Identifying source of malicious network messages

US9191396B2 · US · B2

Patent metadata
Publication number: US-9191396-B2
Application number: US-22161905-A
Country: US
Kind code: B2
Filing date: Sep 8, 2005
Priority date: Sep 8, 2005
Publication date: Nov 17, 2015
Grant date: Nov 17, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

System, method and program for identifying a subset of a multiplicity of source networks. The subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same IP address. For each of the multiplicity of source networks, a determination is made whether there are fewer intervening hops from the source network to the one destination location than from the source network to other of the plurality of destination locations. If so, the source network is included in the subset. If not, the source network is not included in the subset. One application of the present invention is to identify a source of a denial of service attack. After the subset is identified, filters can be sequentially applied to block messages from respective source networks in the subset to determine which source network in the subset is sending the messages.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for identifying source of malicious network messages, said method comprising steps implemented by a computer of: identifying a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same Internet Protocol (IP) address, wherein identifying said subset comprises: the computer determining for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; responsive to a determination that there are fewer intervening hops for said each source network of said multiplicity of source networks, the computer identifying said each source network as included in said subset, and responsive to determining there are not fewer intervening hops for said each source network of said multiplicity of source networks, the computer not identifying said each source network as included in said subset; wherein one or more source networks are continuing to send messages to said one destination location, and further comprising a step of sequentially applying filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages, wherein one of said source networks in said subset has sent said messages to said one destination location and said messages are malicious.

2. A method as set forth in claim 1 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

3. A method as set forth in claim 1 wherein the determining step comprises the step of: collecting from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations.

4. A method as set forth in claim 3 wherein the determining step further comprises the step of: determining from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations.

5. A system for identifying source of malicious network messages, said system comprising: a CPU, a computer readable memory and a computer readable storage media; program instructions to identify a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same Internet Protocol (IP) address, wherein said program instructions to identify said subset comprises: first program instructions to determine for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; and second program instructions, responsive to a determination that there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to identify said each source network as included in said subset, and responsive to a determination that there are not fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, for not identifying said each source network as included in said subset; wherein one or more source networks are continuing to send messages to said one destination location, and further comprising program instructions to sequentially apply filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages, wherein one of said source networks in said subset has sent said messages to said one destination location and said messages are malicious; and wherein all of the program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.

6. A system as set forth in claim 5 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

7. A system as set forth in claim 5 wherein the determining means comprises: means for collecting from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations.

8. A system as set forth in claim 7 wherein the determining means further comprises: means for determining from said router paths a number of hops from each of said multiplicity of source networks to each of said plurality of destination locations.

9. A computer program product for source of malicious network messages, said computer program product comprising: a non-transitory computer readable storage medium; program instructions to identify a subset of a multiplicity of source networks, said subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same Internet Protocol (IP) address, wherein said program instructions to identify said subset comprises: first program instructions to determine for each of said multiplicity of source networks whether there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations; and second program instructions, responsive to a determination that there are fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to identify said each source network as included in said subset, and responsive to a determination that there are not fewer intervening hops from said each source network to said one destination location than from said each source network to other of said plurality of destination locations, to not identify said each source network as included in said subset; wherein one or more source networks are continuing to send messages to said one destination location, and further comprising program instructions to sequentially apply filters to block messages from respective source networks in said subset to determine which source network in said subset is sending said messages, wherein one of said source networks in said subset has sent said messages to said one destination location and said messages are malicious; and wherein all of said program instructions are stored on said non-transitory computer readable storage medium.

10. A computer program product as set forth in claim 9 wherein said one destination location has received many messages from a source network in said subset as part of a denial of service attack.

11. A computer program product as set forth in claim 9 wherein the first program instructions comprise: third program instructions to collect from routers information indicating a routing path from each of said multiplicity of source networks to each of said plurality of destination locations; and wherein said third program instructions are stored on said medium.

12. A computer program product as set forth in claim 11 wherein the first program instructions further comprise: fourth program instructions to determine from said router paths a number of hops from each of said multiplicity of source networks to each of said p
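The following Python is an added worked model of the procedure the claims describe; it is not code from the patent or its assignee. It follows claims 3 and 4 (derive a hop count from a router path collected for each source network and each anycast destination location), claim 1 (keep only source networks with strictly fewer hops to the attacked location than to every other location sharing the IP address, so ties are excluded), and the sequential-filter step (block one candidate at a time and watch whether the traffic stops). All network names, location labels, router names and the `simulated_probe` stand-in for observing the destination's ingress are constructed for the example.

```python
"""Added model of anycast hop-count triangulation of a DoS source (constructed data)."""
from typing import Callable, Dict, List, Optional, Set, Tuple

HopPaths = Dict[str, Dict[str, List[str]]]   # source -> destination -> routers on the path
HopCounts = Dict[str, Dict[str, int]]        # source -> destination -> number of intervening hops

# Constructed sample of routing information collected from routers (claim 3).
# Every destination location here advertises the same IP address (anycast);
# the value is the ordered list of intervening routers on the path.
ROUTER_PATHS: HopPaths = {
    "net-A": {"DC-East": ["r1", "r2"],
              "DC-West": ["r1", "r3", "r4", "r5"],
              "DC-EU":   ["r1", "r6", "r7", "r8", "r9"]},        # nearest DC-East
    "net-B": {"DC-East": ["r10", "r11", "r12"],
              "DC-West": ["r10", "r13"],
              "DC-EU":   ["r10", "r14", "r15", "r16"]},          # nearest DC-West
    "net-C": {"DC-East": ["r20", "r21"],
              "DC-West": ["r20", "r22"],
              "DC-EU":   ["r20", "r23", "r24"]},                 # tie East/West
    "net-D": {"DC-East": ["r30"],
              "DC-West": ["r30", "r31", "r32"],
              "DC-EU":   ["r30", "r31", "r33", "r34"]},          # nearest DC-East
    "net-E": {"DC-East": ["r40", "r41", "r42", "r43"],
              "DC-West": ["r40", "r41", "r42", "r43", "r44"],
              "DC-EU":   ["r40", "r45"]},                        # nearest DC-EU
}


def hop_counts(paths: HopPaths) -> HopCounts:
    """Claim 4: the number of intervening hops is the length of each router path."""
    return {src: {dst: len(path) for dst, path in dests.items()}
            for src, dests in paths.items()}


def identify_subset(hops: HopCounts, attacked: str) -> List[str]:
    """Claim 1: a source network joins the subset only if it has strictly fewer
    hops to the attacked location than to every other location sharing the IP.
    An equal count is not 'fewer', so a tied source network is left out."""
    subset: List[str] = []
    for src, per_dest in hops.items():
        to_attacked = per_dest[attacked]
        others = [n for dst, n in per_dest.items() if dst != attacked]
        if all(to_attacked < n for n in others):
            subset.append(src)
    return subset


# Given the set of currently blocked source networks, report whether the
# malicious messages are still arriving at the attacked location.
Probe = Callable[[Set[str]], bool]


def locate_sender(subset: List[str], still_arriving: Probe) -> Tuple[Optional[str], List[str]]:
    """Sequential-filter step: apply a filter for one candidate at a time; the
    first filter whose application stops the traffic names the sender.
    Returns (sender or None, the order in which filters were applied)."""
    tried: List[str] = []
    for src in subset:
        tried.append(src)
        if not still_arriving({src}):
            return src, tried
    return None, tried          # sender is not in the subset (e.g. selection was too narrow)


def simulated_probe(true_sender: str) -> Probe:
    """Constructed stand-in for watching the destination's ingress: traffic keeps
    arriving unless the actual sender sits behind the filter just applied."""
    return lambda blocked: true_sender not in blocked


if __name__ == "__main__":
    hops = hop_counts(ROUTER_PATHS)
    candidates = identify_subset(hops, "DC-East")
    sender, order = locate_sender(candidates, simulated_probe("net-D"))
    print("candidates nearer to DC-East than to any other location:", candidates)
    print("filters applied in order:", order, "-> sender:", sender)
```

The selection is driven by route topology rather than by anything carried in the messages themselves, which is why the abstract pitches it for denial-of-service traffic: the candidate set for the attacked location shrinks to the networks that anycast routing actually steers there, and the filter test then confirms the sender within that set.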

Classifications

  • Denial of Service · CPC title

  • Denial of service attacks against endpoints in a network · CPC title

  • Tracing the source of attacks · CPC title

  • Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9191396B2 cover?
System, method and program for identifying a subset of a multiplicity of source networks. The subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same IP address. For each of the multiplicity of source networks, a determination is made whether there are fewer intervening hops from the source network to the one destination…
Who is the assignee on this patent?
Nesbitt Richard E, O'Connell Brian M, Pearthree Herbert D, and 2 more
What technology area does this patent fall under?
Primary CPC classification H04L63/1408. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 17, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).