Technical Field
This application relates generally to mitigating computer network attacks and more particularly to the automated selection of an appropriate access control entity to install in a router, firewall or similar device to mitigate the attack.
Brief Description of the Related Art
It is known in the art to detect and mitigate cyber-attacks by identifying malicious network traffic and installing an appropriate access control list to block attacks from reaching protected infrastructure. One notable kind of attack is the volumetric attack, a form of denial of service (DoS) attack that overwhelms the target with sheer traffic volume; however, many kinds of attacks exist and they are continually evolving.
An access control entity (ACE) is a rule that describes parameters of traffic (for example, protocol, source and destination addresses, and ports) such that matching traffic can be denied, or permitted to the exclusion of all other traffic. An access control list (ACL) is an ordered set of one or more ACE rules used to filter network traffic. Typically it describes the parameters of traffic that should be denied. An ACL is sometimes referred to as a blacklist. As an ACL is a logical grouping of ACE rules, the ACL can be associated with a particular type of attack, or a particular type of traffic or content, or a particular type of application (e.g., one that is being protected).
ACE rules are typically installed in a network protection device such as a router, firewall, intrusion prevention device, or the like. Often, device manufacturers use different rule structures and syntax for ACEs. In other words, different manufacturers may have different ways of expressing the same logical test that defines traffic to be blocked. Once an ACE rule is installed, the implicated traffic is typically blocked on a packet-by-packet basis. That is, the ACE rules are applied to each packet in turn, resulting in a determination of whether to block the packet or allow it through.
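The following Python example illustrates the ACE/ACL model just described: a vendor-neutral ACE as a logical test over packet parameters, an ACL as an ordered list of ACEs evaluated packet by packet (first match wins, unmatched traffic falls to the list's default action), and rendering of the same ACL into two different device syntaxes. It is an added illustration, not code from this patent document or its assignee; the field names, the simplified Cisco IOS and iptables renderers, the example ACL and the sample packets are all assumptions constructed for the example.

```python
"""Vendor-neutral ACE/ACL model with packet-by-packet evaluation and
rendering into two device syntaxes (added illustration; the field names,
renderers, sample ACL and sample packets are constructed assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ACE:
    """One access control entity: a logical test over packet parameters."""
    action: str                   # "deny" or "permit"
    proto: str = "ip"             # "ip" matches any protocol; else "tcp"/"udp"/"icmp"
    src: str = "0.0.0.0/0"        # source prefix (CIDR)
    dst: str = "0.0.0.0/0"        # destination prefix (CIDR)
    dport: Optional[int] = None   # destination port; only meaningful with tcp/udp

    def matches(self, pkt: Dict) -> bool:
        """Return True when every parameter of this ACE matches the packet."""
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


class ACL:
    """Ordered ACE list: first matching ACE decides; otherwise the default
    applies (an implicit deny, as most devices behave by default)."""
    def __init__(self, name: str, aces: List[ACE], default: str = "deny"):
        self.name, self.aces, self.default = name, list(aces), default

    def evaluate(self, pkt: Dict) -> str:
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action
        return self.default

    def filter(self, pkts: List[Dict]) -> List[Dict]:
        """Packet-by-packet filtering: keep only what the ACL permits."""
        return [p for p in pkts if self.evaluate(p) == "permit"]


def _cisco_addr(prefix: str) -> str:
    """Cisco IOS address notation: any / host X / network wildcard-mask."""
    net = ip_network(prefix)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_cisco(acl: ACL, number: int = 101) -> List[str]:
    """Render as Cisco IOS numbered extended ACL lines (implicit deny at end)."""
    lines = []
    for a in acl.aces:
        port = f" eq {a.dport}" if a.dport is not None else ""
        lines.append(f"access-list {number} {a.action} {a.proto} "
                     f"{_cisco_addr(a.src)} {_cisco_addr(a.dst)}{port}")
    return lines


def render_iptables(acl: ACL, chain: str = "FORWARD") -> List[str]:
    """Render the same ACL as iptables commands, default made explicit."""
    target = {"deny": "DROP", "permit": "ACCEPT"}
    lines = []
    for a in acl.aces:
        parts = ["iptables", "-A", chain]
        if a.proto != "ip":
            parts += ["-p", a.proto]          # --dport below requires -p
        parts += ["-s", a.src, "-d", a.dst]
        if a.dport is not None:
            parts += ["--dport", str(a.dport)]
        parts += ["-j", target[a.action]]
        lines.append(" ".join(parts))
    lines.append(f"iptables -A {chain} -j {target[acl.default]}")
    return lines


# Constructed example: a customer ACL protecting a TCP-only web server at
# 203.0.113.10 during a UDP flood, plus a blocklisted source range.
CUSTOMER_ACL = ACL("customer-web", [
    ACE("deny", "udp", dst="203.0.113.10/32"),
    ACE("deny", "tcp", src="198.51.100.0/24"),
    ACE("permit", "ip", dst="203.0.113.10/32"),
])

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "192.0.2.77", "dst": "203.0.113.10", "dport": 80},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "192.0.2.8", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "192.0.2.8", "dst": "203.0.113.99", "dport": 443},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(CUSTOMER_ACL.evaluate(p), p)
    print("\n".join(render_cisco(CUSTOMER_ACL)))
    print("\n".join(render_iptables(CUSTOMER_ACL)))
```

Only the third sample packet survives: the UDP flood packet and the packet from the blocklisted range hit explicit deny ACEs, and the packet to an unprotected address falls through to the implicit deny. The two renderers show the point made above about manufacturer syntax: the same logical tests become `access-list 101 deny udp any host 203.0.113.10` on one device and `iptables -A FORWARD -p udp -s 0.0.0.0/0 -d 203.0.113.10/32 -j DROP` on another.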
In some cases, ACEs may be installed in routers, firewalls, or other devices and integrated into a dedicated infrastructure designed to analyze and if necessary block traffic on a large scale. These are sometimes referred to as a network “data cleaning center” or equivalently a “scrubbing center”. A description of a data cleaning center and associated technologies for attack mitigation can be found in U.S. Pat. No. 7,478,429, issued Jan. 13, 2009, owned by the assignee hereof, and which is hereby incorporated by reference in its entirety and for all purposes. As mentioned in that patent, a data cleaning center may have an associated security operations center (SOC), staffed 24×7 by highly-skilled professionals who monitor traffic for threats and who author and deploy appropriate ACEs on a near real-time basis. Speed and accuracy are paramount when developing ACEs. A service provider entity may operate the data cleaning center (and/or a platform of many such centers) as a multi-tenant platform to provide a network security service offering. This may be thought of as an IaaS (Infrastructure-as-a-Service). Customers may include website and enterprise network owners who desire to have their resources protected by the service provider. Each customer can be associated with a particular set of one or more ACEs (i.e., an ACL) designed to be applied to that customer's inbound traffic.
As noted above, ACEs are currently created manually by SOC personnel who compare the attack traffic against clean traffic and then compose ACEs, typically with five or more parameters. There is an inherent delay in manually creating an ACE. Furthermore, such an approach may result in an ACE that is under-inclusive (letting attack traffic through) or over-inclusive (blocking legitimate traffic). Moreover, it may fail to take advantage of pre-existing ACEs that were used against earlier attacks, thus missing an important source of institutional knowledge. As a result of these shortcomings, a manually created ACE may not be completely effective, leading to further delay as personnel identify the deficiencies in the ACE and manually refine it or create more ACEs. It would be advantageous to have the ability to promptly, automatically and accurately identify an ACE to use, preferably with a quantitative confidence score. Preferably, such a solution would be compatible with a variety of ACE formats from a wide range of device types and manufacturers.
The teachings of this patent document address and solve the problems identified above, as well as others, and as such have a variety of technical benefits and advantages.