Distributed network security deception system
Abstract
A computer-network security system and method including the steps of providing a deception to a network intruder on the computer-network, monitoring a response of the network intruder to the deception, detecting the network intruder based upon the response of the network intruder to the deception, collecting data regarding the network intruder, and acting on the data regarding the network intruder to protect the computer-network. This system includes a deception unit, an interception unit, a detection unit, a notification unit, a receiving unit, a database unit, a watching unit and a management unit. Also disclosed are deception methods for protecting a network, and a graphical display system which permits operators to rapidly assess an attack and take corrective action.
444 Citations
54 Claims
1. A method for providing security on a computer-network, comprising the steps of:
- providing a deception to a network intruder on the computer-network;
- monitoring a response of the network intruder to the deception;
- detecting the network intruder based upon the response of the network intruder to the deception;
- collecting data regarding the network intruder; and
- acting on the data regarding the network intruder to protect the computer-network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26

21. A method for detecting an intruder on a computer-network with access to a public network, comprising the steps of:
- deceiving the intruder regarding the function, designation or data contents of a deception unit;
- gathering data on the intruder as the intruder attempts to access the function, designation or data contents of the deception unit; and
- outputting the data on the intruder to a receiving unit.

22. A method for protecting a computer-network once an intruder has been detected, comprising the steps of:
- deceiving the intruder regarding the function, designation or data contents of a deception unit;
- permitting the intruder to access the deceptive function, designation or data contents of the deception unit; and
- gathering data on the intruder as the intruder accesses the deceptive function, designation or data contents of the deception unit.
Dependent claims: 28, 29, 30, 31

27. A system for protecting a computer-network connected to a public network from network intruders, comprising:
- a management unit;
- a sub-network connected to the management unit, the sub-network being separate from the protected computer-network and configured to communicate commands and data to and from the management unit;
- a deception unit coupled to the management unit by the sub-network and accessible from the public network;
- an interception unit coupled to the computer-network and coupled to the management unit by the sub-network;
- a database management unit coupled to the protected computer-network and configured to store data regarding network intruders;
- a receiver unit coupled to the management unit by the sub-network and configured to receive data from any one or all of the deception unit, interception unit, and notification unit, and communicate received data to the database management unit for storage; and
- a reconnaissance unit coupled to the public network outside the computer-network and coupled to the management unit by the sub-network.

32. A security system for protecting a computer-network connected to a public network from intruders, comprising:
- means for deceiving intruders as to the function, designation or content of a machine and providing an output of information regarding intruders' interactions with the means for deceiving, the means for deceiving being coupled to the computer-network and accessible by the public network;
- means for detecting intruders based upon information provided in the output of the means for deceiving intruders, the means for detecting intruders being coupled to the computer network and configured to provide an output of data regarding detected intruders;
- means for receiving the output of data regarding detected intruders provided by the means for detecting intruders;
- means for storing data coupled to the means for receiving the output of data regarding detected intruders; and
- means for managing the security system coupled to each of the means for deceiving intruders, detecting intruders, receiving the output of data and storing data.
Dependent claims: 33, 34, 36, 37, 38, 39, 40

35. A computer readable data storage medium having program code recorded thereon for the automated detection of a network intruder on a computer-network connected to a public network, the program code comprising:
- a first program code that masquerades as a device or network function which the network intruder is likely to seek out, detects the network intruder by monitoring attempts to access the masqueraded device or network function, gathers information on the network intruder and outputs the information on the network intruder;
- a second program code that receives the outputted information on the network intruder, and acts upon the outputted information on the network intruder by issuing commands to protect the computer-network; and
- a third program code that receives and executes the commands from the second program code.

41. A system for providing security on a computer-network, comprising:
- a management component for managing the system;
- a deception component for deceiving network intruders and providing an output comprising data on actions taken by the network intruder, the deception component being coupled to the management unit and to the computer network;
- a receiving component for receiving the output from the deception component and providing an output of data, the receiving component being coupled to the deception component, and the management component; and
- a data collection component for receiving the data output from the receiving component, storing data and providing stored data to the receiving component and/or the management component, the data collection component being coupled to the receiving unit and to the management component.
Dependent claims: 42, 43, 44, 45, 47, 48, 49, 50

46. A method for providing security for a computer network against network intruders, comprising the steps of:
- monitoring the network for intruder activities;
- calculating a threat level for the computer network based on the monitored intruder activities; and
- acting on the calculated threat level to protect the computer network.
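The pipeline the independent claims describe (claims 1, 27, 35 and 46: a deception unit that emits data only when a masqueraded function is touched, a receiving unit that stores it, and a management unit that calculates a threat level and acts on it), shown as an added illustrative example that is not part of the patent. The decoy names, weights, thresholds and action names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names/weights, not from the patent):
# each decoy masquerades as a service or file an intruder is likely to seek out.
DECOY_WEIGHTS = {
    "decoy-ssh-2222": 2,            # fake administrative login service
    "decoy-share-finance": 3,       # fake file share holding no real data
    "decoy-file-passwords.txt": 5,  # planted "credentials" file
}

@dataclass(frozen=True)
class Event:
    source: str  # who touched the decoy, e.g. a source address
    decoy: str   # which masqueraded function or data was accessed
    action: str  # what was attempted ("connect", "read", ...)

def deception_unit(source, target, action):
    """Deception unit: emit an event only when a decoy is touched; real
    services are not in DECOY_WEIGHTS, so normal traffic yields nothing."""
    return Event(source, target, action) if target in DECOY_WEIGHTS else None

class ReceivingUnit:
    """Receiving unit plus database unit: stores events per source."""
    def __init__(self):
        self.db = defaultdict(list)
    def receive(self, event):
        if event is not None:
            self.db[event.source].append(event)

def threat_level(events):
    """Management unit scoring: sum decoy weights, counting each (decoy,
    action) pair once so repeated probing of one decoy is not over-counted."""
    seen = {(e.decoy, e.action) for e in events}
    return sum(DECOY_WEIGHTS[decoy] for decoy, _ in seen)

def management_action(level, block_at=5, watch_at=2):
    """Act on the threat level: escalate from watching to isolating."""
    if level >= block_at:
        return "block-source"
    return "watch-source" if level >= watch_at else "no-action"

def run(observations):
    """Wire the units together; observations are (source, target, action)."""
    receiver = ReceivingUnit()
    for source, target, action in observations:
        receiver.receive(deception_unit(source, target, action))
    return {src: management_action(threat_level(evs))
            for src, evs in receiver.db.items()}
```

Because a decoy has no legitimate users, any event it emits is a high-confidence signal; the weights only decide how quickly the management unit escalates.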

51. A method for providing security for a computer network against network intruders, comprising the steps of:
- monitoring the computer network for an intruder's activities;
- providing a visual display of the intruder's activities that permits interaction between the network security operator and the intruder; and
- providing a graphical display of the intruder's current activities and historical activities collected over a period of time.
Dependent claims: 52, 53, 54

Specification