System and method for providing a network host decoy using a...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S151000, C713S152000, C713S154000, C713S162000


active

06687833

ABSTRACT:

CROSS-REFERENCE TO RELATED APPLICATION
This patent application is related to a commonly-assigned U.S. patent application, entitled “System And Method For Remotely Identifying An Operating System Based On A Network Layer Stack Implementation,” filed on Sep. 24, 1999, pending, the disclosure of which is incorporated herein by reference.
FIELD OF THE INVENTION
The present invention relates in general to providing a network host decoy, and, in particular, to a system and method for providing a network host decoy using a pseudo network protocol stack implementation.
BACKGROUND OF THE INVENTION
Data information networks interconnecting a wide range of computational resources have become a mainstay of corporate computing environments. Most major corporations presently maintain numerous host computer systems that are interconnected internally over an intranetwork to which individual workstations and network resources are connected. These intranetworks make legacy databases and information resources widely available for access and utilization throughout the corporation. These same corporate resources can also be interconnected to a wide area public information internetwork, such as the Internet, to enable outside users to remotely access select corporate resources for the purpose of completing limited transactions or data transfer.
Due to the inherent risks of making such internal corporate systems available to a wider audience of internal and external users, maintaining network security has become a paramount concern. Network security is particularly crucial where the host systems are accessible by, and therefore vulnerable to, both internal workstations and external systems gaining access through the various intra- and internetwork connections. Protecting a network against attack by illicit users is extremely difficult due to the various machine types, operating systems, software patch levels, and system configurations. The complexity increases dramatically as the number of interconnected systems grows.
One source of complexity arises as a result of the various network protocol implementations used by each system and network device. Most current internetworks and intranetworks are based on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, “TCP/IP Illustrated,” Vol. 1, Ch. 1, Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Computer systems and network devices employing the TCP/IP suite implement a network protocol stack, which includes a hierarchically structured set of protocol layers. Each protocol layer performs a set of pre-defined functions as specified by the official TCP/IP standards set forth in applicable Requests for Comment (RFC). Numerous network security concerns arise due to the basic structuring of and differences in how each protocol layer has been implemented.
For instance, firewalls situated between the internal intranetwork and the external internetwork provide some level of active security against externally originating network “attacks.” Typically, these systems monitor and detect signature patterns in individual packets in the incoming data stream to identify a potential security threat. However, because functionality is separated between the individual network layers, an attack signature can be disguised or distributed over a series of packets to evade detection and thereby defeat the security provided by the firewall. Moreover, active security begins to fail as network traffic increases and the active security monitors become overwhelmed and saturated by packet data.
Therefore, there is a need for a passive network security system capable of diverting and tracking potential attacks for use in a system implementing a network protocol stack. Such a system should be capable of intercepting attacks originating from both external sources and illicit internal systems and be capable of simulating the network protocol stack implementation of a plurality of virtual hosts and network devices.
SUMMARY OF THE INVENTION
The present invention provides a system and method for providing a network host decoy using a pseudo network protocol stack implementation. Individual nuances particular to a given platform and operating system are introduced in a protocol stack specific manner.
An embodiment of the present invention is a system and method for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack. A hierarchical network protocol stack is functionally defined and includes a plurality of communicatively interfaced protocol layers. A request frame originating from a remote host is received. The request frame includes a plurality of recursively encapsulated data segments, each of which corresponds to a successive protocol layer in the network protocol stack. At each protocol layer, the header associated with the encapsulated data segment is processed, which demultiplexes that data segment from the request frame. Any requested network service is performed and any recursively encapsulated portion is forwarded to the next successive protocol layer. A plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack is formed. Each pseudo data segment includes a header and a data portion. The header includes network protocol stack characteristics for a pseudo host that differ from the network protocol stack characteristics of the virtual host. Each of the pseudo data segments within a response frame is recursively encapsulated. A network address for the pseudo host, different from the network address of the virtual host, is inserted into the response frame. The response frame is sent to the remote host.
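The procedure above (receive a request frame, demultiplex it layer by layer, form pseudo data segments whose headers carry a different host's stack characteristics, recursively encapsulate them into a response, and insert the pseudo host's network address) can be shown end to end with a small simulation. The following is an added example and is not code from the patent or its assignee. The three-layer frame layout, the `StackProfile` field set (TTL, don't-fragment flag, TCP window, TCP options), the MAC and IP addresses, and the port numbers are all constructed for this example; real IPv4/TCP headers carry more fields, but these are the ones a remote stack-fingerprinting tool typically compares, which is the point of the decoy.

```python
"""Simulated pseudo network protocol stack for a host decoy (constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IP = 0x0800
FLAG_DF = 0x40            # don't-fragment bit in the constructed network header
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass(frozen=True)
class StackProfile:
    """Observable stack characteristics of one host (field set is an assumption)."""
    ip_addr: str
    ttl: int
    df_flag: bool
    tcp_window: int
    tcp_options: bytes


# Constructed profiles: the real (virtual) host and the pseudo host it impersonates.
VIRTUAL_HOST = StackProfile("10.0.0.5", 64, True, 65535, b"\x02\x04\x05\xb4")
PSEUDO_HOST = StackProfile("10.0.0.77", 128, False, 8192, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
REMOTE_HOST = StackProfile("10.0.0.200", 255, True, 1024, b"")
HOST_MAC = bytes.fromhex("020000000005")     # constructed
REMOTE_MAC = bytes.fromhex("0200000000c8")   # constructed


def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


# --- encapsulation: one function per layer, each wrapping the layer above ---
def encapsulate_transport(src_port, dst_port, flags, profile, payload=b""):
    """Transport header: window size and options are taken from the profile."""
    opts = profile.tcp_options
    return struct.pack("!HHBHB", src_port, dst_port, flags, profile.tcp_window, len(opts)) + opts + payload


def encapsulate_network(src_ip, dst_ip, profile, payload):
    """Network header: TTL and DF flag are taken from the profile."""
    flags = FLAG_DF if profile.df_flag else 0
    return struct.pack("!BB4s4s", profile.ttl, flags, _packed(src_ip), _packed(dst_ip)) + payload


def encapsulate_link(dst_mac, src_mac, payload):
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IP) + payload


# --- demultiplexing: peel each header and hand the remainder to the next layer ---
def demultiplex(frame: bytes) -> dict:
    if len(frame) < 32:
        raise ValueError("frame too short for link+network+transport headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IP:
        raise ValueError("unsupported ethertype")
    ttl, nflags, src_ip, dst_ip = struct.unpack("!BB4s4s", frame[14:24])
    sport, dport, tflags, window, optlen = struct.unpack("!HHBHB", frame[24:32])
    options = frame[32:32 + optlen]
    return {
        "link": {"dst_mac": dst_mac, "src_mac": src_mac},
        "net": {"ttl": ttl, "df": bool(nflags & FLAG_DF),
                "src_ip": str(ipaddress.IPv4Address(src_ip)),
                "dst_ip": str(ipaddress.IPv4Address(dst_ip))},
        "transport": {"src_port": sport, "dst_port": dport, "flags": tflags,
                      "window": window, "options": options, "payload": frame[32 + optlen:]},
    }


def build_decoy_response(request_frame: bytes, pseudo: StackProfile):
    """Answer a SYN with a SYN/ACK whose every layer carries the pseudo host's
    characteristics and whose source address is the pseudo host's address."""
    req = demultiplex(request_frame)
    t = req["transport"]
    if not t["flags"] & TCP_SYN:
        return None  # this example only services connection attempts
    seg = encapsulate_transport(t["dst_port"], t["src_port"], TCP_SYN | TCP_ACK, pseudo)
    pkt = encapsulate_network(pseudo.ip_addr, req["net"]["src_ip"], pseudo, seg)
    return encapsulate_link(req["link"]["src_mac"], HOST_MAC, pkt)


def observed_profile(frame: bytes) -> StackProfile:
    """What a remote fingerprinting tool would record from a response frame."""
    p = demultiplex(frame)
    return StackProfile(p["net"]["src_ip"], p["net"]["ttl"], p["net"]["df"],
                        p["transport"]["window"], p["transport"]["options"])


def make_request(flags=TCP_SYN, dst_ip=PSEUDO_HOST.ip_addr, dst_port=22):
    """Constructed request frame from the remote host, addressed to the decoy."""
    seg = encapsulate_transport(40000, dst_port, flags, REMOTE_HOST)
    pkt = encapsulate_network(REMOTE_HOST.ip_addr, dst_ip, REMOTE_HOST, seg)
    return encapsulate_link(HOST_MAC, REMOTE_MAC, pkt)


if __name__ == "__main__":
    resp = build_decoy_response(make_request(), PSEUDO_HOST)
    print("observed:", observed_profile(resp))
    print("matches pseudo host:", observed_profile(resp) == PSEUDO_HOST)
```

The response is assembled from the innermost layer outward, so each layer's pseudo header is formed before being wrapped by the layer below it, mirroring the recursive encapsulation the summary describes; the request is taken apart in the opposite order. Only the profile object changes between impersonated hosts, which is what lets one virtual host present several decoys.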
One benefit of the present invention is a better deception. By analyzing the type of destination host sought, the invention provides a network host or device decoy which appears more convincing and realistic to the would-be attacker. Consequently, detection of the pseudo host is minimized.


REFERENCES:
patent: 5432932 (1995-07-01), Chen et al.
patent: 5655081 (1997-08-01), Bonnell et al.
patent: 5781550 (1998-07-01), Templin et al.
patent: 5870550 (1999-02-01), Wesinger et al.
patent: 5878231 (1999-03-01), Baehr et al.
patent: 5913024 (1999-06-01), Green et al.
patent: 5924127 (1999-07-01), Kawamoto et al.
patent: 5958010 (1999-09-01), Agarwal et al.
patent: 6332163 (2001-12-01), Bowman-Amuah
patent: 6381646 (2002-04-01), Zhang et al.
M. Pietrek, “Learn System-Level Win32 Coding Techniques by Writing an API Spy Program,” Microsoft Systems Journal, vol. 9, no. 12, Microsoft Press (Dec. 1994).
T. Fraser et al., “Hardening COTS Software with Generic Software Wrappers,” Proc. of the 1999 IEEE Symp. on Security and Privacy, IEEE (1999).
A. Osborne & J. D. Myers, “A Methodical Approach to Remote IP Stack Identification,” Network Associates, Inc., Santa Clara, California (1999).
