GB2424291A - Blocking network attacks based on device vulnerability - Google Patents
- Publication number
- GB2424291A
- Authority
- GB
- United Kingdom
- Prior art keywords
- attack
- data
- attacks
- network
- vulnerable
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
A system for preventing software based attacks on one or more devices 5a-5c on a network 1 comprises a scanner 11, an attack prevention device 13 and a data blocker 15 e.g. firewall. The scanner periodically monitors the devices to determine the extent to which each device is vulnerable to attacks. The attack prevention device receives the data from the scanner and stores it in a database. The data blocker detects attacks contained in data being transmitted to the network and selectively blocks the data according to the information stored in the database. If an attack is not effective on the device to which it is addressed the data is allowed to pass. In one embodiment detected attacks may be assigned different priority levels, e.g. an attack which is addressed to a vulnerable device may be assigned a higher priority level than an attack which is addressed to a device which is only partly vulnerable to the attack. The system may issue warnings to a user when an effective attack is detected. This relieves the user from having to deal with spurious warnings.
Description
ATTACK PREVENTION
The present invention relates to network based systems for detecting and preventing software attacks to devices on the network.
A typical network comprises a plurality of inter-connected devices, often known as host devices, which may communicate with one another over the network. One problem associated with networks is that of hacking, in which a hacker in control of one device on the network attempts to gain unauthorised access to or control of another device on the network for illegitimate or malicious reasons. For example, a hacker may attempt to access sensitive data such as secret banking information and passwords on a personal computer. The problem of hacking is particularly acute on the internet, as a hacker connected to the internet could potentially gain access to any other devices also connected to the internet. One technique used by hackers is to upload small computer programs such as Trojans onto the network which are then inadvertently downloaded by other devices on the network. The programs then allow the hacker to access data on the device onto which the program is loaded or allow the hacker to remotely control the device. The techniques used by hackers often rely on weaknesses or faults in software such as operating systems executed by host devices. Such attempts to gain unauthorised access to host devices are often referred to as attacks.
In order to prevent attacks on host devices, a number of systems have been developed to detect such attacks and to block them. For example, in order to protect one or more host devices from attacks, a monitoring program known as a firewall may be employed. A firewall is designed to monitor the data flowing to and from one or more devices in order to detect the presence of attacks and to block the data flow if an attack is detected. For example, a firewall may be arranged to block data if the source address of the data is one of a predetermined list of addresses known to be the source of attacks. Firewalls may also block data based on other characteristics such as the destination address of the data, port numbers or transport layer protocols. Another means to detect attacks in network data flow is to analyse the data for the presence of characteristic signatures. These signatures consist of strings of characters which occur in known attacks. When a signature of a known attack is detected in the data flow, the data flow may be blocked. Other attack detection systems are known to those skilled in the art including systems based on detecting unusual network behaviour, for example port scanning or other behaviour which is atypical under normal network conditions. When an attack is detected, the attack detection system may issue a warning or notification to a user so that steps can be taken to deal with the attack.
One problem with known attack detection and prevention systems is that they are unreliable and often generate warnings when genuine attacks do not actually exist. Usually, an attack in the form of malicious software is designed to attack a device executing software that is of a particular type. For example, an attack may be designed to exploit a weakness in the Windows operating system used by a device. This particular attack would therefore be ineffective on a device using the UNIX operating system. In known systems, when the attack is detected, a warning to the user would be generated, even though the attack may actually be ineffective and not require action. This results in a large number of false positive results, and so a large amount of time is required by a user to sort through the attack warnings to decide which of these are legitimate and to reconfigure the system. What often occurs in practice is that a user will simply allow the data flow for all attack warnings, anticipating that they are simply false results, running the risk of allowing data flow when a genuine attack exists. In some cases, what would be a genuine attack for one device may actually be a legitimate process for another device. In this case, data flow may be blocked when an attack is detected even though the data flow represents legitimate processes.
A further problem with existing attack detection and prevention systems is that they require a considerable amount of time to initially configure and to reconfigure when new attacks are discovered. Typically, a user has to manually configure a system to take all known attacks into account. Where there are a large number of attacks as is usually the case this can be extremely laborious and time consuming. When new attacks are frequently discovered it can be extremely inconvenient to manually reconfigure the system for each new attack. In practice the system may be reconfigured only occasionally so that the system does not provide protection for the most recent attacks until reconfiguration takes place, which may be some time after the attack is first known.
We have appreciated the need to provide an attack detection and prevention system which is reliable and in which the number of spurious detections of attacks is minimised. We have also appreciated the need for an attack detection system which is convenient to configure and to update to take into account new attacks.
Preferred embodiments of the invention will now be described with reference to the accompanying Figure which is a schematic diagram of a system embodying the invention.
The system shown in Figure 1 may be used to protect a first sub-network 1 from attacks originating from a second sub-network 3. Attacks include processes initiated by hackers to attempt to illegitimately gain access to or control devices on a network. For example, an attack may attempt to exploit a weakness or flaw in a particular operating system or other software executed by a device. The first sub-network 1 may comprise, for example, an intranet in an office and the second sub-network 3 may comprise, for example, the internet. The first sub-network 1 comprises one or more devices 5 which are connected together via a series of communication links (not shown) arranged so that data may be transmitted between the devices 5. The second sub-network 3 similarly comprises one or more devices 7 which are connected together via a series of communication links (not shown). The devices 5 or the devices 7 may be remotely located from each other. The first sub-network 1 and the second sub-network 3 are connected together via a single communication link 9. The communication link 9 is the only route through which data may be transmitted between the first sub-network 1 and the second sub-network 3. In this way, the network traffic originating from and destined to the first sub-network 1 may be more easily monitored.
The system comprises a scanner 11, an attack prevention device 13 and a data blocker 15. The scanner 11 is arranged to automatically scan or monitor each of the devices 5 in the first sub-network 1 to determine whether any of the devices 5 are vulnerable to any known attack. A device 5 may be said to be vulnerable to a particular attack if the attack is effective on the device 5. For example, a device 5 which uses the Windows operating system is vulnerable to attacks designed to exploit weaknesses in the Windows operating system. However, a device 5 using the UNIX operating system would not be vulnerable to these attacks. In another example, an attack designed for a Windows operating system without a patch P may be ineffective on a Windows operating system having the patch P. When a device is vulnerable to an attack, this may be referred to as being a vulnerability of the device.
The scanner 11 is arranged to store and execute one or more software scanning routines, in the form of plug-ins for example, each routine designed to test whether a device 5 or the software running on a device 5 is vulnerable to a particular attack. For example, one routine may be used to test whether a device is vulnerable to a particular attack designed for the Windows operating system.
A second routine may be used to test whether a device 5 is vulnerable to an attack designed for the UNIX operating system. A routine may be programmed to communicate with a device 5 and to determine which operating system the device 5 is using by means of one or more operating system identification parameters that form part of the operating system. The routine then compares the identifications with one or more predetermined identifications to enable the operating system being used to be identified. A routine may also be programmed to perform one or more test functions to test whether a particular attack is effective on a device 5. The test functions may mimic a real attack, but without adversely affecting the device, and analyse the device's response. Other techniques for determining whether a device or software running on a device is vulnerable to a particular attack are known to those skilled in the art.
In order to monitor the devices 5, the scanner 11 communicates with each device via a series of communication links 17. Each routine stored in the scanner 11 is executed for each device 5 in the first sub-network 1. In this way, the extent to which each device 5 is vulnerable to each known attack may be determined. Any required data exchange between the scanner 11 and a device 5 during the scanning process may be performed using the appropriate communication link 17. To initially configure the scanner 11 it is necessary to store the scanning routine for each known attack in the scanner 11. This process may be carried out manually. However, preferably the process of configuring the scanner 11 is automatic. This may be achieved by means of an automatic start-up configuration routine in which the scanner accesses an existing database of known attacks, and downloads the appropriate scanning routine for each attack. When a new attack is discovered, the appropriate new scanning routine may be stored in the scanner. As with the initial configuration of the scanner 11, this may be performed manually although it is preferably performed automatically. This may be achieved by means of an automatic update feature in which new scanning routines, for example those periodically released by operating system designers or specialist attack prevention services, are automatically transmitted to and stored in the scanner. The scanner 11 may also periodically access the database of known attacks to download any new scanning routines that are not already stored in the scanner 11.
The scanning process described above is repeated periodically so that the extent to which any of the devices are vulnerable to any new attacks is determined as soon as possible. This reduces the risk of a new attack not being detected because the system is not yet configured to take the new attack into account.
Preferably, the scanning process and scanner updating are performed continuously so as to maximise the effectiveness of the system.
The attack prevention device 13 is arranged to store a database containing information relating to the extent to which each of the devices is vulnerable to each known attack. For example, the database in the attack prevention device 13 comprises a list of the devices 5 in the first sub-network 1 together with information relating to which attacks each device is vulnerable to. When the scanner 11 has determined that a particular device 5 is vulnerable to a particular attack, the scanner 11 transmits this information via a communication link 19 to the attack prevention device 13 which updates the database accordingly. In this way, the database stored in the attack prevention device 13 will contain entries of the form 'device X is vulnerable to attack A'. The identification of devices and attacks in the entries stored in the database may be made in any suitable manner, for example using predefined identification codes.
Since the devices 5 are continually monitored by the scanner 11 for vulnerabilities, entries in the database may be continually added or deleted by the attack prevention device 13 based on information received from the scanner 11.
For example, if the operating system used by a particular device X is upgraded or modified to rectify a weakness exploited by an attack A so that attack A is no longer effective on device X, the scanner 11 will detect this change on the next scan. This information is then transmitted from the scanner 11 to the attack prevention device 13, resulting in the entry 'device X is vulnerable to attack A' being deleted. If a new attack B is discovered and the scanner 11 determines that a device Y is vulnerable to that attack, then a new entry 'device Y is vulnerable to attack B' is added to the database.
When a vulnerability has been detected for a particular device, the system may be arranged to attempt to eliminate the vulnerability. For example, when a vulnerability to an attack is discovered, the system may be arranged to search for and download any appropriate software upgrades or patches. Preferably, this process is performed automatically. Alternatively, when a vulnerability is detected, a warning may be communicated to a user indicating which device is vulnerable to which attack to allow the user to manually upgrade the device or the software used by the device. In one embodiment, where a vulnerability cannot be eliminated, for example if no appropriate software upgrade is available, the system may cause the device which is susceptible to the attack to be temporarily shut down until a suitable upgrade is available.
The data blocker 15 intercepts the communication link 9 connecting the first sub-network 1 and the second sub-network 3 and is arranged to selectively block data transmitted along the communication link 9 according to a set of predetermined criteria. In particular, the data blocker 15 is arranged to block data according to the contents of the database maintained by the attack prevention device 13. For example, if the data blocker detects that data being transmitted from the second sub-network 3 to the first sub-network 1 contains an attack A and the data is due to be transmitted to a device X in the first sub-network 1, the data blocker 15 will access information contained in the database maintained by the attack prevention device 13. If the database contains an entry indicating that the device X is vulnerable to attack A, then the data blocker blocks the data. Conversely, if the database does not contain an entry indicating that the device X is vulnerable to attack A, then the data blocker allows the data transfer. In this latter case, the data transfer is allowed even though an attack has been detected, because the attack is not effective on the device to which it is addressed. This relieves the user from having to deal with a spurious warning.
The data blocker may determine the identity of the device to which the data is due to be transmitted for example by analysing an IP address and/or device port number associated with the data. The data blocker may identify attacks using any suitable method including those described above such as signature recognition.
When an effective attack (meaning an attack that is addressed to a device which is vulnerable to the attack) has been detected, the data blocker may be arranged to issue a warning to the user so that the user is aware of the attack. The system may provide the option to examine the details of the attack so that the user can confirm that the attack should be blocked or to override the system and allow the data flow in which the attack was detected. Since the number of spurious warnings is minimised due to the fact that the destination of the attack is taken into account, the number of warnings issued to a user is significantly reduced.
The system shown in Figure 1 monitors the data transmitted along communication link 9. Since this is the only route through which the first sub-network 1 may be accessed, all data transmitted to the first sub-network 1 is monitored. If further communication links are provided to access the first sub-network 1, to ensure maximum security, each communication link should be monitored by a system similar to the system shown in Figure 1. Alternatively, a single system may be arranged to monitor several different communication links. What is important is that all data routes between the first sub-network 1 and other parts of a network, such as the second sub-network 3, are intercepted by a data blocker 15 controlled in the manner described above.
In one embodiment, detected attacks may be assigned different levels of priority.
For example, a detected attack which is addressed to a device which is vulnerable to that particular attack may be assigned the highest priority level. An attack which is addressed to a device which is partly vulnerable to the attack may be assigned a lower priority. An attack which is addressed to a device which is not vulnerable to that attack at all may be assigned the lowest priority. The system may then be configured to issue a warning to the user if a detected attack has a priority greater than or equal to a predetermined user-set level. If the predetermined level is set to the lowest priority level, then all attacks, regardless of their destination, will result in the issue of a warning in a similar way as occurs with known systems. However, by increasing the priority level at which a warning is issued, attacks of low suspicion may be filtered so that only highly suspicious or effective attacks result in a warning being issued. In this way, the present invention provides an attack filter whose sensitivity can be modified.
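The following is an added illustration of the scanner, database and data blocker interplay described above and of the priority embodiment; it is not code from the patent. The scanning routines, signatures, device profiles and the meaning of "partial" vulnerability are constructed assumptions for the example.

```python
"""Vulnerability-aware blocking modelled on the GB2424291A description.

Scanning routines (one per known attack) are run against each device, the
resulting 'device X is vulnerable to attack A' entries are kept in a database
that is replaced on every scan, and the data blocker only blocks a detected
attack when its destination is actually vulnerable.
"""
from dataclasses import dataclass, field
from typing import Optional

# Priority levels of the priority embodiment: fully vulnerable destination is
# highest, partly vulnerable is lower, not vulnerable is lowest.
PRIORITY_EFFECTIVE, PRIORITY_PARTIAL, PRIORITY_INEFFECTIVE = 3, 2, 1


@dataclass
class Device:
    """Constructed device profile; a real scanner would derive it by probing."""
    name: str
    os: str
    patches: set = field(default_factory=set)
    exposed_services: set = field(default_factory=set)


# Scanning routines (plug-ins). Each returns "full", "partial" or None.
def scan_attack_a(dev):
    """Attack A (constructed): exploits Windows without patch P."""
    if dev.os == "Windows":
        return None if "P" in dev.patches else "full"
    return None


def scan_attack_b(dev):
    """Attack B (constructed): targets a UNIX service; treated as only partly
    effective when the service is installed but not exposed."""
    if dev.os != "UNIX":
        return None
    return "full" if "svc" in dev.exposed_services else "partial"


SCAN_ROUTINES = {"A": scan_attack_a, "B": scan_attack_b}
# Constructed payload signatures the data blocker recognises.
SIGNATURES = {"A": b"EXPLOIT-A", "B": b"EXPLOIT-B"}


class VulnerabilityDatabase:
    """Attack prevention device's store: device name -> {attack: extent}."""
    def __init__(self):
        self._entries = {}

    def apply_scan(self, dev, routines=SCAN_ROUTINES):
        """Run every routine against a device and replace its entries, so a
        vulnerability fixed since the last scan is deleted and new ones added."""
        found = {}
        for attack, routine in routines.items():
            extent = routine(dev)
            if extent is not None:
                found[attack] = extent
        self._entries[dev.name] = found
        return found

    def extent(self, device_name, attack):
        return self._entries.get(device_name, {}).get(attack)


@dataclass
class Verdict:
    attack: Optional[str]   # None when no signature matched
    action: str             # "allow" or "block"
    priority: int           # 0 when no attack was detected
    warn: bool


class DataBlocker:
    """Sits on the single link into the protected sub-network."""
    def __init__(self, db, warn_threshold=PRIORITY_EFFECTIVE):
        self.db = db
        self.warn_threshold = warn_threshold   # the user-set level

    def detect(self, payload):
        for attack, sig in SIGNATURES.items():
            if sig in payload:
                return attack
        return None

    def inspect(self, dst, payload):
        attack = self.detect(payload)
        if attack is None:
            return Verdict(None, "allow", 0, False)
        extent = self.db.extent(dst, attack)
        priority = {"full": PRIORITY_EFFECTIVE,
                    "partial": PRIORITY_PARTIAL}.get(extent, PRIORITY_INEFFECTIVE)
        # Block only when the database holds an entry for this destination and
        # attack; an attack aimed at an immune device passes without a warning.
        action = "block" if extent is not None else "allow"
        return Verdict(attack, action, priority, priority >= self.warn_threshold)


def demo():
    """Scan three constructed devices, inspect traffic, then rescan after a patch."""
    db = VulnerabilityDatabase()
    x = Device("X", "Windows")                       # unpatched: vulnerable to A
    y = Device("Y", "UNIX", exposed_services={"svc"})
    z = Device("Z", "Windows", patches={"P"})        # patched: immune to A
    for dev in (x, y, z):
        db.apply_scan(dev)
    blocker = DataBlocker(db)
    results = {
        "A->X": blocker.inspect("X", b"GET /EXPLOIT-A"),
        "A->Z": blocker.inspect("Z", b"GET /EXPLOIT-A"),
        "B->Y": blocker.inspect("Y", b"EXPLOIT-B"),
        "clean": blocker.inspect("X", b"GET /index.html"),
    }
    x.patches.add("P")             # patch applied; the next scan deletes the entry
    db.apply_scan(x)
    results["A->X after patch"] = blocker.inspect("X", b"GET /EXPLOIT-A")
    return results
```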
The scanner 11, attack prevention device 13 and data blocker 15 each comprise a memory (not shown) for storing the appropriate computer executable code necessary to perform their functions, and a processor (not shown) for executing the code. When the system is used, the computer executable code is retrieved from the memories and executed by the processors according to the functioning of the system.
Claims (21)
1. A system for preventing software based attacks on one or more devices on a network comprising: - a scanner arranged to monitor the devices to determine the extent to which each device on the network is vulnerable to one or more attacks; - an attack prevention device arranged to receive data from the scanner relating to the extent to which each device on the network is vulnerable to the one or more attacks and to store the data in a database; and - a data blocker arranged to detect attacks contained in data being transmitted to the network and to selectively block the data according to the information stored in the database in the attack prevention device.
2. The system of claim 1 in which the data blocker is arranged to block data if the data contains an attack A, if the data is due to be transmitted to a device X on the network, and if the information contained in the database indicates that the device X is vulnerable to the attack A.
3. The system of claim 1 or 2 in which the system is arranged to issue a warning message to a user only when an effective attack is detected.
4. The system of claim 1, 2 or 3 in which the scanner is further arranged to periodically monitor each of the devices.
5. The system of claim 4 in which the database in the attack prevention device is updated each time a device is monitored.
6. The system of any preceding claim in which the scanner determines the extent to which a device is vulnerable to an attack A by executing a scanning routine associated with the attack A.
7. The system of claim 6 in which one or more scanning routines are automatically loaded into the scanner upon initialisation of the system.
8. The system of claim 6 or 7 in which new scanning routines are automatically loaded into the scanner when new attacks become known.
9. The system of any preceding claim in which an attack detected by the data blocker is assigned a priority level according to the extent to which the detected attack is effective on the device to which the attack was destined.
10. The system of any preceding claim in which the data blocker is a firewall.
11. A method for preventing software based attacks on one or more devices on a network comprising the steps of: - monitoring the devices to determine the extent to which each device on the network is vulnerable to one or more attacks; - storing data relating to the extent to which each device on the network is vulnerable to the one or more attacks; - detecting attacks contained in data being transmitted to the network; and - selectively blocking the data according to the stored data.
12. The method of claim 11 in which the step of selectively blocking the data comprises the further step of blocking data if the data contains an attack A, if the data is due to be transmitted to a device X on the network, and if the information contained in the database indicates that the device X is vulnerable to the attack A.
13. The method of claim 11 or 12 comprising the further step of issuing a warning message to a user only when an effective attack is detected.
14. The method of claim 11, 12 or 13 in which the step of monitoring the devices comprises the further step of periodically monitoring each of the devices.
15. The method of claim 14 comprising the further step of updating the stored data each time a device is monitored.
16. The method of any of claims 11 to 15 in which the step of monitoring the devices comprises the further step of determining the extent to which a device is vulnerable to an attack A by executing a scanning routine associated with the attack A.
17. The method of claim 16 comprising the further step of automatically loading one or more scanning routines upon initialisation of the system.
18. The method of claim 16 or 17 comprising the further step of automatically loading new scanning routines when new attacks become known.
19. The method of any of claims 11 to 18 in which the step of detecting attacks comprises the further step of assigning a priority level to a detected attack according to the extent to which the detected attack is effective on the device to which the attack was destined.
20. A computer program comprising computer executable instructions which when executed by a processor, causes the processor to perform the method of any of claims 11 to 19.
21. A computer program product comprising computer executable instructions according to claim 20.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0505511A GB2424291A (en) | 2005-03-17 | 2005-03-17 | Blocking network attacks based on device vulnerability |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0505511A GB2424291A (en) | 2005-03-17 | 2005-03-17 | Blocking network attacks based on device vulnerability |
Publications (2)
Publication Number | Publication Date |
---|---|
GB0505511D0 GB0505511D0 (en) | 2005-04-27 |
GB2424291A true GB2424291A (en) | 2006-09-20 |
Family
ID=34531436
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB0505511A Pending GB2424291A (en) | 2005-03-17 | 2005-03-17 | Blocking network attacks based on device vulnerability |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2424291A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3842974A4 (en) * | 2018-10-17 | 2021-11-17 | Panasonic Intellectual Property Corporation of America | Information processing device, information processing method, and program |
EP4135261A1 (en) * | 2018-10-17 | 2023-02-15 | Panasonic Intellectual Property Corporation of America | Information processing device, information processing method, and program |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001084270A2 (en) * | 2000-04-28 | 2001-11-08 | Internet Security Systems, Inc. | Method and system for intrusion detection in a computer network |
US6415321B1 (en) * | 1998-12-29 | 2002-07-02 | Cisco Technology, Inc. | Domain mapping method and system |
WO2003100617A1 (en) * | 2002-05-22 | 2003-12-04 | Lucid Security Corporation | Adaptive intrusion detection system |
US20040064726A1 (en) * | 2002-09-30 | 2004-04-01 | Mario Girouard | Vulnerability management and tracking system (VMTS) |
US20050005171A1 (en) * | 2003-07-01 | 2005-01-06 | Oliphant Brett M. | Real-time vulnerability monitoring |
US20050022028A1 (en) * | 2003-04-16 | 2005-01-27 | Aron Hall | Network security apparatus and method |
Events
- 2005-03-17: GB application GB0505511A filed; patent GB2424291A, status active, pending
Also Published As
Publication number | Publication date |
---|---|
GB0505511D0 (en) | 2005-04-27 |