Deception using distributed threat detection

US 10,091,238 B2
Filed: 03/02/2017
Issued: 10/02/2018
Est. Priority Date: 02/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the method comprising:

receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload;

determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet;

identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and

redirecting the data packet to the deception point in the first data network, the deception point;

getting the data packet;

emulating an application providing the service;

producing a response to the data packet using the emulating and the data packet; and

providing the response to the first workload such that the response appears to originate from the second workload.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for deception using distributed threat detection are provided. Exemplary methods by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, include: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network.

227 Citations

20 Claims

1. A method by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the method comprising:
- receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload;
  
  determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet;
  
  identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and
  
  redirecting the data packet to the deception point in the first data network, the deception point;
  
  getting the data packet;
  
  emulating an application providing the service;
  
  producing a response to the data packet using the emulating and the data packet; and
  
  providing the response to the first workload such that the response appears to originate from the second workload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the deception point is at least one of a bare-metal server and virtual machine.
  - 3. The method of claim 1, wherein the deception point further performs a method comprising:
    - getting an image for an application;
      
      creating an instance of the application in a container using the image, the creating including;
      
      producing the container using the image;
      
      allocating a filesystem of a host operating system to the container;
      
      adding a read-write layer to the image; and
      
      launching a process specified by the image; and
      
      monitoring behavior from the processing, the monitoring including intercepting library calls, function calls, messages, and events from the container.
  - 4. The method of claim 1, wherein the redirecting includes using a tunnel to forward the data packet to the deception point.
  - 5. The method of claim 1, wherein the determining includes comparing the at least some of the 5-tuple of the data packet to a low-level rule set.
  - 6. The method of claim 5, wherein the low-level rule set is produced using a high-level policy.
  - 7. The method of claim 1, wherein the determining comprises analyzing the data packet using predefined attack signatures.
  - 8. The method of claim 1, wherein the providing the response to the first workload includes sending the response through the enforcement point.
  - 9. The method of claim 1, wherein the providing the response to the first workload includes using network address translation to send the response.
  - 10. The method of claim 1, wherein the first data network and the second data network are in the same logical subnetwork and in different physical networks.

11. An enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the enforcement point comprising:
- at least one hardware processor; and
  
  a memory coupled to the at least one hardware processor, the memory storing instructions executable by the at least one hardware processor to perform a method comprising;
  
  receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload;
  
  determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet;
  
  identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and
  
  redirecting the data packet to the deception point in the first data network, the deception point;
  
  getting the data packet;
  
  emulating an application providing the service;
  
  producing a response to the data packet using the emulating and the data packet; and
  
  providing the response to the first workload such that the response appears to originate from the second workload.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The enforcement point of claim 11, wherein the deception point is at least one of a bare-metal server and virtual machine.
  - 13. The enforcement point of claim 11, wherein the deception point further performs a method comprising:
    - getting an image for an application;
      
      creating an instance of the application in a container using the image, the creating including;
      
      producing the container using the image;
      
      allocating a filesystem of a host operating system to the container;
      
      adding a read-write layer to the image; and
      
      launching a process specified by the image; and
      
      monitoring behavior from the processing, the monitoring including intercepting library calls, function calls, messages, and events from the container.
  - 14. The enforcement point of claim 11, wherein the redirecting includes using a tunnel to forward the data packet to the deception point.
  - 15. The enforcement point of claim 11, wherein the determining includes comparing the at least some of the 5-tuple of the data packet to a low-level rule set.
  - 16. The enforcement point of claim 15, wherein the low-level rule set is produced using a high-level security policy.
  - 17. The enforcement point of claim 11, wherein the determining comprises analyzing the data packet using predefined attack signatures.
  - 18. The enforcement point of claim 11, wherein the providing the response to the first workload includes sending the response through the enforcement point.
  - 19. The enforcement point of claim 11, wherein the providing the response to the first workload includes using network address translation to send the response.
  - 20. The enforcement point of claim 11, wherein the first data network and the second data network are in the same logical subnetwork and in different physical networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw, Woolward, Marc, Liu, Zhiping, Hou, Cheng-Lin, Williamson, Matthew M., Cheng, Yi Hung, Hsu, Chien Yang, Tseng, Hsin Tien
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US15/448,581
Publication Number

US 20170180421A1
Time in Patent Office

579 Days
Field of Search

726 1, 726 22, 713165, 713168
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Deception using distributed threat detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

227 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Deception using distributed threat detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links