Device, system and method for defending a computer network
Abstract
A device, system, and method for defending a computer network are described. Network communications are received by a traffic filter, which dynamically determines whether the communications include an anomaly (i.e., are "anomalous" communications) or whether the communications are normal and do not include an anomaly. The traffic filter routes normal communications to the correct device within its network for servicing the service requested by the communications. The traffic filter routes any anomalous communications to a virtual space engine, which is configured to fake a requested service (e.g., to entice deployment of a malicious payload). Anomalous communications are analyzed using an analytical engine, which can dynamically develop rules for handling anomalous communications in-line, and the rules developed by the analytical engine can be employed by the traffic filter against future received communications.
118 Citations
17 Claims
1. A method implemented by a first device, the method comprising:
- receiving a first network communication from a second device, the first network communication requesting a service;
- responding to the second device by mangling a communication received from within a network, in response to a determination that the service is available on the network;
- modifying a payload of a packet to remove traits of the network and to provide apparent traits;
- responding to the second device that the service is available and mimicking protocols for the service, in response to a determination that the service is not available on the network;
- receiving a second network communication from the second device; and
- identifying whether existing rules are present for performing a pattern recognition for the second network communication, wherein if the existing rules are not present at the first device, at least a portion of the second network communication is copied to generate new rules for pattern recognition activities.

(Dependent claims 2, 3, 4, 5, 6)

7. An apparatus, comprising:
- a network interface that receives, from a device, a first network communication requesting a service, responds to the device by mangling a communication received from within a network, in response to a determination that the service is available on the network, responds to the device that the service is available and mimics protocols for the service, in response to a determination that the service is not available on the network, and receives a second network communication from the device; and
- a processing unit that modifies a payload of a packet to remove traits of the network and to provide apparent traits, identifies whether existing rules are present for performing a pattern recognition for the second network communication, and copies at least a portion of the second network communication to generate new rules for pattern recognition activities, if the existing rules are not present at the apparatus.

(Dependent claims 8, 9, 10, 11, 12)

13. Logic encoded in one or more non-transitory media that includes code for execution and, when executed by a first device, operable to perform operations comprising:
- receiving a first network communication from a second device, the first network communication requesting a service;
- responding to the second device by mangling a communication received from within a network, in response to a determination that the service is available on the network;
- modifying a payload of a packet to remove traits of the network and to provide apparent traits;
- responding to the second device that the service is available and mimicking protocols for the service, in response to a determination that the service is not available on the network;
- receiving a second network communication from the second device; and
- identifying whether existing rules are present for performing a pattern recognition for the second network communication, wherein if the existing rules are not present at the first device, at least a portion of the second network communication is copied to generate new rules for pattern recognition activities.

(Dependent claims 14, 15, 16, 17)
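A small Python model of the traffic filter and virtual space engine described in the abstract and in claim 1, added here as an illustration; it is not code from the patent. The real service responses, fake banners, trait rewrites and the probe payload are constructed assumptions, and the rule generation simply copies the first line of an unmatched payload.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the protected network (assumption, not from the patent):
# the real response per port, and the banners the virtual space engine uses to
# mimic services that do not exist on the network.
REAL_SERVICES = {80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\nok"}
FAKE_BANNERS = {22: "SSH-2.0-OpenSSH_8.9\r\n", 21: "220 FTP service ready\r\n"}

# Payload traits that fingerprint the real network, each paired with the
# apparent trait that replaces it (constructed examples).
TRAIT_REWRITES = [
    (re.compile(r"^Server: [^\r\n]*", re.M), "Server: WebServer/1.0"),
    (re.compile(r"^X-Powered-By: [^\r\n]*", re.M), "X-Powered-By: none"),
]


def mangle(payload: str) -> str:
    """Remove traits of the network from a response and provide apparent traits."""
    for pattern, apparent in TRAIT_REWRITES:
        payload = pattern.sub(apparent, payload)
    return payload


@dataclass
class TrafficFilter:
    # Pattern-recognition rules: payload fragments copied from earlier traffic.
    rules: list = field(default_factory=list)

    def first_contact(self, port: int) -> str:
        """Answer a service request: a mangled real response if the service is
        available on the network, otherwise mimic the service so it appears available."""
        if port in REAL_SERVICES:
            return mangle(REAL_SERVICES[port])
        return FAKE_BANNERS.get(port, "220 service ready\r\n")

    def matches_rule(self, payload: str) -> bool:
        return any(rule in payload for rule in self.rules)

    def second_contact(self, payload: str) -> str:
        """Classify a follow-up communication; when no existing rule covers it,
        copy a portion of the payload into a new rule for future recognition."""
        if self.matches_rule(payload):
            return "anomalous"  # route to the virtual space engine
        self.rules.append(payload.split("\r\n")[0][:40])  # first line, truncated
        return "learned"
```

After the first unmatched probe, the same probe is recognised by the newly generated rule, which is the in-line rule development the abstract describes.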