Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
Abstract
Techniques for integrating a honey network with a target network environment (e.g., an enterprise network) to counter IP and peer-checking evasion techniques are disclosed. In some embodiments, a system for integrating a honey network with a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target network environment based on one or more attributes for a target device in the device profile data store; and a honey network policy that is configured to route an external network communication from the virtual clone for the target device in the honey network to an external device through the target network environment.
24 Claims
1. A system, comprising:
a processor coupled to a memory, wherein the processor is configured to:
generate a device profile data store that includes a plurality of attributes of each of a plurality of devices in a target network environment;
instantiate a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store using a virtual clone manager, wherein the honey network is hosted by a cloud security service;
receive a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
detonate the malware sample executed on the virtual clone for the target device in the honey network; and
route an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the firewall device in the target network environment for proxying the external communication through the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
Dependent claims: 2-14.
15. A method, comprising:
storing a plurality of attributes of each of a plurality of devices in a target network environment in a device profile data store;
instantiating a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store, wherein the honey network is hosted by a cloud security service;
receiving a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
detonating the malware sample executed on the virtual clone for the target device in the honey network; and
routing an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the target network environment based on a honey network policy for proxying the external communication through the firewall device in the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
Dependent claims: 16-19.
20. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
storing a plurality of attributes of each of a plurality of devices in a target network environment in a device profile data store;
instantiating a virtual clone in a honey network of one or more devices in the target network environment based on a honey network policy and based on one or more attributes for a target device in the device profile data store, wherein the honey network is hosted by a cloud security service;
receiving a malware sample at the cloud security service for detonation on the virtual clone for the target device in the honey network, wherein the malware sample is based at least in part on a suspicious network communication destined for the target device in the target network environment that was detected at a firewall device in the target network environment;
detonating the malware sample executed on the virtual clone for the target device in the honey network;
detonating a malware sample executed on the virtual clone in the honey network; and
routing an external network communication that is initiated from the malware sample executed on the virtual clone for the target device in the honey network to an external device through the target network environment based on a honey network policy for proxying the external communication through the firewall device in the target network environment to the external device based on a honey network routing table that provides a mapping between a first IP address of the virtual clone and a second IP address of the target device, wherein the external communication from the malware sample is routed through the firewall device in the target network environment so that the external communication from the malware sample to the external device is from an external IP address assigned to an Internet-facing interface of the firewall device in the target network environment to appear to the external device to be associated with the target network environment as opposed to another IP address associated with the cloud security service facilitating the honey network, wherein the honey network routing table includes IP-based routing rules for integration of the target network environment with the honey network to indicate whether or not a communication from a compromised device to the target device should be redirected to the virtual clone in the honey network if the virtual clone that was previously instantiated is available, and wherein the external device is external to the target network environment and is external to the honey network.
Dependent claims: 21-24.
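The honey network routing table that claims 1, 15 and 20 describe, modelled as an added example (this is not code from the patent or its assignee): a clone-to-target IP mapping, IP-based rules deciding whether traffic from a compromised internal device to the target is diverted to an instantiated clone, and the egress rewrite that makes the clone's outbound traffic appear from the firewall's Internet-facing address. All addresses, the redirect rule and the class names are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses (not from the patent): target device, its virtual
# clone in the cloud-hosted honey network, the firewall's Internet-facing
# interface, and an external host the detonated sample calls out to.
TARGET_DEVICE_IP = "10.0.1.20"
CLONE_IP = "172.16.50.20"
FIREWALL_EXTERNAL_IP = "203.0.113.10"   # TEST-NET-3 documentation range
EXTERNAL_HOST_IP = "198.51.100.77"      # TEST-NET-2 documentation range


@dataclass
class HoneyNetworkRoutingTable:
    """Hypothetical model of the claimed routing table: a clone<->target IP
    mapping plus IP-based rules naming which internal sources are diverted."""
    clone_to_target: dict = field(default_factory=dict)   # clone IP -> target IP
    redirect_sources: list = field(default_factory=list)  # CIDRs whose traffic is diverted
    clones_available: set = field(default_factory=set)    # clone IPs currently instantiated

    def target_to_clone(self, target_ip):
        return next((c for c, t in self.clone_to_target.items() if t == target_ip), None)

    def inbound_decision(self, src_ip, dst_ip):
        """Traffic from a (possibly compromised) internal device to a target
        device is redirected only if a rule matches AND the clone exists."""
        src = ip_address(src_ip)
        clone = self.target_to_clone(dst_ip)
        rule_hit = any(src in ip_network(n) for n in self.redirect_sources)
        if rule_hit and clone in self.clones_available:
            return ("redirect", clone)
        return ("deliver", dst_ip)

    def outbound_rewrite(self, src_ip, dst_ip, firewall_external_ip):
        """Egress from a detonating clone is proxied via the mapped target
        device and the firewall, so the external peer sees the firewall's IP."""
        if src_ip not in self.clone_to_target:
            return None   # not clone traffic; nothing to proxy
        return {"via_target_device": self.clone_to_target[src_ip],
                "observed_src": firewall_external_ip, "dst": dst_ip}


def demo():
    table = HoneyNetworkRoutingTable(
        clone_to_target={CLONE_IP: TARGET_DEVICE_IP},
        redirect_sources=["10.0.2.0/24"],          # constructed: compromised segment
        clones_available={CLONE_IP})
    return (table.inbound_decision("10.0.2.5", TARGET_DEVICE_IP),
            table.inbound_decision("10.0.3.5", TARGET_DEVICE_IP),
            table.outbound_rewrite(CLONE_IP, EXTERNAL_HOST_IP, FIREWALL_EXTERNAL_IP))
```

Removing the clone from `clones_available` makes `inbound_decision` fall back to normal delivery, which is the "if the virtual clone that was previously instantiated is available" condition in the claims.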