Threat engagement and deception escalation

US 10,033,762 B2
Filed: 04/25/2017
Issued: 07/24/2018
Est. Priority Date: 04/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

configuring, by a network device on a network, an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;

receiving network traffic addressed to the address deception mechanism;

determining that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;

initiating a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;

directing the network traffic to the low-interaction deception mechanism;

receiving additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;

determining whether the low-interaction deception mechanism is able to accept the additional network traffic;

initiating a high-interaction deception mechanism when the low-interaction deception mechanism is not able to accept the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and

directing the additional network traffic to the high-interaction deception mechanism.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods, network devices, and computer-program products for a network deception system. The network deception system can engage a network threat with a deception mechanism, and dynamically escalating the deception to maintain the engagement. The system can include super-low, low, and high-interaction deceptions. The super-low deceptions can respond to requests for address information, and requires few computing resources. When network traffic directed to the super-low deception requires a more complex response, the system can initiate a low-interaction deception. The low-interaction deception can emulate multiple devices, which can give the low-interaction deception away as a deception. Hence, when the network traffic includes an attempted connection, the system can initiate a high-interaction deception. The high-interaction more closely emulates a network device, and can be more difficult to identify as a deception. The high-interaction deception can fully engage a network threat, and can be initiated only as needed.

21 Citations

View as Search Results

27 Claims

1. A method, comprising:
- configuring, by a network device on a network, an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
  
  receiving network traffic addressed to the address deception mechanism;
  
  determining that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;
  
  initiating a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
  
  directing the network traffic to the low-interaction deception mechanism;
  
  receiving additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
  
  determining whether the low-interaction deception mechanism is able to accept the additional network traffic;
  
  initiating a high-interaction deception mechanism when the low-interaction deception mechanism is not able to accept the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
  
  directing the additional network traffic to the high-interaction deception mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the low-interaction deception mechanism can be configured to resemble multiple network devices by assigning multiple MAC addresses to the low-interaction deception mechanism.
  - 3. The method of claim 1, wherein the high-interaction deception mechanism is configured with a particular operating system and particular services and is assigned only one MAC address at a time.
  - 4. The method of claim 1, wherein the low-interaction deception mechanism is executing on the network device.
  - 5. The method of claim 1, wherein the low-interaction deception mechanism is executing on another network device.
  - 6. The method of claim 1, wherein the address deception mechanism is able to respond to network traffic that does not require a persistent connection.
  - 7. The method of claim 1, wherein the low-interaction deception mechanism is able to respond to network traffic probing for hardware or software configuration information for the low-interaction deception mechanism.
  - 8. The method of claim 1, wherein the low-interaction deception mechanism is not allowed to accept a connection request.
  - 9. The method of claim 1, further comprising:
    - delaying responding to the additional network traffic, wherein the high-interaction deception mechanism is initiated during the delay.

10. A network device, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  configuring an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
  
  receiving network traffic addressed to the address deception mechanism;
  
  determining that the network traffic is suspect based on the network traffic having been addressed to the address deception mechanism;
  
  initiating a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
  
  andirecting the network traffic to the higher interaction interactive low-interaction deception mechanism;
  
  receiving additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
  
  determining whether the low-interaction deception mechanism is able to respond to the additional network traffic;
  
  initiating a high-interaction deception mechanism when the low-interaction deception mechanism is not able to respond to the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
  
  directing the additional network traffic to the high-interaction deception mechanism.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network device of claim 10, wherein the low-interaction deception mechanism is configured to respond to one or more network addresses.
  - 12. The network device of claim 10, wherein the high-interaction deception mechanism is configured with a particular operating system and particular services.
  - 13. The network device of claim 10, wherein the low-interaction deception mechanism is executing on the network device.
  - 14. The network device of claim 10, wherein the low-interaction deception mechanism is executing on another network device.
  - 15. The network device of claim 10, wherein the address deception mechanism is able to respond to network traffic that does not require a persistent connection.
  - 16. The network device of claim 10, wherein the low-interaction deception mechanism is able to respond to network traffic probing for hardware or software configuration information for the low-interaction deception mechanism.
  - 17. The network device of claim 10, wherein the low-interaction deception mechanism is not allowed to accept a connection request.
  - 18. The network device of claim 10, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - delaying responding to the additional network traffic, wherein the high-interaction deception mechanism is initiated during the delay.

19. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- configure an address deception mechanism, wherein configuring the address deception mechanism includes assigning a Media Access Control (MAC) address and an Internet Protocol (IP) address to the address deception mechanism;
  
  receive network traffic addressed to the address deception mechanism;
  
  determine that the network traffic is suspect based on the network traffic having been address to the address deception mechanism;
  
  initiate a low-interaction deception mechanism, wherein the low-interaction deception mechanism is capable of responding to the network traffic, and wherein initiating the low-interaction deception mechanism includes de-assigning the MAC address and the IP address from the address deception mechanism and assigning the MAC address and the IP address to the low-interaction deception mechanism;
  
  direct the network traffic to the low-interaction deception mechanism;
  
  receive additional network traffic, wherein the additional network traffic is addressed to the low-interaction deception mechanism;
  
  determine whether the low-interaction deception mechanism is able to respond to the additional network traffic;
  
  initiate a high-interaction deception mechanism when the low-interaction deception mechanism is not able to respond to the additional network traffic, wherein initiating the high-interaction deception mechanism includes de-assigning the MAC address and the IP address from the low-interaction deception mechanism and assigning the MAC address and the IP address to the high-interaction deception mechanism; and
  
  direct the additional network traffic to the high-interaction deception mechanism.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer-program product of claim 19, wherein the low-interaction deception mechanism is configured to respond to one or more network addresses.
  - 21. The computer-program product of claim 19, wherein the high-interaction deception mechanism is configured with a particular operating system and particular services.
  - 22. The computer-program product of claim 19, wherein the low-interaction deception mechanism is executing on a same network device that includes the one or more processors.
  - 23. The computer-program product of claim 19, wherein the low-interaction deception mechanism is executing on different network device than a network device that includes the one or more processors.
  - 24. The computer-program product of claim 19, wherein the address deception mechanism is able to respond to network traffic that does not require a persistent connection.
  - 25. The computer-program product of claim 19, wherein the low-interaction deception mechanism is able to respond to network traffic probing for hardware or software configuration information for the low-interaction deception mechanism.
  - 26. The computer-program product of claim 19, wherein the low-interaction deception mechanism is not allowed to accept a connection request.
  - 27. The computer-program product of claim 19, further comprising instructions that, when executed by one or more processors, cause the one or more processors to:
    - delay responding to the additional network traffic, wherein the high-interaction deception mechanism is initiated during the delay.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Acalvio Technologies, Inc.
Inventors
Wu, Johnson, Gopalakrishna, Rajendra A., Gukal, Sreenivas, Varadarajan, Rammohan
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/496,716
Publication Number

US 20170310704A1
Time in Patent Office

455 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0816   the condition being an adap...

H04L 41/0886   Fully automatic configuration

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Threat engagement and deception escalation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Threat engagement and deception escalation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links