Responsive deception mechanisms
First Claim
1. A method performed by a deception system on a network, comprising:
configuring a network interface of the deception system with a list of Media Access Control (MAC) addresses and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each IP address and associated MAC address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
receiving a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
determining that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
identifying a deception mechanism from a plurality of deception mechanisms hosted by the deception system, wherein the deception mechanism emulates a network device;
starting up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
configuring the deception mechanism to respond to the packet;
providing the packet to the deception mechanism;
transmitting a response generated by the deception mechanism onto the network;
receiving a second packet from the network, wherein the second packet is addressed to the deception mechanism;
determining an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
modifying a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
Abstract
Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data.
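The steps of claim 1 and the abstract describe one control flow: address deceptions (IP/MAC pairs) answer address-level requests such as ARP directly at the interface; a packet that needs more than an address answer causes an emulated device to be started and configured on demand, and later packets to that device are classified for intent and the emulation is reconfigured to carry the interaction on. The following Python simulation is an added example, not the patent's or any vendor's code. The Packet fields, the port-to-service mapping, the banners, the addresses and the attacker sequence are all constructed for illustration.

```python
"""Added simulation of the responsive deception flow (not the patent's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a parsed frame; field names are this example's own."""
    proto: str                    # "arp", "icmp" or "tcp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    flags: str = ""               # TCP flags: "S" = SYN, "PA" = PSH/ACK
    payload: bytes = b""


# Hypothetical port-to-service table used to read intent from a connection attempt.
SERVICE_PORTS = {22: "ssh", 80: "http"}


def classify_intent(pkt: Packet) -> str:
    """Infer what the sender wants from the packet contents (the claim's 'intent')."""
    if pkt.proto == "icmp":
        return "ping"
    if pkt.proto == "tcp" and pkt.flags == "S":
        return "connect:" + SERVICE_PORTS.get(pkt.dst_port, "closed")
    if pkt.proto == "tcp" and pkt.payload.startswith(b"SSH-"):
        return "ssh-handshake"
    if pkt.proto == "tcp" and pkt.payload.split(b" ")[0] in (b"GET", b"HEAD", b"POST"):
        return "http-request"
    return "unknown"


@dataclass
class DeceptionMechanism:
    """Emulated network device; exists only once a packet needs more than ARP."""
    ip: str
    mac: str
    running: bool = False
    open_ports: set = field(default_factory=set)
    banners: dict = field(default_factory=dict)

    def start(self) -> None:
        self.running = True

    def configure(self, intent: str, pkt: Packet) -> None:
        """Adjust the emulation so it can perform the interaction the intent implies."""
        if intent.startswith("connect:") and not intent.endswith("closed"):
            self.open_ports.add(pkt.dst_port)
        elif intent == "ssh-handshake":
            self.banners[pkt.dst_port] = b"SSH-2.0-OpenSSH_7.4\r\n"          # constructed banner
        elif intent == "http-request":
            self.banners[pkt.dst_port] = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>login</html>"

    def respond(self, intent: str, pkt: Packet) -> dict:
        assert self.running, "mechanism must be started before it can respond"
        reply = {"src_ip": self.ip, "src_mac": self.mac, "dst_ip": pkt.src_ip, "intent": intent}
        if intent == "ping":
            reply["proto"], reply["type"] = "icmp", "echo-reply"
        elif intent.startswith("connect:"):
            reply["proto"] = "tcp"
            reply["flags"] = "SA" if pkt.dst_port in self.open_ports else "RA"
        elif intent in ("ssh-handshake", "http-request"):
            reply["proto"], reply["flags"] = "tcp", "PA"
            reply["payload"] = self.banners[pkt.dst_port]
        else:
            reply["proto"], reply["flags"] = "tcp", "RA"   # unknown intent: refuse, stay quiet
        return reply


class DeceptionSystem:
    def __init__(self, address_deceptions: dict):
        self.address_deceptions = dict(address_deceptions)   # IP -> MAC (address deceptions)
        self.mechanisms = {}                                 # IP -> running emulated device

    def handle(self, pkt: Packet) -> Optional[dict]:
        mac = self.address_deceptions.get(pkt.dst_ip)
        if mac is None:
            return None                       # not addressed to a deception: ignore
        if pkt.proto == "arp":
            # Address-level request: adopt the IP/MAC pair at the interface and answer directly.
            return {"proto": "arp", "src_ip": pkt.dst_ip, "src_mac": mac, "dst_ip": pkt.src_ip}
        # Anything more needs an emulated device; start one only when first required.
        mech = self.mechanisms.get(pkt.dst_ip)
        if mech is None:
            mech = DeceptionMechanism(ip=pkt.dst_ip, mac=mac)
            mech.start()
            self.mechanisms[pkt.dst_ip] = mech
        intent = classify_intent(pkt)
        mech.configure(intent, pkt)           # reconfigure according to the observed intent
        return mech.respond(intent, pkt)


def demo():
    """Constructed attacker sequence against two address deceptions; returns (system, replies)."""
    ds = DeceptionSystem({"10.0.0.50": "02:00:00:00:00:50", "10.0.0.51": "02:00:00:00:00:51"})
    a = "10.0.0.9"
    seq = [
        Packet("arp", a, "10.0.0.50"),
        Packet("icmp", a, "10.0.0.50"),
        Packet("tcp", a, "10.0.0.50", 22, "S"),
        Packet("tcp", a, "10.0.0.50", 22, "PA", b"SSH-2.0-OpenSSH_8.9\r\n"),
        Packet("tcp", a, "10.0.0.50", 445, "S"),
        Packet("tcp", a, "10.0.0.77", 80, "S"),
    ]
    return ds, [ds.handle(p) for p in seq]
```

In the sequence, the ARP request is answered without any mechanism existing; the ICMP echo is the first packet that "requires more than information about a MAC address or an IP address", so that is when the emulated device for 10.0.0.50 is started, while 10.0.0.51 never gets one. The SYN to port 22 opens that port on the emulation and the client's SSH banner reconfigures it with a server banner, matching the claim's second-packet intent step. One practical point the simulation makes visible: the device is started synchronously inside the first non-ARP response, so a real implementation has to keep that start-up fast or the first-reply latency differs from later replies.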
36 Claims
1. (Independent claim; text given under First Claim above.) Dependent claims: 2-12.
13. A network deception system on a network, comprising:
one or more processors; and
a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
configuring a network interface of the network deception system with a list of Media Access Control (MAC) and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each MAC address and associated IP address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the network deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
receiving a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
determining that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
identifying a deception mechanism from a plurality of deception mechanisms hosted by the network deception system, wherein the deception mechanism emulates a network device;
starting up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
configuring the deception mechanism to respond to the packet, wherein configuring includes:
providing the packet to the deception mechanism;
transmitting a response generated by the deception mechanism onto the network;
receiving a second packet from the network, wherein the second packet is addressed to the deception mechanism;
determining an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
modifying a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
Dependent claims: 14-24.
25. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors of a deception system on a network, cause the one or more processors to:
configure a network interface of the deception system with a list of Media Access Control (MAC) addresses and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each MAC address and associated IP address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
receive a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
determine that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
identify a deception mechanism from a plurality of deception mechanisms hosted by the deception system, wherein the deception mechanism emulates a network device;
start up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
configure the deception mechanism to respond to the packet, wherein configuring includes:
provide the packet to the deception mechanism;
transmit a response generated by the deception mechanism onto the network;
receive a second packet from the network, wherein the second packet is addressed to the deception mechanism;
determine an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
modify a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
Dependent claims: 26-36.