Logging attack context data
Abstract
Methods and systems are provided for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets before and optionally after detection of a packet associated with an attack. This additional context facilitates understanding of the attack and can help in connection with improving the implementation of signatures that are used to detect attacks and reducing false positives. In one aspect, the system is configured to assess multiple packets across one or more sessions and temporarily store each packet in a buffer having a configurable size such that once an attack is detected, a log can be generated based at least in part on packets present in the buffer. Then, the log can be analyzed so as to understand the context of the attack.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A network appliance system comprising:
one or more processors; a communication interface device; one or more internal data storage devices operatively coupled to the one or more processors and storing: a configuration module to allow configuration of a quantify of packets to be logged prior to a network attack; a logging module configured to receive information regarding a plurality of packets and generate a log to facilitate analysis of context of the network attack; a buffer module configured to define a buffer based on the quantity and receive and temporarily store within the buffer packets provided thereto; and an intrusion prevention module configured to scan a plurality of received packets and copy a subset of the plurality of received packets to the buffer module and when a packet of the plurality of received packets triggers detection of the network attack by the intrusion prevention module, the intrusion prevention module causes the subset of the plurality of received packets and the packet to be sent to the logging module.
2 . The system of claim 1 , wherein said configuration module is further configured to allow configuration of a quantity of packets to be logged after the detection of the network attack.
3 . The system of claim 1 , wherein said configuration module is operatively coupled to a first database that comprises one or more signatures for network attack detection.
4 . The system of claim 1 , wherein said configuration module is operatively coupled to a second database that comprises information relating to one or more network anomalies.
5 . The system of claim 1 , wherein the logging module is further configured to send the log to a logging system, wherein the logging system analyzes the log to determine the context of the network attack.
6 . The system of claim 5 , wherein an attack signature is designed based on the context of the network attack.
7 . The system of claim 1 , wherein the plurality of received packets are associated with a plurality of sessions.
8 . The system of claim 1 , wherein the quantity represents a number of packets or defines the number of packets with reference to a time frame.
9 . The system of claim 1 , wherein the buffer comprises a circular buffer.
10 . A method comprising:
configuring a network device operable within a network to log a quantity of packets prior to detection by the network device of an attack; for each of a plurality of packets received by the network device:
storing a copy of the packet within a buffer associated with the network device;
applying, by the network device, one or more attack detection algorithms to the packet;
based on results of the one or more attack detection algorithms, determining, by the network device, whether the packet is part of an attack on the network or the network device;
when the determining is affirmative, generating, by the network device, based on contents of the buffer, a log comprising a subset of the plurality of packets received by the network device prior to the affirmative determination based on the quantity.
11 . The method of claim 11 , wherein the log further comprises the packet determined to be part of the attack.
12 . The method of claim 12 , wherein the log further comprises a subset of the plurality of packets received by the network device after the affirmative determination based on the quantity.
13 . The method of claim 11 , wherein the quantity represents a number of packets or defines the number of packets with reference to a time frame.
14 . The method of claim 14 , further comprising defining a size of the buffer based on the quantity.
15 . The method of claim 15 , wherein the buffer comprises a circular buffer.
16 . The method of claim 11 , further comprising:
sending, by the network device, the log to a logging system; and analyzing, by the logging system, the log to discover context of the attack.
17 . The method of claim 13 , further comprising deploying within the network device one or more intrusion detection signatures designed based on the context of the attack.
18 . The method of claim 11 , wherein the one or more attack detection algorithms include use of one or more of (i) a set of intrusion detection signatures, (ii) a set of malware detection signatures and (iii) a set of network security policy rules.
19 . The method of claim 11 , wherein the plurality of packets includes packets associated with a plurality of sessions.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.