WO2003063449A1 - System and method for monitoring network security - Google Patents


Info

Publication number
WO2003063449A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
client
security
request
computer
Application number
PCT/US2003/001592
Other languages
French (fr)
Inventor
Jesse P. Roberts
Original Assignee
Metrowerks Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • each device 130 in the network may periodically poll the policy server 125 to request an updated set of security rules.
  • the policy server 125 retrieves a set of security rules from a database storing the updated security rules, and transmits the updated security rules to the requesting device.
  • the method of this embodiment can be described as having data "pulled" from the policy server 125 to the plurality of devices on the network.
  • the devices on the network may be configured to deny access to any incoming data that is randomly sent to each device, and each device may be configured to only accept data when the device sends a request for specific data.
  • the policy server 125 may communicate to the plurality of devices on the network by other means, such as a data "push" from the policy server 125 to each device. In this alternative embodiment, the updated security rules stored on the policy server 125 are periodically distributed to each network device 130 by any one of a number of communication methods known in the art.
  • a particular device 130 may then modify its access rules, thereby locking out hosts that may be deemed as a hostile host.
  • Each device 130 may also vary the level of its own participation with respect to the security rules received from the policy server 125. For instance, in one embodiment, some devices 130 may mirror the rules provided by the policy server 125. In an alternative embodiment, certain devices 130 may mirror a set of security rules generated by a subset of devices 130 in the network. In this alternative embodiment, the policy server 125 may generate a set of security rules based on access data received from a specific group of policies.
  • each device may specify the level of its own participation in the dynamic rules.
  • the invention may provide a network security system that allows a number of network devices to dynamically update a security list, allowing each device to readily adapt itself to rapidly changing environments.
  • a or an, as used herein, are defined as one or more than one.
  • the term plurality, as used herein, is defined as two or more than two.
  • the term another, as used herein, is defined as at least a second or more.
  • the terms including and/or having, as used herein, are defined as comprising (i.e., open language).
  • the term coupled, as used herein, is defined as connected, although not necessarily directly, and not necessarily mechanically.
  • means, as used herein, is defined as hardware, firmware and/or software for achieving a result.
  • program or software, as used herein is defined as a sequence of instructions designed for execution on a computer system.
  • a program, or computer program may include a subroutine, a function, a procedure, an object method, an object implementation, an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a computer system.

Abstract

Systems and methods are described for monitoring network security. A method for securing a network includes receiving a request from a client at a network device connected to a network, transmitting data from the network device to a policy server if the request is a failed request, analyzing the failed request to determine if the client is a hostile client, creating a security rule if the client is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the network as a function of the network device access rule.

Description

DESCRIPTION
SYSTEM AND METHOD FOR MONITORING NETWORK SECURITY
CROSS-REFERENCE(S) TO RELATED APPLICATION(S)
This application claims a benefit of priority under 35 U.S.C. 119(e) and/or 35 U.S.C. 120 from U.S. Provisional Patent Application No. 60/349,903, filed January 18, 2002, the entire contents of which are hereby expressly incorporated by reference for all purposes.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates generally to the field of computer networks. More particularly, the invention relates to computer network security systems.
2. Discussion of the Related Art
The use of computer networks has increased dramatically in recent years with the rise of the Internet and intranets, such as local area networks (LANs). Unfortunately, this surge in network usage also generates a growing concern over security issues. Network security can be defined as the process of preventing and detecting unauthorized use of a computer network. A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, software, or a combination of both. All commands entering or leaving the network pass through the firewall, which examines each command and blocks those that do not meet the specified security criteria. Nevertheless, these criteria are fixed and cannot be dynamically created, updated, or implemented.
What is needed is a method and apparatus by which a distributed group of computing devices such as, for example, Internet Protocol (IP)-enabled devices, may dynamically construct and implement network access and connectivity rules.
SUMMARY OF THE INVENTION
There is a need for the following embodiments. Of course, the invention is not limited to these embodiments.
According to an aspect of the invention, a method for securing a network comprises receiving a request from a client at a network device connected to a network, transmitting data from the network device to a policy server if the request is a failed request, analyzing the failed request to determine if the client is a hostile client, creating a security rule if the client is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the network as a function of the network device access rule.
According to another aspect of the invention, a network security apparatus comprises a computer network, a client computer coupled to the computer network, a network device coupled to the computer network, and a policy server coupled to the computer network; the network device receiving a request from a client computer and transmitting data to the policy server if the request is a failed request, the policy server analyzing the failed request to determine if the client computer is a hostile client, creating a security rule if the client computer is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the computer network.
These, and other, embodiments of the invention will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following description, while indicating various embodiments of the invention and numerous specific details thereof, is given by way of illustration and not of limitation. Many substitutions, modifications, additions and/or rearrangements may be made within the scope of the invention without departing from the spirit thereof, and the invention includes all such substitutions, modifications, additions and/or rearrangements.
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings accompanying and forming part of this specification are included to depict certain aspects of the invention. A clearer conception of the invention, and of the components and operation of systems provided with the invention, will become more readily apparent by referring to the exemplary, and therefore nonlimiting, embodiments illustrated in the drawings, wherein like reference numerals (if they occur in more than one view) designate the same or similar elements. The invention may be better understood by reference to one or more of these drawings in combination with the description presented herein. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale.
Figure 1 is a block diagram of a distributed security system, representing an embodiment of the invention.
Figure 2 is a block diagram of an exemplary client computer, representing an embodiment of the invention.
Figure 3 is a block diagram of a computer network policy server, representing an embodiment of the invention.
Figure 4 is a flowchart of a distributed security method, representing an embodiment of the invention.
DETAILED DESCRIPTION
The invention and the various features and advantageous details thereof are explained more fully with reference to the nonlimiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. It should be understood that the detailed description and the specific examples, while indicating specific embodiments of the invention, are given by way of illustration only and not by way of limitation. Various substitutions, modifications, additions and/or rearrangements within the spirit and/or scope of the underlying inventive concept will become apparent to those of ordinary skill in the art from this disclosure.
The invention may include a method and apparatus for surveillance and detection of attempted intrusions into computers connected to a network. The invention may also include a method and apparatus for the systematic monitoring, intrusion identification, notification, tracking, and elimination of unauthorized activities, such as methods or systems used by "hackers" to intrude into computer networks. Prior-art technologies for network security monitoring have generally been limited to detection and notification capabilities. In one embodiment, the invention may include a method and apparatus for providing a security system that detects unauthorized activity on a network, determines the presence of at least one hostile host, and denies connectivity by one or more hosts identified as a hostile host. The invention may also include a method and apparatus by which a distributed group of IP-enabled devices may dynamically construct and implement network access and connectivity rules. In another embodiment, the invention may include providing data that is useful for evidence of theft or misuse of electronically stored property.
Referring to Figure 1, a block diagram of a distributed security system 100 is depicted, according to an embodiment of the invention. A representative section of the distributed security system 100 may comprise a plurality of client computers 118 and 120, a policy server 125, and a plurality of computing/network devices 130.
Each computing device depicted in Figure 1 may be configured to electronically communicate via a network 101 such as, for example, the Internet. In addition, the policy server 125 and the plurality of computing devices 130 may be controlled by one business entity and thus also configured to electronically communicate via a local area network (LAN) 102, or the like.
The client computers 118 and 120 are described in greater detail with respect to Figure 2. The policy server 125 and the plurality of computing devices 130 are described in greater detail with respect to Figure 3. It should be appreciated that the illustrative embodiment shown in Figure 1 is one suitable computing environment for the invention and that the methods described below may be implemented in any computing environment. For instance, the computing environment of Figure 1 may be configured on an intranet, thereby limiting the computing devices to a closed system.
Referring to Figure 2, a block diagram of the exemplary client computer 120 detailed in Figure 1 is depicted in accordance with one aspect of the invention. The client computer 120 may be any general purpose computing device, such as a personal computer, server, or the like. One of ordinary skill in the art will appreciate that the client computer 120 may also be a distributed computing device, such as a network of servers. In addition, the client computer 120 may be any other communications device such as a two-way pager, mobile phone, personal data assistant (PDA), or any other computing device having network capabilities. Those of ordinary skill in the art will appreciate that the computing device 120 may include more components than those shown and described below. However, it is not necessary that all of these generally conventional components be shown in order to disclose an illustrative embodiment for practicing the invention. As shown in Figure 2, the client computer 120 includes a network interface 230 for connecting to the network 101. One of ordinary skill in the art will appreciate that the network interface 230 includes the necessary circuitry for such a connection, and may also be constructed for use with the TCP/IP protocol. The client computer 120 also includes a processing unit 210, a display 240, and a memory 250. The memory 250 generally comprises a random access memory (RAM), a read-only memory (ROM), and a permanent mass storage device, such as a disk drive. The memory 250 stores the program code necessary for operating the client computer 120 and for providing a user interface on the display 240. In addition, the memory 250 may store a network application 255, such as a web browser, mail application, or the like. The network application 255 is utilized by a user of the client computer 120 to access various network servers, such as a file server, mail server, etc. It will be appreciated that these software components may be loaded from a computer-readable medium into memory 250 of the client computer 120 using a drive mechanism associated with the computer-readable medium, such as a floppy, tape or CD-ROM drive (not shown), or via the network interface 230.
Referring to Figure 3, a block diagram of the computer network policy server 125 detailed in Figure 1 is depicted according to one exemplary embodiment of the invention. The policy server 125 may contain at least one of the components described above with reference to the client computer 120 of Figure 2. For instance, the policy server 125 may comprise a processing unit 310, a display 340, a mass memory 350, and an interface 330, all interconnected to a bus 320. The policy server 125 may also comprise a security application 355 and a host database 356 in the memory 350. In one embodiment, the security application 355 is configured to carry out a method of the invention as detailed in Figure 4, and the host database 356 is configured to store the data collected from the network devices 130.
Referring again to Figure 1, for purposes of illustrating various aspects of the invention, the network devices 130 may be a client or server computer configured in a manner that is similar to the above-described devices. Alternatively, the network devices 130 may be in the form of a router, firewall, or any other electronic device configured to communicate with a network. In one embodiment, a single computer may perform the functions of the policy server 125 and of the computing device 130. The invention may provide a system and method for network surveillance and detection of attempted intrusions into computers connected to a network. As applied to the example network 100 described above, one embodiment of the system of the invention involves a network having a plurality of devices such as a policy server 125, a plurality of computing devices 130 and a plurality of client computers 118 and 120. In one embodiment of the invention, the policy server 125 receives and analyzes data describing attempted intrusions from various computing devices 130 on the network 101. The policy server 125 then may generate a set of security rules, which allow the computing devices 130 to selectively lock out hostile hosts having a history of attempted intrusions.
Referring to Figure 4, a flowchart of a distributed security method 400 is depicted according to one exemplary embodiment of the invention. Steps 405-415 may be performed by the computing devices 130, while steps 420-435 may be performed by the policy server 125, both detailed in Figure 1. In step 405, a computing device 130 of the network receives a request. In step 410, the computing device 130 may determine the presence of an attempted intrusion and transmit data describing the attempted intrusion to the policy server 125. In one embodiment, the presence of an attempted intrusion may be determined if a device receives a request to open an unavailable PORT. For instance, the presence of an attempted intrusion may be determined if a device 130, such as a firewall, receives a request to open PORT 20, a PORT normally reserved for email services. In another example, a request to open PORT 80 on a firewall may indicate the presence of an attempted intrusion. In summary, any request that does not match a service or an available PORT on a particular device may indicate the presence of an attempted intrusion. In other embodiments, the presence of an attempted intrusion may be determined by other types of network activity such as a failed login or any other failed access request. If a device 130 determines the presence of an attempted intrusion, control passes to step 415, otherwise the method 400 ends. In step 415, a computing device 130 may transmit data describing each attempted intrusion, also referred to herein as access data, to the policy server 125. In one embodiment, each computing device 130 records the access data and periodically transmits the recorded access data to the policy server 125. In another embodiment, the computing devices 130 of the network may be configured to transmit the access data to the policy server 125 each time the presence of an attempted intrusion is determined.
The access data may include the IP address of the host transmitting the access request, the time and date of each attempted intrusion, and other related data. In step 420, the access data is analyzed for a pattern by the policy server 125. In one mode of operation, the policy server 125 is configured to continuously receive and record the access data from the computing devices 130. The policy server 125 may also continuously analyze the access data for patterns to determine the presence of a hostile host. In one embodiment, the policy server 125 maintains a cached list of known sources of unauthorized connection attempts and evaluates the potential hostility of each attempt.
In step 425, if a source is determined to be responsible for a predetermined number of unauthorized attempts, it may be promoted into a cached list of known hostile hosts and control passed to step 430; otherwise the method 400 ends. In one specific embodiment, if one particular host, such as the host 118 of Figure 1, repeatedly attempts to access one particular device 130 in the network, the policy server 125 may determine the presence of a hostile host. In another embodiment, if one particular host, such as the host 118 of Figure 1, sends a number of failed access requests to a number of unique devices 130 on the network, the policy server 125 may determine the presence of a hostile host. In addition, the policy server 125 may determine the presence of a hostile host if there are many failed requests to open a particular PORT on one or more devices 130. In other embodiments, any one of the above-described embodiments, or combinations thereof, may be utilized to determine the presence of a hostile host. For example, if a host 118 executes a systematic PORT scan to open PORT 80 on each device 130 in the network, the policy server 125 may determine the presence of a hostile host.
In step 430, once the presence of a hostile host is determined, the policy server 125 then may generate and/or update a set of security rules, which allow the computing devices 130 to lock out specific hosts having a history of attempted intrusions. In one embodiment, the policy server 125 can establish a rule to lock out any network request transmitted from a particular internet protocol (IP) address. In this example, if a particular host, such as the device labeled as a 'hostile host' 118 in Figure 1, is the source of many attempted intrusions, the policy server 125 may provide instructions to each device 130 in the network to refuse any request from that particular host. In one embodiment, the policy server 125 is configured to update and modify the security rules on an ongoing basis, thereby identifying potential hostile hosts as patterns of intrusion or unauthorized access attempts develop. In step 435, as the security rules are updated, the security rules are communicated from the policy server 125 to the plurality of devices on the network. In one embodiment, each device 130 in the network may periodically poll the policy server 125 to request an updated set of security rules. In response to the poll from an individual device, the policy server 125 retrieves a set of security rules from a database storing the updated security rules, and transmits the updated security rules to the requesting device. As can be appreciated by one of ordinary skill in the art, the method of this embodiment can be described as having data "pulled" from the policy server 125 to the plurality of devices on the network. By the use of this embodiment, the devices on the network may be configured to deny access to any incoming data that is randomly sent to each device, and each device may be configured to only accept data when the device sends a request for specific data. In another embodiment, the policy server 125 may communicate to the plurality of devices on the network by other means, such as a data "push" from the policy server 125 to each device. In this alternative embodiment, the updated security rules stored on the policy server 125 are periodically distributed to each network device 130 by any one of a number of communication methods known in the art.
Once a particular device 130 receives the updated security rules, the device may then modify its access rules, thereby locking out hosts that have been deemed hostile. Each device 130 may also vary the level of its own participation with respect to the security rules received from the policy server 125. For instance, in one embodiment, some devices 130 may mirror the rules provided by the policy server 125. In an alternative embodiment, certain devices 130 may mirror a set of security rules generated by a subset of devices 130 in the network. In this alternative embodiment, the policy server 125, or a second policy server (not shown), may generate a set of security rules based on access data received from a specific group of devices 130. By the use of the above-described system and method, attempted intrusions on a small number of devices in a particular network can be used to preempt intrusions directed to other devices in the network. In one embodiment, each device may specify the level of its own participation in the dynamic rules. In addition, the invention may provide a network security system that allows a number of network devices to dynamically update a security list, allowing each device to readily adapt itself to rapidly changing environments.
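The following is an added worked example of the method 400 described above, written for this page and not code from the patent or its assignee. It models steps 405-435 end to end: devices report each failed request (the access data: device, source IP, PORT, date and time) to a policy server, the server checks the three patterns the description names (repeated attempts at one device, failed requests spread across several unique devices, and many failed requests to one PORT) and promotes a source to the hostile list, and devices poll the server ("pull") and mirror its rules before serving each request. The device names, service ports, thresholds and traffic are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample topology: the services each device actually offers.
# A request for any other port is treated as a failed request, the
# "attempted intrusion" of step 410 in the description.
DEVICE_SERVICES = {
    "fw-1": {443},
    "web-1": {80, 443},
    "mail-1": {25},
}


@dataclass(frozen=True)
class AccessRecord:
    """Access data a device transmits to the policy server (step 415)."""
    device: str
    src_ip: str
    port: int
    timestamp: str  # ISO date/time of the attempt


class PolicyServer:
    """Steps 420-435: record access data, detect patterns, publish rules."""

    def __init__(self, per_device_threshold=3, device_spread_threshold=2,
                 port_threshold=3):
        # Thresholds are assumptions; the description says only
        # "a predetermined number of unauthorized attempts".
        self.per_device_threshold = per_device_threshold
        self.device_spread_threshold = device_spread_threshold
        self.port_threshold = port_threshold
        self.records = []          # continuously recorded access data
        self.hostile = set()       # cached list of known hostile hosts
        self.rules = set()         # security rules: IPs every device must refuse

    def report(self, record):
        """Step 420: receive access data and re-evaluate the source."""
        self.records.append(record)
        return self.analyze(record.src_ip)

    def analyze(self, src_ip):
        """Step 425: promote the source to hostile if any pattern matches."""
        mine = [r for r in self.records if r.src_ip == src_ip]
        per_device = Counter(r.device for r in mine)
        per_port = Counter(r.port for r in mine)
        hostile = (
            # repeated failed attempts against one particular device
            max(per_device.values()) >= self.per_device_threshold
            # failed requests to a number of unique devices (a systematic scan)
            or len(per_device) >= self.device_spread_threshold
            # many failed requests to open one particular port
            or max(per_port.values()) >= self.port_threshold
        )
        if hostile:
            self.hostile.add(src_ip)
            self.rules.add(src_ip)  # step 430: rule "refuse all requests from IP"
        return hostile

    def current_rules(self):
        """Step 435 (pull): answer a device's poll with the current rule set."""
        return frozenset(self.rules)


class NetworkDevice:
    """Steps 405-415 plus local enforcement of the received rules."""

    def __init__(self, name, services):
        self.name = name
        self.services = services
        self.blocked_ips = set()  # the device's own access rule

    def pull_rules(self, server):
        """Poll the policy server and mirror its rules (one participation level)."""
        self.blocked_ips = set(server.current_rules())

    def handle_request(self, src_ip, port, timestamp, server):
        """Return 'blocked', 'served' or 'failed'; failed requests are reported."""
        if src_ip in self.blocked_ips:
            return "blocked"
        if port in self.services:
            return "served"
        server.report(AccessRecord(self.name, src_ip, port, timestamp))
        return "failed"


def run_scenario():
    """Constructed traffic: a port-22 scan across every device by 10.0.0.5 and
    one harmless mistaken port from 10.0.0.9. Returns the per-request outcomes."""
    server = PolicyServer()
    devices = {n: NetworkDevice(n, s) for n, s in DEVICE_SERVICES.items()}
    traffic = [
        ("10.0.0.9", "web-1", 80, "2003-01-17T10:00:00"),
        ("10.0.0.5", "fw-1", 22, "2003-01-17T10:00:01"),
        ("10.0.0.5", "web-1", 22, "2003-01-17T10:00:02"),
        ("10.0.0.9", "web-1", 8080, "2003-01-17T10:00:03"),
        ("10.0.0.5", "mail-1", 22, "2003-01-17T10:00:04"),
    ]
    outcomes = []
    for src, dev, port, ts in traffic:
        device = devices[dev]
        device.pull_rules(server)  # each device polls before serving
        outcomes.append(device.handle_request(src, port, ts, server))
    return {"outcomes": outcomes, "hostile": sorted(server.hostile),
            "records": len(server.records)}


if __name__ == "__main__":
    print(run_scenario())
```

The last request shows the preemption the description promises: the scan reached only two devices before the server promoted 10.0.0.5, and mail-1, which had never seen that host, refused it on the strength of rules pulled from the server. The single failed request from 10.0.0.9 does not meet any threshold, so that host keeps its access.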
The terms a or an, as used herein, are defined as one or more than one. The term plurality, as used herein, is defined as two or more than two. The term another, as used herein, is defined as at least a second or more. The terms including and/or having, as used herein, are defined as comprising (i.e., open language). The term coupled, as used herein, is defined as connected, although not necessarily directly, and not necessarily mechanically. The term means, as used herein, is defined as hardware, firmware and/or software for achieving a result. The term program or software, as used herein, is defined as a sequence of instructions designed for execution on a computer system. A program, or computer program, may include a subroutine, a function, a procedure, an object method, an object implementation, an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a computer system.
The appended claims are not to be interpreted as including means-plus-function limitations, unless such a limitation is explicitly recited in a given claim using the phrase(s) "means for" and/or "step for." Subgeneric embodiments of the invention are delineated by the appended independent claims and their equivalents. Specific embodiments of the invention are differentiated by the appended dependent claims and their equivalents.

Claims

What is claimed is:
1. A method for securing a network, comprising:
receiving a request from a client at a network device connected to a network;
transmitting data from the network device to a policy server if the request is a failed request;
analyzing the failed request to determine if the client is a hostile client;
creating a security rule if the client is a hostile client;
communicating the security rule to the network device;
modifying a network device access rule according to the security rule; and
blocking the hostile client from the network as a function of the network device access rule.
2. The method of claim 1, wherein the failed request includes a failed command.
3. The method of claim 1, wherein transmitting the data includes transmitting a client data.
4. The method of claim 3, wherein transmitting the client data includes transmitting a client internet protocol address.
5. The method of claim 3, wherein transmitting the client data includes transmitting a request data.
6. The method of claim 3, wherein transmitting the client data includes transmitting a date and time.
7. The method of claim 1, wherein creating the security rule includes creating a set of security rules.
8. The method of claim 1, wherein creating the security rule includes updating a security rule.
9. The method of claim 1, wherein the network includes the Internet.
10. The method of claim 1, wherein the network includes an intranet.
11. The method of claim 1, wherein the intranet includes a local area network.
12. A network security apparatus, comprising:
a computer network;
a client computer coupled to the computer network;
a network device coupled to the computer network; and
a policy server coupled to the computer network,
the network device receiving a request from a client computer and transmitting data to the policy server if the request is a failed request, the policy server analyzing the failed request to determine if the client computer is a hostile client, creating a security rule if the client computer is a hostile client, communicating the security rule to the network device, modifying a network device access rule according to the security rule, and blocking the hostile client from the computer network.
13. The network security apparatus of claim 12, wherein the network device is coupled to the policy server by a local area network.
14. The network security apparatus of claim 12, further comprising another client computer coupled to the computer network.
15. The network security apparatus of claim 12, further comprising another network device coupled to the network.
16. The network security apparatus of claim 12, wherein the computer network includes the internet.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US34990302P 2002-01-18 2002-01-18
US60/349,903 2002-01-18

Publications (1)

Publication Number Publication Date
WO2003063449A1 true WO2003063449A1 (en) 2003-07-31

Family

ID=27613333

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/001592 WO2003063449A1 (en) 2002-01-18 2003-01-17 System and method for monitoring network security

Country Status (1)

Country Link
WO (1) WO2003063449A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10771484B2 (en) * 2002-02-01 2020-09-08 Intel Corporation Integrated network intrusion detection

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6167520A (en) * 1996-11-08 2000-12-26 Finjan Software, Inc. System and method for protecting a client during runtime from hostile downloadables
WO2002014987A2 (en) * 2000-08-18 2002-02-21 Camelot Information Technologies Ltd. An adaptive system and architecture for access control


Similar Documents

Publication Publication Date Title
CN101802837B (en) System and method for providing network and computer firewall protection with dynamic address isolation to a device
US6892241B2 (en) Anti-virus policy enforcement system and method
US7962960B2 (en) Systems and methods for performing risk analysis
JP6086968B2 (en) System and method for local protection against malicious software
US8108930B2 (en) Secure self-organizing and self-provisioning anomalous event detection systems
EP1400061B1 (en) Stateful distributed event processing and adaptive security
US6499107B1 (en) Method and system for adaptive network security using intelligent packet analysis
US7478420B2 (en) Administration of protection of data accessible by a mobile device
US8020192B2 (en) Administration of protection of data accessible by a mobile device
CN109688105B (en) Threat alarm information generation method and system
US9166984B2 (en) System, method and computer program product for controlling network communications based on policy compliance
US8914644B2 (en) System and method of facilitating the identification of a computer on a network
EP2733656A1 (en) System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
US7373659B1 (en) System, method and computer program product for applying prioritized security policies with predetermined limitations
AU1919601A (en) Method and system for remotely configuring and monitoring a communication device
WO1999057625A1 (en) Dynamic system defence for information warfare
WO2004023714A2 (en) Computer network security system utilizing dynamic mobile sensor agents
WO2004057834A2 (en) Methods and apparatus for administration of policy based protection of data accessible by a mobile device
CN101675423A (en) System and method for providing data and device security between external and host devices
WO2007069337A1 (en) Improper communication program restriction system and program
US20210329459A1 (en) System and method for rogue device detection
WO2003063449A1 (en) System and method for monitoring network security
KR100470918B1 (en) Elusion prevention system and method for firewall censorship on the network
KR100439174B1 (en) Method for managing alert database and policy propagation in ladon-security gateway system
US20240007440A1 (en) Persistent IP address allocation for virtual private network (VPN) clients

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC DATED 21-10-2004

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP