-
Publication number: US07464398B2
Publication date: 2008-12-09
Application number: US10440233
Filing date: 2003-05-19
CPC classification: H04L63/1458 , H04L29/06 , H04L47/50 , H04L67/322 , H04L69/329
Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address is known to be legitimate, as recorded in a source table, the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, their source address is stored in a different source table, and they are serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
-
Publication number: US07284269B2
Publication date: 2007-10-16
Application number: US10156083
Filing date: 2002-05-29
CPC classification: H04L63/0227 , H04L63/0263
Abstract: A communications security system has been described. The security system, in the form of a firewall, is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall, where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.
-
Publication number: US07284272B2
Publication date: 2007-10-16
Application number: US10158115
Filing date: 2002-05-31
CPC classification: H04L63/1408 , H04L63/1458
Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.
-
Publication number: US07114182B2
Publication date: 2006-09-26
Application number: US10158116
Filing date: 2002-05-31
CPC classification: H04L63/1408 , H04L63/1416 , H04L63/1425 , H04L63/1458
Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and FIN packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts is determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.
-
Publication number: US07457867B2
Publication date: 2008-11-25
Application number: US10684510
Filing date: 2003-10-15
Applicants: Brett Howard , Paul Kierstead
Inventors: Brett Howard , Paul Kierstead
IPC classification: G06F13/00
CPC classification: H04L63/1408 , G06F21/552 , G06F2221/2101 , H04L41/06 , H04L41/28 , H04L43/00 , H04L63/08 , H04L63/123 , H04L69/326
Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.
-
Publication number: US07283461B2
Publication date: 2007-10-16
Application number: US10224507
Filing date: 2002-08-21
Applicants: Scott D'Souza , Paul Kierstead
Inventors: Scott D'Souza , Paul Kierstead
CPC classification: H04L63/1458 , H04L43/00
Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.
-
Publication number: US07190671B2
Publication date: 2007-03-13
Application number: US10224506
Filing date: 2002-08-21
Applicants: Scott D'Souza , Paul Kierstead
Inventors: Scott D'Souza , Paul Kierstead
CPC classification: H04L63/1458
Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system, and packets which are not synchronized with the pulse generator are passed through the system normally.
-
Publication number: US20050086370A1
Publication date: 2005-04-21
Application number: US10684510
Filing date: 2003-10-15
Applicants: Brett Howard , Paul Kierstead
Inventors: Brett Howard , Paul Kierstead
CPC classification: H04L63/1408 , G06F21/552 , G06F2221/2101 , H04L41/06 , H04L41/28 , H04L43/00 , H04L63/08 , H04L63/123 , H04L69/326
Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.
-
Publication number: US06529513B1
Publication date: 2003-03-04
Application number: US09244204
Filing date: 1999-02-04
Applicants: Brett Howard , Andrew Robison , Roy Pereira , Paul Kierstead , Gabor Solymar
Inventors: Brett Howard , Andrew Robison , Roy Pereira , Paul Kierstead , Gabor Solymar
IPC classification: H04J302
CPC classification: H04L41/0893 , H04L41/12 , H04L63/0272 , H04L63/0435 , H04L63/0823 , H04L63/083 , H04L63/102 , H04L63/123 , H04L63/20 , Y10S370/911
Abstract: A method and system for providing routing information for use in virtual private networks is disclosed. The method supports a variety of different secure network topologies. According to the method, a static map is generated including information on each static gateway and the resources accessible through it. The map also contains security information for accessing and authenticating a gateway.
-
Publication number: US06353886B1
Publication date: 2002-03-05
Application number: US09198609
Filing date: 1998-11-24
Applicants: Brett Howard , Paul Kierstead , Gabor Solymar , Andrew Robison , Roy Pereira , Lucien Marcotte
Inventors: Brett Howard , Paul Kierstead , Gabor Solymar , Andrew Robison , Roy Pereira , Lucien Marcotte
IPC classification: G06F126
CPC classification: H04L41/0893 , H04L41/12 , H04L63/0272 , H04L63/0435 , H04L63/0823 , H04L63/083 , H04L63/102 , H04L63/123 , H04L63/20 , Y10S370/911
Abstract: A method and system for implementing network policy is described. The method involves storing policy data as certificates in a certificate database server. Upon retrieval, a policy is validated as properly certified prior to use. When a policy fails validation, this indicates tampering or improper policy data entry. When policy data is successfully validated, the policy is implemented.
-