Network intrusion diversion using a software defined network

US 10,193,924 B2
Filed: 09/08/2015
Issued: 01/29/2019
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method for diverting a client device from a production device in a network, the method comprising:

receiving, at a deception network device, an indication that a connection is suspicious, wherein the connection is a protocol-based network connection between the client device and the production device, and wherein the production device has an Internet Protocol (IP) address;

stalling the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;

receiving a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;

determining a configuration of the production device;

configuring the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and

requesting redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker'"'"'s computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer. If the hacker performs a horizontal scan of the network, additional flows are diverted to other decoy host emulators.

30 Citations

30 Claims

1. A method for diverting a client device from a production device in a network, the method comprising:
- receiving, at a deception network device, an indication that a connection is suspicious, wherein the connection is a protocol-based network connection between the client device and the production device, and wherein the production device has an Internet Protocol (IP) address;
  
  stalling the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
  
  receiving a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
  
  determining a configuration of the production device;
  
  configuring the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
  
  requesting redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the connection is stalled on behalf of the production device.
  - 3. The method of claim 1, wherein, after configuring the host emulator, both the host emulator and the product device are configured with the IP address.
  - 4. The method of claim 1, wherein a physical switch connects the network with a virtual switch, wherein the host emulator is connected to the virtual switch, and wherein the physical switch determines whether to forward packets for the IP address to the network or the virtual switch.
  - 5. The method of claim 4, further comprising:
    - configuring the physical switch to divert packets sent by the client device, wherein a packet for the IP address that is sent by the client device is diverted to the virtual switch, wherein a packet for the IP address that is sent by a different client device is forwarded to the network, and wherein the physical switch is configured in response to receiving the indication that the connection is suspicious.
  - 6. The method of claim 1, wherein the host emulator is a virtual machine, and wherein configuring the host emulator includes configuring the virtual machine to emulate a portion of an operating system used by the production device and to emulate a portion of a service provided by the production device.
  - 7. The method of claim 1, wherein the connection is stalled in response to determining that the connection has not been terminated.
  - 8. The method of claim 1, wherein configuring the host emulator includes configuring the host emulator to respond to address resolution requests directed to the IP address.
  - 9. The method of claim 1, wherein redirection of the second connection does not use network address translation.
  - 10. The method of claim 1, wherein the host emulator emulates an interface profile of the production device, wherein an internal view of the interface profile is a same view as an external view of the interface profile, wherein the external view is visible from the network, and wherein the internal view is visible when logged in to the host emulator.
  - 11. The method of claim 1, further comprising:
    - configuring a virtual switch to accept packets from the client device and to direct the packets to the host emulator, wherein requesting redirection includes sending a request to a physical switch to redirect the reconnection request to the virtual switch, and wherein the virtual switch directs the reconnection request to the host emulator.

12. A network deception system comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  receiving an indication that a connection is suspicious, wherein the connection is a protocol-based network connection between a client device and a production device in a network, and wherein the production device has an Internet Protocol (IP) address;
  
  stalling the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
  
  receiving a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
  
  determining a configuration of the production device;
  
  configuring the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
  
  requesting redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The network deception system of claim 12, wherein the connection is stalled on behalf of the production device.
  - 14. The network deception system of claim 12, wherein, after configuring the host emulator, both the host emulator and the product device are configured with the IP address.
  - 15. The network deception system of claim 12, wherein a physical switch connects the network with a virtual switch, wherein the host emulator is connected to the virtual switch, and wherein the physical switch determines whether to forward packets for the IP address to the network or the virtual switch.
  - 16. The network deception system of claim 15, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - configuring the physical switch to divert packets sent by the client device, wherein a packet for the IP address that is sent by the client device is diverted to the virtual switch, wherein a packet for the IP address that is sent by a different client device is forwarded to the network, and wherein the physical switch is configured in response to receiving the indication that the connection is suspicious.
  - 17. The network deception system of claim 12, wherein the host emulator is a virtual machine, and wherein configuring the host emulator includes configuring the virtual machine to emulate a portion of an operating system used by the production device and to emulate a portion of a service provided by the production device.
  - 18. The network deception system of claim 12, wherein the connection is stalled in response to determining that the connection has not been terminated.
  - 19. The network deception system of claim 12, wherein configuring the host emulator includes configuring the host emulator to respond to address resolution requests directed to the IP address.
  - 20. The network deception system of claim 12, wherein redirection of the reconnection request does not use network address translation.
  - 21. The network deception system of claim 12, wherein the host emulator emulates an interface profile of the production device, wherein an internal view of the interface profile is a same view as an external view of the interface profile, wherein the external view is visible from the network, and wherein the internal view is visible when logged in to the host emulator.

22. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receive an indication that a connection is suspicious, wherein the connection is a protocol-based connection between a client device and a production device in a network, and wherein the production device has an Internet Protocol (IP) address;
  
  stall the connection to divert communications over the connection to a decoy host on a host emulator, wherein the connection is stalled in response to receiving the indication, wherein stalling causes the client device to terminate the connection;
  
  receive a reconnection request for the client device to reconnect to the production device, wherein the reconnection request is received after the connection is stalled;
  
  determine a configuration of the production device;
  
  configure the host emulator using the configuration, wherein configuring the host emulator includes assigning the IP address of the production device to the decoy host, and wherein, when configured, the decoy host has a similar hardware and software configuration as the production device; and
  
  request redirection of the reconnection request to the host emulator, wherein requesting redirection facilitates a second connection between the client device and the host emulator, and wherein the host emulator enables an appearance of a successful intrusion into the production device by the second connection.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The computer-program product of claim 22, wherein the connection is stalled on behalf of the production device.
  - 24. The computer-program product of claim 22, wherein, after configuring the host emulator, both the host emulator and the product device are configured with the IP address.
  - 25. The computer-program product of claim 22, wherein a physical switch connects the network with a virtual switch, wherein the host emulator is connected to the virtual switch, and wherein the physical switch determines whether to forward packets for the IP address to the network or the virtual switch.
  - 26. The computer-program product of claim 25, further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - configure the physical switch to divert packets sent by the client device, wherein a packet for the IP address that is sent by the client device is diverted to the virtual switch, wherein a packet for the IP address that is sent by a different client device is forwarded to the network, and wherein the physical switch is configured in response to receiving the indication that the connection is suspicious.
  - 27. The computer-program product of claim 22, wherein the connection is stalled in response to determining that the connection has not been terminated.
  - 28. The computer-program product of claim 22, wherein configuring the host emulator configuring the host emulator to respond to address resolution requests directed to the IP address.
  - 29. The computer-program product of claim 22, wherein redirection of the second connection does not use network address translation.
  - 30. The computer-program product of claim 22, wherein the host emulator emulates an interface profile of the production device, wherein an internal view of the interface profile is a same view as an external view of the interface profile, wherein the external view is visible from the network, and wherein the internal view is visible when logged in to the host emulator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Acalvio Technologies, Inc.
Inventors
Wu, Johnson L., Hart, Catherine V., Versola, Leo R., Winsborrow, Eric
Primary Examiner(s)
Lesniewski, Victor

Application Number

US14/847,470
Publication Number

US 20160080415A1
Time in Patent Office

1,239 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1491 using deception as counterm...

Network intrusion diversion using a software defined network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Network intrusion diversion using a software defined network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links