Deception using distributed threat detection
First Claim
1. A method by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the method comprising:
- receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload;
- determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet;
- identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and
- redirecting the data packet to the deception point in the first data network, the deception point:
  - getting the data packet;
  - emulating an application providing the service;
  - producing a response to the data packet using the emulating and the data packet; and
  - providing the response to the first workload such that the response appears to originate from the second workload.
Abstract
Methods and systems for deception using distributed threat detection are provided. Exemplary methods by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, include: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network.
20 Claims
1. Independent claim; full text given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the enforcement point comprising:
- at least one hardware processor; and
- a memory coupled to the at least one hardware processor, the memory storing instructions executable by the at least one hardware processor to perform a method comprising:
  - receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload;
  - determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet;
  - identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and
  - redirecting the data packet to the deception point in the first data network, the deception point:
    - getting the data packet;
    - emulating an application providing the service;
    - producing a response to the data packet using the emulating and the data packet; and
    - providing the response to the first workload such that the response appears to originate from the second workload.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
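The claims describe a pipeline: the enforcement point classifies a packet using part of its 5-tuple, picks a deception point by the requested service, and the deception point emulates that service and answers with the second workload's address so the first workload cannot tell it reached a decoy. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The topology (10.20.0.0/16 as the second data network, 10.99.0.0/16 as the first), the authorized-flow table, the port-to-service map, the decoy banners and the choice to drop a packet when no decoy exists for the requested service are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology for this example (not from the patent text):
# the second data network (10.20.0.0/16) holds production workloads; the
# first data network (10.99.0.0/16) holds the deception points; the
# enforcement point sits in the path and serves nothing in the second network.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str           # "tcp" or "udp"
    payload: bytes = b""


# Authorized flows keyed on (src_ip, dst_ip, proto, dst_port): the part of the
# 5-tuple the enforcement point consults. Any other packet aimed at a protected
# workload is treated as unauthorized access. Constructed entries.
AUTHORIZED_FLOWS = {
    ("10.20.1.10", "10.20.1.20", "tcp", 443),   # web tier -> api tier
    ("10.20.1.20", "10.20.1.30", "tcp", 5432),  # api tier -> database
}

# Service requested, by destination port (constructed subset).
SERVICE_BY_PORT = {22: "ssh", 80: "http", 443: "https", 5432: "postgres"}


@dataclass(frozen=True)
class DeceptionPoint:
    address: str     # address in the first data network
    service: str

    def emulate(self, pkt: Packet) -> bytes:
        """Emulate the application for `service` and build a reply to pkt."""
        if self.service == "ssh":
            return b"SSH-2.0-OpenSSH_8.9\r\n"           # banner-style greeting
        if self.service in ("http", "https"):
            return b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
        if self.service == "postgres":
            return b"E\x00\x00\x00\x0cSFATAL\x00\x00"   # minimal ErrorResponse stand-in
        return b""


# One decoy per service, all addressed in the first data network (constructed).
DECEPTION_POINTS = {
    "ssh":      DeceptionPoint("10.99.0.22", "ssh"),
    "http":     DeceptionPoint("10.99.0.80", "http"),
    "https":    DeceptionPoint("10.99.0.80", "https"),
    "postgres": DeceptionPoint("10.99.0.54", "postgres"),
}


@dataclass(frozen=True)
class Decision:
    action: str                                   # "forward", "redirect" or "drop"
    deception_point: Optional[DeceptionPoint] = None
    response: Optional[Packet] = None             # reply returned to the first workload


def is_unauthorized(pkt: Packet) -> bool:
    """Claim step: decide from part of the 5-tuple, never from the payload."""
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port) not in AUTHORIZED_FLOWS


def identify_deception_point(pkt: Packet) -> Optional[DeceptionPoint]:
    """Claim step: select the decoy by the service the packet requests."""
    service = SERVICE_BY_PORT.get(pkt.dst_port)
    return DECEPTION_POINTS.get(service) if service else None


def enforce(pkt: Packet) -> Decision:
    """Enforcement-point pipeline for one packet from the second data network."""
    if not is_unauthorized(pkt):
        return Decision("forward")
    decoy = identify_deception_point(pkt)
    if decoy is None:
        # Assumption for this example: no decoy for the service, so drop.
        return Decision("drop")
    reply = decoy.emulate(pkt)
    # The reply is sourced from the second workload's own address and port, so
    # to the first workload it appears to originate from the second workload.
    response = Packet(src_ip=pkt.dst_ip, src_port=pkt.dst_port,
                      dst_ip=pkt.src_ip, dst_port=pkt.src_port,
                      proto=pkt.proto, payload=reply)
    return Decision("redirect", decoy, response)


if __name__ == "__main__":
    # Constructed probe: the web tier reaching for SSH on the database host.
    probe = Packet("10.20.1.10", 51001, "10.20.1.30", 22, "tcp", b"SSH-2.0-client\r\n")
    d = enforce(probe)
    print(d.action, d.deception_point.address, d.response.src_ip, d.response.payload)
```

The key design point is that `is_unauthorized` never inspects the payload: the classification is made from addresses, protocol and port alone, which is what lets the enforcement point decide before the connection is established. The decoy's reply then carries the original destination's address, so a redirected flow looks identical to a forwarded one from the sender's side, while the enforcement point's `redirect` decisions form the detection signal a defender would log and alert on.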