System and method for providing a network host decoy using a pseudo network protocol stack implementation

US 6,687,833 B1
Filed: 09/24/1999
Issued: 02/03/2004
Est. Priority Date: 09/24/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack, wherein the network protocol stack comprises an Internet Protocol (IP) layer, comprising:

a hierarchical network protocol stack comprising a plurality of communicatively interfaced protocol layers, each protocol layer performing a set of defined functions on data segments exchanged therebetween;

an input buffer receiving a request frame originating from a remote host, the request frame comprising a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack, further comprising;

the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and

a pseudo IP layer modifying a checksum field in a header of the IP datagram and including the modified checksum field in a reply IP datagram formed as a pseudo data segments; and

a packet formatter, comprising;

each protocol layer demultiplexing each encapsulated data segment in the request frame by processing a header associated with the encapsulated data segment, performing any requested network service and forwarding any recursively encapsulated portion to the next successive protocol layer;

a plurality of pseudo protocol layers corresponding to each of the protocol layers in the network protocol stack, each pseudo protocol layer forming a pseudo data segment comprising a header and data portion with the header including network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host and recursively encapsulating each of the pseudo data segments within a response frame and inserting into the response frame a network address for the pseudo host different than the network address for the virtual host; and

an output buffer sending the response frame to the remote host.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack are described. A hierarchical network protocol stack is functionally defined and includes a plurality of communicatively interfaced protocol layers. A request frame originating from a remote host is received. The request frame includes a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack. At each protocol layer, processing a header associated with the encapsulated data segment demultiplexs each encapsulated data segment in the request frame. Any requested network service is performed and any recursively encapsulated portion is forwarded to the next successive protocol layer. A plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack is formed. Each pseudo data segment includes a header and data portion. The header includes network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host. Each of the pseudo data segments within a response frame is recursively encapsulated. A network address for the pseudo host different than the network address for the virtual host is inserted into the response frame. The response frame is sent to the remote host.

Citations

33 Claims

1. A system for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack, wherein the network protocol stack comprises an Internet Protocol (IP) layer, comprising:
- a hierarchical network protocol stack comprising a plurality of communicatively interfaced protocol layers, each protocol layer performing a set of defined functions on data segments exchanged therebetween;
  
  an input buffer receiving a request frame originating from a remote host, the request frame comprising a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack, further comprising;
  
  the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo IP layer modifying a checksum field in a header of the IP datagram and including the modified checksum field in a reply IP datagram formed as a pseudo data segments; and
  
  a packet formatter, comprising;
  
  each protocol layer demultiplexing each encapsulated data segment in the request frame by processing a header associated with the encapsulated data segment, performing any requested network service and forwarding any recursively encapsulated portion to the next successive protocol layer;
  
  a plurality of pseudo protocol layers corresponding to each of the protocol layers in the network protocol stack, each pseudo protocol layer forming a pseudo data segment comprising a header and data portion with the header including network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host and recursively encapsulating each of the pseudo data segments within a response frame and inserting into the response frame a network address for the pseudo host different than the network address for the virtual host; and
  
  an output buffer sending the response frame to the remote host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A system according to claim 1, wherein the network protocol stack comprises an Internet Protocol (IP) layer and an Internet Control Message Protocol (ICMP) layer, further comprising:
3. A system according to claim 1, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo IP layer forming an IP datagram as a pseudo data segment in response to the IP datagram being invalid.
4. A system according to claim 1, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo IP layer modifying an options field in a header of the IP datagram and including the modified options field in a reply IP datagram formed as a pseudo data segment.
5. A system according to claim 1, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo IP layer modifying at least one of a header length field and a total length field in a header of the IP datagram and including the modified header length field and total length field in a reply IP datagram formed as a pseudo data segment.
6. A system according to claim 1, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- the IP layer interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo IP layer modifying a type of service field in a header for each of a series of packet fragments collectively comprising the IP datagram and including the modified type of service field in a reply IP datagram formed as a series of pseudo data segments, each corresponding to one of the packet fragments.
7. A system according to claim 1, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- the TCP layer interpreting a TCP segment encapsulated as a data segment within the request frame; and
  
  an pseudo TCP layer modifying at least one of a source port number field and a destination port number field in a header of the TCP segment and including the modified at least one of a source port number field and a destination port number field in a reply TCP segment formed as a pseudo data segment.
8. A system according to claim 1, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- the TCP layer interpreting a TCP segment encapsulated as a data segment within the request frame; and
  
  a pseudo TCP layer modifying an options field in a header of the TCP segment and including the modified options field in a reply TCP segment formed as a pseudo data segment.
9. A system according to claim 1, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- the TCP layer interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  a pseudo TCP layer modifying a flags field in a header of the TCP segment and including the modified flags field in a synchronize TCP segment formed as a pseudo data segment;
  
  the TCP layer interpreting a second TCP segment encapsulated as a data segment within a subsequent request frame; and
  
  the pseudo TCP layer modifying a flags field in a header of the second TCP segment and including the modified flags field in an acknowledgement TCP segment formed as a pseudo data segment.
10. A system according to claim 1, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- the TCP layer interpreting a TCP segment encapsulated as a data segment within the request frame; and
  
  a pseudo TCP layer modifying at least one field in a header of the TCP segment selected from the group consisting of a sequence number field, an acknowledgement number field, a reserved field, and a window size field and including the modified at least one field in a reply TCP segment formed as a pseudo data segment.
11. A system according to claim 1, wherein the network protocol stack comprises a User Datagram Protocol (UDP) layer, further comprising:
- the UDP layer interpreting a UDP datagram encapsulated as a data segment within the request frame; and
  
  a pseudo UDP layer modifying at least one of a source port number field and a destination port number field in a header of the UDP datagram and including the modified at least one of a source port number field and a destination port number field in a reply UDP datagram formed as a pseudo data segment.

12. A method for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack, wherein the network protocol stack comprises an Internet Protocol (IP) layer, comprising:
- functionally defining a hierarchical network protocol stack comprising a plurality of communicatively interfaced protocol layers;
  
  receiving a request frame originating from a remote host the request frame comprising a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack, further comprising;
  
  interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying a checksum field in a header of the IP datagram; and
  
  including the modified checksum field in a reply IP datagram formed as a pseudo data segment; and
  
  demultiplexing, at each protocol layer, each encapsulated data segment in the request frame by processing a header associated with the encapsulated data segment, performing any requested network service and forwarding any recursively encapsulated portion to the next successive protocol layer;
  
  forming a plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack, each pseudo data segment comprising a header and data portion with the header including network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host;
  
  recursively encapsulating each of the pseudo data segments within a response frame and inserting into the response frame a network address for the pseudo host different than the network address for the virtual host; and
  
  sending the response frame to the remote host.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. A method according to claim 12, wherein the network protocol stack comprises an Internet Protocol (IP) layer and an Internet Control Message Protocol (ICMP) layer, further comprising:
14. A method according to claim 12, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  forming an IP datagram as a pseudo data segment in response to the IP datagram being invalid.
15. A method according to claim 12, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying an options field in a header of the IP datagram; and
  
  including the modified options field in a reply IP datagram formed as a pseudo data segment.
16. A method according to claim 12, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying at least one of a header length field and a total length field in a header of the IP datagram; and
  
  including the modified header length field and total length field in a reply IP datagram formed as a pseudo data segment.
17. A method according to claim 12, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying a type of service field in a header for each of a series of packet fragments collectively comprising the IP datagram; and
  
  including the modified type of service field in a reply IP datagram formed as a series of pseudo data segments, each corresponding to one of the packet fragments.
18. A method according to claim 12, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying at least one of a source port number field and a destination port number field in a header of the TCP segment; and
  
  including the modified at least one of a source port number field and a destination port number field in a reply TCP segment formed as a pseudo data segment.
19. A method according to claim 12, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying an options field in a header of the TCP segment; and
  
  including the modified options field in a reply TCP segment formed as a pseudo data segment.
20. A method according to claim 12, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying a flags field in a header of the TCP segment;
  
  including the modified flags field in a synchronize TCP segment formed as a pseudo data segment;
  
  interpreting a second TCP segment encapsulated as a data segment within a subsequent request frame;
  
  modifying a flags field in a header of the second TCP segment; and
  
  including the modified flags field in an acknowledgement TCP segment formed as a pseudo data segment.
21. A method according to claim 12, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying at least one field in a header of the TCP segment selected from the group consisting of a sequence number field, an acknowledgement number field, a reserved field, and a window size field; and
  
  including the modified at least one field in a reply TCP segment formed as a pseudo data segment.
22. A method according to claim 12, wherein the network protocol stack comprises a User Datagram Protocol (UDP) layer, further comprising:
- interpreting a UDP datagram encapsulated as a data segment within the request frame;
  
  modifying at least one of a source port number field and a destination port number field in a header of the UDP datagram; and
  
  including the modified at least one of a source port number field and a destination port number field in a reply UDP datagram formed as a pseudo data segment.

23. A computer-readable storage medium holding code for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack, wherein the network protocol stack comprises an Internet Protocol (IP) layer, comprising:
- functionally defining a hierarchical network protocol stack comprising a plurality of communicatively interfaced protocol layers;
  
  receiving a request frame originating from a remote host, the request frame comprising a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack, further comprising;
  
  interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying a checksum field in a header of the IP datagram; and
  
  including the modified checksum field in a reply IP datagram formed as a pseudo data segment; and
  
  demultiplexing, at each protocol layer, each encapsulated data segment in the request frame by processing a header associated with the encapsulated data segment, performing any requested network service and forwarding any recursively encapsulated portion to the next successive protocol layer;
  
  forming a plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack, each pseudo data segment comprising a header and data portion with the header including network protocol stack characteristics for a pseudo host different than the network protocol stack characteristics for the virtual host;
  
  recursively encapsulating each of the pseudo data segments within a response frame and inserting into the response frame a network address for the pseudo host different than the network address for the virtual host; and
  
  sending the response frame to the remote host.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. A storage medium according to claim 23, wherein the network protocol stack comprises an Internet Protocol (IP) layer and an Internet Control Message Protocol (ICMP) layer, further comprising:
25. A storage medium according to claim 23, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame; and
  
  forming an IP datagram as a pseudo data segment in response to the IP datagram being invalid.
26. A storage medium according to claim 23, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying an options field in a header of the IP datagram; and
  
  including the modified options field in a reply IP datagram formed as a pseudo data segment.
27. A storage medium according to claim 23, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying at least one of a header length field and a total length field in a header of the IP datagram; and
  
  including the modified header length field and total length field in a reply IP datagram formed as a pseudo data segment.
28. A storage medium according to claim 23, wherein the network protocol stack comprises an Internet Protocol (IP) layer, further comprising:
- interpreting an IP datagram encapsulated as a data segment within the request frame;
  
  modifying a type of service field in a header for each of a series of packet fragments collectively comprising the IP datagram; and
  
  including the modified type of service field in a reply IP datagram formed as a series of pseudo data segments, each corresponding to one of the packet fragments.
29. A storage medium according to claim 23, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying at least one of a source port number field and a destination port number field in a header of the TCP segment; and
  
  including the modified at least one of a source port number field and a destination port number field in a reply TCP segment formed as a pseudo data segment.
30. A storage medium according to claim 23, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying an options field in a header of the TCP segment; and
  
  including the modified options field in a reply TCP segment formed as a pseudo data segment.
31. A storage medium according to claim 23, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying a flags field in a header of the TCP segment;
  
  including the modified flags field in a synchronize TCP segment formed as a pseudo data segment;
  
  interpreting a second TCP segment encapsulated as a data segment within a subsequent request frame;
  
  modifying a flags field in a header of the second TCP segment; and
  
  including the modified flags field in an acknowledgement TCP segment formed as a pseudo data segment.
32. A storage medium according to claim 23, wherein the network protocol stack comprises a Transmission Control Protocol (TCP) layer, further comprising:
- interpreting a TCP segment encapsulated as a data segment within the request frame;
  
  modifying at least one field in a header of the TCP segment selected from the group consisting of a sequence number field, an acknowledgement number field, a reserved field, and a window size field; and
  
  including the modified at least one field in a reply TCP segment formed as a pseudo data segment.
33. A storage medium according to claim 23, wherein the network protocol stack comprises a User Datagram Protocol (UDP) layer, further comprising:
- interpreting a UDP datagram encapsulated as a data segment within the request frame;
  
  modifying at least one of a source port number field and a destination port number field in a header of the UDP datagram; and
  
  including the modified at least one of a source port number field and a destination port number field in a reply UDP datagram formed as a pseudo data segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates, Inc. (McAfee, LLC)
Inventors
Leidl, Bruce Robert, Villa, Andrea Emilio, Osborne, Anthony Charles, Eschelbeck, Gerhard
Primary Examiner(s)
Darrow, Justin T.
Assistant Examiner(s)
Zand, Kambiz

Application Number

US09/405,652
Time in Patent Office

1,593 Days
Field of Search

713/152, 713/154, 713/166, 713/151, 713/201, 380/256
US Class Current

726/23
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

System and method for providing a network host decoy using a pseudo network protocol stack implementation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing a network host decoy using a pseudo network protocol stack implementation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links