Threat engagement and deception escalation
First Claim
1. A method, comprising:
configuring, by a network device on a network, an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
receiving network traffic addressed to the address deception mechanism;
determining that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;
initiating a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
directing the network traffic to the low-interaction deception mechanism;
receiving additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
determining whether the low-interaction deception mechanism is able to accept the additional network traffic;
initiating a high-interaction deception mechanism when the low-interaction deception mechanism is not able to accept the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
directing the additional network traffic to the high-interaction deception mechanism.
1 Assignment
0 Petitions
Abstract
Provided are methods, network devices, and computer-program products for a network deception system. The network deception system can engage a network threat with a deception mechanism and dynamically escalate the deception to maintain the engagement. The system can include super-low, low, and high-interaction deceptions. A super-low deception responds to requests for address information and requires few computing resources. When network traffic directed to the super-low deception requires a more complex response, the system can initiate a low-interaction deception. A low-interaction deception can emulate multiple devices, which can give it away as a deception. Hence, when the network traffic includes an attempted connection, the system can initiate a high-interaction deception. A high-interaction deception more closely emulates a network device and can be more difficult to identify as a deception. It can fully engage a network threat and can be initiated only as needed.
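The escalation the abstract describes, as an added worked example that is not code from the patent, its assignee, or any product: a Python model in which one MAC/IP identity moves from an address-only responder, to a low-interaction emulator, to a high-interaction host as the traffic addressed to it outgrows each tier. The tier classes, the Packet type, the advertised port set, the MAC/IP identity and the scanning traffic are all constructed for this example. The controller generalizes the claims slightly: it jumps to the lowest tier that can accept a packet rather than stepping strictly one tier at a time, and it never de-escalates during an engagement.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed minimal view of a frame: only the fields the tiers inspect."""
    src_ip: str
    dst_ip: str
    proto: str                      # "arp", "icmp" or "tcp"
    dst_port: Optional[int] = None  # tcp only
    flags: str = ""                 # tcp only: "S" = bare SYN, "PA" = data segment
    payload: bytes = b""

class Tier:
    """A deception mechanism; it owns no address until the controller assigns one."""
    name = ""

    def __init__(self) -> None:
        self.mac: Optional[str] = None
        self.ip: Optional[str] = None

    def assign(self, mac: Optional[str], ip: Optional[str]) -> None:
        self.mac, self.ip = mac, ip

    def can_accept(self, pkt: Packet) -> bool:
        raise NotImplementedError

class AddressDeception(Tier):
    """Super-low tier: only answers ARP for its IP, so many can run cheaply."""
    name = "address"

    def can_accept(self, pkt: Packet) -> bool:
        return pkt.proto == "arp"

class LowInteraction(Tier):
    """One emulator standing in for many hosts: ARP, ICMP echo, RST for closed ports.
    A SYN to a port it advertises as open is a connection attempt it has no real
    service behind, so it declines and the controller escalates on that SYN."""
    name = "low"
    OPEN_PORTS = frozenset({22, 80, 445})   # assumed advertised services

    def can_accept(self, pkt: Packet) -> bool:
        if pkt.proto in ("arp", "icmp"):
            return True
        return pkt.proto == "tcp" and pkt.dst_port not in self.OPEN_PORTS

class HighInteraction(Tier):
    """Full emulation of a single host (a real VM, say): accepts any traffic to it."""
    name = "high"

    def can_accept(self, pkt: Packet) -> bool:
        return True

class DeceptionController:
    """Holds one MAC/IP identity and moves it up the tier list as traffic demands,
    so the attacker keeps talking to what looks like a single, consistent host."""

    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip
        self.tiers: List[Tier] = [AddressDeception(), LowInteraction(), HighInteraction()]
        self.active = 0
        self.tiers[0].assign(mac, ip)
        self.events: List[tuple] = []

    def handle(self, pkt: Packet) -> Optional[str]:
        """Direct pkt to a tier and return that tier's name; None if pkt was not
        addressed to the deception and so is not suspect on this basis."""
        if pkt.dst_ip != self.ip:
            return None
        self.events.append(("suspect", pkt.src_ip, pkt.proto))  # nobody legitimate talks to it
        # Escalate only as far as needed: the first tier at or above the active one
        # that can accept the packet. Never de-escalate during an engagement.
        for idx in range(self.active, len(self.tiers)):
            if self.tiers[idx].can_accept(pkt):
                if idx != self.active:
                    self._escalate(idx)
                return self.tiers[idx].name
        raise RuntimeError("no tier can accept the traffic")  # unreachable: high accepts all

    def _escalate(self, idx: int) -> None:
        old, new = self.tiers[self.active], self.tiers[idx]
        old.assign(None, None)          # de-assign MAC and IP from the lower tier ...
        new.assign(self.mac, self.ip)   # ... and hand the identical identity to the higher one
        self.events.append(("escalate", old.name, new.name))
        self.active = idx

def run_scenario() -> Tuple[List[Optional[str]], DeceptionController]:
    """Constructed traffic from one scanning host, in the order a scan would send it."""
    ctl = DeceptionController(mac="02:00:5e:00:53:01", ip="10.0.5.23")  # assumed identity
    scanner = "10.0.5.77"
    traffic = [
        Packet(scanner, "10.0.5.23", "arp"),                            # who-has -> address tier
        Packet(scanner, "10.0.5.24", "icmp"),                           # a real host: not ours
        Packet(scanner, "10.0.5.23", "icmp"),                           # ping -> escalate to low
        Packet(scanner, "10.0.5.23", "tcp", dst_port=8080, flags="S"),  # closed port -> low RSTs
        Packet(scanner, "10.0.5.23", "tcp", dst_port=445, flags="S"),   # open port -> escalate to high
        Packet(scanner, "10.0.5.23", "tcp", dst_port=445, flags="PA",
               payload=b"\x00\x00\x00\x2f\xffSMB"),                     # session data -> high
    ]
    return [ctl.handle(p) for p in traffic], ctl
```

Two design points the model makes explicit, from the editor's own experience rather than the patent text. The low-interaction tier declines the SYN to an advertised-open port instead of completing the handshake, so the high-interaction tier owns the TCP session from its first segment; had the low tier answered the SYN, the high tier would receive data for a connection it holds no state for and would have to reset it. And because the MAC travels with the IP, moving the identity to a high-interaction host on a different switch port means the switch must relearn that MAC, which the new tier's first reply frame accomplishes; until then frames still arrive at the old port. Finally, traffic to a deception address is suspect because no production client has a reason to send it, but legitimate inventory scanners will hit it too, so alerting on escalation events is less noisy than alerting on the first ARP.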
21 Citations
27 Claims
1. The method claim set out in full under First Claim above. Dependent claims: 2 to 9.
10. A network device, comprising:
one or more processors; and
a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
configuring an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
receiving network traffic addressed to the address deception mechanism;
determining that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;
initiating a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
directing the network traffic to the low-interaction deception mechanism;
receiving additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
determining whether the low-interaction deception mechanism is able to respond to the additional network traffic;
initiating a high-interaction deception mechanism when the low-interaction deception mechanism is not able to respond to the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
directing the additional network traffic to the high-interaction deception mechanism.
Dependent claims: 11 to 18.
19. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
configure an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
receive network traffic addressed to the address deception mechanism;
determine that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;
initiate a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
direct the network traffic to the low-interaction deception mechanism;
receive additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
determine whether the low-interaction deception mechanism is able to respond to the additional network traffic;
initiate a high-interaction deception mechanism when the low-interaction deception mechanism is not able to respond to the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
direct the additional network traffic to the high-interaction deception mechanism.
Dependent claims: 20 to 27.
Specification