Detecting network intrusion using a decoy cryptographic key

US 8,719,938 B2
Filed: 04/09/2012
Issued: 05/06/2014
Est. Priority Date: 04/09/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a first network device and a second network device of a data network, each of the first network device and the second network device having a decoy cryptographic key and an authentic cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in the data network, wherein the authentic cryptographic key is used to encrypt authorized data being transmitted in the data network, wherein providing the first network device and the second network device comprises, for each of the first network device and the second network device;

identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, andstoring the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data;

receiving, by the first network device, data from the second network device, wherein the data is encrypted using the decoy cryptographic key;

determining, by the first network device, that the data is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key; and

discarding, by the first network device, the data encrypted using the decoy cryptographic key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting intrusion into a data network are disclosed. Such intrusion can be detected, for example, by providing at least two network devices in a data network. Each of the network devices has a decoy cryptographic key that is used to detect unauthorized data and an authentic cryptographic key that is used to encrypt authorized data. The first network device receives data from the second network device that is encrypted using the decoy cryptographic key. The first network device determines that the data is encrypted using the decoy cryptographic key. The first network device deletes or otherwise discards the data encrypted using the decoy cryptographic key. The first network device can generate an alert message instructing other network devices that the second network device is generating the unauthorized data. The alert message also instructs the other network devices to ignore data originating from the second network device.

252 Citations

20 Claims

1. A method comprising:
- providing a first network device and a second network device of a data network, each of the first network device and the second network device having a decoy cryptographic key and an authentic cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in the data network, wherein the authentic cryptographic key is used to encrypt authorized data being transmitted in the data network, wherein providing the first network device and the second network device comprises, for each of the first network device and the second network device;
  
  identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, andstoring the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data;
  
  receiving, by the first network device, data from the second network device, wherein the data is encrypted using the decoy cryptographic key;
  
  determining, by the first network device, that the data is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key; and
  
  discarding, by the first network device, the data encrypted using the decoy cryptographic key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20)
- - 2. The method of claim 1, wherein providing the first network device and the second network device further comprises, for each of the first network device and the second network device:
    - generating the decoy cryptographic key using additional high entropy data;
      
      storing decoy code capable of being used with the decoy cryptographic key in the respective computer-readable medium;
      
      storing the respective low entropy data in the respective second region of the respective computer-readable medium, wherein the respective low entropy data comprises operational code controlling the operation of a network device;
      
      storing the authentic cryptographic key in the respective second region of the respective computer-readable medium, wherein the authentic cryptographic key is obfuscated in the operational code.
  - 3. The method of claim 1, further comprising generating, by the first network device, an alert message instructing one or more additional network devices that the second network device is generating the unauthorized data and to ignore data originating from the second network device.
  - 4. The method of claim 3, wherein generating the alert message comprises providing a device identifier associated with the second network device to a network controller.
  - 5. The method of claim 3, further comprising providing, by the first network device, the alert message to the one or more additional network devices, wherein the alert message comprises an instruction to the one or more additional network devices to cease routing one or more data originating from the second network device.
  - 6. The method of claim 5, further comprising, prior to providing the alert message to the one or more additional network devices:
    - comparing, by the first network device, a plurality of data received from the second network device to a data profile associated with the second network device; and
      
      determining, by the first network device, that the plurality of data differs from expected data determined from the data profile;
      
      wherein the alert message to the one or more additional network devices is based in part on determining that the plurality of data differs from the expected data and on the use of the decoy cryptographic key by the second network device.
  - 7. The method of claim 1, further comprising determining, by the first network device, a geographic location of the second network device.
  - 8. The method of claim 7, wherein determining the geographic location of the second network device comprises:
    - determining, by the first network device, a distance from the second network device to each of a plurality of additional network devices; and
      
      determining, by the first network device, the geographic location based on a respective geographic location of each of the plurality of additional network devices and the distance from the second network device to each of the plurality of additional network devices.
  - 19. The method of claim 1, wherein the data is discarded based on the data being successfully decrypted using the decoy cryptographic key rather than the authentic cryptographic key.
  - 20. The method of claim 2, further comprising generating the decoy code, wherein the decoy code comprises executable code for performing an operation that performs at least one encryption or decryption operation using the decoy cryptographic key.

9. A non-transitory computer-readable medium embodying program code executable by a computer system, the non-transitory computer-readable medium comprising:
- program code for providing a decoy cryptographic key to each of a first network device and a second network device of a data network, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in the data network, wherein providing the decoy cryptographic key comprises, for each of the first network device and the second network device;
  
  identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, andstoring the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data;
  
  program code for receiving, by the first network device, data from the second network device, wherein the data is encrypted using a decoy cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data;
  
  program code for determining that the data is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key; and
  
  program code for generating an alert message instructing one or more additional network devices that the second network device is generating the unauthorized data and to ignore data originating from the second network device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The non-transitory computer-readable medium of claim 9, wherein the program code for generating the alert message comprises program code for providing a device identifier associated with the second network device to a network controller.
  - 11. The non-transitory computer-readable medium of claim 9, further comprising program code for providing the alert message to one or more additional network devices, wherein the alert message comprises an instruction to the one or more additional network devices to cease routing one or more data originating from the second network device.
  - 12. The non-transitory computer-readable medium of claim 11, further comprising:
    - program code for, prior to providing the alert message to the one or more additional network devices;
      
      comparing a plurality of data received from the second network device to a data profile associated with the second network device; and
      
      determining that the plurality of data differs from expected data determined from the data profile;
      
      wherein the alert message to the one or more additional network devices is based in part on determining that the plurality of data differs from the expected data and on the use of the decoy cryptographic key by the second network device.
  - 13. The non-transitory computer-readable medium of claim 12, wherein the plurality of data comprises power consumption data associated with the second network device, wherein the data profile comprises historical power consumption data associated with the second network device, and wherein the expected data comprises an expected power usage for the second network device.
  - 14. The non-transitory computer-readable medium of claim 9, further comprising program code for determining a geographic location of the second network device.
  - 15. The non-transitory computer-readable medium of claim 9, wherein the program code for determining a geographic location of the second network device comprises:
    - program code for determining a distance from the second network device to each of a plurality of additional network devices; and
      
      program code for determining the geographic location based on a respective geographic location of each of the plurality of additional network devices and the distance from the second network device to each of the plurality of additional network devices.

16. A system comprising:
- a first network device having a decoy cryptographic key and an authentic cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in a data network, wherein the authentic cryptographic key is used to encrypt authorized data being transmitted in the data network, wherein the first network device is configured for;
  
  determining that data received from a second network device is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key, andtransmitting an alert message that the second network device is using the decoy cryptographic key;
  
  a network controller comprising;
  
  a network interface configured to communicate with the first network device via the data network;
  
  a processor configured to execute instructions stored in a non-transitory computer-readable medium providing an intrusion detection application, wherein the intrusion detection application comprises one or more modules configured to perform operations comprising;
  
  receiving the alert message from the first network device that the second network device is using the decoy cryptographic key, andbased on receiving the alert message, configuring one or more additional network devices of the data network to cease communicating with the second network device; and
  
  at least one device configured for providing the decoy cryptographic key to each of the first network device and the second network device, wherein providing the decoy cryptographic key comprises, for each of the first network device and the second network device;
  
  identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, andstoring the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the one or more modules of the network controller are configured to perform additional operations comprising:
    - providing a data profile associated with the second network device to the first network device;
      
      configuring the first network device to compare a plurality of data received from the second network device to the data profile; and
      
      configuring the first network device to determine that the plurality of data differs from expected data determined from the data profile;
      
      wherein the alert message to the one or more additional network devices is generated responsive to determining that the plurality of data differs from the data profile.
  - 18. The system of claim 16, wherein the one or more modules are configured to perform additional operations comprising configuring a plurality of network devices in communication with the network controller to execute a denial-of-service attack directed to the second network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Landis+Gyr Technology, Inc. (Landis+Gyr Group AG)
Original Assignee
Landis+Gyr Innovations Incorporated (Landis+Gyr Group AG)
Inventors
Chasko, Stephen, Demeter, Michael
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
LE, KHOI V

Application Number

US13/442,256
Publication Number

US 20130269032A1
Time in Patent Office

757 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G01D 4/002   Remote reading of utility m...

H04L 63/06   for supporting key manageme...

H04L 63/1491   using deception as counterm...

Y02B 90/20   Smart grids as enabling tec...

Y04S 20/30   Smart metering, e.g. specia...

Detecting network intrusion using a decoy cryptographic key

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

252 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting network intrusion using a decoy cryptographic key

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

252 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others