Mechanism for concealing application and operation system identity

US 10,412,116 B1
Filed: 05/25/2017
Issued: 09/10/2019
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises;

obtaining, by the computing system, an unmodified operating system that is compatible with a first computing device and a second computing device of the computing system;

modifying, by the computing system, in a first manner, unmodified version of the operating system to form a first modified version of the operating system;

modifying, by the computing system, in a second manner, the unmodified version of the operating system to form a second modified version of the operating system, wherein;

(1) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system sets a respective implementation-dependent parameter of response messages, which conform to a communication protocol, to a different value under same conditions, and/or(2) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system produces respective response messages in which same sets of two or more implementation-dependent parameters are sequenced in a different order;

installing, by the computing system, the first modified version of the operating system in a first instance of the VM; and

installing, by the computing system, the second modified version of the operating system in a second instance of the VM;

deploying, by the computing system, the first instance of the VM on the first computing device of the computing system;

deploying, by the computing system, the second instance of the VM on the second computing device of the computing system;

setting, by the first modified version of the operating system deployed on the first computing device of the computing system, the implementation-dependent parameter to a first value;

setting, by the second modified version of the operating system deployed on the second computing device of the computing system, the implementation-dependent parameter to a second value that is different from the first value;

generating, by the first modified version of the operating system deployed on the first computing device of the computing system, a first message that conforms to the communication protocol, the first message including the first value of the implementation-dependent parameter;

generating, by the second modified version of the operating system deployed on the second computing device of the computing system, a second message that conforms to the communication protocol, the second message including the second value of the implementation-dependent parameter;

sending, by the first modified version of the operating system, from the first computing device of the computing system, the first message to a remote device; and

sending, by the second modified version of the operating system, from the second computing device of the computing system, the second message to the remote device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes providing, by a computing system, first randomized configuration information, generating, by the computing system and based on the first randomized configuration information, a first unique instance of a software component, providing second randomized configuration information, wherein the second randomized configuration information is different from the first randomized configuration information, and generating, based on the second randomized configuration information, a second unique instance of the software component that is executable on the runtime computing system. The first and second unique instances of the software component comprise different instances of the same software component that each are configured to have uniquely different operating characteristics during execution on the runtime computing system, and the first and second unique instances of the software component are each further configured, during execution on the runtime computing system, to output false information to an external computing system.

58 Citations

View as Search Results

18 Claims

1. A method comprising:
- initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises;
  
  obtaining, by the computing system, an unmodified operating system that is compatible with a first computing device and a second computing device of the computing system;
  
  modifying, by the computing system, in a first manner, unmodified version of the operating system to form a first modified version of the operating system;
  
  modifying, by the computing system, in a second manner, the unmodified version of the operating system to form a second modified version of the operating system, wherein;
  
  (1) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system sets a respective implementation-dependent parameter of response messages, which conform to a communication protocol, to a different value under same conditions, and/or(2) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system produces respective response messages in which same sets of two or more implementation-dependent parameters are sequenced in a different order;
  
  installing, by the computing system, the first modified version of the operating system in a first instance of the VM; and
  
  installing, by the computing system, the second modified version of the operating system in a second instance of the VM;
  
  deploying, by the computing system, the first instance of the VM on the first computing device of the computing system;
  
  deploying, by the computing system, the second instance of the VM on the second computing device of the computing system;
  
  setting, by the first modified version of the operating system deployed on the first computing device of the computing system, the implementation-dependent parameter to a first value;
  
  setting, by the second modified version of the operating system deployed on the second computing device of the computing system, the implementation-dependent parameter to a second value that is different from the first value;
  
  generating, by the first modified version of the operating system deployed on the first computing device of the computing system, a first message that conforms to the communication protocol, the first message including the first value of the implementation-dependent parameter;
  
  generating, by the second modified version of the operating system deployed on the second computing device of the computing system, a second message that conforms to the communication protocol, the second message including the second value of the implementation-dependent parameter;
  
  sending, by the first modified version of the operating system, from the first computing device of the computing system, the first message to a remote device; and
  
  sending, by the second modified version of the operating system, from the second computing device of the computing system, the second message to the remote device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the communication protocol is a Transport Control Protocol (TCP), and wherein the implementation-dependent parameter is one of:
    - an initial packet size parameter, an initial time to live parameter, a window size parameter, a maximum segment size parameter, a window scaling value parameter, a ‘
      
      don'"'"'t fragment’
      
      flag parameter, a ‘
      
      sackOK’
      
      flag parameter, or a ‘
      
      nop’
      
      flag parameter.
  - 3. The method of claim 1, wherein modifying the unmodified version of the operating system in the first manner to form the first modified version of the operating system comprises:
    - selecting, by the computing system, from a plurality of available software modules for the communication protocol, a particular software module; and
      
      configuring, by the computing system, the first modified version of the operating system to use the particular software module for the communication protocol instead of a default software module used by the unmodified version of the operating system for the communication protocol.
  - 4. The method of claim 1, wherein modifying the unmodified version of the operating system in the first manner to form the first modified version of the operating system comprises determining, by the computing system, a value on a pseudorandom basis, andwherein setting the value of the implementation-dependent parameter comprises determining, by the first modified version of the operating system, the value of the implementation-dependent parameter based on the value determined by the computing system on the pseudorandom basis.
  - 5. The method of claim 1, further comprising:
    - receiving, by the first instance of the VM deployed on the first computing device, from the remote device, a request conforming to the communication protocol; and
      
      in response to receiving the request, setting, by the first modified version of the operating system, the value of the implementation-dependent parameter.
  - 6. The method of claim 1, wherein generating the first message comprises generating, by the first modified version of the operating system, the first message such that the message includes the implementation-dependent parameter at a position relative to other implementation-dependent parameters different from a position at which the unmodified version of the operating system generates the implementation-dependent parameter relative to the other implementation-dependent parameters.

7. A computing system comprising:
- a development computing system comprising a first set of one or more processors; and
  
  a runtime computing system comprising a second set of one or more processors configured to implement a plurality of environments,wherein the first set of one or more processors of the development computing system is configured to;
  
  initialize a virtual machine (VM), wherein to initialize the VM, the first set of one or more processors being configured to;
  
  obtain an unmodified operating system that is compatible with a first environment and a second environment of the plurality of environments implemented by the runtime computing system;
  
  modify, in a first manner, unmodified version of an operating system to form a first modified version of the operating system;
  
  modify, in a second manner the unmodified version of the operating system, to form a second modified version of the operating system, wherein;
  
  (1) each of the first modified version of the operating system, the second modified version of the operating system and the unmodified version of the operating system sets a respective implementation-dependent parameter of response messages, which conform to a communication protocol, to a different value under same conditions, and/or(2) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system produces respective response messages in which same sets of two or more implementation-dependent parameters are sequenced in a different order;
  
  install the modified version of the operating system in the VM; and
  
  install the second modified version of the operating system in a second instance of the VM;
  
  deploy the first instance of the VM on the first environment of the plurality of environments implemented on the runtime computing system;
  
  deploy the second instance of the VM on the second environment of the plurality of environments implemented on the runtime computing system,wherein the first modified version of the operating system deployed on the first environment implemented on the runtime computing system is configured to cause the second set of one or more processors to;
  
  set the implementation-dependent parameter to a first value;
  
  generate a first message that conforms to the communication protocol, the first message including the first value of the implementation-dependent parameter; and
  
  send the first message to a remote device, andwherein the second modified version of the operating system deployed on the second environment implemented on the runtime computing system is configured to cause the second set of one or more processors to;
  
  set the implementation-dependent parameter to a second value that is different from the first value;
  
  generate a second message that conforms to the communication protocol, the second message including the second value of the implementation-dependent parameter; and
  
  send the second message to the remote device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computing system of claim 7, wherein the communication protocol is a Transport Control Protocol (TCP), and wherein the implementation-dependent parameter is one of:
    - an initial packet size parameter, an initial time to live parameter, a window size parameter, a maximum segment size parameter, a window scaling value parameter, a ‘
      
      don'"'"'t fragment’
      
      flag parameter, a ‘
      
      sackOK’
      
      flag parameter, or a ‘
      
      nop’
      
      flag parameter.
  - 9. The computing system of claim 7, wherein the development computing system is configured such that, as part of modifying the unmodified version of the operating system to form the first modified version of the operating system, the development computing system:
    - selects, from a plurality of available software modules for the communication protocol, a particular software module; and
      
      configures the first modified version of the operating system to use the particular software module for the communication protocol instead of a default software module used by the unmodified version of the operating system for the communication protocol.
  - 10. The computing system of claim 7, wherein:
    - the development computing system is configured such that, as part of modifying the unmodified version of the operating system in first manner to form the first modified version of the operating system, the development computing system determines a value on a pseudorandom basis, andthe first modified version of the operating system running on the first environment implemented on the runtime computing system is configured to determine the value of the implementation-dependent parameter based on the value determined on the pseudorandom basis.
  - 11. The computing system of claim 7, wherein:
    - the first modified version of the operating system is configured to receive, from the remote device, a request conforming to the communication protocol, andin response to receiving the request, the first modified version of the operating system sets the value of the implementation-dependent parameter.
  - 12. The computing system of claim 7, wherein the first modified version of the operating system is configured such that, as part of generating the first message, the first modified version of the operating system includes, in the first message, the implementation-dependent parameter at a position relative to other implementation-dependent parameters different from a position at which the unmodified version of the operating system generates the implementation-dependent parameter relative to the other implementation-dependent parameters.

13. A non-transitory computer-readable data storage medium having instructions stored thereon that, when executed, cause one or more processors of a computing system to:
- initialize a virtual machine (VM), wherein as part of causing the computing system to initialize the VM, the instructions cause the one or more processors of the computing system to;
  
  obtain an unmodified operating system that is compatible with a first computing device and a second computing device of the computing system;
  
  modify the unmodified version of the operating system in a first manner to form a first modified version of the operating system;
  
  modify, in a second manner, the unmodified version of the operating system to form a second modified version of the operating system, wherein;
  
  (1) each of the first modified version of the operating system, the second modified version of the operating system and the unmodified version of the operating system sets a respective implementation-dependent parameter of response messages, which conform to a communication protocol, to a different value under same conditions, and/or(2) each of the first modified version of the operating system, the second modified version of the operating system, and the unmodified version of the operating system produces respective response messages in which same sets of two or more implementation-dependent parameters are sequenced in a different order;
  
  install the first modified version of the operating system in a first instance of the VM;
  
  install the first modified version of the operating system in a first instance of the VM; and
  
  deploy the first instance of the VM on first computing device of the computing system;
  
  deploy the second instance of the VM on the second computing device of the computing system;
  
  set, by the first modified version of the operating system deployed on the first computing device of the computing system, the implementation-dependent parameter to a first value;
  
  set, by the second modified version of the operating system deployed on the second computing device of the computing system, the implementation-dependent parameter to a second value that is different from the first value;
  
  generate, by the first modified version of the operating system deployed on the first computing device of the computing system, a first message that conforms to the communication protocol, the first message including the first value of the implementation-dependent parameter;
  
  generate, by the second modified version of the operating system deployed on the second computing device of the computing system, a second message that conforms to the communication protocol, the second message including the second value of the implementation-dependent parameter;
  
  send, by the first modified version of the operating system, from the first computing device of the computing system, the first message to a remote device; and
  
  send, by the second modified version of the operating system, from the second computing device of the computing system, the second message to the remote device.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable data storage medium of claim 13, wherein the communication protocol is a Transport Control Protocol (TCP), and wherein the implementation-dependent parameter is one of:
    - an initial packet size parameter, an initial time to live parameter, a window size parameter, a maximum segment size parameter, a window scaling value parameter, a ‘
      
      don'"'"'t fragment’
      
      flag parameter, a ‘
      
      sackOK’
      
      flag parameter, or a ‘
      
      nop’
      
      flag parameter.
  - 15. The non-transitory computer-readable data storage medium of claim 13, wherein as part of causing the computing system to modify the unmodified version of the operating system to form the first modified version of the operating system, the instructions cause the one or more processors of the computing system to:
    - select, from a plurality of available software modules for the communication protocol, a particular software module; and
      
      configure the first modified version of the operating system to use the particular software module for the communication protocol instead of a default software module used by the unmodified version of the operating system for the communication protocol.
  - 16. The non-transitory computer-readable data storage medium of claim 13, wherein:
    - as part of causing the computing system to modify the unmodified version of the operating system to form the modified version of the operating system, the instructions cause the one or more processors of the computing system to determine a value on a pseudorandom basis, andthe first modified version of the operating system is configured to determine the value of the implementation-dependent parameter based on the value determined on the pseudorandom basis.
  - 17. The non-transitory computer-readable data storage medium of claim 13, wherein:
    - the first modified version of the operating system is configured to receive, from the remote device, a request conforming to the communication protocol; and
      
      in response to receiving the request, the first modified version of the operating system sets the value of the implementation-dependent parameter.
  - 18. The non-transitory computer-readable data storage medium of claim 13, wherein the first modified version of the operating system is configured such that, as part of generating the first message, the first modified version of the operating system includes, in the first message, the implementation-dependent parameter at a position relative to other implementation-dependent parameters different from a position at which the unmodified version of the operating system generates the implementation-dependent parameter relative to the other implementation-dependent parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Powers, Judson, Joyce, Robert A., McArdle, Daniel
Primary Examiner(s)
Truong, Lechi

Application Number

US15/604,973
Time in Patent Office

838 Days
Field of Search

719313
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45595   Network integration; Enabli...

G06F 8/60   Software deployment

G06F 9/445   Program loading or initiati...

G06F 9/44505   Configuring for program ini...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/546   Message passing systems or ...

H04L 63/1491   using deception as counterm...

H04L 67/34   involving the movement of s...

Mechanism for concealing application and operation system identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Mechanism for concealing application and operation system identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others