System and method for analyzing unauthorized intrusion into a computer network
Abstract
The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases.
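The pipeline the abstract describes (forensic records from the decoy, a signature-generation step, and an intrusion-prevention check on later traffic), as an added illustration that is not the patent's own implementation. The record fields, the longest-common-substring signature method, the minimum pattern length and the sample payloads are all assumptions constructed for this example.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class ForensicRecord:
    """One intercepted attack as the forensic database might store it (assumed fields)."""
    decoy_port: int
    src_ip: str
    payload: bytes

@dataclass(frozen=True)
class Signature:
    port: int       # decoy service port the attack hit
    pattern: bytes  # byte string common to every captured payload
    sig_id: str     # stable identifier derived from port and pattern

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming longest common substring over raw bytes."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def generate_signature(records, min_len: int = 8):
    """Signature-generation step: reduce same-port forensic records to their common bytes.
    Returns None for fewer than two samples, mixed ports, or a common part shorter than
    min_len (a short pattern would make the IPS block benign traffic)."""
    ports = {r.decoy_port for r in records}
    if len(records) < 2 or len(ports) != 1:
        return None
    common = records[0].payload
    for rec in records[1:]:
        common = longest_common_substring(common, rec.payload)
        if len(common) < min_len:
            return None
    port = ports.pop()
    sig_id = hashlib.sha256(port.to_bytes(2, "big") + common).hexdigest()[:16]
    return Signature(port, common, sig_id)

def matches(sig: Signature, port: int, payload: bytes) -> bool:
    """Intrusion-prevention check applied to subsequent traffic."""
    return port == sig.port and sig.pattern in payload

# Constructed sample records: two probes of the decoy's port 80 sharing one marker
# but differing in source address and a per-attempt nonce.
SAMPLE_RECORDS = [
    ForensicRecord(80, "203.0.113.5", b"HELO decoy\r\nX-PROBE: MARKER-7731\r\nnonce=4f2a\r\n"),
    ForensicRecord(80, "198.51.100.9", b"HELO decoy\r\nX-PROBE: MARKER-7731\r\nnonce=91c0\r\n"),
]
```

Real deployments would add whitelisting and traffic-volume checks before any generated signature is pushed to an inline blocking device.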
282 Citations
23 Claims
1. A method for analyzing unauthorized intrusion into a computer network, the method comprising:
- allowing access to an apparently vulnerable virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
- using an introspection module comprising a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
- generating forensic data on the network attack from the attack-identifying information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A system for analyzing unauthorized intrusion into a computer network, the system comprising:
- a virtualized operating system module comprising:
  - a hypervisor operating system comprising:
    - at least one virtualized decoy operating system;
    - a virtual-machine-based rootkit configured to intercept a network attack on the virtualized operating system, wherein the network attack includes transmission of attack-identifying information; and
- a processing module electrically coupled to the introspection module via a network interface communication channel, wherein the processing module comprises:
  - a database configured to store forensic data on the network attack.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21

22. A computing device configured for analyzing unauthorized intrusion into a computer network, the device comprising:
- a processor; and
- memory coupled to the processor, wherein the memory comprises procedures for:
  - allowing access to a virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
  - using an introspection module running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
  - generating forensic data on the network attack from the attack-identifying information.
Dependent claims: 23
Specification