Systems and methods for providing network security monitoring

US 9,240,976 B1
Filed: 01/06/2015
Issued: 01/19/2016
Est. Priority Date: 01/06/2015
Status: Active Grant

First Claim

Patent Images

1. A system for providing security monitoring in a computer network, comprising:

one or more computing devices;

a network device element configured to receive a data packet;

a ghost network, implemented on the one or more computing devices, configured to replicate functionality of one or more network nodes in the computer network; and

a security monitoring device, implemented on the one or more computing devices, comprising;

a data collector configured to gather and process network configuration data, wherein the ghost network is generated automatically based on the gathered network configuration data, and wherein the network configuration data comprises network addresses, subnets of interfaces of the one or more network nodes, access control lists, and routing tables;

a configuration manager configured to;

identify a service accessible via a network port of a network node in the computer network;

change configuration of the identified service based on the gathered network configuration data; and

configure a trap for network traffic directed to the identified service including one or more criterion, the one or more criterion selected based on the gathered network configuration data; and

a monitor configured to;

determine whether the data packet meets the one or more criterion of the trap; and

redirect the data packet to the ghost network when the data packet meets the one or more criterion of the trap.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for providing security monitoring in a computer network, in an embodiment, a service accessible via a network port of a network node within the network is identified. The assigned port number for the identified service is changed to a second port number and a trap is configured including one or more criterion. A trap may be configured to capture network traffic that meets the one or more criterion of the trap. A data packet is then received. It is determined whether data packet meets the one or more criterion of the configured trap, and if so, the data packet is redirected to a ghost network. The ghost network may replicate network services, applications, and infrastructure in the computer network. The ghost network may additionally gather activity data based on the redirected data packet.

Citations

29 Claims

1. A system for providing security monitoring in a computer network, comprising:
- one or more computing devices;
  
  a network device element configured to receive a data packet;
  
  a ghost network, implemented on the one or more computing devices, configured to replicate functionality of one or more network nodes in the computer network; and
  
  a security monitoring device, implemented on the one or more computing devices, comprising;
  
  a data collector configured to gather and process network configuration data, wherein the ghost network is generated automatically based on the gathered network configuration data, and wherein the network configuration data comprises network addresses, subnets of interfaces of the one or more network nodes, access control lists, and routing tables;
  
  a configuration manager configured to;
  
  identify a service accessible via a network port of a network node in the computer network;
  
  change configuration of the identified service based on the gathered network configuration data; and
  
  configure a trap for network traffic directed to the identified service including one or more criterion, the one or more criterion selected based on the gathered network configuration data; and
  
  a monitor configured to;
  
  determine whether the data packet meets the one or more criterion of the trap; and
  
  redirect the data packet to the ghost network when the data packet meets the one or more criterion of the trap.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the ghost network is further configured to gather activity data based on the redirected data packet.
  - 3. The system of claim 1, wherein the data packet includes a destination address and a destination port, wherein the one or more criterion include a destination address and a destination port, and wherein the determining is based on at least whether the destination address and the destination port of the data packet match the destination address and the destination port of the one or more criterion.
  - 4. The system of claim 1, wherein the data packet includes a payload, and wherein the determining is based on analyzing the payload.
  - 5. The system of claim 1, wherein the ghost network is further configured to:
    - group one or more redirected data packets into a flow of data packets; and
      
      provide an alert based on the flow of data packets.
  - 6. The system of claim 1, wherein the configuration manager is further configured to change the configuration of the identified service automatically based on one or more configuration rules.
  - 7. The system of claim 6, wherein the one or more configuration rules are created via a graphical user interface.
  - 8. The system of claim 1, wherein the configuration manager is further configured to change the configuration of the identified service at the network node that provides the identified service.
  - 9. The system of claim 1, wherein the configuration manager is further configured to change the configuration of the identified service at the network device element.
  - 10. The system of claim 1, further comprising:
    - an analyzer configured to analyze data gathered by the ghost network;
      
      wherein the ghost network is further configured to;
      
      group one or more redirected data packets into a flow of data packets; and
      
      aggregate gathered activity data based on the flow of data packets; and
      
      wherein the analyzer is further configured to analyze the aggregated activity data to identify targeted resources.
  - 11. The system of claim 10, wherein the ghost network includes decoy data, wherein the analyzer is further configured to determine the decoy data that the aggregated activity data is directed toward.
  - 12. The system of claim 11, wherein the decoy data include one or more decoy network nodes and one or more decoy network device elements.
  - 13. The system of claim 1, wherein the network node further comprises an agent, wherein the agent is configured to record system administration activity on the network node.
  - 14. The system of claim 1, wherein the data collector is further configured to gather the network configuration data at least in part via a software defined networking (SDN) application programming interface (API), andwherein the configuration manager is further configured to configure the trap for network traffic directed to the identified service via the SDN API.

15. A method for providing security monitoring in a computer network, comprising:
- gathering and processing network configuration data, wherein the network configuration data comprises network addresses, subnets of interfaces of one or more network nodes, access control lists, and routing tables;
  
  identifying a service accessible via a network port of a network node;
  
  changing configuration of the identified service based on the gathered network configuration data;
  
  configuring a trap for network traffic directed to the identified service including one or more criterion, the one or more criterion selected based on the gathered network configuration data;
  
  receiving a data packet at a monitor;
  
  determining whether the data packet meets the one or more criterion of the trap; and
  
  redirecting the data packet to a ghost network when the data packet meets the one or more criterion of the trap, wherein the ghost network replicates functionality provided by the network node, and wherein the ghost network is generated automatically based on the gathered network configuration data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, further comprising:
    - gathering, by the ghost network, activity data based on the redirected data packet.
  - 17. The method of claim 15, wherein the data packet includes a destination address and a destination port, wherein the one or more criterion include a destination address and a destination port, and wherein the determining is based on at least whether the destination address and the destination port of the data packet match the destination address and the destination port of the one or more criterion.
  - 18. The method of claim 15, wherein the data packet includes a payload, and wherein the determining is based on analyzing the payload.
  - 19. The method of claim 15, further comprising:
    - grouping one or more redirected data packets into a flow of data packets; and
      
      providing an alert based on the flow of data packets.
  - 20. The method of claim 15, the changing further comprising:
    - automatically changing the configuration of the identified service based on one or more configuration rules.
  - 21. The method of claim 20, wherein the one or more configuration rules are created via a graphical user interface.
  - 22. The method of claim 15, wherein changing the configuration of the identified service comprises changing the configuration of the identified service on the network node that provides the identified service.
  - 23. The method of claim 15, wherein changing the configuration of the identified service comprises changing the configuration of the identified service at one or more network device elements directing traffic to the identified service.
  - 24. The method of claim 15, further comprising:
    - grouping one or more redirected data packets into a flow of data packets;
      
      aggregating, by the ghost network, gathered activity data based on the flow of data packets; and
      
      analyzing the aggregated activity data to identify targeted resources.
  - 25. The method of claim 24, wherein the ghost network includes decoy data, and wherein the analyzing further comprises determining the decoy data that the aggregated activity data is directed toward.
  - 26. The method of claim 24, wherein the decoy data include one or more decoy network nodes and one or more decoy network device elements.
  - 27. The method of claim 15, further comprising:
    - recording system administration activity on the network node;
      
      determining whether the recorded activity is potentially malicious; and
      
      providing an alert when the recorded activity is determined to be potentially malicious.
  - 28. The method of claim 15, wherein the network configuration data is gathered at least in part via a software defined networking (SDN) application programming interface (API), andwherein the trap for network traffic directed to the identified service is configured via the SDN API.

29. A non-transitory computer-readable storage device having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising:
- gathering and processing network configuration data, wherein the network configuration data comprises network addresses, subnets of interfaces of one or more network nodes, access control lists, and routing tables;
  
  identifying a service accessible via a network port of a network node;
  
  changing configuration of the identified service based on the gathered network configuration data;
  
  configuring a trap including one or more criterion;
  
  receiving a data packet at a monitor;
  
  determining whether the data packet meets the one or more criterion of the trap; and
  
  redirecting the data packet to a ghost network when the data packet meets the one or more criterion of the trap, wherein the ghost network replicates functionality provided by the network node, and wherein the ghost network is generated automatically based on the gathered network configuration data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blackpoint Holdings, LLC
Original Assignee
Blackpoint Holdings, LLC
Inventors
Murchison, Jon
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US14/590,818
Time in Patent Office

378 Days
Field of Search

726/23, 726/12, 726/13, 726/22, 370/235
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Systems and methods for providing network security monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing network security monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links