Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography
Reexamination Certificate
2002-05-24
2003-11-25
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular node for directing data and applying cryptography
C713S189000, C713S194000, C713S152000, C713S152000
Reexamination Certificate
active
06654882
ABSTRACT:
FIELD OF THE INVENTION
The present invention is directed to intrusion detection for a computer-based system and, more particularly, to a network security system protecting a network from disclosure of information in response to maleficent message.
BACKGROUND OF THE INVENTION
Computer networks provide connectivity between and among computer resources connected to the network and, typically, remote networks and devices. A private network may support computer resources at a single location, e.g., a local area network (LAN) or at multiple locations, e.g., a wide area network (WAN.) The network infrastructure may include one or more routers for directing messages between and among computer resources connected to the network, while gateways and/or bridges connect the LAN or WAN to other, typically remote networks. Often, the connection to remote networks is provided using open or public communications network facilities such as the ubiquitous Internet.
Once a private network is connected to an open network or otherwise provides open access to the network, security of the private network becomes a paramount concern. Typically, some form of “firewall” is required, i.e., a system that restricts access between a protected network and the Internet, or between other sets of networks. The firewall may be implemented using one or more systems including, for example, a screening router, dual homes and screen-host gateway, a screened-subnet, and an application-level gateway (or proxy server.) Those skilled in the art of network security systems use these and other components and systems to restrict access to a protected network.
While certain components and systems provide some level of protection, there is increasing need for more sophisticated systems to help maintain network security. A network intrusion detection system (NIDS) provides capabilities to identify and respond to malicious or anomalous activities aimed at networked systems. Commercial products include AXENT® by Axent Technologies, Inc. (www.axent.com), Cisco® by Cisco Technology, Inc. (www.cisco.com), CyberSafe® by Cybersafe corporation (www.cybersafe.com), Safesuite® by Internet Security System, Inc. (ISS) (www.iss.net), and Shadow® (www.nswc.navy.mil/ISSEC/CID).
Further examples of network security systems are described in U.S. Pat. No. 5,414,833 of Hershey, et al. entitled “Network Security System And Method Using A Parallel Finite State Machine Adaptive Active Monitor And Responder” issued May 9, 1995; U.S. Pat. No. 5,557,742 of Smaha, et al. entitled “Method And System For Detecting Intrusion Into And Misuse Of A Data Processing System” issued Sep. 17, 1996; U.S. Pat. No. 5,720,033 of Deo entitled “Security Platform And Method Using Object Oriented Rules For Computer-Based Systems Using UNIX-Line Operating Systems” issued Feb. 17, 1998; U.S. Pat. No. 5,892,903 of Klaus entitled “Method And Apparatus For Detecting And Identifying Security Vulnerabilities In An Open Network Computer Communication System” issued Apr. 6, 1999; and U.S. Pat. No. 6,279,113 of Vaidya entitled “Dynamic Signature Inspection-Based Network Intrusion Detection” issued Aug. 21, 2001.
While these security systems inspect data packets and messages to identify attempts to gain unauthorized access to a network, processing upon detection of a network intrusion may not foil the attempt. In particular, prior art systems are divided into passive and reactive types. Passive systems monitor network traffic and generate notifications and reports that can be reviewed by security personnel. Reactive implementations perform all the functions of their passive counterparts but can also take immediate action to deny access to network resources. Most reactive NIDS systems are host based, the few network based implementations are bound to specific network hardware, specific network topologies, and work by completely filtering the offending party. Since the hosts appear unreachable to the attacker, reporting within the protected network is lost.
Accordingly, a need exists for a device and method that protects a network from externally launched attacks while tracking and reporting such events. A further need exists for a device and method of providing network security protection and reporting that is compatible with a wide range of NIDS.
SUMMARY OF THE INVENTION
The invention is a system for and method of monitoring traffic inbound to a protected network for any signs of malicious activity. Once an attack is detected, the system acts to prevent the attacker from retrieving any data from its target.
According to one aspect of the invention, a network security system includes a router connected to a protected network, the router configured to selectively route incoming messages to respective destinations on the protected network as addressed by the respective incoming messages. A network intrusion detection system (NIDS) connected to the protected network operates to detect any attack on the protected network associated with one or more of the incoming messages. A control system on the network operates to cause the router to selectively redirect a reply message associated with the one incoming message to an alternate terminus on the protected network in response to the NIDS detecting the attack (i.e., an offending message).
According to a feature of the invention, a GateD server is connected to the protected network wherein the reply message associated with the offending incoming message is initially addressed to an offending off-network IP address associated with the incoming message prior to rerouting by the router. In this case, the GateD server stores (i) the offending IP address associated with the incoming message and (ii) a static route pointing the offending LP address to the alternate terminus on the protected network.
According to another feature of the invention, the control system may further include a routing server storing a routing table. The routing server may include a GateD server.
According to another feature of the invention, the control system may be configured to execute a network routing daemon that understands a plurality of protocols including at least one or more of BGP, EGP, RIP, RIP II, OSPF, and HELLO. In this case, the NIDS may be configured to monitor the incoming messages to detect predetermined patterns of TCP/IP activity indicative of the attack on the protected network.
According to another feature of the invention, the NIDS may be configured to monitor packet headers of the incoming messages to detect probes.
According to another feature of the invention, the NIDS may be configured to monitor the incoming messages to detect one of:
(i) a network resource anomaly including activity that is different from a predetermined normal behavior; and
(ii) a network resource misuse including activity corresponding to known intrusion techniques, a known intrusion signature, and/or known system vulnerabilities.
According to another feature of the invention, the NIDS may be configured to notify the control system of detecting the attack via a (i) system log (syslog) and/or (ii) Simple Network Management Protocol (snmp) trap.
According to another feature of the invention, the NIDS may be configured to mirror ports addressable corresponding to the destinations on the protected network.
According to another feature of the invention, the router may include a routing table, the control system configured to introduce to the router a preferred route into the routing table. The preferred route is effective to selectively redirect the reply message to the alternate terminus on the protected network. The alternate terminus on the protected network may be a system configured to analyze the reply message to identify network vulnerabilities of the protected network.
According to another feature of the invention, the control system may be configured to put an Exterior Gateway Protocol (EGP) neighbor corresponding to a destination of the reply message into a down state and generate a corresponding egpNeighborLoss trap.
According to another feature of the invention, t
Evans Eric
Froutan Paul
Fulbright & Jaworski L.L.P.
Peeso Thomas R.
Rackspace, LTD
LandOfFree
Network security system protecting against disclosure of... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Network security system protecting against disclosure of..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Network security system protecting against disclosure of... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3130443