Method and apparatus for security management via vicarious network devices

US 20020184528A1
Filed: 04/12/2002
Published: 12/05/2002
Est. Priority Date: 04/12/2001
Status: Active Grant

First Claim

Patent Images

1. An apparatus for security management in a data, voice, or video network comprising, in combination:

at least one vicarious device capable of automatically simulating at least one corresponding real device or transmission medium in said network;

at least one monitor for detecting when said network may be being attacked; and

at least one trigger for substituting at least one of said vicarious devices for said corresponding real device or transmission medium.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment of a method and apparatus for protecting data, voice, and video networks from individuals with malicious intent, a real network or network device has a vicarious simulated counterpart that may take the place of the real device or network upon appropriate triggering. The simulated counterpart behaves like the real device, but records the suspect transactions. The integrity of the real network or device is therefore continuously maintained because the suspect is isolated from the real network and the suspect transactions are not passed on to the actual device or network. The recorded transactions may then be analyzed for purposes of exposing the perpetrator, discovering perpetrator behavior patterns, and identifying device or network security weaknesses.

379 Citations

36 Claims

1. An apparatus for security management in a data, voice, or video network comprising, in combination:
- at least one vicarious device capable of automatically simulating at least one corresponding real device or transmission medium in said network;
  
  at least one monitor for detecting when said network may be being attacked; and
  
  at least one trigger for substituting at least one of said vicarious devices for said corresponding real device or transmission medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36)
- - 2. The apparatus of claim 1, wherein said monitor and said trigger are part of a control agent.
  - 3. The apparatus of claim 1, wherein said vicarious network device stores at least some received data into a perpetrator file.
  - 4. The apparatus of claim 3, further comprising an analysis agent for analyzing said stored data.
  - 5. The apparatus of claim 4, wherein said analysis agent looks for information useful in determining one or more sources of the attack.
  - 6. The apparatus of claim 4, wherein said analysis agent looks for information useful in determining one or mechanisms used in the attack.
  - 7. The apparatus of claim 1, wherein all traffic is diverted to said vicarious device.
  - 8. The apparatus of claim 7, further comprising a buffer to retain said traffic while said vicarious device is in operation and wherein said buffered traffic is sent from said buffer to said corresponding real device or transmission medium when said corresponding real device or transmission medium is returned to operation.
  - 9. The apparatus of claim 7, further comprising a mechanism to signal upstream devices to re-send said traffic when said corresponding real device or transmission medium is returned to operation.
  - 10. The apparatus of claim 1, wherein only suspect traffic is diverted to said vicarious device.
  - 11. The apparatus of claim 10, wherein suspect traffic is further defined as traffic falling into one or more specific traffic categories.
  - 12. The apparatus of claim 1, wherein said vicarious device is derived from, in combination:
    - a device dataset containing one or more variables having one or more instance values describing the behavior of said corresponding real device or transmission medium over time; and
      
      a characterization file created from said device dataset based on correlations among said variables and said instance values and used to generate one or more predicted instance values for said vicarious device.
  - 13. The apparatus of claim 12, wherein said device dataset contains only those variables and instance values actually used when said corresponding real device or transmission medium is under attack.
  - 14. The apparatus of claim 1, wherein said vicarious device and said corresponding real device or transmission medium are integrated with a management system.
  - 15. The apparatus of claim 1, wherein said vicarious device queries said corresponding real device or transmission medium for at least one actual device value or response for use in providing at least one value or response from said vicarious device.
  - 16. The apparatus of claim 1, wherein at least one command is sent to said corresponding real device or transmission medium from said vicarious device.
  - 17. The apparatus of claim 16, further comprising a trusted device that relays said at least one command from said vicarious network device to said corresponding real device or transmission medium.
  - 19. The method of claim 18, further comprising the step of storing at least some data received by said vicarious device.
  - 20. The method of claim 19, further comprising the step of examining said stored data.
  - 21. The method of claim 20, wherein said stored data is analyzed for information useful in identifying at least one source for the attack.
  - 22. The method of claim 20, wherein said stored data is analyzed for information useful in identifying at least one mechanism used in the attack.
  - 23. The apparatus of claim 18, wherein all traffic is diverted to said vicarious device.
  - 24. The apparatus of claim 23, further comprising the steps, in combination, of:
    - buffering said traffic while said vicarious device is in operation; and
      
      sending said buffered traffic to said corresponding real device or transmission medium when said corresponding real device or transmission medium is returned to operation.
  - 25. The apparatus of claim 23, further comprising the step of signaling upstream devices to re-send said traffic when said corresponding real device or transmission medium is returned to operation.
  - 26. The apparatus of claim 18, wherein only suspect traffic is diverted to said vicarious device.
  - 27. The apparatus of claim 26, further comprising the step of defining suspect traffic as traffic falling into at least one specific traffic category.
  - 28. The apparatus of claim 18, wherein said vicarious device is derived from a device dataset containing one or more variables having one or more instance values describing the behavior of said corresponding real device or transmission medium over time.
  - 29. The apparatus of claim 28, further comprising the steps, in combination of:
    - reducing a full device dataset to only those variables and instance values actually used when said corresponding real device or transmission medium is under attack; and
      
      creating said vicarious device from said reduced device dataset.
  - 30. The apparatus of claim 18, further comprising the step of integrating said vicarious device and said corresponding real device or transmission medium with a management system.
  - 31. The apparatus of claim 18, further comprising the steps, in combination, of:
    - sending at least one query from said simulated device to said corresponding real device or transmission medium to obtain at least one actual device value or response; and
      
      using at least one of said actual device values or responses to provide at least one value or response from said vicarious device.
  - 32. The apparatus of claim 18, further comprising the step of sending at least one command from said vicarious device to said corresponding real device or transmission medium.
  - 33. The apparatus of claim 32, further comprising the step of relaying said at least one command via a trusted device.
  - 35. The method of claim 34, wherein said step of capturing is performed by a management system.
  - 36. The method of claim 34, wherein said step of capturing is performed by capturing management packets with a network analyzer.

18. A method for security management in a data, voice, or video network comprising the steps, in combination, of:
- detecting when said network is being attacked; and
  
  substituting for said real device at least one vicarious device capable of automatically simulating at least one corresponding real device in said network.

34. A method for creating a simulator suitable for use in network security management comprising the steps, in combination, of:
- creating a full simulated version of a real device, said simulated device having a dataset containing data values corresponding to attributes of the real device;
  
  running the simulated device under simulated attack conditions;
  
  capturing the simulated device'"'"'s activity;
  
  determining which attributes were used;
  
  eliminating data values corresponding to unused attributes from the simulated device dataset to create a reduced dataset containing only data values corresponding to used attributes; and
  
  creating a new simulated device having the reduced dataset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Graham, Richard W., Lewis, Lundy M., Shevenell, Michael P.

Granted Patent

US 7,770,223 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/12 Applying verification of th...

H04L 63/1416 Event detection, e.g. attac...

Method and apparatus for security management via vicarious network devices

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

379 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for security management via vicarious network devices

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

379 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links