NETWORK ATTACK DETECTION AND PREVENTION BASED ON EMULATION OF SERVER RESPONSE AND VIRTUAL SERVER CLONING

US 20140101724A1
Filed: 10/10/2012
Published: 04/10/2014
Est. Priority Date: 10/10/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

in a computer network, receiving a service request directed to an unauthorized access point; and

providing a decoy response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network attacks can be evaluated to determine typical responses provided by networks configured to provide services. Typically, service requests directed to a selected address are associated with data or a data streams responsive to requests to selected addresses. These responses are used to define scripts that can be executed by decoy nodes responsive to service requests at the selected addresses. Receipt of a request for services at an unused IP address and port number can trigger playback of the associated script, typically as a data stream mimicking that produced by an operational network.

Citations

25 Claims

1. A method, comprising:
- in a computer network, receiving a service request directed to an unauthorized access point; and
  
  providing a decoy response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the unauthorized access point is associated with an IP address and a particular TCP port, and the decoy response is based on the particular TCP port.
  - 3. The method of claim 1, wherein the decoy response is provided as a predetermined data stream.
  - 4. The method of claim 3, wherein the decoy response is selected based on a data stream associated with the service request.
  - 5. The method of claim 4, wherein the decoy response is selected based on a number of bytes in the data stream associated with the service request.
  - 6. The method of claim 1, further comprising providing decoy responses to service requests directed to a plurality of unauthorized access points, wherein the decoy responses are selected based on the associated service requests.
  - 7. The method of claim 6, wherein the decoy responses are selected based on the data streams associated with the service requests.
  - 8. The method of claim 7, wherein the decoy responses are selected based on TCP/IP port numbers associated with the service requests.

9. A computing device, comprising a processor configured to implement a plurality of decoy nodes based on computer executable instructions stored in a computer storage device, wherein each of the decoy nodes is associated with a response script based on a decoy node address.
- View Dependent Claims (10, 11, 12)
- - 10. The computing device of claim 9, wherein the decoy node addresses are IP addresses and port numbers.
  - 11. The computing device of claim 10, wherein at least one of a number of nodes in the plurality of nodes or the addresses associated with the nodes is varied.
  - 12. The computing device of claim 10, wherein the number of nodes is varied based on a number of received unauthorized requests.

13. A method, comprising:
- establishing a data sequence associated with a response to a request for services; and
  
  defining a response script based on the established data sequence.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, further comprising establishing data sequences associated with a plurality of requests for services, and defining a corresponding plurality of response scripts.
  - 15. The method of claim 14, wherein the response scripts are defined based in part on TCP/IP port numbers to which the requests for services are directed.
  - 16. The method of claim 15, further comprising stored the response scripts in a computer-readable medium.
  - 17. The method of claim 13, further comprising scanning a plurality of network nodes with requests for services, and recording network node responses, wherein the response scripts are based on the data sequences in the network node responses.
  - 18. The method of claim 17, wherein the response scripts are defined as respective series of bytes associated with the network node responses.
  - 19. At least one computer readable device, comprising computer-executable instructions for the method of claim 13.

20. A computing system, comprising at least one computing device configured to execute computer readable instructions to:
- determine a data sequence associated with a request for services directed to a selected network address; and
  
  based on the determined data sequence, define a decoy script responsive to corresponding requests for service.
- View Dependent Claims (21, 22, 23)
- - 21. The computing system of claim 20, wherein the selected network address comprises an IP address and a port number.
  - 22. The computing system of claim 21, wherein the computer-executable instructions further comprise defining a plurality of decoy scripts for the selected network address.
  - 23. The computing system of claim 20, further comprising computer executable instructions to establish a communications log that includes data streams associated with a plurality of requests for services and associated data streams responsive to the requests for services, wherein the determined data sequence is based on at least one of the associated data streams.

24. A computing device, configured to execute computer executable instructions to:
- scan at least a plurality of network nodes and record scan responses;
  
  associate a plurality of response data streams with scan requests directed to corresponding nodes;
  
  based on the response data streams, define decoy responses associated with corresponding nodes; and
  
  activate decoy nodes configured to provide corresponding decoy responses.
- View Dependent Claims (25)
- - 25. The computing device of claim 24, wherein at least one of the decoy responses includes an operating system specific response portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Galois, Inc.
Original Assignee
Galois, Inc.
Inventors
Wick, Adam, Elliott, Trevor

Application Number

US13/648,868
Publication Number

US 20140101724A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/30 Authentication, i.e. establ...

H04L 63/1491 using deception as counterm...

NETWORK ATTACK DETECTION AND PREVENTION BASED ON EMULATION OF SERVER RESPONSE AND VIRTUAL SERVER CLONING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK ATTACK DETECTION AND PREVENTION BASED ON EMULATION OF SERVER RESPONSE AND VIRTUAL SERVER CLONING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links