REVIVAL AND REDIRECTION OF BLOCKED CONNECTIONS FOR INTENTION INSPECTION IN COMPUTER NETWORKS

US 20150058983A1
Filed: 04/27/2014
Published: 02/26/2015
Est. Priority Date: 08/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method for network security, comprising:

monitoring traffic exchanged over a computer network;

identifying in the monitored traffic a failed attempt by an initiating computer to communicate with a target computer;

reviving the identified failed attempt by establishing an investigation connection with the initiating computer while impersonating the target computer; and

verifying whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.

90 Citations

View as Search Results

28 Claims

1. A method for network security, comprising:
- monitoring traffic exchanged over a computer network;
  
  identifying in the monitored traffic a failed attempt by an initiating computer to communicate with a target computer;
  
  reviving the identified failed attempt by establishing an investigation connection with the initiating computer while impersonating the target computer; and
  
  verifying whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has been blocked by a security system.
  - 3. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has failed for attempting to access a nonexistent destination.
  - 4. The method according to claim 1, wherein reviving the identified failed attempt comprises detecting a packet that is sent to the initiating computer and declines the attempt, and preventing the detected packet from reaching the initiating computer.
  - 5. The method according to claim 1, wherein reviving the identified failed attempt comprises redirecting the revived attempt to an investigation module that establishes the investigation connection and impersonates the target computer.
  - 6. The method according to claim 1, wherein identifying the failed attempt comprises detecting that no reply was sent in response to the attempt within a predefined time period.
  - 7. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has been retried.
  - 8. The method according to claim 1, wherein identifying the failed attempt comprises detecting that a connection-reset or port-unreachable message has been sent in response to the attempt.
  - 9. The method according to claim 1, wherein identifying the failed attempt comprises detecting an unanswered Address Resolution Protocol (ARP) request by the initiating computer.
  - 10. The method according to claim 9, wherein reviving the identified failed attempt comprises replying to the ARP request with an address of an investigation unit that carries out the investigation connection.
  - 11. The method according to claim 1, wherein identifying the failed attempt comprises receiving a notification of the failed attempt from a security or management system of the computer network.
  - 12. The method according to claim 1, wherein identifying the failed attempt comprises predicting that the attempt will fail before actual failure of the attempt.
  - 13. The method according to claim 1, wherein reviving the identified failed attempt comprises sending to the initiating computer a positive reply that appears to originate from the target computer.

14. A system for network security, comprising:
- one or more interfaces, which are configured to connect to a computer network; and
  
  one or more processors, which are configured to monitor traffic exchanged over the computer network, to identify in the monitored traffic a failed attempt by an initiating computer to communicate with a target computer, to revive the identified failed attempt by establishing an investigation connection with the initiating computer while impersonating the target computer, and to verify whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 15. The system according to claim 14, wherein the processors comprise one or more Detection and Redirection Modules (DRMs) and an Investigation module (IVG), wherein the DRMs are configured to monitor the traffic, to identify the failed attempt, to revive the failed attempt and to redirect the revived attempt to the IVG, and wherein the IVG is configured to establish the investigation connection with the initiating computer, and to verify whether the failed attempt was malicious or innocent.
  - 16. The system according to claim 15, wherein the one or more DRMs comprise a plurality of DRMs that are coupled to respective switches of the computer network.
  - 17. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting that the attempt has been blocked by a security system.
  - 18. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting that the attempt has failed for attempting to access a nonexistent destination.
  - 19. The system according to claim 14, wherein the processors are configured to revive the identified failed attempt by detecting a packet that is sent to the initiating computer and declines the attempt, and preventing the detected packet from reaching the initiating computer.
  - 20. The system according to claim 14, wherein the processors are configured to redirect the revived attempt to an investigation module that establishes the investigation connection and impersonates the target computer.
  - 21. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting that no reply was sent in response to the attempt within a predefined time period.
  - 22. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting that the attempt has been retried.
  - 23. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting that a connection-reset or port-unreachable message has been sent in response to the attempt.
  - 24. The system according to claim 14, wherein the processors are configured to identify the failed attempt by detecting an unanswered Address Resolution Protocol (ARP) request by the initiating computer.
  - 25. The system according to claim 24, wherein the processors are configured to revive the identified failed attempt by replying to the ARP request with an address of an investigation unit that carries out the investigation connection.
  - 26. The system according to claim 14, wherein the processors are configured to identify the failed attempt by receiving a notification of the failed attempt from a security or management system of the computer network.
  - 27. The system according to claim 14, wherein the processors are configured to predict that the attempt will fail before actual failure of the attempt.
  - 28. The system according to claim 14, wherein the processors are configured to revive the identified failed attempt by sending to the initiating computer a positive reply that appears to originate from the target computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
GuardiCore Ltd. (Akamai Technologies, Inc.)
Inventors
Zeitlin, Ariel, Gurvich, Pavel

Granted Patent

US 9,491,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

REVIVAL AND REDIRECTION OF BLOCKED CONNECTIONS FOR INTENTION INSPECTION IN COMPUTER NETWORKS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

REVIVAL AND REDIRECTION OF BLOCKED CONNECTIONS FOR INTENTION INSPECTION IN COMPUTER NETWORKS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links