LOGICAL / PHYSICAL ADDRESS STATE LIFECYCLE MANAGEMENT

US 20130311676A1
Filed: 09/04/2012
Published: 11/21/2013
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1-6. -6. (canceled)

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.

12 Citations

View as Search Results

26 Claims

1-6. -6. (canceled)

7. A method comprising:
- capturing a data packet from a network;
  
  determining whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  processing the data packet when the data packet is not associated with one of the known threats based on a protocol of the data packet to generate processed information;
  
  comparing the processed information to a set of reconnaissance rules; and
  
  determining that the data packet is associated with a new threat if the processed information violates one of the set of reconnaissance rules.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. A method according to claim 7, further comprising updating the table of addresses to indicate that the address is associated with the new threat when the processed information violates the one of the set of reconnaissance rules.
  - 9. A method according to claim 7, further comprising testing the address to determine that the data packet is associated with the new threat, the address comprising at least one of a source internet protocol (IP) address, a target IP address, or a target physical address when the processed information violates one of the set of reconnaissance rules;
    - andinvoking a defense mechanism against the threat.
  - 10. A method according to claim 9, wherein invoking the defense mechanism comprises sending a reply to the source IP address to represent that a computer is accessible via the target IP address, the reply to entice an attacking computer to continue communication with the target IP address without spreading the new threat to the network.
  - 11. A method according to claim 9, further comprising, when at least one of the source IP address or the target IP address is determined to be associated with the new threat, dropping the data packet when the target physical address is synthetic.
  - 12. A method according to claim 9, further comprising:
    - in response to determining that the target physical address is synthetic, replacing the target physical address in the data packet with a real address of a target device; and
      
      sending the data packet with the real address of the target device.
  - 13. A method according to claim 9, wherein invoking the defense mechanism comprises:
    - when the source IP address is determined to be associated with the new threat, determining whether the source IP address is located within the network;
      
      generating an address control reply packet using a false physical address;
      
      sending the address control reply packet to a default gateway when the source IP address is not located within the network; and
      
      sending the address control reply packet to the source IP address when the source IP address is located within the network.

14. An apparatus comprising:
- a data analyzer to capture a data packet from a network, determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  a data processor to process the data packet when the data packet is not associated with a known threat based on a protocol of the data packet to generate process information;
  
  a rules analyzer to compare the processed information to a set of reconnaissance rules and determine that the data packet is associated with a new threat if the processed information violates one of the set of rules.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. An apparatus according to claim 14, further comprising a table updater to update the table of addresses to indicate that the address is associated with the new threat when the processed information violates the one of the reconnaissance rules.
  - 16. An apparatus according to claim 14, further comprising:
    - a tester to test the address to determine that the packet is associated with the new threat, the address comprising at least one of a source internet protocol (IP) address, a target IP address, or a target physical address; and
      
      a defender to invoke a defense mechanism against the new threat.
  - 17. An apparatus according to claim 16, wherein the defender invokes the defense mechanism by sending a reply to the source IP address to represent that a computer is accessible via the target IP address, the reply to entice an attacking computer to continue communication with the target IP address without spreading the new threat to the network.
  - 18. An apparatus according to claim 16, wherein, when at least one of the source IP address or target IP address is determined to be associated with a threat, the defender is to drop the data packet when the target physical address is synthetic.
  - 19. An apparatus according to claim 16, wherein the defender, in response to determining that the target physical address is synthetic, is to replace the target physical address in the data packet with a real physical address of the target, and is to send the data packet with the real physical address of the target.
  - 20. An apparatus according to claim 16, wherein the defender, in response to determining the source IP address is associated with the new threat, is further to determine whether the source IP address is located within the network, generate an address control reply packet using a false physical address, send the address control reply packet to a default gateway when the source IP address is not located within the network, and send the address control reply packet to the source IP address when the source IP address is located within the network.

21. A storage device or storage disc comprising instructions that, when executed, cause a machine to at least:
- capture a data packet from a network;
  
  determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  process the data packet when the data packet is not associated with a known threat based on a protocol of the data packet to generate processed information;
  
  compare the processed information to a set of reconnaissance rules; and
  
  determine that the data packet is associated with a new threat if the processed information violates one of the set of reconnaissance rules.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A storage device or storage disc according to claim 21, wherein the instructions, when executed, further cause the machine to:
    - update the table of addresses to indicate that the address is associated with the new threat when the processed information violates the one of the set of reconnaissance rules.
  - 23. A storage device or storage disc according to claim 21, wherein the instructions, when executed, further cause the machine to:
    - test the address to determine that the data packet is associated with the new threat, the address comprising at least one of a source internet protocol (IP) address, a target IP address, or a target physical address when the processed information violates one of the set of reconnaissance rules; and
      
      invoke a defense mechanism against the threat.
  - 24. A storage device or storage disc according to claim 23, wherein the instructions, when executed, further cause the machine to:
    - invoke the defense mechanism by sending a reply to the source IP address to represent that a computer is accessible via the target IP address, the reply to entice an attacking computer to continue communication with the target IP address without spreading the threat to the network.
  - 25. A storage device or storage disc according to claim 23, wherein the instructions, when executed, further cause the machine to:
    - in response to determining that the whether the target physical address is synthetic, replace the target physical address with a real physical address of the target in the data packet; and
      
      send the data packet with the real physical address of the target.
  - 26. A storage device or storage disc according to claim 23, wherein, when the source IP address is determined to be associated with a threat, the instructions, when executed, further cause the machine to:
    - determine whether the source IP address is located within the network;
      
      generate an address control reply packet using a false physical address;
      
      send the address control reply packet to a default gateway when the source IP address is not located within the network; and
      
      send the address control reply packet to the source IP address when the source IP address is located within the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Wilkinson, Mark L., Miller, Ronald J., McDaniels, Michael J.

Granted Patent

US 9,667,589 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

H04L 61/10   of different types

H04L 61/103   across network layers, e.g....

H04L 63/1433   Vulnerability analysis

LOGICAL / PHYSICAL ADDRESS STATE LIFECYCLE MANAGEMENT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

LOGICAL / PHYSICAL ADDRESS STATE LIFECYCLE MANAGEMENT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links