Logical / physical address state lifecycle management

US 9,667,589 B2
Filed: 09/04/2012
Issued: 05/30/2017
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing, by executing an instruction with a processor, a data packet from a network;

determining, by executing an instruction with the processor, whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;

when the data packet is not associated with the known threat;

processing, by executing an instruction with the processor, the data packet to generate processed information, the data packet including a source address, a target address, and a target hardware address, the source address including an Internet Protocol (IP) address and a port;

updating, by executing an instruction with the processor, at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;

comparing, by executing an instruction with the processor, the processed information to at least one of a behavioral rule and a reconnaissance rule, at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table;

determining, by executing an instruction with the processor, that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;

in response to determining that the data packet is associated with the new threat, generating, by executing an instruction with the processor, an address resolution protocol (ARP) packet using a false hardware address;

transmitting, by executing an instruction with the processor, the ARP packet to a gateway to invoke a defense mechanism; and

in response to receiving an additional data packet from the source address and addressed to the false physical address, dropping, by executing an instruction with the processor, the additional packet.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.

76 Citations

19 Claims

1. A method comprising:
- capturing, by executing an instruction with a processor, a data packet from a network;
  
  determining, by executing an instruction with the processor, whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  when the data packet is not associated with the known threat;
  
  processing, by executing an instruction with the processor, the data packet to generate processed information, the data packet including a source address, a target address, and a target hardware address, the source address including an Internet Protocol (IP) address and a port;
  
  updating, by executing an instruction with the processor, at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
  
  comparing, by executing an instruction with the processor, the processed information to at least one of a behavioral rule and a reconnaissance rule, at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table;
  
  determining, by executing an instruction with the processor, that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
  
  in response to determining that the data packet is associated with the new threat, generating, by executing an instruction with the processor, an address resolution protocol (ARP) packet using a false hardware address;
  
  transmitting, by executing an instruction with the processor, the ARP packet to a gateway to invoke a defense mechanism; and
  
  in response to receiving an additional data packet from the source address and addressed to the false physical address, dropping, by executing an instruction with the processor, the additional packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method per claim 1, further including updating the table of addresses to indicate that the address is associated with the new threat when the processed information violates at least one of the behavioral rule and the reconnaissance rule.
  - 3. A method per claim 1, wherein invoking the defense mechanism includes sending a reply to the source address to represent that a computer is accessible via the target address, the reply to entice an attacking computer to continue communication with the target address without spreading the new threat to the network.
  - 4. A method per claim 1, further including, when at least one of the source address or the target address is determined to be associated with the new threat, and when the target physical address is not associated with a physical device, dropping the data packet.
  - 5. A method per claim 4, further including:
    - in response to determining that the target physical address is not associated with a physical device, replacing the target physical address in the data packet with a real address of a target device; and
      
      sending the data packet with the real address of the target device.
  - 6. A method per claim 1, wherein invoking the defense mechanism includes:
    - when the source address is determined to be associated with the new threat, determining whether the source address is located within the network;
      
      generating an address control reply packet using a false physical address;
      
      sending the address control reply packet to a default gateway when the source address is not located within the network; and
      
      sending the address control reply packet to the source address when the source address is located within the network.
  - 7. A method per claim 1, wherein updating the record in the frequency table includes:
    - in response to detecting that the protocol is an address resolution protocol and the data packet is a first request that is not within a queue;
      
      adding the first request to the queue;
      
      recording the target address of the data packet to an unfulfilled state in an IP state table;
      
      adding the source address to a frequency table;
      
      adding the target address to the frequency table;
      
      updating data packet frequency values based on the frequency table; and
      
      identifying a threat based on the source address, the target address, and the data packet frequency values.
  - 8. A method per claim 1, wherein updating the record in the frequency table includes:
    - in response to detecting the protocol is an address resolution protocol and the data packet is a reply;
      
      determining that a second request corresponding to the reply exists within a queue; and
      
      removing the second request from the queue;
      
      adding the source address to a frequency table;
      
      adding the target address to the frequency table;
      
      updating data packet frequency values based on the frequency table; and
      
      identifying a threat based on the source address, the target address, and the data packet frequency values.

9. An apparatus comprising:
- one or more processors;
  
  one or more memory that stores instructions that, when executed by the one or more processors cause;
  
  a data analyzer to capture a data packet from a network, determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  a data processor to, in response to the data analyzer determining that the data packet is not associated with the known threat;
  
  process the data packet to generate processed information, the data packet including a source address, a target address, and a target physical address, the source address including an Internet Protocol (IP) address and a port;
  
  update at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
  
  a rules analyzer to, in response to the data analyzer determining that the data packet is not associated with the known threat;
  
  compare the processed information to at least one of a behavioral rule and a reconnaissance rule, including at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table; and
  
  determine that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
  
  a packet generator to, in response to determining that the data packet is associated with the new threat;
  
  generate an address resolution protocol (ARP) packet using a false physical address;
  
  transmit the ARP packet to a gateway to invoke a defense mechanism; and
  
  a defender to invoke the defense mechanism, the defense mechanism to include dropping an additional packet when receiving the additional packet from the source address addressed to the false physical address.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. An apparatus per claim 9, further including a table updater to update the table of addresses to indicate that the address is associated with the new threat when the processed information violates at least one of the behavioral rule and the reconnaissance rule.
  - 11. An apparatus per claim 9, wherein the defender invokes the defense mechanism by sending a reply to the source address to represent that a computer is accessible via the target address, the reply to entice an attacking computer to continue communication with the target address without spreading the new threat to the network.
  - 12. An apparatus per claim 9, wherein, when at least one of the source address or target address is determined to be associated with a threat and when the target physical address is not associated with a physical device, the defender is to drop the data packet.
  - 13. An apparatus per claim 12, wherein the defender, in response to determining that the target physical address is not associated with a physical device, is to replace the target physical address in the data packet with a real physical address of the target, and is to send the data packet with the real physical address of the target.
  - 14. An apparatus according to claim 9, wherein the defender, in response to determining the source address is associated with the new threat, is further to determine whether the source address is located within the network, generate an address control reply packet using a false physical address, send the address control reply packet to a default gateway when the source address is not located within the network, and send the address control reply packet to the source address when the source address is located within the network.

15. A storage device comprising:
- one or more processors;
  
  one or more memory that stores instructions that, when executed by the one or more processors, cause the storage device to at least;
  
  capture a data packet from a network;
  
  determine whether the data packet is associated with a known threat based on whether an address in the data packet is in a table of addresses associated with known threats;
  
  when the data packet is not associated with the known threat;
  
  process the data packet to generate processed information, the data packet including a source address, a target address, and a target physical address, the source address including an Internet Protocol (IP) address and a port;
  
  update at least one record in a frequency table based on at least the processed information, the at least one record indicating a number of packets sent by the source address;
  
  compare the processed information to at least one of a behavioral rule and a reconnaissance rule, at least one of the behavioral rule and the reconnaissance rule generated or modified based on an update of the frequency table;
  
  determine that the data packet is associated with a new threat if the processed information violates at least one of the behavioral rule and the reconnaissance rule;
  
  in response to determining that the data packet is associated with the new threat, generate an address resolution protocol (ARP) packet using a false physical addresstransmit the ARP packet to a gateway to invoke a defense mechanism; and
  
  drop an additional packet when receiving the additional packet from the source address addressed to the false physical address.
- View Dependent Claims (16, 17, 18, 19)
- - 16. A storage device per claim 15, wherein the instructions, when executed, further cause the storage device to:
    - update the table of addresses to indicate that the address is associated with the new threat when the processed information violates at least one of the behavioral rule and the reconnaissance rule.
  - 17. A storage device per claim 15, wherein the instructions, when executed, further cause the storage device to:
    - invoke the defense mechanism by sending a reply to the source address to represent that a computer is accessible via the target address, the reply to entice an attacking computer to continue communication with the target address without spreading the threat to the network.
  - 18. A storage device per claim 15, wherein the instructions, when executed, further cause the storage device to:
    - in response to determining that the target physical address is not associated with a physical device, replace the target physical address with a real physical address of the target in the data packet; and
      
      send the data packet with the real physical address of the target.
  - 19. A storage device per claim 15, wherein, when the source address is determined to be associated with a threat, the instructions, when executed, further cause the storage device to:
    - determine whether the source address is located within the network;
      
      generate an address control reply packet using a false physical address;
      
      send the address control reply packet to a default gateway when the source address is not located within the network; and
      
      send the address control reply packet to the source address when the source address is located within the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sysxnet Ltd.
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Wilkinson, Mark L., Miller, Ronald J., McDaniels, Michael J.
Primary Examiner(s)
ABU ROUMI, MAHRAN Y

Application Number

US13/603,388
Publication Number

US 20130311676A1
Time in Patent Office

1,729 Days
Field of Search

709226
US Class Current
CPC Class Codes

H04L 61/10   of different types

H04L 61/103   across network layers, e.g....

H04L 63/1433   Vulnerability analysis

Logical / physical address state lifecycle management

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Logical / physical address state lifecycle management

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links