Logical / physical address state lifecycle management
Abstract
A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.
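The address state lifecycle described in the abstract, written out as an added example (not the patent's own code). The state names unknown, unfulfilled and virtual come from the abstract; the "active" state for a device that answers, the explicit clock passed as `now`, the method names and the time-limit values are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# States named in the abstract; "active" (a host that answered in time) is an assumption
UNKNOWN, UNFULFILLED, VIRTUAL, ACTIVE = "unknown", "unfulfilled", "virtual", "active"

@dataclass
class AddressRecord:
    state: str = UNKNOWN
    last_seen: float = 0.0               # last time the address took part in any communication
    arp_sent_at: Optional[float] = None  # when an ARP request for this address went out

class AddressLifecycle:
    """Tracks each logical address with an explicit clock so transitions replay deterministically."""

    def __init__(self, response_limit: float, idle_limit: float):
        self.response_limit = response_limit  # time allowed for a device to answer a request
        self.idle_limit = idle_limit          # inactivity after which a state reverts to unknown
        self.table: Dict[str, AddressRecord] = {}

    def state_of(self, addr: str) -> str:
        return self.table.get(addr, AddressRecord()).state  # unassigned addresses read as unknown

    def arp_request(self, addr: str, now: float) -> None:
        """An ARP request was sent to the device with this address: unfulfilled until answered."""
        rec = self.table.setdefault(addr, AddressRecord())
        rec.state, rec.arp_sent_at, rec.last_seen = UNFULFILLED, now, now

    def response(self, addr: str, now: float) -> None:
        """The device answered: only a reply inside the response limit marks it active (assumed)."""
        rec = self.table.setdefault(addr, AddressRecord())
        if rec.arp_sent_at is None or now - rec.arp_sent_at <= self.response_limit:
            rec.state, rec.arp_sent_at, rec.last_seen = ACTIVE, None, now

    def inbound(self, addr: str, now: float) -> None:
        """Communication received at the address while unfulfilled: if the response
        limit already expired without an answer, the address is treated as virtual."""
        rec = self.table.setdefault(addr, AddressRecord())
        rec.last_seen = now
        if (rec.state == UNFULFILLED and rec.arp_sent_at is not None
                and now - rec.arp_sent_at > self.response_limit):
            rec.state, rec.arp_sent_at = VIRTUAL, None

    def expire(self, now: float) -> None:
        """Periodic sweep: any address not in state unknown that has not participated
        in communication within idle_limit returns to unknown."""
        for rec in self.table.values():
            if rec.state != UNKNOWN and now - rec.last_seen > self.idle_limit:
                rec.state, rec.arp_sent_at = UNKNOWN, None
```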
19 Claims
1. A method comprising:
- capturing, by executing an instruction with a processor, a data packet from a network;
- determining, by executing an instruction with the processor, whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
- when the data packet is not associated with the known threat:
- processing, by executing an instruction with the processor, the data packet to generate processed information, the data packet including a source address, a target address, and a target hardware address, the source address including an Internet Protocol (IP) address and a port;
- updating, by executing an instruction with the processor, at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
- comparing, by executing an instruction with the processor, the processed information to at least one of a behavioral rule and a reconnaissance rule, at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table;
- determining, by executing an instruction with the processor, that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
- in response to determining that the data packet is associated with the new threat, generating, by executing an instruction with the processor, an address resolution protocol (ARP) packet using a false hardware address;
- transmitting, by executing an instruction with the processor, the ARP packet to a gateway to invoke a defense mechanism; and
- in response to receiving an additional data packet from the source address and addressed to the false physical address, dropping, by executing an instruction with the processor, the additional packet.

9. An apparatus comprising:
- one or more processors;
- one or more memory that stores instructions that, when executed by the one or more processors, cause:
- a data analyzer to capture a data packet from a network, determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
- a data processor to, in response to the data analyzer determining that the data packet is not associated with the known threat: process the data packet to generate processed information, the data packet including a source address, a target address, and a target physical address, the source address including an Internet Protocol (IP) address and a port; update at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
- a rules analyzer to, in response to the data analyzer determining that the data packet is not associated with the known threat: compare the processed information to at least one of a behavioral rule and a reconnaissance rule, including at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table; and determine that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
- a packet generator to, in response to determining that the data packet is associated with the new threat: generate an address resolution protocol (ARP) packet using a false physical address; transmit the ARP packet to a gateway to invoke a defense mechanism; and
- a defender to invoke the defense mechanism, the defense mechanism to include dropping an additional packet when receiving the additional packet from the source address addressed to the false physical address.

15. A storage device comprising:
- one or more processors;
- one or more memory that stores instructions that, when executed by the one or more processors, cause the storage device to at least:
- capture a data packet from a network;
- determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
- when the data packet is not associated with the known threat:
- process the data packet to generate processed information, the data packet including a source address, a target address, and a target physical address, the source address including an Internet Protocol (IP) address and a port;
- update at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
- compare the processed information to at least one of a behavioral rule and a reconnaissance rule, at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table;
- determine that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
- in response to determining that the data packet is associated with the new threat, generate an address resolution protocol (ARP) packet using a false physical address;
- transmit the ARP packet to a gateway to invoke a defense mechanism; and
- drop an additional packet when receiving the additional packet from the source address addressed to the false physical address.
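The pipeline of the independent claims (known-threat table lookup, frequency table update, rule comparison, ARP packet with a false hardware address for the gateway, and dropping later packets addressed to that address), as an added example that is not the patent holder's code. The packet dictionary layout, the reconnaissance rule (more than `recon_port_limit` distinct target ports from one source), the decoy address `FALSE_HW` and the shape of the recorded ARP packet are assumptions made for this illustration; the ARP packet is only recorded, not sent.

```python
from collections import defaultdict

FALSE_HW = "de:ad:be:ef:00:01"  # assumed decoy hardware address handed to the gateway

class ThreatDetector:
    def __init__(self, known_threats, recon_port_limit=5):
        self.known_threats = set(known_threats)   # table of addresses associated with known threats
        self.recon_port_limit = recon_port_limit  # reconnaissance rule threshold (assumed value)
        self.freq = defaultdict(lambda: {"packets": 0, "ports": set()})  # frequency table per source
        self.redirected = {}   # source (ip, port) -> false hardware address, i.e. detected new threats
        self.arp_out = []      # ARP packets that would be transmitted to the gateway

    def handle(self, pkt):
        """Classify one captured packet: 'known', 'dropped', 'new_threat' or 'ok'."""
        src = (pkt["src_ip"], pkt["src_port"])   # source address = IP address and port
        if pkt["src_ip"] in self.known_threats:
            return "known"
        # defense mechanism: an additional packet from a redirected source that is
        # addressed to the false hardware address is dropped without further processing
        if src in self.redirected and pkt["dst_hw"] == self.redirected[src]:
            return "dropped"
        rec = self.freq[src]                      # update the frequency table record
        rec["packets"] += 1
        rec["ports"].add(pkt["dst_port"])
        # reconnaissance rule derived from the frequency table (assumed): one source
        # probing more than recon_port_limit distinct target ports is a new threat
        if len(rec["ports"]) > self.recon_port_limit:
            self.redirected[src] = FALSE_HW
            # ARP packet for the gateway; which IP it binds to FALSE_HW is an assumption
            self.arp_out.append({"op": "reply", "src_ip": pkt["src_ip"], "hw": FALSE_HW})
            return "new_threat"
        return "ok"
```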