WO2015152869A1 - Redirection de requêtes de connexion dans un réseau - Google Patents

Redirection de requêtes de connexion dans un réseau Download PDF

Info

Publication number
WO2015152869A1
WO2015152869A1 PCT/US2014/032344 US2014032344W WO2015152869A1 WO 2015152869 A1 WO2015152869 A1 WO 2015152869A1 US 2014032344 W US2014032344 W US 2014032344W WO 2015152869 A1 WO2015152869 A1 WO 2015152869A1
Authority
WO
WIPO (PCT)
Prior art keywords
connection request
network
server
suspicious connection
suspicious
Prior art date
Application number
PCT/US2014/032344
Other languages
English (en)
Inventor
Shaila SHREE
Raphael AMORIM DANTAS LEITE
Debasish BISWAS
Original Assignee
Hewlett-Packard Development Company, L.P.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, L.P. filed Critical Hewlett-Packard Development Company, L.P.
Priority to PCT/US2014/032344 priority Critical patent/WO2015152869A1/fr
Publication of WO2015152869A1 publication Critical patent/WO2015152869A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/563Data redirection of data network streams

Definitions

  • Network security systems may be utilized to enhance the security and/or the performance of a computing network.
  • a network security system may block traffic that is seeking resolution of a domain name, such as those reportedly involved in a malicious activity. Malicious activities can include distributed denial of service attacks or sending spam, for example, among others.
  • Figure 1 illustrates a diagram of an example of a system for redirecting connection requests in a network according to the present disclosure.
  • Figure 2 illustrates a diagram of an example computing device according to the present disclosure.
  • Figure 3 illustrates an environment for redirecting connection requests in a network according to the present disclosure.
  • Figure 4 illustrates a flow chart of a method for redirecting connection requests in a network according to the present disclosure.
  • An entity can implement network security systems to protect against vulnerabilities in their networks.
  • IT information technology
  • cloud computing environments e.g., from self-managed on-premise data centers to service-provider managed outsourced virtual data centers
  • third parties may allow third parties to provide shared computing resources and applications running on those resources.
  • the move by companies to cloud computing environments is increasing for various reasons, including the need for increased computing power, increased storage capacity, and/or increased network bandwidth, among others. Without adequate device, system, and application security, the cloud can compromise these applications, potentially causing large losses.
  • DNS Domain Name System
  • Some malicious software can use spurious (e.g., fake and/or illegitimate) Domain Name System (DNS) servers to gain access to networks.
  • DNS servers can be corrupted to resolve to a malicious site that enables various security threats to gain access to the network.
  • Some mechanisms to protect network services from such attacks include using firewalls which can have policies to prevent network clients from accessing a potentially malicious server. However, such mechanisms merely block requests to access such servers, and do not allow for customized responses to particular requests to connect to particular servers.
  • redirecting network requests in a network can provide a more scalable and custom network security system than firewalls by implementing custom policies.
  • firewall-based approaches simply block suspicious requests and result in an error page for the user attempting to gain access, or result in network timeouts.
  • Examples of the present disclosure enable special processing and/or further inspection of suspicious access requests and provide a robust solution that can be implemented on any networking protocol.
  • Figures 1 and 2 illustrate examples of systems 100, 208 according to the present disclosure.
  • Figure 1 illustrates a diagram of an example of a system 100 for redirecting connection requests in a network according to the present disclosure.
  • the system 100 can include a database 101 , a subsystem 102, and/or a number of engines 103, 104, 105.
  • "a" or "a number of something can refer to one or more such things.
  • "a number of widgets" can refer to one or more widgets.
  • the subsystem can include the number of engines in communication with the database 101 via a communication link.
  • the system 100 can include additional or fewer engines than illustrated to perform the various functions described herein.
  • the system can represent software and/or hardware of a network controller (e.g., device 208 as referenced in Figure 2, etc.).
  • the number of engines 103, 104, 105 can include a combination of hardware and programming that is configured to perform a number of functions described herein (e.g., detect a suspicious connection request within a network, etc.).
  • the programming can include program instructions (e.g., software, firmware, etc.) stored in a memory resource (e.g., computer readable medium (CRM), machine readable medium (MRM), etc.) as well as hard-wired program (e.g., logic).
  • the detection engine 103 can include hardware and/or a combination of hardware and programming to detect a suspicious connection request within a network, such as a software defined network (SDN).
  • a suspicious connection request can refer to a connection request received from a client in a client-server network, to access a particular server that is not recognized by the client-server network as a trusted (e.g., standard) server.
  • a suspicious connection request can include a request to access a server outside of the client-server network.
  • a suspicious connection request can include a request from a client in a client-server network to connect to a server not identified on a list of trusted servers.
  • a client-server network refers to a distributed application structure that partitions tasks or workloads between providers of a resource or service (e.g., servers), and service requesters (e.g., clients).
  • Clients and servers in a client-server network can communicate over a computer network on separate hardware, but both client and server may reside in the same system.
  • the client-server network can include an SDN-enabled network (e.g., a network that can be managed as an SDN).
  • a trusted server can include a server within the client- server network that has been identified as safe and/or not corrupt by malicious software.
  • a suspicious connection request can include a DNS request from a client in the client-server network.
  • DNS is a technology for managing the names of web sites and their internet domains. DNS technology enables users to automatically find entered web addresses on the internet.
  • a DNS server can refer to any device (e.g., computer) registered to join the DNS.
  • a DNS server can run special-purpose networking software, can feature a public internet protocol (IP) address, and can contain a database of network names and addresses for internet hosts.
  • IP public internet protocol
  • a suspicious connection request can include a request from a client in the client-server network to access a server outside of the client-server network using any protocol (e.g., such as a dynamic host configuration protocol (DHCP), remote authentication dial-in user service (RADIUS) protocol, network time protocol (NTP), lightweight directory access protocol (LDAP), among others).
  • DHCP dynamic host configuration protocol
  • RADIUS remote authentication dial-in user service
  • NTP network time protocol
  • LDAP lightweight directory access protocol
  • the detection engine 103 can detect a suspicious connection request within a network using an SDN rule.
  • an SDN rule can refer to a rule (e.g., an Open Flow rule) specified by a user and/or administrator of the client-server network and executed by an SDN controller.
  • An SDN can refer to a form of network virtualization in which the control plane (system that makes decisions that affect network traffic) is separated from the data plane (system that moves the network traffic) and implemented as software.
  • the control plane defines how network traffic is handled (e.g., via protocols such as spanning tree, open shortest path first, border gateway protocol, etc.) in a network device.
  • the data plane actually handles the network traffic according to the control plane (e.g., using forwarding tables, routing tables, queues, etc.) in a network device.
  • the control plane may be said to be distributed in a typical network where each network device includes a control plane and a data plane. Thus, in the event of network congestion, each network device may take corrective action largely
  • network administrators can have programmable (e.g., centralized) control of network traffic without requiring physical access to the network's hardware devices.
  • Open Flow can refer to a communication protocol that gives access to a data plane of a network (e.g., an SDN). Open Flow can enable remote controllers (e.g., SDN controllers) to determine the path of network packets through a network of switches.
  • An Open Flow rule can refer to a rule (e.g., a set of policies and/or instructions) executed by an SDN controller that directs the handling of network packets and/or network traffic.
  • the redirection engine 104 can include hardware and/or a combination of hardware and programming to redirect a suspicious connection request to a trusted server within the network. For example, in response to identifying a suspicious connection request from a client in the client-server network, the redirection engine 104 can send the suspicious connection request to a server within the client-server network that is identified as a trusted server. In some examples, the redirection engine 104 can send the suspicious connection request to a pre-configured destination transmission control protocol (TCP) port of a trusted server in the client-server network.
  • TCP transmission control protocol
  • the response engine 105 can include hardware and/or a combination of hardware and programming to execute a number of actions in response to receiving a redirected suspicious connection request and based on a characteristic of the suspicious connection request.
  • the response engine 105 can instruct the trusted server which received the redirected suspicious connection request to execute a number of actions in response to receiving the suspicious connection request.
  • the trusted server can execute an intrusion detection system and/or redirect a malicious DNS request to a correct internet protocol (IP) address, among other actions.
  • IP internet protocol
  • the particular actions taken by the trusted server in response to receiving a redirected suspicious connection request can be differentiated and selective responses, configured by an administrator and/or user of the client-server network.
  • the administrator can specify a number of policies that instruct how connection requests of a particular type, connection requests from a particular originator (e.g., a particular client originating and/or generating the connection request), and/or connection requests to access a particular server outside of the client-server network should be handled.
  • a particular type of a connection request can be based on a specific network service.
  • a type of connection request can include a DNS host lookup request (e.g., a request to resolve a domain and/or hostname to an IP address).
  • a type of connection request can include a discover request (e.g., a request to obtain an IP address from a DHCP server in the network).
  • a type (e.g., particular type) of a connection request can include any type of request based on specific services offered by the client-server network.
  • an administrator of the client-server network can add a number of protocols and a number of request types to the client-server network using an SDN controller, particularly, using a network service security application embedded in an SDN controller (as discussed further herein).
  • the response engine 105 can instruct a security application in the client-server network to execute a number of actions in response to receiving a response from a trusted server.
  • a suspicious connection request can be redirected to a trusted server in the client-server network, the trusted server can process packets associated with the suspicious connection request, and the trusted server can send a response back to a security application within the client-server network.
  • the security application can identify the original request associated with the suspicious connection request, and execute a number of actions to handle the suspicious connection request.
  • the original request can be identified by looking up the source IP address of the client and intended destination IP address in a database (e.g., a database maintained by the security application).
  • a database e.g., a database maintained by the security application.
  • the security application can generate and/or display a number of statistics related to the suspicious connection request and/or drop the packet associated with the suspicious connection request, among other actions. Such statistics can be used by administrators of the client-server network to improve security policies and/or prevent future security attacks.
  • FIG. 2 illustrates a diagram of an example computing device 208 according to the present disclosure.
  • the computing device 208 can utilize software, hardware, firmware, and/or logic to perform a number of functions described herein.
  • the computing device 208 can be any combination of hardware and program instructions configured to share information.
  • the hardware for example, can include a processing resource 209 and/or a memory resource 21 1 (e.g., CRM, MRM, database, etc.).
  • a processing resource 209 can include any number of processors capable of executing instructions stored by a memory resource 21 1 .
  • Processing resource 209 may be implemented in a single device or distributed across multiple devices.
  • the program instructions can include instructions stored on the memory resource 21 1 and executable by the processing resource 209 to implement a desired function (e.g., redirect a suspicious connection request to a trusted server in a network).
  • a desired function e.g., redirect a suspicious connection request to a trusted server in a network
  • the memory resource 21 1 can be in communication with a processing resource 209.
  • a memory resource 211 can include any number of memory components capable of storing instructions that can be executed by processing resource 209.
  • Such memory resource 21 1 can be a non-transitory CRM or MRM.
  • Memory resource 21 1 may be integrated in a single device or distributed across multiple devices. Further, memory resource 21 1 may be fully or partially integrated in the same device as processing resource 209 or it may be separate but accessible to that device and processing resource 209.
  • the computing device 208 may be implemented on a participant device, on a server device, on a collection of server devices, and/or a combination of the user device and the server device.
  • the memory resource 21 1 can be in communication with the processing resource 209 via a communication link (e.g., a path) 210.
  • the communication link 210 can be local or remote to a machine (e.g., a computing device) associated with the processing resource 209. Examples of a local communication link 210 can include an electronic bus internal to a machine (e.g., a computing device) where the memory resource 21 1 is one of volatile, non-volatile, fixed, and/or removable storage medium in communication with the processing resource 209 via the electronic bus.
  • a number of modules 213, 214, 215 can include CRI that when executed by the processing resource 209 can perform a number of functions.
  • the number of modules 213, 214, 215 can be sub-modules of other modules.
  • the detection module 213, the redirection module 214, and the response module 215 can be sub-modules and/or contained within the same computing device.
  • the number of modules 213, 214, 215 can comprise individual modules at separate and distinct locations (e.g., CRM, etc.).
  • Each of the number of modules 213, 214, 215 can include instructions that when executed by the processing resource 209 can function as a corresponding engine as described herein.
  • the detection module 213 can include instructions that when executed by the processing resource 209 can function as the detection engine 103.
  • the redirection module 214 can include instructions that when executed by the processing resource 209 can function as the redirection engine 104.
  • response module 215 can include instructions that when executed by the processing resource 209 can function as the response engine 105.
  • FIG. 3 illustrates an environment 320 for redirecting connection requests in a network according to the present disclosure.
  • the environment 320 can include a client-server network (e.g., a cloud network) 330 that allows end recipient computer systems (e.g., thin clients, portable computers, smartphones, desktop computers, etc.) to access a pool of hosted computing and/or storage resources (e.g., the cloud resources) and virtual network services over a physical network (e.g., a private intranet and/or the public Internet).
  • the client-server network can include an SDN- enabled network (e.g., a network that can be managed as an SDN). That is, the environment 320 can include an SDN enabled client-server network (e.g., an SDN).
  • An SDN can include a form of cloud virtual ization in which a control layer 322 (e.g., a sub-system that makes decisions that affect cloud traffic) is separated from an infrastructure layer 323 and is implemented as software.
  • the control layer 322 can define how cloud traffic is handled (e.g., via protocols) in a number of devices.
  • the environment 320 can include an application layer 321 , a control layer 322, and/or an infrastructure layer 323 in the network 330 (e.g., in the SDN).
  • the application layer 321 can include a number of applications (e.g., programs) 328-1 , 328-2, 328-R that
  • security application 327 is depicted in Figure 3 as embedded in controller 302, security application 327 is also an example application in the application layer 321 .
  • Applications in the application layer 321 can be implemented by the controller 302 and/or be implemented by other computing devices that interface with controller 302.
  • the application layer 321 can communicate with the control layer 322 via an application programming interface (API).
  • API application programming interface
  • an API can include a set of routines, protocols, and/or tools that accomplish a specific task and/or are allowed to interact with a specific software component.
  • the application layer 321 can communicate with the control layer 322 via a representation state transfer (REST)ful API.
  • REST can include an architectural style that abstracts architectural elements within a distributed hypermedia system that ignores the details of component implementation and protocol syntax in order to focus on the roles of components, the constraints upon interaction with other
  • a RESTful API can include a web API implemented using hypertext transfer protocol (HTTP) and REST principles as a collection of resources.
  • HTTP hypertext transfer protocol
  • examples are not so limited, and the application layer 321 can communicate with the control layer 322 using other APIs and/or protocols.
  • the control layer 322 can translate requirements provided by the application layer 321 to the infrastructure layer 323. Further, the control layer 322 can include a controller (e.g., an SDN controller) 302 to communicate between the application layer 321 and the infrastructure layer 323.
  • the SDN controller 302 can be hardware and/or software.
  • a hardware SDN controller 302 can include a processing resource in communication with a memory resource.
  • the memory resource can include instructions, executable by the processing resource to perform a number of functions described herein.
  • the SDN controller 302 can be a discrete device, such as a server.
  • the environment 320 can include a network service security application (e.g., a security application) 327 embedded in the controller 302, (or implemented by one or more other computing devices interfacing with controller 302), and a number of servers 324-1 , 324-2, 324- N (referred to herein as servers 324).
  • the infrastructure layer may include various network devices, such as switches, routers, bridges, wireless access points, and the like, for connecting the servers 324 together in a network.
  • the network service security application 327 can include hardware and/or software to maintain a table of outstanding suspicious connection requests (e.g., suspicious connection requests that have not yet been processed by a trusted server and/or have not yet been resolved by the network service security application).
  • the network service security application 327 can maintain a number of controlled (e.g., user and/or administrator
  • Each of the number of servers 324 can include a number of agents.
  • an agent refers to a component of a server that relays messages between the cloud controller 302 and the server and performs a specific network service.
  • each of the number of servers 324 can include an agent that performs the services of at least one of an IP address agent, a switching agent, and/or a routing agent. Multiple instances of these agents could be running on each server, however, each agent can be
  • the environment 320 can include an outside network 329.
  • the outside network 329 can include a number of servers outside of (e.g., external to) the client-server network 330.
  • the outside network 329 can include a plurality of private, public, academic, business and/or government networks, each including a plurality of computing devices and/or servers.
  • the outside network 329 can refer to the Internet.
  • servers 324 within the client-server network 330 can request access to servers in the outside network 329.
  • FIG 4 illustrates a flow chart of a method 440 for redirecting connection requests in a network according to the present disclosure.
  • the method 440 can include detecting a suspicious connection request.
  • a client in a client-server network e.g., network 330 illustrated in Figure 3
  • the client can request access to a server outside of the client server network (e.g., the client can request access to a server in outside network 329 illustrated in Figure 3).
  • detecting a suspicious connection request can be executed using the detection engine 103 and/or the detection module 213, illustrated in Figures 1 and 2, respectively.
  • a suspicious connection request can include a non-standard connection request.
  • a suspicious connection request can be identified using a set of rules stored in the network service security application (e.g., security application 327 illustrated in Figure 3). These rules (e.g., the set of rules) can be installed in switches using Open Flow and can be executed to redirect client connection requests.
  • a switch refers to a network device that is used to connect devices in a network. A switch can provide on the wire communication between devices as well as command messages between different components illustrated in Figure 3.
  • the set of rules can specify servers that are considered safe (e.g., trusted and/or standard) servers, and servers that are not-considered safe (e.g., not trusted and/or non-standard). For example, a connection request received from a client requesting access to a server not included on a list of trusted servers could be identified as a suspicious connection request. Similarly, a connection request received from a client requesting access to a server included on a list of trusted servers would not be identified as a suspicious connection request and would be allowed to process normally (e.g., without special processing).
  • the set of rules can be executed by Open Flow and/or a controller (e.g., SDN controller) in the client-server network. For instance, an administrator of the client-server network (e.g., of the SDN) can create a set of rules (e.g., open flow security rules) that identify criteria which can be used by the SDN to identify suspicious connection requests.
  • the method 440 can include redirecting the suspicious connection request to a trusted server.
  • Redirecting the suspicious connection request to a trusted server can include executing a set of rules (e.g., Open Flow redirection rules) that identify a number of trusted servers that are configured to receive and/or process suspicious connection requests.
  • the suspicious connection request can be sent (e.g., redirected) to a trusted server in the client-server network (e.g., servers 324 illustrated in Figure 3).
  • the suspicious connection request in response to identifying a particular connection request as a suspicious connection request, can be redirected to a non-standard but pre-configured destination TCP port of the trusted server.
  • an administrator can configure a particular port on a trusted server (e.g., server 324-2 illustrated in Figure 3) within the client-server network as a designated port for receiving suspicious connection requests.
  • a switch in the client-server network can redirect the traffic to a trusted server in the client-server network.
  • a trusted server can refer to a server included in the client- server network.
  • a trusted server can include a DHCP server, a file transfer protocol (FTP) server, a groupware server, an internet relay chat server, a list server, a mail server, and/or a web server among others, included in the client-server network.
  • the method 440 can include detecting suspicious connection requests that arrive at a non-standard port designated for a protocol to handle connection requests identified as suspicious connection requests.
  • the internet assigned numbers authority (IANA) assigned port is 53.
  • Connection requests identified as suspicious connection requests can be sent to the user datagram protocol (UDP) port 5300.
  • UDP user datagram protocol
  • suspicious connection requests can be sent to a port other than the IANA assigned TCP port number for DNS, 53, so the trusted server can be alerted to the fact that it is a suspicious connection request and thereby can process the suspicious connection request in a customized (e.g., differently than normal) manner.
  • a copy of the suspicious connection request can also be sent to a relevant SDN application (e.g., a security application 327 illustrated in Figure 3) within the client-server network.
  • the client-server network can include an SDN-enabled network (e.g., a network that can be managed as an SDN), and can therefore include an SDN controller.
  • a suspicious connection request can be sent to a network service security application on an SDN controller for subsequent handling.
  • the network service security application can maintain a table of outstanding suspicious connection requests (e.g., suspicious connection requests that have not yet been resolved and/or responded to), including details about the original request that was subsequently identified as a suspicious connection request, such as the source IP address, original destination IP address and/or source port.
  • a connection request identified as a suspicious connection request can be redirected to a trusted server within the network, sent to a network service security application, and recorded in a table of suspicious connection requests stored in the network service security application until appropriate actions have been taken.
  • the method 440 can include executing a set of actions in response to a trusted server receiving a suspicious connection request, and based on a characteristic of the suspicious connection request.
  • a characteristic of a suspicious connection request can include a type of request, an identifier identifying the originator of the request, and/or any other feature that may identify the suspicious connection request.
  • the trusted server can take a set of actions based on the request type and/or originator of the suspicious connection request. Examples of actions can include resolving the suspicious connection request to a correct DNS server.
  • a suspicious connection request instead of connecting a client to the legitimate IP address associated with www.examplelPaddress.com, can connect the client to an IP address associated with a malicious site.
  • the trusted server can take an action to connect the client to the correct IP address associated with www.examplelPaddress.com.
  • Another example of an action that a trusted server can take in response to receiving a suspicious connection request can include executing an intrusion detection system, program and/or processes that monitor network or system activities for malicious activities or policy violations. Examples of the present disclosure are not so limited, however, and actions taken by the trusted server in response to receiving a suspicious connection request can vary based on a protocol executed by the particular trusted server. For instance, actions taken by a DNS server can differ from actions taken by a DHCP server.
  • the method 440 can include sending the suspicious connection request back to the network service security application on the SDN controller (e.g., the trusted server can send a response to the network service security application).
  • the suspicious connection request can be sent back to the network service security application by an access switch in the client-server network.
  • the trusted server can send a response to the network service security application, and the network service security application can look up the suspicious connection request in the table of outstanding suspicious connection requests.
  • the trusted server can format a response with a correct (e.g., appropriate) response to the particular suspicious connection request.
  • a connection request e.g., a connection request received from a client in the client-server network
  • a suspicious connection request is a request for the IP address of a website such as examplelPaddress.com
  • the trusted server can respond to the connection request with the authoritative IP address of examplelPaddress.com. If the suspicious connection request was for a malicious web site like examplemalicioussite.ru, the trusted server can respond with a properly framed response that denies access to malicious websites.
  • the network service security application can then identify the original connection request based on the response received from the trusted server and can execute a list of actions, controlled by policies configured on the network service security application.
  • a network service security application (e.g., a security application, illustrated as item 327 in Figure 3) can identify an original request that generated a redirection to the trusted server.
  • the network service security application can execute a number of actions to handle and/or resolve the suspicious connection request. For instance, the network service security application can change the value of the IP address associated with the suspicious connection request to the original (e.g., legitimate and/or not malicious) IP address.
  • the network service security application can generate and/or display for a user, statistics about how many connection requests similar to the identified suspicious connection request (e.g., that share a common characteristic) have been received.
  • the network service security application can generate and/or display statistics identifying where suspicious connection requests are going (e.g., what servers they were attacking).
  • the network service security application can block a port on a server associated with particular suspicious connection requests, and/or drop a number of packets associated with the suspicious connection request.
  • logic is an alternative or additional processing resource to perform a particular action and/or function, etc., described herein, which includes hardware, e.g., various forms of transistor logic, application specific integrated circuits (ASICs), etc., as opposed to computer executable instructions, e.g., software firmware, etc., stored in memory and executable by a processor.
  • ASICs application specific integrated circuits
  • a number of something can refer to one or more such things.
  • a number of widgets can refer to one or more widgets.
  • a plurality of something can refer to more than one of such things.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

La présente invention concerne la redirection de requêtes de connexion dans un réseau, laquelle redirection peut consister à détecter une requête de connexion suspecte à l'intérieur d'un réseau, à rediriger la requête de connexion suspecte vers un serveur de confiance à l'intérieur du réseau, et à exécuter une action sélective sur la base d'une caractéristique de la requête de connexion suspecte.
PCT/US2014/032344 2014-03-31 2014-03-31 Redirection de requêtes de connexion dans un réseau WO2015152869A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2014/032344 WO2015152869A1 (fr) 2014-03-31 2014-03-31 Redirection de requêtes de connexion dans un réseau

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/032344 WO2015152869A1 (fr) 2014-03-31 2014-03-31 Redirection de requêtes de connexion dans un réseau

Publications (1)

Publication Number Publication Date
WO2015152869A1 true WO2015152869A1 (fr) 2015-10-08

Family

ID=54241002

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/032344 WO2015152869A1 (fr) 2014-03-31 2014-03-31 Redirection de requêtes de connexion dans un réseau

Country Status (1)

Country Link
WO (1) WO2015152869A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160380960A1 (en) * 2015-06-28 2016-12-29 Verisign, Inc. Enhanced inter-network monitoring and adaptive management of dns traffic
WO2018188019A1 (fr) * 2017-04-13 2018-10-18 Nokia Technologies Oy Appareil, procédé et programme d'ordinateur pour une gestion de confiance
CN108900518A (zh) * 2018-07-09 2018-11-27 南京邮电大学 可信的软件定义云网络数据分发系统

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060123478A1 (en) * 2004-12-02 2006-06-08 Microsoft Corporation Phishing detection, prevention, and notification
US20110041182A1 (en) * 2008-04-29 2011-02-17 John Stenfelt intrusion detection and notification
US20120311664A1 (en) * 2005-12-30 2012-12-06 Elrod Craig T Network threat detection and mitigation
US20130283374A1 (en) * 2012-04-18 2013-10-24 Radware, Ltd. Techniques for separating the processing of clients' traffic to different zones in software defined networks
US20130333029A1 (en) * 2012-06-11 2013-12-12 Radware, Ltd. Techniques for traffic diversion in software defined networks for mitigating denial of service attacks

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060123478A1 (en) * 2004-12-02 2006-06-08 Microsoft Corporation Phishing detection, prevention, and notification
US20120311664A1 (en) * 2005-12-30 2012-12-06 Elrod Craig T Network threat detection and mitigation
US20110041182A1 (en) * 2008-04-29 2011-02-17 John Stenfelt intrusion detection and notification
US20130283374A1 (en) * 2012-04-18 2013-10-24 Radware, Ltd. Techniques for separating the processing of clients' traffic to different zones in software defined networks
US20130333029A1 (en) * 2012-06-11 2013-12-12 Radware, Ltd. Techniques for traffic diversion in software defined networks for mitigating denial of service attacks

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160380960A1 (en) * 2015-06-28 2016-12-29 Verisign, Inc. Enhanced inter-network monitoring and adaptive management of dns traffic
US10560422B2 (en) * 2015-06-28 2020-02-11 Verisign, Inc. Enhanced inter-network monitoring and adaptive management of DNS traffic
WO2018188019A1 (fr) * 2017-04-13 2018-10-18 Nokia Technologies Oy Appareil, procédé et programme d'ordinateur pour une gestion de confiance
US11012313B2 (en) 2017-04-13 2021-05-18 Nokia Technologies Oy Apparatus, method and computer program product for trust management
CN108900518A (zh) * 2018-07-09 2018-11-27 南京邮电大学 可信的软件定义云网络数据分发系统
CN108900518B (zh) * 2018-07-09 2020-12-29 南京邮电大学 可信的软件定义云网络数据分发系统

Similar Documents

Publication Publication Date Title
AU2022202068B2 (en) Rule-based network-threat detection
US11811809B2 (en) Rule-based network-threat detection for encrypted communications
US9503424B2 (en) Dynamic resolution of fully qualified domain name (FQDN) address objects in policy definitions
US9319315B2 (en) Distributing transmission of requests across multiple IP addresses of a proxy server in a cloud-based proxy service
US20160164826A1 (en) Policy Implementation at a Network Element based on Data from an Authoritative Source
US20130103834A1 (en) Multi-Tenant NATting for Segregating Traffic Through a Cloud Service
US10609081B1 (en) Applying computer network security policy using domain name to security group tag mapping
US10230691B2 (en) Systems, devices, and methods for improved domain name system firewall protection
US20170063929A1 (en) Methods, apparatus and systems for processing service requests
EP4022876B1 (fr) Suppression d'un protocole réseau dans un canal crypté et l'application correspondante
WO2023020606A1 (fr) Procédé, système et appareil pour masquer une station source, et dispositif et support de stockage
WO2013144713A1 (fr) Articles manufacturés, procédés informatiques d'un prestataire de services et systèmes de service informatique
Rajendran et al. Domain name system (dns) security: Attacks identification and protection methods
WO2015152869A1 (fr) Redirection de requêtes de connexion dans un réseau
US20160205135A1 (en) Method and system to actively defend network infrastructure
US20240056388A1 (en) Supporting overlapping network addresses universally
US11570149B2 (en) Feedback mechanism to enforce a security policy
RU2758997C1 (ru) Способ защиты информационно-вычислительной сети от вторжений
US20230370492A1 (en) Identify and block domains used for nxns-based ddos attack
Cherry Firewalls
Rahalkar et al. Networking Basics

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14888390

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14888390

Country of ref document: EP

Kind code of ref document: A1