Integrating a honey network with a target network to counter IP and peer-checking evasion techniques

US 10,044,675 B1
Filed: 09/30/2014
Issued: 08/07/2018
Est. Priority Date: 09/30/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor coupled to a memory, wherein the processor is configured to;

generate a device profile data store that includes a plurality of attributes of each of a plurality of devices in a target network environment;

instantiate a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store using a virtual clone manager, wherein the honey network is hosted by a cloud security service;

receive a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;

detonate the malware sample executed on the virtual clone for the target device in the honey network; and

route an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the firewall device in the target network environment for proxying the external communication through the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for integrating a honey network with a target network environment (e.g., an enterprise network) to counter IP and peer-checking evasion techniques are disclosed. In some embodiments, a system for integrating a honey network with a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target network environment based on one or more attributes for a target device in the device profile data store; and a honey network policy that is configured to route an external network communication from the virtual clone for the target device in the honey network to an external device through the target network environment.

Citations

24 Claims

1. A system, comprising:
- a processor coupled to a memory, wherein the processor is configured to;
  
  generate a device profile data store that includes a plurality of attributes of each of a plurality of devices in a target network environment;
  
  instantiate a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store using a virtual clone manager, wherein the honey network is hosted by a cloud security service;
  
  receive a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
  
  detonate the malware sample executed on the virtual clone for the target device in the honey network; and
  
  route an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the firewall device in the target network environment for proxying the external communication through the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system recited in claim 1, wherein the virtual clone is executed in an instrumented virtual machine (VM) environment on a VM server.
  - 3. The system recited in claim 1, wherein the virtual clone is a customized VM image that is executed in an instrumented virtual machine (VM) environment.
  - 4. The system recited in claim 1, wherein the processor is further configured to:
    - monitor one or more activities of the virtual clone for the target device in the honey network, wherein the one or more activities are logged in a honey network log.
  - 5. The system recited in claim 1, wherein the processor is further configured to:
    - extract a plurality of attributes associated with the target device from the device profile data store using a device profile data analyzer.
  - 6. The system recited in claim 1, wherein the processor is further configured to:
    - select a VM image from a VM image library using a virtual machine (VM) image selector.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - configure a VM image to synchronize attributes of the VM image with attributes of the target device in the target network environment using a virtual machine (VM) image configurer, wherein the VM image is customized based on one or more of the plurality of attributes associated with the target device.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - instantiate a customized VM image in an instrumented VM environment using a virtual machine (VM) instance launcher, wherein the instantiated customized VM image corresponds to the virtual clone of the target device in the target network environment.
  - 9. The system recited in claim 1, wherein the processor is further configured to:
    - select a VM image from a virtual machine (VM) image library that includes one or more VM images using the virtual clone manager, wherein the VM image library is customized based on one or more attributes for the target device in the device profile data store, and wherein the customized VM image is executed in an instrumented VM environment.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - manage a plurality of virtual clones executed in an instrumented VM environment using a virtual machine (VM) instance manager, wherein the plurality of virtual clones executed in the instrumented VM environment corresponds to the honey network.
  - 11. The system recited in claim 1, wherein the external communication is routed through the firewall device in the target network environment so that the external communication to the external device is from the external IP address assigned to the Internet-facing interface of the firewall device in the target network environment to counter IP and peer-checking evasion techniques.
  - 12. The system recited in claim 1, wherein the honey network routing table is updated if at least one of the virtual clones is removed from the honey network, if a new virtual clone is added in the honey network, and/or to update an availability field value for at least one of the virtual clones.
  - 13. The system recited in claim 1, wherein processor is further configured to:
    - route the external network communication that was initiated from the malware sample executed on the virtual clone for the target device in the honey network to the external device through the target network environment based on a honey network policy for proxying the external communication through the firewall device and a proxy server in the target network environment to the external device based on the honey network routing table that provides the mapping between the first IP address of the virtual clone and the second IP address of the target device to counter IP and peer-checking evasion techniques.
  - 14. The system recited in claim 1, wherein the honey network policy is configured to include a plurality of specified IP addresses and/or specified Classless Inter-Domain Routing (CIDR) ranges for allowed communications from the virtual clone in the honey network to the target device in the target network environment, and wherein if another virtual clone in the honey network does not exist for another target device, then the external communication is routed from the virtual clone in the honey network to the another device in the target network environment such that peer checks by an attacker cannot be used to determine that the malware sample was detonated on the virtual clone in the honey network.

15. A method, comprising:
- storing a plurality of attributes of each of a plurality of devices in a target network environment in a device profile data store;
  
  instantiating a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store, wherein the honey network is hosted by a cloud security service;
  
  receiving a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
  
  detonating the malware sample executed on the virtual clone for the target device in the honey network; and
  
  routing an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the target network environment based on a honey network policy for proxying the external communication through the firewall device in the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the virtual clone is executed in an instrumented VM environment on a VM server.
  - 17. The method of claim 15, wherein the virtual clone is a customized VM image that is executed in an instrumented VM environment.
  - 18. The method of claim 15, wherein a honey network configuration is synchronized to emulate the plurality of devices in the target network environment.
  - 19. The method of claim 15, further comprising:
    - monitoring one or more activities of the virtual clone for the target device in the honey network, wherein the one or more activities are logged in a honey network log.

20. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- storing a plurality of attributes of each of a plurality of devices in a target network environment in a device profile data store;
  
  instantiating a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store, wherein the honey network is hosted by a cloud security service;
  
  receiving a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
  
  detonating the malware sample executed on the virtual clone for the target device in the honey network;
  
  detonating a malware sample executed on the virtual clone in the honey network; and
  
  routing an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the target network environment based on a honey network policy for proxying the external communication through the firewall device in the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The computer program product recited in claim 20, wherein the virtual clone is executed in an instrumented VM environment on a VM server.
  - 22. The computer program product recited in claim 20, wherein the virtual clone is a customized VM image that is executed in an instrumented VM environment.
  - 23. The computer program product recited in claim 20, wherein a honey network configuration is synchronized to emulate the plurality of devices in the target network environment.
  - 24. The computer program product recited in claim 20, further comprising computer instructions for:
    - monitoring one or more activities of the virtual clone for the target device in the honey network, wherein the one or more activities are logged in a honey network log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Ettema, Taylor, Xie, Huagang
Primary Examiner(s)
Tran, Tri

Application Number

US14/503,145
Time in Patent Office

1,407 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 8/60   Software deployment

G06F 8/63   Image based installation; C...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1491   using deception as counterm...

Integrating a honey network with a target network to counter IP and peer-checking evasion techniques

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Integrating a honey network with a target network to counter IP and peer-checking evasion techniques

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links