Device, system and method for defending a computer network

US 9,800,548 B2
Filed: 09/15/2014
Issued: 10/24/2017
Est. Priority Date: 11/17/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory including code;

a processor communicatively coupled to the memory; and

logic communicatively coupled to the processor to;

receive a network communication from an external network via a traffic filter,transmit a first synchronization signal to determine if the network communication is to be handled by a service that does not exist within a network associated with the traffic filter,if the first synchronization signal times out, route the network communication to a virtual space engine, and generate a first response to the network communication including information about the network associated with the traffic filter that is not discernable from the first response,determine whether a match of content of a payload of the network communication exists at least partially based on a validation of a cyclical redundancy check (CRC) of the payload, andperform network address translation at least partially based on a determination that the match is a known good packet.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device, system, and method for defending a computer network are described, network communications are received by a traffic filter, which dynamically determines whether the communications include an anomaly (i.e., are “anomalous” communications), or whether the communications are normal, and do not include an anomaly. The traffic filter routes normal communications to the correct device within its network for servicing he service requested by the communications. The traffic filter routes any anomalous communications to a virtual space engine, which is configured to fake a requested service (e.g., to entice deployment of a malicious payload). Anomalous communications are analyzed using an analytical engine, which can dynamically develop rules for handling anomalous communications in-line, and the rules developed by the analytical engine can be employed by the traffic filter against future received communications.

Citations

21 Claims

1. An apparatus, comprising:
- a memory including code;
  
  a processor communicatively coupled to the memory; and
  
  logic communicatively coupled to the processor to;
  
  receive a network communication from an external network via a traffic filter,transmit a first synchronization signal to determine if the network communication is to be handled by a service that does not exist within a network associated with the traffic filter,if the first synchronization signal times out, route the network communication to a virtual space engine, and generate a first response to the network communication including information about the network associated with the traffic filter that is not discernable from the first response,determine whether a match of content of a payload of the network communication exists at least partially based on a validation of a cyclical redundancy check (CRC) of the payload, andperform network address translation at least partially based on a determination that the match is a known good packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the logic removes network traits from internet protocol (IP) datagrams of the first response before a communication of the first response.
  - 3. The apparatus of claim 1, wherein the logic generates a second response to a second network communication for a service, the second response being similar to a third response to a third network communication for the service on another device in the network associated with the traffic filter.
  - 4. The apparatus of claim 1, wherein the logic generates the first response at least partially based on a comparison of the received network communication and a previously received communication handled by a service that exists within the network.
  - 5. The apparatus of claim 1, wherein the logic modifies a payload of a packet to remove traits of the network and to provide apparent traits.
  - 6. The apparatus of claim 5, wherein the apparent traits appear to provide a honeypot within the network associated with the traffic filter.
  - 7. The apparatus of claim 1, wherein, if the network communication is to be handled by a service that exists within the network associated with the traffic filter, the logic acknowledges a second synchronization signal from an internal network device.

8. A method implemented by a device, the method comprising:
- receiving a network communication from an external network via a traffic filter;
  
  transmitting a first synchronization signal to determine, with the device, if the network communication is to be handled by a service that does not exist within a network associated with the traffic filter;
  
  if the first synchronization signal times out, routing the network communication to a virtual space engine, and generating a first response to the network communication including information about the network associated with the traffic filter that is not discernable from the first response;
  
  determining whether a match of content of a payload of the network communication exists at least partially based on a validation of a cyclical redundancy check (CRC) of the payload; and
  
  performing network address translation at least partially based on a determination that the match is a known good packet.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the generating removes network traits from internet protocol (IP) datagrams of the first response before a communication of the first response.
  - 10. The method of claim 8, wherein the generating generates a second response to a second network communication for a service, the second response being similar to a third response to a third network communication for the service on another device in the network associated with the traffic filter.
  - 11. The method of claim 8, wherein the generating generates the first response at least partially based on a comparison of the received network communication and a previously received communication handled by a service that exists within the network.
  - 12. The method of claim 8, further comprising:
    - modifying a payload of a packet to remove traits of the network and to provide apparent traits.
  - 13. The method of claim 8, further comprising:
    - if the network communication is to be handled by a service that exists within the network associated with the traffic filter, acknowledging a second synchronization signal from an internal network device.

14. A non-transitory, processor-readable medium comprising code representing instructions to cause a processor to perform:
- receiving a network communication from an external network via a traffic filter;
  
  transmitting a first synchronization signal to determine if the network communication is to be handled by a service that does not exist within a network associated with the traffic filter;
  
  if the first synchronization signal times out, routing the network communication to a virtual space engine, and generating a first response to the network communication including information about the network associated with the traffic filter that is not discernable from the first response;
  
  determining whether a match of content of a payload of the network communication exists at least partially based on a validation of a cyclical redundancy check (CRC) of the payload; and
  
  performing network address translation at least partially based on a determination that the match is a known good packet.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory, processor-readable medium of claim 14, wherein the generating removes network traits from internet protocol (IP) datagrams of the first response before a communication of the first response.
  - 16. The non-transitory, processor-readable medium of claim 14, wherein the generating generates a second response to a second network communication for a service, the second response being similar to a third response to a third network communication for the service on another device in the network associated with the traffic filter.
  - 17. The non-transitory, processor-readable medium of claim 14, wherein the generating generates the first response at least partially based on a comparison of the received network communication and a previously received communication handled by a service that exists within the network.
  - 18. The non-transitory, processor-readable medium of claim 14, the code further representing instructions to cause the processor to perform:
    - modifying a payload of a packet to remove traits of the network and to provide apparent traits.
  - 19. The non-transitory, processor-readable medium of claim 18, wherein the apparent traits appear to provide a honeypot within the network associated with the traffic filter.
  - 20. The non-transitory, processor-readable medium of claim 14, the code comprising representing instructions to cause the processor to perform:
    - if the network communication is to be handled by a service that exists within the network associated with the traffic filter, acknowledging a second synchronization signal from an internal network device.
  - 21. The non-transitory, processor-readable medium of claim 14, the code further representing instructions to cause the processor to perform:
    - informing a device on the network to which the network communication was previously transmitted, if the network communication is determined to be malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jordan, Christopher J.
Primary Examiner(s)
LWIN, MAUNG T

Application Number

US14/486,740
Publication Number

US 20160366099A1
Time in Patent Office

1,135 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Device, system and method for defending a computer network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for defending a computer network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links