Network intrusion diversion using a software defined network
First Claim
1. A method for diverting a client device from a production device in a network, the method comprising:
- receiving, at a deception network device, an indication that a connection is suspicious, wherein the connection is a protocol-based network connection between the client device and the production device, and wherein the production device has an Internet Protocol (IP) address;
- stalling the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
- receiving a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
- determining a configuration of the production device;
- configuring the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
- requesting redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.
Abstract
Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker's computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer. If the hacker performs a horizontal scan of the network, additional flows are diverted to other decoy host emulators.
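To make the two-switch arrangement in the abstract concrete, here is an added simulation (not code from the patent or its assignee) of the controller's match tables: the physical switch's redirect rules and the virtual switch's egress gate, both keyed on (hacker IP, production IP, production port) so that a decoy carrying the production host's own IP never emits a colliding packet outside a diverted flow. The class and method names, the `vswitch:decoy@` label and all IP addresses are constructed for this example; the stall-and-reconnect step of the claims is assumed to have happened before `divert` is called.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DivertKey:
    """A diverted flow as the abstract defines it: hacker IP, production IP, production port."""
    hacker_ip: str
    production_ip: str
    production_port: int

    def matches(self, p: Packet) -> bool:
        # inbound: hacker -> production service; outbound: that service's replies to the hacker
        inbound = (p.src_ip == self.hacker_ip and p.dst_ip == self.production_ip
                   and p.dst_port == self.production_port)
        outbound = (p.src_ip == self.production_ip and p.src_port == self.production_port
                    and p.dst_ip == self.hacker_ip)
        return inbound or outbound


class DeceptionController:
    """Models both SDN switches in memory; a real deployment would push flow rules instead."""
    def __init__(self):
        self.diverted = set()  # physical switch: flows steered into the virtual network
        self.opened = set()    # virtual switch: flows the decoy is allowed to answer on

    def divert(self, hacker_ip: str, production_ip: str, port: int) -> DivertKey:
        """Command issued once a connection has been flagged suspicious."""
        key = DivertKey(hacker_ip, production_ip, port)
        self.diverted.add(key)
        self.opened.add(key)
        return key

    def physical_switch(self, p: Packet) -> str:
        """Forwarding decision for a packet arriving on the production side."""
        if any(k.matches(p) for k in self.diverted):
            return f"vswitch:decoy@{p.dst_ip}"  # the decoy carries the production IP itself
        return "production"

    def virtual_switch_egress(self, p: Packet) -> bool:
        """Default drop: because the decoy shares the production IP, only opened flows leave."""
        return any(k.matches(p) for k in self.opened)

    def on_horizontal_scan(self, hacker_ip: str, probed_ips, port: int) -> list:
        """Hacker pivots to other hosts: divert those flows to further decoys."""
        return [self.divert(hacker_ip, ip, port) for ip in probed_ips]
```

Note that a second client talking to the same production IP, or the hacker reaching a port that was not diverted, still lands on the production host; the diversion is per flow, not per host.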
30 Claims
1. A method for diverting a client device from a production device in a network (independent claim; text reproduced under First Claim above; dependent claims 2-11).

12. A network deception system comprising:
- one or more processors; and
- a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
  - receiving an indication that a connection is suspicious, wherein the connection is a protocol-based network connection between a client device and a production device in a network, and wherein the production device has an Internet Protocol (IP) address;
  - stalling the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
  - receiving a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
  - determining a configuration of the production device;
  - configuring the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
  - requesting redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.

Dependent claims 13-21.

22. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receive an indication that a connection is suspicious, wherein the connection is a protocol-based connection between a client device and a production device in a network, and wherein the production device has an Internet Protocol (IP) address;
- stall the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
- receive a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
- determine a configuration of the production device;
- configure the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
- request redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.

Dependent claims 23-30.