Device, system and method for defending a computer network

US 8,839,417 B1
Filed: 11/17/2004
Issued: 09/16/2014
Est. Priority Date: 11/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a first device, the method comprising:

receiving a first network communication from a second device, the first network communication requesting a service;

responding to the second device by mangling a communication received from within a network, in response to a determination that the service is available on the network;

modifying a payload of a packet to remove traits of the network and to provide apparent traits;

responding to the second device that the service is available and mimicking protocols for the service, in response to a determination that the service is not available on the network;

receiving a second network communication from the second device; and

identifying whether existing rules are present for performing a pattern recognition for the second network communication, wherein if the existing rules are not present at the first device, at least a portion of the second network communication is copied to generate new rules for pattern recognition activities.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device, system, and method for defending a computer network are described. network communications are received by a traffic filter, which dynamically determines whether the communications include an anomaly (i.e., are “anomalous” communications), or whether the communications are normal, and do not include an anomaly. The traffic filter routes normal communications to the correct device within its network for servicing he service requested by the communications. The traffic filter routes any anomalous communications to a virtual space engine, which is configured to fake a requested service (e.g., to entice deployment of a malicious payload). Anomalous communications are analyzed using an analytical engine, which can dynamically develop rules for handling anomalous communications in-line, and the rules developed by the analytical engine can be employed by the traffic filter against future received communications.

118 Citations

View as Search Results

17 Claims

1. A method implemented by a first device, the method comprising:
- receiving a first network communication from a second device, the first network communication requesting a service;
  
  responding to the second device by mangling a communication received from within a network, in response to a determination that the service is available on the network;
  
  modifying a payload of a packet to remove traits of the network and to provide apparent traits;
  
  responding to the second device that the service is available and mimicking protocols for the service, in response to a determination that the service is not available on the network;
  
  receiving a second network communication from the second device; and
  
  identifying whether existing rules are present for performing a pattern recognition for the second network communication, wherein if the existing rules are not present at the first device, at least a portion of the second network communication is copied to generate new rules for pattern recognition activities.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - determining if the first network communication has a characteristic previously identified as malicious; and
      
      if the first network communication has the characteristic previously identified as malicious, routing the first network communication to a predetermined network component.
  - 3. The method of claim 1, further comprising:
    - determining if the first network communication corresponds to a previously generated rule; and
      
      if the first network communication corresponds to the previously generated rule, routing the first network communication according to the rule.
  - 4. The method of claim 1, further comprising:
    - masking the network topology, wherein a same service responds in a similar manner on a plurality of components within the network.
  - 5. The method of claim 1, further comprising:
    - masking the network topology, wherein all services respond for a plurality of components within the network.
  - 6. The method of claim 1, further comprising:
    - application masking, wherein every communication from devices within the network to devices external to the network portrays a same subset of attributes.

7. An apparatus, comprising:
- a network interface that receives, from a device, a first network communication requesting a service, responds to the device by mangling a communication received from within a network, in response to a determination that the service is available on the network, responds to the device that the service is available and mimics protocols for the service, in response to a determination that the service is not available on the network, and receives a second network communication from the device; and
  
  a processing unit that modifies a payload of a packet to remove traits of the network and to provide apparent traits, identifies whether existing rules are present for performing a pattern recognition for the second network communication, and copies at least a portion of the second network communication to generate new rules for pattern recognition activities, if the existing rules are not present at the apparatus.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the processing unit is configured to determine if the first network communication has a characteristic previously identified as malicious, and to route the first network communication to a predetermined network component if the first network communication has the characteristic previously identified as malicious.
  - 9. The apparatus of claim 7, wherein the processing unit is configured to determine if the first network communication corresponds to a previously generated rule and to route the first network communication according to the rule if the first network communication corresponds to the previously generated rule.
  - 10. The apparatus of claim 7, wherein the processing unit is configured to mask the network topology, wherein a same service responds in a similar manner on a plurality of components within the network.
  - 11. The apparatus of claim 7, wherein the processing unit is configured to mask the network topology, wherein all services respond for a plurality of components within the network.
  - 12. The apparatus of claim 7, wherein the processing unit is configured to mask an application, wherein every communication from devices within the network to devices external to the network portrays a same subset of attributes.

13. Logic encoded in one or more non-transitory media that includes code for execution and, when executed by a first device, operable to perform operations comprising:
- receiving a first network communication from a second device, the first network communication requesting a service;
  
  responding to the second device by mangling a communication received from within a network, in response to a determination that the service is available on the network;
  
  modifying a payload of a packet to remove traits of the network and to provide apparent traits;
  
  responding to the second device that the service is available and mimicking protocols for the service, in response to a determination that the service is not available on the network;
  
  receiving a second network communication from the second device; and
  
  identifying whether existing rules are present for performing a pattern recognition for the second network communication, wherein if the existing rules are not present at the first device, at least a portion of the second network communication is copied to generate new rules for pattern recognition activities.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The logic of claim 13, the operations further comprising:
    - determining if the first network communication has a characteristic previously identified as malicious; and
      
      if the first network communication has the characteristic previously identified as malicious, routing the first network communication to a predetermined network component.
  - 15. The logic of claim 13, the operations further comprising:
    - determining if the first network communication corresponds to a previously generated rule; and
      
      if the first network communication corresponds to the previously generated rule, routing the first network communication according to the rule.
  - 16. The logic of claim 13, the operations further comprising:
    - masking the network topology, wherein a same service responds in a similar manner on a plurality of components within the network, or all services respond for a plurality of components within the network.
  - 17. The logic of claim 13, the operations further comprising:
    - application masking, wherein every communication from devices within the network to devices external to the network portrays a same subset of attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jordan, Christopher J.
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US10/990,329
Time in Patent Office

3,590 Days
Field of Search

726/22, 726/23
US Class Current

726/22
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Device, system and method for defending a computer network

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Device, system and method for defending a computer network

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links