Detecting network intrusion using a decoy cryptographic key
First Claim
1. A method comprising:
- providing a first network device and a second network device of a data network, each of the first network device and the second network device having a decoy cryptographic key and an authentic cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in the data network, wherein the authentic cryptographic key is used to encrypt authorized data being transmitted in the data network, wherein providing the first network device and the second network device comprises, for each of the first network device and the second network device:
identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, and
storing the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data;
receiving, by the first network device, data from the second network device, wherein the data is encrypted using the decoy cryptographic key;
determining, by the first network device, that the data is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key; and
discarding, by the first network device, the data encrypted using the decoy cryptographic key.
Abstract
Systems and methods for detecting intrusion into a data network are disclosed. Such intrusion can be detected, for example, by providing at least two network devices in a data network. Each of the network devices has a decoy cryptographic key that is used to detect unauthorized data and an authentic cryptographic key that is used to encrypt authorized data. The first network device receives data from the second network device that is encrypted using the decoy cryptographic key. The first network device determines that the data is encrypted using the decoy cryptographic key. The first network device deletes or otherwise discards the data encrypted using the decoy cryptographic key. The first network device can generate an alert message instructing other network devices that the second network device is generating the unauthorized data. The alert message also instructs the other network devices to ignore data originating from the second network device.
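As an added illustration (not code from the patent), a Python sketch of the receive-side decision described in the abstract and claim 1, plus the variance criterion the claims use for choosing where to store the decoy key. The authenticated encryption (a SHA-256 counter keystream with an HMAC tag), the wire layout and the fixed-size region scan are assumptions made here so that "cannot be decrypted with the authentic key" is a checkable condition rather than a guess.

```python
import hashlib
import hmac
import os
import statistics

NONCE_LEN, TAG_LEN = 12, 32  # constructed wire format: nonce | ciphertext | tag

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream (assumed here; a real device would use an AEAD cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def receive(authentic_key: bytes, decoy_key: bytes, blob: bytes, sender: str) -> dict:
    """First network device logic from claim 1: authentic key first, then decoy key."""
    pt = decrypt(authentic_key, blob)
    if pt is not None:
        return {"action": "accept", "plaintext": pt, "alert": None}
    if decrypt(decoy_key, blob) is not None:
        # Only a sender holding the decoy key can produce this: discard and warn peers.
        return {"action": "discard", "plaintext": None,
                "alert": f"{sender} is using the decoy key; ignore its traffic"}
    return {"action": "discard", "plaintext": None, "alert": None}  # undecryptable noise

def pick_high_entropy_region(medium: bytes, region_size: int) -> int:
    """Index of the fixed-size region whose byte values have the greatest variance
    (the claims' criterion for where to store the decoy key)."""
    regions = [medium[i:i + region_size] for i in range(0, len(medium), region_size)]
    return max(range(len(regions)), key=lambda i: statistics.pvariance(list(regions[i])))
```

The alert returned by `receive` is what the abstract's network controller would fan out to the other devices; traffic that decrypts under neither key is dropped silently rather than raising an alert.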
Claims (20 in total)
1. Independent claim, reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 19, 20.
9. A non-transitory computer-readable medium embodying program code executable by a computer system, the non-transitory computer-readable medium comprising:
- program code for providing a decoy cryptographic key to each of a first network device and a second network device of a data network, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in the data network, wherein providing the decoy cryptographic key comprises, for each of the first network device and the second network device:
identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, and
storing the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data;
program code for receiving, by the first network device, data from the second network device, wherein the data is encrypted using a decoy cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data;
program code for determining that the data is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key; and
program code for generating an alert message instructing one or more additional network devices that the second network device is generating the unauthorized data and to ignore data originating from the second network device.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A system comprising:
- a first network device having a decoy cryptographic key and an authentic cryptographic key, wherein the decoy cryptographic key is used to detect unauthorized data being transmitted in a data network, wherein the authentic cryptographic key is used to encrypt authorized data being transmitted in the data network, wherein the first network device is configured for:
determining that data received from a second network device is encrypted using the decoy cryptographic key by determining that the authentic cryptographic key cannot be used to decrypt the data and decrypting the data using the decoy cryptographic key, and
transmitting an alert message that the second network device is using the decoy cryptographic key;
a network controller comprising:
a network interface configured to communicate with the first network device via the data network;
a processor configured to execute instructions stored in a non-transitory computer-readable medium providing an intrusion detection application, wherein the intrusion detection application comprises one or more modules configured to perform operations comprising:
receiving the alert message from the first network device that the second network device is using the decoy cryptographic key, and
based on receiving the alert message, configuring one or more additional network devices of the data network to cease communicating with the second network device; and
at least one device configured for providing the decoy cryptographic key to each of the first network device and the second network device, wherein providing the decoy cryptographic key comprises, for each of the first network device and the second network device:
identifying a respective first region of a respective computer-readable medium as having respective high entropy data based on the respective high entropy data having greater variance than respective low entropy data in a respective second region of the respective computer-readable medium, and
storing the decoy cryptographic key in the respective first region based on the respective high entropy data having the greater variance than the respective low entropy data.
Dependent claims: 17, 18.