[go: up one dir, main page]

US20130219500A1 - Network intrusion detection in a network that includes a distributed virtual switch fabric - Google Patents

Network intrusion detection in a network that includes a distributed virtual switch fabric Download PDF

Info

Publication number
US20130219500A1
US20130219500A1 US13/685,784 US201213685784A US2013219500A1 US 20130219500 A1 US20130219500 A1 US 20130219500A1 US 201213685784 A US201213685784 A US 201213685784A US 2013219500 A1 US2013219500 A1 US 2013219500A1
Authority
US
United States
Prior art keywords
network
nids
switch fabric
network intrusion
system administrator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/685,784
Inventor
Joshua Lukas
Gary R. Ricard
Timothy L. Thompson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Enterprise Solutions Singapore Pte Ltd
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Priority to US13/685,784 priority Critical patent/US20130219500A1/en
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION reassignment INTERNATIONAL BUSINESS MACHINES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: THOMPSON, TIMOTHY L., LUKAS, JOSHUA, RICARD, GARY R.
Publication of US20130219500A1 publication Critical patent/US20130219500A1/en
Assigned to LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD. reassignment LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INTERNATIONAL BUSINESS MACHINES CORPORATION
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/70Virtual switches
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Definitions

  • This disclosure generally relates to networked computer systems, and more specifically relates to network intrusion detection in a network that includes a distributed virtual switch fabric.
  • Networked computer systems are the life blood of today's business world. With the explosion of information available on the Internet, and the corresponding explosion of network technology used by companies both large and small, the complexity of networked computer system continues to increase.
  • security includes making sure that unauthorized agents do not intrude on the network.
  • Network Intrusion Detection Systems have been developed that allow a system administrator to configure notification rules that correspond to certain attack signatures. When an attack that matches an attack signature is detected by the NIDS, the NIDS notifies the system administrator as specified in the corresponding notification rule. In this manner, a system administrator is made aware of the unauthorized network intrusion, and in response can take steps to counteract the network intrusion.
  • a network intrusion detection system works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems.
  • the NIDS accesses network information on a bridge of the distributed virtual switch fabric, which gives the NIDS access to hardware information for all networking devices in the network. Because the NIDS can discover the network topology by interrogating the bridge on the distributed virtual switch fabric, manual configuration of network topology within the NIDS by a system administrator is not required.
  • NIDS access to the network information via the bridge gives the NIDS the capability of not only monitoring and alerting a human system administrator, but the NIDS may also take various service actions when an intrusion is detected, without any action required of a human system administrator. These service actions may be taken immediately, dramatically increasing the security of the network by automatically neutralizing any detected intrusions immediately using an automated service action instead of merely notifying a system administrator. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
  • FIG. 1 is a block diagram of a networked computer system that includes a network intrusion detection system that receives network topology and configuration information from a distributed virtual Ethernet switch fabric;
  • FIG. 2 is a flow diagram of a method performed by the NIDS in FIG. 1 when monitoring network traffic for a network intrusion;
  • FIG. 3 is a flow diagram of a method for configuring the NIDS in FIG. 1 and for the NIDS to autonomically change its configuration when the NIDS detects a change in the network;
  • FIG. 4 is a block diagram showing possible network changes that could be handled autonomically by the NIDS in FIG. 1 ;
  • FIG. 5 is a block diagram showing possible service actions that could be performed by the NIDS in response to a detected network intrusion
  • FIG. 6 is a block diagram showing a sample prior art networked computer system
  • FIG. 7 is a block diagram showing the sample prior art networked computer system after adding two prior art NIDS;
  • FIG. 8 is a block diagram showing prior art attack signatures for network 1 and notification rules for network 1 defined in NIDS 1 in FIG. 7 ;
  • FIG. 9 is a block diagram showing prior art attack signatures for network 2 and notification rules for network 2 defined in NIDS 2 in FIG. 7 ;
  • FIG. 10 is a block diagram showing a prior art correlation between an attack signature and a corresponding notification rule
  • FIG. 11 is a flow diagram of a method for the prior art NIDS (such as NIDS 1 and NIDS 2 in FIG. 7 ) to monitor network traffic for a network intrusion;
  • FIG. 12 is a flow diagram of a method for configuring a prior art NIDS (such as NIDS 1 and NIDS 2 in FIG. 7 );
  • FIG. 13 is a prior art networked computer system interconnected using a distributed virtual Ethernet switch fabric that provides a virtual view of the systems and networks in the networked computer system.
  • the claims and disclosure herein provide a network intrusion detection system (NIDS) that works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems.
  • the NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions.
  • the result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
  • a sample prior art networked computer system 600 is shown, which includes for this particular example four server groups 610 , 620 , 630 and 640 .
  • Server group 610 is coupled to server group 620 via Network 2 .
  • Server group 610 is coupled to server group 640 via Network 2 .
  • Server groups 620 , 630 and 640 are interconnected via Network 1 .
  • Server group 630 has a connection to the Internet 150 , as does server group 640 .
  • each server group may include any suitable number of computer systems, network switches, or other hardware, such as racks of servers, power supplies, storage area networks, disk drives, etc.
  • FIG. 7 shows a networked computer system 700 that is the same networked computer system 600 of FIG. 6 with the addition of two prior art Network Intrusion Detection Systems (NIDS) 710 and 720 .
  • NIDS 1 710 is used to detect network intrusion into Network 1 that interconnects server groups 620 , 630 and 640
  • NIDS 2 720 is used to detect network intrusion into Network 2 that interconnects server group 610 to server groups 620 and 640 .
  • FIGS. 8 and 9 are shown in FIGS. 8 and 9 , respectively.
  • NIDS 1 710 includes attack signatures for network 1 810 and notification rules for network 1 820 .
  • NIDS 720 includes attack signatures for network 2 910 and notification rules for network 2 920 .
  • the attack signatures specify network traffic that may be an intrusion.
  • the attack signatures may be generated manually by the system administrator, but it is more common for the attack signatures to be downloaded from a trusted source, similar to the way antivirus definitions are continually updated from a trusted source.
  • the attack signatures 810 and 910 may be downloaded and updated automatically without requiring any effort on the part of a human system administrator.
  • the notification rules 820 and 920 are typically defined manually by the human system administrator. Because each attack signature typically has a corresponding notification rule as shown in FIG. 10 , the addition of new attack signatures via an automatic update may require the system administrator to generate or identify which notification rule applies to each new attack signature.
  • NIDS 1 710 and NIDS 2 720 perform method 1100 in FIG. 11 .
  • the NIDS monitors network traffic (step 1110 ).
  • the system administrator not only must the system administrator manually define each notification rule, the system administrator must also take action manually once a notification is received from a NIDS. Because network traffic flows much faster than a human system administrator can take action to prevent the intrusion, there is a lag time between when the NIDS detects a network intrusion and when the network intrusion is stopped by the actions of the system administrator.
  • a method 1200 shows the steps that are performed to configure and maintain a prior art NIDS, such as NIDS 1 710 and NIDS 2 720 in FIGS. 7-9 .
  • the network administrator determines the network topology and configuration (step 1210 ). For complex networks, this is no easy task. The network administrator must be aware of every network, sub-network, virtual network, switch, server, router, etc. in the networked computer system. The network administrator must also define the attack signatures (step 1220 ). Note this may be done via a subscription service as referenced above so the system administrator does not have to manually create each and every attack signature.
  • the network administrator must manually generate the notification rules for Network 1 (step 1230 ), and must manually generate the notification rules for Network 2 (step 1240 ).
  • the network administrator then provides the notification rules for Network 1 to NIDS 1 (step 1250 ), and provides the notification rules for Network 2 to NIDS 2 (step 1260 ).
  • step 1280 NO
  • method 1200 loops back to step 1270 and continues.
  • configuring and maintaining a prior art NIDS is a highly manual effort that must be performed by a highly skilled system administrator that understands all aspects of the network topology in the networked computer system. Having such a system that so heavily relies on human intervention lends itself to human errors and necessarily requires delays due to the needed human intervention.
  • FIG. 13 Such a configuration is shown in FIG. 13 .
  • server groups 1310 , 1320 , 1330 and 1340 may be interconnected with a Distributed Virtual Ethernet (DVE) switch fabric 1360 , such as Juniper Network's Qfabric.
  • DVE Distributed Virtual Ethernet
  • the DVE switch fabric 1360 includes a DVE Information Bridge 1370 that provides an interface for accessing the virtual view 1362 of the networks and systems in the DVE switch fabric 1360 .
  • DVE admin/config tools 1380 allow interacting with the DVE switch fabric via the DVE information bridge 1370 to configure the DVE switch fabric 1360 .
  • the DVE switch fabric 1360 is preferably a combination of hardware and software, but could also be a purely software implementation.
  • Note server group 1330 is connected to the Internet 150 , as is server group 1340 . By using a distributed virtual switch fabric such as the DVE switch fabric 1360 shown in FIG. 13 , a virtual view 1362 of the entire network may be provided in one place.
  • a networked computer system 100 includes four server groups 110 , 120 , 130 and 140 interconnected with the same DVE switch fabric 1360 shown in the prior art networked computer system in FIG. 13 .
  • Server group 130 is connected to the Internet 150 , as is server group 140 .
  • DVE switch fabric 1360 includes the same DVE information bridge 1370 shown in FIG. 13 that allows access to the virtual view 1362 , and the same DVE admin/config tools 1380 in FIG. 13 are used to administer and configure the DVE switch fabric 1360 in FIG.
  • NIDS 190 is also provided that has significantly enhanced features and capabilities when compared to the prior art NIDS 710 and 720 shown in FIGS. 7-9 .
  • NIDS 190 includes a DVE switch fabric interface 191 that allows the NIDS to communicate with the DVE switch fabric 1360 via the DVE information bridge 1370 to access the virtual view 1362 of the networked computer system, thereby providing to the NIDS 190 all details of all system in the network.
  • NIDS 190 also includes a network topology/configuration 192 , which is preferably derived from the virtual view 1362 provided by the DVE switch fabric 1360 .
  • NIDS 190 also includes attack signatures 193 .
  • attack signatures 193 could be the same as prior art attack signatures, or could have additional or different information.
  • Notification rules 194 are provided so a system administrator may be notified of a network intrusion.
  • the number of notification rules 194 in NIDS 190 is significantly less than the number of notification rules for the prior art NIDS, such as notification rules 820 in FIG. 8 and notification rules 920 in FIG. 9 .
  • the only thing the NIDS could do when a network intrusion was detected was to notify the system administrator, so each attack signature has a corresponding notification rule, as shown in FIG. 10 .
  • NIDS 190 in contrast, some network intrusions may be addressed by a notification to the system administrator, but most can be handled by a service action mechanism 195 that may automatically perform one or more service actions automatically without requiring input from a human system administrator. Because so many intrusion problems may be handled by the service action mechanism 195 in NIDS 190 automatically without human intervention, the number of notification rules 194 is less than in the prior art.
  • the response time of the NIDS 190 in addressing a network intrusion is very fast, orders of magnitude faster than notifying a system administrator and waiting for the system administrator to manually take corrective action. In fact, the response time of the NIDS 190 can be fast enough to actually prevent the detected network intrusion.
  • a method 200 shows steps performed by NIDS 190 after being configured to detect network intrusion.
  • the NIDS determines whether to notify the system administrator or whether to take automatic action.
  • the NIDS alerts the system administrator as specified in the notification rule corresponding to the satisfied attack signature (step 240 ).
  • step 230 TAKE ACTION
  • the NIDS automatically performs one or more service actions corresponding to one or more satisfied attack signatures (step 250 ).
  • the NIDS then alerts the system administrator regarding the automatic actions taken in step 250 (step 260 ). Method 200 is then done.
  • a method 300 shows the steps for configuring and maintaining the NIDS 190 shown in FIG. 1 .
  • the NIDS accesses the DVE information bridge to determine network topology and configuration for all networks in the fabric (step 310 ). This is done by accessing the virtual view 1362 .
  • the network administrator defines attack signatures for all networks in the fabric (step 320 ). As in the prior art, the attack signatures could be downloaded and updated from a suitable provider of attack signatures.
  • the network administrator still manually generates all needed notification rules for all networks in the fabric (step 330 ).
  • the network administrator also defines service actions for all networks in the fabrics (step 340 ). In the most preferred implementation, each attack signature will have either a corresponding notification rule or a corresponding automated service action.
  • the NIDS detects changes in the network (step 350 ). For example, if an existing blade server is replaced with a new blade server, the NIDS will see network traffic from an unrecognized MAC address.
  • the NIDS determines whether changes in the network can be dealt with autonomically (step 360 ), which is to say, without intervention by a human system administrator.
  • the NIDS in step 360 could query the virtual view in the DVE switch fabric via the DVE information bridge to determine if the new MAC address is an authorized system in the networked computer system. For the example above, the virtual view provided by the DVE switch fabric will indicate the new MAC address belongs to the replacement blade.
  • the NIDS makes autonomic changes to deal with the detected changes in the network (step 370 ). For example, when the NIDS 190 queries the virtual view in the DVE switch fabric and discovers the old server has been removed (as indicated by the removal of the corresponding MAC address) and the new server has been installed (as indicated by the presence of the new corresponding MAC address), the NIDS 190 will update its internal network topology and configuration 192 to reflect the new server with the new MAC address, and will delete the old server and MAC address corresponding to the server that was removed.
  • the NIDS can make autonomic changes to deal with detected changes in the network (step 370 ), which requires no interaction with the system administrator.
  • the NIDS notifies the network administrator to indicate the detected changes in the network (step 380 ) so the system administrator may take appropriate action. Method 300 is then done.
  • FIG. 5 shows a table 510 that specifies some NIDS service actions that could be included in the service actions 196 shown in FIG. 1 .
  • some possible NIDS service actions include monitoring the compromised host 520 , quarantining the compromised host 530 , moving the compromised host to another network 540 , and shutting down the compromised host 550 .
  • the DVE switch fabric provides a virtual view of all systems and networks in the networked computer system, and provides tools for reconfiguring the networks and systems
  • the DVE switch fabric provides the needed functionality for the NIDS to perform service actions such as those shown in FIG. 5 by interacting with the DVE switch fabric to perform those service actions.
  • the NIDS 190 can instruct the DVE switch fabric 1360 to shut down the compromised server.
  • the DVE switch fabric 1360 thus provides information in the form of a virtual view of the entire network along with an interface that allows greatly enhancing the functionality of the NIDS 190 when compared to prior art NIDS 710 and 720 shown in FIGS. 7-9 .
  • a NIDS needs to be deployed to monitor all network traffic in a virtual local area network (vlan) X running on a physical network Y.
  • vlan virtual local area network
  • the system administrator would deploy a prior art NIDS somewhere in the physical network Y.
  • the system administrator would then have to manually enter all network end points, speeds and any other needed network topology or configuration information into the NIDS.
  • the system administrator would also have to manually enter all the trusted adapter MAC addresses into the NIDS.
  • the system administrator would also have to configure the notification rules for the various attack signatures.
  • the system administrator can then enable the NIDS to monitor the network traffic in vlan X and physical network Y.
  • the NIDS watches the incoming/outgoing traffic for vlan X and physical network Y, and learns Internet Protocol (IP) addresses, Address Resolution Protocols (ARPs), gateways, etc.
  • IP Internet Protocol
  • ARPs Address Resolution Protocols
  • gateways etc.
  • network traffic is then monitored and compared to the attack signatures, and a system administrator is notified when the network traffic satisfies any attack signature.
  • the NIDS 190 For the NIDS 190 shown in FIG. 1 , for the same example above where the NIDS needs to be deployed to monitor all network traffic in vlan X running on a physical network Y, the NIDS 190 is deployed in the physical network Y.
  • the NIDS 190 queries the virtual view 1362 in the DVE switch fabric 1360 in FIG. 1 via the DVE information bridge 1370 to determine the network topology and MAC addresses for vlan X and physical network Y.
  • the system administrator configures any needed notification rules, and also specifies any needed service actions. In the most preferred implementation, there is a notification rule or service action specified for each attack signature.
  • the NIDS is then enabled to monitor network traffic in vlan X and physical network Y.
  • the NIDS watches the incoming/outgoing traffic for vlan X and physical network Y, and learns Internet Protocol (IP) addresses, Arps, gateways, etc. As shown in FIG. 2 , network traffic is then monitored and compared to the attack signatures, and when an attack signature is satisfied, the NIDS either alerts the system administrator or automatically performs one or more service actions to take care of the network intrusion without requiring input from a system administrator.
  • IP Internet Protocol
  • a second example we assume an existing network adapter is swapped for a new network adapter while the network is up and running
  • the node, blade or PCI slot that contains the network adapter to be serviced is powered down.
  • the hardware swap of the network adapters is performed.
  • the hardware is powered on, and the link goes active.
  • the new hardware sees network traffic and is part of the network.
  • the NIDS detects network packets from a MAC address that is unrecognized, and as a result, alerts the system administrator as shown in FIG. 11 .
  • the system administrator will typically respond to the NIDS alarm by suspending the NIDS.
  • the system administrator must then reconfigure the NIDS to delete all old rules/learning based on the old MAC address that has been removed, and must add the new MAC address to the list of trusted host MAC addresses in the NIDS.
  • the system administrator then re-enables the NIDS, which begins to re-learn what the network traffic looks like in the new configuration. Note that suspending then re-enabling the prior art NIDS results in a period of time when the network is not protected by the NIDS.
  • the node, blade or PCI slot that contains the network adapter to be serviced is powered down.
  • the hardware swap of the network adapters is performed.
  • the hardware is powered on, and the link goes active.
  • the new hardware sees traffic and is part of the network.
  • the NIDS detects network packets from a MAC address that is unrecognized, and as a result, queries the virtual view 1362 in the DVE switch fabric 1360 via the DVE information bridge 1370 , which tells the NIDS the new network adapter is a replacement for the old network adapter.
  • the NIDS autonomically updates its rules and traffic records to change from the old MAC address to the new MAC address.
  • the NIDS thus autonomically adjusts to the swap in network cards without suspending and re-enabling the NIDS, as required in the prior art.
  • the result is a more secure network because the NIDS is always operational.
  • NIDS is up and running, and detects an IP-spoof attack.
  • NIDS 710 and 720 shown in FIGS. 7-9 a host MAC address is identified as the compromised host, and an alert is sent to the system administrator as shown in FIG. 11 .
  • the system administrator manually queries network configuration to determine which node or blade the compromised MAC address is in.
  • the system administrator may then manually shut down the compromised network link, at which point the network is secure again. Notice the time delay between notifying a system administrator and the system administrator shutting down the compromised hardware may be several minutes, possibly more, which could result in the network being vulnerable to the IP-spoof attack during that time delay.
  • the NIDS 190 in FIG. 1 for the same third example above, we assume the NIDS is up and running, and detects an IP-spoof attack.
  • a host MAC address is identified as the compromised host.
  • the NIDS 190 accesses the virtual view 1362 in the DVE switch fabric 1360 via the DVE information bridge 1370 , and instructs the DVE switch fabric 1360 to shut down the compromised host with the specified MAC address.
  • the DVE switch fabric 1360 uses its internal MAC address database to translate the specified MAC address to a particular node or blade.
  • the DEV switch fabric 1360 then shuts down the network link for the node or blade corresponding to the MAC address, and the network is secure again.
  • the system administrator then gets an alert about the compromised host on the network.
  • the time delay between intrusion detection and shut down of the compromised host is very small compared to the time to notify a system administrator, who must then manually correlate the problem MAC address to hardware, and then manually shut down the hardware.
  • the NIDS presented herein provides a much more secure network because it always runs, it autonomically adjusts for changes in the network, and it can take service actions immediately to address a network intrusion.
  • aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language, Streams Processing language, or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • the methods disclosed herein may be performed as part of providing a web-based service.
  • a service could include, for example, offering the method to online users in exchange for payment.
  • the disclosure and claims are directed to a network intrusion detection system (NIDS) that works in conjunction with a virtual view in a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems.
  • the NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions.
  • the result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.

Description

    BACKGROUND
  • 1. Technical Field
  • This disclosure generally relates to networked computer systems, and more specifically relates to network intrusion detection in a network that includes a distributed virtual switch fabric.
  • 2. Background Art
  • Networked computer systems are the life blood of today's business world. With the explosion of information available on the Internet, and the corresponding explosion of network technology used by companies both large and small, the complexity of networked computer system continues to increase. One important aspect for networked computer systems is security, which includes making sure that unauthorized agents do not intrude on the network. Network Intrusion Detection Systems (NIDS) have been developed that allow a system administrator to configure notification rules that correspond to certain attack signatures. When an attack that matches an attack signature is detected by the NIDS, the NIDS notifies the system administrator as specified in the corresponding notification rule. In this manner, a system administrator is made aware of the unauthorized network intrusion, and in response can take steps to counteract the network intrusion.
  • Many modern networks include a relatively large number of network devices, and may also include many different levels of networks, including networks between systems, networks within system, and virtual networks between or within systems. Known NIDS require the system administrator to manually configure the NIDS according to the network topology. This can be a daunting task for many of today's complex networked computer systems. In addition, known NIDS only notify the system administrator when a network intrusion is detected. Known NIDS must also be manually updated by the network administrator anytime a change to the network occurs, such as adding or replacing a network device. Without a way to perform network intrusion detection on complex networks without requiring so much human knowledge and interaction, providing the desired level of security for intrusion detection on modern networks will be difficult.
    • BRIEF SUMMARY
  • A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information on a bridge of the distributed virtual switch fabric, which gives the NIDS access to hardware information for all networking devices in the network. Because the NIDS can discover the network topology by interrogating the bridge on the distributed virtual switch fabric, manual configuration of network topology within the NIDS by a system administrator is not required. In addition, access to the network information via the bridge gives the NIDS the capability of not only monitoring and alerting a human system administrator, but the NIDS may also take various service actions when an intrusion is detected, without any action required of a human system administrator. These service actions may be taken immediately, dramatically increasing the security of the network by automatically neutralizing any detected intrusions immediately using an automated service action instead of merely notifying a system administrator. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
  • The foregoing and other features and advantages will be apparent from the following more particular description, as illustrated in the accompanying drawings.
    • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)
  • The disclosure will be described in conjunction with the appended drawings, where like designations denote like elements, and:
  • FIG. 1 is a block diagram of a networked computer system that includes a network intrusion detection system that receives network topology and configuration information from a distributed virtual Ethernet switch fabric;
  • FIG. 2 is a flow diagram of a method performed by the NIDS in FIG. 1 when monitoring network traffic for a network intrusion;
  • FIG. 3 is a flow diagram of a method for configuring the NIDS in FIG. 1 and for the NIDS to autonomically change its configuration when the NIDS detects a change in the network;
  • FIG. 4 is a block diagram showing possible network changes that could be handled autonomically by the NIDS in FIG. 1;
  • FIG. 5 is a block diagram showing possible service actions that could be performed by the NIDS in response to a detected network intrusion;
  • FIG. 6 is a block diagram showing a sample prior art networked computer system;
  • FIG. 7 is a block diagram showing the sample prior art networked computer system after adding two prior art NIDS;
  • FIG. 8 is a block diagram showing prior art attack signatures for network 1 and notification rules for network 1 defined in NIDS1 in FIG. 7;
  • FIG. 9 is a block diagram showing prior art attack signatures for network 2 and notification rules for network 2 defined in NIDS2 in FIG. 7;
  • FIG. 10 is a block diagram showing a prior art correlation between an attack signature and a corresponding notification rule;
  • FIG. 11 is a flow diagram of a method for the prior art NIDS (such as NIDS1 and NIDS2 in FIG. 7) to monitor network traffic for a network intrusion;
  • FIG. 12 is a flow diagram of a method for configuring a prior art NIDS (such as NIDS1 and NIDS2 in FIG. 7); and
  • FIG. 13 is a prior art networked computer system interconnected using a distributed virtual Ethernet switch fabric that provides a virtual view of the systems and networks in the networked computer system.
    •  DETAILED DESCRIPTION
  • The claims and disclosure herein provide a network intrusion detection system (NIDS) that works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
  • Referring to FIG. 6, a sample prior art networked computer system 600 is shown, which includes for this particular example four server groups 610, 620, 630 and 640. Server group 610 is coupled to server group 620 via Network 2. Server group 610 is coupled to server group 640 via Network 2. Server groups 620, 630 and 640 are interconnected via Network 1. Server group 630 has a connection to the Internet 150, as does server group 640. Note that each server group may include any suitable number of computer systems, network switches, or other hardware, such as racks of servers, power supplies, storage area networks, disk drives, etc. In addition, there may be multiple levels of networks, including external networks between systems, internal networks within a system, and even virtual networks within a system or between systems.
  • FIG. 7 shows a networked computer system 700 that is the same networked computer system 600 of FIG. 6 with the addition of two prior art Network Intrusion Detection Systems (NIDS) 710 and 720. NIDS1 710 is used to detect network intrusion into Network 1 that interconnects server groups 620, 630 and 640, while NIDS2 720 is used to detect network intrusion into Network 2 that interconnects server group 610 to server groups 620 and 640. These prior art NIDS 710 and 720 are shown in FIGS. 8 and 9, respectively. NIDS1 710 includes attack signatures for network 1 810 and notification rules for network 1 820. In similar fashion, NIDS 720 includes attack signatures for network 2 910 and notification rules for network 2 920. The attack signatures specify network traffic that may be an intrusion. Typically, for each attack signature, there is a corresponding notification rule, as shown at 1010 in FIG. 10. The attack signatures may be generated manually by the system administrator, but it is more common for the attack signatures to be downloaded from a trusted source, similar to the way antivirus definitions are continually updated from a trusted source. By subscribing to a service that allows downloading and automatically updating attack signatures, the attack signatures 810 and 910 may be downloaded and updated automatically without requiring any effort on the part of a human system administrator. The notification rules 820 and 920, in contrast, are typically defined manually by the human system administrator. Because each attack signature typically has a corresponding notification rule as shown in FIG. 10, the addition of new attack signatures via an automatic update may require the system administrator to generate or identify which notification rule applies to each new attack signature.
  • NIDS1 710 and NIDS2 720 perform method 1100 in FIG. 11. The NIDS monitors network traffic (step 1110). When the network traffic does not satisfy an attack signature (i.e., does not qualify as a network intrusion) (step 1120=NO), method 1100 returns to step 1110 and continues. When the network traffic satisfies an attack signature (step 1120=YES), the NIDS sends one or more network messages to alert a human system administrator as specified in the notification rule corresponding to the satisfied attack signature (step 1130). In the prior art, not only must the system administrator manually define each notification rule, the system administrator must also take action manually once a notification is received from a NIDS. Because network traffic flows much faster than a human system administrator can take action to prevent the intrusion, there is a lag time between when the NIDS detects a network intrusion and when the network intrusion is stopped by the actions of the system administrator.
  • Referring to FIG. 12, a method 1200 shows the steps that are performed to configure and maintain a prior art NIDS, such as NIDS1 710 and NIDS2 720 in FIGS. 7-9. First, the network administrator determines the network topology and configuration (step 1210). For complex networks, this is no easy task. The network administrator must be aware of every network, sub-network, virtual network, switch, server, router, etc. in the networked computer system. The network administrator must also define the attack signatures (step 1220). Note this may be done via a subscription service as referenced above so the system administrator does not have to manually create each and every attack signature. However, the network administrator must manually generate the notification rules for Network 1 (step 1230), and must manually generate the notification rules for Network 2 (step 1240). The network administrator then provides the notification rules for Network 1 to NIDS 1 (step 1250), and provides the notification rules for Network 2 to NIDS 2 (step 1260). The network administrator then monitors changes in the network (step 1270). For example, let's assume a server blade in a rack is replaced with a new server blade. The new server blade will have a different MAC address than the old server blade. If the changes in the network require changes to the notification rules (step 1280=YES), the network administrator must manually generate changes to the notification rules (step 1290) to accommodate the changes in the network. If the changes in the network do not require changes to the notification rules (step 1280=NO), method 1200 loops back to step 1270 and continues. We see from the steps in FIG. 12 that configuring and maintaining a prior art NIDS is a highly manual effort that must be performed by a highly skilled system administrator that understands all aspects of the network topology in the networked computer system. Having such a system that so heavily relies on human intervention lends itself to human errors and necessarily requires delays due to the needed human intervention.
  • As advances in networking have been made, an effort has resulted in providing a virtual view of many different networks in a networked computer system. Some network professionals refer to a complex set of networks as a “network fabric”, which implies that one fabric covers all network connections and all systems in the networked computer system. For example, Juniper Networks has developed a product called Qfabric that allows providing a virtual view of all networks and systems in a networked computer system. Such a configuration is shown in FIG. 13. Four server groups 1310, 1320, 1330 and 1340 (similar to those shown in FIGS. 6 and 7) may be interconnected with a Distributed Virtual Ethernet (DVE) switch fabric 1360, such as Juniper Network's Qfabric. The DVE switch fabric 1360 includes a DVE Information Bridge 1370 that provides an interface for accessing the virtual view 1362 of the networks and systems in the DVE switch fabric 1360. DVE admin/config tools 1380 allow interacting with the DVE switch fabric via the DVE information bridge 1370 to configure the DVE switch fabric 1360. The DVE switch fabric 1360 is preferably a combination of hardware and software, but could also be a purely software implementation. Note server group 1330 is connected to the Internet 150, as is server group 1340. By using a distributed virtual switch fabric such as the DVE switch fabric 1360 shown in FIG. 13, a virtual view 1362 of the entire network may be provided in one place. This greatly eases the burden on the system administrator because all the information needed about the entire networked computer system may be accessed in one place, and by querying to the DVE switch fabric 1360 via the DVE information bridge 1370, a system administrator may learn about any and all aspects of the networked computer system from the virtual view 1362.
  • The presence of the DVE switch fabric 1360 with its virtual view 1362 of the networked computer system allows a new and improved NIDS that is much easier to configure and maintain, and can take automatic service actions when a network intrusion is detected. Referring to FIG. 1, a networked computer system 100 includes four server groups 110, 120, 130 and 140 interconnected with the same DVE switch fabric 1360 shown in the prior art networked computer system in FIG. 13. Server group 130 is connected to the Internet 150, as is server group 140. DVE switch fabric 1360 includes the same DVE information bridge 1370 shown in FIG. 13 that allows access to the virtual view 1362, and the same DVE admin/config tools 1380 in FIG. 13 are used to administer and configure the DVE switch fabric 1360 in FIG. 1. A NIDS 190 is also provided that has significantly enhanced features and capabilities when compared to the prior art NIDS 710 and 720 shown in FIGS. 7-9. NIDS 190 includes a DVE switch fabric interface 191 that allows the NIDS to communicate with the DVE switch fabric 1360 via the DVE information bridge 1370 to access the virtual view 1362 of the networked computer system, thereby providing to the NIDS 190 all details of all system in the network. NIDS 190 also includes a network topology/configuration 192, which is preferably derived from the virtual view 1362 provided by the DVE switch fabric 1360. NIDS 190 also includes attack signatures 193. These attack signatures 193 could be the same as prior art attack signatures, or could have additional or different information. Notification rules 194 are provided so a system administrator may be notified of a network intrusion. However, the number of notification rules 194 in NIDS 190 is significantly less than the number of notification rules for the prior art NIDS, such as notification rules 820 in FIG. 8 and notification rules 920 in FIG. 9. In the prior art, the only thing the NIDS could do when a network intrusion was detected was to notify the system administrator, so each attack signature has a corresponding notification rule, as shown in FIG. 10. In NIDS 190, in contrast, some network intrusions may be addressed by a notification to the system administrator, but most can be handled by a service action mechanism 195 that may automatically perform one or more service actions automatically without requiring input from a human system administrator. Because so many intrusion problems may be handled by the service action mechanism 195 in NIDS 190 automatically without human intervention, the number of notification rules 194 is less than in the prior art. In addition, the response time of the NIDS 190 in addressing a network intrusion is very fast, orders of magnitude faster than notifying a system administrator and waiting for the system administrator to manually take corrective action. In fact, the response time of the NIDS 190 can be fast enough to actually prevent the detected network intrusion.
  • Referring to FIG. 2, a method 200 shows steps performed by NIDS 190 after being configured to detect network intrusion. The NIDS monitors network traffic (step 210). When the network traffic does not satisfy any attack signature (step 220=NO), method 200 loops back to step 210 and continues. When the network traffic satisfies one or more attack signatures (step 220=YES), the NIDS determines whether to notify the system administrator or whether to take automatic action. When the NIDS is to notify the system administrator (step 230=NOTIFY), the NIDS alerts the system administrator as specified in the notification rule corresponding to the satisfied attack signature (step 240). When the NIDS is to take action (step 230=TAKE ACTION), the NIDS automatically performs one or more service actions corresponding to one or more satisfied attack signatures (step 250). The NIDS then alerts the system administrator regarding the automatic actions taken in step 250 (step 260). Method 200 is then done.
  • Referring to FIG. 3, a method 300 shows the steps for configuring and maintaining the NIDS 190 shown in FIG. 1. The NIDS accesses the DVE information bridge to determine network topology and configuration for all networks in the fabric (step 310). This is done by accessing the virtual view 1362. The network administrator defines attack signatures for all networks in the fabric (step 320). As in the prior art, the attack signatures could be downloaded and updated from a suitable provider of attack signatures. The network administrator still manually generates all needed notification rules for all networks in the fabric (step 330). The network administrator also defines service actions for all networks in the fabrics (step 340). In the most preferred implementation, each attack signature will have either a corresponding notification rule or a corresponding automated service action. The NIDS then detects changes in the network (step 350). For example, if an existing blade server is replaced with a new blade server, the NIDS will see network traffic from an unrecognized MAC address. The NIDS determines whether changes in the network can be dealt with autonomically (step 360), which is to say, without intervention by a human system administrator. For example, the NIDS in step 360 could query the virtual view in the DVE switch fabric via the DVE information bridge to determine if the new MAC address is an authorized system in the networked computer system. For the example above, the virtual view provided by the DVE switch fabric will indicate the new MAC address belongs to the replacement blade. When the changes in the network may be dealt with autonomically (step 360=YES), the NIDS makes autonomic changes to deal with the detected changes in the network (step 370). For example, when the NIDS 190 queries the virtual view in the DVE switch fabric and discovers the old server has been removed (as indicated by the removal of the corresponding MAC address) and the new server has been installed (as indicated by the presence of the new corresponding MAC address), the NIDS 190 will update its internal network topology and configuration 192 to reflect the new server with the new MAC address, and will delete the old server and MAC address corresponding to the server that was removed. Because this particular change (a swap of a new server for an old server) can be detected by querying the virtual view in the DVE switch fabric, the NIDS can make autonomic changes to deal with detected changes in the network (step 370), which requires no interaction with the system administrator. For any network changes that cannot be dealt with autonomically (step 360=NO), the NIDS notifies the network administrator to indicate the detected changes in the network (step 380) so the system administrator may take appropriate action. Method 300 is then done.
  • There are different changes to the network that can be handled autonomically, as shown in table 410 in FIG. 4. Network changes that may be handled autonomically by the NIDS include the addition of a new network device 420, or the swapping out of a network device 430. Both of these may be autonomically handled because network packets with a new MAC address will appear on the network, which are detected by the NIDS. In response, the NIDS can autonomically query the virtual view in the DVE switch fabric and make any needed changes to its network topology and configuration 192 without notifying a system administrator. FIG. 5 shows a table 510 that specifies some NIDS service actions that could be included in the service actions 196 shown in FIG. 1. For example, some possible NIDS service actions include monitoring the compromised host 520, quarantining the compromised host 530, moving the compromised host to another network 540, and shutting down the compromised host 550. Because the DVE switch fabric provides a virtual view of all systems and networks in the networked computer system, and provides tools for reconfiguring the networks and systems, the DVE switch fabric provides the needed functionality for the NIDS to perform service actions such as those shown in FIG. 5 by interacting with the DVE switch fabric to perform those service actions. For example, if a particular server is compromised, the NIDS 190 can instruct the DVE switch fabric 1360 to shut down the compromised server. The DVE switch fabric 1360 thus provides information in the form of a virtual view of the entire network along with an interface that allows greatly enhancing the functionality of the NIDS 190 when compared to prior art NIDS 710 and 720 shown in FIGS. 7-9.
  • Some examples are now provided to illustrate the difference between the function of prior art NIDS and the NIDS 190 disclosed herein. For the first example, let's assume a NIDS needs to be deployed to monitor all network traffic in a virtual local area network (vlan) X running on a physical network Y. In the prior art, the system administrator would deploy a prior art NIDS somewhere in the physical network Y. The system administrator would then have to manually enter all network end points, speeds and any other needed network topology or configuration information into the NIDS. The system administrator would also have to manually enter all the trusted adapter MAC addresses into the NIDS. The system administrator would also have to configure the notification rules for the various attack signatures. The system administrator can then enable the NIDS to monitor the network traffic in vlan X and physical network Y. The NIDS watches the incoming/outgoing traffic for vlan X and physical network Y, and learns Internet Protocol (IP) addresses, Address Resolution Protocols (ARPs), gateways, etc. As shown in FIG. 11, network traffic is then monitored and compared to the attack signatures, and a system administrator is notified when the network traffic satisfies any attack signature.
  • For the NIDS 190 shown in FIG. 1, for the same example above where the NIDS needs to be deployed to monitor all network traffic in vlan X running on a physical network Y, the NIDS 190 is deployed in the physical network Y. The NIDS 190 queries the virtual view 1362 in the DVE switch fabric 1360 in FIG. 1 via the DVE information bridge 1370 to determine the network topology and MAC addresses for vlan X and physical network Y. The system administrator configures any needed notification rules, and also specifies any needed service actions. In the most preferred implementation, there is a notification rule or service action specified for each attack signature. The NIDS is then enabled to monitor network traffic in vlan X and physical network Y. The NIDS watches the incoming/outgoing traffic for vlan X and physical network Y, and learns Internet Protocol (IP) addresses, Arps, gateways, etc. As shown in FIG. 2, network traffic is then monitored and compared to the attack signatures, and when an attack signature is satisfied, the NIDS either alerts the system administrator or automatically performs one or more service actions to take care of the network intrusion without requiring input from a system administrator. This first example illustrates how much easier it is to configure and maintain NIDS 190 when compared to the prior art NIDS.
  • In a second example, we assume an existing network adapter is swapped for a new network adapter while the network is up and running In the prior art, the node, blade or PCI slot that contains the network adapter to be serviced is powered down. The hardware swap of the network adapters is performed. The hardware is powered on, and the link goes active. The new hardware sees network traffic and is part of the network. The NIDS detects network packets from a MAC address that is unrecognized, and as a result, alerts the system administrator as shown in FIG. 11. The system administrator will typically respond to the NIDS alarm by suspending the NIDS. The system administrator must then reconfigure the NIDS to delete all old rules/learning based on the old MAC address that has been removed, and must add the new MAC address to the list of trusted host MAC addresses in the NIDS. The system administrator then re-enables the NIDS, which begins to re-learn what the network traffic looks like in the new configuration. Note that suspending then re-enabling the prior art NIDS results in a period of time when the network is not protected by the NIDS.
  • For the NIDS 190 in the same second example, where an existing network adapter is swapped for a new network adapter while the network is up and running, the node, blade or PCI slot that contains the network adapter to be serviced is powered down. The hardware swap of the network adapters is performed. The hardware is powered on, and the link goes active. The new hardware sees traffic and is part of the network. The NIDS detects network packets from a MAC address that is unrecognized, and as a result, queries the virtual view 1362 in the DVE switch fabric 1360 via the DVE information bridge 1370, which tells the NIDS the new network adapter is a replacement for the old network adapter. The NIDS autonomically updates its rules and traffic records to change from the old MAC address to the new MAC address. The NIDS thus autonomically adjusts to the swap in network cards without suspending and re-enabling the NIDS, as required in the prior art. The result is a more secure network because the NIDS is always operational.
  • In a third example, we assume the NIDS is up and running, and detects an IP-spoof attack. For the prior art NIDS, such as NIDS 710 and 720 shown in FIGS. 7-9, a host MAC address is identified as the compromised host, and an alert is sent to the system administrator as shown in FIG. 11. There is naturally some time lapse between the time the system administrator gets the alert and the time the system administrator can address this problem. The system administrator manually queries network configuration to determine which node or blade the compromised MAC address is in. The system administrator may then manually shut down the compromised network link, at which point the network is secure again. Notice the time delay between notifying a system administrator and the system administrator shutting down the compromised hardware may be several minutes, possibly more, which could result in the network being vulnerable to the IP-spoof attack during that time delay.
  • For the NIDS 190 in FIG. 1 for the same third example above, we assume the NIDS is up and running, and detects an IP-spoof attack. A host MAC address is identified as the compromised host. The NIDS 190 accesses the virtual view 1362 in the DVE switch fabric 1360 via the DVE information bridge 1370, and instructs the DVE switch fabric 1360 to shut down the compromised host with the specified MAC address. The DVE switch fabric 1360 uses its internal MAC address database to translate the specified MAC address to a particular node or blade. The DEV switch fabric 1360 then shuts down the network link for the node or blade corresponding to the MAC address, and the network is secure again. The system administrator then gets an alert about the compromised host on the network. Because the NIDS reacted immediately to shut down the compromised host, the time delay between intrusion detection and shut down of the compromised host is very small compared to the time to notify a system administrator, who must then manually correlate the problem MAC address to hardware, and then manually shut down the hardware. The NIDS presented herein provides a much more secure network because it always runs, it autonomically adjusts for changes in the network, and it can take service actions immediately to address a network intrusion.
  • As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language, Streams Processing language, or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • The methods disclosed herein may be performed as part of providing a web-based service. Such a service could include, for example, offering the method to online users in exchange for payment.
  • The disclosure and claims are directed to a network intrusion detection system (NIDS) that works in conjunction with a virtual view in a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from of the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.
  • One skilled in the art will appreciate that many variations are possible within the scope of the claims. Thus, while the disclosure is particularly shown and described above, it will be understood by those skilled in the art that these and other changes in form and details may be made therein without departing from the spirit and scope of the claims.

Claims (8)

1. A computer-implemented method for detecting network intrusions in a networked computer system that includes a plurality of networks interconnecting a plurality of systems, the plurality of systems including a distributed virtual switch fabric that provides a virtual view of the plurality of networks and the plurality of systems, the method comprising the steps of:
querying the distributed virtual switch fabric to determine from the virtual view network topology and configuration of the networked computer system;
defining a plurality of attack signatures that specify characteristics of network intrusions;
defining a plurality of service actions that each may be performed automatically without input from a human system administrator when a network intrusion that matches at least one of the plurality of attack signatures is detected by the network intrusion detection system;
detecting a network intrusion in the networked computer system that matches at least one of the plurality of attack signatures; and
in response to detecting the network intrusion that matches the at least one of the plurality of attack signatures, autonomically performing at least one of the plurality of service actions without input from a human system administrator.
2. The method of claim 1 wherein the plurality of service actions comprises monitoring a compromised host that originated network traffic detected as the network intrusion.
3. The method of claim 1 wherein the plurality of service actions comprises quarantining a compromised host that originated network traffic detected as the network intrusion.
4. The method of claim 1 wherein the plurality of service actions comprises moving to a different network a compromised host that originated network traffic detected as the network intrusion to a different network.
5. The method of claim 1 wherein the plurality of service actions comprises shutting down a compromised host that originated network traffic detected as the network intrusion.
6. The method of claim 1 further comprising the steps of:
detecting an addition to the plurality of systems;
querying the distributed virtual switch fabric to determine if the addition is reflected in the virtual view of the plurality of networks and the plurality of systems; and
when the addition is reflected in the virtual view, autonomically changing the network topology and configuration without input from a human system administrator.
7. The method of claim 1 further comprising the steps of:
detecting a change to the plurality of systems;
querying the distributed virtual switch fabric to determine if the change is reflected in the virtual view of the plurality of networks and the plurality of systems; and
when the change is reflected in the virtual view, autonomically changing the network topology and configuration without input from a human system administrator.
8. A computer-implemented method for detecting network intrusions in a networked computer system that includes a plurality of networks interconnecting a plurality of systems, the plurality of systems including a distributed virtual switch fabric that provides a virtual view of the plurality of networks and the plurality of systems, the method comprising the steps of:
(A) configuring a network intrusion detection system by performing the steps of:
querying the distributed virtual switch fabric to determine from the virtual view network topology and configuration of the networked computer system;
defining a plurality of attack signatures that specify characteristics of network intrusions;
defining a plurality of service actions that each may be performed automatically without input from a human system administrator when a network intrusion that matches at least one of the plurality of attack signatures is detected by the network intrusion detection system;
(B) running the network intrusion detection system, which performs the steps of:
monitoring network traffic in the networked computer system;
detecting a network intrusion in the networked computer system that matches at least one of the plurality of attack signatures; and
in response to detecting the network intrusion that matches the at least one of the plurality of attack signatures, when a corresponding action for the detected network intrusion is to notify a human system administrator, notifying the human system administrator of the network intrusion, and when the corresponding action for the detected network intrusion is to perform a specified service action, automatically performing the specified service action and notifying the system administrator, wherein the specified service action comprises performing at least one of the following steps:
monitoring a compromised host that originated network traffic detected as the network intrusion;
quarantining the compromised host;
moving to a different network the compromised host; and
shutting down the compromised host.
US13/685,784 2012-02-20 2012-11-27 Network intrusion detection in a network that includes a distributed virtual switch fabric Abandoned US20130219500A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/685,784 US20130219500A1 (en) 2012-02-20 2012-11-27 Network intrusion detection in a network that includes a distributed virtual switch fabric

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/400,476 US8640239B2 (en) 2012-02-20 2012-02-20 Network intrusion detection in a network that includes a distributed virtual switch fabric
US13/685,784 US20130219500A1 (en) 2012-02-20 2012-11-27 Network intrusion detection in a network that includes a distributed virtual switch fabric

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/400,476 Continuation US8640239B2 (en) 2012-02-20 2012-02-20 Network intrusion detection in a network that includes a distributed virtual switch fabric

Publications (1)

Publication Number Publication Date
US20130219500A1 true US20130219500A1 (en) 2013-08-22

Family

ID=48983420

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/400,476 Active US8640239B2 (en) 2012-02-20 2012-02-20 Network intrusion detection in a network that includes a distributed virtual switch fabric
US13/685,784 Abandoned US20130219500A1 (en) 2012-02-20 2012-11-27 Network intrusion detection in a network that includes a distributed virtual switch fabric

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/400,476 Active US8640239B2 (en) 2012-02-20 2012-02-20 Network intrusion detection in a network that includes a distributed virtual switch fabric

Country Status (1)

Country Link
US (2) US8640239B2 (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140269299A1 (en) * 2013-03-14 2014-09-18 Hewlett-Packard Development Company, L.P. Network controller normalization of network traffic
US20140331274A1 (en) * 2013-05-01 2014-11-06 Fortinet, Inc. Security system for physical or virtual environments
US9450974B2 (en) 2014-03-20 2016-09-20 International Business Machines Corporation Intrusion management
US20160359889A1 (en) * 2015-06-05 2016-12-08 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10797970B2 (en) 2015-06-05 2020-10-06 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
US20210126927A1 (en) * 2019-10-28 2021-04-29 Cisco Technology, Inc. Virtual switch-based threat defense for networks with multiple virtual network functions
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry
US20210297429A1 (en) * 2020-03-20 2021-09-23 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
US11528283B2 (en) 2015-06-05 2022-12-13 Cisco Technology, Inc. System for monitoring and managing datacenters

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015160331A1 (en) 2014-04-15 2015-10-22 Hewlett-Packard Development Company, L.P. Configurable network security
US9935829B1 (en) 2014-09-24 2018-04-03 Amazon Technologies, Inc. Scalable packet processing service
WO2016089435A1 (en) * 2014-12-03 2016-06-09 Hewlett Packard Enterprise Development Lp Updating a virtual network topology based on monitored application data
US11140020B1 (en) 2018-03-01 2021-10-05 Amazon Technologies, Inc. Availability-enhancing gateways for network traffic in virtualized computing environments

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7463590B2 (en) * 2003-07-25 2008-12-09 Reflex Security, Inc. System and method for threat detection and response
US8442048B2 (en) * 2009-11-04 2013-05-14 Juniper Networks, Inc. Methods and apparatus for configuring a virtual network switch

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6775657B1 (en) 1999-12-22 2004-08-10 Cisco Technology, Inc. Multilayered intrusion detection system and method
US7882555B2 (en) 2001-03-16 2011-02-01 Kavado, Inc. Application layer security method and system
US7331061B1 (en) 2001-09-07 2008-02-12 Secureworks, Inc. Integrated computer security management system and method
IL149583A0 (en) 2002-05-09 2003-07-06 Kavado Israel Ltd Method for automatic setting and updating of a security policy
US7228564B2 (en) 2003-07-24 2007-06-05 Hewlett-Packard Development Company, L.P. Method for configuring a network intrusion detection system
US7440467B2 (en) * 2004-05-05 2008-10-21 Gigamon Systems Llc Asymmetric packet switch and a method of use
US7849506B1 (en) 2004-10-12 2010-12-07 Avaya Inc. Switching device, method, and computer program for efficient intrusion detection
US7808897B1 (en) 2005-03-01 2010-10-05 International Business Machines Corporation Fast network security utilizing intrusion prevention systems
US7606225B2 (en) 2006-02-06 2009-10-20 Fortinet, Inc. Integrated security switch
IL189530A0 (en) 2007-02-15 2009-02-11 Marvell Software Solutions Isr Method and apparatus for deep packet inspection for network intrusion detection
US8045550B2 (en) 2007-03-01 2011-10-25 Hewlett-Packard Development Company, L.P. Packet tunneling
CA3002975C (en) 2009-04-01 2020-07-14 Nicira, Inc. Method and apparatus for implementing and managing virtual switches
US8694654B1 (en) * 2010-03-23 2014-04-08 Juniper Networks, Inc. Host side protocols for use with distributed control plane of a switch

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7463590B2 (en) * 2003-07-25 2008-12-09 Reflex Security, Inc. System and method for threat detection and response
US8442048B2 (en) * 2009-11-04 2013-05-14 Juniper Networks, Inc. Methods and apparatus for configuring a virtual network switch

Cited By (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140269299A1 (en) * 2013-03-14 2014-09-18 Hewlett-Packard Development Company, L.P. Network controller normalization of network traffic
US9917849B2 (en) * 2013-05-01 2018-03-13 Fortinet, Inc. Security system for physical or virtual environments
US20140331274A1 (en) * 2013-05-01 2014-11-06 Fortinet, Inc. Security system for physical or virtual environments
US9450974B2 (en) 2014-03-20 2016-09-20 International Business Machines Corporation Intrusion management
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
US10797970B2 (en) 2015-06-05 2020-10-06 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US11902122B2 (en) 2015-06-05 2024-02-13 Cisco Technology, Inc. Application monitoring prioritization
US10320630B2 (en) 2015-06-05 2019-06-11 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US10326673B2 (en) 2015-06-05 2019-06-18 Cisco Technology, Inc. Techniques for determining network topologies
US20160359877A1 (en) * 2015-06-05 2016-12-08 Cisco Technology, Inc. Intra-datacenter attack detection
US10439904B2 (en) 2015-06-05 2019-10-08 Cisco Technology, Inc. System and method of determining malicious processes
US10505828B2 (en) * 2015-06-05 2019-12-10 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US10516585B2 (en) 2015-06-05 2019-12-24 Cisco Technology, Inc. System and method for network information mapping and displaying
US10516586B2 (en) 2015-06-05 2019-12-24 Cisco Technology, Inc. Identifying bogon address spaces
US11695659B2 (en) 2015-06-05 2023-07-04 Cisco Technology, Inc. Unique ID generation for sensors
US11601349B2 (en) 2015-06-05 2023-03-07 Cisco Technology, Inc. System and method of detecting hidden processes by analyzing packet flows
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US12335275B2 (en) 2015-06-05 2025-06-17 Cisco Technology, Inc. System for monitoring and managing datacenters
US10567247B2 (en) * 2015-06-05 2020-02-18 Cisco Technology, Inc. Intra-datacenter attack detection
US12278746B2 (en) 2015-06-05 2025-04-15 Cisco Technology, Inc. Auto update of sensor configuration
US11902120B2 (en) 2015-06-05 2024-02-13 Cisco Technology, Inc. Synthetic data for determining health of a network security system
US12231308B2 (en) 2015-06-05 2025-02-18 Cisco Technology, Inc. Unique ID generation for sensors
US10623283B2 (en) 2015-06-05 2020-04-14 Cisco Technology, Inc. Anomaly detection through header field entropy
US10659324B2 (en) 2015-06-05 2020-05-19 Cisco Technology, Inc. Application monitoring prioritization
US12231307B2 (en) 2015-06-05 2025-02-18 Cisco Technology, Inc. System and method for user optimized application dependency mapping
US10693749B2 (en) 2015-06-05 2020-06-23 Cisco Technology, Inc. Synthetic data for determining health of a network security system
US11528283B2 (en) 2015-06-05 2022-12-13 Cisco Technology, Inc. System for monitoring and managing datacenters
US11522775B2 (en) 2015-06-05 2022-12-06 Cisco Technology, Inc. Application monitoring prioritization
US10728119B2 (en) 2015-06-05 2020-07-28 Cisco Technology, Inc. Cluster discovery via multi-domain fusion for application dependency mapping
US10735283B2 (en) 2015-06-05 2020-08-04 Cisco Technology, Inc. Unique ID generation for sensors
US10742529B2 (en) 2015-06-05 2020-08-11 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US11502922B2 (en) 2015-06-05 2022-11-15 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US12224921B2 (en) 2015-06-05 2025-02-11 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US11496377B2 (en) 2015-06-05 2022-11-08 Cisco Technology, Inc. Anomaly detection through header field entropy
US11924073B2 (en) 2015-06-05 2024-03-05 Cisco Technology, Inc. System and method of assigning reputation scores to hosts
US11637762B2 (en) 2015-06-05 2023-04-25 Cisco Technology, Inc. MDL-based clustering for dependency mapping
US12192078B2 (en) 2015-06-05 2025-01-07 Cisco Technology, Inc. System and method of assigning reputation scores to hosts
US12177097B2 (en) 2015-06-05 2024-12-24 Cisco Technology, Inc. Policy utilization analysis
US10904116B2 (en) 2015-06-05 2021-01-26 Cisco Technology, Inc. Policy utilization analysis
US11477097B2 (en) 2015-06-05 2022-10-18 Cisco Technology, Inc. Hierarchichal sharding of flows from sensors to collectors
US12113684B2 (en) 2015-06-05 2024-10-08 Cisco Technology, Inc. Identifying bogon address spaces
US11968103B2 (en) 2015-06-05 2024-04-23 Cisco Technology, Inc. Policy utilization analysis
US11968102B2 (en) 2015-06-05 2024-04-23 Cisco Technology, Inc. System and method of detecting packet loss in a distributed sensor-collector architecture
US11405291B2 (en) 2015-06-05 2022-08-02 Cisco Technology, Inc. Generate a communication graph using an application dependency mapping (ADM) pipeline
US11936663B2 (en) 2015-06-05 2024-03-19 Cisco Technology, Inc. System for monitoring and managing datacenters
US12212476B2 (en) 2015-06-05 2025-01-28 Cisco Technology, Inc. System and method for network policy simulation
US11368378B2 (en) 2015-06-05 2022-06-21 Cisco Technology, Inc. Identifying bogon address spaces
US20160359889A1 (en) * 2015-06-05 2016-12-08 Cisco Technology, Inc. Technologies for managing compromised sensors in virtualized environments
US10862776B2 (en) 2015-06-05 2020-12-08 Cisco Technology, Inc. System and method of spoof detection
US11252060B2 (en) 2015-06-05 2022-02-15 Cisco Technology, Inc. Data center traffic analytics synchronization
US11252058B2 (en) 2015-06-05 2022-02-15 Cisco Technology, Inc. System and method for user optimized application dependency mapping
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
US11283712B2 (en) 2016-07-21 2022-03-22 Cisco Technology, Inc. System and method of providing segment routing as a service
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US11088929B2 (en) 2017-03-23 2021-08-10 Cisco Technology, Inc. Predicting application and network performance
US11252038B2 (en) 2017-03-24 2022-02-15 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US11509535B2 (en) 2017-03-27 2022-11-22 Cisco Technology, Inc. Network agent for reporting to a network policy system
US12368629B2 (en) 2017-03-27 2025-07-22 Cisco Technology, Inc. Network agent for reporting to a network policy system
US11146454B2 (en) 2017-03-27 2021-10-12 Cisco Technology, Inc. Intent driven network policy platform
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US11202132B2 (en) 2017-03-28 2021-12-14 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US11683618B2 (en) 2017-03-28 2023-06-20 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US11863921B2 (en) 2017-03-28 2024-01-02 Cisco Technology, Inc. Application performance monitoring and management platform with anomalous flowlet resolution
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US11044170B2 (en) 2017-10-23 2021-06-22 Cisco Technology, Inc. Network migration assistant
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US10904071B2 (en) 2017-10-27 2021-01-26 Cisco Technology, Inc. System and method for network root cause analysis
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
US11750653B2 (en) 2018-01-04 2023-09-05 Cisco Technology, Inc. Network intrusion counter-intelligence
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry
US12052273B2 (en) * 2019-10-28 2024-07-30 Cisco Technology, Inc. Virtual switch-based threat defense for networks with multiple virtual network functions
US20210126927A1 (en) * 2019-10-28 2021-04-29 Cisco Technology, Inc. Virtual switch-based threat defense for networks with multiple virtual network functions
US20230116947A1 (en) * 2019-10-28 2023-04-20 Cisco Technology, Inc. Virtual switch-based threat defense for networks with multiple virtual network functions
US11558402B2 (en) * 2019-10-28 2023-01-17 Cisco Technology, Inc. Virtual switch-based threat defense for networks with multiple virtual network functions
US20240187424A1 (en) * 2020-03-20 2024-06-06 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US20210297429A1 (en) * 2020-03-20 2021-09-23 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US12231444B2 (en) * 2020-03-20 2025-02-18 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US11888876B2 (en) * 2020-03-20 2024-01-30 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US12294594B2 (en) 2020-03-20 2025-05-06 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US12301478B2 (en) 2020-03-20 2025-05-13 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US11606369B2 (en) * 2020-03-20 2023-03-14 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US12348436B2 (en) 2020-03-20 2025-07-01 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure
US20230208863A1 (en) * 2020-03-20 2023-06-29 Cisco Technology, Inc. Intelligent quarantine on switch fabric for physical and virtualized infrastructure

Also Published As

Publication number Publication date
US20130219497A1 (en) 2013-08-22
US8640239B2 (en) 2014-01-28

Similar Documents

Publication Publication Date Title
US8640239B2 (en) Network intrusion detection in a network that includes a distributed virtual switch fabric
US10812521B1 (en) Security monitoring system for internet of things (IOT) device environments
US10986120B2 (en) Selecting actions responsive to computing environment incidents based on action impact information
US10637888B2 (en) Automated lifecycle system operations for threat mitigation
EP3987421B1 (en) Adaptive scanning
EP4035328B1 (en) Anomaly detection including property changes
US10601844B2 (en) Non-rule based security risk detection
US11252183B1 (en) System and method for ransomware lateral movement protection in on-prem and cloud data center environments
US12289294B2 (en) Dynamic segmentation management
US10798061B2 (en) Automated learning of externally defined network assets by a network security device
US20060095961A1 (en) Auto-triage of potentially vulnerable network machines
US9756075B1 (en) Dynamic hiding of deception mechanism
US11848955B2 (en) Visibility and scanning of a variety of entities
US12401581B2 (en) Entity attribute designation based on logic programming
US20240303336A1 (en) Dynamic security for fabric networks
WO2023121867A1 (en) Centralized network response to mitigate a data-based security risk
JP5307238B2 (en) Intrusion prevention method and system for communication networks
US20230300141A1 (en) Network security management method and computer device
Hafeez et al. Securing edge networks with securebox
Grigorescu et al. CODA footprint continuous security management platform
US10320751B2 (en) DNS server selective block and DNS address modification method using proxy
Adim Hafshejani Design and Deployment of a Cloud Monitoring System for Enhanced Network Security
Polónio Proactive Discovery and Mitigation of Security Vulnerabilities Leveraged by Software-Defined Networks
WO2025178625A1 (en) Dynamic security for fabric networks
Sasikala et al. Secure Conserve Data Split To Avoid Network Intrusion Detection

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LUKAS, JOSHUA;RICARD, GARY R.;THOMPSON, TIMOTHY L.;SIGNING DATES FROM 20130228 TO 20130308;REEL/FRAME:030051/0377

AS Assignment

Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD., SINGAPORE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111

Effective date: 20140926

Owner name: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.,

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:034194/0111

Effective date: 20140926

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE