US2015033336A1PendingUtilityA1

Logging attack context data

52
Assignee: FORTINET INCPriority: Jul 24, 2013Filed: Jul 24, 2013Published: Jan 29, 2015
Est. expiryJul 24, 2033(~7 yrs left)· nominal 20-yr term from priority
H04L 63/1425H04L 63/20H04L 63/0245H04L 63/1416H04L 63/145H04L 63/0254H04L 63/14
52
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems are provided for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets before and optionally after detection of a packet associated with an attack. This additional context facilitates understanding of the attack and can help in connection with improving the implementation of signatures that are used to detect attacks and reducing false positives. In one aspect, the system is configured to assess multiple packets across one or more sessions and temporarily store each packet in a buffer having a configurable size such that once an attack is detected, a log can be generated based at least in part on packets present in the buffer. Then, the log can be analyzed so as to understand the context of the attack.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A network appliance system comprising:
 one or more processors;   a communication interface device;   one or more internal data storage devices operatively coupled to the one or more processors and storing:   a configuration module to allow configuration of a quantify of packets to be logged prior to a network attack;   a logging module configured to receive information regarding a plurality of packets and generate a log to facilitate analysis of context of the network attack;   a buffer module configured to define a buffer based on the quantity and receive and temporarily store within the buffer packets provided thereto; and   an intrusion prevention module configured to scan a plurality of received packets and copy a subset of the plurality of received packets to the buffer module and when a packet of the plurality of received packets triggers detection of the network attack by the intrusion prevention module, the intrusion prevention module causes the subset of the plurality of received packets and the packet to be sent to the logging module.   
     
     
         2 . The system of  claim 1 , wherein said configuration module is further configured to allow configuration of a quantity of packets to be logged after the detection of the network attack. 
     
     
         3 . The system of  claim 1 , wherein said configuration module is operatively coupled to a first database that comprises one or more signatures for network attack detection. 
     
     
         4 . The system of  claim 1 , wherein said configuration module is operatively coupled to a second database that comprises information relating to one or more network anomalies. 
     
     
         5 . The system of  claim 1 , wherein the logging module is further configured to send the log to a logging system, wherein the logging system analyzes the log to determine the context of the network attack. 
     
     
         6 . The system of  claim 5 , wherein an attack signature is designed based on the context of the network attack. 
     
     
         7 . The system of  claim 1 , wherein the plurality of received packets are associated with a plurality of sessions. 
     
     
         8 . The system of  claim 1 , wherein the quantity represents a number of packets or defines the number of packets with reference to a time frame. 
     
     
         9 . The system of  claim 1 , wherein the buffer comprises a circular buffer. 
     
     
         10 . A method comprising:
 configuring a network device operable within a network to log a quantity of packets prior to detection by the network device of an attack;   for each of a plurality of packets received by the network device:
 storing a copy of the packet within a buffer associated with the network device; 
 applying, by the network device, one or more attack detection algorithms to the packet; 
 based on results of the one or more attack detection algorithms, determining, by the network device, whether the packet is part of an attack on the network or the network device; 
 when the determining is affirmative, generating, by the network device, based on contents of the buffer, a log comprising a subset of the plurality of packets received by the network device prior to the affirmative determination based on the quantity. 
   
     
     
         11 . The method of  claim 11 , wherein the log further comprises the packet determined to be part of the attack. 
     
     
         12 . The method of  claim 12 , wherein the log further comprises a subset of the plurality of packets received by the network device after the affirmative determination based on the quantity. 
     
     
         13 . The method of  claim 11 , wherein the quantity represents a number of packets or defines the number of packets with reference to a time frame. 
     
     
         14 . The method of  claim 14 , further comprising defining a size of the buffer based on the quantity. 
     
     
         15 . The method of  claim 15 , wherein the buffer comprises a circular buffer. 
     
     
         16 . The method of  claim 11 , further comprising:
 sending, by the network device, the log to a logging system; and   analyzing, by the logging system, the log to discover context of the attack.   
     
     
         17 . The method of  claim 13 , further comprising deploying within the network device one or more intrusion detection signatures designed based on the context of the attack. 
     
     
         18 . The method of  claim 11 , wherein the one or more attack detection algorithms include use of one or more of (i) a set of intrusion detection signatures, (ii) a set of malware detection signatures and (iii) a set of network security policy rules. 
     
     
         19 . The method of  claim 11 , wherein the plurality of packets includes packets associated with a plurality of sessions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.