NETWORK INTRUSION DIVERSION USING A SOFTWARE DEFINED NETWORK

US 20160080415A1
Filed: 09/08/2015
Published: 03/17/2016
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method of diverting an intruder in a computer network, the method comprising:

receiving an indication that a first connection from a user'"'"'s computer is suspicious, the first connection being between the user'"'"'s computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user'"'"'s computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;

instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;

commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user'"'"'s computer and the virtual switch;

instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;

forwarding, through the virtual switch, a request for a second connection to the host emulator; and

establishing, at the host emulator, the second connection between the user'"'"'s computer and the host emulator, the second connection flowing through the production and virtual switches.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker'"'"'s computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer. If the hacker performs a horizontal scan of the network, additional flows are diverted to other decoy host emulators.

Citations

20 Claims

1. A method of diverting an intruder in a computer network, the method comprising:
- receiving an indication that a first connection from a user'"'"'s computer is suspicious, the first connection being between the user'"'"'s computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user'"'"'s computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
  
  instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
  
  commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user'"'"'s computer and the virtual switch;
  
  instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
  
  forwarding, through the virtual switch, a request for a second connection to the host emulator; and
  
  establishing, at the host emulator, the second connection between the user'"'"'s computer and the host emulator, the second connection flowing through the production and virtual switches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein the receiving, instantiating and initializing, commanding, instructing, forwarding, and establishing occur within a single server.
  - 3. The method of claim 1 wherein the instantiating and initializing of the software-based host emulator is triggered by receiving the indication.
  - 4. The method of claim 1 wherein the instantiating and initializing of the software-based host emulator includes a instantiating and initializing a virtual machine.
  - 5. The method of claim 4 further comprising:
    - identifying an operating system (OS) used by the production host computer; and
      
      configuring the virtual machine to emulate portions of the identified operating system.
  - 6. The method of claim 5 further comprising:
    - ascertaining an enterprise software service provided by the production host computer; and
      
      configuring the virtual machine to emulate portions of the ascertained enterprise software service.
  - 7. The method of claim 1 further comprising:
    - receiving an indication that the user'"'"'s computer is legitimate;
      
      commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port to the production host computer; and
      
      instructing the virtual switch to block packets with the user IP address, the host IP address, and the host port from flowing to the production switch.
  - 8. The method of claim 1 further comprising:
    - ascertaining IP addresses of other host computers on a local area network (LAN) on which the production host computer is connected; and
      
      instantiating and initializing additional software-based host emulators behind the virtual switch, the additional software-based host emulators configured to respond to an ARP requests for IP addresses of the other host computers.
  - 9. The method of claim 8 further comprising:
    - detecting, by a security information and event management (SIEM), a horizontal scan of the other host computers on the LAN;
      
      commanding the physical switch to redirect requests for connections from the user IP address to the virtual switch; and
      
      instructing the virtual switch to allow packets with the user IP address from the additional software-based host emulators to flow to the physical switch.
  - 10. The method of claim 1 further comprising:
    - detecting, by a security information and event management (SIEM), a vertical scan of ports of the host emulator;
      
      commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and other host ports between the user'"'"'s computer and the virtual switch; and
      
      instructing the virtual switch to allow packets with the user IP address, the host IP address, and other host ports to flow to the physical switch.
  - 11. The method of claim 1 further comprising:
    - classifying as suspicious, by a security information and event management (SIEM), at least one interaction in the first connection; and
      
      logging the user IP address to a database based on the classifying.
  - 12. The method of claim 1 wherein the physical switch and the virtual switch are software defined networking (SDN) capable switches.
  - 13. The method of claim 1 wherein the commanding and instructing are implemented using virtual local area network (VLAN) tagging.
  - 14. The method of claim 1 wherein the production computer includes a physical computer.
  - 15. The method of claim 1 wherein the production computer includes a virtual machine.
  - 16. The method of claim 1 further comprising:
    - ascertaining whether the first connection was terminated by the production host computer; and
      
      sending a transmission control protocol (TCP) reset to the user'"'"'s computer based on the ascertaining
  - 17. The method of claim 1 wherein the first connection is a transmission control protocol (TCP) connection or a user datagram protocol (UDP) session.
  - 18. The method of claim 1 further comprising:
    - receiving, at the physical switch, a request for the second connection from the user'"'"'s computer to the production host computer;
      
      redirecting, through the physical switch, the request for the second connection to the virtual switch based on the commanding, the physical switch inhibiting the request for the second connection from proceeding to the production host computer.

19. A non-transitory computer-readable medium with computer executable instructions stored thereon for diverting an intruder in a computer network, instructions comprising:
- receiving an indication that a first connection from a user'"'"'s computer is suspicious, the first connection being between the user'"'"'s computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user'"'"'s computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
  
  instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
  
  commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user'"'"'s computer and the virtual switch;
  
  instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
  
  forwarding, through the virtual switch, a request for a second connection to the host emulator; and
  
  establishing, at the host emulator, the second connection between the user'"'"'s computer and the host emulator, the second connection flowing through the production and virtual switches.

20. A computer system executing instructions in a computer program, the system comprising:
- at least one processor; and
  
  a memory operatively coupled with the at least one processor, the at least one processor executing program code from the memory comprising;
  
  program code for receiving an indication that a first connection from a user'"'"'s computer is suspicious, the first connection being between the user'"'"'s computer and a production host computer through a physical switch, wherein Internet Protocol (IP) packets associated with the first connection have a user IP address associated with the user'"'"'s computer, a host IP address associated with the production host computer, and a host port associated with the production host computer;
  
  program code for instantiating and initializing a software-based host emulator behind a virtual switch, the host emulator configured to respond to an address resolution protocol (ARP) request for the host IP address;
  
  program code for commanding the physical switch to redirect subsequent flows with the user IP address, the host IP address, and the host port between the user'"'"'s computer and the virtual switch;
  
  program code for instructing the virtual switch to allow packets with the user IP address, the host IP address, and the host port to flow to the physical switch;
  
  program code for forwarding, through the virtual switch, a request for a second connection to the host emulator; and
  
  program code for establishing, at the host emulator, the second connection between the user'"'"'s computer and the host emulator, the second connection flowing through the production and virtual switches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Shadow Networks, Inc. (Acalvio Technologies, Inc.)
Inventors
Wu, Johnson L., Hart, Catherine V., Versola, Leo R., Winsborrow, Eric

Granted Patent

US 10,193,924 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1491 using deception as counterm...

NETWORK INTRUSION DIVERSION USING A SOFTWARE DEFINED NETWORK

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INTRUSION DIVERSION USING A SOFTWARE DEFINED NETWORK

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links