Deception-based network security using false positive responses to unauthorized access requests

US 8,925,080 B2
Filed: 12/20/2011
Issued: 12/30/2014
Est. Priority Date: 12/20/2011
Status: Active Grant

First Claim

Patent Images

1. A computer system including instructions recorded on a non-transitory computer-readable medium and readable by at least one processor, the system comprising:

a deception manager configured to cause the at least one processor to detect an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the deception manager including,a first request handler configured to receive an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port, the first request handler configured to determine whether the access request is unauthorized including determining whether the port associated with the access request is the unauthorized port or the authorized port using a knowledge base;

a first response manager configured to provide a false positive response to the computer if the port associated with the access request is determined as the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server, the first response manager configured to re-route access to the application server resources to a decoy server configured to mimic an appearance and function of the requested application server resources;

a deceiver library agent configured to detect an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the deceiver library agent including,a second request handler configured to subsequently determine whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;

a second response manager configured to instruct the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined an unauthorized by the second request handler such that input validation or sanitization techniques are not applied to the input data; and

a logging engine configured to monitor and store interactions of the computer with the decoy server in a logging database, the logging engine configured to update the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request handler may receive an access request for access to application server resources of an application server and determine that the access request is unauthorized. A response manager may provide a false positive response including apparent access to the application server resources.

49 Citations

View as Search Results

14 Claims

1. A computer system including instructions recorded on a non-transitory computer-readable medium and readable by at least one processor, the system comprising:
- a deception manager configured to cause the at least one processor to detect an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the deception manager including,a first request handler configured to receive an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port, the first request handler configured to determine whether the access request is unauthorized including determining whether the port associated with the access request is the unauthorized port or the authorized port using a knowledge base;
  
  a first response manager configured to provide a false positive response to the computer if the port associated with the access request is determined as the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server, the first response manager configured to re-route access to the application server resources to a decoy server configured to mimic an appearance and function of the requested application server resources;
  
  a deceiver library agent configured to detect an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the deceiver library agent including,a second request handler configured to subsequently determine whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
  
  a second response manager configured to instruct the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined an unauthorized by the second request handler such that input validation or sanitization techniques are not applied to the input data; and
  
  a logging engine configured to monitor and store interactions of the computer with the decoy server in a logging database, the logging engine configured to update the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein the second response manager is configured to transmit a false positive providing a response code in response to a directory traversal of the directory traversal attack.
  - 3. The computer system of claim 1, wherein the first request handler and the first response manager are configured to utilize one or more application programming interfaces (APIs) to access the knowledge base.
  - 4. The computer system of claim 1, further comprising:
    - at least one support tool configured to update the knowledge base such that the knowledge base includes up-to-date information regarding existing attack techniques.
  - 5. The computer system of claim 1, wherein the first request handler is also configured to store a plurality of false passwords in the knowledge base, the first request handler being configured to determine whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base, the first response manager being configured to transmit a false positive to the computer and re-route the access request to the decoy server when the first request handler determines that the password associated with the access request corresponds to the at least one false password.
  - 6. The computer system of claim 5, further comprising:
    - at least one support tool configured to generate a plurality of potential false passwords to gain access to the application and update the knowledge base with one or more of the potential false passwords.
  - 7. The computer system of claim 1, wherein the deception manager is implemented at a common entry point for all access requests and other communications from external network devices, the external network devices including the computer.
  - 8. The computer system of claim 1, wherein the at least one port configured as the unauthorized port includes a plurality of open unauthorized ports, and the at least one port configured as the authorized port includes a plurality of open authorized ports, the plurality of open unauthorized ports representing false positives.
  - 9. The computer system of claim 1, wherein the first response manager is configured to execute as a reverse proxy to re-route the unauthorized access request to the decoy server.

10. A computer-implemented method for causing at least one processor to execute instructions recorded on a non-transitory computer-readable medium, the method comprising:
- detecting, by a deception manager, an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the detecting including,receiving, by a first request handler, an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port;
  
  determining, by the first request handler, whether the access request is unauthorized using a knowledge base including determining whether the port associated with the access request is the unauthorized port or the authorized port using the knowledge base;
  
  providing, by a first response manager, a false positive response to the computer if the port associated with the access request is the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server;
  
  re-routing, by the first response manager, access to the application server to a decoy server configured to mimic an appearance and function of the requested application server resources;
  
  detecting, by a deceiver library agent, an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the detecting including,determining, by the deceiver library agent, whether the access request is unauthorized if the first request handler determines that the access request is authorized including determining whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
  
  instructing, by the deceiver library agent, the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined as unauthorized by the deceiver library agent such that input validation or sanitization techniques are not applied to the input data;
  
  monitoring and storing interactions of the computer with the decoy server in a logging database; and
  
  updating the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
- View Dependent Claims (11)
- - 11. The computer-implemented method of claim 10, further comprising:
    - storing a plurality of false passwords in the knowledge base;
      
      determining, by the first request handler, whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base; and
      
      transmitting a false positive to the computer and re-routing the access request to the decoy server when the password associated with the access request is the at least one false password.

12. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable medium and comprising instructions that, when executed, are configured to cause at least one processor to:
- detect, by a deception manager, an attack on an application server, the deception manager being implemented at a firewall associated with the application server, the detect including,receive, by a first request handler, an access request for access to application server resources of the application server from a computer, the access request being related to a port among a plurality of available ports associated with the application server, the plurality of available ports including at least one port configured as an unauthorized port and at least one port configured as an authorized port;
  
  determine, by the first request handler, whether the access request is unauthorized using a knowledge base including determining whether the port associated with the access request is the unauthorized port or the authorized port using the knowledge base; and
  
  provide, by a first response manager, a false positive response to the computer if the port associated with the access request is the unauthorized port, the false positive response indicating that the unauthorized port is open for legitimate communication to the application server;
  
  re-route, by the first response manager, access to the application server to a decoy server configured to mimic an appearance and function of the requested application server resources;
  
  detect, by a deceiver library agent, an application-level attack on an application associated with the application server, the deceiver library agent being implemented on the application server, the detect including,determine, by the deceiver library agent, whether the access request is unauthorized if the first request handler determines that the access request is authorized including determine whether the access request is associated with at least one application-level attack, the at least one application-level attack including a directory traversal attack, a client-side scripting attack, or a structured query language (SQL) attack, the access request including input data corresponding to the at least one application-level attack;
  
  instruct, by the deceiver library agent, the first request handler to re-route the access request and subsequent communications from the computer to the decoy server when the access request is determined an unauthorized by the deceiver library agent such that input validation or sanitization techniques are not applied to the input data;
  
  monitor and store interactions of the computer with the decoy server in a logging database; and
  
  update the knowledge base based on the stored interactions in the logging database such that an updated version of the knowledge base is maintained for use in determining whether a subsequent access request is unauthorized.
- View Dependent Claims (13, 14)
- - 13. The computer program product of claim 12, further comprising:
    - store a plurality of false passwords in the knowledge base;
      
      determine, by the first request handler, whether the access request is unauthorized by determining that a password associated with the access request corresponds to at least one of the plurality of false passwords stored in the knowledge base;
      
      transmit a false positive to the computer and re-route the access request to the decoy server when the password associated with the access request is the at least one false password.
  - 14. The computer program product of claim 13, wherein the instructions, when executed, are configured to cause the at least one processor to implement at least one support tool, the at least one support tool configured to generate a plurality of potential false passwords to gain access to the application and update the knowledge base with one or more of the potential false passwords.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Hebert, Cedric
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US13/331,972
Publication Number

US 20130160079A1
Time in Patent Office

1,106 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/145 the attack involving the pr...

H04L 63/1491 using deception as counterm...

Deception-based network security using false positive responses to unauthorized access requests

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Deception-based network security using false positive responses to unauthorized access requests

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links