Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems

US 20070271614A1
Filed: 07/17/2006
Published: 11/22/2007
Est. Priority Date: 05/22/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a protecting a primary computer network with automatic signature generation for intrusion detection and intrusion prevention systems, comprising:

providing a decoy network connection on a primary computer network to a decoy operating system comprising a functional operating system hosted on a monitoring/intercept module;

intercepting a network attack on said primary computer network using a sentinel kernal driver coupled with said functional operating system wherein said network attack comprises attack-identifying information;

processing said attack identifying information using a processing module in a second computer network to identify said network attack and generate an attack signature; and

,applying said attack signature to a library of signatures contained in an intrusion detection system or intrusion prevention system on said primary computer network to control access to said primary computer network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network. The front-end presents a standard fully functional operating system that is a decoy so that the instigator of an attack is lead to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernal driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network based attacks including zero-day attacks.

Citations

20 Claims

1. A method for a protecting a primary computer network with automatic signature generation for intrusion detection and intrusion prevention systems, comprising:
- providing a decoy network connection on a primary computer network to a decoy operating system comprising a functional operating system hosted on a monitoring/intercept module;
  
  intercepting a network attack on said primary computer network using a sentinel kernal driver coupled with said functional operating system wherein said network attack comprises attack-identifying information;
  
  processing said attack identifying information using a processing module in a second computer network to identify said network attack and generate an attack signature; and
  
  ,applying said attack signature to a library of signatures contained in an intrusion detection system or intrusion prevention system on said primary computer network to control access to said primary computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - providing a second decoy network connection on said primary computer network to a second decoy operating system wherein said decoy operating system and said second decoy operating system are different operating systems and wherein said second decoy operating system comprises a second functional operating system hosted on a second monitoring/intercept module.
  - 3. The method of claim 1 wherein said attack signature is generated based on an attack payload including keystrokes or ASCII or binary files.
  - 4. The method of claim 1 wherein the said attack signature is generated if an attacker communicates with a port.
  - 5. The method of claim 1 wherein the said attack signature is generated if an attacker is able to successfully gain access to said decoy operating system.
  - 6. The method of claim 1 providing a report of said network attack to an administrator.
  - 7. The method of claim 1 wherein said attack signature is maintained in a database.

8. A system for a protecting a primary computer network with automatic signature generation for intrusion detection and intrusion prevention systems, comprising:
- a decoy hosted on a primary computer network wherein said decoy is configured to provide a decoy operating system over a decoy network connection and wherein said decoy operating system comprises a functional operating system hosted on a monitoring/intercept module;
  
  a sentinel kernal driver coupled with said functional operating system wherein said sentinel is configured to intercept a network attack on said primary computer network wherein said network attack comprises attack identifying information;
  
  a processing module comprising a processor wherein said processing module is hosted in a second computer network and wherein said processing module is configured to identify an attack and generate an attack signature from said attack identifying information; and
  
  ,said processing module further configured to apply said attack signature to a library of signatures contained in an intrusion detection system or intrusion prevention system on said primary computer network to control access to said primary computer network.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8 further comprising:
    - a second decoy operating system on said primary computer network wherein said decoy operating system and said second decoy operating system are different operating systems and wherein said second decoy operating system comprises a second functional operating system hosted on a second monitoring/intercept module.
  - 10. The system of claim 8 wherein said attack signature is generated based on an attack payload including keystrokes or ASCII or binary files.
  - 11. The system of claim 8 wherein said attack signatures are maintained in a database.
  - 12. The system of claim 8 where the primary network comprises one or more protected network devices comprising at least one server.
  - 13. The system of claim 8 where said attack signature is automatically generated based on said attack identifying information.

14. A system for protecting a primary computer network having a library of signatures comprising:
- means for providing a decoy network connection on a primary computer network to a decoy operating system comprising a functional operating system hosted on a monitoring/intercept module;
  
  means for intercepting a network attack on said primary computer network using a sentinel kernal driver coupled with said functional operating system wherein said network attack comprises attack-identifying information;
  
  means for processing said attack identifying information using a processing module in a second computer network to identify said network attack and generate an attack signature; and
  
  ,means for applying said attack signature to a library of signatures contained in an intrusion detection system or intrusion prevention system on said primary computer network to control access to said primary computer network.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14 further comprising:
    - means for providing a second decoy network connection on said primary computer network to a second decoy operating system wherein said decoy operating system and said second decoy operating system are different operating systems and wherein said second decoy operating system comprises a second functional operating system hosted on a second monitoring/intercept module.
  - 16. The system of claim 14 wherein said attack signature is generated based on an attack payload including keystrokes or ASCII or binary files.
  - 17. The system of claim 14 wherein said attack signature is maintained in a database.
  - 18. The system of claim 14 wherein the said attack signature is generated if an attacker communicates with a port.
  - 19. The system of claim 14 wherein the said attack signature is generated if an attacker is able to successfully gain access to said decoy operating system.
  - 20. The system of claim 14 providing a report of said network attack to an administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GoSecure, Inc.
Original Assignee
Countertack Incorporated
Inventors
Capalik, Alen

Granted Patent

US 8,429,746 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/1491 using deception as counterm...

Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links