WO2006092785A2 - Method and apparatus for the dynamic defensive masquerading of computing resources - Google Patents

Info

Publication number: WO2006092785A2
Authority: WO (WIPO (PCT))
Application number: PCT/IL2006/000266
Other languages: French (fr)
Other versions: WO2006092785A3 (en)
Inventors: Asaf Greiner, Asaf Tor
Original assignee: Beefense Ltd
Prior art keywords: masquerading, scheme, computing resource, network, genuine

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Definitions

  • the present invention relates to computer security systems in general, and more particularly to an apparatus and method for the dynamic masquerading of computing resources in a protected segment of a networked computer environment.
  • An intrusion attack is an illegal attempt to access and misuse a computer system and could involve something as severe as stealing or destroying confidential data, corrupt valuable data and programs, "defacing" Internet sites, or exploiting a legitimate e-mail system for the distribution of unsolicited electronic mail (colloquially referred to as "spam"). Intrusion attempts could be made either from a remote location or from local machines.
  • an intrusion attempt typically includes preliminary environmental probing or intelligence gathering, in order to enable the attacker to learn as much as possible about the targeted computer, its defenses, characteristics, vulnerabilities, and the like.
  • while an intrusion without pre-attack reconnaissance for the gathering of suitable target-specific intelligence is feasible, the probability of a successful intrusion, and the associated risk to the targeted computer, are significantly lower than for an attack supported by sufficient intelligence.
  • a typical intrusion scenario could be conceptually divided into several phases.
  • the first phase involves preliminary environmental probing or non-intrusive information gathering, in which the attacker tries to gain as much information as possible about the targeted computer.
  • the attacker will want to be as undetectable as possible and will often make use of less direct methods. Some of these methods could include: performing a whois lookup, DNS zone transfers, normal browsing of websites garnering e-mail addresses and similar important information belonging to the target.
  • in the second phase, further information gathering is performed. In an attempt to collect more information, an attacker will likely perform, for example, ping sweeps and port scanning, and will check Web servers or other network platforms for vulnerable CGI scripts.
  • the intruder will also determine the versions of running applications and services on the host to be attacked, typically utilizing banner grabbing techniques. Subsequent to the information gathering phases, the main attacks are then launched. Having a list of possible security holes, the intruder will begin the attack, trying out different types of attacks on the computer. For example, a UNICODE attack could be launched if the attacker previously found that the target computer has Internet Information Server (IIS) installed. Apart from launching exploits for known vulnerable software, a typical attacker will also try to locate badly configured running services. For example, the attacker will try to guess passwords for known users on the system. After a successful intrusion, the attacker will typically install his own backdoors in the system and delete log files in order to conceal his tracks. The attacker may install "toolkits" such as rootkits that give him access, replace existing services with his own Trojan horses that have backdoor passwords, or create his own user accounts. From there, the attacker will usually launch further attacks against other hosts, especially those trusted by the compromised machine.
  • Such a novel security device should provide dynamic and adaptive means to adjust automatically to configuration changes in the protected network, such as hardware additions, upgraded or new software, and known vulnerabilities.
  • the device should provide unobstructed access to legitimate users and at the same time distract, seduce and decoy illegal intruders.
  • One aspect of the present invention regards a method for the automatic dynamic and adaptive masquerading of a set of computing resources operating within a segment of a network computer environment.
  • the method is performed from an execution location in the environment.
  • the method comprises computing dynamically a masquerading scheme representing one or more non-genuine views of the set of computing resources based on the genuine characteristics of the computing resources within the networked computer environment or on one or more masquerading scheme-specific computational parameters, and implementing the generated masquerading scheme in order to provide the non-genuine view of the set of computing resources operating in the networked computer environment to users of the computing resources within the networked computer environment in order to masquerade the genuine characteristics of the computing resources.
  • the non-genuine view is consistent.
  • the segment of the network comprises the whole network or the segment is protected.
  • the method includes a step of verifying the masquerading scheme.
  • the verifying step comprises dynamically detecting changes to the genuine characteristics of the computing resources, or to one or more masquerading scheme-specific computational parameters, and triggering the computing and implementing of a masquerading scheme that generates a non-genuine view representing the modified computing resource with its modified characteristic, or the modified computational parameter.
  • the method wherein generating dynamically the masquerading scheme comprises obtaining the genuine characteristics of the computing resources, obtaining the one or more masquerading scheme-specific computational parameters, and computing the masquerading scheme based on the genuine characteristics of the computing resources and on the computational parameters.
  • the user of the method is an illegitimate user or a legitimate user requesting information about a characteristic of the computing resources.
  • the method wherein implementing the masquerading scheme comprises obtaining the generated masquerading scheme, and generating the non-genuine view of the computing resources by selectively modifying the data traffic elements transmitted from the computing resources in the networked computer environment.
  • the generation of the non-genuine view of the computing resource comprises masquerading one or more operating systems on one or more existing hosts, or masquerading one or more services on one or more existing hosts, or addition of one or more virtual services on one or more free ports on one or more existing hosts, or addition of one or more virtual services on one or more occupied ports on one or more existing hosts, or addition of one or more virtual hosts with an operating system, or addition of one or more virtual services on one or more virtual hosts, or masquerading one or more services with one or more poisoned tokens, or masquerading one or more applications with one or more poisoned tokens.
  • the computing resource is a computing platform, an operating system, a computer-based service, a network based service, a web-based service, a web server, an e-mail server, an FTP-server, an application, data, one or more data structures having a relative order, file, directory, applicative behavior, a firewall, or a firewall access list.
  • the network computer segment is a Local Area Network, or a segment thereof, or a Wireless Local Area Network or a segment thereof.
  • the computational parameter is an exposed vulnerability associated with the computing resource, a list of available free IP addresses, the number of available free IP addresses, a list of available free logical ports utilized for communication with the network, the number of available free logical ports utilized for communication with the network, a list of service instances created for a service type, the number of service instances created for a service type, a list of service associated risks, a list of simulation abilities, a preference of an operator of the network computer environment, a host usability, a service usability, or an application usability.
  • the computational parameter can be associated with another computational parameter.
  • the method further comprises a step of discovering one or more genuine characteristic of the computing resource operating within the networked computer environment.
  • the discovering can be performed manually or automatically, in a passive or active manner by the reading, collection, and analysis of the data traffic elements transmitted between the networked computer environment and an external data communication network.
  • the method further comprises dynamically generating at least one poisoned token.
  • the poisoned tokens misinform an unauthorized user by providing non-genuine applicative information.
  • the poisoned token is created at and obtained from an execution location within the networked computer environment.
  • a second aspect of the present invention regards an apparatus for the dynamic masquerading of one or more computing resources operating within a segment of a networked computer environment.
  • the apparatus is installed on an execution location within the networked computer environment.
  • the apparatus comprises a masquerading device having a processor device, a memory device, one or more network interface cards, linked to one or more computing resources in a networked computer environment and to a data communication network.
  • the masquerading device comprises a masquerading scheme computation component, to generate dynamically a masquerading scheme representing a non-genuine view of a set of computing resources in the networked computer environment based on the characteristics of the computing resources, and a masquerading scheme implementer component, to perform changes to the content of the data elements in the data traffic transmitted from the computing resource to the data communication network based on the masquerading scheme, in order to provide a non-genuine view of the computing resources.
  • the apparatus further comprises a masquerading scheme verification component for detecting modifications to one or more characteristics of one or more computing resources, or to one or more computational parameters, and triggering an update to the masquerading scheme in accordance with modifications in the real configuration of the network segment or in the computational parameters.
  • the segment of the networked computer environment comprises the whole network, or the segment is protected.
  • the apparatus wherein the masquerading scheme implementer component modifies data elements in the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
  • the apparatus wherein the masquerading scheme implementer component drops data elements from the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
  • the apparatus wherein the masquerading scheme implementer component adds data elements to the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
  • the apparatus wherein the networked computer environment comprises a firewall device, the firewall device linked to at least one computing resource.
  • the apparatus wherein the networked computer environment comprises a routing device.
  • the apparatus wherein the masquerading device further comprises a poisoned tokens handler component to generate one or more poisoned tokens from an execution location in the networked computer environment.
  • the apparatus wherein the masquerading device further comprises a computer resources characteristics table to store the genuine characteristics of the computing resources.
  • the apparatus wherein the masquerading device further comprises an exposed vulnerabilities table to store known vulnerabilities associated with the at least one computing resource.
  • the apparatus wherein the masquerading device further comprises a masquerading scheme data structure to store the masquerading scheme.
  • the apparatus wherein the masquerading device further comprises a management interface to enable manual configuration of the computer resources characteristics table, the masquerading scheme table, and the rules table.
  • the apparatus wherein the masquerading device further comprises a data collector device to obtain, to collect, and to analyze data elements from data traffic flow transmitted between the networked computer environment and the data communications network.
  • the apparatus wherein the masquerading device further comprises a passive firewall access lists detector device to map firewalls access lists based on observed responses from the firewall device of the networked computer environment.
  • the apparatus wherein the masquerading device further comprises a firewall access lists parser device to map access lists obtained from the firewall on the masquerading device.
  • the third aspect of the present invention regards a computer program product.
  • the computer program product comprises a computer usable medium having computer readable program code embodied in the medium for causing an application program to execute on a computer that provides a system for use with the dynamic masquerading apparatus.
  • the computer readable program code comprises a first computer readable program code for causing the computer to dynamically generate a masquerading scheme based on characteristics of a set of computing resources, a second computer readable program code for causing a computer to implement the masquerading scheme, and a computer readable storage medium containing a set of instructions for a general purpose computer, the set of instructions comprising a dynamic masquerading scheme generator routine for generating a masquerading scheme based on characteristics of computer resources, and a dynamic masquerading scheme implementation routine for implementing the masquerading scheme.
  • the set of instructions further comprising a masquerading scheme verification routine for detecting changes to the real characteristics of the protected network segment and a change to one or more computational parameters, and calling the routines for updating and implementing the masquerading scheme in accordance with the real characteristics of the protected network segment and the computational parameters.
  • Fig. 1 is a semi-pictorial block diagram of an exemplary networked computer environment in which the present invention could be implemented, in accordance with a preferred embodiment of the present invention.
  • Fig. 2 is a block diagram illustrating the architecture of the masquerading device, in accordance with the preferred embodiment of the present invention.
  • Fig. 3 is a flowchart representing the method of masquerading, in accordance with the preferred embodiment of the present invention.
  • Fig. 4 is a block diagram representing the activities taken by the masquerading scheme computation component, in accordance with the preferred embodiment of the present invention.
  • Fig. 5 is a schematic block diagram representing a masquerading computation and implementation layers model, in accordance with the preferred embodiment of the present invention.
  • Fig. 6 is a flow chart describing the operation of the real services and the real operating systems masquerading layer, in accordance with the preferred embodiment of the present invention.
  • Fig. 7A is a flow chart that describes the method of masquerading resources within the application, in accordance with the preferred embodiment of the present invention.
  • Figs. 7B and 8 are flow charts that describe the method of adding virtual services to real hosts, in accordance with the preferred embodiment of the present invention.
  • Masquerading - camouflaging available computer resources by concealing, removing, and changing the way an attacker perceives available computer resources, and deceiving the attacker to believe that non-existing resources do exist in the environment.
  • the present invention relates to an apparatus, method and computer program product for dynamically and defensively masquerading a set of computing resources, such as a protected segment of a computer network, in order to hide the resources and obscure the characteristics of the resources.
  • an entity such as a private or public corporation, organization or individual maintains the computer network which may include a combination of firewalls, servers, computer workstations, and other computing resources.
  • the present invention is directed to providing an apparatus, method and computer program product implementing a masquerading device designed for the obstruction of potential misuse of the computing system, by concealment of the available resources.
  • masquerading means camouflaging available computer resources by concealing, removing, and changing the way an attacker perceives available computer resources, and deceiving the attacker to believe that non-existing resources do exist in the environment.
  • the proposed apparatus, method, and program product augment the capabilities of currently employed security devices through masquerading the organization network, operating systems, services, applications, security policy, and the like.
  • the proposed apparatus, method, and program product generate a masquerading scheme which represents a non-genuine alternative consistent view of the organization network, which is presented to the users of the network as the genuine view.
  • the consistency of the non-genuine view is designed to satisfy an illegal intruder's initial purpose, such as collecting useful organization-specific intelligence prior to the performance of series of main intrusion attacks.
  • the view provided is based on non-genuine information.
  • the potential intruder is presented with an inaccurate or non-genuine view. It could be safely assumed that if attempting intrusion into a computer system without intelligence is difficult, then to attempt the same with the non-genuine information is substantially more difficult.
  • the proposed apparatus, method, and program product will render a compound attack on computing resources a substantially more difficult task.
  • the proposed method could be applied to all the network connections, thus negating the need to distinguish between "good" and "bad" connections. Note should be taken that the non-genuine alternative view creates no threat to the legitimate users, since the alternative view includes those genuine resources that enable the provisioning of the legitimately required services in the usual manner.
  • Fig. 1 is a block diagram of an exemplary computing environment 10 in which the present invention may be implemented. It should be understood that the particular environment 10 in Fig. 1 is shown for illustrative purposes only and does not limit the invention.
  • Network Environment 10 includes a computer network 11, an optional firewall 18, a masquerading device 16, a router device 14, a legitimate user 15, and an attacker 12.
  • computer network 11 represents a corporate local area network (LAN). In other preferred embodiments of the present invention, network 11 could be a WLAN network segment, a sub-network, or even a single computer platform.
  • Network 11 includes a network bus device 20, and several network elements 22, 24, 26, 28, 30, 32.
  • the network elements 22, 24, 26, 28, 30, 32 are computing platforms, with specific software installed thereon, such as Web servers, e-mail servers, FTP servers, data processing systems, and the like.
  • Optional firewall 18, where installed, serves as connection and separation between the local area network (LAN) 11 and the global data communication network 13, such as the Internet.
  • a firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from users from other networks.
  • the term also implies the security policy that is used with the said programs.
  • a firewall is often installed on a specially designated computer separate from the rest of the network, so that no incoming request can reach private network resources directly; it usually includes network interface cards and public network ports connected to the external global network, and one carefully monitored and controlled connection back to the internal network.
  • the typical data communications network 13 includes a router device 14, a legitimate user 15 and an attacker 12.
  • a router is a device, or in some cases a software routine that determines the next network point to which a packet should be forwarded toward its destination.
  • a router creates or maintains a table of the available routes and their conditions and uses this information along with distance and cost algorithms to determine the best route for a given packet.
  • the legitimate user 15 is an authorized network user that typically operates a computing platform (not shown).
  • the user 15 accesses information stored or generated by the local area network 11 and optionally processes and transfers information to the local area network 11 via the utilization of legitimate application and/or service software routines that were developed for legitimate use.
  • the attacker 12 is a malicious "hacker" that typically operates a computing platform (not shown).
  • the attacker 12 initiates and performs intrusion attacks utilizing, in combination, readily available or specifically developed malicious "hacking" software and legitimate network monitoring software, such as, for example, ping sweeps, port scans, whois, network analyzers, and the like.
  • the attacks initiated by the attacker 12 are directed at the local area network 11 in order to achieve a surreptitious penetration of the network 11 defenses, to intrude into one or more computing machines within the network 11, to gain control of one or more machines, and to misuse the critical resources therein.
  • Instances of misuses could include, but are not limited to, illegal login, privileged root usage, and access to files within a protected directory.
  • the masquerading device 16 is preferably positioned inline in front of the network segment 11. If the network segment 11 is firewall-protected then masquerading device 16 could be located either in front of or behind the firewall 18. Note should be taken that the masquerading device 16 could be partitioned such as to perform certain masquerading functions behind the firewall 18 and other masquerading functions before the firewall 18.
  • Device 16 is a hardware computing device having a processor device (not shown), a memory device (not shown) and one or more devices to enable the connection both to the protected network and to the outside network, such as one or more network interface cards. From the side of the attacker, masquerading device 16 has no Internet Protocol (IP) address, thus it is completely transparent to the attacker. Optionally, device 16 could have a management IP address on a network card facing the firewall 18. Some of the actions the device 16 executes are in bridge mode, while other actions are executed in transparent reverse proxy mode.
  • the masquerading device 51 includes a logically inter-related set of computer programs.
  • Computer programs are labels for entities that consist of computer-readable functional program code, or sets of machine-readable instructions having pre-determined functionality.
  • the computer programs are stored on a storage device of the masquerading device 51 and are loaded into a memory device of the device 51 prior to execution.
  • the device 51 includes a first computer program or a first computer readable program code referred to as the scheme computation component 52, and a second computer program or a second computer readable program code referred to as masquerading scheme implementer component 54.
  • the masquerading device 51 further includes a masquerading scheme verifier component 56, a poisoned tokens generator component 58, and a network discovery component 59.
  • the masquerading device 51 further includes a set of data structures associated with the computer programs. Data structures are ordered or organized sets of machine readable information.
  • the data structures on the masquerading device 51 include a computer resources characteristics table 60, a known vulnerabilities table 62, and a masquerading scheme table 64.
  • the components 52, 54, 56, 58, 59 perform masquerading of the computing resources in a co-operative manner. The operation of the components 52, 54, 56, 58 is based on and controlled by the specific data stored within the tables 60, 62, 64.
  • the architecture of the masquerading device 51 could be different, such as, for example, to employ alternative components and tables in order to accomplish substantially the same objectives of the invention.
  • Such other architectures will be apparent to one skilled in the relevant art based on the description contained herein.
  • masquerading scheme computation component 52 is responsible for generation of an alternative view of the network 11 of Fig. 1.
  • the concept "alternative view" refers to an artificially constructed image of the network 11, non-genuine or inaccurate in whole or in part, designed to be presented to the user 15 and to the attacker 12 of Fig. 1.
  • the alternative view instigates the attacker 12 to perceive the alternative view as the genuine view of the network 11.
  • the view that is reflected to the attacker 12 is based on a computed set of data that includes non-genuine information concerning the characteristics of existing resources as well as information concerning the characteristics of non-existing or virtual resources.
  • the virtual resource types could include any of the common types of network elements, such as subnets, hosts, services, applications, and application-specific virtual data.
  • the alternative view is generated by a masquerading scheme table 64 the contents of which are computed by the masquerading scheme computation component 52 based on the genuine characteristics of the genuine network elements/computing resources, and on several masquerading input parameters.
  • the parameters are based on the characteristics of the network resources, on operating constraints, on environmental contingencies, on hardware configurations limitations, on system configurations limitations, and the like.
  • the parameters include, but are not limited to known vulnerabilities, available free internet protocol addresses, available free ports, number of service instances, service associated risks, simulation abilities, and preferences of a system administrator managing the network 11.
  • parameters that are related to any of the abovementioned parameters for example the allocated ports which complement the free ports, can be used as masquerading input parameters.
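The scheme computation described in the preceding items, as an added example that is not code from the patent or from Beefense Ltd: the genuine inventory (hosts, OS family, open ports and banners), the subnet (from which the free IP addresses are derived), and an operator's parameters (OS to present, ports to hide, how many virtual services and virtual hosts to add) go in, and a scheme table with OS masks, banner masks, hidden ports, virtual services and virtual hosts comes out. The decoy banner table, the host inventory and the parameter values are constructed for illustration; the consistency check enforces the rules the text states, that virtual services only take free ports, virtual hosts only take free addresses, and every synthesized banner fits the OS the host is presented as.

```python
from dataclasses import dataclass, field
import ipaddress
import random

# Constructed decoy banner table: which service greetings are plausible for which
# presented OS family. The consistency of the non-genuine view rests on this table.
DECOY_BANNERS = {
    "linux":   {22: "SSH-2.0-OpenSSH_4.3", 25: "220 mail ESMTP Postfix",
                80: "Apache/2.0.55 (Unix)"},
    "windows": {21: "220 Microsoft FTP Service", 80: "Microsoft-IIS/6.0",
                445: "SMB"},
}

@dataclass
class Host:
    ip: str
    os: str         # genuine OS family, e.g. "windows"
    services: dict  # genuine open port -> genuine banner

@dataclass
class Scheme:
    os_masks: dict = field(default_factory=dict)          # genuine ip -> presented OS family
    banner_masks: dict = field(default_factory=dict)      # (ip, port) -> presented banner
    hidden_ports: set = field(default_factory=set)        # (ip, port) whose replies are dropped
    virtual_services: dict = field(default_factory=dict)  # (ip, port) -> synthesized banner
    virtual_hosts: dict = field(default_factory=dict)     # free ip -> presented OS family

def compute_scheme(hosts, subnet, params, seed=0):
    """Derive a masquerading scheme from genuine host characteristics plus the
    scheme-specific parameters: free IP addresses (derived from the subnet), free
    ports (derived per host), service instance limits and operator preferences."""
    rng = random.Random(seed)  # seeded so the same inputs always yield the same scheme
    genuine_ips = {h.ip for h in hosts}
    free_ips = [str(a) for a in ipaddress.ip_network(subnet).hosts()
                if str(a) not in genuine_ips]
    scheme = Scheme()
    for h in hosts:
        presented = params["present_os_as"].get(h.os, h.os)
        scheme.os_masks[h.ip] = presented
        for port, banner in h.services.items():
            if port in params["hide_ports"]:
                scheme.hidden_ports.add((h.ip, port))
            else:
                # re-label the genuine service with a greeting that fits the presented OS;
                # ports the decoy table knows nothing about keep their genuine banner
                scheme.banner_masks[(h.ip, port)] = DECOY_BANNERS[presented].get(port, banner)
        # virtual services may only occupy ports that are genuinely free on this host
        free_ports = sorted(p for p in DECOY_BANNERS[presented] if p not in h.services)
        k = min(params["virtual_services_per_host"], len(free_ports))
        for port in rng.sample(free_ports, k):
            scheme.virtual_services[(h.ip, port)] = DECOY_BANNERS[presented][port]
    # virtual hosts consume only free addresses, capped by operator preference
    k = min(params["max_virtual_hosts"], len(free_ips))
    for ip in rng.sample(free_ips, k):
        family = rng.choice(sorted(DECOY_BANNERS))
        scheme.virtual_hosts[ip] = family
        for port, banner in DECOY_BANNERS[family].items():
            scheme.virtual_services[(ip, port)] = banner
    return scheme

def verify_consistency(scheme, hosts):
    """Return the consistency violations in a scheme (empty list when consistent)."""
    genuine = {h.ip: h for h in hosts}
    problems = []
    for (ip, port), banner in scheme.virtual_services.items():
        if ip in genuine and port in genuine[ip].services:
            problems.append(f"virtual service on occupied port {ip}:{port}")
        family = scheme.os_masks.get(ip) or scheme.virtual_hosts.get(ip)
        if family is None or banner not in DECOY_BANNERS[family].values():
            problems.append(f"banner on {ip}:{port} does not fit presented OS {family}")
    for ip in scheme.virtual_hosts:
        if ip in genuine:
            problems.append(f"virtual host reuses genuine address {ip}")
    return problems

# Constructed genuine inventory and operator parameters (not from the patent).
HOSTS = [
    Host("10.0.0.10", "windows", {21: "220 Microsoft FTP Service", 80: "Microsoft-IIS/5.0"}),
    Host("10.0.0.11", "linux", {22: "SSH-2.0-OpenSSH_3.9p1", 80: "Apache/1.3.33 (Unix)"}),
]
PARAMS = {
    "present_os_as": {"windows": "linux"},  # operator preference: present IIS hosts as Unix
    "hide_ports": {21},                     # exposed vulnerability: FTP replies never leave the segment
    "virtual_services_per_host": 1,
    "max_virtual_hosts": 2,
}

if __name__ == "__main__":
    s = compute_scheme(HOSTS, "10.0.0.0/28", PARAMS, seed=1)
    print(s)
    print("violations:", verify_consistency(s, HOSTS))
```

Re-running `compute_scheme` whenever the inventory or the parameters change is exactly the trigger the verification component supplies; because the generator is seeded, an unchanged inventory reproduces the same view, so legitimate users do not see the decoys shuffle between runs.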
  • the masquerading scheme implementer component 54 is responsible for the execution of the masquerading based on a masquerading scheme data structures generated by the masquerading scheme computation component 52. In accordance with the content of the masquerading scheme data structures, the component 54 processes intercepted network traffic packets that were transmitted from the protected network 11 to the global data communication network 13. The processing of the network packets could involve the modification of packets, the dropping of packets and the addition of packets in order to reflect an alternative view of the local network to the attacker 12 operating in the global data communication network 13.
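The three operations the implementer component performs on outbound traffic (modify, drop, add), as an added example that is not code from the patent or from Beefense Ltd. It works on simplified reply records rather than raw packets; the scheme table, the hosts and the per-OS TTL and window values are constructed for illustration (the TTL and window defaults are the commonly cited ones, used here only so that the IP/TCP layer agrees with the presented OS). `process_outbound` rewrites or drops replies from genuine services, and `answer_probe` synthesizes the reply the device adds for a probe aimed at a virtual service.

```python
import re

# Constructed masquerading scheme of the kind the computation component hands over.
SCHEME = {
    "os_masks": {"10.0.0.10": "linux", "10.0.0.11": "linux"},
    "banner_masks": {("10.0.0.10", 80): "Apache/2.0.55 (Unix)",
                     ("10.0.0.11", 22): "SSH-2.0-OpenSSH_4.3"},
    "hidden_ports": {("10.0.0.10", 21)},
    "virtual_services": {("10.0.0.10", 22): "SSH-2.0-OpenSSH_4.3",
                         ("10.0.0.5", 80): "Microsoft-IIS/6.0"},
    "virtual_hosts": {"10.0.0.5": "windows"},
}

# Commonly cited default initial TTL and TCP window per OS family (illustrative).
OS_FINGERPRINT = {"linux": {"ttl": 64, "window": 5840},
                  "windows": {"ttl": 128, "window": 65535}}

SERVER_HEADER = re.compile(r"^Server:[ \t]*[^\r\n]*", re.IGNORECASE | re.MULTILINE)

def rewrite_banner(payload, presented):
    """Replace the part of an application reply that names the software."""
    if payload.startswith("HTTP/"):
        if SERVER_HEADER.search(payload):
            return SERVER_HEADER.sub(lambda m: "Server: " + presented, payload, count=1)
        status, sep, rest = payload.partition("\r\n")  # no Server header: add one
        return status + sep + "Server: " + presented + "\r\n" + rest
    # SSH, FTP and SMTP announce themselves on the first line of the greeting
    _greeting, sep, rest = payload.partition("\r\n")
    return presented + sep + rest

def process_outbound(reply, scheme):
    """Decide what the device emits for a reply leaving the protected segment.
    reply: {"src", "sport", "ttl", "window", "payload"}; returns (action, reply)
    with action in {"pass", "modify", "drop"} and reply None when dropped."""
    key = (reply["src"], reply["sport"])
    if key in scheme["hidden_ports"]:
        return "drop", None                  # the service is not part of the presented view
    out = dict(reply)
    family = scheme["os_masks"].get(reply["src"])
    if family:
        out.update(OS_FINGERPRINT[family])   # OS masquerading: fingerprintable header fields
    if key in scheme["banner_masks"]:
        out["payload"] = rewrite_banner(reply["payload"], scheme["banner_masks"][key])
    return ("modify" if out != reply else "pass"), out

def answer_probe(dst, dport, scheme):
    """Synthesize the reply for a probe aimed at a virtual service (a packet the
    device adds); None means the genuine host, if any, answers on its own."""
    key = (dst, dport)
    if key not in scheme["virtual_services"]:
        return None
    family = scheme["os_masks"].get(dst) or scheme["virtual_hosts"][dst]
    banner = scheme["virtual_services"][key]
    payload = banner + "\r\n"
    if dport == 80:
        payload = "HTTP/1.1 200 OK\r\nServer: " + banner + "\r\nContent-Length: 0\r\n\r\n"
    return {"src": dst, "sport": dport, "payload": payload, **OS_FINGERPRINT[family]}

if __name__ == "__main__":
    web = {"src": "10.0.0.10", "sport": 80, "ttl": 128, "window": 65535,
           "payload": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"}
    print(process_outbound(web, SCHEME))
    print(answer_probe("10.0.0.5", 80, SCHEME))
```

Note that a genuine reply reaches the legitimate user intact apart from the identifying fields, which is what keeps the alternative view harmless to legitimate use: the content of the HTTP response is untouched, only the `Server` header and the header-level fingerprint change.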
  • Masquerading scheme verifier component 56 is responsible for the ongoing discovery of modifications in the genuine characteristics of the computing resources, i.e.
  • the verifier component 56 continuously employs a network discovery component 59 in order to learn the characteristics of the network elements/computing resources 22, 24, 26, 28, 30, 32 of the local network 11.
  • the masquerading scheme computation component 52 is activated, or triggered, in order to generate a new or upgraded masquerading scheme based on the modifications that were discovered within the local network 11, and masquerading scheme implementer component 54 is activated in order to implement the newly generated or upgraded masquerading scheme.
  • Poisoned tokens generator component 58 is responsible for the construction of the poisoned tokens.
  • Poisoned tokens are also referred to as honey tokens.
  • Poisoned tokens, as opposed to honey pots, refer to non-genuine applicative data on real services.
  • the proposed apparatus, method, and program product generate poisoned tokens from an execution location on the network, such as the masquerading device 16 of Fig. 1, for various services and applications.
  • the method and program can generate poisoned tokens for the whole network or network segment, from each of the execution locations.
  • the tokens generated are not necessarily part of an information service, such as SNMP, that has information on other services.
  • the tokens are created as part of the service and the application.
  • the created poisoned tokens are added transparently to the end user and maintain the consistency of the alternate view of the local network 11.
  • Each poisoned token is generated according to its characteristics table (not shown) where some of the characteristics must be in a specific range.
  • a poisoned token expressed through a virtual file must have a name length that should not exceed a specific number of characters, a name extension that should match the service and operating system vendors, an application-matching location, a pre-defined size, a content type that should match the extension, a suitable access right, an environmentally consistent creation/access/modification date, and the like.
  • A characteristics table could be built for each different resource. For example, a credit card record will have logically consistent fields, such as length, holder name, expiration date, and the like.
  • Network discovery component 59 is configured in a manual mode, an automatic mode or in a combined manual/automatic mode to learn the networked computer environment by the mapping of the network elements/computing resources 22, 24, 26, 28, 30, and 32.
  • the discovery process is designed to identify the characteristics of the network elements/computing resources in the initialization stage and then identify changes and/or additions to the local network 11 as they are made during the day-to-day activity of the network 11.
  • Identification and characterization of the network elements/computing resources are performed by the utilization of both active and passive monitoring methods. Active methods include intentional queries and probes to specific components while passive methods include packet sniffing or the monitoring and analysis of network traffic within the network 11 and the classifying of data obtained from the traffic elements in order to build a network map. Active mapping is performed on demand while passive mapping may be performed automatically in a continuous manner, which facilitates adapting the masquerading scheme to changes in the network or in the network segment.
  • the network elements/computing resources that are discovered could include protected network segments, hosts, ports, services, applications, patches, files, directories, and the like. If one or more firewalls are installed then the process of discovery could involve the mapping of firewall access lists.
  • the network discovery component 59 maps the signatures of other active devices, such as intrusion prevention systems.
  • the data generated by the network discovery component 59 is stored in the computer resources characteristics table 60 on a memory device. Periodically, in accordance with the changes detected in the network 11 the component 59 updates the table 60.
  • Known vulnerabilities table 62 includes a list of known components and their associated vulnerabilities. Vulnerability lists are typically utilized in vulnerability assessment tools, such as the Nessus security scanner, for example.
  • a matching analysis routine (not shown) is executed in order to perform matches between the network elements and the associated vulnerabilities. Referring now to Fig. 3, a simplified flowchart of the masquerading method 40 is shown.
  • the method is performed via the pre-defined and ordered execution of a set of functionally inter-related computer programs.
  • the method is divided conceptually into three execution segments.
  • In the network discovery segment 42 the apparatus automatically detects the protected network at all the network layers (layer 2 through layer 7) including the structure of the protecting firewalls and the access lists thereof.
  • the system is initialized in order to enter an environmental detecting mode. In the detecting mode all the network traffic is bridged via the masquerading device without interference.
  • the masquerading device detects the networked computer environment by monitoring and analyzing the passing network traffic and by utilizing additional techniques.
  • After a pre-determined, network-specific amount of network traffic has passed through the masquerading device, the device enters a protective mode. It should be noted that during the protective mode some detection activities are still carried out continuously.
  • the objective of the network discovery segment is to discover the type, number, and characteristics of network elements/computing resources constituting the protected network.
  • the results of the network discovery are collected into one or more data structures. Note should be taken that part or all of the network discovery could be performed manually.
  • the network elements/computing resources characteristics table 60 of Fig. 2 could be built manually by a system administrator via a specifically developed system management routine and associated user interface.
  • the automatic environment detection is performed.
  • the output structure of step 41 and step 43 is the same and is detailed below.
  • the automatic detection could be performed in a passive mode or in an active mode.
  • In the passive mode the system performs passive fingerprinting of the packets transmitted through the masquerading device.
  • the passive fingerprinting could supply the following information on the machines of the protected network or network segment: a) media access control (MAC) addresses, b) internet protocol addresses, c) operating systems, d) machine-specific transmission control protocol (TCP) stack changes, e) open ports, f) running services, g) running applications, h) installed patches, i) files and directories, j) distance to protected machines, k) uptime of protected machines, and l) presence of firewalls and load balancers, and the like.
  • the passive fingerprinting generates a stateful sessions table that contains current sessions information, such as: a) a session state, such as "invalid", "new", "related", "established", and the like, b) a source internet protocol and port, and c) destination internet protocol and port. If firewalls are installed the passive fingerprinting is also associated with passive access lists detection.
  • the masquerading device observes responses from the firewall protecting the network or the network segment and incrementally builds the actual access list used by the firewall.
  • the purpose of the passive access-list detector is to learn the rule base structure of the firewall behind it. The information is used by the later part of the method in order to create virtual services on real hosts. As opposed to passive fingerprinting, active fingerprinting is performed on demand in accordance with the preferences of the system administrator.
  • Active fingerprinting includes scanning for open ports and running applications, web crawling-like activities, the discovery of target operating system, and the discovery of exposed vulnerabilities.
  • the data retrieved from the active fingerprinting is merged with the data detected by the passive mechanism in order to achieve a comprehensive and accurate image of the protected network or network segment structure, the associated vulnerabilities and the existing defenses.
  • the masquerading scheme is further detailed in association with the text below, referring to Fig. 4.
  • the masquerading scheme computation segment 44 is responsible for the computation of the masquerading scheme.
  • the masquerading scheme is based on the network elements/computing resources discovered, the vulnerabilities associated therewith, several masquerading input parameters, and the preferences of the system administrator. The types of the input parameters were described herein above.
  • the previously discovered network elements/computing resources types, number, and characteristics are obtained from the characteristics table.
  • the input parameters for the masquerading scheme computation are obtained from the characteristics table.
  • a compound multi-level analysis of the network elements and computing resources characteristics, of the exposed vulnerabilities, the masquerading input parameters, and the system administrator's preferences is performed.
  • a masquerading scheme is proposed that is operative in setting up virtual subnets, virtual hosts, services (both on real and virtual hosts) and applications.
  • the masquerading scheme further includes the masquerading of real operating systems, of applications and of real services, such that the proposed service characteristics will make the services appear different.
  • Resource identification could be assisted by the fact that many resources reveal information on a constant basis, such as repeating information in each and every packet.
  • Based on the computed masquerading scheme the system performs static masquerading, such that the resource will be misidentified in a typical masquerade-specific manner.
  • Static masquerading means that the masquerading scheme is consistent and does not change unless a change in the network or network segment configuration occurs.
  • Masquerading is performed from an execution location on the network, such as the masquerading device 16 of Fig. 1.
  • the masquerading is not limited in the number of servers that can be handled for masquerading.
  • the proposed method will dynamically perform changes to the content of the information transmitted to the attacker.
  • the changes include data omission, data modification, and new data additions. In HTTP, for example, the method could focus on changing the header order, handling of session cookies, banner modification within the packets and the like.
  • the changes could be applied, for example, to dynamic HTML pages generated and transmitted: omission of data may concern developer's comments, modification of data may concern file names, such as CGI locations, and addition of new information may concern non-genuine comments meant to misinform the attacker or indicating specific non-existing files or directories.
  • masquerading could involve the addition of new information to the packets, the removal of existing information from packets, the generation of new packets, and the like.
  • Operating system level masquerading involves modifications to TCP stack parameters to match the pretended OS. When using service and OS masquerading there is a need to react properly to errors generated on purpose by the user in order to match the generated masquerade.
  • the masquerading scheme generation is further detailed in association with the text below, referring to Figs. 6, 7, and 8. Still referring to Fig. 3, some actions are typical of computing resources in specific situations. For example, different applications may react in a different manner to an identical error. Knowing how a server reacts, the attacker may deliberately perform an action that results in an error, where the error output may reveal the server's type and version. In order to frustrate the attacker's objectives the proposed method may manipulate the output result, including changes and replacements of data. These changes could be done either by pre-defined actions set in a table generated in the masquerading computation stage or by an exterior mechanism. Note should be taken that the implementation of the same concepts could be different under other protocols. The proposed method provides advanced capabilities to interact with attempts to approach its non-genuine resources. These abilities could be determined by an external device.
  • the masquerading scheme implementation segment 48 is responsible for the activation of the masquerading scheme and the application of the masquerading to the network traffic. Subsequent to the activation the implementation segment 48 will operate at all times. At step 49 the computed masquerading scheme is obtained and at step 50 masquerading is generated. The masquerading will be performed based on the information within the masquerading scheme. The masquerading will modify the network traffic in order to reflect a non-genuine, alternative and consistent view of the protected network or network segment to the users. Program control will then proceed to the network discovery segment 41 in order to check for modifications performed in the network or network segment configuration.
  • the network elements/computer resources characteristics table will be modified and subsequently the masquerading scheme computation based on the characteristics table will dynamically generate a modified masquerading scheme.
  • the masquerading reaction to changes in the configuration of the network and in the vulnerabilities table is dynamic and the masquerading scheme will be modified, so as to provide logical consistency between the non-genuine view of the network and the mapping image of the real network.
  • the masquerading scheme implementation 184 is based on the masquerading scheme 182.
  • the masquerading implementation to be executed in step 47 of Fig. 3, provides a multi-layer reaction to the detection of changes in the structure of the network.
  • the masquerading scheme implementation provides the following masquerading capabilities: A) Masquerading of the operating system on an existing host (186). By manipulating the TCP stack parameters of the real host and the responses thereof to various events at layer 4 the device can impersonate another operating system for the real host. B) Masquerading for real services on existing hosts (188). By masquerading real services the masquerading device makes the services appear different than their real nature. This ability is based on either static masquerading or half-static masquerading. Under the HTTP protocol or other text based protocols static masquerading focuses on changes of service banners and header order setting in a way typical to the service. Under binary protocols the changes implemented could be different. Static masquerading is functional in the generation of error messages by the attacker by deliberately introducing specific requests.
  • Since different servers and different operating systems respond in a different manner to certain error conditions consequent to the introduction of specific, potentially error-raising requests, the attacker is capable of deducing from the presence, structure and content of the error message various information concerning the target host, such as the OS, the type and version of the server, the application, etc.
  • the masquerading device parses the requests and heuristically selects an error message that will match the non-genuine service identity declared in the service banners.
  • C) Addition of a new virtual host with a specified operating system (194). Utilizing internet protocol addresses that are not allocated to any host in the network, the proposed apparatus and method creates virtual hosts with any defined operating system. These virtual hosts can respond to Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) requests.
  • the apparatus and method could implement virtual services and applications even on real active ports. As a result, authorized users could see the real network and communicate therewith in a standard manner while non-authorized users will interact with the virtual system, which has advanced interaction capabilities during connection attempts.
  • the proposed method dynamically and adaptively applies modifications to the content of the information transmitted. Modification includes changing data, omitting data or adding new data. Such manipulations could concern, for example, changes in HTML developer's comments, hidden field names, adding of misleading comments, and the like.
  • the proposed apparatus and method supply poisoned tokens both on the service and application layers.
  • poisoned tokens are functional in providing access to non-existing directories on a server, in providing virtual directory content, in adding virtual files to an existing directory.
  • application level poisoned tokens can represent various components.
  • a poisoned token might be a virtual credit card number record in the database, whole virtual table in database, a virtual hidden field in HTML form, or even wrapping of existing HTTP session cookies with deliberately easy-to-break encryption. Innocent users should not notice the difference while an attacker may be tempted to handle the poisoned tokens.
  • Any other applicative token at any supported protocol and application could be generated to match the business logic of an organization associated with the protected network or network segment.
  • Poisoned tokens could also be used for supplying non- genuine information to various protocol requests. For example, in an environment based on the Microsoft software products non-genuine information could be supplied on domains, workgroups, internal servers protected by a firewall, shared resources, users, permissions, running applications protected by a firewall, various registry information, and the like.
  • Fig. 5 shows the masquerading layers model 202 in which the masquerading is computed and implemented.
  • the masquerading layers 216'- 216", 212, 208, and 204 are arranged in the bottom-top direction.
  • Each masquerading layer provides the required input 218, 214, 210, and 206 from the lower masquerading levels to the higher masquerading levels.
  • This input 218, 214, 210, 206 includes additional data that will be described herein below.
  • the input with the included additional data provides the means for the computation of the optimal masquerading.
  • the real services and real operating systems masquerading method 220 includes a series of execution steps.
  • Execution steps 222 through 228 represent a method for real services masquerading and for operating systems masquerading.
  • the method is implemented in the masquerading real services layer 216' in Fig. 5.
  • the steps 222 through 228 are performed for each real service implemented on a real computing machine.
  • a service-fingerprinting database is accessed.
  • the database includes many of the fingerprinting a potential attacker could utilize in order to discover the identity of the real service.
  • the database records include information concerning sets of resources typically associated with the real service where each service contains a plurality of resources.
  • Each set of resources (a set includes one or more resource) reveals something about the service, thus it has a "fingerprint" for the service.
  • a combination of resource A and resource B can reveal the service version, while resource C alone reveals the patch level applied to that service version.
  • Resources are not unique to one fingerprinting record, but might appear more than once, whereas the combination of different resources provides various fingerprints.
  • HTTP resources could be a banner, the relative order between headers, a session cookie, application behavior such as reaction to errors, grant or denial of access to resources, and the like.
  • the combination of the above mentioned HTTP resources could reveal service vendor, version, and the like. Note should be taken that certain services may have different database records where the number of records is created in accordance with potentially different usage of the real service.
  • the masquerading device is able to generate alternative behavior for each of the above mentioned examples by: a) modifying the banners in order to reflect a different service vendor and/or a different service version, b) setting the order of the HTTP headers to match the presented banner, c) hiding and/or generating session cookies to match the presented banner, and d) reacting to errors in the same manner the selected service vendor would.
  • the masquerading device is capable of handling any supported service, such as text based services (FTP, SMTP, POP, and the like) or binary based services (RPC, SNMP, and the like). Still referring to Fig. 6, at step 224 an alternative service-identities database is accessed.
  • the alternative service-identities database is indexed by the resource set inside the service, where each resource set has an alternative identities set.
  • the possible alternative identities sets are generated. The generation process is performed under the constraint that all service resources in a set, including their combinations with other resources, must display the same service identity. If no alternative service identity exists for the given resources set, then the masquerading of the real service is not possible.
  • all the possible identities sets per service, including the real identity are stored. Selection of the specific set to be used for masquerading will be performed only consequent to the computation of all possible alternative operating systems.
  • execution steps 230 through 234 represent a method for real operating system masquerading.
  • the method is implemented in the masquerading of real operating systems layer 216" in Fig. 5.
  • the steps 230 through 234 are performed for each real service implemented on a real computing machine.
  • the stored alternative identities set for the real service is obtained.
  • the possible alternative operating systems sets for each service identity are generated. Consequently at step 232 service identity tables are built that include identity records.
  • the identity records comprise a service identity identification field and a set of alternative operating systems for the identity.
  • the service tables built at step 232 are indexed by service and stored into a storage device.
  • a set of service identities for the whole machine is built with a common alternative operating system.
  • Each set should contain only one identity per service, but the same identity could participate in more than one set.
  • the sets of service identities with common alternative operating systems are stored into an alternative operating system-service identities set table.
  • the table includes alternative operating system-services identities sets records. The records comprise a combination of an alternative operating system identification and an alternative service identity for each real service that exists on the machine.
  • one alternative operating system and a matching service identities set is selected from the available options, where the selection is performed according to the following exemplary criteria: a) the selection will include minimum vulnerabilities as seen from the attacker side, b) priority will be given to the best match with combinations that already exist on other masqueraded machines, and c) if more than one combination exists then one of the combinations is selected in a random manner.
  • Referring to Fig. 7A, in contrast to the masquerading of real services and real operating systems, the purpose of which is hiding the characteristics and the nature of a service and/or an application, masquerading resources inside the application generates virtual resources inside the application.
  • virtual resources could be virtual files, virtual directories, virtual SQL tables, virtual fields, and the like.
  • Virtual resources are also referred to as poisoned tokens.
  • Some applications along with their vulnerabilities can be identified by the mere existence of specific directories and/or files on the server.
  • the masquerading devices could thus generate a non-genuine image of application or vulnerabilities by creating virtual files and directories. These virtual resources will be seen only by those users that will be looking for them specifically.
  • the purpose of the virtual resources or poisoned tokens is to "poison" or "mark" the attacker's database, such that the malicious intentions thereof will be identified during successive attack attempts.
  • the virtual resources are intentionally inserted into specific locations known to be the typical targets of an attacker during reconnaissance attempts into the application.
  • Execution steps 242 through 246 illustrate the procedure for the generation of the virtual resources. Execution steps 242 through 246 are executed for each real service at the application level.
  • an available resource type in the application is obtained, such as a file, a directory, a table, and the like.
  • the poisoned token types available for the application are obtained.
  • a specific number of poisoned tokens are generated where the number is based on the resource type characteristics table and on the preferences of the administrator. In many cases the number of poisoned tokens generated will not exceed the number of available real resources from this type in the application in order to prevent the attacker from realizing that he may be facing poisoned tokens.
  • a number of basic decisions must be taken, such as: a) which virtual services to open, b) how many services from a specific type will be opened, c) which services should be allocated to which hosts, and d) which ports to use for the virtual services.
  • the virtual services that will be opened will be the masqueraded duplicates of existing real services.
  • the device will not generate virtual services of a type that is not implemented in the network. However, in specific cases, such as where the attacker may expect to find services that are specifically designed to provide information on the environment, such as SNMP, NetBIOS, and the like, the device may generate such services.
  • the lists of real service types in their masqueraded state are obtained.
  • the real service types are sorted where the values of the sort parameters are based on the preferences of the administrator, on the risks associated with the service, on the number of exposed vulnerabilities, and the like.
  • those services that the masquerading device is unable to simulate are eliminated from the service types lists.
  • the total number of service instances to be presented to an attacker is computed. In the preferred embodiment of the present invention, the number of service instances is computed from the actual number of service instances multiplied by some virtual factor value.
  • At step 256, for each service type an iteration is performed on each real host in order to determine whether to clone the service type, and to set the appropriate running parameters for the running of the cloned service.
  • program control is passed to the iteration section of the method wherein the virtual services are selectively and controllably added to the real hosts.
  • the iteration section 243 of the method is activated by appropriate program instruction received at step 244.
  • the section attempts to clone a real matching service for each of the total number of service instances computed at step 254 of Fig. 7B.
  • it is checked whether the host already has the service implemented. If the result is positive then the cloning of the service on the host is passed over.
  • a real matching service of identical type is cloned to the host.
  • a number of basic decisions must be taken, such as: a) how many virtual hosts to open, b) how to allocate the newly created virtual hosts to existing real hosts, c) how to locate the IP address of a virtual host in the available subnet.
  • the total number of virtual hosts to be opened is marked as "M".
  • M is calculated by multiplying the number of the existing hosts, marked as "N", with a host virtual factor.
  • the average number of real machine clones is M/N.
  • Each real host has a weight factor marked as "W".
  • the value of "W" is between 1 and 0. This number is generated from a parameter table that includes parameters, such as host usability, exposed vulnerabilities on host, service usability, application usability, administrator preferences, and the like.
  • the first cloned host will be located, if practical, in the range "X" before (numerically smaller than) the IP address of the real host, where the precise location within the range will be selected in a random manner.
  • the second cloned host will be located, if practical, in the range "Y" after (numerically higher than) the IP address of the real host, where the precise location within the range will be selected in a random manner.
  • the third cloned host will be located, if practical, in the range "V", at the beginning of the range of the real host IP but before (numerically smaller than) the "X" range, where the precise location within the range will be selected in a random manner.
  • the fourth cloned host will be located, if practical, in the range "Z", at the end of the range of the real host IP but after (numerically higher than) the "Y" range, where the precise location within the range will be selected in a random manner.
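The service-layer masquerading described above for HTTP (banner replacement, header order matching the presented banner, session cookie handling, removal of developer comments and insertion of a non-genuine comment pointing at a non-existing directory), as an added example that is not code from the patent or from Beefense Ltd. The identity profile, the cookie name and the sample response are constructed, the header order is not a real server fingerprint, and the function rewrites one reassembled response rather than individual packets.

```python
"""HTTP-layer masquerading of one real service response (added example).

Not code from the patent or from Beefense Ltd. The profile and the sample
response below are constructed sample data, and the header order is not a
real server fingerprint. The function works on one reassembled response
rather than on the individual packets the masquerading device would see.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed profile for the alternative identity chosen by the scheme.
PROFILE: Dict[str, Any] = {
    "banner": "WebB/3.1 (Unix)",
    "header_order": ["Date", "Server", "Set-Cookie", "Content-Type", "Content-Length"],
    "cookie_name": "WBSESSID",  # cookie name the presented server would use
    # poisoned token: points at a directory that does not exist on the real host
    "decoy_comment": "<!-- legacy console at /console-v1/ (disabled) -->",
}

# Constructed sample response from the genuine web service.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: RealWeb/7.2\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 70\r\n"
    b"Set-Cookie: RWSESSION=abc123; Path=/; HttpOnly\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"\r\n"
    b"<html><!-- dev: uses /cgi-bin/legacy.pl -->\n<body>hello</body></html>\n"
)


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw response into status line, ordered header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def masquerade_response(raw: bytes, profile: Dict[str, Any], real_cookie: str) -> bytes:
    """Rewrite one genuine response so that it matches the presented identity."""
    status, headers, body = parse_response(raw)
    banner, cookie = str(profile["banner"]), str(profile["cookie_name"])

    # 1. Banner: the Server header declares the alternative identity.
    headers = [(n, banner if n.lower() == "server" else v) for n, v in headers]
    # 2. Session cookie: rename the genuine cookie so that it fits the banner.
    headers = [(n, v.replace(real_cookie + "=", cookie + "=", 1)
                if n.lower() == "set-cookie" else v) for n, v in headers]
    # 3. HTML body: drop developer comments, add one non-genuine comment,
    #    then fix Content-Length so that the response stays consistent.
    if any(n.lower() == "content-type" and v.startswith("text/html") for n, v in headers):
        text = re.sub(r"<!--.*?-->", "", body.decode("utf-8"), flags=re.S)
        text = text.replace("</body>", f"{profile['decoy_comment']}\n</body>", 1)
        body = text.encode("utf-8")
        headers = [(n, str(len(body)) if n.lower() == "content-length" else v)
                   for n, v in headers]
    # 4. Header order: emit headers in the order typical of the presented
    #    server; headers the profile does not list keep their place at the end.
    rank = {h.lower(): i for i, h in enumerate(profile["header_order"])}
    headers.sort(key=lambda h: rank.get(h[0].lower(), len(rank)))  # stable sort

    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(masquerade_response(SAMPLE_RESPONSE, PROFILE, "RWSESSION").decode())
```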
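The Fig. 6 procedure described above (steps 222 through 236: the per-resource alternative identities, the constraint that every resource of a service must display the same identity, the per-identity operating system sets, the sets with a common alternative operating system, and the selection criteria a) to c)), as an added example that is not code from the patent or from Beefense Ltd. All tables are constructed sample data; the vendor, version and OS names and the vulnerability counts are placeholders, and a host with a service that cannot be masqueraded is left genuine (an assumption made here).

```python
"""Alternative service identity and OS selection for one host (added example).

Not code from the patent or from Beefense Ltd. Every table is constructed
sample data: vendor names, versions, OS names and vulnerability counts are
placeholders, not real fingerprints or real vulnerability data.
"""
import itertools
import random
from typing import Dict, List, Optional, Set, Tuple

Identity = str
Os = str
Candidate = Tuple[Os, Dict[str, Identity]]

# Constructed service-fingerprinting database (step 222): per service type,
# the resources an attacker can observe and the identities each resource can
# be made to display by the masquerading device.
RESOURCE_ALTERNATIVES: Dict[str, Dict[str, Set[Identity]]] = {
    "http": {
        "banner": {"WebA/1.0", "WebA/2.0", "WebB/3.1"},
        "header_order": {"WebA/1.0", "WebA/2.0", "WebB/3.1"},
        "session_cookie": {"WebA/2.0", "WebB/3.1"},
        "error_page": {"WebA/1.0", "WebA/2.0", "WebB/3.1", "WebC/9"},
    },
    "ftp": {
        "banner": {"FtpX/5", "FtpY/2"},
        "error_text": {"FtpX/5", "FtpY/2"},
    },
    # no identity is consistent across both resources: cannot be masqueraded
    "ssh": {"banner": {"SshM/7"}, "kex_order": {"SshN/1"}},
}

# Constructed: operating systems on which each service identity is plausible.
IDENTITY_OS: Dict[Identity, Set[Os]] = {
    "WebA/1.0": {"OS-P", "OS-Q"}, "WebA/2.0": {"OS-P", "OS-Q", "OS-R"},
    "WebB/3.1": {"OS-R"}, "WebC/9": {"OS-Q"},
    "FtpX/5": {"OS-P", "OS-R"}, "FtpY/2": {"OS-Q", "OS-R"},
}

# Constructed: known-vulnerability counts "as seen from the attacker side".
VULN_COUNT: Dict[str, int] = {
    "WebA/1.0": 4, "WebA/2.0": 1, "WebB/3.1": 2, "WebC/9": 0,
    "FtpX/5": 3, "FtpY/2": 0, "OS-P": 2, "OS-Q": 1, "OS-R": 1,
}


def alternative_identities(service: str, resources: Set[str]) -> Set[Identity]:
    """Steps 224/226: identities that every resource of the service can show.

    All resources (and so every combination of them) must reveal the same
    identity, hence the intersection; an empty set means the real service
    cannot be masqueraded.
    """
    sets = [RESOURCE_ALTERNATIVES[service][r] for r in resources]
    return set.intersection(*sets) if sets else set()


def identity_os_tables(real_services: Dict[str, Set[str]]) -> Dict[str, Dict[Identity, Set[Os]]]:
    """Steps 230/232: per service, each alternative identity with its OS set."""
    return {svc: {ident: IDENTITY_OS[ident] for ident in alternative_identities(svc, res)}
            for svc, res in real_services.items()}


def common_os_candidates(tables: Dict[str, Dict[Identity, Set[Os]]]) -> List[Candidate]:
    """Step 234: every (OS, one identity per service) set with a common OS."""
    services = list(tables)
    all_os: Set[Os] = set()
    for table in tables.values():
        for os_set in table.values():
            all_os |= os_set
    candidates: List[Candidate] = []
    for os_name in sorted(all_os):
        options = [[i for i, oss in tables[s].items() if os_name in oss] for s in services]
        if any(not opts for opts in options):
            continue  # some service has no identity consistent with this OS
        for combo in itertools.product(*options):
            candidates.append((os_name, dict(zip(services, combo))))
    return candidates


def select_masquerade(real_services: Dict[str, Set[str]], existing: List[Candidate],
                      rng: Optional[random.Random] = None) -> Optional[Candidate]:
    """Step 236: one OS plus matching service identities, chosen by
    a) fewest attacker-visible vulnerabilities, b) best match with
    combinations already used on other masqueraded hosts, c) random tie-break.
    Returns None when some service on the host cannot be masqueraded
    (assumption: such a host is left genuine)."""
    rng = rng or random.Random()
    candidates = common_os_candidates(identity_os_tables(real_services))
    if not candidates:
        return None

    def score(cand: Candidate) -> Tuple[int, int]:
        os_name, idents = cand
        vulns = VULN_COUNT[os_name] + sum(VULN_COUNT[i] for i in idents.values())
        overlap = max((int(os_name == e_os) + sum(1 for s, i in idents.items() if e_idents.get(s) == i)
                       for e_os, e_idents in existing), default=0)
        return (vulns, -overlap)  # lower tuple is better

    best = min(score(c) for c in candidates)
    return rng.choice([c for c in candidates if score(c) == best])
```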
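The virtual host steps described above (M = N times the host virtual factor, the per-host weight W, and the placement ranges X, Y, V and Z around each real host), as an added example that is not code from the patent or from Beefense Ltd. Two details are assumptions made here: clones are shared out in proportion to W with largest-remainder rounding, and X and Y are fixed-width ranges of addresses on each side of the real host; the host addresses and weights are constructed.

```python
"""Virtual host count and address placement for a subnet (added example).

Not code from the patent or from Beefense Ltd. Assumptions made here: the
per-host clone count is M shared in proportion to W (largest-remainder
rounding), and X and Y are fixed-width address ranges next to the real host.
"""
import ipaddress
import random
from typing import Dict, List, Optional, Set, Tuple

Range = Tuple[int, int]  # inclusive bounds, as integer IPv4 addresses


def total_virtual_hosts(n_real: int, host_virtual_factor: float) -> int:
    """M = N * host virtual factor, rounded down to whole hosts."""
    return int(n_real * host_virtual_factor)


def clones_per_host(weights: Dict[str, float], m: int) -> Dict[str, int]:
    """Share M clones across real hosts in proportion to each host's W."""
    total = sum(weights.values())
    raw = {h: m * w / total for h, w in weights.items()}
    counts = {h: int(v) for h, v in raw.items()}
    # largest-remainder rounding so that the counts add up to exactly M
    leftover = m - sum(counts.values())
    for h in sorted(raw, key=lambda h: raw[h] - counts[h], reverse=True)[:leftover]:
        counts[h] += 1
    return counts


def candidate_ranges(real_ip: int, subnet: ipaddress.IPv4Network,
                     x_width: int, y_width: int) -> List[Range]:
    """Ranges X, Y, V, Z around real_ip, clipped to the subnet's usable hosts.

    X: just below the real address, Y: just above it, V: from the start of
    the subnet up to X, Z: from the end of Y to the end of the subnet. The
    list order is the order in which clones 1 to 4 are placed.
    """
    hosts = list(subnet.hosts())
    lo, hi = int(hosts[0]), int(hosts[-1])
    x = (max(lo, real_ip - x_width), real_ip - 1)
    y = (real_ip + 1, min(hi, real_ip + y_width))
    v = (lo, x[0] - 1)
    z = (y[1] + 1, hi)
    return [x, y, v, z]


def place_clones(real_ip: str, subnet: ipaddress.IPv4Network, count: int,
                 used: Set[int], rng: random.Random,
                 x_width: int = 8, y_width: int = 8) -> List[str]:
    """Pick one random free address per range for this host's clones."""
    ranges = candidate_ranges(int(ipaddress.ip_address(real_ip)), subnet, x_width, y_width)
    placed: List[str] = []
    for i in range(count):
        lo, hi = ranges[i % len(ranges)]  # a fifth clone cycles back to X (assumption)
        free = [a for a in range(lo, hi + 1) if a not in used]
        if not free:
            continue  # "if practical": the range is empty or full, so skip it
        pick = rng.choice(free)
        used.add(pick)  # never reuse an address taken by a real or virtual host
        placed.append(str(ipaddress.ip_address(pick)))
    return placed


def plan_virtual_hosts(real_hosts: Dict[str, float], subnet: str,
                       host_virtual_factor: float,
                       seed: Optional[int] = None) -> Dict[str, List[str]]:
    """Compute M, split it by weight and return clone addresses per real host."""
    rng = random.Random(seed)
    net = ipaddress.ip_network(subnet)
    m = total_virtual_hosts(len(real_hosts), host_virtual_factor)
    counts = clones_per_host(real_hosts, m)
    used = {int(ipaddress.ip_address(ip)) for ip in real_hosts}
    return {ip: place_clones(ip, net, counts[ip], used, rng) for ip in real_hosts}


if __name__ == "__main__":
    # constructed input: real host address -> weight W in [0, 1]
    print(plan_virtual_hosts({"10.0.0.20": 1.0, "10.0.0.100": 0.5, "10.0.0.200": 0.5},
                             "10.0.0.0/24", host_virtual_factor=2.0, seed=7))
```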

Abstract

An apparatus and method for the masquerading of computing resources operating within a networked computer environment is disclosed. The apparatus and method are installed and performed, respectively, at an execution location in front of a protected segment of the environment. The apparatus comprises a masquerading device having a masquerading scheme computation component, a masquerading scheme implementer component, and a masquerading scheme verification component, thereby providing a consistent non-genuine view of the computing resources.

Description

METHOD AND APPARATUS FOR THE DYNAMIC DEFENSIVE MASQUERADING OF COMPUTING RESOURCES
BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION
The present invention relates to computer security systems in general, and more particularly to an apparatus and method for the dynamic masquerading of computing resources in a protected segment of a networked computer environment.
DISCUSSION OF THE RELATED ART
The threat of unauthorized or malicious intrusive attacks by illegally operating intruders is growing exponentially. The financial consequences of these activities, whether the effort to prevent them or the losses incurred because of them, are an unnecessary and often heavy burden on organizations today. An intrusion attack is an illegal attempt to access and misuse a computer system and could involve something as severe as stealing or destroying confidential data, corrupting valuable data and programs, "defacing" Internet sites, or exploiting a legitimate e-mail system for the distribution of unsolicited electronic mail (colloquially referred to as "spam"). Intrusion attempts could be made either from a remote location or from local machines. In order to be successful, an intrusion attempt typically includes preliminary environmental probing or intelligence gathering, in order to enable the attacker to learn as much as possible about the targeted computer, its defenses, characteristics, vulnerabilities, and the like. Although an intrusion without pre-attack reconnaissance for the gathering of suitable target-specific intelligence is feasible, the probability of a successful intrusion and the associated risk metrics to the targeted computer are significantly lower compared to an attack supported by sufficient intelligence.
A typical intrusion scenario could be conceptually divided into several phases. The first phase involves preliminary environmental probing or non-intrusive information gathering, wherein the attacker is trying to gain as much information as possible on the targeted computer. In the first phase the attacker will want to be as undetectable as possible and will often make use of less direct methods. Some of these methods could include performing a whois lookup, DNS zone transfers, and normal browsing of websites to garner e-mail addresses and similar important information belonging to the target. In the second phase further information gathering is performed. In an attempt to collect more information an attacker will likely perform, for example, ping sweeps and port scanning, and will want to check Web servers or other network platforms for vulnerable CGI scripts. The intruder will also determine the versions of running applications and services on the host to be attacked, typically utilizing banner grabbing techniques. Subsequent to the information gathering phases, the main attacks are then launched. Having a list of possible security breaches, the intruder will begin the attack, trying out different types of attacks on the computer. For example, a UNICODE attack could be launched if the attacker previously found that the target computer has Internet Information Server (IIS) installed. Apart from launching exploits for known vulnerable software, a typical attacker will also try to locate badly configured running services. For example, the attacker will try to guess passwords for known users on the system. After a successful intrusion, the attacker will typically install his own backdoors in the system and delete log files in order to conceal his tracks. The attacker may install "toolkits" such as rootkits that give him access, replace existing services with his own Trojan horses that have backdoor passwords, or create his own user accounts.
From here an attacker will usually launch further attacks to other hosts especially those trusted by the compromised machine.
In order to summarize a typical attack scenario: A) The initial stages involve non-intrusive intelligence gathering activities that are usually undetected by the network security sensors. B) During the subsequent progress of the attack and the consequent stages the intrusiveness level of the attempts steadily increases. At these stages most attacks leave "footprints" on the various security sensors of the organization associated with the networked computer environment. This could effect the identification and optionally the termination of the attack by suitable security devices. It should be noted, however, that even failed attacks, such as exploits identified by an intrusion detection system and terminated manually by a system administrator or automatically by an intrusion prevention system, could generate useful intelligence for the attacker concerning the security policy of the organization. Thus, pre-attack reconnaissance is useful to the attacker even if the attack fails. C) In the late stages of the attack a security vulnerability is found and a final trial is performed to accomplish the intrusion.
There is a need for a new and improved security device for filling the gap in the detection abilities at the early steps of the attack by hiding or obscuring the structure of the organization network, services, applications, and security posture. Such a novel security device should provide dynamic and adaptive means to adjust automatically to configuration changes in the protected network, such as hardware additions, upgraded or new software, and known vulnerabilities. The device should provide unobstructed access to legitimate users and at the same time distract, seduce and decoy illegal intruders.
SUMMARY OF THE PRESENT INVENTION
One aspect of the present invention regards a method for the automatic dynamic and adaptive masquerading of a set of computing resources operating within a segment of a network computer environment. The method is performed from an execution location in the environment. The method comprises computing dynamically a masquerading scheme representing one or more non-genuine views of the set of computing resources based on the genuine characteristics of the computing resources within the networked computer environment or on one or more masquerading scheme-specific computational parameters, and implementing the generated masquerading scheme in order to provide the non-genuine view of the set of computing resources operating in the networked computer environment to users of the computing resources within the networked computer environment in order to masquerade the genuine characteristics of the computing resources. The non-genuine view is consistent. The segment of the network comprises the whole network or the segment is protected. The method includes a step of verifying the masquerading scheme. The verifying step comprises dynamically detecting changes to the genuine characteristics of the computing resources, or to one or more masquerading scheme-specific computational parameters, and triggering the computing and implementing of a masquerading scheme that generates a non-genuine view that represents the modified computing resource having the modified characteristic, or the modified computational parameter. The method wherein generating dynamically the masquerading scheme comprises obtaining the genuine characteristics of the computing resources, obtaining the one or more masquerading scheme-specific computational parameters and computing the masquerading scheme based on the genuine characteristics of the computing resources and on the computational parameters.
The user of the method is an illegitimate user or a legitimate user requesting information about a characteristic of the computing resources. The method wherein implementing the masquerading scheme comprises obtaining the generated masquerading scheme, and generating the non-genuine view of the computing resources by selectively modifying the data traffic elements transmitted from the computing resources in the networked computer environment. The generation of the non-genuine view of the computing resource comprises masquerading one or more operating systems on one or more existing hosts, or masquerading one or more services on one or more existing hosts, or addition of one or more virtual services on one or more free ports on one or more existing hosts, or addition of one or more virtual services on one or more occupied ports on one or more existing hosts, or addition of one or more virtual hosts with an operating system, or addition of one or more virtual services on one or more virtual hosts, or masquerading one or more services with one or more poisoned tokens, or masquerading one or more applications with one or more poisoned tokens. The computing resource is a computing platform, an operating system, a computer-based service, a network based service, a web-based service, a web server, an e-mail server, an FTP-server, an application, data, one or more data structures having a relative order, file, directory, applicative behavior, a firewall, or a firewall access list. The network computer segment is a Local Area Network, or a segment thereof, or a Wireless Local Area Network or a segment thereof. 
The computational parameter is an exposed vulnerability associated with the computing resource, a list of available free IP addresses, the number of available free IP addresses, a list of available free logical ports utilized for communication with the network, the number of available free logical ports utilized for communication with the network, a list of service instances created for a service type, the number of service instances created for a service type, a list of service associated risks, a list of simulation abilities, a preference of an operator of the network computer environment, a host usability, a service usability, or an application usability. The computational parameter can be associated with another computational parameter. The method further comprises a step of discovering one or more genuine characteristic of the computing resource operating within the networked computer environment. The discovering can be performed manually or automatically, in a passive or active manner by the reading, collection, and analysis of the data traffic elements transmitted between the networked computer environment and an external data communication network. The method further comprises dynamically generating an at least one poisoned token. The poisoned tokens misinform an unauthorized user by providing non-genuine applicative information. The poisoned token is created at and obtained from an execution location within the networked computer environment.
A second aspect of the present invention regards an apparatus for the dynamic masquerading of one or more computing resources operating within a segment of a networked computer environment. The apparatus is installed on an execution location within the networked computer environment. The apparatus comprises a masquerading device having a processor device, a memory device, one or more network interface cards, linked to one or more computing resources in a networked computer environment and to a data communication network. The masquerading device comprises a masquerading scheme computation component to generate dynamically a masquerading scheme representing a non-genuine view of a set of computing resources in the networked computer environment, based on the characteristics of the computing resources, a masquerading scheme implementer component to perform changes to the content of the data elements in the data traffic transmitted from the computing resource to the data communication network based on the masquerading scheme, in order to provide a non-genuine view of the computing resources. The apparatus further comprises a masquerading scheme verification component for detecting modifications to one or more characteristics of one or more computing resources, or to one or more computational parameters, and triggering an update to the masquerading scheme in accordance with modifications in the real configuration of the network segment or in the computational parameters. The segment of the networked computer environment comprises the whole network, or the segment is protected. The apparatus wherein the masquerading scheme implementer component modifies data elements in the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
The apparatus wherein the masquerading scheme implementer component drops data elements from the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme. The apparatus wherein the masquerading scheme implementer component adds data elements to the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme. The apparatus wherein the networked computer environment comprises a firewall device, the firewall device linked to at least one computing resource. The apparatus wherein the networked computer environment comprises a routing device. The apparatus wherein the masquerading device further comprises a poisoned tokens handler component to generate one or more poisoned tokens from an execution location in the networked computer environment. The apparatus wherein the masquerading device further comprises a computer resources characteristics table to store the genuine characteristics of the computing resources. The apparatus wherein the masquerading device further comprises an exposed vulnerabilities table to store known vulnerabilities associated with the at least one computing resource. The apparatus wherein the masquerading device further comprises a masquerading scheme data structure to store the masquerading scheme. The apparatus wherein the masquerading device further comprises a management interface to enable manual configuration of the computer resources characteristics table, the masquerading scheme table, and the rules table. The apparatus wherein the masquerading device further comprises a data collector device to obtain, to collect, and to analyze data elements from data traffic flow transmitted between the networked computer environment and the data communications network.
The apparatus wherein the masquerading device further comprises a passive firewall access lists detector device to map firewalls access lists based on observed responses from the firewall device of the networked computer environment. The apparatus wherein the masquerading device further comprises a firewall access lists parser device to map access lists obtained from the firewall on the masquerading device.
The third aspect of the present invention regards a computer program product. The computer program product comprises a computer usable medium having computer readable program code embodied in the medium for causing an application program to execute on a computer that provides a system for use with the dynamic masquerading apparatus. The computer readable program code comprises a first computer readable program code for causing the computer to dynamically generate a masquerading scheme based on characteristics of a set of computing resources, a second computer readable program code for causing a computer to implement the masquerading scheme, and a computer readable storage medium containing a set of instructions for a general purpose computer, the set of instructions comprising a dynamic masquerading scheme generator routine for generating a masquerading scheme based on characteristics of computer resources, and a dynamic masquerading scheme implementation routine for implementing the masquerading scheme. The set of instructions further comprising a masquerading scheme verification routine for detecting changes to the real characteristics of the protected network segment and a change to one or more computational parameters, and calling the routines for updating and implementing the masquerading scheme in accordance with the real characteristics of the protected network segment and the computational parameters.
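As an added worked example, not code from the patent or from Beefense, the following Python carries the method of this summary through on a constructed sample segment: it computes a masquerading scheme (a consistent non-genuine view) from the genuine characteristics of two hosts and a set of scheme-specific computational parameters (free addresses, operating system and banner disguises, the device's simulation abilities, an operator exclusion list), checks the view for consistency, re-verifies it after a genuine change to trigger an update, and applies it to one outbound data element. All addresses, banners, operating systems and the simulation table are assumptions made for the example.

```python
"""Added example (not the patent's or Beefense's code): compute, verify and
implement a masquerading scheme. All sample data below is constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Host:
    ip: str
    os: str                     # genuine operating system
    services: Dict[int, str]    # port -> genuine service banner


@dataclass
class Parameters:
    free_ips: List[str]                              # unused addresses for virtual hosts
    os_disguises: Dict[str, str]                     # genuine OS -> OS to present
    simulation_abilities: Dict[str, Dict[int, str]]  # presented OS -> {port: banner we can simulate}
    service_disguises: Dict[str, str]                # genuine banner -> presented banner
    max_virtual_services: int                        # per real host
    operator_excluded_ports: List[int] = field(default_factory=list)


def compute_scheme(hosts, params):
    """Scheme table: ip -> {os, virtual_host, services: {port: {genuine, presented}}}.
    Genuine services are never removed, only re-labelled; virtual services go on
    free ports and must match the OS the host is presented as."""
    scheme = {}
    for h in hosts:
        presented_os = params.os_disguises.get(h.os, h.os)
        services = {str(p): {"genuine": True, "presented": params.service_disguises.get(b, b)}
                    for p, b in sorted(h.services.items())}
        candidates = [p for p in sorted(params.simulation_abilities.get(presented_os, {}))
                      if p not in h.services and p not in params.operator_excluded_ports]
        for p in candidates[:params.max_virtual_services]:
            services[str(p)] = {"genuine": False,
                                "presented": params.simulation_abilities[presented_os][p]}
        scheme[h.ip] = {"os": presented_os, "virtual_host": False, "services": services}
    os_types = sorted(params.simulation_abilities)
    for i, ip in enumerate(params.free_ips):       # virtual hosts on free addresses
        if ip in scheme or not os_types:
            continue
        vos = os_types[i % len(os_types)]            # vary the OS so the segment is not uniform
        scheme[ip] = {"os": vos, "virtual_host": True,
                      "services": {str(p): {"genuine": False, "presented": b}
                                   for p, b in sorted(params.simulation_abilities[vos].items())}}
    return scheme


def is_consistent(scheme, params):
    """Every virtual service must be one the device can simulate for the OS the
    host is presented as; otherwise the non-genuine view contradicts itself."""
    for entry in scheme.values():
        able = params.simulation_abilities.get(entry["os"], {})
        for port, svc in entry["services"].items():
            if not svc["genuine"] and able.get(int(port)) != svc["presented"]:
                return False
    return True


def fingerprint(scheme):
    return hashlib.sha256(json.dumps(scheme, sort_keys=True).encode()).hexdigest()


def verify_scheme(current, hosts, params):
    """Verifying step: recompute from the current genuine characteristics and
    parameters; (True, new_scheme) means an update must be implemented."""
    fresh = compute_scheme(hosts, params)
    return fingerprint(fresh) != fingerprint(current), fresh


def implement_banner(scheme, src_ip, src_port, genuine_banner):
    """Implementer step for one outbound data element: the banner a genuine
    service emits is rewritten per the scheme; anything unlisted passes through."""
    svc = scheme.get(src_ip, {}).get("services", {}).get(str(src_port))
    if svc is None or not svc["genuine"]:
        return genuine_banner
    return svc["presented"]


def sample_network():
    """Constructed sample segment and parameters (assumptions, not real data)."""
    hosts = [Host("10.0.0.5", "Linux", {22: "OpenSSH_3.9", 80: "Apache/2.0"}),
             Host("10.0.0.6", "Windows", {80: "Microsoft-IIS/6.0"})]
    params = Parameters(
        free_ips=["10.0.0.20"],
        os_disguises={"Linux": "FreeBSD", "Windows": "Linux"},
        simulation_abilities={"FreeBSD": {21: "ProFTPD 1.2", 25: "Sendmail 8.13", 110: "Qpopper 4.0"},
                              "Linux": {21: "vsftpd 2.0", 25: "Postfix", 3306: "MySQL 4.1"}},
        service_disguises={"Apache/2.0": "lighttpd/1.4", "OpenSSH_3.9": "OpenSSH_2.9"},
        max_virtual_services=2,
        operator_excluded_ports=[110])
    return hosts, params


if __name__ == "__main__":
    hosts, params = sample_network()
    scheme = compute_scheme(hosts, params)
    print(json.dumps(scheme, indent=1))
    hosts[0].services[25] = "Postfix 2.1"           # a genuine change appears on the segment
    changed, scheme = verify_scheme(scheme, hosts, params)
    print("update triggered:", changed, "consistent:", is_consistent(scheme, params))
```

Genuine services are only re-labelled, never dropped, so legitimate users still reach them through the non-genuine view; the consistency check is what keeps a virtual service from contradicting the operating system its host is presented as, and the fingerprint comparison is the trigger the verifying step needs when a host gains a real service on a port the scheme had been simulating.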
BRIEF DESCRIPTION OF THE DRAWINGS
The features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings in which:
Fig. 1 is a semi-pictorial block diagram of an exemplary networked computer environment in which the present invention could be implemented, in accordance with a preferred embodiment of the present invention;
Fig. 2 is a block diagram illustrating the architecture of the masquerading device, in accordance with the preferred embodiment of the present invention;
Fig. 3 is a flowchart representing the method of masquerading, in accordance with the preferred embodiment of the present invention;
Fig. 4 is a block diagram representing the activities taken by the masquerading scheme computation component, in accordance with the preferred embodiment of the present invention;
Fig. 5 is a schematic block diagram representing a masquerading computation and implementation layers model, in accordance with the preferred embodiment of the present invention;
Fig. 6 is a flow chart describing the operation of the real services and the real operating systems masquerading layer, in accordance with the preferred embodiment of the present invention;
Fig. 7A is a flow chart that describes the method of masquerading resources within the application, in accordance with the preferred embodiment of the present invention; and
Figs. 7B and 8 are flow charts that describe the method of adding virtual services to real hosts, in accordance with the preferred embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
DEFINITIONS
Masquerading - camouflaging available computer resources by concealing, removing, and changing the way an attacker perceives available computer resources, and deceiving the attacker to believe that non-existing resources do exist in the environment.
The present invention relates to an apparatus, method and computer program product for dynamically and defensively masquerading a set of computing resources, such as a protected segment of a computer network, in order to hide the resources and obscure the characteristics of the resources. In the preferred embodiment of the present invention, an entity such as a private or public corporation, organization or individual maintains the computer network which may include a combination of firewalls, servers, computer workstations, and other computing resources. The present invention is directed to providing an apparatus, method and computer program product implementing a masquerading device designed for the obstruction of potential misuse of the computing system, by concealment of the available resources. In the context of the present invention, masquerading means camouflaging available computer resources by concealing, removing, and changing the way an attacker perceives available computer resources, and deceiving the attacker to believe that non-existing resources do exist in the environment. The proposed apparatus, method, and program product augment the capabilities of currently employed security devices through masquerading the organization network, operating systems, services, applications, security policy, and the like. The proposed apparatus, method, and program product generate a masquerading scheme which represents a non-genuine alternative consistent view of the organization network, which is presented to the users of the network as the genuine view. The consistency of the non-genuine view is designed to satisfy an illegal intruder's initial purpose, such as collecting useful organization-specific intelligence prior to the performance of a series of main intrusion attacks. The view provided is based on non-genuine information. Thus, the potential intruder is presented with an inaccurate or non-genuine view.
It could be safely assumed that if attempting intrusion into a computer system without intelligence is difficult, then to attempt the same with the non-genuine information is substantially more difficult. Thus, the proposed apparatus, method, and program product will render a compound attack on computing resources a substantially more difficult task. The proposed method could be applied to all the network connections thus negating the need to distinguish between "good" and "bad" connections. Note should be taken that the non-genuine alternative view creates no threat to the legitimate users since the alternative view includes those genuine resources that enable the provisioning of the legitimately required services in the usual manner. At the same time, the alternative view provides false intelligence to the would-be intruders, turning effectively all their intrusion attempts into "blind" attacks. Thus, the probability of a successful intrusion and the associated risk metric to the targeted system are substantially reduced. In the preferred embodiment of the present invention the computer system misuse concerns an intrusion attempt initiated either by an unauthorized or malicious user or by a malicious attacker. The scope and spirit of the invention include other types of computer misuses, both presently known and those identified in the future. Fig. 1 is a block diagram of an exemplary computing environment 10 in which the present invention may be implemented. It should be understood that the particular environment 10 in Fig. 1 is shown for illustrative purposes only and does not limit the invention. Environment 10 includes a computer network 11, an optional firewall 18, a masquerading device 16, a router device 14, a legitimate user 15, and an attacker 12. 
In the preferred embodiment of the present invention, computer network 11 represents a corporate local area network (LAN). In other preferred embodiments of the present invention network 11 could be a WLAN network segment, a sub-network, or even a single computer platform. Network 11 includes a network bus device 20, and several network elements 22, 24, 26, 28, 30, 32. The network elements 22, 24, 26, 28, 30, 32 are computing platforms, with specific software installed thereon, such as Web servers, e-mail servers, FTP servers, data processing systems, and the like. Optional firewall 18, where installed, serves as connection and separation between the local area network (LAN) 11 and the global data communication network 13, such as the Internet. A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. The term also implies the security policy that is used with the said programs. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can reach private network resources directly, and usually includes network interface cards and public network ports connected to the external global network and one carefully monitored and controlled connection back to the internal network.
Still referring to Fig. 1 the typical data communications network 13 includes a router device 14, a legitimate user 15 and an attacker 12. A router is a device, or in some cases a software routine that determines the next network point to which a packet should be forwarded toward its destination. A router creates or maintains a table of the available routes and their conditions and uses this information along with distance and cost algorithms to determine the best route for a given packet.
The legitimate user 15 is an authorized network user that typically operates a computing platform (not shown). The user 15 accesses information stored or generated by the local area network 11 and optionally processes and transfers information to the local area network 11 via the utilization of legitimate application and/or service software routines that were developed for legitimate use. The attacker 12 is a malicious "hacker" that typically operates a computing platform (not shown). The attacker 12 initiates and performs intrusion attacks utilizing in combination readily available or specifically developed malicious "hacking" software and legitimate network monitoring software such as, for example, ping sweep and port scan tools, whois, network analyzers, and the like. The attacks initiated by the attacker 12 are directed at the local area network 11 in order to achieve a surreptitious penetration of the network 11 defenses, to intrude into one or more computing machines within the network 11, to gain control of one or more machines, and to misuse the critical resources therein. Instances of misuses could include, but are not limited to, illegal login, privileged root usage, and access to files within a protected directory.
The masquerading device 16 is preferably positioned inline in front of the network segment 11. If the network segment 11 is firewall-protected then masquerading device 16 could be located either in front of or behind the firewall 18. Note should be taken that the masquerading device 16 could be partitioned such as to perform certain masquerading functions behind the firewall 18 and other masquerading functions before the firewall 18. Device 16 is a hardware computing device having a processor device (not shown), a memory device (not shown) and one or more devices to enable the connection both to the protected network and to the outside network, such as one or more network interface cards. From the side of the attacker the masquerading device 16 has no Internet Protocol (IP) address, thus it is completely transparent to the attacker. Optionally, device 16 could have a management IP address on a network card facing the firewall 18. Some of the actions the device 16 executes are in bridge mode, while other actions are executed in transparent reverse proxy mode.
Referring now to Fig. 2, the masquerading device 51 includes a logically inter-related set of computer programs. Computer programs are labels for entities that consist of computer-readable functional program code, or sets of machine-readable instructions having pre-determined functionality. The computer programs are stored on a storage device of the masquerading device 51 and are loaded into a memory device of the device 51 prior to execution. Thus, the device 51 includes a first computer program or a first computer readable program code referred to as the scheme computation component 52, and a second computer program or a second computer readable program code referred to as masquerading scheme implementer component 54. The masquerading device 51 further includes a masquerading scheme verifier component 56, a poisoned tokens generator component 58, and a network discovery component 59. The masquerading device 51 further includes a set of data structures associated with the computer programs. Data structures are ordered or organized sets of machine readable information. The data structures on the masquerading device 51 include a computer resources characteristics table 60, a known vulnerabilities table 62, and a masquerading scheme table 64. According to the principles of the proposed apparatus and method of the present invention, the components 52, 54, 56, 58, 59 perform masquerading of the computing resources in a co-operative manner. The operation of the components 52, 54, 56, 58 is based on and controlled by the specific data stored within the tables 60, 62, 64. It should be understood that in other preferred embodiments of the present invention, the architecture of the masquerading device 51 could be different, such as, for example, to employ alternative components and tables in order to accomplish substantially the same objectives of the invention. 
Such other architectures will be apparent to one skilled in the relevant art based on the description contained herein.
Still referring to Fig. 2, masquerading scheme computation component 52 is responsible for generation of an alternative view of the network 11 of Fig. 1. The concept "alternative view" refers to an artificially constructed image of the network 11, non-genuine or inaccurate in whole or in part, designed to be presented to the user 15 and to the attacker 12 of Fig. 1. The alternative view instigates the attacker 12 to perceive the alternative view as the genuine view of the network 11. The view that is reflected to the attacker 12 is based on a computed set of data that includes non-genuine information concerning the characteristics of existing resources as well as information concerning the characteristics of non-existing or virtual resources. The virtual resource types could include any of the common types of network elements, such as subnets, hosts, services, applications, and application-specific virtual data. The alternative view is generated by a masquerading scheme table 64 the contents of which are computed by the masquerading scheme computation component 52 based on the genuine characteristics of the genuine network elements/computing resources, and on several masquerading input parameters. The parameters are based on the characteristics of the network resources, on operating constraints, on environmental contingencies, on hardware configuration limitations, on system configuration limitations, and the like. The parameters include, but are not limited to, known vulnerabilities, available free internet protocol addresses, available free ports, number of service instances, service associated risks, simulation abilities, and preferences of a system administrator managing the network 11. In addition, parameters that are related to any of the abovementioned parameters, for example the allocated ports which complement the free ports, can be used as masquerading input parameters.
A more detailed description of the usage of the parameters will be provided hereinafter in association with the following drawings. The masquerading scheme implementer component 54 is responsible for the execution of the masquerading based on the masquerading scheme data structures generated by the masquerading scheme computation component 52. In accordance with the content of the masquerading scheme data structures, the component 54 processes intercepted network traffic packets that were transmitted from the protected network 11 to the global data communication network 13. The processing of the network packets could involve the modification of packets, the dropping of packets and the addition of packets in order to reflect an alternative view of the local network to the attacker 12 operating in the global data communication network 13. Masquerading scheme verifier component 56 is responsible for the ongoing discovery of modifications in the genuine characteristics of the computing resources, i.e. in the real configuration of the local network 11, and modifications in the computational parameters, such as for example the vulnerability tables. The verifier component 56 continuously employs a network discovery component 59 in order to learn the characteristics of the network elements/computing resources 22, 24, 26, 28, 30, 32 of the local network 11. When a change is detected in the genuine characteristics of the computing resources, or in a computational parameter, the masquerading scheme computation component 52 is activated, or triggered, in order to generate a new or upgraded masquerading scheme based on the modifications that were discovered within the local network 11, and masquerading scheme implementer component 54 is activated in order to implement the newly generated or upgraded masquerading scheme.
Accordingly, the masquerading scheme is updated and the masquerading scheme table 64 is modified in order to provide an upgraded basis for the generation of an upgraded alternative view to be reflected to the attacker 12. Poisoned tokens generator component 58 is responsible for the construction of the poisoned tokens. Poisoned tokens (also referred to as honey tokens) are operative in supplying the attacker 12 with wrong applicative information designed to mislead the attacker 12, to dissociate the attacker 12 from the real protected data and to identify the attacker 12 as malicious on prospective (future) exploitation attempts. Poisoned tokens, as opposed to honey pots, refer to non-genuine applicative data on real services.
As opposed to the currently available systems capable of generating honey tokens, the proposed apparatus, method, and program product generate poisoned tokens from an execution location on the network, such as the masquerading device 16 of Fig. 1, for various services and applications. There can be one or more execution locations on the network. However, the method and program can generate poisoned tokens for the whole network or network segment, from each of the execution locations. Furthermore, the tokens generated are not necessarily part of an information service, such as SNMP, that has information on other services. The tokens are created as part of the service and the application. The created poisoned tokens are added transparently to the end user and maintain the consistency of the alternate view of the local network 11. Each poisoned token is generated according to its characteristics table (not shown) where some of the characteristics must be in a specific range. Thus, for example, a poisoned token expressed through a virtual file must have a name length that should not exceed a specific number of characters, a name extension that should match the service and operating system vendors, an application-matching location, a pre-defined size, a content type that should match the extension, a suitable access right, an environmentally consistent creation/access/modification date, and the like. Much in the same manner, a characteristics table could be built for each different resource. For example, a credit card record will have logically consistent fields, such as length, holder name, expiration date, and the like. Network discovery component 59 is configured in a manual mode, an automatic mode or in a combined manual/automatic mode to learn the networked computer environment by the mapping of the network elements/computing resources 22, 24, 26, 28, 30, and 32.
The discovery process is designed to identify the characteristics of the network elements/computing resources in the initialization stage and then identify changes and/or additions to the local network 11 as they are made during the day-to-day activity of the network 11.
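As an added example (not the patent's implementation), the following Python generates a poisoned token of the "virtual file" kind from a characteristics table, validates every field against the range or rule the table prescribes so that the token stays consistent with the platform it is placed on, and keeps a registry of issued tokens so that a later request naming one can be flagged, which is the detection value the text assigns to poisoned tokens. The table contents, platform names, locations, access-right notation and file-name stems are constructed assumptions.

```python
"""Added example (not the patent's code): a characteristics-table driven
poisoned token generator with consistency validation and an issued-token
registry. The table below is constructed sample data."""
import random
from datetime import datetime, timedelta

# Constructed characteristics table for file-type tokens, keyed by the
# platform (service/OS pair) the token is placed on.
FILE_TOKEN_TABLE = {
    "max_name_len": 32,
    "size_range": (4096, 2 * 1024 * 1024),
    "max_age_days": 365,
    "stems": ["budget", "backup", "customers", "payroll"],
    "platforms": {
        "IIS/Windows": {"extensions": [".doc", ".xls", ".bak"],
                        "location": r"C:\Inetpub\wwwroot\private", "sep": "\\",
                        "access": "Administrators:F"},
        "Apache/Linux": {"extensions": [".conf", ".sql", ".tar.gz"],
                         "location": "/var/www/private", "sep": "/",
                         "access": "0640"},
    },
    "content_types": {".doc": "application/msword", ".xls": "application/vnd.ms-excel",
                      ".bak": "application/octet-stream", ".conf": "text/plain",
                      ".sql": "text/plain", ".tar.gz": "application/gzip"},
}


def generate_file_token(platform, rng, now):
    """Build one token whose fields are drawn only from the ranges the table allows.
    Timestamps are generated in order (created <= modified <= accessed <= now)."""
    t, plat = FILE_TOKEN_TABLE, FILE_TOKEN_TABLE["platforms"][platform]
    ext = rng.choice(plat["extensions"])
    stem = f"{rng.choice(t['stems'])}_{rng.randint(2001, 2005)}_{rng.randint(1, 99):02d}"
    name = stem[: t["max_name_len"] - len(ext)] + ext     # never truncate the extension
    created = now - timedelta(days=rng.randint(1, t["max_age_days"]))
    modified = created + timedelta(days=rng.randint(0, (now - created).days))
    accessed = modified + timedelta(days=rng.randint(0, (now - modified).days))
    return {"platform": platform, "name": name, "ext": ext,
            "path": plat["location"] + plat["sep"] + name,
            "size": rng.randint(*t["size_range"]),
            "content_type": t["content_types"][ext],
            "access": plat["access"],
            "created": created, "modified": modified, "accessed": accessed}


def validate_file_token(tok, now):
    """Return the list of constraint violations; empty means the token is consistent."""
    t, plat = FILE_TOKEN_TABLE, FILE_TOKEN_TABLE["platforms"][tok["platform"]]
    v = []
    if len(tok["name"]) > t["max_name_len"]:
        v.append("name too long")
    if tok["ext"] not in plat["extensions"] or not tok["name"].endswith(tok["ext"]):
        v.append("extension does not match platform")
    if t["content_types"].get(tok["ext"]) != tok["content_type"]:
        v.append("content type mismatch")
    if not tok["path"].startswith(plat["location"] + plat["sep"]):
        v.append("location mismatch")
    lo, hi = t["size_range"]
    if not lo <= tok["size"] <= hi:
        v.append("size out of range")
    if tok["access"] != plat["access"]:
        v.append("access right mismatch")
    if not tok["created"] <= tok["modified"] <= tok["accessed"] <= now:
        v.append("timestamps inconsistent")
    if (now - tok["created"]).days > t["max_age_days"]:
        v.append("token too old")
    return v


class TokenRegistry:
    """Issued tokens correspond to no real data, so a request naming one is a
    high-confidence signal that the requester is working from the poisoned view."""
    def __init__(self):
        self._paths = {}

    def issue(self, tok):
        self._paths[tok["path"].lower()] = tok

    def touched(self, requested_path):
        return requested_path.lower() in self._paths


if __name__ == "__main__":
    rng, now = random.Random(7), datetime(2006, 3, 1)
    reg = TokenRegistry()
    for platform in FILE_TOKEN_TABLE["platforms"]:
        tok = generate_file_token(platform, rng, now)
        assert validate_file_token(tok, now) == []
        reg.issue(tok)
        print(tok["path"], tok["size"], tok["content_type"])
```

The validator is deliberately separate from the generator: a token that is edited by hand through a management interface, or generated for a platform whose table entry was changed, is re-checked against the same rules before it is placed on a service, so an inconsistent token (wrong extension for the platform, a modification date before the creation date) never reaches the alternative view.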
Identification and characterization of the network elements/computing resources are performed by the utilization of both active and passive monitoring methods. Active methods include intentional queries and probes to specific components while passive methods include packet sniffing or the monitoring and analysis of network traffic within the network 11 and the classifying of data obtained from the traffic elements in order to build a network map. Active mapping is performed on demand while passive mapping may be performed automatically in a continuous manner, which facilitates adapting the masquerading scheme to changes in the network or in the network segment. The network elements/computing resources that are discovered could include protected network segments, hosts, ports, services, applications, patches, files, directories, and the like. If one or more firewalls are installed then the process of discovery could involve the mapping of firewall access lists. The network discovery component 59 maps the signatures of other active devices, such as intrusion prevention systems. The data generated by the network discovery component 59 is stored in the computer resources characteristics table 60 on a memory device. Periodically, in accordance with the changes detected in the network 11, the component 59 updates the table 60. Known vulnerabilities table 62 includes a list of known components and their associated vulnerabilities. Vulnerability lists are typically utilized in vulnerability assessment tools, such as the Nessus security scanner, for example. When either the computer resources characteristics table 60 or the known vulnerabilities table 62 is modified, a matching analysis routine (not shown) is executed in order to perform matches between the network elements and the associated vulnerabilities.
Referring now to Fig. 3, a simplified flowchart of the masquerading method 40 is shown. The method is performed via the pre-defined and ordered execution of a set of functionally inter-related computer programs. The method is divided conceptually into three execution segments. In the network discovery segment 42 the apparatus automatically detects the protected network at all the network layers (layer 2 through layer 7) including the structure of the protecting firewalls and the access lists thereof. Consequent to the installation and the implementation of the proposed apparatus and method in an organization the system is initialized in order to enter an environmental detecting mode. In the detecting mode all the network traffic is bridged via the masquerading device without interference. The masquerading device detects the networked computer environment by monitoring and analyzing the passing network traffic and by utilizing additional techniques. After a pre-determined network-specific amount of network traffic has passed through the masquerading device the device enters a protective mode. It should be noted that during the protective mode some detection activities are still carried out continuously. The objective of the network discovery segment is to discover the type, number, and characteristics of network elements/computing resources constituting the protected network. The results of the network discovery are collected into one or more data structures. Note should be taken that part or all of the network discovery could be performed manually. Thus, at step 41 the network elements/computing resources characteristics table 60 of Fig. 2 could be built manually by a system administrator via a specifically developed system management routine and associated user interface. At step 43 the automatic environment detection is performed. The output structure of step 41 and step 43 is the same and is detailed below. The automatic detection could be performed in a passive mode or in an active mode.
In the passive mode the system performs passive fingerprinting of the packets transmitted through the masquerading device. The passive fingerprinting could supply the following information on the machines of the protected network or network segment: a) media access control (MAC) addresses, b) internet protocol addresses, c) operating systems, d) machine-specific transmission control protocol (TCP) stack changes, e) open ports, f) running services, g) running applications, h) installed patches, i) files and directories, j) distance to protected machines, k) uptime of protected machines, and l) presence of firewalls and load balancers, and the like. The passive fingerprinting generates a stateful sessions table that contains current sessions information, such as: a) a session state, such as "invalid", "new", "related", "established", and the like, b) a source internet protocol address and port, and c) a destination internet protocol address and port. If firewalls are installed the passive fingerprinting is also associated with passive access list detection. The masquerading device observes responses from the firewall protecting the network or the network segment and incrementally builds the actual access list used by the firewall. The purpose of the passive access-list detector is to learn the rule base structure of the firewall behind it. The information is used by the later part of the method in order to create virtual services on real hosts. As opposed to passive fingerprinting, active fingerprinting is performed on demand in accordance with the preferences of the system administrator. Active fingerprinting includes scanning for open ports and running applications, web crawling-like activities, the discovery of the target operating system, and the discovery of exposed vulnerabilities.
The data retrieved from the active fingerprinting is merged with the data detected by the passive mechanism in order to achieve a comprehensive and accurate image of the protected network or network segment structure, the associated vulnerabilities and the existing defenses. The masquerading scheme is further detailed in association with the text below, referring to Fig. 4.
Still referring to Fig. 3 the masquerading scheme computation segment 44 is responsible for the computation of the masquerading scheme. The masquerading scheme is based on the network elements/computing resources discovered, the vulnerabilities associated therewith, several masquerading input parameters, and the preferences of the system administrator. The types of the input parameters were described herein above. At step 45 the previously discovered network elements/computing resources types, number, and characteristics are obtained from the characteristics table. At step 46 the input parameters for the masquerading scheme computation are obtained from the characteristics table. At step 47 a compound multi-level analysis of the network elements and computing resources characteristics, of the exposed vulnerabilities, the masquerading input parameters, and the system administrator's preferences is performed. A masquerading scheme is proposed that is operative in setting up virtual subnets, virtual hosts, services (both on real and virtual hosts) and applications. The masquerading scheme further includes the masquerading of real operating systems, of applications and of real services, such that the proposed service characteristics will make the services appear different. Resource identification could be assisted by the fact that many resources reveal information on a constant basis, such as repeating information in each and every packet. Based on the computed masquerading scheme the system performs static masquerading, such that the resource will be misidentified in a typical masquerade-specific manner. Static masquerading means that the masquerading scheme is consistent and does not change unless a change in the network or network segment configuration occurs. Masquerading is performed from an execution location on the network, such as the masquerading device 16 of Fig. 1. The masquerading is not limited in the number of servers that can be handled for masquerading. 
Concerning the service and application level masquerading, the proposed method will dynamically perform changes to the content of the information transmitted to the attacker. The changes include data omission, data modification, and new data additions. In HTTP, for example, the method could focus on changing the order of headers, the handling of session cookies, the modification of banners within the packets, and the like. The changes could be applied, for example, to dynamic HTML pages generated and transmitted: omission of data may concern developer's comments, modification of data may concern file names, such as CGI locations, and addition of new information may concern non-genuine comments meant to misinform the attacker or indicating specific non-existing files or directories. In other protocol environments masquerading could involve the addition of new information to the packets, the removal of existing information from packets, the generation of new packets, and the like. Operating system level masquerading involves modifications to TCP stack parameters to match the pretended OS. When using service and OS masquerading there is a need for reacting properly to errors generated on purpose by the user in order to match the generated masquerade. The masquerading scheme generation is further detailed in association with the text below, referring to Figs. 6, 7, and 8. Still referring to Fig. 3, some actions are typical of computing resources in specific situations. For example, different applications may react in a different manner to an identical error. Knowing how a server reacts, the attacker may deliberately perform a task that results in an error, where the error output may reveal the server's type and the server's version. In order to frustrate the attacker's objectives the proposed method may manipulate the output result, including changes and replacements of data.
These changes could be done either by pre-defined actions set in a table generated in the masquerading computation stage or by an exterior mechanism. Note should be taken that the implementation of the same concepts could be different under other protocols. The proposed method provides advanced capabilities to interact with attempts to approach its non-genuine resources. These abilities could be determined by an external device.
Still referring to Fig. 3 the masquerading scheme implementation segment 48 is responsible for the activation of the masquerading scheme and the application of the masquerading to the network traffic. Subsequent to the activation the implementation segment 48 will operate at all times. At step 49 the computed masquerading scheme is obtained and at step 50 masquerading is generated. The masquerading will be performed based on the information within the masquerading scheme. The masquerading will modify the network traffic in order to reflect a non-genuine, alternative and consistent view of the protected network or network segment to the users. Program control will then proceed to the network discovery segment 41 in order to check for modifications performed in the network or network segment configuration. Thus, if for example, a server is added to the existing network elements, then the network elements/computer resources characteristics table will be modified and subsequently the masquerading scheme computation based on the characteristics table will dynamically generate a modified masquerading scheme. The masquerading reaction to changes in the configuration of the network and in the vulnerabilities table is dynamic and the masquerading scheme will be modified, so as to provide logical consistency between the non-genuine view of the network and the mapping image of the real network. Referring now to Fig. 4 the masquerading scheme implementation 184 is based on the masquerading scheme 182. The masquerading implementation, to be executed in step 47 of Fig. 3, provides a multi-layer reaction to the detection of changes in the structure of the network. The masquerading scheme implementation provides the following masquerading capabilities: A) Masquerading of operating system on existing host (186).
By manipulating the TCP stack parameters of the real host and the responses thereof to various events at layer 4 the device can impersonate other operating systems for the real host. B) Masquerading for real services on existing hosts (188). By masquerading real services the masquerading device makes the services appear different than their real nature. This ability is based on either static masquerading or half-static masquerading. Under the HTTP protocol or other text based protocols static masquerading focuses on changes of service banners and header order setting in a way typical to the service. Under binary protocols the changes implemented could be different. Static masquerading also covers the error messages that an attacker provokes by deliberately introducing specific requests. Since different servers and different operating systems respond in a different manner to certain error conditions consequent of the introduction of specific potentially error-raising requests, the attacker is capable of deducing from the presence, structure and content of the error message various information concerning the target host, such as the OS, the type and the version of the server, the application, etc. The masquerading device parses the requests and heuristically selects an error message that will match the non-genuine service identity declared in the service banners. C) Addition of a new virtual host with a specified operating system (194). Utilizing internet protocol addresses that are not allocated to any host in the network, the proposed apparatus and method creates virtual hosts with any defined operating system. These virtual hosts can respond to Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) requests. D) Addition of virtual services on virtual hosts (196).
Using its virtual hosts the proposed apparatus and method can create virtual services and applications (layer 5 through layer 7) having advanced interaction capabilities during connection attempts. The interaction capabilities are determined by an external mechanism. E) Addition of virtual services on existing hosts with free ports (190). The creation of virtual services and applications could be made on real hosts with free ports. The virtual ports are served by the masquerading device while the real host serves the real ports. Advanced interaction capabilities are provided during connection attempts where the interaction capabilities are determined by an external mechanism. F) Addition of virtual services on existing hosts with occupied ports (192). The utilization of the learning mechanism that was described herein above provides the proposed apparatus and method with the information concerning the accessibility options of the ports, such as which ports are accessible and by whom at a specific time. Using the information the apparatus and method could implement virtual services and applications even on real active ports. As a result, authorized users could see the real network and communicate therewith in a standard manner while non-authorized users will interact with the virtual system having advanced interaction capabilities during connection attempts. G) Service masquerading and application content masquerading (200). The proposed method dynamically and adaptively applies modifications to the content of the information transmitted. Modification includes changing data, omitting data or adding new data. Such manipulations could concern, for example, changes in HTML developer's comments, hidden field names, adding of misleading comments, and the like. The proposed apparatus and method supply poisoned tokens both on the service and application layers.
On the service level poisoned tokens are functional in providing access to non-existing directories on a server, in providing virtual directory content, and in adding virtual files to an existing directory. On the application level poisoned tokens can represent various components. A poisoned token might be a virtual credit card number record in the database, a whole virtual table in the database, a virtual hidden field in an HTML form, or even the wrapping of existing HTTP session cookies with deliberately easy-to-break encryption. Innocent users should not notice the difference while an attacker may be tempted to handle the poisoned tokens. Any other applicative token at any supported protocol and application could be generated to match the business logic of an organization associated with the protected network or network segment. Poisoned tokens could also be used for supplying non-genuine information to various protocol requests. For example, in an environment based on the Microsoft software products non-genuine information could be supplied on domains, workgroups, internal servers protected by a firewall, shared resources, users, permissions, running applications protected by a firewall, various registry information, and the like.
Referring now to Fig. 5, which shows the masquerading layers model 202 in which the masquerading is computed and implemented, the masquerading layers 216'-216", 212, 208, and 204 are arranged in the bottom-top direction. Each masquerading layer provides the required input 218, 214, 210, and 206 from the lower masquerading levels to the higher masquerading levels. This input 218, 214, 210, 206 includes additional data that will be described herein below. The input with the included additional data provides the means for the computation of the optimal masquerading.
Referring now to Fig. 6 the real services and real operating systems masquerading method 220 includes a series of execution steps. Execution steps 222 through 228 represent a method for real services masquerading and for operating systems masquerading. The method is implemented in the masquerading real services layer 216' in Fig. 5. The steps 222 through 228 are performed for each real service implemented on a real computing machine. Thus, for each real service implemented on the real computing machine, at step 222 a service-fingerprinting database is accessed. The database includes many of the fingerprints a potential attacker could utilize in order to discover the identity of the real service. The database records include information concerning sets of resources typically associated with the real service where each service contains a plurality of resources.
Each set of resources (a set includes one or more resources) reveals something about the service, thus it is a "fingerprint" for the service. For example, a combination of resource A and resource B can reveal the service version, while resource C alone reveals the patch level applied to that service version. Resources are not unique to one fingerprinting record, but might appear more than once, whereas the combination of different resources provides various fingerprints. For example, HTTP resources could be a banner, the relative order between headers, a session cookie, application behavior such as reaction to errors, grant or denial of access to resources, and the like. The combination of the above mentioned HTTP resources could reveal service vendor, version, and the like. Note should be taken that certain services may have different database records where the number of records is created in accordance with potentially different usage of the real service.
The masquerading device is able to generate alternative behavior for each of the above mentioned examples by: a) modifying the banners in order to reflect a different service vendor and/or a different service version, b) setting the order of the HTTP headers to match the presented banner, c) hiding and/or generating session cookies to match the presented banner, and d) reacting to errors in the same manner the selected service vendor would. The masquerading device is capable of handling any supported service, such as text based services (FTP, SMTP, POP, and the like) or binary based services (RPC, SNMP, and the like). Still referring to Fig. 6 at step 224 an alternative service-identities database is accessed. The alternative service-identities database is indexed by the resource set inside the service, whereas each resource set has an alternative identities set. At step 226 the possible alternative identities sets are generated. The generation process is performed under the constraint that all service resources in a set, including their combinations with other resources, must display the same service identity. If no alternative service identity exists for the given resources set, then the masquerading of the real service is not possible. At step 228 all the possible identities sets per service, including the real identity, are stored. Selection of the specific set to be used for masquerading will be performed only consequent to the computation of all possible alternative operating systems.
Still referring now to Fig. 6, execution steps 230 through 234 represent a method for real operating system masquerading. The method is implemented in the masquerading of real operating systems layer 216" in Fig. 5. The steps 230 through 234 are performed for each real service implemented on a real computing machine. Thus, for each real service implemented on the real computing machine, at step 230 the stored alternative identities set for the real service is obtained. At step 232 the possible alternative operating systems sets for each service identity are generated. Consequently at step 232 service identity tables are built that include identity records. The identity records comprise a service identity identification field and a set of alternative operating systems for the identity. At step 234 the service tables built at step 232 are indexed by service and stored into a storage device.
Still referring to Fig. 6 at step 236 for each service table that is built and stored at step 234, a set of services identities, for the whole machine, is built with common alternative operating system. Each set should contain only one identity per service, but the same identity could participate in more than one set. The sets of service identities with common alternative operating systems are stored into an alternative operating system-service identities set table. The table includes alternative operating system-services identities sets records. The records comprise a combination of an alternative operating system identification and an alternative service identity for each real service that exists on the machine. At step 238 one alternative operating system and a matching services identities set is selected from the available options, whereas the selection is performed according to the following exemplary criteria: a) the selection will include minimum vulnerabilities as seen from the attacker side, b) priority will be given to the best match with combinations that already exist on other masqueraded machines, and c) if more than one combination exists then one of the combinations is selected in a random manner.
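The identity computation of steps 222 through 238, written out as an added Python example (not code from the patent or from Beefense); the fingerprinting database, the alternative identities, the identity-to-OS compatibility and the vulnerability counts are constructed sample data.

```python
import random
from itertools import product

# Constructed sample data (assumption, not taken from the patent).
# Step 222: service-fingerprinting database. For every real service on the
# machine, the resource sets an attacker could combine to fingerprint it.
SERVICE_RESOURCE_SETS = {
    "web":  [("banner",), ("banner", "header_order"), ("error_page",)],
    "mail": [("smtp_banner",), ("ehlo_reply",)],
}

# Step 224: alternative service-identities database, indexed by resource set.
# Each entry lists the identities whose behaviour the device can present for
# that resource set; the real identity is included (step 228).
ALT_IDENTITIES = {
    ("banner",):                {"Apache/1.3", "Apache/2.0", "IIS/5.0", "IIS/6.0"},
    ("banner", "header_order"): {"Apache/1.3", "Apache/2.0", "IIS/5.0"},
    ("error_page",):            {"Apache/2.0", "IIS/5.0"},
    ("smtp_banner",):           {"Sendmail/8.13", "Exchange/2003", "Postfix/2.2"},
    ("ehlo_reply",):            {"Sendmail/8.13", "Exchange/2003"},
}

# Step 232: operating systems on which each service identity is plausible.
IDENTITY_OS = {
    "Apache/1.3": {"Linux", "Windows"}, "Apache/2.0": {"Linux", "Windows"},
    "IIS/5.0": {"Windows"}, "IIS/6.0": {"Windows"},
    "Sendmail/8.13": {"Linux"}, "Postfix/2.2": {"Linux"},
    "Exchange/2003": {"Windows"},
}

# Known vulnerabilities table: how many vulnerabilities an attacker would see
# for each presented identity (constructed counts).
VULN_COUNT = {
    "Apache/1.3": 3, "Apache/2.0": 1, "IIS/5.0": 4, "IIS/6.0": 1,
    "Sendmail/8.13": 2, "Postfix/2.2": 0, "Exchange/2003": 2,
}


def alternative_identities(service):
    """Step 226: identities consistent across every resource set of a service.

    All resources of the service, alone and in combination, must reveal the
    same identity, so only identities present in the alternative set of every
    resource set survive. An empty result means the service cannot be masqueraded.
    """
    sets = [ALT_IDENTITIES[rs] for rs in SERVICE_RESOURCE_SETS[service]]
    return set.intersection(*sets) if sets else set()


def machine_identity_sets(services):
    """Step 236: (alternative OS, {service: identity}) sets for a whole machine.

    Every service gets exactly one identity, and all chosen identities must
    share a common alternative operating system.
    """
    per_service = {s: sorted(alternative_identities(s)) for s in services}
    if not per_service or any(not ids for ids in per_service.values()):
        return []  # some service has no consistent alternative identity
    names = list(per_service)
    candidate_os = set.intersection(
        *[set.union(*[IDENTITY_OS[i] for i in per_service[s]]) for s in names])
    result = []
    for os_name in sorted(candidate_os):
        choices = [[i for i in per_service[s] if os_name in IDENTITY_OS[i]]
                   for s in names]
        for combo in product(*choices):
            result.append((os_name, dict(zip(names, combo))))
    return result


def select_identity_set(candidates, existing_masquerades, seed=None):
    """Step 238: pick one (OS, identities) combination for the machine.

    a) fewest vulnerabilities as seen from the attacker side,
    b) then the best match with combinations already used on other
       masqueraded machines, so the non-genuine network looks uniform,
    c) then a random choice among the remaining ties.
    """
    if not candidates:
        return None

    def vulns(cand):
        return sum(VULN_COUNT[i] for i in cand[1].values())

    def overlap(cand):
        best = 0
        for os_name, idents in existing_masquerades:
            score = int(os_name == cand[0]) + sum(
                1 for s, i in cand[1].items() if idents.get(s) == i)
            best = max(best, score)
        return best

    def key(cand):
        return (vulns(cand), -overlap(cand))

    best_key = min(key(c) for c in candidates)
    ties = [c for c in candidates if key(c) == best_key]
    return random.Random(seed).choice(ties)
```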
Referring now to Fig. 7A, in contrast to the masquerading of real services and real operating systems, the purpose of which is hiding the characteristics and the nature of a service and/or an application, masquerading resources inside the application generates virtual resources inside the application. Such virtual resources could be virtual files, virtual directories, virtual SQL tables, virtual fields, and the like. Virtual resources are also referred to as poisoned tokens. Some applications along with their vulnerabilities can be identified by the mere existence of specific directories and/or files on the server. The masquerading device could thus generate a non-genuine image of applications or vulnerabilities by creating virtual files and directories. These virtual resources will be seen only by those users that will be looking for them specifically. The purpose of the virtual resources or poisoned tokens is to "poison" or "mark" the attacker's database, such that the malicious intentions thereof will be identified during successive attack attempts. The virtual resources are intentionally inserted into specific locations known to be the typical targets of an attacker during reconnaissance attempts into the application. Execution steps 242 through 246 illustrate the procedure for the generation of the virtual resources. Execution steps 242 through 246 are executed for each real service at the application level. At step 242 an available resource type in the application is obtained, such as a file, a directory, a table, and the like. At step 244 the poisoned token types available for the application are obtained. At step 246 for each resource type that exists as an available token type, a specific number of poisoned tokens are generated where the number is based on the resource type characteristics table and on the preferences of the administrator.
In many cases the number of poisoned tokens generated will not exceed the number of available real resources from this type in the application in order to prevent the attacker from realizing that he may be facing poisoned tokens.
Referring now to Fig. 7B, during the addition of the virtual services to real hosts a number of basic decisions must be taken, such as: a) which virtual services to open, b) how many services from a specific type will be opened, c) which services should be allocated to which hosts, and d) which ports to use for the virtual services. In the majority of cases the virtual services that will be opened will be the masqueraded duplicates of existing real services. The device will not generate virtual services of a type that is not implemented in the network. However, in specific cases, such as where the attacker may expect to find services that are specifically designed to provide information about the environment, such as SNMP, NetBIOS, and the like, the device may generate such services. At step 248 real service type lists in their masqueraded state are obtained. Note should be taken that identical services with a differing masquerading are considered to be different services. At step 250 the real service types are sorted where the values of the sort parameters are based on the preferences of the administrator, on the risks associated with the service, on the number of exposed vulnerabilities, and the like. At step 252 those services that the masquerading device is unable to simulate are eliminated from the service type lists. At step 254 for each service type in the list, the total number of service instances to be presented to an attacker is computed. In the preferred embodiment of the present invention, the number of service instances is computed from the actual number of service instances multiplied by some virtual factor value. At step 256 for each service type an iteration is performed over the real hosts in order to determine whether to clone the service type, and to set the appropriate running parameters for the running of the cloned service.
At step 258 program control is passed to the iteration section of the method wherein the virtual services are selectively and controllably added to the real hosts.
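The virtual-service decisions of Fig. 7B together with the per-host cloning iteration of Fig. 8 that step 258 hands control to, as an added Python example that is not part of the patent; the host inventory, the service-to-OS compatibility, the set of simulatable services, the port lists and the risk values are constructed assumptions.

```python
import random

# Constructed inventory (assumption, not from the patent). Each real host is
# listed with the operating system it presents after masquerading and the
# service types it really runs.
HOSTS = {
    "web1":  {"os": "Linux",   "services": {"http"}},
    "web2":  {"os": "Linux",   "services": {"http", "ssh"}},
    "mail1": {"os": "Linux",   "services": {"smtp"}},
    "fs1":   {"os": "Windows", "services": {"smb"}},
}
# Operating systems on which a service type is plausible (Fig. 8, OS match).
SERVICE_OS = {"http": {"Linux", "Windows"}, "ssh": {"Linux"},
              "smtp": {"Linux", "Windows"}, "smb": {"Windows"}}
# Service types the masquerading device can simulate (Fig. 7B step 252).
SIMULATABLE = {"http", "ssh", "smtp"}
# Ports the real service types use; http is also seen on non-standard ports.
STANDARD_PORTS = {"http": [80], "ssh": [22], "smtp": [25], "smb": [445]}
NONSTANDARD_PORTS = {"http": [8080, 8443]}
# Sort parameter for step 250: risk / exposed vulnerabilities per type.
RISK = {"http": 3, "smtp": 2, "ssh": 1, "smb": 2}


def plan_service_counts(hosts, virtual_factor):
    """Fig. 7B steps 248 to 254: ordered (service type, total instances) list.

    Types the device cannot simulate are dropped, the rest are sorted by risk,
    and each type's total is the real instance count times the virtual factor.
    """
    real_count = {}
    for info in hosts.values():
        for svc in info["services"]:
            real_count[svc] = real_count.get(svc, 0) + 1
    types = [s for s in real_count if s in SIMULATABLE]
    types.sort(key=lambda s: RISK.get(s, 0), reverse=True)
    return [(s, real_count[s] * virtual_factor) for s in types]


def ports_in_use(info):
    """Ports already served by the host's real services."""
    return {p for s in info["services"] for p in STANDARD_PORTS.get(s, [])}


def clone_services(hosts, virtual_factor, seed=None):
    """Fig. 8 iteration: add virtual (cloned) services to real hosts.

    For each service type, hosts are visited in order and a clone is placed
    unless the total was reached, the host already runs the service, or the
    service does not match the host's operating system. When the real type
    runs on both standard and non-standard ports, clones alternate between
    the two; otherwise they stay on standard ports. Returns the virtual
    services the masquerading device must serve on behalf of the real hosts.
    """
    rng = random.Random(seed)
    clones = []
    for svc, total in plan_service_counts(hosts, virtual_factor):
        placed = 0
        for host, info in hosts.items():
            if placed >= total:
                break                       # total already reached
            if svc in info["services"]:
                continue                    # host really has the service
            if info["os"] not in SERVICE_OS[svc]:
                continue                    # service does not fit this OS
            if svc in NONSTANDARD_PORTS and placed % 2 == 1:
                pool = NONSTANDARD_PORTS[svc]
            else:
                pool = STANDARD_PORTS[svc]
            taken = ports_in_use(info) | {c["port"] for c in clones
                                          if c["host"] == host}
            free = [p for p in pool if p not in taken]
            if not free:
                continue                    # no free port on this host
            clones.append({"host": host, "service": svc,
                           "port": rng.choice(free)})
            placed += 1
    return clones
```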
Referring now to Fig. 8 the iteration section 243 of the method is activated by appropriate program instruction received at step 244. The section attempts to clone a real matching service for each of the total number of service instances computed at step 254 of Fig. 7B. At step 246 it is determined whether the number of cloned service instances already reached the total number of service instances computed at step 254 of Fig. 7B. If the result is positive then the cloning of the service on the host is passed over. At step 246 it is determined whether the host has the service implemented. If the result is positive then the cloning of the service on the host is passed over. At step 248 it is verified that the added service matches the host regarding the operating system thereof and the already installed services thereof. If the result is negative then the cloning of the service on the host is passed over. At step 250 a real matching service of identical type is cloned to the host. At step 252 it is determined whether the real service type is running on standard ports only or on both standard ports and non-standard ports. If the result is "standard ports only" then the cloned service is located on the standard ports only. If the result is "standard and non-standard" then at step 254 some of the cloned service instances are located on standard ports while other cloned service instances are cloned on non-standard or organization-specific ports. During the cloning of real hosts to provide virtual hosts 204 of Fig. 5 a number of basic decisions must be taken, such as: a) how many virtual hosts to open, b) how to allocate the newly created virtual hosts to existing real hosts, and c) where to locate the IP address of a virtual host in the available subnet. The total number of virtual hosts to be opened is marked as "M". "M" is calculated by multiplying the number of the existing hosts, marked as "N", by a host virtual factor.
Thus, the average number of real machine clones is M/N. Each real host has a weight factor marked as "W". The value of "W" is between 1 and 0. This number is generated from a parameter table that includes parameters, such as host usability, exposed vulnerabilities on host, service usability, application usability, administrator preferences, and the like. The sum over all hosts of "W" multiplied by "M"/"N" should not exceed the value of "M". Cloned hosts are the precise duplicates of the original host in its masqueraded state. IP allocation to virtual hosts is performed typically on the basis of the IP address scanning methods that are typically used by attackers. Thus, for each real host: a) the first cloned host will be located, if practical, in the range "X" before (numerically smaller than) the IP address of the real host, where the precise location within the range will be selected in a random manner, b) the second cloned host will be located, if practical, in the range "Y" after (numerically higher than) the IP address of the real host, where the precise location within the range will be selected in a random manner, c) the third cloned host will be located, if practical, in the range "V", at the beginning of the range of the real host IP but before (numerically smaller than) the "X" range, where the precise location within the range will be selected in a random manner, and d) the fourth cloned host will be located, if practical, in the range "Z", at the end of the range of the real host IP but after (numerically higher than) the "Y" range, where the precise location within the range will be selected in a random manner. All the additional cloned hosts will be located in accordance with the above described logic performed from a to d. As a result, the IP numbers of the cloned hosts will be located on the numbers axis such as to enclose substantially symmetrically the centrally located IP number of the real host.
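The clone-count and IP placement logic just described (M, N, W and the ranges X, Y, V, Z), as an added Python example that is not the patent's code; the subnet, the real hosts, the weights and the width of the X and Y ranges are constructed assumptions.

```python
import ipaddress
import random

# Constructed example network (assumption, not from the patent): the
# documentation range 192.0.2.0/24 with three real hosts, and the per-host
# weight factor "W" (between 0 and 1) taken from the parameter table.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
REAL_HOSTS = {
    "web1":  ipaddress.ip_address("192.0.2.40"),
    "mail1": ipaddress.ip_address("192.0.2.100"),
    "db1":   ipaddress.ip_address("192.0.2.200"),
}
WEIGHTS = {"web1": 1.0, "mail1": 0.6, "db1": 0.3}


def clone_counts(weights, host_virtual_factor):
    """Return M and the number of clones per real host.

    M = N * host virtual factor, the average clone count is M/N, and every
    host gets about W * M/N clones; because W <= 1 the sum never exceeds M.
    """
    n = len(weights)
    if n == 0:
        return 0, {}
    m = int(n * host_virtual_factor)
    avg = m / n
    counts = {h: round(w * avg) for h, w in weights.items()}
    while sum(counts.values()) > m:   # rounding may overshoot; trim largest
        counts[max(counts, key=counts.get)] -= 1
    return m, counts


def placement_ranges(subnet, real_ip, near):
    """Ranges X, Y, V, Z around a real host as inclusive (low, high) ints.

    X: the "near" addresses just below the real address, Y: just above,
    V: from the start of the subnet up to X, Z: from Y to the end of the
    subnet. The network and broadcast addresses are never used.
    """
    first = int(subnet.network_address) + 1
    last = int(subnet.broadcast_address) - 1
    a = int(real_ip)
    x = (max(first, a - near), a - 1)
    y = (a + 1, min(last, a + near))
    v = (first, x[0] - 1)
    z = (y[1] + 1, last)
    return [x, y, v, z]


def allocate_virtual_hosts(subnet, real_hosts, weights, factor, near=8, seed=None):
    """Assign IP addresses to the cloned (virtual) hosts.

    Clones of a real host are placed in ranges X, Y, V, Z in turn, so the
    addresses surround the real one roughly symmetrically; the exact address
    inside a range is random and never collides with an address already in
    use. A range that is empty or full is skipped and the next one is tried.
    """
    rng = random.Random(seed)
    m, counts = clone_counts(weights, factor)
    used = {int(ip) for ip in real_hosts.values()}
    virtual = {}
    for host, real_ip in real_hosts.items():
        ranges = placement_ranges(subnet, real_ip, near)
        for i in range(counts[host]):
            order = ranges[i % 4:] + ranges[:i % 4]   # a -> d, then wrap
            for low, high in order:
                free = [ip for ip in range(low, high + 1) if ip not in used]
                if free:
                    pick = rng.choice(free)
                    used.add(pick)
                    virtual[f"{host}-clone{i + 1}"] = ipaddress.ip_address(pick)
                    break
    assert len(virtual) <= m
    return virtual
```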
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the present invention is defined only by the claims which follow.

Claims

CLAIMS I/We claim:
1. A method for the automatic, dynamic and adaptive masquerading of an at least one computing resource operating within a segment of a networked computer environment, the method is performed on at least one execution location in the environment, the method comprising:
Computing dynamically a masquerading scheme representing an at least one non-genuine view of the at least one computing resource based on the genuine characteristics of the at least one computing resource within the networked computer environment or on an at least one masquerading scheme-specific computational parameter, and implementing the generated masquerading scheme in order to provide the at least one non-genuine view of the at least one computing resource operating in the networked computer environment to a user of the at least one computing resource within the networked computer environment in order to masquerade the genuine characteristics of the at least one computing resource.
2. The method of claim 1 where the non-genuine view is consistent.
3. The method of claim 1 wherein the segment of the networked computer environment comprises the whole network.
4. The method of claim 1 wherein the segment of the networked computer environment is protected.
5. The method of claim 1 wherein generating dynamically the masquerading scheme comprises: obtaining the genuine characteristics of the at least one computing resource; obtaining the at least one masquerading scheme-specific computational parameter; and computing the masquerading scheme based on the genuine characteristics of the at least one computing resource and on the at least one computational parameter.
6. The method of claim 5 wherein the user is an illegitimate user or a legitimate user requesting information about at least one characteristic of the at least one computing resource.
7. The method of claim 1 wherein implementing the masquerading scheme comprises: obtaining the generated masquerading scheme; generating the non-genuine view of the at least one computing resource by selectively modifying the data traffic elements transmitted from the at least one computing resource in the networked computer environment.
8. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises masquerading an at least one operating system on at least one existing host.
9. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises masquerading an at least one service on at least one existing host.
10. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises addition of at least one virtual service on at least one free port on at least one existing host.
11. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises addition of at least one virtual service on at least one occupied port on at least one existing host.
12. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises addition of at least one virtual host with an operating system.
13. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises addition of at least one virtual service on an at least one virtual host.
14. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises masquerading at least one service with an at least one poisoned token.
15. The method of claim 1 wherein generating the non-genuine view of the at least one computing resource comprises masquerading at least one application with an at least one poisoned token.
16. The method of claim 1 wherein each of the at least one computing resource is selected from the group consisting of: a computing platform; an operating system; a computer-based service; a network based service; a web-based service; a web server; an e-mail server; an FTP-server; an application; data; one or more data structures having a relative order; file, directory; applicative behavior; a firewall; a firewall access list.
17. The method of claim 1 wherein the networked computer environment is a Local Area Network or a segment thereof.
18. The method of claim 1 wherein the networked computer environment is a Wireless Local Area Network or a segment thereof.
19. The method of claim 1 wherein each of the at least one computational parameter is selected from the group consisting of: an exposed vulnerability associated with the at least one computing resource; a list of available free IP addresses; the number of available free IP addresses; a list of available free logical ports utilized for communication with the network, the number of available free logical ports utilized for communication with the network, a list of service instances created for a service type; the number of service instances created for a service type; a list of service associated risks; a list of simulation abilities; a preference of an operator of the network computer environment; a host usability; a service usability; an application usability;
20. The method of claim 19 wherein the at least one computational parameter is associated with an at least one other computational parameter.
21. The method of claim 1 further comprising a step of discovering at least one genuine characteristic of the at least one computing resource operating within the networked computer environment.
22. The method of claim 21 wherein the discovering of the at least one genuine characteristic of the at least one computing resource within the networked computer environment is performed by manual configuration.
23. The method of claim 21 wherein the discovering of the at least one genuine characteristic of the at least one computing resource in the networked computer environment is performed automatically and in a passive or active manner by the reading, collection and analysis of the data traffic elements transmitted between the networked computer environment and an external data communication network.
24. The method of claim 1 further comprising dynamically verifying the masking scheme.
25. The method of claim 24 wherein dynamically verifying the masking scheme comprises: dynamically detecting at least one characteristic of the at least one computing resource or at least one computational parameter; dynamically triggering the computing and implementing of the masking scheme in case a modification to at least one characteristic of the at least one computing resource or at least one computational parameter has been detected, in order to generate an updated and consistent non-genuine view that reflects the detected changes.
26. The method of claim 1 further comprising dynamically generating an at least one poisoned token.
27. The method of claim 0 wherein the poisoned token misinforms an unauthorized user by providing non-genuine applicative information.
28. The method of claim 0 wherein the at least one poisoned token is created at and obtained from an execution location within the networked computer environment.
29. An apparatus for the dynamic masquerading of at least one computing resource operating within a segment of a networked computer environment, the apparatus is installed at an execution location within the environment, the apparatus comprising: a masquerading device having a processor device, a memory device, an at least one network interface card linked to an at least one computing resource in a networked computer environment and to a data communication network, the masquerading device comprising: a masquerading scheme computation component to generate dynamically a masquerading scheme representing a non-genuine view of the at least one computing resource in the networked computer environment, based on the characteristics of the at least one computing resource, and a masquerading scheme implementer component to perform changes to the content of the data elements in the data traffic transmitted from the at least one computing resource to the data communication network based on the masquerading scheme, in order to provide a non-genuine view of the at least one computing resource.
30. The apparatus of claim 29 further comprising a verification component for detecting modifications to the real configuration of the network segment or to an at least one computational parameter, and activating the masquerading scheme computation component and the masquerading scheme implementer component in accordance with the detected modifications.
31. The apparatus of claim 29 wherein the segment of the networked computer environment comprises the whole network.
32. The apparatus of claim 29 wherein the segment of the networked computer environment is protected.
33. The apparatus of claim 29 wherein the masquerading scheme implementer component modifies data elements in the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
34. The apparatus of claim 29 wherein the masquerading scheme implementer component drops data elements from the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
35. The apparatus of claim 29 wherein the masquerading scheme implementer component adds data elements to the data traffic transmitted from the networked computer environment to the data communications network, according to the masquerading scheme.
36. The apparatus of claim 29 wherein the networked computer environment comprises a firewall device, the firewall device linked to at least one computing resource.
37. The apparatus of claim 29 wherein the networked computer environment comprises a routing device.
38. The apparatus of claim 29 wherein the masquerading device further comprises a poisoned tokens handler component to generate at least one poisoned token from an execution location in the networked computer environment thereby.
39. The apparatus of claim 29 wherein the masquerading device further comprises a computer resources characteristics table to store the genuine characteristics of the at least one computing resource.
40. The apparatus of claim 29 wherein the masquerading device further comprises an exposed vulnerabilities table to store known vulnerabilities associated with the at least one computing resource.
41. The apparatus of claim 29 wherein the masquerading device further comprises a masquerading scheme data structure to store the masquerading scheme.
42. The apparatus of claim 29 wherein the masquerading device further comprises a management interface to enable manual configuration of the computer resources characteristics table, the masquerading scheme table, and the rules table.
43. The apparatus of claim 29 wherein the masquerading device further comprises a data collector device to obtain, to collect, and to analyze data elements from data traffic flow transmitted between the networked computer environment and the data communications network.
44. The apparatus of claim 29 wherein the masquerading device further comprises a passive firewall access lists detector device to map firewalls access lists based on observed responses from the firewall device of the networked computer environment.
45. The apparatus of claim 29 wherein the masquerading device further comprises a firewall access lists parser device to map access lists obtained from the firewall on the masquerading device.
46. A computer program product comprising a computer usable medium having computer readable program code embodied in the medium for causing an application program to execute on a computer that provides a system for use with the dynamic masquerading apparatus, the computer readable program code comprising: a first computer readable program code for causing the computer to dynamically generate a masquerading scheme based on characteristics of computing resources; and a second computer readable program code for causing a computer to implement the masquerading scheme. a computer readable storage medium containing a set of instructions for a general purpose computer, the set of instructions comprising: a dynamic masquerading scheme generator routine for generating a masquerading scheme based on characteristics of computer resources; and a dynamic masquerading scheme implementation routine for implementing the masquerading scheme.
47. The product of claim 46 further comprising a masquerading scheme verification routine for detecting modifications to the real configuration of the network segment or to an at least one computational parameter, and activating the routines for generating and implementing the masquerading scheme in accordance with the real characteristics of the protected network segment and the real computational parameters.
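The claims above describe the scheme computation, implementer and verification components as an architecture. As an added example (not code from the patent or from Beefense Ltd), here is a small Python model of claims 5, 7, 25, 33 and 35: a scheme computed from constructed genuine characteristics and computational parameters, an implementer that rewrites or supplies outbound service banners, and a verifier that recomputes the scheme only when a characteristic or parameter changes. The host data, banners and the `compute_scheme`, `implement`, `fingerprint` and `verify` names are all assumptions.

```python
import hashlib
import json
# Constructed sample: genuine characteristics of two hosts in the protected segment.
GENUINE_HOSTS = {
    "10.0.0.5": {"os": "Linux 2.6",
                 "services": {22: b"SSH-2.0-OpenSSH_4.3", 80: b"Server: Apache/2.0.55"}},
    "10.0.0.6": {"os": "Windows 2003", "services": {445: b"SMB"}},
}
# Constructed sample: scheme-specific parameters (free IP, operator OS preference, virtual services), cf. claim 19.
PARAMS = {"free_ips": ["10.0.0.7"], "os_mask": "FreeBSD 6.0",
          "virtual_services": {21: b"220 vsFTPd 2.0.1", 3306: b"5.0.22-mysql"}}

def compute_scheme(hosts, params):
    """Scheme computation (claim 5): one consistent non-genuine view per IP."""
    scheme = {}
    for ip, host in hosts.items():
        ports = {}
        for port, banner in host["services"].items():
            # Real service: keep the protocol token, strip the version (claim 9).
            masked = banner.split(b"_")[0].split(b"/")[0]
            ports[port] = {"action": "modify", "genuine": banner, "banner": masked}
        for port, banner in params["virtual_services"].items():
            if port not in host["services"]:      # only free ports (claim 10)
                ports[port] = {"action": "add", "banner": banner}
        scheme[ip] = {"os": params["os_mask"], "ports": ports}
    for ip in params["free_ips"]:                 # virtual host and services (claims 12, 13)
        scheme[ip] = {"os": params["os_mask"], "ports": {
            p: {"action": "add", "banner": b} for p, b in params["virtual_services"].items()}}
    return scheme

def implement(scheme, ip, port, genuine_response):
    """Scheme implementer (claims 7, 33, 35): takes the data element the host would
    send (None when the port is closed) and returns what the segment actually emits."""
    entry = scheme.get(ip, {}).get("ports", {}).get(port)
    if entry is None:
        return genuine_response                   # outside the scheme: pass through
    if entry["action"] == "modify" and genuine_response is not None:
        return genuine_response.replace(entry["genuine"], entry["banner"])
    if entry["action"] == "add":
        return entry["banner"]                    # virtual service answers for a closed port
    return genuine_response

def fingerprint(hosts, params):
    """Digest over characteristics and parameters, used to detect changes (claim 25)."""
    blob = json.dumps([hosts, params], sort_keys=True, default=lambda b: b.decode())
    return hashlib.sha256(blob.encode()).hexdigest()

def verify(state):
    """Dynamic verification (claim 25): state holds hosts, params and the live scheme;
    the scheme is recomputed only on change. Returns True when it was refreshed."""
    fp = fingerprint(state["hosts"], state["params"])
    if fp == state.get("fp"):
        return False
    state["fp"], state["scheme"] = fp, compute_scheme(state["hosts"], state["params"])
    return True
```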
PCT/IL2006/000266 2005-03-04 2006-02-28 Method and apparatus for the dynamic defensive masquerading of computing resources WO2006092785A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US65820405P 2005-03-04 2005-03-04
US60/658,204 2005-03-04

Publications (2)

Publication Number Publication Date
WO2006092785A2 true WO2006092785A2 (en) 2006-09-08
WO2006092785A3 WO2006092785A3 (en) 2007-10-18

Family

ID=36941550

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2006/000266 WO2006092785A2 (en) 2005-03-04 2006-02-28 Method and apparatus for the dynamic defensive masquerading of computing resources

Country Status (1)

Country Link
WO (1) WO2006092785A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9027126B2 (en) 2012-08-01 2015-05-05 Bank Of America Corporation Method and apparatus for baiting phishing websites
US9094452B2 (en) 2012-08-01 2015-07-28 Bank Of America Corporation Method and apparatus for locating phishing kits

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020066034A1 (en) * 2000-10-24 2002-05-30 Schlossberg Barry J. Distributed network security deception system
US20020065930A1 (en) * 2000-03-07 2002-05-30 Rhodes David L. Collaborative host masquerading system
US6584569B2 (en) * 2000-03-03 2003-06-24 Sanctum Ltd. System for determining web application vulnerabilities

Also Published As

Publication number Publication date
WO2006092785A3 (en) 2007-10-18

Legal Events

Date Code Title Description
NENP Non-entry into the national phase in: Ref country code: DE
NENP Non-entry into the national phase in: Ref country code: RU
WWW Wipo information: withdrawn in national office; Country of ref document: RU
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 06711248; Country of ref document: EP; Kind code of ref document: A2
122 Ep: pct application non-entry in european phase; Ref document number: 06711248; Country of ref document: EP; Kind code of ref document: A2