 Method for automatic intrusion detection and deflection in a network

Details
Inventors: Comay, Oded; Shikmoni, Doron; Yeshurun, Yehezkel; Amir, Oded
Assignee: Forescout Technologies Inc. (Wilmington, DE)
Primary Examiner: Hayes; Gail
Assistant Examiner: Revak; Christopher A.
Attorney, Agent or Firm: Friedman; Mark M.

A method and a system for providing security to a network by at least identifying an unauthorized user who is attempting to gain access to a node on the network, and preferably by then actively blocking that unauthorized user from further activities. Detection is facilitated by providing a "mark", or specially crafted false data, which the unauthorized user gathers during the information collection stage performed before an attack. The mark is designed such that any attempt by the unauthorized user to use such false data results in the immediate identification of the unauthorized user as hostile, and indicates that an intrusion of the network is being attempted. Preferably, further access to the network is then blocked by diverting traffic from the unauthorized user to a secure zone, where the activities of the unauthorized user can be contained without damage to the network.

DETAILED DESCRIPTION OF THE INVENTION
The present invention is of a method and a system for providing security to a network by at least identifying an unauthorized user who is attempting to gain access to a node on the network, and preferably by then actively blocking that unauthorized user from further activities.
Detection is facilitated by providing a "mark", or specially crafted false data, which the unauthorized user gathers during the information collection stage performed before an attack.
The information collection stage typically involves a process of probing the network in order to collect information concerning the vulnerabilities and weaknesses of the network.
The mark is designed such that any attempt by the unauthorized user to use such false data results in the immediate identification of the unauthorized user as hostile, and indicates that an intrusion of the network is being attempted.
Once the unauthorized user has been identified as hostile, a few possibilities are available.
In an active embodiment of the method of the present invention, further activities by the unauthorized user are proactively handled, preferably by being blocked.
More preferably, traffic from the source controlled by the unauthorized user is diverted to a secure zone of the network, in which the intruder cannot cause actual damage.
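The sequence described above (plant a mark, serve it only in reconnaissance responses, flag any source that later uses it, and divert that source's traffic to a secure zone) as a small, self-contained simulation. This is an added example and is not code from the patent or from Forescout; the host names, addresses, the decoy host and credential used as marks, and the secure zone address are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MarkDetector:
    """Plants false data ('marks'), watches for its use, and deflects the user.

    Constructed example; addresses and names below are assumptions, not real.
    """
    real_hosts: Dict[str, str]                      # hostname -> address of genuine nodes
    secure_zone: str = "10.99.0.1"                  # assumed containment address
    marks: Dict[str, str] = field(default_factory=dict)   # false datum -> description
    hostile: Set[str] = field(default_factory=set)        # sources identified as hostile
    log: List[str] = field(default_factory=list)

    def plant_marks(self) -> None:
        # A mark must be data no legitimate user could ever produce: here an
        # address with no node behind it and an account that does not exist.
        self.marks["10.0.0.250"] = "decoy host 'backup-db' (no such node)"
        self.marks["svc_backup:Backup-2024!"] = "decoy credential (no such account)"

    def answer_probe(self, src: str, kind: str):
        """Reconnaissance responses: genuine data mixed with the marks."""
        if kind == "host-scan":
            hosts = dict(self.real_hosts)
            hosts["backup-db"] = "10.0.0.250"       # the decoy rides along
            return hosts
        if kind == "cred-dump":
            return ["svc_backup:Backup-2024!"]
        return None

    def _mark_used(self, dst: str, payload: str) -> Optional[str]:
        if dst in self.marks:
            return dst
        for m in self.marks:
            if m in payload:
                return m
        return None

    def handle(self, src: str, dst: str, payload: str = "") -> str:
        """Return the address the packet is actually delivered to."""
        if src not in self.hostile:
            hit = self._mark_used(dst, payload)
            if hit is not None:
                # First use of a mark: immediate identification as hostile.
                self.hostile.add(src)
                self.log.append(f"{src}: used {self.marks[hit]} -> flagged hostile")
        if src in self.hostile:
            # Active embodiment: all further traffic goes to the secure zone.
            self.log.append(f"{src} -> {dst} diverted to {self.secure_zone}")
            return self.secure_zone
        return dst


def simulate() -> Tuple[dict, List[str]]:
    """Run a constructed scenario: one legitimate user, two sources using marks."""
    det = MarkDetector(real_hosts={"web": "10.0.0.10", "db": "10.0.0.20"})
    det.plant_marks()
    recon = det.answer_probe("203.0.113.7", "host-scan")   # attacker's recon sees the decoy
    results = {
        "legit_to_db": det.handle("10.0.0.55", "10.0.0.20"),
        "attacker_to_decoy": det.handle("203.0.113.7", recon["backup-db"]),
        "attacker_to_real_after": det.handle("203.0.113.7", "10.0.0.20"),
        "second_source_uses_decoy_cred": det.handle(
            "198.51.100.9", "10.0.0.20", payload="login svc_backup:Backup-2024!"),
        "hostile": sorted(det.hostile),
    }
    return results, det.log


if __name__ == "__main__":
    outcome, events = simulate()
    for line in events:
        print(line)
    print(outcome)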
The principles and operation of a method and a system according to the present invention may be better understood with reference to the drawings and the accompanying description, it being understood that these drawings are given for illustrative purposes only and are not meant to be limiting.
Although the following description centers upon a packet-switched network, in which communication is performed and data is transmitted in the form of packets, it is understood that this is for the purposes of description only, and is without any intention of being limiting, as the present invention is also operable with other types of networks.
Referring now to the drawings, FIG




Copyright (c)2006 Eipa-patents.org - All rights reserved