Methods and Systems for Network Attack Detection and Prevention Through Redirection

US 20110154494A1
Filed: 03/03/2011
Published: 06/23/2011
Est. Priority Date: 04/16/2003
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method of detecting unauthorized access attempts to a network, comprising:

provisioning a block of addresses;

determining a current used address of the block of addresses;

changing the current used address to a new used address of the block of addresses;

changing the current used address of the block of addresses into an unused address in a group of unused addresses; and

detecting an unauthorized attempt to access the network when an attempted address corresponds with any address of the group of unused addresses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.

Citations

21 Claims

1. A processor-implemented method of detecting unauthorized access attempts to a network, comprising:
- provisioning a block of addresses;
  
  determining a current used address of the block of addresses;
  
  changing the current used address to a new used address of the block of addresses;
  
  changing the current used address of the block of addresses into an unused address in a group of unused addresses; and
  
  detecting an unauthorized attempt to access the network when an attempted address corresponds with any address of the group of unused addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16)
- - 2. The method according to claim 1, further comprises:
    - determining a time period for changing the current used address of the block of addresses; and
      
      changing the current used address to a new address at the determined time period.
  - 3. The method according to claim 2, wherein determining the time period comprises using a pre-selected time period.
  - 4. The method according to claim 2, wherein determining the time period comprises generating a random time period.
  - 5. The method according to claim 1, wherein changing said current used address of the block of addresses comprises randomly choosing the new address from the block of addresses.
  - 6. The method according to claim 1, wherein detecting comprises tracing a user when said attempted address corresponds to said group of unused addresses.
  - 7. The method according to claim 6, comprising blocking additional unauthorized attempts when said attempted address corresponds to said group of unused addresses.
  - 8. The method according to claim 6, wherein the unused addresses correspond to attack detectors.
  - 9. The method according to claim 1 wherein changing the current used address comprises coordinating changes in a name-to-address database and a host identity-to-address database.
  - 10. The method according to claim 1, wherein the current used address is user specific.
  - 11. The method according to claim 1, wherein the group of unused addresses is user specific.
  - 12. The method according to claim 1, wherein provisioning the block of addresses comprises selecting a range of addresses according to an attack prevention effectiveness level.
  - 14. The non-transitory computer-readable medium of claim 1, further comprising instructions for controlling the processor to:
    - determine a time period for changing the unused address of the block of addresses; and
      
      change the current used address to a new address at the determined time period.
  - 15. The non-transitory computer-readable medium of claim 14, comprising instructions for controlling the processor to determine the time period by using a pre-selected time period.
  - 16. The non-transitory computer-readable medium of claim 14, comprising instructions for controlling the processor to determine the time period by generating a random time period.

13. A non-transitory computer-readable medium containing instructions for controlling a processor to detect unauthorized access attempts to a network, by:
- provisioning a block of addresses;
  
  determining a current used address of the block of addresses;
  
  changing the current used address to a new used address of the block of addresses;
  
  changing the current used address of the block of addresses into an unused address in a group of unused addresses; and
  
  detecting an unauthorized attempt to access the network when an attempted address corresponds with any address of the group of unused addresses.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 13, further comprising instructions for controlling the processor to change said used address of the block of addresses by randomly choosing the new address from the block of addresses.
  - 18. The non-transitory computer-readable medium of claim 13, further comprising instructions for controlling the processor to detect said unauthorized attempt by tracing a user when said attempted address corresponds to said group of unused addresses.
  - 19. The non-transitory computer-readable medium of claim 18, further comprising instructions for controlling the processor to detect said unauthorized attempt by blocking additional unauthorized attempts when said attempted address corresponds to said group of unused addresses.
  - 20. The non-transitory computer-readable medium of claim 13, further comprising instructions for controlling the processor to change said used address by coordinating changes in a name-to-address database and a host identity-to-address database.

21. A system for detecting unauthorized access attempts to a network, comprising:
- a memory;
  
  a processor disposed in communication with said memory, and configured to issue a plurality of processing instructions stored in the memory, wherein the processor issues instructions to;
  
  provision a block of addresses;
  
  determine a current used address of the block of addresses;
  
  change the current used address to a new used address of the block of addresses;
  
  change the current used address of the block of addresses into an unused address in a group of unused addresses; and
  
  detect an unauthorized attempt to access the network when an attempted address corresponds with any address of the group of unused addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon BBN Technologies Corp. (Rtx Corporation), Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Milliken, Walter C., Sundaram, Ravi

Granted Patent

US 8,719,937 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 61/45   Network directories; Name-t...

H04L 61/4505   using standardised director...

H04L 61/50   Address allocation

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

H04L 63/16   Implementing security featu...

Methods and Systems for Network Attack Detection and Prevention Through Redirection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Systems for Network Attack Detection and Prevention Through Redirection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links