Responsive deception mechanisms

US 10,348,763 B2
Filed: 04/25/2017
Issued: 07/09/2019
Est. Priority Date: 04/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a deception system on a network, comprising:

configuring a network interface of the deception system with a list of Media Access Control (MAC) addresses and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each IP address and associated MAC address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;

receiving a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;

determining that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;

identifying a deception mechanism from a plurality of deception mechanisms hosted by the deception system, wherein the deception mechanism emulates a network device;

starting up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;

configuring the deception mechanism to respond to the packet;

providing the packet to the deception mechanism;

transmitting a response generated by the deception mechanism onto the network;

receiving a second packet from the network, wherein the second packet is addressed to the deception mechanism;

determining an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and

modifying a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data.

31 Citations

View as Search Results

36 Claims

1. A method performed by a deception system on a network, comprising:
- configuring a network interface of the deception system with a list of Media Access Control (MAC) addresses and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each IP address and associated MAC address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
  
  receiving a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
  
  determining that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
  
  identifying a deception mechanism from a plurality of deception mechanisms hosted by the deception system, wherein the deception mechanism emulates a network device;
  
  starting up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
  
  configuring the deception mechanism to respond to the packet;
  
  providing the packet to the deception mechanism;
  
  transmitting a response generated by the deception mechanism onto the network;
  
  receiving a second packet from the network, wherein the second packet is addressed to the deception mechanism;
  
  determining an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
  
  modifying a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the intent is associated with a network protocol, and wherein configuring the deception mechanism includes enabling the network protocol.
  - 3. The method of claim 1, wherein the intent is associated with an operating system, and wherein configuring the deception mechanism includes initiating the operating system.
  - 4. The method of claim 1, wherein the intent is associated with an application, and wherein configuring the deception mechanism includes making the application available.
  - 5. The method of claim 1, wherein the intent is associated with a process, and wherein configuring the deception mechanism includes initiating the process.
  - 6. The method of claim 1, wherein the intent is associated with data, and wherein configuring the deception mechanism includes generating the data.
  - 7. The method of claim 1, wherein the intent is associated with a vulnerability, wherein configuring the deception mechanism includes configuring the deception mechanism to include the vulnerability.
  - 8. The method of claim 1, wherein responding to the packet includes enabling a connection with a source of the packet.
  - 9. The method of claim 1, further comprising:
    - configuring the deception mechanism to include a an asset; and
      
      monitoring the deception mechanism to determine whether an additional packet is received that is directed at the asset.
  - 10. The method of claim 1, wherein the deception mechanism is a low-interaction deception, wherein a low-interaction deception emulates one or more network devices, and wherein a low-interaction deception avoids granting connection requests.
  - 11. The method of claim 1, wherein the deception mechanism is a high-interaction deception, wherein a high-interaction deception emulates only one network device, and wherein a high-interaction deception accepts connection requests.
  - 12. The method of claim 1, wherein the intent is associated with specific user credentials, and wherein configuring the deception mechanism includes generating and enabling the specific user credentials on the deception mechanism.

13. A network deception system on a network, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  configuring a network interface of the network deception system with a list of Media Access Control (MAC) and Internet Protocol (IP) addresses wherein each MAC address in the list is associated with an IP address in the list, wherein each MAC address and associated IP address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the network deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
  
  receiving a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
  
  determining that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
  
  identifying a deception mechanism from a plurality of deception mechanisms hosted by the network deception system, wherein the deception mechanism emulates a network device;
  
  starting up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
  
  configuring the deception mechanism to respond to the packet, wherein configuring includes;
  
  providing the packet to the deception mechanism;
  
  transmitting a response generated by the deception mechanism onto the network;
  
  receiving a second packet from the network, wherein the second packet is addressed to the deception mechanism;
  
  determining an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
  
  modifying a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The network deception system of claim 13, wherein the non-transitory computer-readable medium further comprises instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - configuring the deception mechanism to include a an asset; and
      
      monitoring the deception mechanism to determine whether an additional packet is received that is directed at the asset.
  - 15. The network deception system of claim 13, wherein the deception mechanism is a low-interaction deception, wherein a low-interaction deception emulates one or more network devices, and wherein a low-interaction deception avoids granting connection requests.
  - 16. The network deception system of claim 13, wherein the deception mechanism is a high-interaction deception, wherein a high-interaction deception emulates only one network device, and wherein a high-interaction deception accepts connection requests.
  - 17. The network deception system of claim 13, wherein the intent is associated with a network protocol, and wherein configuring the deception mechanism includes enabling the network protocol.
  - 18. The network deception system of claim 13, wherein the intent is associated with an operating system, and wherein configuring the deception mechanism includes initiating the operating system.
  - 19. The network deception system of claim 13, wherein the intent is associated with an application, and wherein configuring the deception mechanism includes making the application available.
  - 20. The network deception system of claim 13, wherein the intent is associated with a process, and wherein configuring the deception mechanism includes initiating the process.
  - 21. The network deception system of claim 13, wherein the intent is associated with data, and wherein configuring the deception mechanism includes generating the data.
  - 22. The network deception system of claim 13, wherein the intent is associated with a vulnerability, wherein configuring the deception mechanism includes configuring the deception mechanism to include the vulnerability.
  - 23. The network deception system of claim 13, wherein responding to the packet includes enabling a connection with a source of the packet.
  - 24. The network deception system of claim 13, wherein the intent is associated with specific user credentials, and wherein configuring the deception mechanism includes generating and enabling the specific user credentials on the deception mechanism.

25. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors of a deception system on a network, cause the one or more processors to:
- configure a network interface of the deception system with a list of Media Access Control (MAC) addresses and Internet Protocol (IP) addresses, wherein each MAC address in the list is associated with an IP address in the list, wherein each MAC address and associated IP address represents an address deception, and wherein, when responding to a request for information about a MAC address or an IP address from the list, the deception system adopts the IP address and the MAC address at the network interface in order to respond to the request;
  
  receive a packet from the network, wherein the packet is addressed to a particular address deception represented in the list;
  
  determine that a response to the packet requires more than information about a particular MAC address or a particular IP address that represents the particular address deception;
  
  identify a deception mechanism from a plurality of deception mechanisms hosted by the deception system, wherein the deception mechanism emulates a network device;
  
  start up the deception mechanism, wherein a running deception mechanism that can respond to the packet is not available until the deception mechanism is started up;
  
  configure the deception mechanism to respond to the packet, wherein configuring includes;
  
  provide the packet to the deception mechanism;
  
  transmit a response generated by the deception mechanism onto the network;
  
  receive a second packet from the network, wherein the second packet is addressed to the deception mechanism;
  
  determine an intent associated with the second packet, wherein the intent includes an interaction with the network device emulated by the deception mechanism, wherein the interaction includes responding to the second packet or a subsequent packet; and
  
  modify a configuration of the deception mechanism according to the intent, wherein modifying enables the deception mechanism to perform the interaction.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer-program product of claim 25, wherein the intent is associated with a network protocol, and wherein configuring the deception mechanism includes enabling the network protocol.
  - 27. The computer-program product of claim 25, wherein the intent is associated with an operating system, and wherein configuring the deception mechanism includes initiating the operating system.
  - 28. The computer-program product of claim 25, wherein the intent is associated with an application, and wherein configuring the deception mechanism includes making the application available.
  - 29. The computer-program product of claim 25, wherein the intent is associated with a process, and wherein configuring the deception mechanism includes initiating the process.
  - 30. The computer-program product of claim 25, wherein the intent is associated with data, and wherein configuring the deception mechanism includes generating the data.
  - 31. The computer-program product of claim 25, wherein the intent is associated with a vulnerability, wherein configuring the deception mechanism includes configuring the deception mechanism to include the vulnerability.
  - 32. The computer-program product of claim 25, wherein the instructions for responding to the packet include instructions that, when executed by one or more processors, cause the one or more processors to:
    - enable a connection with a source of the packet.
  - 33. The computer-program product of claim 25, further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - configure the deception mechanism to include a an asset; and
      
      monitor the deception mechanism to determine whether an additional packet is received that is directed at the asset.
  - 34. The computer-program product of claim 25, wherein the deception mechanism is a low-interaction deception, wherein a low-interaction deception emulates one or more network devices, and wherein a low-interaction deception avoids granting connection requests.
  - 35. The computer-program product of claim 25, wherein the deception mechanism is a high-interaction deception, wherein a high-interaction deception emulates only one network device, and wherein a high-interaction deception accepts connection requests.
  - 36. The computer-program product of claim 25, wherein the intent is associated with specific user credentials, and wherein configuring the deception mechanism includes generating and enabling the specific user credentials on the deception mechanism.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Acalvio Technologies, Inc.
Inventors
Gopalakrishna, Rajendra A., Wu, Johnson, Gukal, Sreenivas, Varadarajan, Rammohan
Primary Examiner(s)
Turchen, James R

Application Number

US15/496,724
Publication Number

US 20170310705A1
Time in Patent Office

805 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0816   the condition being an adap...

H04L 41/0886   Fully automatic configuration

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Responsive deception mechanisms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Responsive deception mechanisms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links