Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-05-03
2004-08-03
Decady, Albert (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C709S224000
Reexamination Certificate
active
06772349
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to a method and apparatus for detection of an attack such as a pre-attack on a computer network by an unauthorized user.
Security is important to the manager of a modern computer network, be it a LAN (Local Area Network) or a WAN (Wide Area Network). Networks are usually attached to the Internet. Therefore, there is a constant risk that some malicious person from outside of a network may attempt to obtain access to the network and use this access to disrupt normal network activity or gain access to private information.
Many network managers use ‘firewalls’ (a device which filters traffic entering and leaving a computer network to protect it from malicious users) to protect their network from people outside the network. However, firewalls are not suitable for all types of networks, since they may restrict the ability of legitimate users to use the network, and even where they are used it is useful to have an additional level of security. We will describe a technique for detecting when someone from outside a network is attempting to access the network in an unauthorized way. The technique does not require a firewall in order to operate, and thus can be used as a complement to existing firewalls. For users who do not use firewalls, the method described offers a way to try to detect unauthorized or malicious accesses to the network.
All devices on a network are identified by an ‘address’ (eg an IP address). When a device wants to send data to another device, it typically marks the data with the destination address of the device it wants to communicate with and then puts this data onto the network, where it is forwarded to the correct device based on the destination address.
When a malicious person wishes to attack a network, it is usual for them to carry out what is referred to as a “pre-attack” on the network, that is to try to identify addresses which identify actual devices within the network. It would be useful to be able to deal with this problem.
Thus the arrangement of the invention allows the network to identify such a pre-attack.
SUMMARY OF THE INVENTION
The present invention provides a computer program on a computer readable medium or embodied in a carrier wave, for detecting a potential attack on a computer network, comprising the following steps:
(a) from network traffic data which includes source and destination addresses of traffic on the network, make a list E of all the source addresses in the data which are not allocated to the network and which are not in a list X;
(b) choose a first address in list E;
(c) count the number of data entries which include A and B, that is entries which represent network traffic passing between the source address A chosen from list E and a destination address B allocated to the network;
(d) if the number of such data entries is more than T, output address A, thereby identifying address A as a potential source of attack;
(e) determine if there are any entries in list E left to process;
(f) if yes, move on to the next address in list E and repeat steps (c) to (e);
(g) if no, stop.
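The following Python program is an added illustration of steps (a) to (g) above; it is not code from the patent or from 3Com. The protected network range, the exempt list X, the threshold T and the traffic records are all constructed sample values chosen to exercise each branch of the procedure: one external source contacting several internal destinations (flagged), one external source on list X (ignored), internal-to-internal and outbound traffic (not counted), and one external source below the threshold.

```python
from ipaddress import ip_address, ip_network

# Constructed sample network traffic data: (source address, destination address).
# Each tuple stands for one observed packet or flow record. Not taken from the patent.
SAMPLE_TRAFFIC = [
    ("203.0.113.7", "192.168.1.1"),     # external host probing several internal addresses
    ("203.0.113.7", "192.168.1.2"),
    ("203.0.113.7", "192.168.1.3"),
    ("203.0.113.7", "192.168.1.4"),
    ("198.51.100.9", "192.168.1.10"),   # external host that is on list X (exempt)
    ("198.51.100.9", "192.168.1.11"),
    ("198.51.100.9", "192.168.1.12"),
    ("198.51.100.9", "192.168.1.13"),
    ("192.168.1.5", "192.168.1.6"),     # internal traffic: source is allocated to the network
    ("203.0.113.200", "192.168.1.20"),  # single contact, stays below threshold T
    ("192.168.1.7", "203.0.113.7"),     # outbound: destination is not allocated to the network
]

# Assumed parameters (hypothetical values for this example).
NETWORK = ip_network("192.168.1.0/24")  # addresses allocated to the protected network
LIST_X = {"198.51.100.9"}               # list X: external addresses exempt from the check
THRESHOLD_T = 3                          # T: more than this many entries flags a source


def is_allocated(addr, network=NETWORK):
    """True if addr belongs to the address range allocated to the network."""
    return ip_address(addr) in network


def build_list_e(traffic, network=NETWORK, list_x=LIST_X):
    """Step (a): source addresses not allocated to the network and not in list X."""
    return sorted({src for src, _ in traffic
                   if not is_allocated(src, network) and src not in list_x})


def count_inbound(traffic, a, network=NETWORK):
    """Step (c): entries with source address A and a destination B allocated to the network."""
    return sum(1 for src, dst in traffic if src == a and is_allocated(dst, network))


def detect_pre_attack(traffic, network=NETWORK, list_x=LIST_X, t=THRESHOLD_T):
    """Steps (b) to (g): walk list E and output every address A whose count exceeds T."""
    flagged = []
    for a in build_list_e(traffic, network, list_x):   # (b), (e), (f): iterate over E
        if count_inbound(traffic, a, network) > t:     # (d): compare against T
            flagged.append(a)                          # output A as potential attack source
    return flagged                                     # (g): stop when E is exhausted


if __name__ == "__main__":
    print("list E:", build_list_e(SAMPLE_TRAFFIC))
    for a in build_list_e(SAMPLE_TRAFFIC):
        print(a, "->", count_inbound(SAMPLE_TRAFFIC, a), "inbound entries")
    print("flagged:", detect_pre_attack(SAMPLE_TRAFFIC))
```

Note that the count in step (c) is over data entries, so a single external host repeatedly contacting one internal address is treated the same as a host touching many distinct addresses; tuning T against normal traffic volumes for the network, and keeping list X limited to known partner hosts, decides how noisy the output is.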
The present invention also provides a method for detecting a potential attack on a computer network, the method comprising the steps of the computer program outlined.
Brown Ronald
Martin Hamish D S
Pearce Mark A
3Com Corporation
De'cady Albert
Michaelson Peter L.
Michaelson & Associates
Skafar Janet M.