform the method described above.
The information stored in the test unit 6 can be updated with information provided either at the terminal 2, or from the CD drive 3, and may evolve over time to include new tests for prospective clients based on knowledge of potential threats.
The methods and apparatus described herein are not intended to provide perfect security and may not be effective against skilled individuals deliberately and ingeniously attacking a network. However, the embodiments described enable network administrators to identify and control unauthorized and potentially harmful connections caused by carelessness or low-level avoidance of security policies within an organization. The embodiments described offer this functionality without requiring modification of machines to be connected to a network, and can be easily implemented on a range of existing networks.
Attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Claims (25)

  1. Claims: 1. A method of selectively inhibiting access to a computer network
    comprising a secure portion, an insecure portion; the method comprising steps of: (a) identifying in the secure portion of the network a request by a prospective client for access to the network; (b) servicing the request from the secure portion of the network with information allowing the prospective client lo access to only the secure portion of the network; and (c) subsequently selectively providing information allowing access to the insecure portion of the network or inhibiting network access.
  2. 2. The method of claim 1 wherein the provision of information in step (c) is dependent on observed activity of the prospective client on the secure portion of the network.
  3. 3. The method of claim 1 or 2, wherein the network comprises a shared medium network, and the secure portion is logically separated from the insecure portion using Internet Protocol (IP) addresses.
  4. 4. The method of claim 3, wherein the information provided at step (b) and/or step (c) comprises an IP address.
  5. 5. The method of claim 4, wherein the information provided in step (b) and/or step (c) comprises IP addresses of a default gateway and/or a Domain Name Service (DNS) server.
  6. 6. The method of any preceding claim, wherein the request at step (a) comprises a Dynamic Host Configuration Protocol (DHCP) broadcast.
  7. 7. The method of any preceding claim, wherein the network further comprises a quarantine portion, and in step (c) information is selectively provided allowing access to the quarantine portion only.
    lo
  8. 8. The method of claim 7, wherein the quarantine portion is logically separated from the secure and insecure portions using IP addresses, and wherein the information allowing access only to the quarantine portion comprises an IP address.
  9. 9. The method of claim 7 or 8, wherein further information is provided to the prospective client to identify the prospective client as allowed access only to the quarantine portion when a user of the prospective client initiates a request for connection to any other device.
  10. 10. The method of any preceding claim, wherein the steps (a), (b) and (c) are administered by a server running in a secure configuration.
  11. 11. The method of claim 10, wherein the network further comprises a central DHCP server, and wherein the server running in a secure configuration liases with the DHCP server to perform steps (b) and (c).
  12. 12. The method of any preceding claim as dependent on claim 2, wherein the observed activity comprises one or more of: (i) searching for activity on a predetermined port number of the prospective client; (ii) the number of attempted connections to other network resources that the prospective client makes; and (iii) the volume of traffic that the prospective client attempts to send via a default gateway.
    lo
  13. 13. A computer program product including instructions arranged to selectively inhibit access to a computer network when loaded on a computer coupled to the computer network, the computer network comprising a secure portion and an insecure portion, and the instructions arranged to selectively inhibit access to the computer network by identifying in the secure portion of the network a request by a prospective client for access to the network; servicing the request from the secure portion of the network with information allowing the prospective client access to only the secure portion of the network; and subsequently selectively providing information allowing access to the insecure portion of the network or inhibiting network access.
  14. 14. A server comprising a terminal for connection to a network including an insecure portion; a security unit placing the server in a secure portion of the network; an access request reception unit arranged to in use receive an access request presented at the terminal from a prospective client over the network; an information allocation unit arranged to provide information in response to an access request received at the terminal; and a test unit arranged to control the information provided by the information allocation unit to thereby selectively inhibit network access for a prospective client or allow access to insecure portion of the network.
  15. The server of claim 14, wherein the test unit is configured to control the information provided by the information allocation unit dependent on activity of the prospective client observed at the terminal.
  16. The server of claim 14 or 15, wherein the security unit is configured to separate the secure portion from the insecure portion using IP addresses.
  17. The server of claim 16, wherein the information allocation unit is configured to provide an IP address under the control of the test unit.
  18. The server of claim 17, wherein the information allocation unit is configured to provide IP addresses of a default gateway and/or a DNS server under the control of the test unit.
  19. The server of any one of claims 14 to 18, wherein the access request reception unit is arranged to in use receive a DHCP broadcast.
  20. The server of any one of claims 14 to 19, wherein in use the test unit is arranged to control the information provided by the information allocation unit to thereby selectively allow access to a quarantine portion of the network.
  21. The server of claim 20, wherein the security unit is configured to separate the quarantine portion from the secure and insecure portions using IP addresses, and wherein the information allocation unit is configured to selectively provide an IP address under the control of the test unit to allow access to only the quarantine portion of the network.
  22. The server of claim 20 or 21, wherein the information allocation unit is configured to provide information to identify a prospective client as allowed access to only the quarantine portion when a user initiates a request for connection to any other device on the prospective client.
  23. The server of any one of claims 15 to 22 as dependent on claim 14, wherein the test unit is configured to observe any one or more of (i) activity on a predetermined port number of the prospective client; (ii) the number of attempted connections to other network resources that the prospective client makes; and (iii) the volume of traffic that the prospective client attempts to send via a default gateway.
  24. A server configured to run the computer program of claim 13 or to carry out the method of any one of claims 1 to 12.
  25. A method, computer program product or server substantially as herein described with reference to any one of the following drawings.
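The following is an added sketch, not code from the patent or its applicant, of how the test unit and information allocation unit of claims 16 to 23 could interact: a client first receives an address in the insecure portion, is observed, and is then re-leased an address, default gateway and DNS server in either the secure or the quarantine portion. The subnets, watched ports, thresholds, the rule that any failed check leads to quarantine, and all class and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one subnet per portion of the network.
POOLS = {
    "insecure": ipaddress.ip_network("10.0.0.0/24"),
    "quarantine": ipaddress.ip_network("10.0.66.0/24"),
    "secure": ipaddress.ip_network("10.0.1.0/24"),
}
# Hypothetical limits for the three observations listed in claim 23.
WATCHED_PORTS = {135, 445}
MAX_CONNECTIONS, MAX_GATEWAY_BYTES = 50, 1_000_000

@dataclass
class Observation:
    active_ports: set
    attempted_connections: int
    gateway_bytes: int

def classify(obs):
    """Test unit: pick the portion a client may join, with the reasons."""
    reasons = []
    if obs.active_ports & WATCHED_PORTS:
        reasons.append("watched-port")
    if obs.attempted_connections > MAX_CONNECTIONS:
        reasons.append("connection-count")
    if obs.gateway_bytes > MAX_GATEWAY_BYTES:
        reasons.append("gateway-volume")
    return ("quarantine" if reasons else "secure"), reasons

class Allocator:
    """Information allocation unit: address, gateway and DNS per portion."""
    def __init__(self):
        self.hosts = {name: iter(net.hosts()) for name, net in POOLS.items()}
        # The first two host addresses of each subnet act as gateway and DNS.
        self.infra = {n: (next(h), next(h)) for n, h in self.hosts.items()}
        self.leases = {}

    def lease(self, mac, portion="insecure"):
        gateway, dns = self.infra[portion]
        ip = next(self.hosts[portion], None)
        if ip is None:
            raise RuntimeError(f"{portion} pool exhausted")
        self.leases[mac] = {"portion": portion, "ip": ip, "gateway": gateway, "dns": dns}
        return self.leases[mac]

    def reassess(self, mac, obs):
        portion, reasons = classify(obs)
        return self.lease(mac, portion), reasons
```

Because the gateway and DNS server are handed out per portion, a quarantined client never learns a route into the secure subnet from the allocator.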
GB0404609A 2004-03-02 2004-03-02 Virus checking devices in a test network before permitting access to a main network Withdrawn GB2411799A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0404609A GB2411799A (en) 2004-03-02 2004-03-02 Virus checking devices in a test network before permitting access to a main network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0404609A GB2411799A (en) 2004-03-02 2004-03-02 Virus checking devices in a test network before permitting access to a main network

Publications (2)

Publication Number Publication Date
GB0404609D0 GB0404609D0 (en) 2004-04-07
GB2411799A true GB2411799A (en) 2005-09-07

Family

ID=32088522

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0404609A Withdrawn GB2411799A (en) 2004-03-02 2004-03-02 Virus checking devices in a test network before permitting access to a main network

Country Status (1)

Country Link
GB (1) GB2411799A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002019661A2 (en) * 2000-09-01 2002-03-07 Top Layer Networks, Inc. System and process for defending against denial of service attacks on network nodes
GB2371125A (en) * 2001-01-13 2002-07-17 Secr Defence Computer protection system
US20030070096A1 (en) * 2001-08-14 2003-04-10 Riverhead Networks Inc. Protecting against spoofed DNS messages
US20030217148A1 (en) * 2002-05-16 2003-11-20 Mullen Glen H. Method and apparatus for LAN authentication on switch

Also Published As

Publication number Publication date
GB0404609D0 (en) 2004-04-07

Similar Documents

Publication Publication Date Title
US10476891B2 (en) Monitoring access of network darkspace
US10542006B2 (en) Network security based on redirection of questionable network access
US9942270B2 (en) Database deception in directory services
US7827607B2 (en) Enhanced client compliancy using database of security sensor data
US9356950B2 (en) Evaluating URLS for malicious content
US9609019B2 (en) System and method for directing malicous activity to a monitoring system
US9356959B2 (en) System and method for monitoring network traffic
US7607021B2 (en) Isolation approach for network users associated with elevated risk
US8146137B2 (en) Dynamic internet address assignment based on user identity and policy compliance
EP2715522B1 (en) Using dns communications to filter domain names
US8266672B2 (en) Method and system for network identification via DNS
US20090217346A1 (en) Dhcp centric network access management through network device access control lists
WO2015171780A1 (en) Distributed system for bot detection
CA2509842A1 (en) Method and system for enforcing secure network connection
JP2009539271A (en) Computer network intrusion detection system and method
WO2016081561A1 (en) System and method for directing malicious activity to a monitoring system
Bromberger DNS as a covert channel within protected networks
Rahman et al. Holistic approach to arp poisoning and countermeasures by using practical examples and paradigm
US11683337B2 (en) Harvesting fully qualified domain names from malicious data packets
KR101186873B1 (en) Wireless intrusion protecting system based on signature
GB2411799A (en) Virus checking devices in a test network before permitting access to a main network
Chau Network security–defense against DoS/DDoS attacks
Singh et al. Communication based vulnerabilities and script based solvabilities
US20230344798A1 (en) Roaming dns firewall
US20230370492A1 (en) Identify and block domains used for nxns-based ddos attack

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)