Nothing Special   »   [go: up one dir, main page]

WO2004109971A1 - Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau - Google Patents

Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau Download PDF

Info

Publication number
WO2004109971A1
WO2004109971A1 PCT/US2003/016817 US0316817W WO2004109971A1 WO 2004109971 A1 WO2004109971 A1 WO 2004109971A1 US 0316817 W US0316817 W US 0316817W WO 2004109971 A1 WO2004109971 A1 WO 2004109971A1
Authority
WO
WIPO (PCT)
Prior art keywords
connection
node
network security
policy data
security system
Prior art date
Application number
PCT/US2003/016817
Other languages
English (en)
Inventor
Yuliang Zheng
Lawrence Chin Shiun Teo
Gail-Joon Ahn
Original Assignee
University Of North Carolina At Charlotte
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University Of North Carolina At Charlotte filed Critical University Of North Carolina At Charlotte
Priority to PCT/US2003/016817 priority Critical patent/WO2004109971A1/fr
Priority to US10/553,306 priority patent/US20060206615A1/en
Priority to JP2005500610A priority patent/JP2006526814A/ja
Priority to EP03817157A priority patent/EP1629623A4/fr
Priority to AU2003231876A priority patent/AU2003231876A1/en
Publication of WO2004109971A1 publication Critical patent/WO2004109971A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • This invention relates to the field of information assurance and security. More specifically, it relates to the field of firewalls, intrusion detection, network security, and risk assessment.
  • firewalls In order to provide efficient and effective security, firewalls must make determinations of whether to block or allow packets based on rules. Historically, firewalls have relied upon static rules to determine whether or not to allow a packet. For example, the rules entered into a static firewall typically include a list of valid Internet protocol (IP) addresses. When the firewall receives a packet from one of these IP addresses, the firewall allows the packets to pass through. Firewalls tj ⁇ ically maintain a similar list of ports through which packets may pass. The use of static rules for filtering packets is insufficient for effectively securing a network.
  • IP Internet protocol
  • Firewall developers have tried several approaches to improve conventional firewalls.
  • some conventional firewalls include a technique called stateful inspection, see, e.g., Sofaware Technologies (http://www.sofaware.com/htail/tech_stateful.shtm) and Check
  • Stateful inspection is a technique that uses state-related information from the network and network-related applications to make control decisions, instead of examining each packet in isolation. While stateful inspection improves the filtering of potentially malicious packets, conventional firewalls implementing this technique rely on only a limited set of information sources.
  • Embodiments of the present invention provide systems and methods for dynamic and risk-aware network security.
  • a system dynamically assesses whether a connection over a communications medium is anomalous (suspicious, malicious, deviating from normal behavior, fits a certain profile or pattern, or has the potential to be any one of these) and generates an appropriate response depending on whether the connection is deemed to be normal or anomalous for a specified period of time.
  • the types of responses include, but are not limited to, blocking the source of the connection from connecting to its intended destination, altering the destination of the connection, auditing the connection, or any combination of these.
  • An embodiment of the present invention may comprise software or a pre-programmed device or it may be integrated into another software product or device.
  • a network device is capable of analyzing one or more connections at any one time; theoretically there is no maximum number of connections that the device can analyze.
  • the device examines a set of inputs and/or performs a set of actions in the environment in which the communications medium is located. Based on these inputs and results of the actions, the device determines if the connection is anomalous or not. If the connection is assessed to be anomalous, the risk measurement for thd identifier of the connection (such as the name of the source) is adjusted (increased or decreased) by a certain amount. Once the risk measurement for a connection identifier reaches or exceeds a certain specified threshold, an appropriate response is generated for all future connection that are identified by that identifier. The risk measurement can also be adjusted if the connection is determined to be normal.
  • a set of policies which may be human-defined and/or machine-generated, is used to specify the risk measurement adjustment amounts, the types of connections to examine, the appropriate responses, the inputs, the actions, the time periods, specific attributes of the communications medium, specific attributes of the environment, and other elements that are deemed necessary or beneficial to the risk assessment and dynamic response device according to the present invention
  • an embodiment of the present invention can be used for include, but are not limited to, adaptive and intelligent firewalls, intrusion detection systems, load balancing systems, network traffic control, and reputation-based systems in various environments.
  • Embodiments of the present invention provide numerous advantages over conventional network access management solutions.
  • An embodiment of the present invention utilizes a wide variety of applications, policies, and other information to make more intelligent and accurate decisions.
  • embodiments of the present invention provide a role-based approach to network management that is independent of the actual network protocols used.
  • Embodiments of the present invention use the concepts of roles, risk, and other attributes to describe and characterize the nodes in the network.
  • an embodiment of the present invention is not limited to implementation in firewalls. Further, if an embodiment is implemented as a firewall, the firewall uses more varied sources of information than do conventional firewalls and is capable of initiating active countermeasures in response to an anomalous connection.
  • Figure 1 is a block diagram, illustrating an exemplary environment for implementation of one embodiment of the present invention
  • Figure 2 is a timing diagram illustrating the flow of information in one embodiment of the present invention.
  • Figure 3 is a diagram illustrating how roles are used to assign node and service values in one embodiment of the present invention
  • Figure 4 is a diagram illustrating various attributes of the static and dynamic data stores in one embodiment of the present invention
  • Figure 5 is a flow diagram illustrating the simulation flow for the creation of graphical output in one embodiment of the present invention
  • Figure 6 is a graph plot showing traffic with a nomial profile in one embodiment of the present invention.
  • Figure 7 is a graph plot showing traffic with a suspicious profile in one embodiment of the present invention.
  • Figure 8 is a graph plot showing traffic with a highly malicious profile in one embodiment of the present invention.
  • An embodiment of the present invention provides a new mechanism that dynamically assesses whether a connection over a communications medium is anomalous (suspicious, malicious, deviating from normal behavior, fits a certain profile or pattern, or has the potential to be any one of these) and generates an appropriate response depending on whether the connection is deemed to be normal or anomalous for a specified time period. Unlike other similar mechanisms that perform such tasks, the invention uses risk as an input along with several forms of management and enforcement policies.
  • FIG. 1 is an exemplary environment for implementation of one embodiment of the present invention.
  • an organization accesses the Internet 102 through a firewall 104.
  • the firewall 104 provides basic network security as is well known to those skilled in the art.
  • the firewall 104 is in communication with an Authorization Enforcement Facility (hereinafter "AEF") 106.
  • AEF Authorization Enforcement Facility
  • the AEF 106 extracts policy information from a static policy data store 108 and a dynamic policy data store 110 in order to evaluate threats to resources in the network caused by connections.
  • a connection is an active state of communication between a source and a node on the communications medium, which is valid for a certain time period.
  • a connection can be identified using a connection identifier.
  • a common connection identifier for a connection is the source address.
  • the AEF 106 comprises program code stored on a computer-readable medium.
  • a processor in the AEF 106 executes the program code.
  • the processor may include, for example, digital logic processors capable of processing input, executing algorithms, and generating output as necessary in response to the inputs received from the touch-sensitive input device.
  • processors may include a microprocessor, an ASIC, and state machines.
  • processors include, or may be in communication with, media, for example computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform the steps described herein.
  • Embodiments of computer-readable media include, but are not limited to, an electronic, optical, magnetic, or other storage or transmission device capable of providing a processor, such as the processor in communication with a touch-sensitive input device, with computer-readable instructions.
  • suitable media include, but are not limited to, a floppy disk, CD-ROM, magnetic disk, memory chip, ROM, RAM, an ASIC, a configured processor, all optical media, all magnetic tape or other magnetic media, or any other medium from which a computer processor can read instructions.
  • various other forms of computer-readable media may transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel both wired and wireless.
  • the instructions may comprise code written in any computer- programming language, including, for example, C, C++, C#, Visual Basic, Java, and
  • the program code of an embodiment of the present invention may be implemented in a variety of applications, including, but not limited to: a hardware appliance, software on a server, software on a firewall, a smart router, a smart gateway, a smart switch, electronic circuitry on a circuit board, a mobile device, and a wireless device.
  • a source is a system, software, or device that initiates a connection using a communications medium, such as the Internet 102.
  • a node When a node is connecting to another node using a communications medium in an enclosed environment (such as a corporate LAN), the node that initiates the connection would be known as the source.
  • a node that acts the destination may also be referred to as a "destination node.”
  • a node is a system, software, or device that is the destination of a connection.
  • nodes 102a-d are computer workstations.
  • the AEF 106 analyzes connections in the network, the AEF 106 dynamically adjusts the policies stored in the dynamic policy data store 110 based on the AEF's 106 analysis of the risk level and other criteria as described herein.
  • FIG. 2 is a timing diagram, illustrating the flow of messages in an embodiment of the present invention.
  • the AEF (106) When the AEF (106) is started, it loads policy information from the static policy data store (110) 202. Subsequently, the AEF (106) receives a connection from the Internet (102) 204. In response the AEF (106) loads information from the dynamic policy data store (110) 206. Depending on the size of the data store (110), the AEF (106) may load all of the policy information or only that policy information related to the connection. If the connection is not anomalous, the AEF (106) forwards the connection the node to which it was directed (112a) 208.
  • the node (112a) may provide feedback to the AEF(106) 210.
  • the connection may contain a virus, such as a worm.
  • the AEF (106) updates the policy information in the dynamic policy data store (110) 212.
  • the AEF (106) then reloads the updated policy information from the dynamic policy data store (110) 214.
  • FIG 3 is a diagram illustrating how roles are used to assign node and service values in one embodiment of the present invention.
  • a role is a structure that can be used to identify a node, and provide the node with its name, node. value, available services for the node, and the service values for these said services.
  • Figure 3 shows an example of a role 302 for a web server, which would be applicable if the invention is used in a computer network environment.
  • the role 302 includes various attributes 304.
  • the attributes 304 include the name, 'web,' and the node value, 6.
  • a node value specifies how valuable a node is in a quantitative manner. Depending on the policies and/or constraints in the environment in which an embodiment of the invention is used, the node value can either be finite or infinite.
  • the role 302 also has at least one service 306 associated with it.
  • the service also includes attributes 308.
  • One of the attributes 308 is the service value.
  • a service value specifies how valuable a service is in a quantitative manner. Depending on the policies and/or constraints in the environment in which the embodiment of the invention is used, the service value can either be finite or infinite.
  • FIG 4 is a diagram illustrating various attributes of the static and dynamic data stores in one embodiment of the present invention.
  • the overall policy 402 of the AEF (106) comprises static policy 404 and dynamic policy 406.
  • Static policy 404 comprises various attributes 408, including constraints, roles, node-role assignments, a threshold table, services, and actions. These attributes 408 may comprise tables in a database, mles programmed into business objects, or other methods for storing and enforcing rules in a software application.
  • Static policy 404 may comprise additional attributes as well.
  • dynamic policy 406 comprises a single attribute, a threat level table 410. This is merely exemplary. Both the static policy 404 and dynamic policy may include subsets or supersets of the attributes shown in Figure 4.
  • One attribute 408 of the static policy 404 is an action.
  • An action has two purposes: the first is to adjust the threat level of a source, and the second is to act as a countermeasure that is triggered as a result of an event. Countermeasures can be either active or passive.
  • a threat level is a quantitative measure that specifies how anomalous a source or any other comiection identifier is. The higher the threat level, the more suspicious the comiection identifier is. The threat level can also be thought of as the risk associated with the source. Whether or not a connection is allowed to pass through the AEF (106) is a function of the threat level of the node/service and of the threshold. A threshold is a quantitative measure specifies how tolerant a node is to anomalous behavior.
  • FIG. 5 is a flow diagram illustrating the simulation flow resulting in the creation of graphical output in one embodiment of the present invention.
  • the flow diagram of Figure 5 provides one example of a method of testing the effectiveness of the AEF (106) according to the present invention.
  • traffic profiles are stored in a traffic profile data store 502. These profiles represent various types of anomalous and non-anomalous (normal) connections that may be attempted.
  • a traffic generator 504 accesses the traffic profile data store 502 in order to generate a series of connections to the AEF 106.
  • Threat levels increase as a result of events, which trigger actions.
  • actions might adjust threat levels.
  • the following statement can be specified in an action to enable the action to increase the threat level for a source by a 1.5:
  • the two types of policies are used to support the analysis.
  • the static policy provides rules to the mechanism so that it can perform its decision making.
  • the dynamic policy is updated by the mechanism in real-time to keep track of the threat levels of all the sources.
  • the AEF 106 provides event logs to an event analyzer 506.
  • the event analyzer 506 processes these logs and generates a graph of the results 508'.
  • Figures 6, 7, and 8 are examples of the graphs produced by one embodiment of the present invention.
  • Figure 6 is a graph plot showing traffic with a normal profile in one embodiment of the present invention.
  • Figure 7 is a graph plot showing traffic with a suspicious profile in one embodiment of the present invention.
  • Figure 8 is a graph plot showing traffic with a highly malicious profile in one embodiment of the present invention.
  • the AEF 106 may respond to threats in a number of ways.
  • the types of responses may include, but are not limited to: blocking the source of the connection from connecting to its intended destination (authorization enforcement), altering the destination of the connection, auditing the connection, or any combination of these.
  • the AEF 106 may use a variety of methods to adjust the threat level for a certain node, including, for example, the following:
  • IDS IMS signatures. If there are matches, this may be a malicious attack happening. Increase the threat level and if it gets worse, block it;
  • An embodiment of the present invention encompasses an efficient management scheme of nodes using concepts from role-based access control (RBAC) in a context that is specific to this mechanism (Role information - ability to specify values to different nodes). So nodes that are more valuable can have higher values. Also, on embodiment includes an independent and generic interface to carry out countermeasures. Since the interface to apply countermeasures is generic, the mechanism can potentially use input from all layers of the OSI model.
  • RBAC role-based access control
  • Embodiments of the present invention AEF can reduce the propagation rate for new Internet worms and email viruses within an organization, and ultimately stop the propagation entirely.
  • the AEF may also frustrate and deter persistent attackers who are trying to compromise systems from remote locations.
  • the AEF can provide monitoring and deter persistent insiders who are trying to misuse or abuse the systems in the organization.
  • Node A node is a system, software, or device that is the destination of a connection.
  • Source A source is a system, software, or device that initiates a connection using a communications medium. When a node is connecting to another node using a communications medium in an enclosed environment (such as a corporate LAN), the node that initiates the connection would be known as the source. Whenever there is ambiguity, a node that acts the destination may also be referred to as a "destination node.”
  • a service is a function, facility, or capability that is offered by a node.
  • Node Value A node value specifies how valuable a node is in a quantitative manner. Depending on the policies and/or constraints in the environment that the invention is used, the node value can either be finite or infinite.
  • Service Value specifies how valuable a service is in a quantitative manner. Depending on the policies and/or constraints in the environment that the invention is used, the service value can either be finite or infinite.
  • Connection A connection is an active state of communication between a source and a node on the communications medium, which is valid for a certain time period.
  • a connection can be identified using a connection identifier.
  • a common connection identifier for a connection is the source address.
  • Role A role is a structure that can be used to identify a node, and provide the node with its name, node value, available services for the said node, and the service values for these said services.
  • An action has two purposes: the first is to adjust the threat level of a source, and the second is to act as a countermeasure that is triggered as a result of an event.
  • Countemieasures can be either active or passive. Active countemieasures enable the destination node to send either asynchronous messages or queries, which solicit a response from the source. Passive countemieasures rely on methods, which do not send any messages to the source whatsoever (the source would not know that a countermeasure has taken place).
  • Threat Level A threat level is a quantitative measure that specifies how anomalous a source or any other connection identifier is. The higher the threat level, the more suspicious the connection identifier is. The threat level can also be thought of as the risk associated with the source.
  • Threshold A threshold is a quantitative measure specifies how tolerant a node is to anomalous behavior.
  • a threshold is assigned to a node based on its node value. The higher the node value, the lower its threshold, which in turn means that the said node exhibits less tolerance to anomalous behavior.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention concerne des systèmes et des procédés de sécurité dynamique et tenant compte du risque d'un réseau. Selon une forme d'exécution, un système évalue dynamiquement si une connexion dans un support de communication (102) présente une anomalie (écart suspect, malveillant, par rapport au comportement normal, adopte un certain profil ou modèle, ou est susceptible de présenter l'une des ces anomalies) et génère une réponse appropriée selon que la connexion est jugée normale ou anormale pour une période de temps spécifiée. Les types de réponse comprennent, toutefois sans limitation : le blocage de la source, la supprimant de sa connexion vers sa destination voulue, la modification de la destination de la connexion, la vérification de la connexion, ou une combinaison de ces moyens.
PCT/US2003/016817 2003-05-30 2003-05-30 Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau WO2004109971A1 (fr)

Priority Applications (5)

Application Number Priority Date Filing Date Title
PCT/US2003/016817 WO2004109971A1 (fr) 2003-05-30 2003-05-30 Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau
US10/553,306 US20060206615A1 (en) 2003-05-30 2003-05-30 Systems and methods for dynamic and risk-aware network security
JP2005500610A JP2006526814A (ja) 2003-05-30 2003-05-30 動的かつリスク認識型ネットワークセキュリティのためのシステムおよび方法
EP03817157A EP1629623A4 (fr) 2003-05-30 2003-05-30 Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau
AU2003231876A AU2003231876A1 (en) 2003-05-30 2003-05-30 Systems and methods for dynamic and risk-aware network security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2003/016817 WO2004109971A1 (fr) 2003-05-30 2003-05-30 Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau

Publications (1)

Publication Number Publication Date
WO2004109971A1 true WO2004109971A1 (fr) 2004-12-16

Family

ID=33509882

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/016817 WO2004109971A1 (fr) 2003-05-30 2003-05-30 Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau

Country Status (4)

Country Link
EP (1) EP1629623A4 (fr)
JP (1) JP2006526814A (fr)
AU (1) AU2003231876A1 (fr)
WO (1) WO2004109971A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7937353B2 (en) 2007-01-15 2011-05-03 International Business Machines Corporation Method and system for determining whether to alter a firewall configuration
US8042150B2 (en) 2008-12-08 2011-10-18 Motorola Mobility, Inc. Automatic generation of policies and roles for role based access control
CN106716953A (zh) * 2014-09-10 2017-05-24 霍尼韦尔国际公司 控制系统中的网络安全风险的动态量化
CN118555147A (zh) * 2024-07-30 2024-08-27 湖南博盛芯微电子科技有限公司 一种防护方法、防火墙系统及设备

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007279906A (ja) * 2006-04-04 2007-10-25 Mitsubishi Electric Corp ネットワークアクセス管理システム

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5278901A (en) * 1992-04-30 1994-01-11 International Business Machines Corporation Pattern-oriented intrusion-detection system and method
US5621889A (en) * 1993-06-09 1997-04-15 Alcatel Alsthom Compagnie Generale D'electricite Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility
US5720035A (en) * 1994-11-21 1998-02-17 France Telecom System for control of access to computer machines which are connected in a private network
US6275942B1 (en) * 1998-05-20 2001-08-14 Network Associates, Inc. System, method and computer program product for automatic response to computer system misuse using active response modules
US6321338B1 (en) * 1998-11-09 2001-11-20 Sri International Network surveillance

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6219706B1 (en) * 1998-10-16 2001-04-17 Cisco Technology, Inc. Access control for networks
ATE350829T1 (de) * 1999-06-10 2007-01-15 Alcatel Internetworking Inc System und verfahren zur einheitlichen regelverwaltung mit integriertem regelumsetzer

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5278901A (en) * 1992-04-30 1994-01-11 International Business Machines Corporation Pattern-oriented intrusion-detection system and method
US5621889A (en) * 1993-06-09 1997-04-15 Alcatel Alsthom Compagnie Generale D'electricite Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility
US5720035A (en) * 1994-11-21 1998-02-17 France Telecom System for control of access to computer machines which are connected in a private network
US6275942B1 (en) * 1998-05-20 2001-08-14 Network Associates, Inc. System, method and computer program product for automatic response to computer system misuse using active response modules
US6321338B1 (en) * 1998-11-09 2001-11-20 Sri International Network surveillance

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1629623A4 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7937353B2 (en) 2007-01-15 2011-05-03 International Business Machines Corporation Method and system for determining whether to alter a firewall configuration
US8042150B2 (en) 2008-12-08 2011-10-18 Motorola Mobility, Inc. Automatic generation of policies and roles for role based access control
CN106716953A (zh) * 2014-09-10 2017-05-24 霍尼韦尔国际公司 控制系统中的网络安全风险的动态量化
CN106716953B (zh) * 2014-09-10 2020-06-12 霍尼韦尔国际公司 控制系统中的网络安全风险的动态量化
CN118555147A (zh) * 2024-07-30 2024-08-27 湖南博盛芯微电子科技有限公司 一种防护方法、防火墙系统及设备

Also Published As

Publication number Publication date
JP2006526814A (ja) 2006-11-24
EP1629623A4 (fr) 2010-12-08
AU2003231876A1 (en) 2005-01-04
EP1629623A1 (fr) 2006-03-01

Similar Documents

Publication Publication Date Title
US11824875B2 (en) Efficient threat context-aware packet filtering for network protection
US20060206615A1 (en) Systems and methods for dynamic and risk-aware network security
Schnackengerg et al. Cooperative intrusion traceback and response architecture (CITRA)
US10542006B2 (en) Network security based on redirection of questionable network access
US10326777B2 (en) Integrated data traffic monitoring system
JP6006788B2 (ja) ドメイン名をフィルタリングするためのdns通信の使用
US6738814B1 (en) Method for blocking denial of service and address spoofing attacks on a private network
US8230505B1 (en) Method for cooperative intrusion prevention through collaborative inference
US6487666B1 (en) Intrusion detection signature analysis using regular expressions and logical operators
US7774832B2 (en) Systems and methods for implementing protocol enforcement rules
US20060026682A1 (en) System and method of characterizing and managing electronic traffic
US20080196099A1 (en) Systems and methods for detecting and blocking malicious content in instant messages
US12003537B2 (en) Mitigating phishing attempts
Mukkamala et al. A survey on the different firewall technologies
Jeyanthi Internet of things (IoT) as interconnection of threats (IoT)
Khosravifar et al. An experience improving intrusion detection systems false alarm ratio by using honeypot
Trabelsi et al. Preventing ARP attacks using a fuzzy-based stateful ARP cache
WO2004109971A1 (fr) Systemes et procedes de securite dynamique et tenant compte du risque d'un reseau
Bojjagani et al. Early DDoS Detection and Prevention with Traced-Back Blocking in SDN Environment.
EP4080822B1 (fr) Procédés et systèmes de filtrage de paquets efficace sensible au contexte de menace pour la protection de réseau
RU2704741C2 (ru) СПОСОБ ЗАЩИТЫ ОТ DDoS-АТАК НА ОСНОВЕ КЛАССИФИКАЦИИ ТРАФИКА
WO2022225951A1 (fr) Procédés et systèmes pour filtrage efficace de paquets sensibles au contexte de menace pour la protection de réseau
Vanikalyani et al. Cross-domain search for policy anomalies in firewall
Sulaman An Analysis and Comparison of The Security Features of Firewalls and IDSs
ADEYEMO COMPARATIVE ANALYSIS OF VARIOUS DENIALS OF SERVICE (DoS) ATTACK MITIGATION TECHNIQUES

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 10553306

Country of ref document: US

WWE Wipo information: entry into national phase

Ref document number: 2005500610

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 2003817157

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2003817157

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 10553306

Country of ref document: US