US20220231987A1 - Network anti-tampering system - Google Patents
- Publication number: US20220231987A1 (application US17/707,794)
- Authority: US (United States)
- Prior art keywords: network, information processing, processing system, address, tampering
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
  - H04L61/00—Network arrangements, protocols or services for addressing or naming > H04L61/09—Mapping addresses > H04L61/10—Mapping addresses of different types > H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
  - H04L61/6022—
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227—Filtering policies > H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L63/101—Access control lists [ACL]
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic > H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L2101/00—Indexing scheme associated with group H04L61/00 > H04L2101/60—Types of network addresses > H04L2101/618—Details of network addresses > H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING:
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures
  - G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44—Arrangements for executing specific programs > G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Definitions
- The system and method may be configured to allow anti-tampering system 510 to respond to address messages, such as ARP request messages, transmitted on network 100. If an ARP message is for an IP address that is not in use by any information processing system present on network 100, the anti-tampering system 510 may be configured to respond to such messages. Anti-tampering system 510 may also be configured to monitor network traffic that passes through a specific piece of network equipment, such as switch 310, and respond to all messages for IP addresses not identified as valid for the network or any subset of the network. The anti-tampering system may also respond to requests corresponding to specific addresses where it determines that a system 110 sending an address message is not authorized to access the information system corresponding to a specific address.
- When the anti-tampering system 510 responds to a message, for example an ARP request message, the system transmits a reply, for example an ARP reply message, that includes the IP address from the ARP request message and a fabricated MAC address that is not in use on the local Ethernet network.
- FIG. 4 demonstrates an example Address Request Protocol request intercepted by anti-tampering system 510 in a system using the IPV4 and Address Resolution protocols.
- The sending system 110 sends an ARP request message 430 across the network.
- The ARP request message 430 may include a destination IP address that the sending system 110 wishes to access, but that destination IP address may correspond to a system not present on the network or a system that the sending system 110 is not authorized to access, and the destination MAC address will be unset, uninitialized, or otherwise undefined.
- ARP request message 410 passes through link 210 to switch 310.
- Switch 310 then routes the ARP message to anti-tampering system 510 through link 230.
- Anti-tampering system 510 may then respond to request 430 with a reply, for example ARP reply message 440.
- In ARP reply message 440, the requested IP address is included, and a MAC address that does not correspond to an information system using the requested IP address is included.
- The MAC address may instead correspond to anti-tampering system 510, correspond to a system configured to receive potentially unauthorized requests, or be a MAC address that does not correspond to any physical system on the network.
- The ARP reply message 420 returns to sending system 110 through link 230, switch 310, and link 210.
- The end result is that an unauthorized person or program attempting to identify resources on a network by, for example, iterating address requests through all possible addresses or a subset of possible addresses, will receive ARP reply messages indicating that unused addresses are in use on the network.
- The system can flag the activity and the IP or MAC address of the requesting information processing system. The system may then take steps to remove the flagged information processing system from the network, disable its ability to communicate with selected other information processing systems on the network, or send a communication including the IP or MAC address of the flagged information processing system to network administrators or third parties.
- The system and method do not require prior knowledge of the network addresses in use or the topology of the network, and do not require the network or the information processing systems being protected to be reconfigured in any way.
- The system and method provide network security and insight into network behavior.
- The network anti-tampering systems and methods thus may prevent criminals from tampering with computer systems.
- A criminal or other unauthorized person or program will necessarily need to understand the topology of the local network in order to launch an efficient and effective attack on other information processing systems attached to the same network.
- The systems and methods will interfere with the criminal's attempts to understand the network topology, limiting the criminal's ability to access information on information processing systems present in the network.
- The system and method may also detect misconfigured information processing systems. Sometimes an information processing system will be configured to contact network addresses not in use on the network.
- The invention makes it obvious when an information processing system is attempting to send messages to local network addresses that are not in use, and can flag the particular information processing system as making such requests.
- The system may send communications to a network administrator or third party indicating the flagged information processing system, or may automatically take steps to remove the information processing system from the network or reconfigure the information processing system.
- The system and method further provide visibility into which systems are communicating with each other on a particular network. This is possible because the systems and methods may listen to all address messages, for example ARP request messages, at a specific network location (e.g., switch 310), and thus have a record of all communications between information processing systems on the network. The system and method may use this record of communications between information processing systems to generate patterns of normal communication within the network. If the system then detects aberrations or changes in the normal communication patterns, it can provide an alert to a network administrator or third party, or automatically take action with respect to the information processing units determined to be communicating outside of the normal pattern.
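The decoy reply, requester flagging and communication baseline described in the items above, worked through in an added Python model that is not code from the patent or any product. `AntiTamperSystem`, `fabricated_mac`, the hosts and the ARP traffic are all constructed for the example; the learning window and the conflict check go beyond the text, as the practical safeguards a deployment needs so that a host that has simply not spoken yet is not shadowed by a decoy.

```python
"""Model of the ARP-level anti-tampering behaviour described above.

Added example: a monitor at the switch (system 510) learns in-use IP/MAC
pairs from traffic alone, answers requests for unused addresses with a
fabricated MAC, flags the requester and records who talks to whom.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)


@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    target_mac: str = "00:00:00:00:00:00"  # unset in a request


def fabricated_mac(ip: str) -> str:
    """Deterministic decoy MAC for an unused IP: derived from the IP so repeated
    requests get a consistent answer; first octet has the locally-administered
    bit set and the multicast bit clear, so it cannot collide with an OUI MAC."""
    digest = hashlib.sha256(ip.encode()).digest()[:6]
    first = (digest[0] & 0xFC) | 0x02
    return ":".join(f"{b:02x}" for b in (first, *digest[1:]))


class AntiTamperSystem:
    def __init__(self, flag_threshold: int = 3, learning_messages: int = 2):
        self.in_use: dict[str, str] = {}           # ip -> MAC, learned from traffic
        self.record: set[tuple[str, str]] = set()  # (sender ip, target ip) pairs seen
        self.unused_probes: Counter = Counter()    # sender ip -> requests for unused ips
        self.flagged: set[str] = set()
        self.decoyed: set[str] = set()             # ips we have answered for
        self.conflicts: list[str] = []             # decoyed ips later seen alive
        self.flag_threshold = flag_threshold
        self.learning_messages = learning_messages  # stay silent until this many seen
        self.seen = 0

    def observe(self, msg: Arp) -> Arp | None:
        """Handle one ARP message seen at the switch; return a decoy reply or None."""
        self.seen += 1
        if msg.sender_ip != "0.0.0.0":  # ARP probes carry 0.0.0.0; not a live host
            if msg.sender_ip in self.decoyed and msg.sender_ip not in self.in_use:
                self.conflicts.append(msg.sender_ip)  # a real host appeared after a decoy
            self.in_use[msg.sender_ip] = msg.sender_mac
        if msg.op != REQUEST:
            return None  # replies only feed the learned table
        self.record.add((msg.sender_ip, msg.target_ip))
        if msg.target_ip in self.in_use or self.seen <= self.learning_messages:
            return None  # a live host will answer, or we are still learning
        self.unused_probes[msg.sender_ip] += 1
        if self.unused_probes[msg.sender_ip] >= self.flag_threshold:
            self.flagged.add(msg.sender_ip)
        self.decoyed.add(msg.target_ip)
        return Arp(REPLY, fabricated_mac(msg.target_ip), msg.target_ip,
                   msg.sender_ip, msg.sender_mac)

    def aberrations(self, baseline: set[tuple[str, str]]) -> set[tuple[str, str]]:
        """Sender/target pairs recorded that were not part of the baseline."""
        return self.record - baseline


def run_demo() -> dict:
    """Constructed scenario: normal traffic, then a sweep of unused addresses."""
    h1 = ("10.0.0.11", "08:00:27:00:00:11")  # system 110
    h2 = ("10.0.0.12", "08:00:27:00:00:12")  # system 120
    mon = AntiTamperSystem(flag_threshold=3, learning_messages=2)
    normal = [Arp(REQUEST, h1[1], h1[0], h2[0]),
              Arp(REPLY, h2[1], h2[0], h1[0], h1[1])]
    for m in normal:
        assert mon.observe(m) is None  # genuine exchange: monitor stays silent
    baseline = set(mon.record)
    # system 110, now compromised, walks 10.0.0.13-15; none of them exist
    sweep = [Arp(REQUEST, h1[1], h1[0], f"10.0.0.{n}") for n in (13, 14, 15)]
    replies = [mon.observe(m) for m in sweep]
    again = mon.observe(sweep[0])  # same unused address asked twice
    return {
        "decoy_ips": [r.sender_ip for r in replies],
        "decoy_macs": [r.sender_mac for r in replies],
        "consistent": again.sender_mac == replies[0].sender_mac,
        "flagged": sorted(mon.flagged),
        "aberrations": sorted(mon.aberrations(baseline)),
        "conflicts": mon.conflicts,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run directly, it prints the decoy replies, the flagged sender and the sender/target pairs that fall outside the baseline recorded during normal traffic.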
Abstract
A system and method detect or prevent tampering of computer networks by transmitting address messages indicating that unused network addresses are in use. The system and method handle requests for network resources, such as Address Resolution Protocol (ARP) messages, and provide fabricated information to a potential attacker to disrupt an attack on an information system.
Description
- The present application is a divisional application of U.S. patent application Ser. No. 16/212,270, filed Dec. 6, 2018 which claims priority to U.S. Provisional Patent Application Ser. No. 62/595,836, filed Dec. 7, 2017, which is incorporated herein by reference in its entirety.
- The present invention relates generally to information processing systems and methods, and more particularly to the preventing or discouraging of tampering with computer networks by unauthorized persons or computer programs. These unwanted intrusions into or tampering with computer networks are also referred to as, for example, hacking, cracking, breaking into, penetrating, breaching, exploiting, and compromising.
- Detecting and preventing the tampering with computer networks used by information processing systems can be extremely difficult. The complexity of modern information processing systems is such that there almost always exist any number of software flaws or unexpected combinations of input that would allow a malicious person or specially designed computer program to gain unauthorized access to an information processing system. Although various security mechanisms, such as password authentication or encryption, can be placed in front of an information processing system, it is almost always the case that either there exist methods to circumvent the security mechanisms or the security mechanisms themselves have exploitable flaws.
- In order to combat this problem, it is necessary to be able to detect tampering and unwanted access to computer networks. Three methods already in use to detect tampering are pattern recognition, signal detection, and virtual execution, though none of the three produces satisfactory results in the face of determined attackers. Pattern recognition is based on checking for the validity of the input data using finite state automata. Signal detection is based on checking for the validity of input data using statistical methods. Virtual execution is processing the input data in a facsimile environment and watching for unexpected outputs.
- Pattern recognition, or pattern matching, is the detection of valid input by using a finite state automaton. Input data are compared to previously defined patterns. Matches between input data and patterns result in some action being taken, such as discarding the input data or sending an alert to a monitoring service. Pattern recognition is deficient as an anti-tampering method because it requires comparisons to be made to a necessarily finite set of predefined patterns. However, there are a practically infinite number of arrangements of malicious data that can evade a given finite number of patterns.
- Signal detection is the detection of valid input by means of statistical methods. A person or program selects a set of statistical features to analyze in potential input data. Those selected features are then measured as input data arrives and features that exceed certain variances are marked as indicative of unacceptable input data. For example, a very weak radio signal (i.e., one of low amplitude) may be seen as an unacceptable signal, while a very strong radio signal (i.e., one of high amplitude) may be seen as an acceptable signal. Signal detection is deficient as an anti-tampering method because classifiers operate according to receiver operating characteristic (ROC) curves, which always require an engineering tradeoff between false positives (i.e., false alarms) and false negatives (i.e., unacceptable or unwanted data).
- Virtual execution, sometimes called sandboxing, is the processing of input in a safe, facsimile environment and watching for unexpected outputs. Malicious computer programs are sometimes encrypted or delivered by seemingly non-malicious loader programs. These methods of delivery can be used to evade pattern matching systems. In a virtual execution process, any potentially malicious computer program is isolated in an ephemeral virtual execution environment. The program is then run and the environment is monitored for exceptional conditions such as the deletion of files or privilege escalation. These exceptional conditions can be indicative of the presence of an undesirable computer program, which may then be subsequently rejected. Virtual execution is deficient as an anti-tampering method because malicious data and programs can be camouflaged to evade detection as being executable, or can be engineered to manipulate the virtual execution environment in ways that prevent the production of exceptional conditions, for example, by detecting that they are being executed in a virtual environment and altering their behavior.
- One problem with all three of the common tamper-detection methods—pattern recognition, signal detection, and virtual execution—is that they are relatively static and non-adaptive. That is, a malicious person or computer program is free to try many combinations of malformed input, mapping out which input data will or will not pass through the security mechanism.
- For the foregoing reasons, there exists a need for an adaptive or otherwise non-static system that prevents or discourages the tampering with information processing systems.
- The present invention is directed to a system and method to detect or prevent tampering of computer networks. In particular, the invention is directed to a system and method that alters a computer network in such a way that it becomes very difficult for an attacker to use the computer network as a means for one information processing system to attack other information processing systems. For example, the systems or methods may handle requests for network resources, such as Address Resolution Protocol (ARP) messages, and may provide fabricated information to a potential attacker to disrupt an attack on an information system.
-
FIG. 1 is a diagram illustrating lateral movement by an unauthorized user from one information processing system to another. -
FIG. 2 is a diagram illustrating how ARP messages are used. -
FIG. 3 is a diagram illustrating attachment of a network anti-tampering system to a network. -
FIG. 4 is a diagram illustrating how a network anti-tampering system may respond to ARP messages from a potential adversary. - The present invention is directed to systems and methods to detect or prevent tampering or unauthorized access of information processing systems. Information processing systems, such as personal computers or servers, can be compromised, or controlled, by unauthorized persons or programs. Once one information processing system has been compromised, it is very common for the unauthorized user or program to attempt to spread its control to other information processing systems on the same network as the compromised information processing system. Since information processing systems are most commonly connected via computer networks, the unauthorized person or program will read and write data from and to a computer network in an attempt to break into another information processing system. This modality of attack is commonly known as lateral movement.
-
FIG. 1 demonstrates lateral movement by an adversary from one information processing system to another. Anetwork 100, for example, a wireless or wired local or wide area network, may comprise two or more information processing systems, such assystems Information processing systems links switch 310. The links may, for example, comprise a wired network connection using CAT5, CAT6, fiber optic cable, other types of network cable, or a wireless connection using Wi-Fi, Bluetooth, 3G, 4G, or LTE, or other types of wireless communications. The links may also include various permutations of wired and wireless network connections and may pass through one or more intermediate information processing systems. The switch may be a network switch designed to filter and forward packets between segments of a local area network. Optionally,systems - For illustrative purposes and without limitation, the
network 100 may use the IPV4 protocol at OSI layer 3 and the Address Resolution protocol at OSI layer 2. Other protocols, such IPV6 or PPP, may be substituted by the systems and methods described herein in similar fashion to the examples described below. In order for data to be sent through a local Ethernet network to an information processing system with an assigned IP address, the sending information processing system must first determine the local MAC address associated with the destination IP address. -
FIG. 2 demonstrates an example Address Resolution Protocol (ARP) request in a system using IPv4 and ARP. The sending system 110 learns the IP-to-MAC pairing by sending an ARP request message 410 across the network and listening for a reply. The ARP request message 410 includes the destination IP address that the sending system 110 wishes to reach, but the destination MAC address is unset, uninitialized, or otherwise undefined, so the request is carried in a frame sent to the Ethernet broadcast address. ARP request message 410 passes through link 210 to switch 310. Switch 310 then forwards the broadcast ARP request to its other ports, including link 220 to destination system 120. If the destination system 120 receives the ARP request message, it may respond with an ARP reply message 420. ARP reply message 420 includes both destination system 120's IP address and system 120's MAC address. The ARP reply message 420 returns to sending system 110 through link 220, switch 310, and link 210. This method of discovering the link-layer address of a target system is the usual way information processing systems initiate communication across Ethernet networks.
- When an unauthorized person or program tries to extend its control of one information processing system 110 to other information processing systems 120 connected via an Ethernet network, the person or program will necessarily use messages like the ARP messages described in FIG. 2 to discover what other information processing systems exist. For example, in an IPv4/ARP network, unicast Ethernet frames can only be transmitted to a system whose MAC address is known to the sending system. If an unauthorized person or program does not reliably receive accurate information from ARP reply messages, then it will not be able to transmit data through the Ethernet network efficiently or effectively.
- The proposed system and method listen for address request messages, for example ARP request messages, transmitted across a network.
FIG. 3 represents such an example network 100. Network 100 may be a wireless or wired local or wide area network having two or more information processing systems, such as systems 110 and 120. Information processing systems 110 and 120 are connected via links 210 and 220 to switch 310. The links may comprise a wired network connection using CAT5, CAT6, fiber optic, or other types of network cable, or a wireless connection using Wi-Fi, Bluetooth, 3G, 4G, LTE, or other types of wireless communications. The links may also include various permutations of wired and wireless network connections and may pass through one or more intermediate information processing systems. The switch may be a network switch designed to filter and forward packets between segments of a local area network. Optionally, systems 110 and 120 may also be connected by means other than switch 310, such as a router, VPN, or other type of physical or virtual network connection. Anti-tampering system 510 is also connected to the network, via a link 230 to switch 310.
- The system and method may be configured to allow anti-tampering system 510 to respond to address messages, such as ARP request messages, transmitted on network 100. If an ARP request is for an IP address that is not in use by any information processing system present on network 100, the anti-tampering system 510 may be configured to respond to it. Anti-tampering system 510 may also be configured to monitor network traffic that passes through a specific piece of network equipment, such as switch 310, and respond to all messages for IP addresses not identified as valid for the network or for any subset of the network. The anti-tampering system may also respond to requests for specific addresses where it determines that the system 110 sending the address message is not authorized to access the information processing system at that address. If the anti-tampering system 510 responds to a message, for example an ARP request message, it transmits a reply, for example an ARP reply message, that includes the IP address from the ARP request message together with a fabricated MAC address, that is, a MAC address that does not belong to any system using that IP address on the local Ethernet network.
FIG. 4 demonstrates an example ARP request intercepted by anti-tampering system 510 in a system using IPv4 and ARP. The sending system 110 sends an ARP request message 430 across the network. The ARP request message 430 includes a destination IP address that the sending system 110 wishes to reach, but that IP address corresponds either to a system not present on the network or to a system that the sending system 110 is not authorized to access, and the destination MAC address is unset, uninitialized, or otherwise undefined. ARP request message 430 passes through link 210 to switch 310. Switch 310 forwards the broadcast ARP request to its other ports, including link 230 to anti-tampering system 510. Anti-tampering system 510 may then respond to request 430 with a reply, for example ARP reply message 440. ARP reply message 440 includes the requested IP address together with a MAC address that does not belong to any information processing system using that IP address. The MAC address may instead be that of anti-tampering system 510 itself, that of a system configured to receive potentially unauthorized traffic, or a MAC address that does not correspond to any physical system on the network. The ARP reply message 440 returns to sending system 110 through link 230, switch 310, and link 210. The end result is that an unauthorized person or program attempting to identify resources on the network, for example by iterating address requests through all possible addresses or a subset of them, receives ARP reply messages indicating that unused addresses are in use. This disrupts the attacker's reconnaissance and greatly increases the probability of detecting unauthorized persons or programs attempting to break into other information processing systems over the attached Ethernet network.
For example, if the system detects a series of requests for non-existent MAC or IP addresses, it can determine that the requests are coming from an information processing system on the network that has been compromised. Similarly, if the system detects a predetermined number of unauthorized requests, or a predetermined number of requests for MAC or IP addresses that are not present on the network, the system can flag the activity together with the IP or MAC address of the requesting information processing system. The system may then take steps to remove the flagged information processing system from the network, disable its ability to communicate with selected other information processing systems on the network, or send a communication including the IP or MAC address of the flagged system to network administrators or third parties.
- The system and method do not require prior knowledge of the network addresses in use or of the topology of the network, and do not require the network or the information processing systems being protected to be reconfigured in any way. The system and method provide both network security and insight into network behavior.
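The request/reply exchange of FIG. 2, the decoy reply of FIG. 4 and the threshold-based flagging described just above, as one added example in Python. It is not code from the patent or from the applicant; it builds and decodes raw Ethernet/ARP frames with the standard library only and plays the role of anti-tampering system 510 on a single segment. The initial set of in-use addresses, the decoy MAC, the threshold of four lookups and the scanning host are all constructed for the example; attaching the responder to a real interface (a raw socket or a pcap library) is left out.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP message.
    Requests go to the broadcast MAC; replies go straight to the requester."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Decode an IPv4 ARP frame into a dict, or return None for anything else."""
    if len(frame) < 42:
        return None
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}


class AntiTamperingResponder:
    """Stands in for anti-tampering system 510 on one Ethernet segment."""

    def __init__(self, in_use, decoy_mac, threshold=5):
        self.in_use = set(in_use)      # IPs believed live; grows as replies are seen
        self.decoy_mac = decoy_mac     # fabricated MAC handed out for unused IPs
        self.threshold = threshold     # unused-address lookups before a source is flagged
        self.unused_hits = Counter()   # requester MAC -> lookups of unused IPs
        self.flagged = set()           # requester MACs that crossed the threshold

    def handle(self, frame):
        """Consume one frame; return the reply frame to transmit, or None."""
        msg = parse_arp(frame)
        if msg is None:
            return None
        if msg["op"] == ARP_REPLY:
            # A reply seen on the wire shows that spa is live: stop decoying it.
            # (The responder's own decoy replies must not be fed back in here.)
            self.in_use.add(msg["spa"])
            return None
        if msg["op"] != ARP_REQUEST:
            return None
        if msg["spa"] == "0.0.0.0" or msg["spa"] == msg["tpa"]:
            # ARP probe (duplicate-address detection) or gratuitous ARP: the sender
            # is claiming tpa. Answering these would make every host that
            # autoconfigures an address believe it is already taken.
            self.in_use.add(msg["tpa"])
            return None
        if msg["tpa"] in self.in_use:
            return None                # the real owner answers; stay silent
        self.unused_hits[msg["sha"]] += 1
        if self.unused_hits[msg["sha"]] >= self.threshold:
            self.flagged.add(msg["sha"])
        # "tpa is-at decoy_mac", addressed to the requester (FIG. 4, message 440).
        return build_arp(ARP_REPLY, self.decoy_mac, msg["tpa"], msg["sha"], msg["spa"])


def run_scan_demo():
    """Constructed scenario: compromised 10.0.0.20 walks 10.0.0.1-8 while only
    .1 and .5 are live. Returns (decoded decoy replies, flagged requester MACs)."""
    attacker = bytes.fromhex("020000000a14")          # constructed locally administered MAC
    decoy = bytes.fromhex("02deadbeef01")             # constructed decoy MAC
    responder = AntiTamperingResponder({"10.0.0.1", "10.0.0.5"}, decoy, threshold=4)
    replies = []
    for host in range(1, 9):
        request = build_arp(ARP_REQUEST, attacker, "10.0.0.20", ZERO_MAC, f"10.0.0.{host}")
        reply = responder.handle(request)
        if reply is not None:
            replies.append(parse_arp(reply))
    return replies, responder.flagged


if __name__ == "__main__":
    decoded, flagged = run_scan_demo()
    for r in decoded:
        print(f"{r['spa']} is-at {r['sha'].hex(':')}")
    print("flagged:", [m.hex(':') for m in flagged])
```

Two design points a deployment has to settle. First, which MAC to fabricate: using the responder's own MAC (one of the options the description lists) means the scanner's follow-up SYNs to the decoyed addresses land on the responder, where they can be logged or absorbed, whereas a MAC that exists nowhere makes the switch flood those unicast frames to every port until it gives up learning it. Second, where the in-use set comes from: the description says no prior knowledge is needed, and the code above learns from replies it sees, but unsolicited replies are trivially forged, so an adversary who first announces every address can blind the responder; seeding the set from DHCP leases or the switch's forwarding table is more robust. The "not authorized" case, where the responder answers for an address that is in use, is not shown because its reply would race the genuine one.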
- The network anti-tampering systems and methods thus may prevent criminals from tampering with computer systems. A criminal or other unauthorized person or program must understand the topology of the local network in order to launch an efficient and effective attack on other information processing systems attached to the same network. The systems and methods interfere with the criminal's attempts to understand the network topology, limiting the criminal's ability to access information on information processing systems present in the network.
- The system and method may also detect misconfigured information processing systems. Sometimes an information processing system will be configured to contact network addresses not in use on the network. The invention makes it obvious when an information processing system is attempting to send messages to local network addresses that are not in use, and can flag the particular information processing system as making such requests. The system may send communications to a network administrator or third party identifying the flagged information processing system, or may automatically take steps to remove the information processing system from the network or reconfigure it.
- The system and method further provide visibility into which systems are communicating with each other on a particular network. This is possible because the systems and methods may listen to all address messages, for example ARP request messages, at a specific network location (e.g., switch 310), and thus have a record of which information processing systems on the network initiate communication with which others (a system sends an ARP request whenever it needs a MAC address it has not cached). The system and method may use this record of communications between information processing systems to generate patterns of normal communication within the network. If the system then detects aberrations or changes in the normal communication patterns, it can provide an alert to a network administrator or third party, or automatically take action with respect to the information processing systems determined to be communicating outside of the normal pattern.
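The baseline-and-aberration idea in the paragraph above, as an added Python example that is not the patent's code. It consumes already-decoded ARP requests as (seconds, requester IP, target IP) records, constructed here, learns which requester resolves which targets during a clean learning period, and then reports two kinds of departure: a requester/target pair never seen during learning, and a requester that resolves many more distinct targets inside one time bucket than it did while learning. The 60-second bucket and the factor of three are assumptions, not values from the page.

```python
from collections import defaultdict


def learn_baseline(records):
    """Baseline = for each requester, the set of targets it resolved while learning."""
    baseline = defaultdict(set)
    for _, src, dst in records:
        baseline[src].add(dst)
    return dict(baseline)


def detect_aberrations(baseline, records, window=60, fanout_factor=3):
    """Flag (a) requester/target pairs absent from the baseline and (b) any
    requester that resolves more distinct targets inside one `window`-second
    bucket than `fanout_factor` times the number it resolved during learning.
    Each pair and each (requester, bucket) is reported at most once."""
    alerts = []
    reported_pairs = set()
    reported_fanout = set()
    targets_in_bucket = defaultdict(set)
    for t, src, dst in records:
        known = baseline.get(src, set())
        if dst not in known and (src, dst) not in reported_pairs:
            reported_pairs.add((src, dst))
            alerts.append(("new_pair", src, dst))
        bucket = (src, t // window)
        targets_in_bucket[bucket].add(dst)
        # A requester never seen during learning gets the smallest allowance.
        limit = fanout_factor * max(1, len(known))
        if len(targets_in_bucket[bucket]) > limit and bucket not in reported_fanout:
            reported_fanout.add(bucket)
            alerts.append(("fan_out", src, len(targets_in_bucket[bucket])))
    return alerts


def run_pattern_demo():
    """Constructed records (seconds, requester, target) for two workstations,
    a gateway at .1 and a file server at .50; then .12 starts sweeping."""
    learning = [
        (1, "10.0.0.11", "10.0.0.1"), (2, "10.0.0.11", "10.0.0.50"),
        (3, "10.0.0.12", "10.0.0.1"), (4, "10.0.0.12", "10.0.0.50"),
        (5, "10.0.0.50", "10.0.0.1"),
    ]
    live = [
        (70, "10.0.0.11", "10.0.0.50"),   # normal: already in the baseline
        (71, "10.0.0.11", "10.0.0.51"),   # one new server: new_pair only
    ] + [(100 + i, "10.0.0.12", f"10.0.0.{i}") for i in range(2, 10)]  # sweep
    return detect_aberrations(learn_baseline(learning), live)


if __name__ == "__main__":
    for alert in run_pattern_demo():
        print(alert)
```

Two limits follow from the data source. An ARP request only appears on a cache miss, so a host with a long ARP cache timeout that talks to the same peers all day produces almost no records and its baseline is thin; and the learning period must itself be clean, since a scanner present while the baseline is built becomes part of "normal".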
Claims (6)
1. A system to detect and prevent network tampering that receives ARP request messages and transmits ARP reply messages for any IP address not in use on the local Ethernet network, comprising: an information processing system, an Ethernet network interface connecting the information processing system to the Ethernet network, and a software program that receives and transmits ARP messages.
2. The system of claim 1, wherein the information processing system is a custom programmed FPGA.
3. The system of claim 1, wherein the information processing system is a custom programmed ASIC.
4. The system of claim 1, wherein the information processing system is a custom
5. The system of claim 1, wherein the information processing system is a virtual machine running under the control of a hypervisor.
6. The system of claim 1, wherein the information processing system is a virtual machine running under the control of a hypervisor and the software program is a network device driver.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/707,794 US20220231987A1 (en) | 2017-12-07 | 2022-03-29 | Network anti-tampering system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762595836P | 2017-12-07 | 2017-12-07 | |
US16/212,270 US11310190B2 (en) | 2017-12-07 | 2018-12-06 | Network anti-tampering system |
US17/707,794 US20220231987A1 (en) | 2017-12-07 | 2022-03-29 | Network anti-tampering system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/212,270 Division US11310190B2 (en) | 2017-12-07 | 2018-12-06 | Network anti-tampering system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220231987A1 true US20220231987A1 (en) | 2022-07-21 |
Family
ID=66750385
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/212,270 Active US11310190B2 (en) | 2017-12-07 | 2018-12-06 | Network anti-tampering system |
US17/707,794 Pending US20220231987A1 (en) | 2017-12-07 | 2022-03-29 | Network anti-tampering system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/212,270 Active US11310190B2 (en) | 2017-12-07 | 2018-12-06 | Network anti-tampering system |
Country Status (2)
Country | Link |
---|---|
US (2) | US11310190B2 (en) |
WO (1) | WO2019113324A1 (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11159420B2 (en) * | 2019-04-17 | 2021-10-26 | Cloudflare, Inc. | Method and apparatus of automatic route optimization in a private virtual network for client devices of a local network |
US11374964B1 (en) | 2021-06-24 | 2022-06-28 | Airgap Networks Inc. | Preventing lateral propagation of ransomware using a security appliance that dynamically inserts a DHCP server/relay and a default gateway with point-to-point links between endpoints |
US11695799B1 (en) | 2021-06-24 | 2023-07-04 | Airgap Networks Inc. | System and method for secure user access and agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11916957B1 (en) | 2021-06-24 | 2024-02-27 | Airgap Networks Inc. | System and method for utilizing DHCP relay to police DHCP address assignment in ransomware protected network |
US11722519B1 (en) | 2021-06-24 | 2023-08-08 | Airgap Networks Inc. | System and method for dynamically avoiding double encryption of already encrypted traffic over point-to-point virtual private networks for lateral movement protection from ransomware |
US11252183B1 (en) | 2021-06-24 | 2022-02-15 | Airgap Networks Inc. | System and method for ransomware lateral movement protection in on-prem and cloud data center environments |
US11711396B1 (en) | 2021-06-24 | 2023-07-25 | Airgap Networks Inc. | Extended enterprise browser blocking spread of ransomware from alternate browsers in a system providing agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11303673B1 (en) | 2021-06-24 | 2022-04-12 | Airgap Networks Inc. | System and method for preventing lateral propagation of ransomware using a security appliance that functions as a DHCP relay on a shared network |
US11736520B1 (en) | 2021-06-24 | 2023-08-22 | Airgap Networks Inc. | Rapid incidence agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11757933B1 (en) | 2021-06-24 | 2023-09-12 | Airgap Networks Inc. | System and method for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11323474B1 (en) * | 2021-07-28 | 2022-05-03 | Airgap Networks, Inc. | System and method for determining endpoint compatibility with subnet prefix of all-ones for lateral propagation prevention of ransomware |
US11757934B1 (en) | 2021-06-24 | 2023-09-12 | Airgap Networks Inc. | Extended browser monitoring inbound connection requests for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11303669B1 (en) | 2021-06-24 | 2022-04-12 | Airgap Networks Inc. | System and method for tunneling endpoint traffic to the cloud for ransomware lateral movement protection |
US11979431B1 (en) * | 2023-07-24 | 2024-05-07 | Airgap Networks Inc. | System and method for prevention of lateral propagation of ransomware using ARP control on network switches to create point-to-point links between endpoints |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040103314A1 (en) * | 2002-11-27 | 2004-05-27 | Liston Thomas F. | System and method for network intrusion prevention |
JP2005210451A (en) * | 2004-01-23 | 2005-08-04 | Fuji Electric Holdings Co Ltd | Unauthorized access preventing apparatus and program |
US20170026387A1 (en) * | 2015-07-21 | 2017-01-26 | Attivo Networks Inc. | Monitoring access of network darkspace |
JP2019041176A (en) * | 2017-08-23 | 2019-03-14 | 株式会社ソフトクリエイト | Unauthorized connection blocking device and unauthorized connection blocking method |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6195688B1 (en) * | 1998-05-07 | 2001-02-27 | International Business Machines Corporation | Computer system, program product and method of communicating internetworking data over a master-slave communication link |
US7523485B1 (en) * | 2003-05-21 | 2009-04-21 | Foundry Networks, Inc. | System and method for source IP anti-spoofing security |
US9058573B2 (en) | 2011-11-21 | 2015-06-16 | Facebook, Inc. | Network traffic-analysis-based suggestion generation |
US9794219B2 (en) * | 2012-06-15 | 2017-10-17 | Citrix Systems, Inc. | Systems and methods for ARP resolution over an asynchronous cluster network |
2018
- 2018-12-06 US US16/212,270 patent/US11310190B2/en active Active
- 2018-12-06 WO PCT/US2018/064262 patent/WO2019113324A1/en active Application Filing
2022
- 2022-03-29 US US17/707,794 patent/US20220231987A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
US11310190B2 (en) | 2022-04-19 |
US20190312836A1 (en) | 2019-10-10 |
WO2019113324A1 (en) | 2019-06-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220231987A1 (en) | Network anti-tampering system | |
US11102233B2 (en) | Detection of vulnerable devices in wireless networks | |
KR100952350B1 (en) | Intelligent network interface controller | |
US7506360B1 (en) | Tracking communication for determining device states | |
Litoussi et al. | IoT security: challenges and countermeasures | |
US7596808B1 (en) | Zero hop algorithm for network threat identification and mitigation | |
Kumari et al. | Cross-layer based intrusion detection and prevention for network | |
Bdair et al. | Brief of intrusion detection systems in detecting ICMPv6 attacks | |
Lobanchykova et al. | Analysis and protection of IoT systems: Edge computing and decentralized decision-making | |
Abbas et al. | Subject review: Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) | |
Lobanchykova et al. | Analysis of attacks on components of IoT systems and cybersecurity technologies. | |
Alsadhan et al. | Detecting NDP distributed denial of service attacks using machine learning algorithm based on flow-based representation | |
Pareek et al. | Different type network security threats and solutions, a review | |
KR101343693B1 (en) | Network security system and method for process thereof | |
US20160149933A1 (en) | Collaborative network security | |
KR20170109949A (en) | Method and apparatus for enhancing network security in dynamic network environment | |
CN113411296B (en) | Situation awareness virtual link defense method, device and system | |
KR101663935B1 (en) | System and method for protecting against phishing and pharming | |
WO2020176066A1 (en) | Multi-dimensional visualization of cyber threats serving as a base for operator guidance | |
Hnamte et al. | Enhancing security in Software-Defined Networks: An approach to efficient ARP spoofing attacks detection and mitigation | |
Yadav et al. | A security model for intrusion detection and prevention over wireless network | |
Mishra et al. | Intrusion detection systems for high performance computing environment | |
Nasser et al. | An Effective Approach to Detect and Prevent ARP Spoofing Attacks on WLAN. | |
Kamal et al. | Analysis of network communication attacks | |
US20240098118A1 (en) | Systems and Methods for Decentralized Security Against Defined and Undefined Threats |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: RIDGEBACK NETWORK DEFENSE, INC., MARYLAND. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: PHILLIPS, THOMAS SHEPPARD; REEL/FRAME: 059509/0432. Effective date: 20191104 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |