Methods and systems for network attack detection and prevention through redirection

US 8,719,937 B2
Filed: 03/03/2011
Issued: 05/06/2014
Est. Priority Date: 04/16/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting an unauthorized access attempt to a network, comprising:

provisioning a network address block for the network;

determining, based on an identification scheme, a return address from the network address block in response to an address request;

monitoring the network address block by electronically comparing a source address associated with an access attempt to the return address;

blocking the access attempt when the source address does not match the return address;

hashing a time and an initial address associated with the address request to generate a value; and

mapping the value to the network address block to produce the return address,wherein the identification scheme includes assigning to the return address a utilization time period in which the return address can be used to access to the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.

Citations

15 Claims

1. A method for detecting an unauthorized access attempt to a network, comprising:
- provisioning a network address block for the network;
  
  determining, based on an identification scheme, a return address from the network address block in response to an address request;
  
  monitoring the network address block by electronically comparing a source address associated with an access attempt to the return address;
  
  blocking the access attempt when the source address does not match the return address;
  
  hashing a time and an initial address associated with the address request to generate a value; and
  
  mapping the value to the network address block to produce the return address,wherein the identification scheme includes assigning to the return address a utilization time period in which the return address can be used to access to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the identification scheme includes selecting a random address from the network address block as the return address.
  - 3. The method of claim 1, wherein the identification scheme generates the utilization time period based on a pre-determined time.
  - 4. The method of claim 1, wherein the identification scheme generates the utilization time period to be greater than a query-access time period associated with the address request.
  - 5. The method of claim 1, wherein the identification scheme generates the utilization time period based on an application associated with the address request.
  - 6. The method of claim 1, wherein the identification scheme generates the utilization time period based on a random time.
  - 7. The method of claim 1, further comprising:
    - denying subsequent access attempts to the return address after the utilization time period expires.
  - 8. The method of claim 1, further comprising:
    - tracing the access attempt when the source address does not match the return address.
  - 9. The method of claim 1, further comprising:
    - assigning at least one unused address of the network address block to an attack detector;
      
      detaining, by the attack detector, the access attempt when the source address matches the at least one unused address.
  - 10. The method of claim 1, further comprising altering a directory record to include the return address determined from the network address block.

11. A system comprising at least one processor coupled to a memory with instructions for detecting an unauthorized access attempt to a network and configured to:
- provision a network address block for the network;
  
  utilize an identification scheme to determine a return address from the network address block in response to an address request;
  
  monitor the network address block by electronically comparing a source address associated with an access attempt to the return address;
  
  block the access attempt when the source address does not match the return address;
  
  hash a time and an initial address associated with the address request to generate a value; and
  
  map the value to the network address block to produce the return address,wherein the identification scheme is configured to assign to the return address a utilization time period in which the return address can be used to access to the network.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the identification scheme is configured to select a random address from the network address block as the return address.
  - 13. The system of claim 11, wherein the system is further configured to trace the access attempt when the source address does not match the return address.
  - 14. The system of claim 11, wherein the system is further configured to:
    - assign at least one unused address of the network address block to an attack detector;
      
      utilize the attack detector to detain the access attempt when the source address matches the at least one unused address.

15. A non-transitory computer readable medium storing instructions for detecting an unauthorized access attempt to a network that when executed cause a processor to perform operations, comprising:
- provisioning a network address block for the network;
  
  determining, based on an identification scheme, a return address from the network address block in response to an address request;
  
  monitoring the network address block by electronically comparing a source address associated with an access attempt to the return address;
  
  blocking the access attempt when the source address does not match the return address;
  
  hashing a time and an initial address associated with the address request to generate a value; and
  
  mapping the value to the network address block to produce the return address,wherein the identification scheme includes assigning to the return address a utilization time period in which the return address can be used to access to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon BBN Technologies Corp. (Rtx Corporation), Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Sundaram, Ravi, Milliken, Walter Clark
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US13/040,030
Publication Number

US 20110154494A1
Time in Patent Office

1,160 Days
Field of Search

726/23, 713/151, 713/162, 709/245
US Class Current

726/23
CPC Class Codes

H04L 61/45   Network directories; Name-t...

H04L 61/4505   using standardised director...

H04L 61/50   Address allocation

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

H04L 63/16   Implementing security featu...

Methods and systems for network attack detection and prevention through redirection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for network attack detection and prevention through redirection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links