US20040131056A1 - Intelligent feedback loop process control system - Google Patents

Intelligent feedback loop process control system Download PDF

Info

Publication number
US20040131056A1
US20040131056A1 US10741798 US74179803A US2004131056A1 US 20040131056 A1 US20040131056 A1 US 20040131056A1 US 10741798 US10741798 US 10741798 US 74179803 A US74179803 A US 74179803A US 2004131056 A1 US2004131056 A1 US 2004131056A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
data
invention
packets
system
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10741798
Inventor
Susan Dark
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Deep Nines Inc
Original Assignee
Deep Nines Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing packet switching networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/083Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing packet switching networks
    • H04L43/08Monitoring based on specific metrics
    • H04L43/0876Network utilization
    • H04L43/0882Utilization of link capacity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing packet switching networks
    • H04L43/16Arrangements for monitoring or testing packet switching networks using threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Abstract

There is disclosed a system and method for detecting attacks on a site in a communication network and for taking action to reduce or redirect such attacks. A monitor system reviews incoming data packets and sends directions to at least one router to change the data flow in the system. The directions may be sent to other routers. The data packets and the resulting work flow are modified for certain conditions, and for certain conditions within defined time slices, and action is taken when the monitored condition is contrary to expected conditions.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • [0001]
    This application is a continuation of U.S. application Ser. No. 09/572,112, filed on May 17, 2000, the full disclosures of which are incorporated herein by reference.
  • TECHNICAL FIELD
  • [0002]
    This invention relates to network control systems and more particularly to a system and method for detecting and preventing system disruption caused by certain data traffic conditions.
  • BACKGROUND OF THE INVENTION
  • [0003]
    The problem that we are addressing exists in the functioning of the Internet or any communications network. Such networks are inherently vulnerable to at least two types of attacks which disrupt or disable the functioning of network services. The two general types of problems are called flooding attacks and pattern attacks. Flooding attacks typically occur by a ramping up of the volume of traffic on a particular Internet line. The attackers ramp up the volume by creating situations that encourage multiple computers to interact simultaneously to create a giant flood of information directed at a single source. This is a process that often is enabled by using “third party victim” computers so that the computers at legitimate innocent sites are used in a multiplicity to create and generate a high volume of requests to a target site unknown to the victim.
  • [0004]
    There are other types of volume attacks. Different programs are used to spoof addresses, which means that an attacker creates packets and places messages inside the packets to make it appear as if the packet is coming from a particular address, while, in fact, it is not coming from that address at all. For example, person “A” could mail a letter and put person “B's” return address on the letter. This sounds innocent enough, but when it comes to tracking these volume attacks, it becomes very difficult. Thus, these attacks not only have the ability to ramp up the volume, but they have the ability to hide themselves, giving them endless opportunities to do it again and again.
  • [0005]
    Another general type of attack is what is called by some a pattern or formatting attack. A formatting attack does not have so much to do with volume, but rather has to do with the quality of the information that is coming over the line. An attacker can format a packet in such a way that it can either 1) confuse the server so that the server does not know what to do to service the request; or 2) it can cause the server to go into loops or expend endless resources trying to service that single request. This can be thought of in terms of receiving a bogus message through the mail where the sender is pretending to be a high government official. The recipient then might be thrown into a turmoil trying to get information together to answer a bogus request when, in fact, the request was not official at all. Malformed packets can cause the same reaction. The recipient is unable to determine the “credibility” of the request, or is unable to validate or recognize a key portion of the packet, thereby creating a “state-of-confusion” loop.
  • BRIEF SUMMARY OF THE INVENTION
  • [0006]
    These and other objects, features and technical advantages are achieved by a system and method which detects attacks on a site in a communication network.
  • [0007]
    One concept of the invention is the use of an intelligent feedback loop that recognizes the inherent vulnerability of the Internet and operates to redirect or block certain incoming, or outgoing, data packets. The inventive system and method, in one embodiment, is located at the perimeter of the system to be protected and allows for the installation of hardware and software configurations to address both the volume attacks and the formatting attacks. The system controls the amount of data that is allowed to flow in (or out) and controls the quality of the data that passes to the servers.
  • [0008]
    The system and method recognizes problems in the early stages as they are beginning to occur and communicates with a system router to essentially control the flow of all the communication in or out of the protected system (like a front door of a building). The system recognizes messages that are bound for the protected site and allows only certain data in. The allowed data must pass certain tests. Alternatively, all data is allowed in until an “alarm” condition is detected and then data is blocked. The blocked data can be general, or origination site specific.
  • [0009]
    The system is arranged to allow for dynamic “red lining” (a pre-determined level of traffic condition that causes a system overload) and for operator control of variables which are used to detect red line situations. Red line situations can be customized for each site for the end user and for the end user's servers depending upon, among other things, the capacity of those servers.
  • [0010]
    Also note that the physical hardware resources could be located at different locations across the country or different parts of the world and different communication paths may be utilized to complete the traffic particularly when the traffic is deemed to be legitimate. This means the customer can re-route traffic to alternate sites to optimize throughput and system performance. In this manner, high traffic can be diffused across the network and even perhaps routed to a more robust (faster, smarter, more secure, etc.) system for handling. The system (or systems) to which the traffic is redirected can be shared among a plurality of enterprises and can serve as a backup to many such enterprises.
  • [0011]
    One feature of the invention is to provide the end user with the ability to monitor and control the logistics of its protection, i.e., where it is physically located.
  • [0012]
    Another feature of the invention is to provide advance warning on an imminent crash situation, allowing the user site to take action to prevent down time.
  • [0013]
    One of the features of the invention is to provide a rapid dissemination of attack recognition and to provide recovery solutions whenever a new attack is recognized.
  • [0014]
    Another important feature of the invention is that pattern recognition is used to bring other equipment on line quickly to minimize outage time on the Internet.
  • [0015]
    The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention. It should be appreciated by those skilled in the art that the conception and specific embodiment disclosed may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims. The novel features which are believed to be characteristic of the invention, both as to its organization and method of operation, together with further objects and advantages, will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present invention.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0016]
    For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawing, in which:
  • [0017]
    [0017]FIG. 1 shows an overall view of a network utilizing the invention; and
  • [0018]
    [0018]FIG. 2 shows details of the configuration and detection/notification servers.
  • DETAILED DESCRIPTION OF THE INVENTION
  • [0019]
    Turning now to FIG. 1, system 10 shows a portion of Internet working 11 (or any communication network) where data flows into or out of Internet Service Provider (ISP) 12. Data from Internet 11 would typically have an address location which would be translated by a router, such as gateway router 13. In a typical situation, the devices which are accessible from the Internet which are located in data storage 101 have addresses such as “www.anything.” This address is translated by gateway router 13, such that requests directed to “www.anything” would be routed to processor 101-1 in data storage 101 via gateway 14 and firewall 15.
  • [0020]
    Note that while the network is set as the Internet, any communication system will work, provided that there is a mechanism at some point in the network for rerouting communication connections upon direction from an external source. In the Internet, as it is known today, data is routed in packets, with each packet containing a portion of a data message and each packet containing an address portion as well as the message and perhaps other portions. Routers along the network serve to route each packet to the proper destination. The Internet is a temporal network in that a stream of packets from one location to another need not flow along any particular path, but, in fact, may take a plurality of different paths between locations. Often, however, entire message streams may take the same route, all depending upon traffic and other conditions as controlled by the network routers. The Internet is a changing network and the invention discussed herein is not limited to the Internet and it is contemplated that as the Internet changes so will the exact implementation of this invention; however, the concepts described and claimed herein are meant to teach those skilled in the art so that they may apply those concepts to an evolving technology without departing from the spirit and scope of this invention.
  • [0021]
    It should be further noted that the line speeds (1.544 Mbit between gateway router 13 and customer gateway 14 and 10 Mbit between customer gateway 14 firewall 15) are for illustration only, and any desirable speeds can be used. Also note that customer gateway 14 is optional and may not exist in some configurations and router 13 may connect directly to firewall 15, or if no firewall, then directly to server 21.
  • [0022]
    As will be discussed hereinafter, detection/notification server 21 is the communication path between firewall 15 (which can be any well known firewall, such as a UNIX based computer and data storage 101 for the purpose of protecting the system from unwanted attacks. This process will be discussed in more detail hereinafter with respect to FIG. 2.
  • [0023]
    Continuing now in FIG. 1, private network 103 (which is a company's internal network) can have any number of terminals, S1-SN, processors 103-2, 103-N and storage devices such as 103-1, and any other number of devices which interact with each other on an internal private network, or which use firewall 15 to access Internet 11 in a well known manner.
  • [0024]
    The incoming packets are routed from gateway router 13 (or from perhaps a wireless network (not shown)) to firewall 15, then go to detection/notification server 21, which (as will be detailed hereinafter) investigates the quality and quantity of the incoming requests, as well as other factors and determines whether or not a “red line” (defined as a condition wherein unusual action should be performed to protect the viability of the communication system) or other potential trouble situations exist. If a problem exists, detection/notification server 21 sends a command via modem 16 to modem 17 to configuration server 22 to instruct server 22 to perform an action with respect to gateway router 13. This action serves to address the attack by choking down the offending volume by stopping or reducing packet flow through router 13. In addition, detection/notification server 21 addresses the quality of data or the formatting type attacks by investigating the format of the incoming data and determining whether or not the format is acceptable to the processors within data storage 101. Note that modems 16 and 17 are shown essentially as land line telecommunication modems but, of course, could be any form of communications, or combinations could be used, including wireless, a private sub-network independent of the Internet, or even the Internet itself. However, since the Internet could be overloaded at this point in time and unless “special” override data can be used, communication external to the Internet (such as, for example, a phone connection or a wireless page message) would be employed. Also, while the communication is shown going to gateway router 13 which is closest to the customer's gateway, the communications could be sent (either concurrently or serially) to more remote routers to begin the process of rearranging the entire network structure so that the information which would have come to “www.anything” or to any other of the Internet addresses associated with this customer would be fully or partially routed to some other location remotely. This alternate location can be a backup processor in a remote location, or a trouble processing center, thereby freeing up the telecommunication capacity at site 101.
  • [0025]
    Turning now to FIG. 2 there is shown system 20, which essentially consists of detection/notification server 21 and configuration server 22. Information packets come into the detection/notification server from firewall 15 via communication interface 210 and are intercepted by that interface and fed into microprocessor 211. Microprocessor 211 is at the same time loading programs from random access memory 212 which had been stored in disk storage 213. These programs are what logically intercept the incoming data within the random access memory. The programs operate to investigate the incoming data and to make determinations as whether to pass the data on without comment; pass the data on and perform other actions or block the data flow. Some of the other actions that may be taken include, but are not limited to: count packets versus time; count packets versus source; initiate communication with configuration server 22; recognize malformed packets; recognize suspicious or malicious traffic patterns; initiate communications with data servers 101-1, 101-2, and the like; and initiate various notification functions, such as pager and cell phone notification.
  • [0026]
    Data is accumulated and held in disk storage 213 in conjunction with RAM 212. If no problem exists, the packet is passed along via random access memory 212 to communication interface 215 and via port 101 to the servers where the requests are attended to by the servers in data storage 101. When a trouble situation appears to exist, server 21 performs one or more actions, depending upon the condition. If the condition is that incoming data is formatted improperly, then that data will not be passed along to data storage 101, but will be either held, returned or deleted, and the fact of it will be logged within the disk storage for future reference. Logs are maintained for all action taken and trouble activities. If, on the other hand, a red line process is recognized as a volume error or a flooding condition, then microprocessor 211 will be instructed to load software from disk storage 213 that will activate communication interface 214, thereby activating the link through modems 16 and 17 to send a command to configuration server 22. This command then passes through interface 220 to activate programs stored in random access memory 222, or in storage 223, under control of microprocessor 221. This in turn activates communication interface 224 to gateway router 13 to instruct the router to perform some action to choke down operation that will begin to limit the flooding operation to help solve the red line situation.
  • [0027]
    The modules that exist in storage 213 are 218-1 through 218-N and represent the software modules that comprise the logic of the system. By changing the programs, parameters and algorithms in storage 213, the system operation can be changed and upgraded for different types of attacks. These system changes, loaded on disk 213, can be manual (from station 24) or remote via the Internet or via any other course, such as wireless or direct connection (not shown) and can occur concurrently with attacks on other systems. Workstation 24 acts as a user interface into the process control system and enables technicians to activate the modules within disk storage 213 to do such things as to view and print the logs via printer 23 to address various settings that comprise the parameters that activate these modules. These parameters are some of the program factors that instruct the microprocessor as to what to do that will ultimately result in the intelligent actions of data storage 101, detection/notification server 21, or configuration server 22. All of these separate modules work together to activate each other in a logical order as will be described hereinafter.
  • [0028]
    Returning now to FIG. 1, the incoming data packets that come to detection/notification server 21 have within them requests, and these requests are requests of the processors in data storage area 101. It is the processing of these requests that really takes the most amount of time in the process of FIG. 1, so whenever something starts to go wrong, it is usually because the processors in data storage 101 become overloaded either through a volume attack or because of a format situation. The amount of time that it takes the detection/notification server 21 to deal with incoming messages is relatively insignificant with respect to the processing time of data storage 101 so that a little delay is not important.
  • [0029]
    The data flowing in to server 21 from firewall 15 could be buffered for an amount of time to allow microprocessor 211 to work on the data. However, it is anticipated that such buffering will not be required, and that the data will, if valid, be passed directly through with essentially no time lost. If the data is determined to be invalid, the data will be dropped, (i.e., removed from the data traffic altogether), destroyed, returned or otherwise processed in accordance with the inventive concepts. Also note, that not every packet need be monitored and the degree of monitoring can be dynamically changed up or down depending upon results found. Thus, if an attack is sensed, the monitoring could be increased and the incoming gateway slowed (if desired) to allow for recovery.
  • [0030]
    System 10 has several concurrent processes running, which will now be detailed. These concurrent processes are:
    Process Description Location
    CDM Communication with Configuration Server
    Detection/Notification Server
    CR Communication with Router(s) Configuration Server
    SA System Administration Configuration Server
    NF Notification Functions Configuration Server
    CDN Communication with Data (Web) Servers
    Detection/Notification Server
    PSC Packet and Source Counter Detection/Notification
    Server
    CCS Communication with Configuration Detection/Notification
    Server(s) Server
    FPR Packet Format & Pattern Recognition Detection/Notification
    Server
    CDS Communication with Data Server Detection/Notification
    Server
    SA System Administration Detection/Notification
    Server
    NF Notification Functions Detection/Notification
    Server
  • [0031]
    The system also has on-demand processes, such as the following:
    Process Description Location
    SSP System Start Up Configuration Server
    SSP System Start Up Detection/Notification Server
  • [0032]
    The following processes are operational in configuration server 22:
  • [0033]
    System Startup Process (SSP)
  • [0034]
    1) Initiates all concurrent processes and records information about the processes, such as sockets used, etc.
  • [0035]
    2) Builds an information block in memory for process CDM. The information block contains all necessary process information.
  • [0036]
    3) Ends the process.
  • [0037]
    Concurrent Communication with Detection/Notification (D/N) Server
  • [0038]
    1) When an information block is received from process SSP, it is sent to D/N Server 21 (FIG. 1) via modems 17 and 16.
  • [0039]
    2) Configuration server 22 then listens for communication from the D/N server. If the message is a “block,” “unblock,” or similar command for router action, an appropriate command block is prepared for process CR. If a “startup” message is received, that information about the D/N server is recorded. Log activity.
  • [0040]
    3) Configuration server 22 listens for acknowledgment requests from the D/N server. These requests are sent according to a specific time slice. If acknowledgments are not received, or only received partially, the configuration server builds an appropriate block for process NF and initiates appropriate actions. Log activity.
  • [0041]
    4) The server compiles and sends acknowledgments from all requested processes to the detection/notification server.
  • [0042]
    Concurrent Process CR (Communication with Routers)
  • [0043]
    1) The configuration server listens for a command block from process CDM and sends the command to the router(s) and logs the activity.
  • [0044]
    2) The server optionally receives acknowledgments from gateway router(s) 13. If such acknowledgments are absent when expected, the configuration server creates a record for process NF and takes other appropriate actions and logs the activity.
  • [0045]
    Concurrent Process SA (System Administration)
  • [0046]
    1) Display menu and information messages; accept operator input.
  • [0047]
    2) Checks for conditions that require operation response, such as: system file sizes have become critical; important parameters have been reset; an acknowledgment is needed, time delays (in and outbound) are beyond a set (or variable) limit.
  • [0048]
    3) The system will (among other functions) display or print logs, purge and archive data; and set system information, such as notification numbers, authorized numbers and addresses of detection/notification server(s), and possibly other attached equipment.
  • [0049]
    Concurrent Process NF (Notification Functions)
  • [0050]
    1) Listen for commands from other processes. When such commands are received, perform actions appropriate to the commands, such as activate pagers; activate calls to telephones; and activate other alarm mechanisms.
  • [0051]
    The following processes are operational in detection/notification server 21:
  • [0052]
    System Startup Process (SSP)
  • [0053]
    1) Initiates all concurrent processes and records information about the processes, such as sockets used, etc.
  • [0054]
    2) Builds an information block for process CCS with all process information. Log activity.
  • [0055]
    3) End process.
  • [0056]
    Concurrent Process Packet Format and Pattern Recognition (FPR)
  • [0057]
    1) Checks the configuration server(s). If any are off-line, generates a notification for process NF and checks for a “red line” (critical) condition in traffic flow; if one exists, takes appropriate action such as dropping the incoming packet. Log activity.
  • [0058]
    2) Verifies the format of incoming packets. If the verification test fails, takes appropriate action, such as dropping the packet or rerouting the packet to another location.
  • [0059]
    3) Checks packets for traffic pattern violations. If the test fails, it will note the severity. If a “red line” condition exists, the server takes appropriate action such as dropping the packet or generating a command to the CCS process to block specific traffic. Process NF may also be invoked. Log activity.
  • [0060]
    4) If a packet is not dropped, it is passed to process P.S.C.
  • [0061]
    Concurrent Process Packet and Source Counter (P.S.C.)
  • [0062]
    1) Updates traffic accumulators with information from the incoming traffic and counts total packets by time slice. Packets are also logged as to source; time slice; type; and any other desired parameters.
  • [0063]
    2) Sets an indicator if a “red line” or other warning level has been reached. If a “red line” condition exists, a command packet is produced for processes CCS and NF.
  • [0064]
    3) The packet is passed to process CDS.
  • [0065]
    Concurrent Process Communication with Configuration Server(s) (CCS)
  • [0066]
    1) Listens for communication from configuration servers. When a “startup” message is received, records the information about the configuration server processes. When acknowledgment messages have not been received within a specific time frame, a record is created for process NF and other appropriate action is taken.
  • [0067]
    2) When an acknowledgment message is received from a configuration server, an acknowledgment for each concurrent process is generated on the detection/notification server and this acknowledgment is sent to the configuration server. The server compiles requests for acknowledgment for each concurrent process and sends them.
  • [0068]
    3) The “listening” process is activated to await appropriate responses from the configuration server(s).
  • [0069]
    4) When a message is received from process FPR, an appropriate command block is built and sent to the configuration server. A record for process NF is prepared. Log activity.
  • [0070]
    5) Checks for the expiration of time on the “block traffic” condition for various sources. If expired, the server builds and sends an “unblock” command to the configuration servers. Log activity.
  • [0071]
    6) When an information block is received from process S.S.P., that information is sent to the configuration server.
  • [0072]
    Concurrent Process Notification Functions (NF)
  • [0073]
    1) The server listens for commands from other processes. When a command is received, the server performs actions appropriate to the command, such as activate pager(s); activate calls to telephones; and/or activate other alarm mechanisms. Log activity.
  • [0074]
    Concurrent Process Communication with Data Server(s) (CDS)
  • [0075]
    1) Whenever a packet has been received from another concurrent process, it is sent to the current outgoing communication port;
  • [0076]
    2) The server listens for messages from the data server(s). When such messages are received, the condition parameters are reset by process P.S.C. to adjust “red line” and other warning conditions on the basis of traffic levels;
  • [0077]
    3) Log activity.
  • [0078]
    Concurrent Process System Administration (SA)
  • [0079]
    1) Displays a menu and information messages; and accepts operator input;
  • [0080]
    2) Checks for conditions that require operator response, such as system file sizes have become critical; important parameters have been reset and an acknowledgment is needed.
  • [0081]
    3) Provides a variety of functions, such as display or print logs; purge and archive data; set system information, such as notification numbers, authorized numbers and addresses of configuration servers, and the like.
  • [0082]
    The following process is operational in data storage (web servers) 101:
  • [0083]
    Concurrent Process Communication with Detection/Notification Server (D/N Server(s))
  • [0084]
    1) Gathers statistics and/or notification messages, including warnings, and sends these to the D/N server(s).
  • [0085]
    While the invention has been described for operation with respect to a terminating device, or node, in a communication network, the concepts of this invention can be used at one or more network nodes or routing points along the network to help prevent attacks to either the network or to terminating devices connected to the network.
  • [0086]
    Also note there can be many different methods for determining a variation from a “normal” condition. As discussed, a base line of expected operation can be maintained in the data base either on a slice of time basis, such as by the minute, hour, day, etc., or there can be a prediction of expected behavior based upon past experience, anticipated experience (either hand keyed in or automatically developed based on parameters available to the system) or by the loading of certain “triggers” (such as virus triggers, code words, patterns of activity, or the like). For example, relevant information for this determination may include: the number of arriving packets in a particular time interval; the type of requests contained within given packets; the nature of the informational content of the packets; the sending identity of the packets; the response destination of the packets; the traffic patterns formed by packets from specific sources; the number of arriving packets from specific sources; certain data contained in one or more messages; and the type of file attached to a message. Thus, if a particular piece of code, or name extension, or attachment, is thought to be a problem the system would filter all (or a selected subset) of the data coming in to determine if the trouble code (name, extension, attachment, etc.) is present.
  • [0087]
    The system and method are designed to take action dependent upon the variation from a selected, or monitored, “normal” condition. The action taken can be graduated to suit the attack or could be the same regardless of the severity. Any number of methods can be used to compare the actual current behavior of the enterprise system against the expected behavior or to compare the data flowing into (or out of) the enterprise system against a pattern of behavior that has been identified as being a potential problem.
  • [0088]
    Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one of ordinary skill in the art will readily appreciate from the disclosure of the present invention, processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized according to the present invention. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.
  • [0089]
    Although the present invention and its advantages have been described in detail, it should be understood that various changes, substitutions and alterations can be made herein without departing from the invention as defined by the appended claims. Moreover, the scope of the present application is not intended to be limited to the particular embodiments of the process, machine, manufacture, composition of matter, means, methods and steps described in the specification. As one will readily appreciate from the disclosure, processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.

Claims (74)

    What is claimed is:
  1. 1. A communication system, in which packet messages can be directed from anyone of a plurality of sending devices to one or more receiving devices, the receiving devices adapted for receiving such packet messages and for responding thereto, the system comprising:
    a network over which each packet can travel, said network being temporally available for each packet and defined according to address information contained within each such packet, said packet routed along said temporal network by routers operating under partial control of packet address information;
    at least one receiving device arranged in association with at least one gateway router, said gateway router serving to direct only those packets containing the address information of said associated receiving device to said associated receiving device;
    a monitoring system operating in conjunction with said receiving device for gathering information pertaining to the operation of said receiving device; and
    a feedback network for modifying the operational characteristics of said gateway router depending upon said gathered information.
  2. 2. The invention set forth in claim 1 wherein said gathered information is selected from the list containing:
    number of arriving packets in a particular time interval;
    the type of requests contained within given packets;
    the nature of the informational content of the packets;
    the sending identity of the packets;
    the response destination of the packets;
    the traffic patterns formed by packets from specific sources;
    the number of arriving packets from specific sources;
    certain data contained in one or more messages; and
    the type of file attached to a message.
  3. 3. The invention of claim 1 wherein said feedback network operates to compare said gathered information with certain pre-established criteria and to set limits, and wherein said operational characteristics of said gateway router are modified in accordance with said set limits.
  4. 4. The invention of claim 3 wherein said limits are dynamically changeable.
  5. 5. The invention set forth in claim 3 wherein said limits are changed manually.
  6. 6. The invention set forth in claim 1 wherein said gathered information is compared to statistics generated from said receiving device over a period of time.
  7. 7. The invention set forth in claim 6 wherein said statistics are gathered to reflect normal receiving device behavior over a period of time.
  8. 8. The invention set forth in claim 1 wherein said gathered information is dynamically changeable.
  9. 9. The invention set forth in claim 1 wherein said behavior change of said gateway router is selected from one or more of the following list:
    blocking certain packets from reaching said receiving device;
    blocking all packets from reaching said receiving device;
    rerouting certain packets to another receiving device;
    modifying the informational content of certain ones of said packets;
    unblocking certain hitherto blocked packets, on the basis of certain parameters; and
    modifying the informational content of certain ones of said packets.
  10. 10. The invention set forth in claim 1 wherein said feedback network stores information pertaining to received ones of said packets.
  11. 11. The invention set forth in claim 1 further including: a system for monitoring packets leaving said receiving device; and
    wherein said feedback network is further operable to selectively modify the operational characteristics of said gateway router with respect to said leaving packets.
  12. 12. The invention set forth in claim 1 wherein said monitoring system further gathers information pertaining to certain of said data packets; said last-mentioned gathered data useful for providing information about the history of said certain packets.
  13. 13. The invention set forth in claim 12 wherein said last-mentioned gathered data is stored for future use.
  14. 14. The invention set forth in claim 12 wherein said certain data is selected according to a set of parameters pertaining to operation of said receiving device.
  15. 15. The invention set forth in claim 1 wherein said feedback network is further operable for modifying operational characteristics of said communication system remote from said router.
  16. 16. The invention set forth in claim 1 wherein said monitoring system and said feedback network are operational at least in part at an enterprise system served by said gateway router.
  17. 17. A monitor system for use in conjunction with a particular site on a communication network; said site arranged to receive data addressed thereon via a network control device associated with said site and to send out onto the communication network via said control device data addressed to other communication network sites; said monitor system comprising:
    at least one system for tracking data flow situations within said particular site, said data flow situations selected from one or more of the following list: amount of arriving data in a particular time interval; the type of requests contained within given data; the nature of the informational content of the data; the sending identity of the data; the response destination of the data; the traffic patterns formed by data from specific sources; the amount of arriving data from specific sources; and identification of a specific data pattern; and
    wherein said tracking system sends instructions from time to time to said control device to affect the flow of data to said particular site.
  18. 18. The invention set forth in claim 17 wherein said instructions from said tracking system are in part dependent upon a comparison of said tracked data flow situations with a pre-established set of parameters.
  19. 19. The invention set forth in claim 18 wherein said parameters are dynamically changing.
  20. 20. The invention set forth in claim 18 wherein said parameters are based on statistical data gathered over a period of time with respect to the operation of said particular site.
  21. 21. The invention set forth in claim 18 wherein said parameters are established from time to time manually.
  22. 22. The invention set forth in claim 18 wherein said parameters are received from a database.
  23. 23. The invention set forth in claim 17 wherein said data flow tracking system includes means for gathering information pertaining to certain of said data arriving at said particular site; said data to be gathered being useful for providing information about the history of said data.
  24. 24. The invention set forth in claim 23 wherein said last-mentioned gathered data is stored for future use.
  25. 25. The invention set forth in claim 23 wherein said last-mentioned gathered data is selected according to a set of parameters pertaining to operation of said particular site.
  26. 26. The invention set forth in claim 17 wherein said data flow is effected by controlling data through a gateway unique to said particular site.
  27. 27. The invention set forth in claim 17 wherein said data flow is effected by controlling data through one or more nodes remote from said particular sites.
  28. 28. A flow control system for use in conjunction with at least one node on a communication network, said network operational for passing data between nodes of said network, said system comprising:
    means for real time review of certain parameters pertaining to data flowing between nodes of said network;
    means for comparing said monitored parameters against stored criteria; and
    means for feeding data traffic affecting signals to one or more of said nodes under at least partial control of said comparing means.
  29. 29. The invention set forth in claim 28 wherein said stored criteria are dynamically changeable.
  30. 30. The invention set forth in claim 29 further including:
    means for storing certain of said monitored parameters for a period of time, at least some of said stored parameters being useful in determining at least a portion of the communication history of said monitored data.
  31. 31. The invention set forth in claim 28 wherein at least one of said nodes is said at least one node.
  32. 32. The invention set forth in claim 31 wherein said at least one node is a gateway node to a particular data source.
  33. 33. The method of controlling data flow in a communication system in which packet messages can be directed from anyone of a plurality of sending devices to one or more receiving devices, the receiving devices adapted for receiving such packet messages and for responding thereto, the method comprising the steps of:
    receiving packet messages over a network where each such packet can travel to locations defined according to address information contained within each such packet and wherein each said packet is routed along temporal paths by routers operating under partial control of said address information in solo packets at a particular location in said network;
    gathering information pertaining to the operation of said particular location; and
    modifying the data flow with respect to said particular location depending upon said gathered information.
  34. 34. The invention set forth in claim 33 wherein said gathered information is selected from the list containing:
    number of arriving packets in a particular time interval;
    the type of requests contained within given packets;
    the nature of the informational content of the packets;
    the sending identity of the packets;
    the response destination of the packets;
    the traffic patterns formed by packets from specific sources;
    the number of arriving packets from specific sources;
    certain data contained in one or more messages; and
    the type of file attached to a message.
  35. 35. The invention of claim 33 wherein said gathering step includes the step of:
    gathering information based upon certain pre-established criteria.
  36. 36. The invention of claim 35 wherein said pre-established criteria are dynamically changeable.
  37. 37. The invention set forth in claim 35 wherein said pre-established criteria are changed manually.
  38. 38. The invention set forth in claim 33 wherein said gathering step includes the step of:
    comparing said gathered information to statistics generated from said particular location over a period of time.
  39. 39. The invention set forth in claim 38 wherein said statistics are gathered to reflect normal particular location behavior over a period of time.
  40. 40. The invention set forth in claim 38 wherein said gathering step includes the step of:
    comparing said gathered information to expected parameters of said particular location.
  41. 41. The invention set forth in claim 33 wherein said data flow modification is selected from one or more of the following list:
    storing certain packets for a period of time so as to delay said stored packets from reaching said receiving device for said period of time;
    blocking certain packets from reaching said receiving device;
    blocking all packets from reaching said receiving device;
    rerouting certain packets to another receiving device;
    modifying the informational content of certain ones of said packets;
    unblocking certain hitherto blocked packets, on the basis of certain parameters; and
    modifying the informational content of certain ones of said packets.
  42. 42. The invention set forth in claim 33 wherein said gathering step includes the step of:
    storing information pertaining to received ones of said packets.
  43. 43. The invention set forth in claim 33 wherein said gathering step includes:
    monitoring packets leaving said particular location.
  44. 44. The invention set forth in claim 41 wherein said modifying occurs at a gateway router associated with said particular location.
  45. 45. The invention set forth in claim 41 wherein said modifying occurs at a router remote from said particular location.
  46. 46. The invention set forth in claim 33 wherein said gathered data is useful for providing information about the history of said packets.
  47. 47. The invention set forth in claim 33 wherein said method includes the step of:
    storing said gathered data.
  48. 48. A method for controlling data flow in conjunction with at least one node of a multi-node communication network operational for passing data between nodes of said network in accordance with address information associated with packets, said method comprising the steps of
    reviewing certain parameters pertaining to data flowing between nodes of said network;
    comparing said monitored parameters against stored criteria; and
    feeding data traffic affecting signals to one or more of said nodes under at least partial control of said comparing step.
  49. 49. The invention set forth in claim 48 wherein said stored criteria are dynamically changeable.
  50. 50. The invention set forth in claim 49 further including the step of:
    storing certain of said monitored parameters for a period of time, at least some of said stored parameters being useful in determining at least a portion of the communication history of said reviewed data.
  51. 51. The invention set forth in claim 48 wherein at least one of said nodes to which traffic affecting signals are fed is said one node.
  52. 52. The invention set forth in claim 51 wherein said one node is a gateway node to an enterprise system.
  53. 53. The invention set forth in claim 52 wherein said method is practiced at least in part within said enterprise system.
  54. 54. A monitor system for use in conjunction with a particular site on a communication network; said site arranged to receive data addressed thereon via a network control device associated with said site and to send out onto the communication network via said control device data addressed to other communication network sites; said monitor system comprising:
    at least one system for tracking data flow situations within said particular site, said data flow situations selected from one or more of the following list: amount of arriving data in a particular time interval; the type of requests contained within given data; the nature of the informational content of the data; the sending identity of the data; the response destination of the data; the traffic patterns formed by data from specific sources; the amount of arriving data from specific sources; and identification of a specific data pattern; and
    wherein said tracking system sends arriving data to data storage for a period of time, said time being dependent, in part, upon said tracked data flow situations.
  55. 55. The invention set forth in claim 54 wherein said tracked data flow situations are, in part, dependent upon comparisons with a pre-established set of parameters.
  56. 56. The invention set forth in claim 55 wherein said parameters are dynamically changing.
  57. 57. The invention set forth in claim 55 wherein said parameters are based on statistical data gathered over a period of time with respect to the operation of said particular site.
  58. 58. The invention set forth in claim 55 wherein said parameters are established from time to time manually.
  59. 59. The invention set forth in claim 55 wherein said parameters are received from a database.
  60. 60. The invention set forth in claim 54 wherein said data flow tracking system includes means for gathering information pertaining to certain of said data arriving at said particular site; said data to be gathered being useful for providing information about the history of said data.
  61. 61. The invention set forth in claim 60 wherein said last-mentioned gathered data is stored for future use.
  62. 62. The invention set forth in claim 60 wherein said last-mentioned gathered data is selected according to a set of parameters pertaining to operation of said particular site.
  63. 63. The invention set forth in claim 55 wherein said data flow is effected by controlling data through a gateway unique to said particular site, said data flow controlled, at least in part, by instructions sent dependent upon said comparison.
  64. 64. The invention set forth in claim 55 wherein said data flow is effected by controlling data through one or more nodes remote from said particular sites, said data flow controlled, at least in part, by instructions sent dependent upon said comparison.
  65. 65. The method of controlling data flow in a communication system in which packet messages can be directed from anyone of a plurality of sending devices to one or more receiving devices, the receiving devices adapted for receiving such packet messages and for responding thereto, the method comprising the steps of:
    receiving packet messages over a network where each such packet can travel to locations defined according to address information contained within each such packet and wherein each said packet is routed along temporal paths by routers operating under partial control of said address information in solo packets at a particular location in said network;
    gathering information pertaining to the operation of said particular location; and
    modifying the data flow with respect to said particular location depending upon said gathered information, said modification step including the step of storing certain of said received packets in a data base for future delivery to said defined address.
  66. 66. The invention set forth in claim 65 wherein said gathered information is selected from the list containing:
    number of arriving packets in a particular time interval;
    the type of requests contained within given packets;
    the nature of the informational content of the packets;
    the sending identity of the packets;
    the response destination of the packets;
    the traffic patterns formed by packets from specific sources;
    the number of arriving packets from specific sources;
    certain data contained in one or more messages; and
    the type of file attached to a message.
  67. 67. The invention of claim 65 wherein said gathering step includes the step of:
    gathering information based upon certain pre-established criteria.
  68. 68. The invention of claim 67 wherein said pre-established criteria are dynamically changeable.
  69. 69. The invention set forth in claim 67 wherein said pre-established criteria are changed manually.
  70. 70. The invention set forth in claim 65 wherein said gathering step includes the step of:
    comparing said gathered information to statistics generated from said particular location over a period of time.
  71. 71. The invention set forth in claim 70 wherein said statistics are gathered to reflect normal particular location behavior over a period of time.
  72. 72. The invention set forth in claim 70 wherein said gathering step includes the step of:
    comparing said gathered information to expected parameters of said particular location.
  73. 73. The invention set forth in claim 65 wherein said gathering step includes the step of:
    storing information pertaining to received ones of said packets.
  74. 74. The invention set forth in claim 65 wherein said gathering step includes:
    monitoring packets leaving said particular location.
US10741798 2000-05-17 2003-12-19 Intelligent feedback loop process control system Abandoned US20040131056A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US09572112 US7058976B1 (en) 2000-05-17 2000-05-17 Intelligent feedback loop process control system
US10741798 US20040131056A1 (en) 2000-05-17 2003-12-19 Intelligent feedback loop process control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10741798 US20040131056A1 (en) 2000-05-17 2003-12-19 Intelligent feedback loop process control system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09572112 Continuation US7058976B1 (en) 2000-05-17 2000-05-17 Intelligent feedback loop process control system

Publications (1)

Publication Number Publication Date
US20040131056A1 true true US20040131056A1 (en) 2004-07-08

Family

ID=24286392

Family Applications (2)

Application Number Title Priority Date Filing Date
US09572112 Active 2020-09-24 US7058976B1 (en) 2000-05-17 2000-05-17 Intelligent feedback loop process control system
US10741798 Abandoned US20040131056A1 (en) 2000-05-17 2003-12-19 Intelligent feedback loop process control system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09572112 Active 2020-09-24 US7058976B1 (en) 2000-05-17 2000-05-17 Intelligent feedback loop process control system

Country Status (5)

Country Link
US (2) US7058976B1 (en)
EP (1) EP1282954B1 (en)
JP (1) JP2003533941A (en)
DE (2) DE60114181T2 (en)
WO (1) WO2001089146A3 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080178279A1 (en) * 2007-01-19 2008-07-24 Hewlett-Packard Development Company, L.P. Method and system for protecting a computer network against packet floods
US7900254B1 (en) * 2003-01-24 2011-03-01 Mcafee, Inc. Identifying malware infected reply messages
US8176553B1 (en) 2001-06-29 2012-05-08 Mcafee, Inc. Secure gateway with firewall and intrusion detection capabilities
US20150101050A1 (en) * 2013-10-07 2015-04-09 Bank Of America Corporation Detecting and measuring malware threats
US20170161176A1 (en) * 2015-12-02 2017-06-08 International Business Machines Corporation Trace recovery via statistical reasoning

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6728885B1 (en) 1998-10-09 2004-04-27 Networks Associates Technology, Inc. System and method for network access control using adaptive proxies
US7380272B2 (en) * 2000-05-17 2008-05-27 Deep Nines Incorporated System and method for detecting and eliminating IP spoofing in a data transmission network
US7058976B1 (en) * 2000-05-17 2006-06-06 Deep Nines, Inc. Intelligent feedback loop process control system
EP1512075A1 (en) * 2002-05-22 2005-03-09 Lucid Security Corporation Adaptive intrusion detection system
US20040146006A1 (en) * 2003-01-24 2004-07-29 Jackson Daniel H. System and method for internal network data traffic control
US7293238B1 (en) 2003-04-04 2007-11-06 Raytheon Company Graphical user interface for an enterprise intrusion detection system
US7895649B1 (en) 2003-04-04 2011-02-22 Raytheon Company Dynamic rule generation for an enterprise intrusion detection system
US7356585B1 (en) * 2003-04-04 2008-04-08 Raytheon Company Vertically extensible intrusion detection system and method
US7607010B2 (en) * 2003-04-12 2009-10-20 Deep Nines, Inc. System and method for network edge data protection
US7681235B2 (en) * 2003-05-19 2010-03-16 Radware Ltd. Dynamic network protection
JP4174392B2 (en) * 2003-08-28 2008-10-29 Necシステムテクノロジー株式会社 Network unauthorized access preventing system, and network unauthorized access preventing apparatus
US20050086524A1 (en) * 2003-10-16 2005-04-21 Deep Nines Incorporated Systems and methods for providing network security with zero network footprint
ES2423491T3 (en) 2003-11-12 2013-09-20 The Trustees Of Columbia University In The City Of New York Apparatus, method and means for detecting an abnormality payload distribution using n-gram normal data
US20070039051A1 (en) * 2004-11-30 2007-02-15 Sensory Networks, Inc. Apparatus And Method For Acceleration of Security Applications Through Pre-Filtering
US20060174345A1 (en) * 2004-11-30 2006-08-03 Sensory Networks, Inc. Apparatus and method for acceleration of malware security applications through pre-filtering
US8572733B1 (en) 2005-07-06 2013-10-29 Raytheon Company System and method for active data collection in a network security system
EP1917778A2 (en) * 2005-08-03 2008-05-07 Calyptix Security Systems and methods for dynamically learning network environments to achieve adaptive security
US7352280B1 (en) 2005-09-01 2008-04-01 Raytheon Company System and method for intruder tracking using advanced correlation in a network security system
US7950058B1 (en) 2005-09-01 2011-05-24 Raytheon Company System and method for collaborative information security correlation in low bandwidth environments
US8224761B1 (en) 2005-09-01 2012-07-17 Raytheon Company System and method for interactive correlation rule design in a network security system
US7849185B1 (en) 2006-01-10 2010-12-07 Raytheon Company System and method for attacker attribution in a network security system
WO2007096890A3 (en) * 2006-02-27 2009-04-09 Slavik Markovich Device, system and method of database security
US8201243B2 (en) * 2006-04-20 2012-06-12 Webroot Inc. Backwards researching activity indicative of pestware
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
US8811156B1 (en) 2006-11-14 2014-08-19 Raytheon Company Compressing n-dimensional data
WO2010088550A3 (en) * 2009-01-29 2010-12-02 Breach Security, Inc. A method and apparatus for excessive access rate detection
US20100251355A1 (en) * 2009-03-31 2010-09-30 Inventec Corporation Method for obtaining data for intrusion detection
US8938534B2 (en) 2010-12-30 2015-01-20 Ss8 Networks, Inc. Automatic provisioning of new users of interest for capture on a communication network
US9058323B2 (en) 2010-12-30 2015-06-16 Ss8 Networks, Inc. System for accessing a set of communication and transaction data associated with a user of interest sourced from multiple different network carriers and for enabling multiple analysts to independently and confidentially access the set of communication and transaction data
US8972612B2 (en) 2011-04-05 2015-03-03 SSB Networks, Inc. Collecting asymmetric data and proxy data on a communication network
US9350762B2 (en) 2012-09-25 2016-05-24 Ss8 Networks, Inc. Intelligent feedback loop to iteratively reduce incoming network data for analysis
US9830593B2 (en) 2014-04-26 2017-11-28 Ss8 Networks, Inc. Cryptographic currency user directory data and enhanced peer-verification ledger synthesis through multi-modal cryptographic key-address mapping

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US6219786B1 (en) * 1998-09-09 2001-04-17 Surfcontrol, Inc. Method and system for monitoring and controlling network access
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6298445B1 (en) * 1998-04-30 2001-10-02 Netect, Ltd. Computer security
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US6321336B1 (en) * 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US6415321B1 (en) * 1998-12-29 2002-07-02 Cisco Technology, Inc. Domain mapping method and system
US6611869B1 (en) * 1999-10-28 2003-08-26 Networks Associates, Inc. System and method for providing trustworthy network security concern communication in an active security management environment
US6725377B1 (en) * 1999-03-12 2004-04-20 Networks Associates Technology, Inc. Method and system for updating anti-intrusion software
US7058976B1 (en) * 2000-05-17 2006-06-06 Deep Nines, Inc. Intelligent feedback loop process control system
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets

Family Cites Families (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5319776A (en) 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5649095A (en) 1992-03-30 1997-07-15 Cozza; Paul D. Method and apparatus for detecting computer viruses through the use of a scan information cache
US5414650A (en) 1993-03-24 1995-05-09 Compression Research Group, Inc. Parsing information onto packets using context-insensitive parsing rules based on packet characteristics
US5835726A (en) 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network
US5623601A (en) 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
JP3499621B2 (en) 1994-12-27 2004-02-23 株式会社東芝 Address management apparatus and address management method
US5828846A (en) * 1995-11-22 1998-10-27 Raptor Systems, Inc. Controlling passage of packets or messages via a virtual connection or flow
US5826014A (en) 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
US5787253A (en) 1996-05-28 1998-07-28 The Ag Group Apparatus and method of analyzing internet activity
US5799002A (en) 1996-07-02 1998-08-25 Microsoft Corporation Adaptive bandwidth throttling for network services
US6222856B1 (en) 1996-07-02 2001-04-24 Murali R. Krishnan Adaptive bandwidth throttling for individual virtual services supported on a network server
US5898830A (en) 1996-10-17 1999-04-27 Network Engineering Software Firewall providing enhanced network security and user transparency
US5913041A (en) 1996-12-09 1999-06-15 Hewlett-Packard Company System for determining data transfer rates in accordance with log information relates to history of data transfer activities that independently stored in content servers
US6263444B1 (en) 1997-03-11 2001-07-17 National Aerospace Laboratory Of Science & Technology Agency Network unauthorized access analysis method, network unauthorized access analysis apparatus utilizing the method, and computer-readable recording medium having network unauthorized access analysis program recorded thereon
US6098172A (en) 1997-09-12 2000-08-01 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with proxy reflection
US6119165A (en) 1997-11-17 2000-09-12 Trend Micro, Inc. Controlled distribution of application programs in a computer network
US6205551B1 (en) 1998-01-29 2001-03-20 Lucent Technologies Inc. Computer security using virus probing
US6182226B1 (en) 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6711127B1 (en) 1998-07-31 2004-03-23 General Dynamics Government Systems Corporation System for intrusion detection and vulnerability analysis in a telecommunications signaling network
US6615358B1 (en) * 1998-08-07 2003-09-02 Patrick W. Dowd Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network
WO2000011841A1 (en) 1998-08-18 2000-03-02 Madge Networks Limited Method and system for prioritised congestion control in a switching hub
US6370648B1 (en) * 1998-12-08 2002-04-09 Visa International Service Association Computer network intrusion detection
US6550012B1 (en) * 1998-12-11 2003-04-15 Network Associates, Inc. Active firewall system and methodology
US6981155B1 (en) 1999-07-14 2005-12-27 Symantec Corporation System and method for computer security
US6598034B1 (en) * 1999-09-21 2003-07-22 Infineon Technologies North America Corp. Rule based IP data processing
US6513122B1 (en) 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US6321336B1 (en) * 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6298445B1 (en) * 1998-04-30 2001-10-02 Netect, Ltd. Computer security
US6219786B1 (en) * 1998-09-09 2001-04-17 Surfcontrol, Inc. Method and system for monitoring and controlling network access
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment
US6415321B1 (en) * 1998-12-29 2002-07-02 Cisco Technology, Inc. Domain mapping method and system
US6725377B1 (en) * 1999-03-12 2004-04-20 Networks Associates Technology, Inc. Method and system for updating anti-intrusion software
US6611869B1 (en) * 1999-10-28 2003-08-26 Networks Associates, Inc. System and method for providing trustworthy network security concern communication in an active security management environment
US7215637B1 (en) * 2000-04-17 2007-05-08 Juniper Networks, Inc. Systems and methods for processing packets
US7058976B1 (en) * 2000-05-17 2006-06-06 Deep Nines, Inc. Intelligent feedback loop process control system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8176553B1 (en) 2001-06-29 2012-05-08 Mcafee, Inc. Secure gateway with firewall and intrusion detection capabilities
US7900254B1 (en) * 2003-01-24 2011-03-01 Mcafee, Inc. Identifying malware infected reply messages
US20080178279A1 (en) * 2007-01-19 2008-07-24 Hewlett-Packard Development Company, L.P. Method and system for protecting a computer network against packet floods
US8286244B2 (en) 2007-01-19 2012-10-09 Hewlett-Packard Development Company, L.P. Method and system for protecting a computer network against packet floods
US20150101050A1 (en) * 2013-10-07 2015-04-09 Bank Of America Corporation Detecting and measuring malware threats
US20170161176A1 (en) * 2015-12-02 2017-06-08 International Business Machines Corporation Trace recovery via statistical reasoning
US9823998B2 (en) * 2015-12-02 2017-11-21 International Business Machines Corporation Trace recovery via statistical reasoning

Also Published As

Publication number Publication date Type
DE60114181T2 (en) 2006-07-13 grant
DE60114181D1 (en) 2006-03-02 grant
EP1282954B1 (en) 2005-10-19 grant
WO2001089146A3 (en) 2002-05-16 application
WO2001089146A2 (en) 2001-11-22 application
EP1282954A2 (en) 2003-02-12 application
US7058976B1 (en) 2006-06-06 grant
JP2003533941A (en) 2003-11-11 application

Similar Documents

Publication Publication Date Title
US7308715B2 (en) Protocol-parsing state machine and method of using same
US6609205B1 (en) Network intrusion detection signature analysis using decision graphs
Traynor et al. Mitigating attacks on open functionality in SMS-capable cellular networks
US7610375B2 (en) Intrusion detection in a data center environment
US7814542B1 (en) Network connection detection and throttling
US7308714B2 (en) Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
US7620986B1 (en) Defenses against software attacks in distributed computing environments
US7934254B2 (en) Method and apparatus for providing network and computer system security
US20020133586A1 (en) Method and device for monitoring data traffic and preventing unauthorized access to a network
US20090003317A1 (en) Method and mechanism for port redirects in a network switch
US20030101353A1 (en) Method, computer-readable medium, and node for detecting exploits based on an inbound signature of the exploit and an outbound signature in response thereto
US20050125195A1 (en) Method, apparatus and sofware for network traffic management
US20030110393A1 (en) Intrusion detection method and signature table
US6775657B1 (en) Multilayered intrusion detection system and method
US20030110395A1 (en) Controlled network partitioning using firedoors
US20050111367A1 (en) Distributed architecture for statistical overload control against distributed denial of service attacks
US20060272018A1 (en) Method and apparatus for detecting denial of service attacks
US8613089B1 (en) Identifying a denial-of-service attack in a cloud-based proxy service
Mirkovic et al. D-WARD: a source-end defense against flooding denial-of-service attacks
US20030074578A1 (en) Computer virus containment
US20050251862A1 (en) Security arrangement, method and apparatus for repelling computer viruses and isolating data
US6721890B1 (en) Application specific distributed firewall
US20060272025A1 (en) Processing of packet data in a communication system
Handley et al. Internet denial-of-service considerations
US20060236394A1 (en) WAN defense mitigation service

Legal Events

Date Code Title Description
AS Assignment

Owner name: DEEP NINES, INC., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:DARK, SUSAN P.;REEL/FRAME:014837/0061

Effective date: 20001201

AS Assignment

Owner name: ALTITUDE NINES LLC, NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:DEEP NINES, INC.;REEL/FRAME:018777/0732

Effective date: 20070110

AS Assignment

Owner name: DEEP NINES, INC., TEXAS

Free format text: RELEASE OF SECURITY AGREEMENT;ASSIGNOR:ALTITUDE NINES LLC;REEL/FRAME:025366/0168

Effective date: 20081203

AS Assignment

Owner name: DEEP NINES, INC., TEXAS

Free format text: RELEASE OF SECURITY AGREEMENT;ASSIGNOR:ALTITUDE NINES LLC;REEL/FRAME:025308/0947

Effective date: 20081203

AS Assignment

Owner name: DEEP NINES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:ALTITUDE NINES, LLC;REEL/FRAME:026155/0074

Effective date: 20110202