NETWORK INTRUSION DIVERSION USING A SOFTWARE DEFINED NETWORK
First Claim
1. A method of diverting an intruder in a computer network, the method comprising:
- receiving an indication that a first connection from a user's computer is suspicious, the first connection being between the user's computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user's computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
- instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
- commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user's computer and the virtual switch;
- instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
- forwarding, through the virtual switch, a request for a second connection to the host emulator; and
- establishing, at the host emulator, the second connection between the user's computer and the host emulator, the second connection flowing through the production and virtual switches.
Abstract
Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker's computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer. If the hacker performs a horizontal scan of the network, additional flows are diverted to other decoy host emulators.
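The control-plane logic that the abstract and claim 1 describe, written up as an added Python model; this is not the patent's own code, and the class names, IP addresses and port numbers are assumptions. It shows the two gates that keep the duplicate-IP decoy from colliding with the production host: the physical switch redirects only the matching (user IP, host IP, host port) flow, and the virtual switch releases decoy packets only for flows that have been opened.

```python
# Added example (not the patent's code): a minimal model of the SDN control
# logic. Flow and DiversionController are assumed names; addresses are made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    user_ip: str    # the suspicious user's computer
    host_ip: str    # production host; the decoy shares this exact IP
    host_port: int  # production host port (TCP connection or UDP session)


@dataclass
class DiversionController:
    # physical switch rules: flows to redirect into the virtual switch
    redirected: set = field(default_factory=set)
    # virtual switch rules: decoy flows allowed out toward the physical switch
    allowed_out: set = field(default_factory=set)
    decoys: dict = field(default_factory=dict)  # host_ip -> emulator name

    def divert(self, flow: Flow) -> str:
        """React to an indication that `flow` is suspicious (claim 1 steps)."""
        # 1. instantiate a host emulator behind the virtual switch; it answers
        #    ARP for host_ip, so it carries the production host's own address
        decoy = self.decoys.setdefault(flow.host_ip, f"decoy-{flow.host_ip}")
        # 2. physical switch: redirect only this (user, host, port) flow
        self.redirected.add(flow)
        # 3. virtual switch: open only this flow for the decoy's replies
        self.allowed_out.add(flow)
        return decoy

    def forward_inbound(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """Where the physical switch sends a user's packet toward a host."""
        if Flow(src_ip, dst_ip, dst_port) in self.redirected:
            return self.decoys[dst_ip]      # via the virtual switch to the decoy
        return f"production-{dst_ip}"       # everyone else reaches the real host

    def egress_allowed(self, decoy_ip: str, decoy_port: int, dst_ip: str) -> bool:
        """Virtual switch gate: a decoy packet (src decoy_ip:decoy_port, dst
        dst_ip) leaves the virtual network only on an opened flow, so the
        duplicate IP never collides with the production host's traffic."""
        return Flow(dst_ip, decoy_ip, decoy_port) in self.allowed_out


if __name__ == "__main__":
    ctl = DiversionController()
    ctl.divert(Flow("10.0.0.5", "10.0.1.20", 22))        # constructed sample flow
    print(ctl.forward_inbound("10.0.0.5", "10.0.1.20", 22))   # decoy-10.0.1.20
    print(ctl.forward_inbound("10.0.0.9", "10.0.1.20", 22))   # production-10.0.1.20
```

A horizontal scan by the same user to a second host IP is handled by calling `divert` again with the new host IP, which instantiates a second decoy while leaving all other users' flows on the production path.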
20 Claims
1. A method of diverting an intruder in a computer network (independent claim; full text as given under First Claim above). Dependent claims 2 through 18 depend from claim 1.
19. A non-transitory computer-readable medium with computer executable instructions stored thereon for diverting an intruder in a computer network, instructions comprising:
- receiving an indication that a first connection from a user's computer is suspicious, the first connection being between the user's computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user's computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
- instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
- commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user's computer and the virtual switch;
- instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
- forwarding, through the virtual switch, a request for a second connection to the host emulator; and
- establishing, at the host emulator, the second connection between the user's computer and the host emulator, the second connection flowing through the production and virtual switches.
20. A computer system executing instructions in a computer program, the system comprising:
- at least one processor; and
- a memory operatively coupled with the at least one processor, the at least one processor executing program code from the memory comprising:
- program code for receiving an indication that a first connection from a user's computer is suspicious, the first connection being between the user's computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user's computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
- program code for instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
- program code for commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user's computer and the virtual switch;
- program code for instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
- program code for forwarding, through the virtual switch, a request for a second connection to the host emulator; and
- program code for establishing, at the host emulator, the second connection between the user's computer and the host emulator, the second connection flowing through the production and virtual switches.
Specification