US2007094728A1PendingUtilityA1

Attack signature generation

43
Assignee: JULISCH KLAUSPriority: May 30, 2003Filed: Nov 24, 2003Published: Apr 26, 2007
Est. expiryMay 30, 2023(expired)· nominal 20-yr term from priority
H04L 61/00H04L 63/1458H04L 12/14H04L 63/1425H04L 63/1416H04L 63/1491G06F 15/00G06F 15/16
43
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The present invention provides a method for generating from requests from a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems, the method comprising receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; inspecting several incidents of the received data traffic for a common data pattern, upon finding a said data pattern, determining from the corresponding data traffic the attack signature for use in detecting attacks for the second data network. The invention also provides an apparatus for generating from requests on a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems. The present invention further extends to a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data network as hereinbefore described. The present invention further extends to a method of supporting an entity in the handling of a detected attack.

Claims

exact text as granted — not AI-modified
1 . A method for generating attack signatures from requests from a first data network, said attack signatures being usable in a second data network, the method comprising: 
 a reception step for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network;    an inspection step for inspecting several incidents of said received data traffic for a common data pattern,    a determination step for, upon finding a said common data pattern, determining from the corresponding data traffic said attack signature for use in detecting attacks for said second data network, wherein the determination step comprises counting the number of incidents with a common data substring that has a predetermined minimum length and defining as a said attack signature those data substrings whose number exceeds a predetermined number.    
     
     
         2 . A method as claimed in  claim 1 , wherein the inspection step is preceded by an answer step for spoofing an answer to a said source that sent a request contained in the received data traffic.  
     
     
         3 . A method as claimed in  claim 2 , wherein said answer step is executed selectively based on a selection criterion that is dependent on the type of protocol of said received data traffic.  
     
     
         4 . A method as claimed in  claim 2 , wherein for the inspection step the incidents of data traffic are selected only from those of the sources replying to the spoofed answer and sources that have not been subjected to the answer step.  
     
     
         5 . A method as claimed in one of  claim 1 , wherein the inspection step comprises sorting the incidents according to a connection attribute such as one of source address, source port, protocol type and destination port of the data traffic.  
     
     
         6 . A method as claimed in one of  claim 1 , further comprising sending said attack signature to an intrusion detector assigned to said second data network.  
     
     
         7 . A method as claimed in one of  claim 1 , wherein two or all of the first data network, the second data network, and the third data network are selected to be identical, partially identical, connected to each other, or of unitary construction.  
     
     
         8 . A method as claimed in one of  claim 1 , further comprising a reception step for receiving on the second data network data traffic addressed to an unassigned address therein; inspecting the received data traffic for data indicative of an attack, using therefor a said attack signature; and, on detection of data indicative of an attack, generating an alert signal.  
     
     
         9 . A method as claimed in  claim 8 , comprising, on generation of the alert signal, a rerouting step for rerouting the data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address.  
     
     
         10 . A method as claimed in  claim 8 , comprising, on generation of the alert signal, an alert step for sending an alert signal to the disinfection address, said alert signal preferably comprising data indicative of the attack detected.  
     
     
         11 . A method as claimed in  claim 8 , further comprising supporting an entity in the handling of the detected attack by one of providing instructions for use of, assistance in executing, and execution of disinfection program code.  
     
     
         12 . A method as claimed in  claim 8 , further comprising providing a report to said entity containing information related to one of alert, disinfection, rerouting, logging, discarding of data traffic in the context of a detected attack.  
     
     
         13 . A method as claimed in  claim 1 , further comprising billing said entity for the execution of at least one of the steps, the charge being billed preferably being determined in dependence of one of the size of the network, the number of unassigned addresses monitored, the number of assigned addresses monitored, the volume of data traffic inspected, the number of attacks identified, the number of alerts generated, the signature of the identified attack, the volume of rerouted data traffic, the degree of network security achieved, the turnover of said entity.  
     
     
         14 . A method as claimed in  claim 1 , further comprising providing said method for several entities and using technical data derived from the attack-handling for one of said entities for the attack-handling for another of said entities.  
     
     
         15 . A method for deploying a signature generation application to an entity, comprising 
 connecting a signature generator to a first data network for generating from requests thereon attack signatures for use in a second data network used by said entity and having a plurality of addresses assigned to data processing systems,    setting up said signature generator to generate an attack signature under use of the method claimed in  claim 1 ,    setting up said signature generator to send the generated attack signature to an intrusion detector connected to said second data network.    
     
     
         16 . A computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for generating attack signatures as claimed in  claim 1 .  
     
     
         17 . An apparatus for generating attack signatures from requests on a first data network, said attack signatures being usable in a second data network, the apparatus comprising: 
 a signature generator for receiving data traffic on the first data network addressed to a number of unassigned address in a third data network, inspecting several incidents of said data traffic received for a common data pattern, and upon finding a said data pattern, determining from the corresponding data traffic said attack signature for use in detecting attacks for said second data network, wherein the signature generator is designed to determine the attack signature by counting the number of incidents with a common data substring and defining as a said attack signature those data substrings whose number exceeds a predetermined number.    
     
     
         18 . An apparatus as claimed in  claim 17 , wherein the signature generator is designed to inspect the received data traffic by spoofing an answer to a said sources that sent a said request contained in the data traffic received.  
     
     
         19 . An apparatus as claimed in  claim 18 , wherein the signature generator is designed to select the incidents of data traffic only from those of the sources replying to the spoofed answer and those sources that have not been subjected to a said spoofed answer.  
     
     
         20 . An apparatus as claimed in  claim 17 , wherein the signature generator is designed to sort the incidents according to a connection attribute such as one of source address, source port, protocol type, and destination port of the data traffic.  
     
     
         21 . An apparatus as claimed in  claim 17 , wherein the signature generator is designed to send said attack signature to an intrusion detector assigned to said second data network.  
     
     
         22 . An apparatus as claimed in  claim 17 , further comprising an intrusion detector for receiving data traffic on the first data network addressed to a number of unassigned address in said second data network, inspecting the received data traffic for data indicative of an attack, using a said attack signature, and, on detection of data indicative of an attack, generating an alert signal.  
     
     
         23 . An apparatus as claimed in  claim 17 , further comprising a router connected to the intrusion detector for rerouting data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on said third data network.  
     
     
         24 . An apparatus as claimed in  claim 23 , further comprising a disinfection server assigned to the disinfection address, the disinfection server being equipped for sending, on receipt of the alert signal, a warning message to the address assigned to the data processing system originating the data indicative of the attack.  
     
     
         25 . A method as claimed in  claim 1 , 
 wherein the inspection step is preceded by an answer step for spoofing an answer to a said source that sent a request contained in the received data traffic;    wherein said answer step is executed selectively based on a selection criterion that is dependent on the type of protocol of said received data traffic;    wherein for the inspection step the incidents of data traffic are selected only from those of the sources replying to the spoofed answer and sources that have not been subjected to the answer step;    wherein the inspection step comprises sorting the incidents according to a connection attribute such as one of source address, source port, protocol type and destination port of the data traffic;    further comprising sending said attack signature to an intrusion detector assigned to said second data network;    wherein two or all of the first data network, the second data network, and the third data network are selected to be identical, partially identical, connected to each other, or of unitary construction;    further comprising a reception step for receiving on the second data network data traffic addressed to an unassigned address therein; inspecting the received data traffic for data indicative of an attack, using therefor a said attack signature; and, on detection of data indicative of an attack, generating an alert signal;    further comprising, on generation of the alert signal, a rerouting step for rerouting the data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address;    further comprising, on generation of the alert signal, an alert step for sending an alert signal to the disinfection address, said alert signal preferably comprising data indicative of the attack detected;    further comprising supporting an entity in the handling of the detected attack by one of providing instructions for use of, assistance in executing, and execution of disinfection program code;    further comprising providing a report to said entity containing information related to one of alert, disinfection, rerouting, logging, discarding of data traffic in the context of a detected attack;    further comprising billing said entity for the execution of at least one of the steps, the charge being billed preferably being determined in dependence of one of the size of the network, the number of unassigned addresses monitored, the number of assigned addresses monitored, the volume of data traffic inspected, the number of attacks identified, the number of alerts generated, the signature of the identified attack, the volume of rerouted data traffic, the degree of network security achieved, the turnover of said entity; and    further comprising providing said method for several entities and using technical data derived from the attack-handling for one of said entities for the attack-handling for another of said entities.    
     
     
         26 . An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing generation of attack signatures from requests from a first data network, said attack signatures being usable in a second data network, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect: 
 a reception step for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network;    an inspection step for inspecting several incidents of said received data traffic for a common data pattern,    a determination step for, upon finding a said common data pattern, determining from the corresponding data traffic said attack signature for use in detecting attacks for said second data network, wherein the determination step comprises counting the number of incidents with a common data substring that has a predetermined minimum length and defining as a said attack signature those data substrings whose number exceeds a predetermined number.    
     
     
         27 . A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing generation of attack signatures from requests from a first data network, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of  claim 17.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.