METHODS AND APPARATUS FOR REDIRECTING ATTACKS ON A NETWORK

US 20150128246A1
Filed: 11/07/2013
Published: 05/07/2015
Est. Priority Date: 11/07/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an internal network including a plurality of computing devices;

a firewall module connecting the network to an external network, the firewall configured to block a blocked portion of traffic between the internal and external networks;

an inspector module configured to detect the blocked portion and take a predetermined action with respect to the blocked portion.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed for protecting a network against malicious attacks or attempts for unauthorized access. A network is connected to an external network by a number of firewalls. Inspectors detect packets blocked by the firewalls and some or all of the packets are detected to a labyrinth configured to emulated an operational network and response to the packets in order to engage an attacker. Blocked packets may be detected by comparing packets entering and exiting a firewall. Packets for which a corresponding packets are not received within a transit delay may be identified as blocked. Entering and exiting packets may be compared by comparing only header information. A central module may receive information from the inspectors and generate statistical information and generate instructions for the inspectors, such as blacklists of addresses known to be used by attackers.

Citations

20 Claims

1. A system comprising:
- an internal network including a plurality of computing devices;
  
  a firewall module connecting the network to an external network, the firewall configured to block a blocked portion of traffic between the internal and external networks;
  
  an inspector module configured to detect the blocked portion and take a predetermined action with respect to the blocked portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the inspector module is configured to detect the blocked portion by comparing first packets entering the firewall module to second packets leaving the firewall module to identify blocked packets of the first packets.
  - 3. The system of claim 2, wherein the inspector module is configured to compare the first packets to the second packets by:
    - comparing first headers of the first packets to second headers of the second packets without examining payload data of the first and second packets;
      
      determining that a portion of the first headers are not found among the second headers;
      
      identifying as blocked packets at least a portion of those packets of the first packets for which the first headers thereof are determined not to be found among the second headers.
  - 4. The system of claim 3, wherein the inspector module is configured to compare the first headers to the second headers by comparing at least one of source internet protocol (IP) address fields, destination IP address fields, source port fields, and destination port fields of the first and second headers.
  - 5. The system of claim 4, wherein:
    - the firewall module is further configured to perform network address translation (NAT) with respect to addresses of the computing devices in the internal network;
      
      the inspector is further configured to compare only source IP address and source port fields of those of the first and second headers corresponding to traffic from the external network to the internal network;
      
      the inspector is further configured to compare only destination IP address and destination port fields of those of the first and second headers corresponding to traffic from the internal network to the external network.
  - 6. The system of claim 2, wherein the inspector module is configured to compare the first packets to the second packets by:
    - buffering the first packets;
      
      determining that a first portion of the first packets each match one of the second packets;
      
      determining that each first packet of a second portion of the first packets does not match any of the second packets received within a predetermined delay following receipt of the each first packet; and
      
      identifying at least a portion of the second portion of the first packets as the blocked portion in response to the determining that the each first packet of the second portion of the first packets does not match any of the second packets received within the predetermined delay following receipt of the each first packet.
  - 7. The system of claim 6, further comprising a transit delay module configured to determine the predetermined delay by:
    - measuring transit delays between the first packets and the second packets;
      
      identifying a first maximum delay among the transit delays during a first time window; and
      
      using the first maximum delay to set the predetermined delay.
  - 8. The system of claim 7, further comprising:
    - identifying a second maximum delay different from the first maximum delay among the transit delays during a second time window subsequent to the first time window; and
      
      using the second maximum delay to set the predetermined delay subsequent to the second time window.
  - 9. The system of claim 2, wherein the firewall module is one of a plurality of firewall modules and the inspector module is one of a plurality of inspector modules each inspector module of the plurality of inspector modules being associated with a firewall module of the plurality of firewall modules, the system further comprising:
    - a central module, the plurality of inspectors configured to report to the central module regarding at least a part of the blocked portions detected thereby.
  - 10. The system of claim 9, wherein the plurality of inspector modules are further configured to:
    - identify one or more first sessions represented by the blocked packets;
      
      transmit first subsequent packets of the first packets received subsequent to the blocked packets to the central module as the at least the part of the blocked portion without comparing the first subsequent packets to the second packets.
  - 11. The system of claim 10, wherein the plurality of inspector modules are further configured to:
    - identify one or more second sessions represented by non-blocked packets of first packets, the non-blocked packets including packets other than the blocked packets;
      
      refraining from transmitting second subsequent packets of the first packets received subsequent to the non-blocked packets to the central module as the at least the part of the blocked portion without comparing the second subsequent packets to the second packets.
  - 12. The system of claim 9, wherein central module is further configured to:
    - identify an address associated with blocked packets of one or more first firewall modules of the plurality of firewall modules;
      
      determine that one or more second firewall modules did not block first packets corresponding to the address; and
      
      in response to determining that one or more second firewall modules of the plurality of firewall modules did not block first packets corresponding to the address, instructing inspector modules of the plurality of inspector modules associated with the one or more second firewall modules to block first packets corresponding to the address.
  - 13. The system of claim 9, wherein the inspector module is configured to transmit at least part of the blocked portion to a labyrinth module by transmitting the blocked portion to the central module;
    - wherein the central module is configured to identify the at least the part of the blocked portion and transmit the at least the part of the blocked portion to the labyrinth modulewherein the labyrinth module configured to receive the at least the part of the blocked portion and generate a simulated response, the simulated response corresponding to that of an operational network.
  - 14. The system of claim 1, further comprising a labyrinth module configured to receive the at least the part of the blocked portion and generate a simulated response, the simulated response corresponding to that of an operational network;
    - wherein the inspector module is configured to take the predetermined action with respect to the blocked portion by transmitting the at least a part of the blocked portion to the labyrinth module.

15. A system comprising:
- an internal network including a plurality of computing devices;
  
  a plurality of firewall modules each connecting the network to an external network, each firewall configured to block a blocked portion of traffic between the internal and external networks;
  
  a central module; and
  
  a plurality of inspector modules configured to detect the blocked portion and transmit at least part of the blocked portion to the central module;
  
  wherein the central module is configured to—
  
  receive the at least the parts of the blocked portions from the plurality of inspector modules;
  
  analyze the at least the parts of the blocked portions; and
  
  perform a predetermined action based on the analyzing of the at least the parts of the blocked portions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising a labyrinth module configured to receive the at least the parts of the blocked portions and generate simulated responses, the simulated responses corresponding to those of an operational network;
    - wherein the central module is configured to perform the predetermined action by transmitting the at least the parts of the blocked portions to the labyrinth.
  - 17. The system of claim 15, wherein the central module is further configured to transmit a whitelist and a blacklist to the plurality of inspector modules;
    - wherein the plurality of inspector modules are configured to refrain from detecting as included in the blocked portion traffic corresponding to the whitelist;
      
      wherein the plurality of inspector modules are configured to identify as part of the blocked portion traffic corresponding to the blacklist regardless of whether the traffic corresponding to the blacklist is actually blocked by the plurality of firewall modules.
  - 18. The system of claim 15, wherein central module is further configured to:
    - identify an address associated with blocked packets of one or more first firewall modules of the plurality of firewall modules;
      
      determine that one or more second firewalls of the plurality of firewalls did not block first packets corresponding to the address; and
      
      in response to determining that one or more second firewall modules of the plurality of firewall modules did not block first packets corresponding to the address, instructing inspector modules of the plurality of inspector modules associated with the one or more second firewall modules to block first packets corresponding to the address.
  - 19. The system of claim 15, wherein the central module is configured to perform the predetermined action by determining statistics based on the at least the parts of the blocked portions.
  - 20. The system of claim 15, wherein the plurality of inspector modules are each configured to detect the blocked portion by comparing first packets entering the firewall module to second packets leaving the firewall module to identify blocked packets of the first packets;
    - andwherein the plurality of inspector modules are each configured to compare the first packets to the second packets by;
      
      comparing first headers of the first packets to second headers of the second packets without examining payload data of the first and second packets;
      
      determining that a portion of the first headers are not found among the second headers;
      
      identifying as blocked packets at least a portion of those packets of the first packets for which the first headers thereof are determined not to be found among the second headers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Young, Albert, Murthy, Mano, Mahesh, Harihara, Feghali, Marc, Wakerly, John F., Shrivastava, Atul

Granted Patent

US 9,407,602 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

METHODS AND APPARATUS FOR REDIRECTING ATTACKS ON A NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR REDIRECTING ATTACKS ON A NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links