Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks
Abstract
Honey pots are used to attract computer attacks to a virtual operating system that is a virtual instantiation of a typical deployed operational system. Honey nets are a collection of these virtual systems assembled to create a virtual network. The subject system uses a forward deployed honey net combined with a parallel monitoring system collecting data into and from the honey net, leveraging the controlled environment to identify malicious behavior and new attacks. This honey net/monitoring pair is placed ahead of the real deployed operational network and the data it uncovers is used to reconfigure network protective devices in real time to prevent zero-day based attacks from entering the real network. The forward network protection system analyzes the data gathered by the honey pots and generates signatures and new rules for protection that are coupled to both advanced perimeter network security devices and to the real network itself so that these devices can be reconfigured with threat data and new rules to prevent infected packets from entering the real network and from propagating to other machines. Note the subject system applies to both zero-day exploit-based worms and also manual attacks conducted by an individual who is leveraging novel attack methods.
33 Claims
1. A method for protecting a real deployed network against zero-day worm-based attacks using infected data packets, comprising the steps of:
- forward-deploying a virtual network that operates similarly to the real network it is to protect, the virtual network coupled to a communications network;
- providing the virtual network with a honey pot algorithm designed to attract zero day-based worm attacks in which the honey pot application detects the presence of infected packets from a zero-day worm and provides raw data as to the operation of the virtual network;
- upon detection of activity within the virtual network that is unexpected, analyzing the raw data to generate threat data; and
- deploying an advanced perimeter security device coupled between the real network and the communications network to utilize the threat data to configure itself to block infected packets, whereby the real network is protected from zero day-based worm attacks.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for protecting a deployed operational network from a worm attack involving infected data packets, comprising:
- a forward network protection system coupled to the Internet, said forward network protection system including a honey net-based exploit detection protection system, said honey net-based system at least partially instantiating said real network;
- a network worm detection module within said forward network protection system for detecting a worm attack and for generating threat data based on the detected worm attack; and
- an advanced perimeter security device coupled to said Internet and to said threat data for blocking infected data packets from reaching said real network based on the generation of said threat data, whereby said forward network protection system detects a worm attack prior to infected data packets being coupled to said real network.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A false alarm-free system for protecting a deployed operational real network against a zero day-based worm attack, comprising:
- a forward network protection system including a virtual network that is at least a partial instantiation of said real network;
- a module within said forward network protection system that upon detection of infected data indicating the presence of a zero day-based worm, outputs threat data, said module operational to detect unexpected activity in said virtual network for detecting the presence of the zero-day worm attack; and
- a perimeter security device coupled to said threat data and to the Internet to block infected data packets associated with the detected zero-day worm from reaching said real network, whereby said forward network protection system relies on detection of unexpected activity in said virtual network that, because it is an instantiation of the real network, provides false alarm-free zero-day worm protection.
Dependent claims: 17, 18, 19.
20. A method for protecting a network from a zero-day worm attack, comprising the steps of:
- deploying a forward network protection system including a virtual network that is at least a partial instantiation of the real network;
- detecting processes running on the virtual network;
- analyzing the results of the processes run on the virtual network to detect unexpected activity;
- generating threat data to be used in blocking the infected packets that caused the unexpected activity; and
- responsive to the threat data, blocking the infected packets to prevent the infected packets from entering the real network.
21. A method for protecting computer networks against attacks including zero-day exploits and self-propagating worms, comprising the steps of:
- forward-deploying a virtual network that operates similarly to a real network it is to protect, the virtual network coupled to a communications network;
- configuring the virtual network as a honey net representative of the real network and designing the honey net representation to attract attacks;
- providing an adjacent monitoring system to detect the fact that a successful attack has occurred in the representative honey net;
- upon detection of activity within the virtual network that is unexpected, analyzing the raw data to generate threat data and defensive network device settings;
- providing the threat data and defensive network device settings to subscribing devices in the real network; and
- deploying an advanced perimeter security device coupled ahead of the real network to be protected to utilize the threat data or device settings provided by the honey net and monitoring system to configure itself to block infected packets, thereby protecting the real network.
Dependent claims: 22, 23, 24, 25, 26, 27, 28.
29. A system with radically reduced or eliminated false alarms for protecting a deployed operational real network against a zero day-based worm attack arriving over the Internet, comprising:
- a forward network protection system including a virtual network that is at least a partial instantiation of said real network;
- a module within said forward network protection system that upon detection of infected data indicating the presence of a zero day-based worm, outputs threat data and device settings, said module operational to detect unexpected activity in said virtual network for detecting the presence of the zero-day worm attack; and
- a perimeter security device coupled to said threat data and to the Internet to block infected data packets associated with the detected zero-day worm from reaching said real network, whereby said forward network protection system relies on detection of unexpected activity in said virtual network that, because it is an instantiation of the real network, provides reduced or eliminated false alarm zero-day worm protection.
Dependent claims: 30, 31, 32.
33. A method for protecting a network from a zero-day worm attack, comprising the steps of:
- deploying a forward network protection system including a virtual network that is at least a partial instantiation of the real network and an adjacent monitoring system;
- monitoring activity of processes running on the virtual network;
- analyzing incoming/outgoing traffic and the state of the virtual network to detect unauthorized activity; and
- responsive to the detection of unauthorized activity, blocking the associated infected packets.
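The pipeline that the abstract and claims 20, 21 and 33 describe (honey-net telemetry, detection of activity outside the virtual network's baseline, threat data, perimeter rules) can be modelled end to end in a few dozen lines. The following is an added illustration, not code from the patent or its assignee: the telemetry line format, the expected-activity baseline, the eight-byte payload signature and the `deny ...` rule syntax handed to the simulated perimeter device are all constructed for this example.

```python
"""Toy model of the forward-deployed honey net pipeline described in the patent.

Added illustration, not code from the patent or its assignee. The telemetry
format, the baseline of expected activity and the rule syntax handed to the
perimeter device are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Baseline of what the virtual (honey) network is supposed to do. The honey net
# has no legitimate users, so anything outside this baseline is treated as the
# "unexpected activity" the claims rely on.
EXPECTED_PORTS = {80, 443}              # services the honey net intentionally exposes
EXPECTED_PROCESSES = {"httpd", "sshd"}  # processes that normally run on the honey hosts
SIG_BYTES = 8                           # leading payload bytes covered by a signature

# Constructed honey-net telemetry, one event per line:
#   conn <source ip> <dest port> <hex of first payload bytes>
#   proc <honey host> <source ip of the session> <new process> <parent process>
HONEYNET_EVENTS = [
    "conn 203.0.113.7 80 474554202f20485454502f312e31",   # plain HTTP GET, expected
    "conn 198.51.100.23 445 ff534d4272000000deadbeef",    # port nothing on the honey net should use
    "proc vm-fileserver 198.51.100.23 cmd.exe httpd",     # web server spawning a shell
    "conn 198.51.100.23 445 ff534d4272000000deadbeef",    # same payload again (should de-duplicate)
    "conn 203.0.113.9 443 1603010200",                    # TLS client hello, expected
]


@dataclass(frozen=True)
class ThreatData:
    """What the monitoring system hands to the perimeter device."""
    source: Optional[str]
    port: Optional[int]
    signature: Optional[str]
    reason: str


def payload_signature(payload_hex: str) -> str:
    """Content signature: truncated SHA-256 of the first SIG_BYTES of the payload."""
    prefix = bytes.fromhex(payload_hex)[:SIG_BYTES]
    return hashlib.sha256(prefix).hexdigest()[:16]


def analyze(events: List[str]) -> List[ThreatData]:
    """Monitoring step: raw honey-net telemetry in, de-duplicated threat data out."""
    threats: List[ThreatData] = []
    for line in events:
        parts = line.split()
        if parts[0] == "conn":
            src, port, payload = parts[1], int(parts[2]), parts[3]
            if port in EXPECTED_PORTS:
                continue
            td = ThreatData(src, port, payload_signature(payload),
                            f"connection to unexpected port {port}")
        elif parts[0] == "proc":
            host, src, proc, parent = parts[1:5]
            if proc in EXPECTED_PROCESSES:
                continue
            td = ThreatData(src, None, None,
                            f"{parent} on {host} spawned unexpected process {proc}")
        else:
            continue
        if td not in threats:
            threats.append(td)
    return threats


def generate_rules(threats: List[ThreatData]) -> List[str]:
    """Turn threat data into perimeter settings (constructed 'deny' syntax)."""
    rules: List[str] = []
    for t in threats:
        if t.source:
            rules.append(f"deny src {t.source}")
        if t.signature:
            rules.append(f"deny payload-sig {t.signature}")
    return list(dict.fromkeys(rules))  # drop duplicates, keep first-seen order


def protect(events: List[str]) -> List[str]:
    """Whole pipeline: honey-net telemetry -> threat data -> perimeter rules."""
    return generate_rules(analyze(events))


def perimeter_blocks(rules: List[str], src: str, payload_hex: str) -> bool:
    """Simulated perimeter device: is this packet dropped before the real network?"""
    return (f"deny src {src}" in rules
            or f"deny payload-sig {payload_signature(payload_hex)}" in rules)


if __name__ == "__main__":
    for rule in protect(HONEYNET_EVENTS):
        print(rule)
```

Two design points matter here. The source-address rule alone gives no protection against the same worm arriving from a different host, so the content signature is the rule that actually carries over to the real network; the model shows this by blocking the known payload from an address the honey net never saw. And the eight-byte prefix signature is deliberately crude: it is enough to show the flow, but a deployed monitor would derive its signature from the bytes the exploit actually depends on, otherwise benign traffic that happens to share a prefix would be dropped at the perimeter.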