System and method for analyzing unauthorized intrusion into a computer network

US 20080016570A1
Filed: 04/20/2007
Published: 01/17/2008
Est. Priority Date: 05/22/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for analyzing unauthorized intrusion into a computer network, the method comprising:

allowing access to an apparently vulnerable virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;

using an introspection module comprising a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and

generating forensic data on the network attack from the attack-identifying information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module'"'"'s relational databases.

282 Citations

23 Claims

1. A method for analyzing unauthorized intrusion into a computer network, the method comprising:
- allowing access to an apparently vulnerable virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
  
  using an introspection module comprising a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
  
  generating forensic data on the network attack from the attack-identifying information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - generating an attack signature from the forensic data; and
      
      providing the attack signature to an intrusion prevention system configured to control access to a protected network using the attack signature to identify subsequent attacks.
  - 3. The method of claim 2, further comprising controlling access to the protected network using the attack signature.
  - 4. The method of claim 2, wherein the attack signature is automatically generated by the system without human intervention.
  - 5. The method of claim 1, further comprising, before the allowing, opening a port on the virtualized decoy operating system through which the network attack is made.
  - 6. The method of claim 1, further comprising:
    - allowing access to an additional virtualized decoy operating system running on the hypervisor operating system;
      
      using the virtual-machine-based rootkit module to intercept an additional network attack on the additional virtualized operating system, wherein the additional network attack includes additional attack-identifying information; and
      
      generating additional forensic data on the additional network attack from the additional attack-identifying information.
  - 7. The method of claim 6, further comprising:
    - generating an additional attack signature from the additional forensic data; and
      
      providing the additional attack signature to an intrusion prevention system configured to control access to a protected network using the attack-identifying information.
  - 8. The method of claim 1, wherein the virtualized decoy operating system and the additional virtualized decoy operating system are different types of operating systems.
  - 9. The method of claim 1, wherein said forensic data is generated based on an attack payload including keystrokes, ASCII, or binary files.
  - 10. The method of claim 1, wherein the attack forensics are generated if an attacker is able to successfully gain access to the virtualized decoy operating system.
  - 11. The method of claim 1, further comprising providing a report of said network attack to a network administrator.
  - 12. The method of claim 1, further comprising storing the attack forensics in a database.

13. A system for analyzing unauthorized intrusion into a computer network, the system comprising:
- a virtualized operating system module comprising;
  
  a hypervisor operating system comprising;
  
  at least one virtualized decoy operating system;
  
  a virtual-machine-based rootkit configured to intercept a network attack on the virtualized operating system, wherein the network attack includes transmission of attack-identifying information; and
  
  a processing module electrically coupled to the introspection module via a network interface communication channel, wherein the processing module comprises;
  
  a database configured to store forensic data on the network attack.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, wherein the processing module further comprises an attack signature-generation engine configured to generate an attack signature from the forensic data on the network attack, wherein attack signatures may be generated on a timescale ranging from near-immediate to several minutes after initiation of an attack.
  - 15. The system of claim 14, wherein the processing module further comprises a web-based visualization interface that facilitates configuration of the system and forensic analysis of captured attack information by administrators.
  - 16. The system of claim 15, further comprising an intrusion prevention system electrically coupled to the signature-generation engine.
  - 17. The system of claim 13, wherein the intrusion detection system is configured to prevent unauthorized intrusion into a protected computer network.
  - 18. The system of claim 13, wherein the network interface communication channel is a private channel.
  - 19. The system of claim 13, wherein the virtualized operating system module includes multiple virtualized decoy operating systems on the hypervisor operating system.
  - 20. The system of claim 13, wherein the attack forensics are based on an attack payload including keystrokes or ASCII or binary files.
  - 21. The system of claim 13, wherein the virtualized operating system module and the processing module are contained in memory on the same or separate computing devices that each includes a processor.

22. A computing device configured for analyzing unauthorized intrusion into a computer network, the device comprising:
- a processor; and
  
  memory coupled to the processor, wherein the memory comprises procedures for;
  
  allowing access to a virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
  
  using an introspection module running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
  
  generating forensic data on the network attack from the attack-identifying information.
- View Dependent Claims (23)
- - 23. The computing device of claim 22, further comprising a web-based visualization module comprising procedures for:
    - analyzing forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module'"'"'s relational databases; and
      
      configuring the system, wherein an administrator can tune the system'"'"'s behavior, including its pattern matching facilities, as well as automate the system'"'"'s response to attack-identifying information captured by the introspection module and automate its response to forensic data generated by the signature-generation engine and any information stored on the processing module'"'"'s relational databases.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alen Capalik
Original Assignee
Alen Capalik
Inventors
Capalik, Alen

Application Number

US11/788,795
Publication Number

US 20080016570A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2123   Dummy operation

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for analyzing unauthorized intrusion into a computer network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

282 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for analyzing unauthorized intrusion into a computer network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

282 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links