US 8,255,996 B2

(12) United States Patent
(10) Patent No.: US 8,255,996 B2
Elrod et al.
(45) Date of Patent: Aug. 28, 2012

(54) NETWORK THREAT DETECTION AND MITIGATION

(75) Inventors: Craig T. Elrod, Santa Clara, CA (US); Prakash Kashyap, Cupertino, CA (US)

(73) Assignee: Extreme Networks, Inc., Santa Clara, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1165 days.

(21) Appl. No.: 11/322,942

(22) Filed: Dec. 30, 2005

(65) Prior Publication Data: US 2007/0157306 A1, Jul. 5, 2007

(51) Int. Cl.: H04L 29/06 (2006.01)

(52) U.S. Cl.: 726/23; 726/22; 713/189; 713/190; 713/191; 713/192; 713/193; 713/194; 713/201; 370/395.54; 370/245; 455/411

(58) Field of Classification Search: 713/189-194, 713/201; 370/395.54, 245; 726/22, 23; 455/411. See application file for complete search history.

Primary Examiner: Jeffrey Pwu
Assistant Examiner: Hee Song
(74) Attorney, Agent, or Firm: Blakely, Sokoloff, Taylor & Zafman

(57) ABSTRACT

A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

24 Claims, 3 Drawing Sheets

[Representative figure (FIG. 2, flow diagram): Automatically Detect Network Threats (210) -> Mirror Threat Traffic to Security Management (220) -> Build Model of Communication Stream to Determine Source of Threat/Attack (230) -> Redirect the Threat Traffic (240) -> Build Policy to Mitigate Threat (250) -> Enforce Policy (260)]

[Drawing sheets: Sheet 1 of 3, FIG. 1A (block diagram). Sheet 2 of 3, FIG. 1B (block diagram). Sheet 3 of 3, FIG. 2 (flow diagram, steps 210 to 260 as shown on the front page).]
NETWORK THREAT DETECTION AND MITIGATION

FIELD

Embodiments of the invention relate to network security, and more particularly to network threat detection and mitigation.

BACKGROUND

Hacking is a term that is often used to describe the acts of a computer user who trespasses on computer systems for any number of reasons. Oftentimes, these intruders hack into a system/network with the intention of launching some form of attack against the system/network. An attacker, as used herein, refers to any computer user who hacks, trespasses, or intrudes onto a computer system or network and attempts to compromise the integrity or performance of the system or network. The term attacker may also be used herein to refer to a host system or remote host through which an attack is launched (i.e. the source of harmful or potentially harmful traffic).

Attackers can be very sophisticated and difficult to detect. Most attackers operate through a remote system or even a chain of several remote systems to obscure their identity and/or location. Attackers are often very thorough and methodical in using reconnaissance to create a detailed map of a network that provides details on any network vulnerabilities.

Reconnaissance typically involves a process of gathering information, scanning the target network, and probing for weaknesses in the target network before launching an attack. In the information-gathering phase, attackers collect information about a network (e.g. a company network) in an attempt to obtain as many domain names as possible. The domain names are then used to query domain name servers (DNS servers) for network Internet Protocol (IP) addresses. This process is sometimes called footprinting. Additionally, attackers may also perform a broad sweep of a network to probe for IP addresses.

In the scanning phase, an attacker can learn which services are running on each host and which ports the services are using. Application services can be accessed from a network through a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port address.

In the final phase of reconnaissance, attackers search the target network specifically for resources such as devices and file resources in order to acquire information about network security and network vulnerabilities.

Once the reconnaissance process is complete, an attacker may launch an attack. There are many types of network attacks that can cause serious performance problems on a network. Attacks including, but not limited to, Denial of Service (DoS), Distributed DoS (DDoS), viruses, worms, polymorphic viruses, blended attacks, and Day-Zero threats can be launched against a network to disrupt configuration and routing information and physical network components. Attacks can also tie up and/or consume network bandwidth, central processing unit (CPU) time, and disk space.

One example of a DoS attack is a TCP flood attack. In a TCP flood attack, an attacker sends a flood of TCP synchronize (SYN) packets to a target system, often with a forged source address. Each of these packets is handled like a connection request by the target system. Thus, the target device responds to the request by sending a TCP synchronize/acknowledge (SYN/ACK) packet and waits for a TCP ACK packet from the attacker (or the forged source address) to complete the connection as part of the normal TCP three-way handshake used to set up a connection. However, in a TCP flood attack, no TCP ACK packet is ever sent back to the target system to complete the connection. This causes half-open connections, which tie up the target system until the attack ends.

Another example of a DoS attack is a Smurf attack, which uses the PING (Packet Internet Grouper) utility to flood a target system with PING responses. In this case, the attacker broadcasts a PING request to an entire network. However, the attacker uses a source address in the PING request to make it appear that the request is coming from the target system's IP address. Thus, a flood of PING responses is sent to the target system, bogging down the target system.

Most networks employ some form of network security to help against many of the attacks discussed above. However, many network security systems and/or devices rely on signature-based security techniques. In other words, these security systems maintain a list of known security threats, or signatures, and can only prevent or mitigate damage based on these known security threats. One problem with signature-based security is that it is not effective in preventing or mitigating unknown security threats and Day-Zero attacks. Additionally, many of today's network security systems need to be "in line" with the network to mitigate threats and can, therefore, end up being bottlenecks or points of failure.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description includes discussion of various figures having illustrations given by way of example of implementations of embodiments of the invention. The drawings should be understood by way of example, and not by way of limitation.

FIG. 1A is a block diagram of an embodiment of the invention.

FIG. 1B is a block diagram of an embodiment of the invention.

FIG. 2 is a flow diagram of an embodiment of the invention.

SUMMARY OF THE INVENTION

A threat entering a network is detected at a network switch. The switch employs a policy containing policy rules to measure and examine network traffic flows. Traffic flows meeting a certain profile or exceeding a certain threshold are considered threats and are mirrored to a security management device. The security management device is able to extract information from the mirrored traffic, including packet fields from individual packets. Additional information is sent from the switch's forwarding database to the security management device. The security management device uses the information to determine the source and/or destination of the threat. Once the source of the threat is known, the security management device redirects the traffic related to the threat. In addition, the security management device builds a policy designed to mitigate the threat. This policy is sent to the network switch that originally detected the threat. The switch enforces the policy in real-time to mitigate the threat.

DETAILED DESCRIPTION

As used herein, references to one or more "embodiments" are to be understood as describing a particular feature, structure, or characteristic included in at least one implementation of the invention. Thus, phrases such as "in one embodiment"
or "in an alternate embodiment" appearing herein describe various embodiments and implementations of the invention, and do not necessarily all refer to the same embodiment. However, they are also not necessarily mutually exclusive. Descriptions of certain details and implementations follow, including a description of the figures, which may depict some or all of the embodiments described below, as well as discussing other potential embodiments or implementations of the inventive concepts presented herein. An overview of embodiments of the invention is provided below, followed by a more detailed description with reference to the drawings.

In one embodiment of the invention, threats are detected at a network switch. As used herein, threat may refer to network traffic that is a precursor to harmful network activity or that otherwise threatens the integrity/performance of the network or a system/device on the network. The terms "threat" or "network threat" may also be used interchangeably with "attack," "network attack," "attacker," "harmful traffic," "suspicious traffic," "source," or "source of harmful traffic" as used herein.

Threats are detected by a switch using dynamic policy rules designed to detect artifacts and identify footprints of the threats. In one embodiment, the switch utilizes CLEAR-Flow technology, available from EXTREME NETWORKS, INC. of Santa Clara, Calif. Dynamic policy rules are implemented, for example, using access control lists (ACLs), which define profiles of potentially problematic network traffic flows and corresponding actions to be taken by the switch if traffic flows meeting any one of these profiles are measured. In one embodiment, a switch measures the ratio of incoming Address Resolution Protocol (ARP) requests to outgoing ARP responses in the network traffic. If the ratio is above a predetermined threshold, the switch, using dynamic policy rules, may determine that a threat exists. In another embodiment, the switch measures the ratio of incoming TCP SYN packets to outgoing TCP ACK packets. Again, if the ratio is above a predetermined threshold, the switch may determine that a threat exists.

In addition to measuring ratios of packets, ACLs may be used in a switch to measure other usage-based packet statistics including, but not limited to, cumulative counts of packets meeting a certain profile, cumulative counts of packet bytes from packets meeting a certain profile, rates, or changes in rates, at which packets are received, etc.

In one embodiment, network threats are copied and sent from the switch to a security management device for further analyzing. This process of sending copies of network threats may also be referred to as mirroring. In addition to mirroring network threats, the switch sends other useful information to the security management device, for example, using an Extensible Markup Language Interface (XML) application program interface (API). The useful information can include details from the switch's forwarding database (FDB) such as media access control (MAC) addresses, IP addresses, and corresponding switch port numbers.

The security management device is able to build communication streams with the information received from the switch to determine the exact source of a threat and/or target of attack. Building communication streams can involve identifying, analyzing, tracking, and/or extracting certain packet fields or other information from network traffic, including packets. In one embodiment, the security management device may track the Source IP Address field and the Destination IP Address field of packets to determine the source and the target of the attack. In another embodiment, the security management device uses the information from the switch's FDB to determine the source and the target of the attack. Combinations of FDB information and packet field information may also be used. Thus, the security management device is able to combine collected information to construct or build a model/representation that defines/describes the communication stream between the source and the target of an attack.

Once the source of an attack has been determined, the security management device redirects the source data stream(s). In one embodiment, redirecting involves re-writing the ARP table on the attacker's system by sending unsolicited ARP requests that substitute the MAC address of the security management device in place of the MAC address of the intended target system. In other embodiments, redirecting can be done using ACLs, policy routing, virtual local area network (VLAN) identification (ID), Hypertext Transfer Protocol (HTTP) information, or XML tags. In all embodiments, redirecting causes traffic and/or data streams from the attacker to be redirected and sent to the security management device instead of the intended target system. The security management device subsequently drops, ignores, or selectively passes the redirected traffic and/or data stream(s).

In addition to redirecting the attacker's system, the security management device dynamically builds a policy to be employed at the switch. A policy defines an action or set of actions to be carried out when a predetermined event or set of events occurs. In one embodiment, this policy causes the switch to block traffic from the source of an attack based on the IP address(es) of the attacker. In other embodiments, the policy causes the switch to block traffic based on MAC address(es), VLAN IDs, or switch port number(s) used by an attacker. Further embodiments include a policy that causes the switch to quarantine traffic from the attacker to an isolated VLAN, throttle traffic from the attacker by limiting the network bandwidth to the attacker, or warn other switches of the threat/attack.

Once a policy has been built/created, the security management device sends the policy to the switch that detected the threat, for example, using the XML API mentioned above. The switch then enforces the policy to mitigate the threat/attack.

FIG. 1A illustrates an embodiment of the invention. Harmful traffic 101 enters a network 100 through a switch 110, 120, or 130. Each switch monitors/examines every packet that arrives in real-time at a one gigabit per second (Gb/s) forwarding rate or a ten Gb/s forwarding rate. In other embodiments, the switch monitors/examines packets arriving at other forwarding rates.

In one embodiment, each switch contains a security agent 102 to monitor/examine traffic flowing through the switch. Security agents 102 each contain a policy file with access control list (ACL) rules that allow security agents 102 to collect counters and statistics on traffic flowing through switches. Additional rules are included in the policy files to monitor the ACL counters and statistics. The ACL rules also define profiles of potentially problematic network traffic flows and corresponding actions to be taken by a switch if traffic flows meeting one of these profiles are measured. The policy files may be updated dynamically, which will be discussed in more detail later. Security agents 102 may also monitor a cumulative counter, a change or delta in a counter over a time interval, the ratio of two cumulative counters, and the ratio of a change or delta in two counters over a time interval.

Each switch is capable of detecting harmful traffic 101 using the dynamic policy rules discussed above. In one embodiment, harmful traffic is detected when a ratio of measured ARP requests to ARP replies exceeds a specified threshold. In another embodiment, harmful traffic is detected when
a ratio of measured TCP SYN packets to TCP ACK packets exceeds a specified threshold. Harmful traffic is mirrored to a security management device (SMD) 140 reachable via, for example, a dedicated port, upon detection by a switch. Traffic that does not violate policy rules, however, passes through the switch normally. Only harmful or potentially harmful traffic is mirrored to SMD 140. In one embodiment, traffic mirrored to SMD is labeled with the threat-type "suspicious." Mirroring suspicious traffic to SMD 140 allows SMD 140 to operate "virtually" in-line rather than physically in-line with the network. In other words, it is not necessary for traffic to pass through SMD 140 to reach a destination because only copies of suspicious traffic are passed to SMD 140. Thus, SMD 140 operates without the latency or point-of-failure risks inherent in traditional/physical in-line operation. In one embodiment, SMD 140 is a single device deployed at the network core, illustrated in FIG. 1A. In other embodiments, SMD 140 can be deployed at different locations within the network, including at a network edge.

In another embodiment, SMD functionality is implemented using a combination of SMD 140 and a network management server 150. FIG. 1B is an illustration of yet another embodiment where SMD functionality, including threat detection logic, is implemented as an application-specific integrated circuit (ASIC) or a system-on-a-chip (SoC) within core switch 130 or any other network switch.

SMD 140 uses behavior-based threat detection methods to further classify, analyze and/or mitigate suspicious traffic mirrored from a switch. In one embodiment, SMD 140 builds a communication stream by extracting information from suspicious traffic. Building a communication stream involves assembling information that allows SMD 140 to characterize the exact source and destination of the suspicious traffic. In one embodiment, the information extracted by SMD 140 includes source and destination IP addresses from the address fields of packets. In another embodiment, each switch forwards information from its forwarding database (FDB) to SMD 140 using an XML application program interface (API). The forwarded information correlates MAC addresses with IP addresses and port numbers. SMD 140 uses this information to determine the exact source and destination of the suspicious traffic.

Network threats/attackers typically conduct network reconnaissance, including probing the network's address space. Most networks actually utilize only a portion of the available address space. Thus, in one embodiment, SMD 140 uses virtual decoys in the unused address space of the network to identify threats conducting reconnaissance. In another embodiment, SMD 140 provides false data about the network's topology to the source of a threat to interfere with attempts to acquire precise data about operating systems and application versions present on the network. Providing false data about the network's topology can delay the launch of an attack, creating more time to mitigate a threat and potentially prevent an attack altogether.

Having determined the exact source (e.g. MAC address) and destination of suspicious traffic, SMD 140 continues to monitor the suspicious traffic. In one embodiment, SMD 140 uses internal policy rules to further analyze suspicious traffic and, when conditions are met, escalate the threat-type from "suspicious" to "yellow alert." SMD 140 sends a dynamic ACL to security agent(s) 102 to further refine the policy for suspicious traffic flows. The ACL is dynamic in the sense that it is automatically sent to security agent(s) 102 in response to measured traffic flows—no network administrator/operator action or intervention is needed. Security agent(s) 102 apply the dynamic ACL at the respective switch(es) in real-time while the switch(es) continue(s) to mirror suspicious traffic to SMD 140.

While monitoring suspicious traffic and updating policy files in security agents 102, SMD 140 may also determine that suspicious traffic is actually harmful traffic representing a real threat to the integrity/stability of the network or a client/server operating on the network. In one embodiment, SMD 140 escalates the threat type from "yellow alert" to "red alert" when a real threat is detected and takes action(s) to mitigate the threat.

In one embodiment, SMD 140 redirects the source data stream (i.e. the source of the suspicious traffic), for example, in response to the red alert threat level. Redirecting is the redirecting of network traffic (e.g. packets, data streams, etc.) from an intended destination to an alternate destination where the redirection is not initiated by the source of the traffic. In other words, redirecting occurs when an attacker sends harmful or suspicious traffic to an intended destination and something/someone other than the attacker initiates a redirection of that traffic to an alternate destination. In most cases, the attacker will be unaware of the redirection of traffic, though it is not necessary that the attacker be unaware of this redirection.

In one embodiment, SMD 140 redirects the source data stream by reformulating the ARP tables of the source computer system. ARP table reformulation involves sending unsolicited ARP responses to the source computer system. Once received, these unsolicited ARP responses substitute the MAC address of SMD 140 in place of the MAC address of the intended destination/target system. Thus, the ARP reformulation causes all traffic from the source computer system that is intended for a particular target system to be received instead by SMD 140. In other embodiments, redirecting can be done using ACLs, policy routing, virtual local area network (VLAN) identification (ID), Hypertext Transfer Protocol (HTTP) information, or XML tags. In each of the above examples, SMD 140 initiates the redirecting process that causes traffic intended for a particular target system to be redirected to SMD 140.

SMD 140 can handle redirected traffic (e.g. packet traffic) in different ways. SMD 140 may ignore redirected packet traffic or silently discard it. In either case, the effect is that SMD 140 becomes a dead end for this traffic, thus eliminating any potential harm to the network from the traffic. However, if traffic flow conditions change or SMD 140 otherwise determines that certain packets are harmless, those packets may be forwarded to their originally intended destination.

In addition to redirecting the source data stream, SMD 140 builds a policy to mitigate the threat and/or block the source of the attack. In one embodiment, a policy engine 142 automatically generates policy rules for the policy. In another embodiment, NMS 150 generates policy rules for the policy.

In one embodiment, the policy is designed to cause network switches to block traffic based on the IP address(es) of the attacker. In other words, all traffic having a particular source IP address or source/destination IP address combination is blocked when detected at one of the network switches. In other embodiments, the policy causes network switches to block traffic based on MAC address(es), VLAN ID(s), switch port number(s), or other identifying information.

It is not necessary that the policy cause a switch to block traffic. Alternative embodiments may include a policy that causes a switch to quarantine harmful traffic to an isolated VLAN, throttle traffic from the attacker by limiting the network bandwidth available to the attacker, or warn other switches of the threat/attack.
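The detection, mirroring, stream-building and policy steps described above, as an added worked example; this is not code from the patent or from Extreme Networks' CLEAR-Flow. It applies the two per-source ratio rules to counter deltas over one measurement interval, correlates each flagged source with a constructed FDB export to pin down its MAC address and switch port, escalates the threat type from "suspicious" through "yellow alert" to "red alert" when decoy address space is probed, and emits block, throttle and mirror rules. The thresholds, escalation criteria, rule syntax and sample traffic are all assumptions.

```python
from collections import Counter, namedtuple
# proto: "arp" or "tcp"; kind: arp "request"/"reply", tcp "syn"/"ack"
Packet = namedtuple("Packet", "proto kind src_ip dst_ip")

class SecurityAgent:
    """Switch-side agent: ACL-style cumulative counters and threshold rules on their deltas."""

    def __init__(self, max_ratio=4.0, min_packets=10):   # thresholds are assumptions
        self.max_ratio, self.min_packets = max_ratio, min_packets
        self.counters = Counter()   # cumulative, like a hardware ACL counter
        self.snapshot = Counter()   # counter values at the last interval boundary

    def observe(self, pkt):
        # Attribute a packet to the host it characterises: requests/SYNs to their sender,
        # ARP replies to the host answered, handshake ACKs to the sender completing it.
        host = pkt.dst_ip if (pkt.proto, pkt.kind) == ("arp", "reply") else pkt.src_ip
        self.counters[(host, pkt.proto, pkt.kind)] += 1

    def end_interval(self):
        """Per-host change in each counter since the last interval, then roll over."""
        delta = Counter({k: v - self.snapshot[k] for k, v in self.counters.items()})
        self.snapshot = Counter(self.counters)
        return delta

    def evaluate(self, delta):
        """Apply the two ratio rules from the text; returns {host: rule} to mirror to the SMD."""
        flagged = {}
        for host in {h for (h, _, _) in delta}:
            for proto, num_kind, den_kind, rule in (
                    ("arp", "request", "reply", "arp-request-ratio"),
                    ("tcp", "syn", "ack", "tcp-syn-ratio")):
                num, den = delta[(host, proto, num_kind)], delta[(host, proto, den_kind)]
                ratio = num / den if den else float("inf")   # never answered at all
                if num >= self.min_packets and ratio > self.max_ratio:   # enough traffic to judge
                    flagged[host] = rule
        return flagged

class SecurityManagementDevice:
    """Models the communication stream from mirrored packet fields plus the switch's FDB
    export, escalates the threat type, and emits policy rules for the switch. The
    escalation criteria and the rule syntax are constructed for this example."""

    def __init__(self, fdb, unused_space):
        self.fdb = fdb                    # {ip: (mac, switch_port)} from the XML API
        self.unused = set(unused_space)   # address space with no real host (decoys)

    def build_stream(self, src_ip, mirrored):
        mac, port = self.fdb.get(src_ip, (None, None))
        targets = {p.dst_ip for p in mirrored if p.src_ip == src_ip}
        return {"src_ip": src_ip, "src_mac": mac, "switch_port": port,
                "targets": targets, "decoy_hits": targets & self.unused}

    def classify(self, stream):
        if stream["decoy_hits"]:          # probing decoy space is treated as a real threat
            return "red alert"
        return "yellow alert" if len(stream["targets"]) >= 5 else "suspicious"

    def build_policy(self, stream, level):
        rules = []
        if level == "red alert":
            rules.append(f"deny ip src {stream['src_ip']} any")
            if stream["src_mac"]:
                rules.append(f"deny mac src {stream['src_mac']} any")
        elif level == "yellow alert":
            rules.append(f"rate-limit ip src {stream['src_ip']} 64kbps")
        rules.append(f"mirror ip src {stream['src_ip']} to smd-port")   # keep watching
        return rules

def constructed_traffic():
    """Constructed sample: 10.0.0.99 ARP-scans 30 addresses (only 5 answer); 10.0.0.5
    makes three answered ARP lookups and twelve complete TCP handshakes."""
    pkts = [Packet("arp", "request", "10.0.0.99", f"10.0.0.{100 + i}") for i in range(30)]
    pkts += [Packet("arp", "reply", f"10.0.0.{100 + i}", "10.0.0.99") for i in range(5)]
    for i in range(3):
        pkts += [Packet("arp", "request", "10.0.0.5", f"10.0.0.{10 + i}"),
                 Packet("arp", "reply", f"10.0.0.{10 + i}", "10.0.0.5")]
    pkts += [Packet("tcp", k, "10.0.0.5", "10.0.0.10") for _ in range(12) for k in ("syn", "ack")]
    return pkts

FDB = {"10.0.0.99": ("00:11:22:33:44:99", 7), "10.0.0.5": ("00:11:22:33:44:05", 2)}
UNUSED = {f"10.0.0.{i}" for i in range(120, 130)}   # constructed decoy address space

def run_pipeline(packets=None):
    """Detect at the switch, mirror only flagged flows, model and classify at the SMD."""
    packets = constructed_traffic() if packets is None else packets
    agent = SecurityAgent()
    for p in packets:
        agent.observe(p)
    flagged = agent.evaluate(agent.end_interval())
    smd = SecurityManagementDevice(FDB, UNUSED)
    results = {}
    for host, rule in flagged.items():
        mirrored = [p for p in packets if host in (p.src_ip, p.dst_ip)]   # copies only
        stream = smd.build_stream(host, mirrored)
        level = smd.classify(stream)
        results[host] = {"rule": rule, "level": level, "stream": stream,
                         "policy": smd.build_policy(stream, level)}
    return results
```

Running `run_pipeline()` flags only the scanning host, resolves it to port 7 and its MAC address, and produces a red-alert policy; the normal host's answered lookups and complete handshakes never leave the switch.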
After the policy has been built/created, it is sent from SMD 140 to the switch(es). In one embodiment, SMD 140 sends the policy to all switches. In another embodiment, SMD 140 sends the policy only to one switch. For example, if only a single switch stands logically between an attacker and the rest of the network, SMD 140 may only need to send the policy to that single switch. Security agent 102 implements the policy in real-time once it is received at the switch to mitigate harmful traffic.

FIG. 2 is a flow diagram illustrating an embodiment of the invention. When a threat enters the network it is automatically detected 210. The network has the capability of measuring traffic flows. In one embodiment, a switch or other network device measures the ratio of incoming ARP requests to outgoing ARP responses in the network traffic. If the ratio is above a predetermined threshold, the switch or other network device, using dynamic policy rules, may determine that a threat exists. In another embodiment, the switch or other network device measures the ratio of incoming TCP SYN packets to outgoing TCP ACK packets. Again, if the ratio is above a predetermined threshold, the switch or other network device may determine that a threat exists.

In addition to measuring ratios of packets, ACLs may be used in a switch to measure other usage-based packet statistics including, but not limited to, cumulative counts of packets meeting a certain profile, cumulative counts of packet bytes from packets meeting a certain profile, rates at which packets are received, etc.

When a switch or other device determines that a traffic flow has exceeded a predetermined threshold, meets a certain profile, or is otherwise a threat, the switch/device mirrors that traffic flow to security management 220. In one embodiment, a security management device having a dedicated port to receive mirrored threat traffic handles security management. In another embodiment, a security management device shares security management tasks with a network management server. In yet another embodiment, security management functionality is implemented on an ASIC within a network switch. Security management can extract information from the mirrored threat traffic flows, including packet fields from individual packets. Thus, security management can extract source and destination IP address fields from packets in the mirrored threat traffic.

In one embodiment, the switch or other network device that detects a threat sends other information to security management in addition to mirroring the threat traffic flow, including information from the switch's forwarding database that correlates MAC addresses with IP addresses and/or port numbers. With this information, security management re-creates, or builds, a model of the communication stream between the source of the threat traffic and the intended destination of the threat traffic to determine the exact source and intended destination of the threat/attack 230.

Once the source of the threat traffic is known, security management redirects the threat traffic 240. Redirecting is the redirecting of network traffic (e.g. packets, data streams, etc.) from an intended destination to an alternate destination where the redirection is not initiated by the source of the traffic. In other words, redirecting occurs when an attacker, having intended to send traffic to a particular destination, sends the traffic to an alternate destination due to some form of traffic

[...]

identification (ID), Hypertext Transfer Protocol (HTTP) information, or XML tags. In each of the above examples, security management initiates the redirecting process that causes traffic intended for a particular target system to be redirected to an alternate destination. In one embodiment, threat traffic is redirected to a security management device connected to a switch. In another embodiment, threat traffic is redirected to a particular switch having security management functionality. In yet another embodiment, redirecting causes threat traffic to be redirected to a network management server.

Security management also dynamically builds/creates a policy to mitigate the threat 250. In one embodiment, security management generates policy rules that cause a switch or other network device to block all incoming traffic from a particular source or block traffic having a particular destination. In other embodiments, the switch redirects traffic based on MAC addresses or IP addresses detected in incoming traffic. Other characteristics or profiles may also be used in determining which traffic to block. In addition to blocking traffic, policy rules can be created to cause a switch or other network device to throttle traffic from a particular source or throttle traffic traveling toward a particular destination. Other embodiments include rules for quarantining threat traffic to a designated VLAN and rules that cause other network switches or devices to be warned of a threat/attack.

Once a policy has been created, it is sent to one or more network switches/devices, where it is enforced 260. Network switches/devices continue to monitor/examine traffic in real time. As conditions or traffic flows change, security management may modify the policy for a particular switch/device or set of switches/devices.

What is claimed is:

1. In a security management device, a method of detecting and mitigating a network threat, comprising:

providing false data about a network topology in which the security management device operates to a source of a network threat, wherein the false data is provided by the security management device responsive to a probe received at a virtual decoy established by the security management device within otherwise unused address space available to the network topology;

receiving mirrored traffic from a network switch communicably interfaced with the security management device, wherein the mirrored traffic is a copy of traffic in a communication stream initially received at the network switch and suspected to be undesired traffic by the network switch, and wherein the security management device is to conduct threat analysis on the mirrored network traffic received;

analyzing the mirrored traffic to determine the source of the undesired traffic and the network threat based on information within the mirrored traffic and based on information provided by the network switch;

causing the communication stream initially received at the network switch to be sent from the source of the undesired traffic and the network threat to the security management device instead of the network switch targeted by the source using a reformulated ARP table of the source, and based further on one or more of Access Control Lists (ACLs), policy-based routing, Virtual Local Area Network Identifications (VLAN IDs),
redirection not initiated/intended by the attacker. HyperText Transfer Protocol (HTTP) information, or
In one embodiment, security management redirects the Extensible Markup Language (XML) tags; and
threat traffic by reformulating the ARP tables of the source blocking traffic from the source of the undesired traffic and
computer system (i.e. the computer system sending the threat 65 the network threat at the security management device.
traffic). In other embodiments, redirecting can be done using 2. The method of claim 1, wherein the traffic in the com
ACLs, policy routing, virtual local area network (VLAN) munication stream initially received at the network switch is
suspected to be undesired traffic based on:
   measuring a ratio of Address Resolution Protocol (ARP) requests to ARP replies in a network traffic stream; and
   comparing the measured ratio to a threshold ratio.

3. The method of claim 1, wherein the traffic in the communication stream initially received at the network switch is suspected to be undesired traffic based on:
   measuring a ratio of Transmission Control Protocol (TCP) SYN packets to TCP ACK packets in a network traffic stream; and
   comparing the measured ratio to a threshold.

4. The method of claim 1, wherein analyzing the mirrored traffic to determine the source comprises determining a Media Access Control (MAC) address of the source.

5. The method of claim 1, further comprising determining a destination for the undesired traffic.

6. The method of claim 5, wherein the source and destination addresses are Internet Protocol (IP) addresses.

7. The method of claim 6, wherein determining the source and destination addresses comprises extracting a source IP address and a destination IP address from a header of an IP packet in the undesired traffic.

8. The method of claim 1, wherein causing the communication stream initially received at the network switch to be sent from the source to the security management device comprises causing traffic originating from the source to be sent directly to the security management device.

9. The method of claim 1, wherein the reformulated ARP table of the source causes traffic originating from the source to be sent to an address of the security management device.

10. The method of claim 1, wherein causing the communication stream initially received at the network switch to be sent to the security management device comprises causing traffic from the source to be redirected to the security management device.

11. The method of claim 1, further comprising sending a policy to one or more network switches communicably interfaced with the security management device to block traffic from the source, wherein one of the one or more network switches is a switch that is nearest to the source.

12. A system for detecting and mitigating a network threat, comprising:
   a security management device to provide false data about a network topology in which the security management device operates to a source of a network threat, wherein the false data is provided by the security management device responsive to a probe received at a virtual decoy established by the security management device within otherwise unused address space available to the network topology;
   a network switch communicably interfaced with the security management device to automatically detect undesired traffic in a communication stream received at the network switch;
   the network switch to further mirror the automatically detected undesired traffic to the security management device for threat analysis on the automatically detected undesired traffic received;
   the security management device to further:
      receive undesired traffic mirrored from the switch;
      determine the source of the undesired traffic and the network threat based on forwarding database (FDB) information received from the network switch;
      cause the communication stream initially received at the network switch to be sent from the source of the undesired traffic and the network threat to the security management device instead of the network switch targeted by the source using a reformulated ARP table of the source, and based further on one or more of Access Control Lists (ACLs), policy-based routing, Virtual Local Area Network Identifications (VLAN IDs), HyperText Transfer Protocol (HTTP) information, or Extensible Markup Language (XML) tags; and
      block traffic from the source of the undesired traffic and the network threat at the security management device.

13. The system of claim 12, where the security management device is virtually in-line within the network and not physically in-line with the network, and wherein only copies of traffic suspected to be undesired traffic are passed to the security management device.

14. The system of claim 12, wherein the security management device causes the communication stream to be redirected from the source of the undesired traffic to the security management device.

15. The system of claim 12, wherein the security management device receives undesired traffic on a dedicated port.

16. An apparatus for detecting and mitigating a network threat, the apparatus comprising:
   means for providing false data about a network topology in which the security management device operates to a source of a network threat, wherein the false data is provided by the security management device responsive to a probe received at a virtual decoy established by the security management device within otherwise unused address space available to the network topology;
   means for receiving mirrored traffic from a network switch communicably interfaced with the security management device, wherein the mirrored traffic is a copy of traffic in a communication stream initially received at the network switch and suspected to be undesired traffic by the network switch, and wherein the security management device is to conduct threat analysis on the mirrored network traffic received;
   means for analyzing the mirrored traffic to determine the source of the undesired traffic and the network threat based on information within the mirrored traffic and based on information provided by the network switch;
   means for causing the communication stream initially received at the network switch to be sent from the source of the undesired traffic and the network threat to the security management device instead of the network switch targeted by the source using a reformulated ARP table of the source, and based further on one or more of Access Control Lists (ACLs), policy-based routing, Virtual Local Area Network Identifications (VLAN IDs), HyperText Transfer Protocol (HTTP) information, or Extensible Markup Language (XML) tags; and
   means for blocking traffic from the source of the undesired traffic and the network threat at the security management device.

17. The apparatus of claim 16, further comprising:
   means for measuring a ratio of Address Resolution Protocol (ARP) requests to ARP replies in a network traffic stream; and
   means for comparing the measured ratio to a threshold ratio to determine whether traffic in the communication stream is suspected to be the undesired traffic.

18. The apparatus of claim 16, further comprising:
   means for measuring a ratio of Transmission Control Protocol (TCP) SYN packets to TCP ACK packets in a network traffic stream; and
   means for comparing the measured ratio to a threshold to determine whether traffic in the communication stream is suspected to be the undesired traffic.

19. The apparatus of claim 16, further comprising means for determining the source of the threat and/or the undesired traffic received based on a Media Access Control (MAC) address of the source.
20. The apparatus of claim 16, further comprising means for determining a destination for the undesired traffic.

21. The apparatus of claim 16, wherein the means for causing the communication stream initially received at the network switch to be sent from the source to the security management device comprises causing traffic originating from the source to be sent directly to the security management device.

22. The apparatus of claim 16, wherein the reformulated ARP table of the source causes traffic originating from the source to be sent to an address of the security management device.

23. The apparatus of claim 16, wherein the means for causing the communication stream initially received at the network switch to be sent to the security management device comprises causing traffic from the source to be redirected to the security management device.

24. The apparatus of claim 16, further comprising means for automatically sending a policy to one or more network switches communicably interfaced with the security management device to block traffic from the source, wherein one of the one or more network switches is a switch that is nearest to the source.
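The detection test of claims 2, 3, 17 and 18 (ARP request/reply and TCP SYN/ACK ratios against a threshold) and the source-attribution step 230 / claim 4 (correlating the source IP with a MAC and switch port via the forwarding database), worked as an added illustration that is not code from the patent: the packet records, the FDB contents and the threshold values are all constructed here, since the patent names no thresholds.

```python
"""Ratio-based detection and FDB source attribution (added illustration).
Constructed packet records stand in for the switch's per-flow counters and
a constructed forwarding database (FDB) stands in for the MAC/IP/port table
the switch forwards alongside the mirrored traffic."""
from collections import Counter

# Constructed sample of a mirrored stream: (source IP, protocol, packet kind).
SAMPLE_STREAM = (
    [("10.0.0.5", "arp", "request")] * 40 + [("10.0.0.5", "arp", "reply")] * 2
    + [("10.0.0.7", "tcp", "syn")] * 30 + [("10.0.0.7", "tcp", "ack")] * 3
    + [("10.0.0.9", "tcp", "syn")] * 5 + [("10.0.0.9", "tcp", "ack")] * 5
    + [("10.0.0.9", "arp", "request")] * 2 + [("10.0.0.9", "arp", "reply")] * 2
)

# Constructed FDB as sent by the switch: MAC -> (IP address, switch port).
SAMPLE_FDB = {
    "00:11:22:33:44:55": ("10.0.0.5", 3),
    "00:11:22:33:44:66": ("10.0.0.7", 7),
    "00:11:22:33:44:77": ("10.0.0.9", 12),
}

def ratio(num, den):
    """Requests-to-replies style ratio. No requests at all means nothing to
    flag (0.0); requests with zero replies is an unbounded ratio (inf)."""
    if num == 0:
        return 0.0
    return float("inf") if den == 0 else num / den

def suspicious_sources(stream, arp_threshold=5.0, syn_threshold=5.0):
    """Per source IP, compare the ARP request/reply ratio (claim 2) and the
    TCP SYN/ACK ratio (claim 3) to assumed thresholds; return the sources
    that exceed either, with the reason(s)."""
    counts = Counter(stream)
    flagged = {}
    for src in sorted({src for src, _, _ in stream}):
        arp = ratio(counts[(src, "arp", "request")], counts[(src, "arp", "reply")])
        syn = ratio(counts[(src, "tcp", "syn")], counts[(src, "tcp", "ack")])
        reasons = [name for name, val, thr in
                   (("arp_ratio", arp, arp_threshold), ("syn_ratio", syn, syn_threshold))
                   if val > thr]
        if reasons:
            flagged[src] = reasons
    return flagged

def attribute_source(src_ip, fdb):
    """Step 230 / claim 4: resolve a flagged source IP to the MAC address and
    switch port recorded in the FDB, so the nearest switch can be policied."""
    for mac, (ip, port) in fdb.items():
        if ip == src_ip:
            return {"ip": ip, "mac": mac, "port": port}
    return None  # source not in the FDB: attribution needs more data

if __name__ == "__main__":
    for ip, why in suspicious_sources(SAMPLE_STREAM).items():
        print(ip, why, attribute_source(ip, SAMPLE_FDB))
```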