35 results about "Attack response" patented technology

A system and method for detecting and identifying intruders in a computer network environment by providing a network traffic evaluation and simulation module at the interface between a protected network and external traffic source. The evaluation and simulation module identifies suspected intruders by observing intrusion pattern behavior and then presents a simulated network to the intruder. The simulated network appears to offer the intruder valuable information and provides the intruder with the appearance of success in breaking down the layers of the simulated network to keep the intruder engaged in the intrusion effort while information is gathered to trace and identify the source of the intrusion. Intrusion attempts are identified and categorized in an intrusion analysis module. The network traffic evaluation and simulated network may be provided as a self contained physical module that does not require modification of existing network software.

A system for computer system security using file system access pattern heuristics is provided. The system includes access patterns to establish nominal read and write frequencies to a file system using heuristics, dynamic policies, and a policy manager. The policy manager monitors accesses to the file system to determine read and write access frequencies to the file system. The policy manager also compares the read and write access frequencies to the access patterns, and determines whether the read and write access frequencies exceed the access patterns per the dynamic policies. The policy manager further identifies an attack on the file system in response to exceeding the dynamic policies, where the identified attack is associated with a communication path to the file system. The policy manager additionally modifies an aspect of access via the communication path in accordance with the attack response in the dynamic policies to mitigate the attack.

The invention discloses a DDoS attack distributed detection and response system and method based on information entropy. The system comprises a controller, the controller is connected with a plurality of exchangers, each exchanger is connected with a plurality of host computers, each exchanger is also connected with the other exchangers, and the controller is used for managing network topology, developing data forwarding strategies, and sending down the strategies to the exchangers; the exchangers are used for data forwarding; the exchangers comprise boundary exchangers and/or non-boundary exchangers; an attack detection algorithm and an attack response algorithm are operated by the boundary exchangers to achieve the attack detection and the attack response; the host computers are computers of users and each host computer corresponds to a certain IP address, and data of the host computers are forwarded by the boundary exchangers. The DDoS attack distributed detection and response system and method based on the information entropy has the advantages of being fast in detection speed, high in detection precision rate, rapid in attack response, and small in resource burden.

The invention discloses a high-coverage intranet honeypot system. The honeypot system comprises an agent node comprising an attack drainage module; a first network card, a second network card and a proxy forwarding module, the attack drainage module is used for passing ARP spoofing; guiding a local area network access request of which a destination address is an idle IP address in a network segment where the local area network is located to the agent node, the IP address of the first network card and the IP address of the honeypot are in the same network segment; the first network card is usedfor communicating with a honeypot node; the IP address of the second network card and the IP address of the protected device in the local area network are in the same network segment. The second network card is used for communicating with equipment in the local area network, and the agent forwarding module is used for sending the local area network access request guided to the agent node to the honeypot node and sending attack response information returned by the honeypot node to an initiator IP address of the local area network access request. Through the technical scheme provided by the invention, the IP address coverage rate of the honeypot in the honeypot system is improved while the IP address occupation of the honeypot is reduced.

The invention relates to an indirect distributed denial of service attack defense method and an indirect distributed denial of service attack defense system based on a Web agency. A behavior characteristic of a proxy-to-server network flow is described by extracting the space-time local property of the proxy-to-server network flow; the interference of a small-probability large value on an available signal is restrained by a nonlinear mapping function; a normal behavior model of the proxy-to-server network is constructed through a hidden semi-markov model (HsMM); normal degree estimation, namely long-time behavior estimation and short-time behavior estimation, under different time scales is performed by using behavior indexes acquired by the model; as to an abnormal behavior sequence (HTTP request sequence), an attack response is implemented by adopting a soft control method; and the basis of the soft control represents an HsMM model parameter and a structure index which are used for performing a normal behavior. The parameter for describing the proxy-to-server network is the space-time local property which is irrelevant to the change of the Web content on a target server; and the detection property of the method is the nature property based on the agent network flow and irrelevant to the size of the attack flow. By the method, the attack response can be realized before the resources of the target server are used by the attack flow, so that early detection can be realized effectively.

In one example aspect, a computerized method of automatically detecting and blocking at least one attack on an application includes the step of modifying instructions of the application to include at least one sensor. The at least one sensor generates a set of events related to detecting an attack on the application or a computing system implementing the application. The method includes the step of reviewing, from within the application, the set of events generated by the at least one sensor. The method includes the step of detecting a presence of at least one attack on the application based on the review of the set of events. The method includes the step of invoking an attack response action.

The invention discloses a network attack result detection method and system. The network attack result detection method comprises the following steps: extracting to-be-contrasted features from networkdata of a target host; contrasting the to-be-contrasted features with more than one attack response rules, wherein the attack response rules are formed according to the first response data, and the first response data is used for responding to a successful attack request by the attacked host; and if the to-be-contrasted features are matched with the attack response rules, judging that the targethost suffers from successful network attack. Through the network attack result detection method and system disclosed by the invention, the successful network attack can be precisely identified, thereby providing effective network attack information for the network administrator.

The invention discloses a network attack identification method and system. The network attack identification method comprises the steps of detecting whether a target host bears a network attack or not; extracting a to-be-compared feature from network data corresponding to the network attack if the target host bears the network attack; comparing the to-be-compared feature with more than one attackresponse rules, wherein the attack response rules are formed according to first response data, and the first response data is used for an attacked host to respond to a successful attack request; and judging that the network attack is successful if the to-be-compared feature matches the attack response rule. According to the network attack identification method and system provided by the invention,the successful network attack can be precisely identified, and the effective network attack information is provided for a network manager.

The invention relates to a method for responding TOCTOU attack aiming at a TPM credible computer. The components of the method comprise a virtual TPM device program and a privileged domain proxy module which both have more powerful functions. Just as the prior methods, the method of the invention adopts a method of PCR register information updating, but the methods for enabling and executing event update is different from the prior methods so that a TPM command in the following two conditions can correctly indicate the current state of a client virtual domain platform: the first TPM command condition is that a TPM command processing result is not sent out of the virtual TPM device program when the TOCTOU attack is detected, and the second TPM command condition is that the TPM command is not received by the virtual TPM device program when the TOCTOU attack is detected. While considering the security, the invention also takes the system performance into full consideration and ensures the utilization effectiveness and the expandability of system resources by adopting event drive and avoiding process scheduling of an extra user space.

The invention discloses an SQL injection vulnerability detection method and device for a REST API, and the method comprises the steps: injecting a detection vector that is easy to trigger a SQL syntaxerror into a to-be-detected API list to form a first API attack request, and then using a SQL error information regular matching expression to detect whether a first API attack response has a SQL syntax error or not; injecting two API response content comparison detection vectors according to the type of an API parameter if no SQL syntax error is detected, obtaining a second API attack response,a third API attack response and an API normal response to perform the comparison therebetween, detecting whether the relationship between the second API attack response, the third API attack responseand the API normal response meets a default SQL injection vulnerability condition and obtaining a detection result. Therefore, the detection vector that is easy to trigger the SQL syntax error and a vector for the API response content comparison detection are injected into the to-be-detected RESTful API, thereby detecting the mode of the corresponding API response, and achieving the effective detection of the SQL injection vulnerability of the RESTful API.

The invention provides an intrusion detection method and detection equipment, and the method comprises the steps: building a detection model which comprises a capture layer, a network protocol layer, a detection layer and a response layer; the capture layer is used for capturing a data packet; the network protocol layer is used for performing protocol analysis on the captured data packet to obtain an analysis result; the detection layer is used for determining whether the captured data packet is an attack event or not according to the analysis result; the response layer is used for performing attack response when the detection layer judges that the captured data packet is an attack event; and performing intrusion detection on the network data by using the detection model. Through the method, whether the data packet contains the attack event or not can be judged through protocol analysis of the data packet.

The invention discloses a DDoS attack detection method based on a network traffic application layer. The method comprises the following steps: selecting three parameters including a flow change rate,a new source IP address change rate and a source IP address request allocation rate to analyze network flow. Therefore, the DDoS attack traffic is distinguished from the FC traffic. The system is provided with a network flow analysis module, a DDoS attack detection module and an attack response module. When network flow changes suddenly, the network flow analysis module sends a warning signal to the DDoS attack detection module. The DDoS attack module is used for judging whether an FC attack or a DDoS attack occurs. When the DDoS attack is detected, the DDoS attack is detected. The attack response module is activated to filter malicious traffic and maintain uninterrupted service for a real user, the similarity between application layer DDoS attack traffic and FC traffic can be effectivelyrecognized, main characteristics of the application layer DDoS attack traffic and FC traffic are selected for distinguishing, the false alarm rate and the missing report rate are reduced, the cost islow, and application and popularization are facilitated.

An input audio signal is detected to provide a fast time constant control signal which is clamped for immediate response when the input signal drops below a threshold level and filtered to provide a modified control signal with a slow time constant. As the modified control signal level decreases toward the control signal level, a time constant differential control signal decreases and slows the rate of change of the decreasing modified control signal which, as it nears the control signal level, reverts to a slow response. The resulting control signal has an exponential release response which can be applied to an audio dynamics processor. The time constant differential control signal may also be detected to provide an inverted output when it is significantly less than the modified control signal so as to result in the control signal also having an exponential attack response to be applied to the processor.

The invention discloses an active defense DDOS system based on an SDWAN. The system comprises a cloud service platform; an SDWAN controller; an attack monitoring module is used for collecting attack data in a public network; an attack data analysis module is used for extracting attack features in the attack data; a DDOS attack defense module interacts attack characteristics through a plurality of SDWAN controllers and matches corresponding defense strategies; an attack response defense module is used for pre-formulating a defense strategy; when the attack monitoring module detects that a user is attacked, attack data is sent to an attack data analysis module for attack feature extraction, and a corresponding defense strategy is matched according to attack features in the cloud service platform through data interaction of the multiple SDWAN controllers so as to defend a previous attack event; Meanwhile, a pre-formulated defense strategy corresponding to a virtual feature approximate to the attack feature in the attack response defense module is called for active defense. According to the active defense DDOS system based on the SDWAN, the defense efficiency is relatively high when a DDOS attack event occurs.