US20220231987A1 - Network anti-tampering system - Google Patents

Network anti-tampering system

Info

Publication number
US20220231987A1
Authority
US
United States
Prior art keywords
network
information processing
processing system
address
tampering
Legal status
Pending
Application number
US17/707,794
Inventor
Thomas Sheppard PHILLIPS
Current Assignee
Ridgeback Network Defense Inc
Original Assignee
Ridgeback Network Defense Inc
Application filed by Ridgeback Network Defense Inc
Priority to US17/707,794
Assigned to Ridgeback Network Defense, Inc. Assignors: PHILLIPS, Thomas Sheppard
Publication of US20220231987A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H04L61/6022
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • The system and method may be configured to allow anti-tampering system 510 to respond to address messages, such as ARP request messages, transmitted on network 100. If an ARP message is for an IP address that is not in use by any information processing system present on network 100, the anti-tampering system 510 may be configured to respond to such messages. Anti-tampering system 510 may also be configured to monitor network traffic that passes through a specific piece of network equipment, such as switch 310, and respond to all messages for IP addresses not identified as valid for the network or any subset of the network. The anti-tampering system may also respond to requests corresponding to specific addresses where it determines that a system 110 sending an address message is not authorized to access the information system corresponding to a specific address.
  • When the anti-tampering system 510 responds to a message, for example an ARP request message, it transmits a reply, for example an ARP reply message, that includes the IP address from the ARP request message and a fabricated MAC address that is not in use on the local Ethernet network.
  • FIG. 4 demonstrates an example Address Resolution Protocol request intercepted by anti-tampering system 510 in a system using the IPV4 and Address Resolution protocols.
  • The sending system 110 sends an ARP request message 430 across the network.
  • The ARP request message 430 may include a destination IP address that the sending system 110 wishes to access, but that destination IP address may correspond to a system not present on the network or a system that the sending system 110 is not authorized to access; the destination MAC address will be unset, uninitialized, or otherwise undefined.
  • ARP request message 430 passes through link 210 to switch 310.
  • Switch 310 then routes the ARP message to anti-tampering system 510 through link 230.
  • Anti-tampering system 510 may then respond to request 430 with a reply, for example ARP reply message 440.
  • In ARP reply message 440, the requested IP address is included, together with a MAC address that does not correspond to any information system using the requested IP address.
  • The MAC address may instead correspond to anti-tampering system 510, correspond to a system configured to receive potentially unauthorized requests, or be a MAC address that does not correspond to any physical system on the network.
  • The ARP reply message 440 returns to sending system 110 through link 230, switch 310, and link 210.
  • The end result is that an unauthorized person or program attempting to identify resources on a network by, for example, iterating address requests through all possible addresses or a subset of possible addresses, will receive ARP reply messages indicating that unused addresses are in use on the network.
  • The system can flag the activity and the IP or MAC address of the requesting information processing system. The system may then take steps to remove the flagged information processing system from the network, disable its ability to communicate with selected other information processing systems on the network, or send a communication including the IP or MAC address of the flagged information processing system to network administrators or third parties.
  • The system and method do not require prior knowledge of the network addresses in use or the topology of the network, and do not require the network or the information processing systems being protected to be reconfigured in any way.
  • The system and method thus provide both network security and insight into network behavior.
  • The network anti-tampering systems and methods may therefore prevent criminals from tampering with computer systems.
  • A criminal or other unauthorized person or program will necessarily need to understand the topology of the local network in order to launch an efficient and effective attack on other information processing systems attached to the same network.
  • The systems and methods interfere with the criminal's attempts to understand the network topology, limiting the criminal's ability to access information on information processing systems present in the network.
  • The system and method may also detect misconfigured information processing systems. Sometimes an information processing system will be configured to contact network addresses not in use on the network.
  • The invention makes it obvious when an information processing system is attempting to send messages to local network addresses that are not in use, and can flag the particular information processing system as making such requests.
  • The system may send communications to a network administrator or third party identifying the flagged information processing system, or may automatically take steps to remove the information processing system from the network or reconfigure it.
  • The system and method further provide visibility into which systems are communicating with each other on a particular network. This is possible because the systems and methods may listen to all address messages, for example ARP request messages, at a specific network location (e.g., switch 310), and thus have a record of all communications between information processing systems on the network. The system and method may use this record of communications between information processing systems to generate patterns of normal communication within the network. If the system then detects aberrations or changes in the normal communication patterns, it can provide an alert to a network administrator or third party, or automatically take action with respect to the information processing units determined to be communicating outside of the normal pattern.
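The response and flagging behaviour described for FIG. 4 above, together with the record of which systems communicate with which, as an added Python example. This is not the patent's or Ridgeback's code: it models anti-tampering system 510 as a class that consumes already-parsed ARP messages (the `Arp` dataclass, `AntiTamperingSystem`, `observe`, `freeze_baseline` and `simulate` are all names chosen for this example), learns which addresses are in use purely from the traffic it sees, answers requests for unused addresses with a fabricated locally-administered MAC, flags a requester once it has probed `scan_threshold` unused addresses, and reports address pairs that fall outside the communication pattern recorded during a listen-only phase. The listen-only phase, the threshold value and the 192.0.2.0/24 sample hosts are assumptions of the example.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

OP_REQUEST, OP_REPLY = 1, 2          # ARP opcodes (RFC 826)
UNSET_MAC = "00:00:00:00:00:00"      # a request carries no target MAC


@dataclass(frozen=True)
class Arp:
    """An already-parsed ARP message; only the fields the responder needs."""
    oper: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    target_mac: str = UNSET_MAC


class AntiTamperingSystem:
    """Hypothetical model of anti-tampering system 510 (example code, not the patent's).
    It sees every ARP message at the switch, learns in-use addresses from the traffic
    itself, answers requests for unused addresses with a fabricated MAC, flags
    requesters that probe many unused addresses, and records who talks to whom."""

    def __init__(self, scan_threshold=5, seed=0):
        self.in_use = {}                 # ip -> mac, learned passively
        self.decoys = {}                 # unused ip -> fabricated mac (stable per ip)
        self.probes = defaultdict(set)   # requester mac -> unused ips it asked about
        self.flagged = set()             # requester macs at or over the threshold
        self.pairs = Counter()           # (sender ip, target ip) -> request count
        self.baseline = None             # pairs considered normal once frozen
        self.anomalies = []              # pairs first seen after the baseline was frozen
        self.learning = True             # listen only until freeze_baseline() (assumption)
        self.threshold = scan_threshold
        self.rng = random.Random(seed)

    def _decoy_mac(self, ip):
        """Locally-administered MAC (02:...) that no observed host uses."""
        while ip not in self.decoys:
            tail = self.rng.randrange(1 << 24)
            mac = "02:00:5e:" + ":".join(f"{(tail >> s) & 0xFF:02x}" for s in (16, 8, 0))
            if mac not in self.in_use.values():
                self.decoys[ip] = mac
        return self.decoys[ip]

    def freeze_baseline(self):
        """End the listen-only phase; the pairs seen so far define normal traffic."""
        self.baseline = frozenset(self.pairs)
        self.learning = False

    def observe(self, msg):
        """Feed one ARP message; returns the decoy reply to transmit, or None."""
        if msg.sender_ip != "0.0.0.0":              # 0.0.0.0 = address probe, not an owner
            self.in_use[msg.sender_ip] = msg.sender_mac
            self.decoys.pop(msg.sender_ip, None)      # a real host now owns this address
        if msg.oper != OP_REQUEST:
            return None
        pair = (msg.sender_ip, msg.target_ip)
        self.pairs[pair] += 1
        if self.baseline is not None and pair not in self.baseline and pair not in self.anomalies:
            self.anomalies.append(pair)
        if self.learning or msg.target_ip in self.in_use:
            return None                               # a real host will answer
        self.probes[msg.sender_mac].add(msg.target_ip)
        if len(self.probes[msg.sender_mac]) >= self.threshold:
            self.flagged.add(msg.sender_mac)          # candidate for removal / admin alert
        # FIG. 4 reply: the requested IP paired with a MAC no system on the network uses
        return Arp(OP_REPLY, self._decoy_mac(msg.target_ip), msg.target_ip,
                   msg.sender_ip, msg.sender_mac)


def simulate():
    """Constructed scenario (not from the patent): two legitimate hosts, then a
    compromised host sweeping the subnet, then a misconfigured host."""
    ats = AntiTamperingSystem(scan_threshold=5)
    a_mac, a_ip = "aa:00:00:00:00:10", "192.0.2.10"
    b_mac, b_ip = "aa:00:00:00:00:20", "192.0.2.20"
    c_mac, c_ip = "aa:00:00:00:00:30", "192.0.2.30"
    for m in (Arp(OP_REQUEST, a_mac, a_ip, b_ip), Arp(OP_REPLY, b_mac, b_ip, a_ip, a_mac),
              Arp(OP_REQUEST, b_mac, b_ip, a_ip), Arp(OP_REPLY, a_mac, a_ip, b_ip, b_mac)):
        ats.observe(m)                              # normal traffic, learning phase
    ats.freeze_baseline()
    decoys = 0
    for host in range(1, 255):                      # C iterates the whole /24
        if ats.observe(Arp(OP_REQUEST, c_mac, c_ip, f"192.0.2.{host}")) is not None:
            decoys += 1
    if ats.observe(Arp(OP_REQUEST, a_mac, a_ip, "192.0.2.99")) is not None:
        decoys += 1                                 # misconfigured host, one unused address
    return {"decoys_sent": decoys, "flagged": sorted(ats.flagged),
            "in_use": dict(ats.in_use), "anomalies": list(ats.anomalies)}


if __name__ == "__main__":
    print(simulate())
```

The listen-only phase is the simplest way to avoid answering on behalf of a real host the system has not yet seen; a deployment would more likely delay each decoy reply briefly and withdraw it if a genuine reply appears on the wire, and it would also have to ignore its own transmissions. In the scenario the sweeping host is flagged after five probes, while the misconfigured host that asks about a single unused address is only recorded as an anomaly, which is the distinction the text draws between an adversary and a misconfiguration.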

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system and method detect or prevent tampering with computer networks by transmitting address messages indicating that unused network addresses are in use. The system and method handle requests for network resources, such as Address Resolution Protocol (ARP) messages, and provide fabricated information to a potential attacker to disrupt an attack on an information system.

Description

  • CROSS REFERENCE TO RELATED APPLICATIONS
  • The present application is a divisional application of U.S. patent application Ser. No. 16/212,270, filed Dec. 6, 2018 which claims priority to U.S. Provisional Patent Application Ser. No. 62/595,836, filed Dec. 7, 2017, which is incorporated herein by reference in its entirety.
  • TECHNICAL FIELD
  • The present invention relates generally to information processing systems and methods, and more particularly to the preventing or discouraging of tampering with computer networks by unauthorized persons or computer programs. These unwanted intrusions into or tampering with computer networks are also referred to as, for example, hacking, cracking, breaking into, penetrating, breaching, exploiting, and compromising.
  • BACKGROUND OF THE INVENTION
  • Detecting and preventing the tampering with computer networks used by information processing systems can be extremely difficult. The complexity of modern information processing systems is such that there almost always exist any number of software flaws or unexpected combinations of input that would allow a malicious person or specially designed computer program to gain unauthorized access to an information processing system. Although various security mechanisms, such as password authentication or encryption, can be placed in front of an information processing system, it is almost always the case that either there exist methods to circumvent the security mechanisms or the security mechanisms themselves have exploitable flaws.
  • In order to combat this problem, it is necessary to be able to detect tampering and unwanted access to computer networks. Three methods already in use to detect tampering are pattern recognition, signal detection, and virtual execution, though none of the three produces satisfactory results in the face of determined attackers. Pattern recognition is based on checking for the validity of the input data using finite state automata. Signal detection is based on checking for the validity of input data using statistical methods. Virtual execution is processing the input data in a facsimile environment and watching for unexpected outputs.
  • Pattern recognition, or pattern matching, is the detection of valid input by using a finite state automaton. Input data are compared to previously defined patterns. Matches between input data and patterns result in some action being taken, such as discarding the input data or sending an alert to a monitoring service. Pattern recognition is deficient as an anti-tampering method because it requires comparisons to be made to a necessarily finite set of predefined patterns. However, there are a practically infinite number of arrangements of malicious data that can evade a given finite number of patterns.
  • Signal detection is the detection of valid input by means of statistical methods. A person or program selects a set of statistical features to analyze in potential input data. Those selected features are then measured as input data arrives and features that exceed certain variances are marked as indicative of unacceptable input data. For example, a very weak radio signal (i.e., one of low amplitude) may be seen as an unacceptable signal, while a very strong radio signal (i.e., one of high amplitude) may be seen as an acceptable signal. Signal detection is deficient as an anti-tampering method because classifiers operate according to receiver operating characteristic (ROC) curves, which always require an engineering tradeoff between false positives (i.e., false alarms) and false negatives (i.e., unacceptable or unwanted data).
  • Virtual execution, sometimes called sandboxing, is the processing of input in a safe, facsimile environment and watching for unexpected outputs. Malicious computer programs are sometimes encrypted or delivered by seemingly non-malicious loader programs. These methods of delivery can be used to evade pattern matching systems. In a virtual execution process, any potentially malicious computer program is isolated in an ephemeral virtual execution environment. The program is then run and the environment is monitored for exceptional conditions such as the deletion of files or privilege escalation. These exceptional conditions can be indicative of the presence of an undesirable computer program, which may then be subsequently rejected. Virtual execution is deficient as an anti-tampering method because malicious data and programs can be camouflaged to evade detection as being executable, or can be engineered to manipulate the virtual execution environment in ways that prevent the production of exceptional conditions, for example, by detecting that they are being executed in a virtual environment and altering their behavior.
  • One problem with all three of the common tamper-detection methods—pattern recognition, signal detection, and virtual execution—is that they are relatively static and non-adaptive. That is, a malicious person or computer program is free to try many combinations of malformed input, mapping out which input data will or will not pass through the security mechanism.
  • For the foregoing reasons, there exists a need for an adaptive or otherwise non-static system that prevents or discourages the tampering with information processing systems.
  • BRIEF SUMMARY OF THE INVENTION
  • The present invention is directed to a system and method to detect or prevent tampering of computer networks. In particular, the invention is directed to a system and method that alters a computer network in such a way that it becomes very difficult for an attacker to use the computer network as a means for one information processing system to attack other information processing systems. For example, the systems or methods may handle requests for network resources, such as Address Resolution Protocol (ARP) messages, and may provide fabricated information to a potential attacker to disrupt an attack on an information system.
  • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
  • FIG. 1 is a diagram illustrating lateral movement by an unauthorized user from one information processing system to another.
  • FIG. 2 is a diagram illustrating how ARP messages are used.
  • FIG. 3 is a diagram illustrating attachment of a network anti-tampering system to a network.
  • FIG. 4 is a diagram illustrating how a network anti-tampering system may respond to ARP messages from a potential adversary.
  • DETAILED DESCRIPTION OF THE INVENTION
  • The present invention is directed to systems and methods to detect or prevent tampering or unauthorized access of information processing systems. Information processing systems, such as personal computers or servers, can be compromised, or controlled, by unauthorized persons or programs. Once one information processing system has been compromised, it is very common for the unauthorized user or program to attempt to spread its control to other information processing systems on the same network as the compromised information processing system. Since information processing systems are most commonly connected via computer networks, the unauthorized person or program will read and write data from and to a computer network in an attempt to break into another information processing system. This modality of attack is commonly known as lateral movement.
  • FIG. 1 demonstrates lateral movement by an adversary from one information processing system to another. A network 100, for example, a wireless or wired local or wide area network, may comprise two or more information processing systems, such as systems 110 and 120. Information processing systems 110 and 120 may be, for example, desktops, laptops, tablets, cellular phones, internet-of-things devices, virtual machines, or any other system capable of processing information electronically. These systems are connected by links, such as links 210 and 220, to one or more switches, such as switch 310. The links may, for example, comprise a wired network connection using CAT5, CAT6, fiber optic cable, other types of network cable, or a wireless connection using Wi-Fi, Bluetooth, 3G, 4G, or LTE, or other types of wireless communications. The links may also include various permutations of wired and wireless network connections and may pass through one or more intermediate information processing systems. The switch may be a network switch designed to filter and forward packets between segments of a local area network. Optionally, systems 110 and 120 may be connected through means instead of or in addition to switch 310, such as a router, VPN, or other type of physical or virtual network connection.
  • For illustrative purposes and without limitation, the network 100 may use the IPV4 protocol at OSI layer 3 and the Address Resolution protocol at OSI layer 2. Other protocols, such IPV6 or PPP, may be substituted by the systems and methods described herein in similar fashion to the examples described below. In order for data to be sent through a local Ethernet network to an information processing system with an assigned IP address, the sending information processing system must first determine the local MAC address associated with the destination IP address.
  • FIG. 2 demonstrates an example Address Resolution Protocol request used in a system using the IPV4 and Address Resolution protocols. The sending system 110 learns the IP-MAC pairing by sending an ARP request message 410 across the network and listening for a reply. The ARP request message 410 will include the destination IP address that the sending system 110 wishes to access, but the destination MAC address will be unset, uninitialized, or otherwise undefined. ARP request message 410 passes through link 210 to switch 310. Switch 310 then routes the ARP message to destination system 120 through link 220. If the destination system 120 is able to receive the ARP request message, then it may respond with an ARP reply message 420. In ARP reply message 420, both the IP address and the MAC address of destination system 120 are included. The ARP reply message 420 returns to sending system 110 through link 220, switch 310, and link 210. This method of identifying the low-level address of a target system is a common method information processing systems use to initiate communication through Ethernet networks.
  • When an unauthorized person or program tries to spread its control of one information processing system 110 to other information processing systems 120 connected via an Ethernet network, the person or program will necessarily use messages like the ARP messages described in FIG. 2 to understand what other information processing systems exist. For example, in an IPV4/ARP network, Unicast Ethernet messages can only be transmitted to a system whose MAC address is known by the sending system. If an unauthorized person or program does not reliably receive accurate information from ARP reply messages, then the unauthorized person or program will not be able to efficiently or effectively transmit data through the Ethernet network.
  • The proposed system and method listens for address request messages, for example ARP request messages, transmitted across a network. FIG. 3 represents such an example network 100. Network 100 may be a wireless or wired local or wide area network having two or more information processing systems 110 and 120. Information processing systems 110 and 120 may be, for example, desktops, laptops, tablets, cellular phones, internet-of-things devices, virtual machines, or any other system capable of processing information electronically. These systems are connected by links, such as links 210 and 220, to one or more switches, such as switch 310. The links may comprise a wired network connection using CAT5, CAT6, fiber optic, or other types of network cable, or a wireless connection using Wi-Fi, Bluetooth, 3G, 4G, or LTE, or other types of wireless communications. The links may also include various permutations of wired and wireless network connections and may pass through one or more intermediate information processing systems. The switch may be a network switch designed to filter and forward packets between segments of a local area network. Optionally, systems 110 and 120 may be connected through means instead of or in addition to switch 310, such as a router, VPN, or other type of physical or virtual network connection. Anti-tampering system 510 is also connected to the network via a link 230 and is connected to switch 310.
  • The system and method may be configured to allow anti-tampering system 510 to respond to address messages, such as ARP request messages, transmitted on network 100. If an ARP message is for an IP address that is not in use by any information processing system present on network 100, the anti-tampering system 510 may be configured to respond to such messages. Anti-tampering system 510 may also be configured to monitor network traffic that passes through a specific piece of network equipment, such as switch 310, and respond to all messages for IP addresses not identified as valid for the network or any subset of the network. The anti-tampering system may also respond to requests corresponding to specific addresses where it determines that a system 110 sending an address message is not authorized to access the information system corresponding to a specific address. If the anti-tampering system 510 responds to a message, for example, an ARP request message, then the system will transmit a reply, for example an ARP reply message, that includes the IP address from the ARP request message and a fabricated MAC address that is not in use on the local Ethernet network.
  • FIG. 4 demonstrates an example Address Resolution Protocol request intercepted by anti-tampering system 510 in a system using the IPV4 and Address Resolution protocols. The sending system 110 sends an ARP request message 430 across the network. The ARP request message 430 may include a destination IP address that the sending system 110 wishes to access, but that destination IP address may correspond to a system not present on the network or a system that the sending system 110 is not authorized to access, and the destination MAC address will be unset, uninitialized, or otherwise undefined. ARP request message 430 passes through link 210 to switch 310. Switch 310 then routes the ARP message to anti-tampering system 510 through link 230. Anti-tampering system 510 may then respond to request 430 with a reply, for example ARP reply message 440. In ARP reply message 440, the requested IP address is included, together with a MAC address that does not correspond to an information system using the requested IP address. The MAC address may instead correspond to anti-tampering system 510, correspond to a system configured to receive potentially unauthorized requests, or be a MAC address that does not correspond to any physical system on the network. The ARP reply message 440 returns to sending system 110 through link 230, switch 310, and link 210. The end result is that the unauthorized person or program attempting to identify resources on a network by, for example, iterating address requests through all possible addresses or a subset of possible addresses, will receive ARP reply messages indicating that unused addresses are in use on the network. This disrupts hacking activities and greatly enhances the probability of detecting unauthorized persons or programs attempting to break into other information processing systems by using the attached Ethernet network.
For example, if the system detects a series of requests for non-existent MAC or IP addresses, it can determine that the requests are coming from an information processing system on the network that has been compromised. Similarly, if the system detects a predetermined number of unauthorized requests, or a predetermined number of requests for MAC or IP addresses that are not present on the network, the system can flag the activity and the IP or MAC address of the requesting information processing system. The system may then take steps to remove the flagged information processing system from the network, disable its ability to communicate with selected other information processing systems on the network, or send a communication including the IP or MAC address of the flagged information processing system to network administrators or third parties.
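An added example, not code from the patent or from Ridgeback: a minimal Python model of anti-tampering system 510 that learns which IPv4 addresses are in use from the ARP traffic it observes, answers requests for unused addresses with a reply carrying a fabricated MAC (message 440), and flags any requester that crosses a threshold of such requests. The frame layouts follow RFC 826 ARP over Ethernet; the MAC and IP values, the fabricated MAC, and the threshold are constructed for the example.

```python
import socket
import struct
from collections import defaultdict

# Wire formats for Ethernet + IPv4 ARP (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC, ZERO_IP = b"\x00" * 6, b"\x00" * 4


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return socket.inet_aton(text)


def arp_frame(op, dst_mac, sha, spa, tha, tpa):
    """Assemble an Ethernet frame carrying one IPv4 ARP message."""
    return ETH_HDR.pack(dst_mac, sha, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def arp_request(sender_mac, sender_ip, target_ip):
    """The broadcast request a host sends to resolve target_ip (message 410/430 in the figures)."""
    return arp_frame(ARP_REQUEST, BROADCAST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, spa, tha, tpa


class AntiTamperingSystem:
    """Models anti-tampering system 510 listening at switch 310 (hypothetical class name)."""

    def __init__(self, ips_in_use, fabricated_mac, threshold=3):
        self.ips_in_use = {ip(a) for a in ips_in_use}   # may start empty: learned from traffic
        self.fabricated_mac = fabricated_mac             # must not belong to any real host
        self.threshold = threshold                       # requests for unused IPs before flagging
        self.unused_requests = defaultdict(int)          # keyed by requester MAC
        self.flagged = set()                             # requester MACs to alert on / quarantine

    def observe(self, frame):
        """Feed one frame seen on the wire; returns the reply frame to transmit, or None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, _tha, tpa = parsed
        if spa != ZERO_IP and sha != self.fabricated_mac:
            self.ips_in_use.add(spa)   # any genuine sender proves its own IP is in use
        if op != ARP_REQUEST or tpa in self.ips_in_use:
            return None                # a real host will answer; nothing to fabricate
        self.unused_requests[sha] += 1
        if self.unused_requests[sha] >= self.threshold:
            self.flagged.add(sha)      # series of requests for unused addresses: flag the sender
        # Reply message 440: the requested IP paired with the fabricated MAC, unicast to the requester.
        return arp_frame(ARP_REPLY, sha, self.fabricated_mac, tpa, sha, spa)
```

In a deployment the flagged set would feed the alerting or quarantine actions described above; replies for the same unused address should also stay consistent over time so the fabricated entry looks like a stable host.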
  • The system and method do not require prior knowledge of the network addresses in use or the topology of the network, and do not require the network or the information processing systems being protected to be reconfigured in any way. The system and method provide both network security and insight into network behavior.
  • The network anti-tampering systems and methods thus may prevent criminals from tampering with computer systems. A criminal or other unauthorized person or program will necessarily need to understand the topology of the local network in order to launch an efficient and effective attack on other information processing systems attached to the same network. The systems and methods will interfere with the criminal's attempts to understand the network topology, limiting the criminal's ability to access information on information processing systems present in the network.
  • The system and method may also detect misconfigured information processing systems. Sometimes an information processing system will be configured to contact network addresses not in use on the network. The invention makes it obvious when an information processing system is attempting to send messages to local network addresses that are not in use, and can flag the particular information processing system as making such requests. The system may send communications to a network administrator or third party identifying the flagged information processing system, or may automatically take steps to remove the information processing system from the network or reconfigure it.
  • The system and method further provide visibility into which systems are communicating with each other on a particular network. This is possible because the systems and methods may listen to all address messages, for example ARP request messages, at a specific network location (e.g., switch 310), and thus have a record of all communications between information processing systems on the network. The system and method may use this record of communications between information processing systems to generate patterns of normal communication within the network. If the system then detects aberrations or changes in the normal communication patterns, it can provide an alert to a network administrator or third party, or automatically take action with respect to the information processing systems determined to be communicating outside of the normal pattern.

Claims (6)

1. A system to detect and prevent network tampering that receives ARP request messages and transmits ARP reply messages for any IP address not in use on the local Ethernet network, comprising: an information processing system, an Ethernet network interface connecting the information processing system to the Ethernet network, and a software program that receives and transmits ARP messages.
2. The system of claim 1, wherein the information processing system is a custom programmed FPGA.
3. The system of claim 1, wherein the information processing system is a custom programmed ASIC.
4. The system of claim 1, wherein the information processing system is a custom
5. The system of claim 1, wherein the information processing system is a virtual machine running under the control of a hypervisor.
6. The system of claim 1, wherein the information processing system is a virtual machine running under the control of a hypervisor and the software program is a network device driver.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/707,794 US20220231987A1 (en) 2017-12-07 2022-03-29 Network anti-tampering system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201762595836P 2017-12-07 2017-12-07
US16/212,270 US11310190B2 (en) 2017-12-07 2018-12-06 Network anti-tampering system
US17/707,794 US20220231987A1 (en) 2017-12-07 2022-03-29 Network anti-tampering system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US16/212,270 Division US11310190B2 (en) 2017-12-07 2018-12-06 Network anti-tampering system

Publications (1)

Publication Number Publication Date
US20220231987A1 true US20220231987A1 (en) 2022-07-21

Family

ID=66750385

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/212,270 Active US11310190B2 (en) 2017-12-07 2018-12-06 Network anti-tampering system
US17/707,794 Pending US20220231987A1 (en) 2017-12-07 2022-03-29 Network anti-tampering system


Country Status (2)

Country Link
US (2) US11310190B2 (en)
WO (1) WO2019113324A1 (en)

Also Published As

Publication number Publication date
US11310190B2 (en) 2022-04-19
US20190312836A1 (en) 2019-10-10
WO2019113324A1 (en) 2019-06-13


Legal Events

Date Code Title Description
AS Assignment

Owner name: RIDGEBACK NETWORK DEFENSE, INC., MARYLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PHILLIPS, THOMAS SHEPPARD;REEL/FRAME:059509/0432

Effective date: 20191104

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED