Attack signature generation

Inactive Publication Date: 2007-04-26
IBM CORP
2 Cites, 65 Cited by

AI Technical Summary

Benefits of technology

[0007] In accordance with the present invention, there is now provided a method for generating from requests on a first data network attack signatures for use in a second data network, the method comprising a reception step for receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; an inspection step for inspecting several incidents of the data traffic that has been received in the previous step, for a common data pattern; and, upon finding the data pattern, a determination step for determining from the corresponding data traffic the attack signature for use in detecting attacks on the second data network. This attack signature generation method makes use of the idea that network traffic directed against an unassigned address is a priori suspicious, and has a higher likelihood of being an actual attack. This higher likelihood is exploited to generate one or more attack signatures that are supposed to lead to a more precise detection of attacks.
[0011] If the incidents of data traffic are selected only from those of the sources replying to the spoofed answer and those sources that have not been subjected to the answer step, a reduction of the data used for generating an attack signature is achievable. This reduction is useful since it is deemed to concentrate the data on those incidents that have a higher likelihood of being real attacks and not innocent incidents of data traffic that at first sight look like attacks, also referred to as false positives. The selection is a way of reducing the number of false positives in the signature generation method.
[0030] It is particularly advantageous to provide the signature generation, forwarding of a signature and the attack identification for several entities, and to use technical data derived from the execution of the method for one of the entities for the execution of the same method for another of the entities. A significant saving in resources can be expected if the signature is generated not only for use by a specific entity, such as the owner of the second network, but for a multitude of entities, especially if the networks of those entities are connected to the same or a substantially identical portion of the first, second, or third data network. The signature generation method can in a preferred embodiment comprise a selection step that selects the entities according to a selection criterion preferably derived from a degree of similarity in utility of the generated signature. The more similar the infrastructural components of several entities with respect to attackability are, the more likely it is that those entities are prone to the same type of attack and the more similar are the needs to receive the same type of attack signature.
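
The reception, selection and inspection steps of paragraphs [0007] and [0011] can be sketched as follows. This is an added example, not code from the patent or from IBM. It assumes that the "common data pattern" is the longest byte string shared by all selected payloads, and the addresses, field names, `min_len` threshold and sample traffic are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing (documentation ranges), not taken from the patent.
MONITORED_NET = ipaddress.ip_network("198.51.100.0/24")
ASSIGNED = {ipaddress.ip_address("198.51.100.10")}  # addresses in real use

class Incident(NamedTuple):
    src: str
    dst: str
    payload: bytes
    replied: Optional[bool] = None  # None: answer step never applied to this source

def to_unassigned(inc):
    # Reception step: only traffic sent to an unassigned address is considered.
    dst = ipaddress.ip_address(inc.dst)
    return dst in MONITORED_NET and dst not in ASSIGNED

def select(incidents):
    # [0011]: keep sources that replied to the spoofed answer or were never tested.
    return [i for i in incidents if to_unassigned(i) and i.replied is not False]

def common_pattern(payloads, min_len=8):
    # Assumed pattern definition: longest byte string present in every payload.
    if len(payloads) < 2:
        return None  # several incidents are required
    shortest = min(payloads, key=len)
    for size in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - size + 1):
            cand = shortest[start:start + size]
            if all(cand in p for p in payloads):
                return cand
    return None

def generate_signature(incidents, min_len=8):
    return common_pattern([i.payload for i in select(incidents)], min_len)

def matches(signature, payload):
    # Detection on the second network: flag payloads containing the signature.
    return signature is not None and signature in payload

# Constructed sample traffic; the marker string is a harmless placeholder.
TRAFFIC = [
    Incident("203.0.113.5", "198.51.100.77", b"GET /index?id=17&tok=ZZ-constructed-marker-01 HTTP/1.0", True),
    Incident("203.0.113.9", "198.51.100.200", b"POST /form tok=ZZ-constructed-marker-01&n=4"),
    Incident("203.0.113.44", "198.51.100.31", b"random backscatter bytes", False),
    Incident("203.0.113.5", "198.51.100.10", b"GET /index.html HTTP/1.0"),
]
```

Without the [0011] selection, the incident whose source never replied to the spoofed answer would share no pattern with the others and no signature would be produced from this sample.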

Problems solved by technology

This attack signature generation method makes use of the idea that network traffic directed against an unassigned address is a priori suspicious, and does provide a higher likelihood of being an actual attack.

Embodiment Construction

[0041] Referring first to FIG. 1, a data processing system comprises a CPU 10, an I/O subsystem 20, and a memory subsystem 40, all interconnected by a bus subsystem 30. The memory subsystem 40 may comprise random access memory (RAM), read only memory (ROM), and one or more data storage devices such as hard disk drives, optical disk drives, and the like. The I/O subsystem 20 may comprise: a display; a printer; a keyboard; a pointing device such as a mouse, tracker ball, or the like; and one or more network connections permitting communication between the data processing system and one or more similar systems and/or peripheral devices via a data network. The combination of such systems and devices interconnected by such a network may itself form a distributed data processing system. Such distributed systems may be themselves interconnected by additional data networks.

[0042] In the memory subsystem 40 is stored data 60 and computer program code 50 executable by the CPU 10. The program...

Abstract

The present invention provides a method for generating from requests from a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems, the method comprising receiving data traffic from the first data network addressed to a number of unassigned addresses in a third data network; inspecting several incidents of the received data traffic for a common data pattern; and, upon finding said data pattern, determining from the corresponding data traffic the attack signature for use in detecting attacks for the second data network. The invention also provides an apparatus for generating from requests on a first data network attack signatures for use in a second data network having a plurality of addresses assigned to data processing systems. The present invention further extends to a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data network as hereinbefore described. The present invention further extends to a method of supporting an entity in the handling of a detected attack.

Description

TECHNICAL FIELD

[0001] The present invention generally relates to the generation of attack signatures for the use in detecting network attacks and particularly relates to methods, apparatus, and computer program elements for generating attack signatures on a data network.

BACKGROUND OF THE INVENTION

[0002] The Internet is a wide area data network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communication between a range of remotely situated data processing systems. Such data processing systems each typically comprise a central processing unit (CPU), a memory subsystem, and input/output (I/O) subsystem, and computer program code stored in the memory subsystem for execution by the CPU. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by clients via the Internet are ...

Application Information

IPC(8): G06F12/14, H04L12/14, H04L29/06, H04L29/12
CPC: H04L12/14, H04L29/12009, H04L61/00, H04L63/1491, H04L63/1425, H04L63/1458, H04L63/1416, G06F15/00, G06F15/16
Inventor: JULISCH, KLAUS; RIORDAN, JAMES F.
Owner: IBM CORP