Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks

US 20080098476A1
Filed: 03/30/2006
Published: 04/24/2008
Est. Priority Date: 04/04/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for protecting a real deployed network against zero-day worm-based attacks using infected data packets, comprising the steps of:

forward-deploying a virtual network that operates similarly to the real network it is to protect, the virtual network coupled to a communications network;

providing the virtual network with a honey pot algorithm designed to attract zero day-based worm attacks in which the honey pot application detects the presence of infected packets from a zero-day worm and provides raw data as to the operation of the virtual network;

upon detection of activity within the virtual network that is unexpected, analyzing the raw data to generate threat data; and

, deploying an advanced perimeter security device coupled between the real network and the communications network to utilize the threat data to configure itself to block infected packets, whereby the real network is protected from zero day-based worm attacks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Honey pots are used to attract computer attacks to a virtual operating system that is a virtual instantiation of a typical deployed operational system. Honey nets are a collection of these virtual systems assembled to create a virtual network. The subject system uses a forward deployed honey net combined with a parallel monitoring system collecting data into and from the honey net, leveraging the controlled environment to identify malicious behavior and new attacks. This honey net/monitoring pair is placed ahead of the real deployed operational network and the data it uncovers is used to reconfigure network protective devices in real time to prevent zero-day based attacks from entering the real network. The forward network protection system analyzes the data gathered by the honey pots and generates signatures and new rules for protection that are coupled to both advanced perimeter network security devices and to the real network itself so that these devices can be reconfigured with threat data and new rules to prevent infected packets from entering the real network and from propagating to other machines. Note the subject system applies to both zero-day exploit-based worms and also manual attacks conducted by an individual who is leveraging novel attack methods.

Citations

33 Claims

1. A method for protecting a real deployed network against zero-day worm-based attacks using infected data packets, comprising the steps of:
- forward-deploying a virtual network that operates similarly to the real network it is to protect, the virtual network coupled to a communications network;
  
  providing the virtual network with a honey pot algorithm designed to attract zero day-based worm attacks in which the honey pot application detects the presence of infected packets from a zero-day worm and provides raw data as to the operation of the virtual network;
  
  upon detection of activity within the virtual network that is unexpected, analyzing the raw data to generate threat data; and
  
  , deploying an advanced perimeter security device coupled between the real network and the communications network to utilize the threat data to configure itself to block infected packets, whereby the real network is protected from zero day-based worm attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, and further including the step of providing the real network with at least one protection application and coupling the threat data to, the protection application to reconfigure the protection application to block infected data packets that get through the advanced perimeter security device, thereby to offer a further layer of protection to the real network.
  - 3. The method of claim 1, and further including the step of pre-processing the data from the communications network utilizing a simple perimeter detection device that outputs partially filtered data and couples the partially filtered data to the virtual network.
  - 4. The method of claim 3, and further including the step of providing threat data from the virtual network to the simple perimeter protection device to configure the perimeter protection device to block infected data packets.
  - 5. The method of claim 1, wherein the threat data is taken from the class consisting of new rules, settings, tables, signatures and patterns that characterize infected data packets.
  - 6. The method of claim 1, wherein the advanced perimeter security device includes a firewall and further including the step of setting the firewall parameters to block infected data packets based on the threat data.
  - 7. The method of claim 1, wherein the honey pot application attracts zero-day worm infected data packets by supplying the honey pot application with IP addresses that are not used by the real network, the detection of data packets addressing an unused IP address indicating a worm attack.
  - 8. The method of claim 7, wherein the number of unused IP addresses is at least an order of magnitude greater in number than the number of IP addresses used in the real network, whereby the probability in an automatic zero-day worm attack involving scanning IP addresses is that it is more likely that the scanning will generate an unused IP address than to generate a used IP address, thereby to permit the forward-based virtual network to detect a zero-based worm attack prior to the processing of infected data packets by the real network.

9. A system for protecting a deployed operational network from a worm attack involving infected data packets, comprising:
- a forward network protection system coupled to the Internet, said forward network protection system including a honey net-based exploit detection protection system, said honey net-based system at least partially instantiating said real network;
  
  a network worm detection module within said forward network protection system for detecting a worm attack and for generating threat data based on the detected worm attack; and
  
  , an advanced perimeter security device coupled to said Internet and to said threat data for blocking infected data packets from reaching said real network based on the generation of said threat data, whereby said forward network protection system detects a worm attack prior to infected data packets being coupled to said real network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein said advanced perimeter security device includes a firewall and wherein said threat data is used to set said firewall to block infected data packets from the Internet from reaching said real network.
  - 11. The system of claim 10, wherein said real network includes a protection application and wherein said threat data is coupled to said protection application to reconfigure said protection application to block the corresponding infected data packets.
  - 12. The system of claim 11, and further including a perimeter protection device interposed between the Internet and said forward network protection system for at least partially filtering data from the Internet prior to coupling said filtered data to said forward network protection system, thereby to reduce the workload on said forward network protection system.
  - 13. The system of claim 12, and further including a circuit for coupling said threat data to said perimeter protection device to configure said perimeter protection device to block infected data packets.
  - 14. The system of claim 9, and further including a number of unused IP addresses coupled to said honey net-based system and a monitor coupled to the output of said honey net-based system for analyzing the raw data therefrom when an unused address is accessed by incoming data packets, and for generating said threat data responsive thereto.
  - 15. The system of claim 14, wherein said real network has a number of used addresses and wherein said number of unused addresses is at least on an order of magnitude larger in number than the number of said used addresses.

16. A false alarm-free system for protecting a deployed operational real network against a zero day-based worm attack, comprising:
- a forward network protection system including a virtual network that is at least a partial instantiation of said real network;
  
  a module within said forward network protection system that upon detection of infected data indicating the presence of a zero day-based worm, outputs threat data, said module operational to detect unexpected activity in said virtual network for detecting the presence of the zero-day worm attack; and
  
  , a perimeter security device coupled to said threat data and to the Internet to block infected data packets associated with the detected zero-day worm from reaching said real network, whereby said forward network protection system relies on detection of unexpected activity in said virtual network that, because it is an instantiation of the real network, provides false alarm-free zero-day worm protection.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein said forward network protection system provides a controlled environment for the analysis of data packets from the Internet.
  - 18. The system of claim 17, wherein said controlled environment consists of the running of processes within said virtual network, the results of which are used only to generate said threat data.
  - 19. The system of claim 16, wherein said threat data is taken from the group consisting of new rules, settings, tables, signatures and patterns that characterize infected data packets.

20. A method for protecting a network from a zero-day worm attack, comprising the steps of:
- deploying a forward network protection system including a virtual network that is at least a partial instantiation of the real network;
  
  detecting processes running on the virtual network;
  
  analyzing the results of the processes run on the virtual network to detect unexpected activity;
  
  generating threat data to be used in blocking the infected packets that caused the unexpected activity; and
  
  , responsive to the threat data, blocking the infected packets to prevent the infected packets from entering the real network.

21. A method for protecting computer networks against attacks including zero-day exploits and self-propagating worms, comprising the steps of:
- forward-deploying a virtual network that operates similarly to a real network it is to protect, the virtual network coupled to a communications network;
  
  configuring the virtual network as a honey net representative of the real network and designing the honey net representation to attract attacks;
  
  providing an adjacent monitoring system to detect the fact that a successful attack has occurred in the representative honey net;
  
  upon detection of activity within the virtual network that is unexpected, analyzing the raw data to generate threat data and defensive network device settings;
  
  providing the threat data and defensive network device settings to subscribing devices in the real network; and
  
  , deploying an advanced perimeter security device coupled ahead of the real network to be protected to utilize the threat data or device settings provided by the honey net and monitoring system to configure itself to block infected packets, thereby protecting the real network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein the subscribing devices include at least one protection application, and further including the step of coupling the threat data to the protection application to reconfigure the protection application to block infected data packets that get through the advanced perimeter security device, thereby to offer a further layer of protection to the real network.
  - 23. The method of claim 21, and further including the step of pre-processing the data from the communications network utilizing a simple perimeter detection device that outputs partially filtered data and couples the partially filtered data to the virtual network.
  - 24. The method of claim 23, wherein the perimeter security device is taken from the group consisting of intrusion detection/prevention systems, firewalls and routers.
  - 25. The method of claim 21, wherein the threat data is taken from the class consisting of new rules, settings, tables, signatures and patterns that characterize infected data packets.
  - 26. The method of claim 21, wherein the advanced perimeter security device includes devices taken from the group of firewalls, packet-inspection systems and intrusion detection/prevention systems, and further including the step of setting the device parameters to block infected data packets based on the threat data.
  - 27. The method of claim 21, wherein the honey net attracts zero-day worm infected data packets by supplying the honey net with IP addresses that are not used by the real network, thereby to attract attackers to the virtual network.
  - 28. The method of claim 27, wherein the number of unused IP addresses is at least an order of magnitude greater in number than the number of IP addresses used in the real network.

29. A system with radically reduced or eliminated false alarms alarm for protecting a deployed operational real network against a zero day-based worm attack arriving over the Internet, comprising:
- a forward network protection system including a virtual network that is at least a partial instantiation of said real network;
  
  a module within said forward network protection system that upon detection of infected data indicating the presence of a zero day-based worm, outputs threat data and device settings, said module operational to detect unexpected activity in said virtual network for detecting the presence of the zero-day worm attack; and
  
  , a perimeter security device coupled to said threat data and to the Internet to block infected data packets associated with the detected zero-day worm from reaching said real network, whereby said forward network protection system relies on detection of unexpected activity in said virtual network that, because it is an instantiation of the real network, provides reduced or eliminated false alarm zero-day worm protection.
- View Dependent Claims (30, 31, 32)
- - 30. The system of claim 29, wherein said forward network protection system provides a controlled environment for the analysis of data packets from the Internet.
  - 31. The system of claim 30, wherein said controlled environment consists of the monitoring of processes, ports, file system activity, input/output data, account information, memory and processor loading, code branching, signatures, statistics, and other relevant data useful for recognizing malicious activity within said virtual network, the results of which are used to generate said threat data and derive defensive device settings.
  - 32. The system of claim 29, wherein said threat data is taken from the group consisting of attacker IP address, packet size, packet type, payload type, patterns, signature data, activity on compromised system, identified obfuscation techniques, targeted process/service/port, and wherein provided device settings are taken from the group consisting of new rules, settings, tables, signatures and patterns that are used to prevent access to the network from manual or automated attacks leveraging the identified attack vector.

33. A method for protecting a network from a zero-day worm attack, comprising the steps of:
- deploying a forward network protection system including a virtual network that is at least a partial instantiation of the real network and an adjacent monitoring system;
  
  monitoring activity of processes running on the virtual network;
  
  analyzing incoming/outgoing traffic and the state of the virtual network to detect unauthorized activity; and
  
  , responsive to the detection of unauthorized activity, blocking the associated infected packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Original Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Inventors
Syversen, Jason

Application Number

US11/632,669
Publication Number

US 20080098476A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links