Revival and redirection of blocked connections for intention inspection in computer networks
First Claim
1. A method for network security, comprising:
- monitoring traffic exchanged over a computer network;
- identifying in the monitored traffic that an attempt of an initiating computer to communicate with a target computer has failed, by performing one or more of:
  (i) identifying that one or more requests of the initiating computer to communicate with the target computer were not acknowledged; and
  (ii) identifying a packet that was sent to the initiating computer and notifies the initiating computer that the attempt has failed;
- causing the initiating computer to regard the failed attempt as successful, by:
  (i) sending from a security system to the initiating computer a fake acknowledgment to one or more of the requests to communicate with the target computer, wherein the fake acknowledgement comprises a positive reply that appears to originate from the target computer; and
  (ii) preventing the packet that notifies the initiating computer that the attempt has failed from reaching the initiating computer;
- redirecting the identified failed attempt to the security system, which continues to communicate with the initiating computer over an investigation connection while impersonating the target computer; and
- verifying whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
Abstract
A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection.
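The failure-identification step described above, as an added Python example that is not part of the patent text: it classifies constructed connection events by the two conditions in claim 1 (requests never acknowledged, or an explicit failure notice). Mapping the claim's generic "request" and "failure notification" onto TCP SYN, RST and ICMP unreachable, and the names `find_failed_attempts`, `min_unanswered` and `timeout`, are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events (not real traffic): (time_s, initiator, target, port, kind).
# Treating SYN as the "request" and RST / ICMP unreachable as the "failure
# notification" is an assumption of this example, not wording from the patent.
EVENTS = [
    (0.0, "10.0.0.5", "10.0.9.1", 445, "SYN"),
    (1.0, "10.0.0.5", "10.0.9.1", 445, "SYN"),      # retransmission, never answered
    (3.0, "10.0.0.5", "10.0.9.1", 445, "SYN"),
    (0.2, "10.0.0.7", "10.0.1.2", 22, "SYN"),
    (0.3, "10.0.0.7", "10.0.1.2", 22, "RST"),       # explicit refusal
    (0.5, "10.0.0.8", "10.0.1.3", 443, "SYN"),
    (0.6, "10.0.0.8", "10.0.1.3", 443, "SYNACK"),   # normal handshake
    (9.0, "10.0.0.8", "10.0.1.3", 443, "RST"),      # teardown of a live session
    (4.0, "10.0.0.9", "10.0.2.4", 80, "SYN"),
    (4.1, "10.0.0.9", "10.0.2.4", 80, "ICMP_UNREACH"),
    (9.5, "10.0.0.6", "10.0.1.9", 25, "SYN"),       # single recent request: not judged yet
]

FAILURE_NOTICES = {"RST", "ICMP_UNREACH"}

def find_failed_attempts(events, min_unanswered=2, timeout=3.0):
    """Return {(initiator, target, port): reason} for attempts that failed."""
    events = sorted(events)
    end = events[-1][0] if events else 0.0
    syn_times = defaultdict(list)
    answered, failed = set(), {}
    for ts, src, dst, port, kind in events:
        key = (src, dst, port)
        if kind == "SYN":
            syn_times[key].append(ts)
        elif kind == "SYNACK":
            answered.add(key)
        elif kind in FAILURE_NOTICES and key in syn_times and key not in answered:
            failed[key] = "failure-notice:" + kind   # condition (ii)
    for key, times in syn_times.items():
        if key in answered or key in failed:
            continue
        # Condition (i): repeated requests, none acknowledged, then enough quiet time.
        if len(times) >= min_unanswered and end - times[-1] >= timeout:
            failed[key] = "unacknowledged"
    return failed
```

A reset that arrives after a completed handshake is ignored, so ordinary session teardown is not reported as a failed attempt.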
22 Claims
11. A security system, comprising:
- one or more interfaces, which are configured to connect to a computer network; and
- one or more hardware processors, which are configured:
  - to monitor traffic exchanged over the computer network;
  - to identify in the monitored traffic that an attempt of an initiating computer to communicate with a target computer has failed, by performing one or more of:
    (i) identifying that one or more requests of the initiating computer to communicate with the target computer were not acknowledged; and
    (ii) identifying a packet that was sent to the initiating computer and notifies the initiating computer that the attempt has failed;
  - to cause the initiating computer to regard the failed attempt as successful, by:
    (i) sending from the security system to the initiating computer a fake acknowledgment to one or more of the requests to communicate with the target computer, wherein the fake acknowledgement comprises a positive reply that appears to originate from the target computer; and
    (ii) preventing the packet that notifies the initiating computer that the attempt has failed from reaching the initiating computer;
  - to redirect the identified failed attempt to the security system, which continues to communicate with the initiating computer over an investigation connection while impersonating the target computer; and
  - to verify whether the failed attempt was malicious or innocent by communicating with the initiating computer over the investigation connection.
Specification