公开(公告)号：EP1552401A4

公开(公告)日：2009-03-25

申请号：EP03771555

申请日：2003-06-24

Applicant: IBM

Inventor： CHARI SURESH N ,  CHENG PAU-CHEN ,  LEE KANG-WON ,  SAHU SAMBIT ,  SHAIKH ANEES A

IPC: G06F21/20 ,  H04L29/06 ,  G06F13/00 ,  G06F15/00 ,  G06F15/173 ,  G06F17/30 ,  H04L9/00 ,  H04L9/32 ,  H04L12/56 ,  H04L29/08

CPC classification number: H04L63/1408 ,  H04L63/1458 ,  H04L67/1002

Abstract: Several deterrence mechanisms suitable for content distribution networks (CDN) (120) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism, an attacker is required to generate O(n ) amount of traffic to victimize a CDN-hosted site (120) when the site content is served from n CDN caches. Without these modifications, the attacker must generate only 0(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation among CDN-hosted Web sites (120) to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site that disables its assigned servers, does not also bring down other Web sites hosted by the CDN (120).

公开(公告)号：WO2006078446A3

公开(公告)日：2009-04-09

申请号：PCT/US2006000081

申请日：2006-01-06

Applicant: IBM ,  CHARI SURESH N ,  CHENG PAU-CHEN ,  RAO JOSYULA R ,  ROHATGI PANKAJ ,  STEINER MICHAEL

Inventor： CHARI SURESH N ,  CHENG PAU-CHEN ,  RAO JOSYULA R ,  ROHATGI PANKAJ ,  STEINER MICHAEL

IPC: G06F11/00 ,  G06F11/30 ,  G06F12/14 ,  H04L9/00

CPC classification number: G06F21/554 ,  G06F21/53

Abstract: An intrusion detection system (IDS), method of protecting computers against intrusions and program product therefor. The IDS determines which applications are to run in native environment (NE) and places the remaining applications in a sandbox. Some of the applications in sandboxes may be placed in a personalized virtual environment (PVE) in the sandbox. Upon detecting an attempted attack, a dynamic honeypot may be started for an application in a sandbox and not in a PVE. A virtualized copy of system resources may be created for each application in a sandbox and provided to the corresponding application in the respective sandbox.

Abstract translation: 入侵检测系统（IDS），防止计算机入侵的方法和程序产品。 IDS确定在本地环境（NE）中运行哪些应用程序，并将剩余的应用程序放在沙箱中。 砂箱中的一些应用程序可能会放置在沙箱中的个性化虚拟环境（PVE）中。 在检测到尝试的攻击时，可以为沙箱而不是PVE中的应用启动动态蜜罐。 可以为沙箱中的每个应用程序创建系统资源的虚拟副本，并提供给相应沙箱中的相应应用程序。

公开(公告)号：WO2006078446A4

公开(公告)日：2009-06-11

申请号：PCT/US2006000081

申请日：2006-01-06

Applicant: IBM ,  CHARI SURESH N ,  CHENG PAU-CHEN ,  RAO JOSYULA R ,  ROHATGI PANKAJ ,  STEINER MICHAEL

Inventor： CHARI SURESH N ,  CHENG PAU-CHEN ,  RAO JOSYULA R ,  ROHATGI PANKAJ ,  STEINER MICHAEL

IPC: G06F11/00 ,  G06F11/30 ,  G06F12/14 ,  H04L9/00

CPC classification number: G06F21/554 ,  G06F21/53

Abstract: An intrusion detection system (IDS), method of protecting computers against intrusions and program product therefor. The IDS determines which applications are to run in native environment (NE) and places the remaining applications in a sandbox. Some of the applications in sandboxes may be placed in a personalized virtual environment (PVE) in the sandbox. Upon detecting an attempted attack, a dynamic honeypot may be started for an application in a sandbox and not in a PVE. A virtualized copy of system resources may be created for each application in a sandbox and provided to the corresponding application in the respective sandbox.

Abstract translation: 入侵检测系统（IDS），保护计算机免受入侵的方法及其程序产品。 IDS确定哪些应用程序要在本地环境（NE）中运行，并将其余应用程序放置在沙箱中。 沙箱中的一些应用程序可能会放置在沙箱中的个性化虚拟环境（PVE）中。 在检测到尝试的攻击后，可以为沙箱中的应用启动动态蜜罐，而不是在PVE中启动。 系统资源的虚拟化副本可以为沙箱中的每个应用程序创建并提供给相应沙箱中的相应应用程序。

公开(公告)号：AU2003247703A1

公开(公告)日：2004-02-16

申请号：AU2003247703

申请日：2003-06-24

Applicant: IBM

Inventor： CHARI SURESH N ,  CHENG PAU-CHEN ,  LEE KANG-WON ,  SAHU SAMBIT ,  SHAIKH ANEES A

IPC: G06F21/20 ,  G06F13/00 ,  G06F15/00 ,  G06F15/173 ,  H04L9/00 ,  H04L9/32 ,  H04L12/56 ,  H04L29/06 ,  H04L29/08

Abstract: Several deterrence mechanisms suitable for content distribution networks (CDN) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism, an attacker is required to generate O(n2)amount of traffic to victimize a CDN-hosted site when the site content is served from n CDN caches. Without these modifications, the attacker must generate only O(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation among CDN-hosted Web sites to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site that disables its assigned servers, does not also bring down other Web sites hosted by the CDN.

公开(公告)号：CA2493350A1

公开(公告)日：2004-02-05

申请号：CA2493350

申请日：2003-06-24

Applicant: IBM

Inventor： CHENG PAU-CHEN ,  CHARI SURESH N ,  LEE KANG-WON ,  SHAIKH ANEES A ,  SAHU SAMBIT

IPC: G06F21/20 ,  G06F13/00 ,  G06F15/00 ,  G06F15/173 ,  H04L9/00 ,  H04L9/32 ,  H04L12/56 ,  H04L29/06 ,  H04L29/08

Abstract: Several deterrence mechanisms suitable for content distribution networks (CD N) (120) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism , an attacker is required to generate O(n2) amount of traffic to victimize a C DN- hosted site (120) when the site content is served from n CDN caches. Without these modifications, the attacker must generate only 0(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation amon g CDN-hosted Web sites (120) to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site tha t disables its assigned servers, does not also bring down other Web sites host ed by the CDN (120).