Network infrastructure obfuscation

US 9,021,092 B2
Filed: 10/18/2013
Issued: 04/28/2015
Est. Priority Date: 10/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method of obfuscating physical computers on a computer network from hackers, the method comprising:

capturing packets on a computer network of physical computers;

monitoring the captured packets to ascertain a schedule of a plurality of connection activations and deactivations of the physical computers on the network;

surveying a logical topology of the computer network;

instantiating and initializing a plurality of software-based host emulators, each host emulator configured to respond to an Internet control message protocol (ICMP) echo request packet;

obtaining an Internet protocol (IP) address for each host emulator based on the surveyed topology; and

connecting the host emulators to the base computer network over time based on the ascertained schedule and a random number generator, the connecting substantially interleaving the connecting of the host emulators with the plurality of connection activations of the physical computers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A shadow network, which can be a virtual reproduction of a real, physical, base computer network, is described. Shadow networks duplicate the topology, services, host, and network traffic of the base network using shadow hosts, which are low interaction, minimal-resource-using host emulators. The shadow networks are connected to the base network through virtual switches, etc. in order to form a large obfuscated network. When a hacker probes into a host emulator, a more resource-intensive virtual machine can be swapped in to take its place. When a connection is attempted from a host emulator to a physical computer, the a host emulator can step in to take the place of the physical computer, and software defined networking (SDN) can prevent collisions between the duplicated IP addresses. Replicating the shadow networks within the network introduces problems for hackers and allows a system administrator easier ways to identify intrusions.

Citations

20 Claims

1. A method of obfuscating physical computers on a computer network from hackers, the method comprising:
- capturing packets on a computer network of physical computers;
  
  monitoring the captured packets to ascertain a schedule of a plurality of connection activations and deactivations of the physical computers on the network;
  
  surveying a logical topology of the computer network;
  
  instantiating and initializing a plurality of software-based host emulators, each host emulator configured to respond to an Internet control message protocol (ICMP) echo request packet;
  
  obtaining an Internet protocol (IP) address for each host emulator based on the surveyed topology; and
  
  connecting the host emulators to the base computer network over time based on the ascertained schedule and a random number generator, the connecting substantially interleaving the connecting of the host emulators with the plurality of connection activations of the physical computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - identifying an operating system used by at least one of the physical computers;
      
      initializing a virtual machine that emulates portions of the identified operating system;
      
      receiving, by a first host emulator of the host emulators, a request to establish a connection;
      
      replacing the first host emulator with the virtual machine by;
      
      assigning the IP address of the first host emulator to the virtual machine; and
      
      establishing, using the virtual machine, a connection in response to the request, or responding, using the virtual machine, to traffic associated with an established connection.
  - 3. The method of claim 2 wherein the initializing of the virtual machine occurs before the receiving of the request to establish the connection, the virtual machine kept on warm standby until the replacing.
  - 4. The method of claim 2 further comprising:
    - receiving, by a second host emulator, a second request to establish a second connection;
      
      re-tasking the virtual machine by;
      
      assigning the IP address of the second host emulator to the virtual machine; and
      
      establishing, using the virtual machine, a connection in response to the second request, or responding, using the virtual machine, to traffic associated with a connection established by the second request.
  - 5. The method of claim 2 wherein the initializing of the virtual machine occurs based on an alert received from a security product, a network communication anomaly, or an event triggered by a user-defined rule.
  - 6. The method of claim 2 further comprising:
    - identifying a patch level of the operating system; and
      
      initializing the virtual machine to emulate portions of the identified operating system in accordance with the identified patch level.
  - 7. The method of claim 2 wherein the virtual machine is configured to emulate an operating system selected from the group consisting of a Microsoft Windows®
    - operating system, Mac OS®
      
      , Linux®
      
      operating system, Unix operating system, iOS operating system, and Android®
      
      operating system.
  - 8. The method of claim 2 wherein the virtual machine is configured to emulate an application executing on the operating system, the application being selected from the group consisting of a database server, a file server, and a web server.
  - 9. The method of claim 1 wherein the IP address is obtained from a dynamic host configuration protocol (DHCP) server.
  - 10. The method of claim 1 wherein each host emulator is configured to establish a connection using a SYN, SYN-ACK, and ACK handshake.
  - 11. The method of claim 1 further comprising:
    - assigning a media access control (MAC) address to each host emulator, wherein each host emulator is configured to respond to an ICMP echo request packet with the assigned MAC address.
  - 12. The method of claim 1 wherein a number of the host emulators exceeds a number of the physical computers by a factor of 5.

13. A method of containing a hacker within a shadow portion of a computer network, the method comprising:
- instantiating and initializing a plurality of software-based host emulators, each host emulator configured to respond to an Internet control message protocol (ICMP) echo request packet;
  
  obtaining an Internet protocol (IP) address for each host emulator;
  
  connecting the host emulators to a computer network having physical computers;
  
  intercepting a request to establish a connection between a first host emulator of the host emulators and a first physical computer of the physical computers;
  
  determining an IP address of the first physical computer;
  
  assigning the IP address of the first physical computer to a second host emulator, the first physical computer keeping its IP address;
  
  routing, using software defined networking (SDN), the intercepted request to the second host emulator; and
  
  establishing a connection between the first and second host emulators using the routing.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13 further comprising:
    - identifying an operating system used by at least one of the physical computers;
      
      initializing a virtual machine that emulates portions of the identified operating system before the request is intercepted, wherein the virtual machine is on warm standby until the request is intercepted;
      
      ascertaining that the identified operating system is the same as an operating system of the first physical computer; and
      
      assigning the IP address of the first physical computer to the virtual machine.
  - 15. The method of claim 14 further comprising:
    - identifying a patch level of the operating system; and
      
      initializing the virtual machine to emulate portions of the identified operating system in accordance with the identified patch level.
  - 16. The method of claim 13 further comprising:
    - providing host emulators on a second computer network having physical computers;
      
      intercepting a second request to establish a connection between the second host emulator and a second physical computer on the second computer network;
      
      determining an IP address of the second physical computer;
      
      assigning the IP address of the second physical computer to a third host emulator of the second computer network, the second physical computer keeping its IP address;
      
      routing, using SDN, the intercepted second request to the third host emulator; and
      
      establishing a connection between the second and third host emulators.
  - 17. The method of claim 13 further comprising:
    - capturing packets on the computer network of the physical computers;
      
      monitoring the captured packets to ascertain a schedule of connection activations and deactivations of the physical computers; and
      
      connecting the host emulators to the computer network over time based on the ascertained schedule and a random number generator, the connecting substantially interleaving the connecting of the host emulators with connection activations of the physical computers.
  - 18. The method of claim 13 further comprising:
    - determining a media access control (MAC) address, host name, or workgroup name of the first physical computer; and
      
      associating the second host emulator with the determined MAC address, host name, or workgroup name.
  - 19. The method of claim 13 wherein the IP address is obtained from a dynamic host configuration protocol (DHCP) server.

20. A method of setting up a computer network to obfuscate hackers, the method comprising:
- mapping physical hosts on a base computer network, including identifying a type and Internet protocol (IP) address of each physical host on the base network;
  
  determining a topology of the base network from the mapping;
  
  determining one or more services available on the base network from the mapping;
  
  capturing packets on the base network;
  
  identifying, from the captured packets, a network traffic pattern, the network traffic pattern including a frequency of communication, communication protocol, connection time, or source and destination IP address for a communication on the network;
  
  generating instructions for creating a shadow network from the topology, available services, and network traffic pattern, the shadow network having substantially the same topology, available services, and network traffic pattern as the base network;
  
  creating at least one shadow network using the generated instructions; and
  
  connecting the at least one shadow network to the base network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Shadow Networks, Inc. (Acalvio Technologies, Inc.)
Inventors
Silva, Steven M., Zhang, Yadong, Winsborrow, Eric, Wu, Johnson L., Schultz, Craig A.
Primary Examiner(s)
Feild, Lynn
Assistant Examiner(s)
BUI, JONATHAN A

Application Number

US14/058,034
Publication Number

US 20140115706A1
Time in Patent Office

557 Days
Field of Search

709/223, 709/224, 709/225
US Class Current

709/224
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 41/12   Discovery or management of ...

H04L 63/0209   Architectural arrangements,...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1491   using deception as counterm...

Network infrastructure obfuscation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network infrastructure obfuscation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links