Revival and redirection of blocked connections for intention inspection in computer networks

US 9,491,189 B2
Filed: 04/27/2014
Issued: 11/08/2016
Est. Priority Date: 08/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method for network security, comprising:

monitoring traffic exchanged over a computer network;

identifying in the monitored traffic that an attempt of an initiating computer to communicate with a target computer has failed, by performing one or more of;

(i) identifying that one or more requests of the initiating computer to communicate with the target computer were not acknowledged; and

(ii) identifying a packet that was sent to the initiating computer and notifies the initiating computer that the attempt has failed;

causing the initiating computer to regard the failed attempt as successful, by;

(i) sending from a security system to the initiating computer a fake acknowledgment to one or more of the requests to communicate with the target computer, wherein the fake acknowledgement comprises a positive reply that appears to originate from the target computer; and

(ii) preventing the packet that notifies the initiating computer that the attempt has failed from reaching the initiating computer;

redirecting the identified failed attempt to the security system, which continues to communicate with the initiating computer over an investigation connection while impersonating the target computer; and

verifying whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.

Citations

22 Claims

1. A method for network security, comprising:
- monitoring traffic exchanged over a computer network;
  
  identifying in the monitored traffic that an attempt of an initiating computer to communicate with a target computer has failed, by performing one or more of;
  
  (i) identifying that one or more requests of the initiating computer to communicate with the target computer were not acknowledged; and
  
  (ii) identifying a packet that was sent to the initiating computer and notifies the initiating computer that the attempt has failed;
  
  causing the initiating computer to regard the failed attempt as successful, by;
  
  (i) sending from a security system to the initiating computer a fake acknowledgment to one or more of the requests to communicate with the target computer, wherein the fake acknowledgement comprises a positive reply that appears to originate from the target computer; and
  
  (ii) preventing the packet that notifies the initiating computer that the attempt has failed from reaching the initiating computer;
  
  redirecting the identified failed attempt to the security system, which continues to communicate with the initiating computer over an investigation connection while impersonating the target computer; and
  
  verifying whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has been blocked by a network security system.
  - 3. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has failed for attempting to access a nonexistent destination.
  - 4. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the one or more requests were not acknowledged within a predefined time period.
  - 5. The method according to claim 1, wherein identifying the failed attempt comprises detecting that the attempt has been retried.
  - 6. The method according to claim 1, wherein identifying the packet sent to the initiating computer comprises detecting a connection-reset or port-unreachable message that has been sent in response to the attempt.
  - 7. The method according to claim 1, wherein identifying that the one or more requests were not acknowledged comprises detecting an unanswered Address Resolution Protocol (ARP) request by the initiating computer.
  - 8. The method according to claim 7, wherein redirecting the identified failed attempt comprises replying to the ARP request with an address of the security system that carries out the investigation connection.
  - 9. The method according to claim 1, wherein identifying the failed attempt comprises receiving a notification of the failed attempt from a network security or management system of the computer network.
  - 10. The method according to claim 1, wherein identifying the failed attempt comprises predicting that the attempt will fail before actual failure of the attempt.

11. A security system, comprising:
- one or more interfaces, which are configured to connect to a computer network; and
  
  one or more hardware processors, which are configured;
  
  to monitor traffic exchanged over the computer network;
  
  to identify in the monitored traffic that an attempt of an initiating computer to communicate with a target computer has failed, by performing one or more of;
  
  (i) identifying that one or more requests of the initiating computer to communicate with the target computer were not acknowledged; and
  
  (ii) identifying a packet that was sent to the initiating computer and notifies the initiating computer that the attempt has failed;
  
  to cause the initiating computer to regard the failed attempt as successful, by;
  
  (i) sending from the security system to the initiating computer a fake acknowledgment to one or more of the requests to communicate with the target computer, wherein the fake acknowledgement comprises a positive reply that appears to originate from the target computer; and
  
  (ii) preventing the packet that notifies the initiating computer that the attempt has failed from reaching the initiating computer;
  
  to redirect the identified failed attempt to the security system, which continues to communicate with the initiating computer over an investigation connection while impersonating the target computer; and
  
  to verify whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 12. The system according to claim 11, wherein the processors comprise one or more Detection and Redirection Modules (DRMs) and an Investigation module (IVG), wherein the DRMs are configured to monitor the traffic, to identify the failed attempt and to redirect the identified attempt to the IVG, and wherein the IVG is configured to establish the investigation connection with the initiating computer, and to verify whether the failed attempt was malicious or innocent.
  - 13. The system according to claim 12, wherein the one or more DRMs comprise a plurality of DRMs that are coupled to respective switches of the computer network.
  - 14. The system according to claim 11, wherein the processors are configured to identify the failed attempt by detecting that the attempt has been blocked by a network security system.
  - 15. The system according to claim 11, wherein the processors are configured to identify the failed attempt by detecting that the attempt has failed for attempting to access a nonexistent destination.
  - 16. The system according to claim 11, wherein the processors are configured to identify the failed attempt by detecting that the one or more requests were not acknowledged within a predefined time period.
  - 17. The system according to claim 11, wherein the processors are configured to identify the failed attempt by detecting that the attempt has been retried.
  - 18. The system according to claim 11, wherein the processors are configured to identify the packet sent to the initiating computer by identifying a connection-reset or port-unreachable message that has been sent in response to the attempt.
  - 19. The system according to claim 11, wherein the processors are configured to identify that the one or more requests were not acknowledged by detecting an unanswered Address Resolution Protocol (ARP) request by the initiating computer.
  - 20. The system according to claim 19, wherein the processors are configured to redirect the identified failed attempt by replying to the ARP request with an address of an investigation unit that carries out the investigation connection.
  - 21. The system according to claim 11, wherein the processors are configured to identify the failed attempt by receiving a notification of the failed attempt from a network security or management system of the computer network.
  - 22. The system according to claim 11, wherein the processors are configured to predict that the attempt will fail before actual failure of the attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
GuardiCore Ltd. (Akamai Technologies, Inc.)
Inventors
Zeitlin, Ariel, Gurvich, Pavel
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Lakhia, Viral

Application Number

US14/262,750
Publication Number

US 20150058983A1
Time in Patent Office

926 Days
Field of Search

726 22- 23, 726/11, 713185-187, 370/390
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Revival and redirection of blocked connections for intention inspection in computer networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Revival and redirection of blocked connections for intention inspection in computer networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links