System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking

US 8,528,092 B2
Filed: 03/08/2012
Issued: 09/03/2013
Est. Priority Date: 10/17/2007
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:

identifying, by a network device, unwanted activity associated with an access request from a source device, the network device in communication with the source device via a virtual local area network (VLAN) of a local area network (LAN), wherein the unwanted activity is associated with one or more packets from the source device including a time to live (TTL) value indicating that the unwanted activity is only capable of being directly communicated from the source device to a single destination device within the LAN;

identifying the source device associated with the unwanted activity; and

isolating the source device from the LAN in response to the source device being associated with the unwanted activity.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for identifying unwanted activity utilizing a honeypot accessible via virtual local area network (VLAN) trunking. In use, a honeypot device is allowed to be accessed via VLAN trunking. Furthermore, unwanted data is identified, utilizing the honeypot device.

19 Citations

20 Claims

1. A computer program product embodied on a non-transitory computer readable medium for performing operations, comprising:
- identifying, by a network device, unwanted activity associated with an access request from a source device, the network device in communication with the source device via a virtual local area network (VLAN) of a local area network (LAN), wherein the unwanted activity is associated with one or more packets from the source device including a time to live (TTL) value indicating that the unwanted activity is only capable of being directly communicated from the source device to a single destination device within the LAN;
  
  identifying the source device associated with the unwanted activity; and
  
  isolating the source device from the LAN in response to the source device being associated with the unwanted activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer program product of claim 1, wherein the one or more packets include a time to live (TTL) value of one.
  - 3. The computer program product of claim 1, wherein isolating the source from the LAN includes preventing communication with the source device via the LAN.
  - 4. The computer program product of claim 3, wherein preventing communication with the source device via the LAN includes dropping frames communicated to or from the source device.
  - 5. The computer program product of claim 1, wherein the network device is configured to emulate a network entity vulnerable to the unwanted activity.
  - 6. The computer program product of claim 5, wherein the network entity includes at least one of a resource, a service, a system, and a database.
  - 7. The computer program product of claim 1, further comprising:
    - applying a tag to one or more frames communicated from the source device over the VLAN.
  - 8. The computer program product of claim 7, wherein the tag identifies the source device.
  - 9. The computer program product of claim 1, wherein the network device comprises a honeypot device.
  - 10. The computer program product of claim 1, wherein the network device is a server.
  - 11. The computer program product of claim 1, wherein the network device is unprotected by a security system with respect to activity within the local area network.
  - 12. The computer program product of claim 1, wherein the network device is configured via virtual local area network trunking to be accessible by a plurality of other devices located across multiple virtual local area networks.
  - 13. The computer program product of claim 12, wherein the multiple virtual local area networks are included in the local area network on which the network device is located.
  - 14. The computer program product of claim 12, wherein the virtual local area network trunking is facilitated utilizing at least one virtual local area network capable switch.
  - 15. The computer program product of claim 1, wherein the unwanted activity includes at least one of malware, a virus, a worm, spam, or spyware.
  - 16. The computer program product of claim 1, wherein identifying the unwanted activity by the network device includes identifying a type of access associated by the network device as unwanted activity.
  - 17. The computer program product of claim 1, wherein identifying the unwanted activity by the network device includes comparing activity associated with the network device with known unwanted activity.
  - 18. The computer program product of claim 1, further comprising:
    - removing the source device from isolation from the LAN in response to a determination that a component of the source device responsible for the unwanted activity has been removed.

19. A method comprising:
- identifying, by a network device, unwanted activity associated with an access request from a source device, the network device in communication with the source device via a virtual local area network (VLAN) of a local area network (LAN), wherein the unwanted activity is associated with one or more packets from the source device including a time to live (TTL) value indicating that the unwanted activity is only capable of being directly communicated from the source device to a single destination device within the LAN;
  
  identifying the source device associated with the unwanted activity; and
  
  isolating the source device from the LAN in response to the source device being associated with the unwanted activity.

20. A system, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the system is configured for;
  
  identifying, by a network device, unwanted activity associated with an access request from a source device, the network device in communication with the source device via a virtual local area network (VLAN) of a local area network (LAN), wherein the unwanted activity is associated with one or more packets from the source device including a time to live (TTL) value indicating that the unwanted activity is only capable of being directly communicated from the source device to a single destination device within the LAN;
  
  identifying the source device associated with the unwanted activity; and
  
  isolating the source device from the LAN in response to the source device being associated with the unwanted activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Thomas, Vinoo, Jyoti, Nitin
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/415,418
Publication Number

US 20120180131A1
Time in Patent Office

544 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

H04L 63/1491 using deception as counterm...

System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links