Invented by Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan, Acalvio Technologies Inc
The Acalvio Technologies Inc invention works as follows
Systems, methods and computer-program products are provided for providing network deceptions by using a tunnel. A network device in a first network can be configured to act as a projection point. A network tunnel can have the projection point configured as its endpoint. The network tunnel's other end can be terminated at a deception farm. The deception farm can host a second network that includes network devices configured to be deception mechanisms. A network address from the first network is assigned to a deception mechanism, and this network address, along with the network tunnel, allows the deception mechanism to appear as a new node within the first network.
Background for Tunneling for network deceptions
Provided are methods, including computer-implemented methods or methods implemented by network devices. Also provided are devices, including network devices, and computer-program products for providing network deceptions through tunneling. In various implementations, a network device may be configured to act as a projection point. A network tunnel can have the projection point as its endpoint. The network tunnel's other end can be terminated at a deception center. The deception center can host network devices configured to act as deception mechanisms.
In various implementations, a network device configured as a projection point can determine a network address. The network address is determined from the available network addresses of a first network, which is the network that the network device is attached to. The network device may configure a network tunnel to a second network. The second network may include one or several deception mechanisms. For example, it could be located at a deception farm. The network device may select one deception mechanism from among those deception mechanisms. The network device may assign the network address to the selected deception mechanism. The network address and the network tunnel allow the deception mechanism to be a network node in the first network.
In various implementations, the network device configured as a projection point can determine the configuration of other network devices in the first network. In these implementations, that configuration can be used to select the deception mechanism.
In various implementations, a network device can determine the configuration of one or more network devices in the first network and configure the selected deception mechanism using the configuration of those other network devices.
In various implementations, a network device may select the second network from among a plurality of deception networks that host deception mechanisms.
The network device may receive further network traffic from the first network. This traffic is addressed to the selected deception mechanism. The network device may then transmit the traffic through the network tunnel.
In various implementations, a network device may receive further network traffic from the first network. The network traffic requests information about the address of the first network. The network device may then respond using, for instance, the network address.
In various implementations, the network device can further hide itself from the first network. The network device hides itself by not responding to traffic directed to it.
In various implementations, a network device may decide to add a second deception mechanism to the first network. The network device then configures a network tunnel that connects to a third network, a deception network. The network device then selects the additional deception mechanism from the one or more deception mechanisms.
In various implementations, the second network is linked to a deception farm, which includes network devices configured as deception mechanisms. In some implementations, a deception mechanism can be an emulated or physical network device.
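The projection-point behaviour described above (pick a free address in the first network, select a deception mechanism that resembles the other devices there, answer address queries for it, forward its traffic through the tunnel, and stay silent about itself), shown as an in-memory simulation. This is an added example, not code from the patent or from Acalvio; the class names, the packet dictionaries and the "most common OS" matching rule are assumptions, and no real network traffic is sent.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Decoy:                       # deception mechanism hosted at the farm
    name: str
    os: str
    address: str = ""              # site-network address once projected

@dataclass
class ProjectionPoint:
    own_ip: str                    # the projection point's own address
    subnet: str                    # the first (site) network
    in_use: set                    # addresses seen in use on the site network
    farm: list                     # decoys reachable through the tunnel
    projected: dict = field(default_factory=dict)  # ip -> Decoy
    tunnel: list = field(default_factory=list)     # packets sent to the farm
    alerts: list = field(default_factory=list)     # (src, decoy ip) pairs

    def project(self, site_os_counts):
        """Assign a free site address to a decoy resembling the site's devices."""
        taken = self.in_use | set(self.projected) | {self.own_ip}
        hosts = ipaddress.ip_network(self.subnet).hosts()
        ip = next((str(h) for h in hosts if str(h) not in taken), None)
        free = [d for d in self.farm if not d.address]
        if ip is None or not free:
            raise RuntimeError("no free address or decoy")
        common_os = max(site_os_counts, key=site_os_counts.get)
        decoy = next((d for d in free if d.os == common_os), free[0])
        decoy.address = ip
        self.projected[ip] = decoy
        return decoy

    def handle(self, pkt):
        """Classify one site-network packet: arp-reply, tunneled or dropped."""
        if pkt["dst"] not in self.projected:
            return "dropped"       # includes traffic to own_ip: stay hidden
        if pkt["type"] == "arp-request":
            return "arp-reply"     # answer on the decoy's behalf
        self.tunnel.append(pkt)    # forward to the deception farm
        self.alerts.append((pkt["src"], pkt["dst"]))  # decoy access is suspect
        return "tunneled"

def demo():  # constructed sample data: all addresses and OS names are invented
    pp = ProjectionPoint("10.0.0.2", "10.0.0.0/29", {"10.0.0.1", "10.0.0.3"},
                         [Decoy("d1", "linux"), Decoy("d2", "windows")])
    decoy = pp.project({"windows": 5, "linux": 2})
    out = [pp.handle({"type": t, "src": "10.0.0.3", "dst": d}) for t, d in
           [("arp-request", decoy.address), ("tcp", decoy.address), ("icmp", pp.own_ip)]]
    return decoy, out, pp.alerts
```

Every entry in `alerts` is worth triage, since normal users and systems have no reason to reach a projected address.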
Network deception devices, also known as "honeypots," "honey tokens," and "honey nets," are a common form of network deception and are among the many ways to defend a network from threats. Other methods of protecting a network include distracting the threat or diverting it. Honeypot-type deception devices can be installed on the network of a specific site, like a business office. Honeypot-type mechanisms are usually configured so that they can't be distinguished from the active production systems within the network. Deception mechanisms of this type are also configured to appear vulnerable and/or attractive to network threats by having data that appears valuable. Deception mechanisms may look like legitimate components of a site network. However, they are not a part of normal network operation and cannot be accessed by normal users. Because deception mechanisms are not used or accessed by normal site users, any access to one is suspected of being a network threat.
"Normal" operation of a network includes, in general, network activity that is consistent with the purpose of the network. Normal or legitimate network activities can include, for example, the operation of an educational institution, a medical facility, a government office or a home. Normal network activity can also include the non-business-related, casual activity of users of a network, such as accessing personal email and visiting websites on personal time, or using network resources for personal use. Normal network activity includes the operation of security devices such as firewalls and anti-virus software, intrusion detection, intrusion prevention, email filters, adware blocking, etc. Normal operations exclude deception mechanisms because they are not meant to be used in casual or business activities. Deception mechanisms are not usually used by network users or network systems, except for perhaps the most basic administrative tasks. Access to a deception mechanism that is not part of routine network administration tasks can indicate a network threat.
Threats against a network include active attacks where an attacker interacts with or engages systems within the network in order to steal information or harm the network. The attacker can be either a human or an automated system. Active attacks can include denial-of-service (DoS), distributed denial-of-service (DDoS), spoofing, and "man-in-the-middle" attacks; attacks involving malformed network requests (e.g., Address Resolution Protocol (ARP), "ping of death," etc.); and buffer, heap or stack overflows, format string attacks and others. Malicious software that is self-replicating or self-triggering can be a threat to a network. The malicious software can be innocuous until it is activated. Once activated, the software will try to steal data from the network or cause harm to the network. Malicious software spreads itself by infecting other computers on a network. Malicious software includes ransomware, viruses and Trojan horses. It also includes spyware, keyloggers, rootkits and rogue software.
Honeypot deception mechanisms are usually installed on the network of a specific site to serve as decoys. Honeypot-based systems can be made to look like legitimate network devices by using decoys that are indistinguishable from them. Deception mechanisms can be made to appear authentic by using a network address (such as an Internet Protocol address) that is within the same domain as legitimate devices on the site's network.
Deception mechanisms can be installed in a site network so that they have a network address in that network's domain. For example, network devices that are configured as deception mechanisms can be attached to switches, routers or other infrastructure in the site network. Installing deception mechanisms on a site network can be difficult and/or inefficient in some cases. In some cases, there is not enough physical or logical space in a network to accommodate more than a handful of deception mechanisms. Another example is that the configuration of deception mechanisms may have to be decided in advance, and it can be difficult to increase, decrease, or modify deception mechanisms directly installed in a network. Another example is the difficulty of centralizing administration of deception mechanisms spread across multiple site networks. This includes coordination of activities for multiple deception mechanisms and monitoring of possible intrusions.
In some cases it is not possible to integrate a deception device directly into the site network. A customer's network, for example, may be partly or completely "in the cloud." Cloud services providers may host part or all of a site's network on behalf of customers. In such cases, it may be impossible to access the cloud portion of a network to install deception devices.
An alternative to installing deception devices in a site network is to host them at a remote location. Deception mechanisms hosted this way may, however, have network addresses local to the remote site rather than addresses from the site network. This makes them more likely to be identified as decoys. Deception mechanisms can have their network addresses spoofed or masked. However, once a network attacker gains access to the deception mechanism, the attacker may find out the actual network address.
Network tunnels are one way to connect networks and network devices over other networks. Tunneling protocols allow a remote device to connect to a secure private network via other networks. These intermediate networks can be public or private, and they may not be secure. Virtual private networks (VPNs) are a common example of tunnels being used. A VPN tunnel allows remote users to connect their computer to a network located in a different physical location. The VPN tunnel connects the remote user's computer with the network at the office. Tunnels can be secured so that network traffic from remote users cannot be intercepted while it travels over public networks. The remote user can access the office network as if the user were physically present at the office.
In various implementations, network deception systems can use tunnels to project deception mechanisms from a remote location into a site's network. The deception mechanisms protect the site network against network threats. In some implementations, a network device within the site network may be configured to act as a projection point, which is one endpoint of a tunnel. The network device may further be connected to a remote deception farm using the network tunnel. In some implementations the deception farm may host a network simulator that can emulate multiple devices. In these implementations the network addresses of the emulated devices can be taken from the domain of the site network. The emulated network devices can be projected into the site network by the projection point. The emulated network devices appear in the site network in the same way as the legitimate devices.
In various implementations, deception farms can host physical or emulated network devices. Virtual machines configured to look like devices in a network can be used, for example, to generate simulated network devices. Physical network devices may include difficult-to-emulate devices, such as computers, machines, or control systems. Deception farms can include simulated network devices or physical network devices.
In various implementations, the network tunnels of a projection point can lead to more than one deception farm. These implementations allow the projection point to select from a variety of deception mechanisms that are hosted by different deception farms.