WO2002098100A1 - Access control systems - Google Patents

Access control systems Download PDF

Info

Publication number
WO2002098100A1
WO2002098100A1 PCT/GB2001/002417 GB0102417W WO02098100A1 WO 2002098100 A1 WO2002098100 A1 WO 2002098100A1 GB 0102417 W GB0102417 W GB 0102417W WO 02098100 A1 WO02098100 A1 WO 02098100A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
computer
code
address
tcp
Prior art date
Application number
PCT/GB2001/002417
Other languages
French (fr)
Inventor
Peter Terrance Roux
Original Assignee
Preventon Technologies Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Preventon Technologies Limited filed Critical Preventon Technologies Limited
Priority to PCT/GB2001/002417 priority Critical patent/WO2002098100A1/en
Publication of WO2002098100A1 publication Critical patent/WO2002098100A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Definitions

  • the present invention generally relates to the control of access to computer systems by remote third parties. More particularly it relates to computer software, methods, and systems for restricting access to open ports of processes running on a computer to protect against, for example, attacks by hackers.
  • a computer is particularly vulnerable to attack by a hacker when it is connected to a computer network such as the Internet.
  • Communication over the Internet uses internet protocol (IP), under which data is transmitted in data packets to which IP adds an IP header.
  • IP header contains an IP source address, an IP destination address, checksum data, and other data such as time to live (TTL) data.
  • TTL time to live
  • the time to live data comprises a number which is decremented by one each time the IP packet passes through a router, the data packet being discarded when the number reaches zero. This prevents endless loops and also allows route tracing by incrementally increasing the time to live value of packets and monitoring how far they get.
  • IP address Every computer connected to the Internet has an internet or IP address, which is presently a 32 bit address arranged as four eight bit octets, for example 129.1.48.254.
  • IP Service Providers ISPs
  • IP address may be allocated by an ISP to a subscribing user either temporarily, for example on dial-up, or permanently.
  • ADSL asymmetrical digital subscriber line
  • a permanent IP address is normally allocated.
  • Internet resources such as web pages are located by means of uniform resource locators (URLs) which specify, among other things, a hostname of a computer on which the resource is stored. The URL is translated into an IP address by means of a domain name server or server tree.
  • URLs uniform resource locators
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • RDP Reliable Data Protocol
  • RFC 1700 RFC 1700.
  • the transmission control protocol breaks up data for communication over the Internet into a number of packets or datagrams, reassembles the datagrams in the correct order and performs error checking after transmission.
  • the internet protocol is responsible for routing the individual datagrams.
  • TCP adds a header to each datagram including, among other things, source and destination port number data, sequence number data (for reassembling the datagrams) and a selection of flags.
  • the flags include a Synchronize Sequence Numbers (SYN) flag which synchronizes sequence numbers to begin a connection, an Acknowledgement Field Significant (ACK) flag which, when set, indicates that the datagram includes acknowledgement data for confirming reception, and a Finish (FIN) flag which, which set, indicates that all the data has been sent.
  • SYN Synchronize Sequence Numbers
  • ACK Acknowledgement Field Significant
  • FIN Finish
  • IP packet 100 including a TCP datagram is shown schematically in Figure 1.
  • the IP data packet comprises an IP header 102, and a TCP header 104, as described above, and data 106.
  • TCP/IP is used to provide services available over the Internet such as a File Transfer Protocol (FTP), a Network Terminal Protocol (TELNET), a Simple Mail Transfer Protocol (SMTP), and other protocols such as the HyperText Transfer Protocol (HTTP) which is used for providing Hypertext Markup Language (HTML) documents on the World Wide Web.
  • FTP File Transfer Protocol
  • TELNET Network Terminal Protocol
  • SMTP Simple Mail Transfer Protocol
  • HTTP HyperText Transfer Protocol
  • HTML Hypertext Markup Language
  • a service When a connection is made to a computer specified by an IP address, a service may be requested by specifying a port.
  • a number of port numbers are conventionally assigned to specific services - for example FTP uses ports 20 and 21, and HTTP uses port 80.
  • port 139 provides NetBIOS session services for performing network operations on the computer.
  • a connection is established between client and server processes using pairs of sockets, each socket having a socket address comprising an internet address and a TCP port number.
  • TCP Transmission Control Protocol
  • a server process socket listens for a connection request and a client requests a connection to the socket.
  • data can be transmitted bidirectionally and transparently. This is known as stream communication; other protocols, such as UDP, use datagram communication in which the socket address of the receiving socket is sent in each datagram.
  • the other socket of the connection will have a port number selected more or less at random from those port numbers which are not reserved (ports 1024 and upwards). Programs to determine what ports on a computer are open for access are widely available for network administration purposes.
  • Figure 2 shows, schematically, connection of a user terminal, PC 200, to a server 202 via an internet service provider 204 over the Internet.
  • User PC 200 comprises operating system software 206 and application layer software 208.
  • the operating system software includes point-to-point protocol (PPP) software 201 and a TCP IP stack 212.
  • the application layer software includes a web browser 214 such as Microsoft Internet Explorer (Registered Trade Mark), and other application programs 216 such as MS Word, MS Excel, games software such as Doom, communications software such as PC Anywhere (Trade Mark), e-mail software, NetBIOS software, and the like.
  • the application layer software communicates with the operating system software for communication and other purposes (for ease of illustration other details of the operating system software are not shown).
  • PC 200 is connected to a modem 218, which may be internal, which in turn is coupled to a telephone line 220 for connecting PC 200 to the Internet.
  • Modem 218 may be a conventional audio modem or an ADSL modem or, where PC 200 is connected to the Internet via a cable TV link, a cable modem.
  • Modem 218 communicates with a similar modem 222 coupled to Internet service provider computer system 204; in general modem 222 will be one of many ISP modems.
  • ISP computer system 204 includes PPP software 224, which communicates with PPP software 210 in the user PC to allow a modem connection to be established between the user PC 200 and the ISP computer system 204.
  • the ISP computer system also includes a TCP/IP stack 226 and, once the modem connection has been established, TCP/IP stacks 212 and 226 establish a TCP/IP communications link through which further communications between PC 200 and ISP 204 take place.
  • ISP computer system 204 is also coupled to internet communications network 201 by means of one or more high bandwidth fixed lines 228. Also coupled to internet communications network 201 is server computer system 202, also including a TCP/IP stack 230, as well as web server code 232 and web page data 234.
  • the ISP computer system 204 includes DNS software 236 for resolving URLs, such as a URL for server 202, to IP addresses.
  • Figure 2 also illustrates a hacker computer system 203, connected to internet 201 for hacking into PC 200.
  • the hacker computer system again includes a TCP/IP stack 238, as well as application software 240 such as port scan software and other software usable for hacking.
  • Figure 3 shows, in outline, data communications involved in setting up a TCP/IP link between user PC 200 and ISP 204 and retrieving web page data from server 202.
  • Figure 3 also shows outline details of a hacker attack on PC 200.
  • An initial exchange 300 sets up a TCP/IP connection between PC 200 and ISP 204. This comprises an PPP communication 302 from PC 200 to establish a TCP/IP link 304.
  • the TCP/IP connection links to web browser 214 and thus uses port 80 on PC terminal 200, at the user's IP address, and an arbitrarily allocated port number at the ISP IP address.
  • web browser 214 is the client.
  • web browser 214 can retrieve web page data from server 202, as illustrated by data communications 306: browser 214 sends an HTTP request 308 including the URL of server 202 to ISP computer system 204.
  • ISP DNS code 236 resolves the URL to an IP address (normally by accessing one or more external servers) and then forwards HTTP request 310 to the server.
  • Web server process 232 on server 202 responds to the HTTP request by sending HTTP data 312, comprising HTML web page data, to the IP address of PC 200 via ISP 204.
  • the average home user has four or five open ports providing server processes which a hacker may access.
  • Microsoft Internet Explorer processes hyperlinks with a .doc or .xls extension to provide an "Open or Save As" dialogue box which will open Word or Excel as a server for the remote document.
  • games or communications software running on a PC will often provide a server socket process.
  • Microsoft Windows also runs a number of server processes by default, such as NetBIOS (which provides a server socket port 139), and the Windows 2000 printer server process. These may be exploited by a hacker, for example by means of command line buffer overflow.
  • Data communications 314 illustrate, in outline, connection of hacker computer system 203 to user PC 200.
  • a request 316 to connect to an open socket of a server process on PC 200 is sent to an open port at the PC IP address.
  • the hacker may either scan PC 200 for open ports or simply try those ports which are commonly left open.
  • a TCP/IP link 318 with the hacker computer system 203 is established.
  • commands and code may be uploaded and data on PC 200 may be examined and/or modified.
  • User PC 200 may also be used by the hacker for a further attack on another computer system. For example a distributed denial of service attack may be made on an internet service provider, a large number of separate home PCs being arranged to simultaneously access the ISP to bring its computer systems to a halt.
  • Establishing a TCP/IP connection to a user PC 200 can take some time and may therefore be difficult where a PC is only allocated an IP address on connection to an ISP.
  • a PC is only allocated an IP address on connection to an ISP.
  • the vulnerability to hacking is increased.
  • a carrier medium carrying computer readable code for controlling a computer to restrict access to said computer, said computer being couplable to a network and, when coupled to the network, having a network address; the code comprising: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address.
  • the carrier medium may be a storage medium such as a hard or floppy disk or CD-ROM, or an optical or electrical signal carrier.
  • a hacker By redirecting the incoming data packet on from its supposed final destination a hacker may be deceived into thinking that the message correctly arrived at its destination without being alerted to the presence of access control software.
  • the data packet may either be diverted to a non-responding address, in which case the hacker may assume that a port connection is not in fact present, or the data packet may be directed to another computer such as a "honeypot" server.
  • the purpose of such a "honeypot” server is to deceive a hacker into thinking that a connection with the target computer has been made when in fact the connection has been diverted to another computer, preferably configured to resemble, at least superficially, the main features a hacker would expect to find on the target machine.
  • Such a "honeypot” server may also be used to monitor a hacker's activities and, in some instances, to trap a hacker.
  • the incoming data packet comprises internet protocol data including a destination internet address which is modified to redirect the data packet. If no response is desired the data packet may be redirected to an impermitted or invalid IP address, such as a broadcast address (for example 255.255.255.255) or a reserved address. Alternatively the data packet may be redirected to the IP address of another computer such as a honeypot server.
  • the honeypot server can be implemented on the target computer but for security it is preferably implemented on a different machine.
  • An IP data packet from a hacker or other undesirable source will generally include data for communicating with or connecting to a server process of the computer.
  • the code may be configured to handle a TCP, UDP, RDP, or other protocol data packet.
  • the data packet further comprises port number data for specifying a port number of the computer server process.
  • the code preferably further comprises code to modify the port number data to redirect the data packet to a port at the modified (IP) network address.
  • IP modified
  • a mapping table is included for mapping an incoming request to connect to a data port to a modified (IP) address and, optionally, a modified port number.
  • IP IP
  • a modified port number may comprise a plurality of entries each comprising a port number for an incoming data connection request, and a corresponding redirection IP address and, optionally, redirection port number.
  • a user interface is also provided to allow the data in this table to be set up. This provides a simple and readily understandable way of setting up redirection rules. It will be appreciated that with this arrangement there is no need to redirect all incoming requests to connect to a (server) port and, if desired, a user may select some ports for mapping to a redirected address, and others to remain open.
  • the redirection process leaves the time to live data or "hop count" of the incoming (IP) data packet unchanged. This provides an additional layer of security against an attempt to trace the route the packet has taken and hence detect the redirection.
  • an additional option is provided to automatically close a connection to a port after the link has been inactive for a predetermined time and/or a predetermined time after the cessation of reception of incoming data.
  • the TCP FIN flag is set to indicate the end of a data stream, and by setting a time-out a predetermined interval after the non-appearance of a FIN flag, denial of service attacks can be helped to be prevented.
  • the invention provides a carrier medium carrying computer readable code for redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the code comprising: code for receiving at an IP destination address an incoming TCP/IP connection request to connect to a server process at the IP destination address, the TCP/IP connection request having IP header data including the IP destination address; code for modifying at least said IP destination address of said TCP/IP connection request; and code for forwarding the said TCP/IP connection request to said modified address.
  • TCP/IP transmission control protocol/internet protocol
  • the invention provides a method of restricting access to a computer coupled to a computer network, the computer having a computer network address, the method comprising: receiving at the computer, from the network, a data packet having said computer network address as a destination address; modifying said destination address of said data packet; and passing said modified data packet to a data transmission process for forwarding said data packet to said modified address.
  • the invention provides a method of redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the method comprising: receiving an incoming TCP/IP connection request including IP header data having an IP destination address; modifying at least said IP destination address of said TCP/IP connection request; and forwarding the said TCP/IP connection request to said modified address.
  • TCP/IP transmission control protocol/internet protocol
  • the invention provides a method of restricting access to a communications socket of a computer program, the communications socket having an address comprising a port number and a network address, the method comprising: receiving, at the network address, data intended for the computer program communications socket; modifying the received data to specify an alternative socket address; and redirecting the data to the alternative socket address.
  • the alternative socket address comprises the socket address of a computer program running on another machine such as a honeypot server, configured to resemble the target computer but with false, misleading, or spoof information.
  • This machine may be used to monitor access to the communication socket, for example to trap the hacker.
  • the invention provides a method of managing attempted accesses to a target computer system, the method comprising: receiving, at the computer system, a request for an internet protocol (IP) session with the computer system from a remote user; and redirecting the request to a second computer system.
  • IP internet protocol
  • the redirection is substantially transparent to the remote user so that without careful monitoring the redirection is not apparent to the remote user.
  • the above-described methods may be implemented by computer program code stored, for example, on a computer readable medium such as a disk.
  • the code may comprise source or executable code, and may be written in any conventional computer language.
  • the invention provides computer processing apparatus comprising: a data memory operable to store data to be processed; an instruction memory operable to store one or more application programs providing a network server function, and storing processor implementable code; a processor operable to process the data in accordance with the stored code; a network interface for coupling the apparatus to a network; and wherein the stored processor implementable code further comprises: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address to restrict access to a said application program server function.
  • Figure 1 shows a TCP/IP data packet
  • Figure 2 shows a schematic block diagram of a user terminal connected to a server via an internet service provider
  • Figure 3 shows an outline data communications diagram for the arrangement of Figure 2, illustrating a hacker attack
  • Figure 4 shows a schematic diagram of a computer network including a computer with access control software, and a honeypot server;
  • Figure 5 shows an exemplary user interface for an access control program
  • Figure 6 shows a data flow diagram for redirection of an incoming TCP/IP connection request from a hacker computer
  • Figure 7 shows a flowchart for the redirection process of Figure 6.
  • PC 400 comprises a general purpose computer system, similar to PC 200 of figure 2, onto which additional access control software 402 has been loaded.
  • computer 400 stores operating system program code 210, 212 for implementing PPP and TCP/IP protocols, and application code 214, 216 for a web browser and other application programs.
  • Computer 400 is cormectable to a modem 218 for connection to Internet 201 via ISP 204 over a telephone line or other data link.
  • Computer 400 also includes volatile and non-volatile data storage, a keyboard, mouse, and display and other conventional components not shown in figure 3.
  • Access control software 402 is additionally loaded onto computer 400.
  • This software may be provided to computer 400 on a removable storage device 404, such as a floppy disk, or this software may be downloaded from a server over the internet.
  • the access control software 402 comprises an access control user interface 402a coupled to a network device driver 402b.
  • User interface 402a allows the network device driver software 402b to be configured to redirect incoming data packets, such as TCP/IP data packets from hacker computer system 402 requesting set-up of a socket connection to application program 216 or to operating system programs running on computer 400.
  • the access control software 402 operates to re-direct incoming TCP/IP requests, as described in more detail below.
  • the network device driver 402b When installed, the network device driver 402b in effect provides a filter function for incoming IP data.
  • network device driver 402b is set up as the default device driver for network communications (where multiple device drivers are present in a Windows system, each is tried in turn by the system).
  • Device driver 402b runs as part of the kernel of the computer system, and is accessed by applications via kernel drivers which are part of the operating system software.
  • the network device driver may be implemented using a Microsoft DDK (device driver kit) such as the 98 DDK (for Windows 95 and 98) or the NT DDK (for Windows NT and 2000).
  • a Microsoft DDK device driver kit
  • 98 DDK for Windows 95 and 98
  • NT DDK for Windows NT and 2000
  • Implementing the device driver is relatively straightforward as use may be made of existing operating system routines such as DLLs (Dynamically Linked Library routines) to provide the necessary low level functions such as packet send, packet receive, packet get address, packet open adapter, get adapter name, and the like.
  • DLLs Dynanamically Linked Library routines
  • dynamic linking for example using shared object files under SunOS/Solaris (registered trade marks) operating systems.
  • a honeypot server computer system 406 is, optionally, also provided. Like computer 400, computer system 406 comprises a general purpose computer suitably programmed. Thus honeypot server 406 is couplable to a modem 408 for connecting the server to Internet 201 and, like computer 400, includes PPP operating system code 410 and TCP/IP operating system code 412. At least one server process 414 is also loaded onto the honeypot computer system to allow hacker system 203 to connect to honeypot server 406.
  • the honeypot server is loaded with a mirror of the applications on user PC 400, and thus includes, for example, a web browser such as browser 214 and other application programs corresponding to the set of application programs loaded onto user PC 400.
  • Spoof data (not shown in Figure 3) may also be loaded onto honeypot server 406 to simulate what a hacker might expect to see when connecting to user PC 400.
  • confidential data is preferably not placed on this server. Broadly speaking, the idea is to re-direct a request from hacker computer system 203 to connect to user PC 400 to the honeypot server 406, without making the hacker aware of the redirection.
  • the hacker will therefore imagine he or she is connected to user PC 400, and data is loaded onto honeypot server 406 to maintain this subterfuge. In fact the hacker will have been directed away from sensitive data to a computer system on or from which relatively little harm can be done.
  • monitoring software 416 may be loaded onto honeypot server 406 to monitor a hacker's actions.
  • This monitoring software should preferably be difficult to find or substantially invisible to the hacker; the monitoring software may attempt to determine details of the hacker computer system 203.
  • server 406 may be provided with an easy to break password and data of potential interest to a hacker, such as spoof password files, spoof credit card details and the like.
  • Figure 5 shows an exemplary user interface 500 for access control software 402.
  • a user is presented with a table comprising three columns.
  • a Port In column 502 an IP (address) Out column 504, and a Port Out column 506.
  • the Port In column is used for defining open ports to server processes on computer 400 which are to be redirected, and the IP (address) Out and Port Out columns are for entering an IP address and port to which data packets for the ports to be protected are to be redirected.
  • IP address 1.2.3.4 is the IP address of honeypot server 406, onto which are loaded web browser and NetBIOS application programs to give the impression that a connection to user PC 400 has been established when, in fact, the connection is to honeypot server 406.
  • an incoming FTP request (port 21) is redirected to IP address 255.255.255.0 which is a broadcast address and will not therefore allow a socket connection to be established.
  • the port number (port 1) is arbitrary.
  • port 1025 is redirected to port 1035 at the honeypot server's IP address of 1.2.3.4.
  • Port 1025 of user PC 400 may correspond to one of the other application programs 216 installed on the PC, such as a game or Microsoft Word, and this is redirected to the appropriate port for the corresponding application on honeypot server 406.
  • the port number is not conserved since it is not one of the pre-assigned "well-known" port numbers.
  • the redirection mapping table provides a relatively straightforward user interface for defining redirection rules for redirecting incoming TCP/IP data packets.
  • the user interface is implemented by access control user interface software component 402a, which creates a redirection or mapping table storing corresponding data, for use by network device driver 402b in redirecting incoming data packets.
  • PC 400 and honeypot server 406 are shown as having separate connections to ISP 204.
  • PC 400 and server 406 may both be connected to a local area network (LAN) or wide area network (WAN) which in turn is connected to an internet service provider via a gateway also coupled to the network.
  • LAN local area network
  • WAN wide area network
  • this shows signalling in a TCP/IP handshaking process 600 used to establish a connection between a client hacker computer system 203 and a honeypot server 406 when an incoming connection request from hacker computer system 203 is initially directed to user PC 400.
  • a first TCP/IP data packet is sent from hacker computer system 203 to the hacker's target, user PC 400.
  • This initial TCP/IP data packet has the general form indicated in Figure 1, and has an IP header specifying, among other things, an IP source address (the IP address of hacker computer system 203), an IP destination address (the IP address of user PC 400), time to live data, and a protocol number specifying that the IP data packet includes TCP data.
  • a TCP header including, among other things, a source port number (the source port of hacker computer system 203), a destination port number (specifying the port number of an open server process running on user PC 400, although in some circumstances this port number will not yet have been defined), sequence number data, acknowledgement number data, and a number of flags.
  • a hacker may attempt to gain illicit access to a computer system by providing TCP/IP data packets which are not in accordance with agreed standards, and preferably the access control software 402 is capable of handling such data packets.
  • network device driver 402b modifies at least the IP header data of the incoming data packet to change the destination address to the IP address of honeypot server 406.
  • the modified TCP/IP data packet 604 is then sent to honeypot server 406.
  • This initial TCP/IP data packet contains connection initialization information in the TCP header for establishing a connection between the hacker computer system and another computer system.
  • the honeypot server 406 Once the honeypot server 406 has received the modified data packet 604, it provides an ICMP (internet control message protocol) response 606 within an IP data packet having the IP address of user PC 400 as its destination address.
  • ICMP Internet control message protocol
  • the network device driver 402b on user PC 400 modifies the destination address in the IP header to substitute the IP address of hacker computer system 203, and a modified ICMP response 608 is then sent to the hacker computer system.
  • ICMP returns a "0" to indicate success delivery of a TCP/IP data packet, and returns a "3" to indicate an undeliverable data packet.
  • the ICMP protocol may also return a redirect instruction to indicate that future packets should be sent to an alternative IP address. This may be used internally by access control software 402 but, as will be appreciated, a "redirect" ICMP response is preferably not returned to hacker computer system 203 as such a redirection response would be readily discoverable.
  • This system issues a TCP link set-up request 601, in accordance with the usual TCP three-way handshaking procedure.
  • This link set-up request has the TCP SYN flag set and will usually include a datagram sequence number (for ordering received datagrams).
  • This TCP SYN request is again packaged in an IP data packet having the IP address of user PC 400 as the IP header destination address.
  • This IP packet is received by user PC 400 and network device driver 402b again modifies the destination address to that of honeypot server 406 and forwards a TCP SYN request 612 to honeypot server 406.
  • the network device driver 402b modifies the destination port number data in the TCP datagram header (there are no port numbers in ICMP messages).
  • the honeypot server Following reception of TCP SYN request 612 by honeypot server 406, the honeypot server issues a conventional TCP response 614 comprising an ACK flag, to acknowledge the SYN flag from hacker computer system 203, and its own SYN flag to establish a connection with hacker computer system 203. Generally, associated with the ACK flag, is acknowledge number data indicating the next sequence number the server is expecting. Finally hacker client computer system 203 issues its TCP ACK response 616 to the TCP SYN request 614 from honeypot server 406, completing the three-way TCP handshake and establishing a data link between hacker computer system 203 and honeypot server 406.
  • the TCP SYN, ACK response 614 and TCP ACK response 616 are both packaged within IP data packets, but at this stage the IP header for data packets exchanged between honeypot server 406 and hacker system 203 uses the IP address of honeypot server 406 rather than the IP address of user PC 400. Thus when data link 618 is established, packets of IP data exchanged over this link have source and destination IP addresses of the honeypot server 406 and of the hacker computer system 203, rather than being redirected via user PC 400.
  • the TCP/IP data link has already been at least partially established and the fact that the TCP responses are now enclosed within IP data packets which are going directly to and from the honeypot server 406 is not readily apparent to most software, although it could be detected by examining the data at a low level such as the IP level.
  • the TCP/IP data packets may always be routed via user PC 400, by modifying the source or destination address of the IP packet headers as necessary, optionally also modifying the TCP header port number data and, preferably, maintaining the IP packet header time-to- live data unchanged.
  • TTL time-to-live
  • TCP datagrams may be fragmented at the IP level, and this is indicated by a fragmentation flag in the IP header.
  • this fragmentation flag may be inspected to determine whether or not an IP data packet carries data which has already been checked. If a determination has been made as to whether or not a (fragmented) packet is to be redirected, the (fragmented) packet need not be checked again.
  • a loophole in the TCP specification can cause a TCP handshaking processing to hang if a TCP/IP data packet is sent specifying a non-existent source IP address.
  • the Windows implementation of TCP times-out after 75 seconds but this time-out can be circumvented by issuing more than 6 non-standard TCP/IP data packets. These holes can be used to mount a denial of service attack on a system.
  • the TCP Finish control flag FIN is usually set to request normal termination of a TCP connection in the direction the datagram containing the flag is travelling (one FIN in each direction is required to completely close a connection).
  • An optional additional feature of access control software 402 therefore monitors the status of a TCP connection and where a FIN flag is not provided following a predetermined time-out period of inactivity, the connection can be closed. This assists in countering such denial of service attacks.
  • the time-out period may be initiated by cessation of data reception or by inactivity of a TCP connection.
  • this shows a flow diagram for the redirection process of figure 6 implemented by the network device driver 402b of access control software 402.
  • the process illustrated in figure 7 is initialized, at step S10, by reception of an incoming TCP/IP data packet requesting connection to a port of a server process running on user PC 400.
  • the access control software reads the destination port number of the TCP header and compares this against incoming port number entries in a redirection table such as the redirection mapping table illustrated in figure 4. If, at step SI 2, there is no entry for the destination port number in the table the procedure continues to step SI 3, and the TCP/IP data packet is permitted to be processed by the server process identified by the TCP destination port number, and the procedure then ends at step SI 4. Processing of the data packets by the identified server process is, in effect, a default state of the access control software which, by not modifying the incoming data packet, allows the data to be processed in the normal way.
  • the procedure continues to step SI 5 and the IP address of hacker computer system 203 is stored for later use. Then, at step SI 6, the new destination IP address and, optionally, the new port number for the data packet is retrieved from the redirection table.
  • the new destination IP address could be an address such as a broadcast address from which no reply would be provided or an invalid or non-existent IP address such as an (as yet) unused class D or E internet address (addresses from 224 onwards) but for the purposes of illustration the new destination IP address will be assumed to be the IP address of honeypot server 406, and the new port number that of a server process running on the honeypot server to give the hacker the impression that access to user PC 400 has successfully been achieved.
  • the access control code replaces the destination IP address and, optionally, port number of the incoming TCP/IP data packet with the new destination IP address and port number of the honeypot server and server process. Then, at step SI 8, the modified TCP/IP data is forwarded to the honeypot server and, at step SI 9, an ICMP response is received back from the honeypot server by user PC 400.
  • the ICMP response is contained within an IP data packet and, at step S20, the source IP address in the IP header of the data packet is replaced with the IP address of the user PC 400 and, at step S21, the destination IP address in the IP header is replaced with the IP address of hacker computer system 203 (stored in step SI 5).
  • The, at step S22, the modified ICMP data packet is forwarded to hacker computer system 203, appearing to come from user PC 400 rather than from honeypot server 406.
  • the hacker computer system 203 issues a TCP SYN request which, at step S23, is received by user PC 400.
  • the access control software on user PC 400 replaces the destination IP address and, optionally, port number in the received IP packet containing the TCP SYN request, with the IP address and port number of a server process running on honeypot server 406.
  • the modified TCP SYN request (in an IP data packet) is then forwarded, at step S25, to the honeypot server for processing by the honeypot server TCP/IP stack 412.
  • the honeypot server then continues with the conventional TCP handshaking procedure as described with reference to figure 6 above to complete the establishment of data link 618 between the hacker computer system 203 and the honeypot server 406.
  • the access control software on user PC 400 however awaits receipt of a further incoming TCP/IP data packet requesting connection to a user PC server process (step S26) and on detection of such a packet, at step S27, loops back to starting step S10.
  • step S25 the subsequent TCP signals, TCP SYN, ACK response 614, and TCP ACK response 616, and the TCP/IP data link 618 are all passed through user PC 400 by substitution of source and destination IP addresses and port numbers as appropriate to provide a still greater degree of security.
  • UDP user datagram protocol
  • UDP user datagram protocol
  • RDP reliable data protocol
  • the above- described access control software may readily be configured to handle either TCP, UDP, or RDP data, redirecting incoming data based upon destination port number as described above. Again, as described above, the redirection may be to a non-existent IP address or to an IP address and port number of another server process on another machine such as honeypot server 406.
  • the access control software has been described in the context of a user personal computer connected to the Internet via a modem connection to an internet service provider but the software may also be employed on a computer connected to the Internet via a LAN or WAN and gateway.
  • the access control methods described above are not restricted to Windows-based environments, but may also be used with other operating systems such as Linux, Unix, the Mackintosh Operating System, OS/2, and other operating systems.
  • the above-described software and methods are not limited to use on IBM PCs, but may be used on other general-purpose micro or mini computers, on workstations and more powerful machines, and on servers in general.
  • the invention may also be applied to internet-enabled devices incorporating computers connected or connectable to the Internet or another IP network, such as internet-enabled domestic appliances, internet-enabled vending machines, and the like.
  • the invention is not limited to use with the Internet, and it may be used with other IP networks such as an Intranet or Extranet, as well as with non-IP networks.
  • IP networks such as an Intranet or Extranet
  • the invention may be employed with 3G web-enabled mobile phones and with PDAs (personal digital assistants).
  • PDAs personal digital assistants
  • redirection of a data packet may, for example, be employed with Bluetooth (Registered Trade Mark) enabled devices which have network addresses.

Abstract

A system, method, and computer software for controlling access to computer systems by third parties such as hackers. Software (402) detects attempeted accesses to ports of open server processes on a computer (400) and redirects such attempted accesses, preferably transparently. The hacker may be redirected to a honeypot server (406) arranged to resemble the target computer, to deceive the hacker into thinking the attempted access was successful. The software improves computer security and can assist in monitoring and trapping hackers.

Description

ACCESS CONTROL SYSTEMS
Field of the Invention
The present invention generally relates to the control of access to computer systems by remote third parties. More particularly it relates to computer software, methods, and systems for restricting access to open ports of processes running on a computer to protect against, for example, attacks by hackers.
Background to the Invention
The increasing sophistication of computers, particularly computers for home and small business use, increases the likelihood of leaving vulnerable backdoors of which hackers may take advantage. Sometimes such computers (or "PCs") store credit card data or other confidential information, but even where a user is not particularly concerned about the confidentiality of data stored on a computer, the computer may nonetheless be employed by a hacker as the basis for an attack on another computer system. It is therefore generally desirable to restrict the access of hackers to such computers.
A computer is particularly vulnerable to attack by a hacker when it is connected to a computer network such as the Internet. Communication over the Internet uses internet protocol (IP), under which data is transmitted in data packets to which IP adds an IP header. The IP header contains an IP source address, an IP destination address, checksum data, and other data such as time to live (TTL) data. The time to live data comprises a number which is decremented by one each time the IP packet passes through a router, the data packet being discarded when the number reaches zero. This prevents endless loops and also allows route tracing by incrementally increasing the time to live value of packets and monitoring how far they get. Every computer connected to the Internet has an internet or IP address, which is presently a 32 bit address arranged as four eight bit octets, for example 129.1.48.254. Internet Service Providers (ISPs) are generally allocated a range of internet addresses which they can allocate to users. An IP address may be allocated by an ISP to a subscribing user either temporarily, for example on dial-up, or permanently. Where a user accesses the Internet using an ADSL (asymmetrical digital subscriber line) modem or other "always on" technology a permanent IP address is normally allocated. Internet resources such as web pages are located by means of uniform resource locators (URLs) which specify, among other things, a hostname of a computer on which the resource is stored. The URL is translated into an IP address by means of a domain name server or server tree.
A range of additional protocols are used over the internet protocol, the most common of which is Transmission Control Protocol (TCP). Other protocols running over IP include UDP (User Datagram Protocol), and RDP (Reliable Data Protocol) - a more complete list can be found in RFC 1700. The transmission control protocol breaks up data for communication over the Internet into a number of packets or datagrams, reassembles the datagrams in the correct order and performs error checking after transmission. The internet protocol is responsible for routing the individual datagrams. Like IP, TCP adds a header to each datagram including, among other things, source and destination port number data, sequence number data (for reassembling the datagrams) and a selection of flags. The flags include a Synchronize Sequence Numbers (SYN) flag which synchronizes sequence numbers to begin a connection, an Acknowledgement Field Significant (ACK) flag which, when set, indicates that the datagram includes acknowledgement data for confirming reception, and a Finish (FIN) flag which, which set, indicates that all the data has been sent. Depending upon the amount of data to be sent, one or more datagrams may be necessary.
An IP packet 100 including a TCP datagram is shown schematically in Figure 1. The IP data packet comprises an IP header 102, and a TCP header 104, as described above, and data 106. TCP/IP is used to provide services available over the Internet such as a File Transfer Protocol (FTP), a Network Terminal Protocol (TELNET), a Simple Mail Transfer Protocol (SMTP), and other protocols such as the HyperText Transfer Protocol (HTTP) which is used for providing Hypertext Markup Language (HTML) documents on the World Wide Web. These services are provided as client/server services, a server providing services for other computers coupled to the network.
When a connection is made to a computer specified by an IP address, a service may be requested by specifying a port. A number of port numbers are conventionally assigned to specific services - for example FTP uses ports 20 and 21, and HTTP uses port 80. On home computers port 139 provides NetBIOS session services for performing network operations on the computer.
A connection is established between client and server processes using pairs of sockets, each socket having a socket address comprising an internet address and a TCP port number. Under TCP a server process socket listens for a connection request and a client requests a connection to the socket. Once two sockets have been connected data can be transmitted bidirectionally and transparently. This is known as stream communication; other protocols, such as UDP, use datagram communication in which the socket address of the receiving socket is sent in each datagram. Generally although one socket will have an assigned port number, the other socket of the connection will have a port number selected more or less at random from those port numbers which are not reserved (ports 1024 and upwards). Programs to determine what ports on a computer are open for access are widely available for network administration purposes.
Figure 2 shows, schematically, connection of a user terminal, PC 200, to a server 202 via an internet service provider 204 over the Internet.
User PC 200 comprises operating system software 206 and application layer software 208. The operating system software includes point-to-point protocol (PPP) software 201 and a TCP IP stack 212. The application layer software includes a web browser 214 such as Microsoft Internet Explorer (Registered Trade Mark), and other application programs 216 such as MS Word, MS Excel, games software such as Doom, communications software such as PC Anywhere (Trade Mark), e-mail software, NetBIOS software, and the like. The application layer software communicates with the operating system software for communication and other purposes (for ease of illustration other details of the operating system software are not shown).
PC 200 is connected to a modem 218, which may be internal, which in turn is coupled to a telephone line 220 for connecting PC 200 to the Internet. Modem 218 may be a conventional audio modem or an ADSL modem or, where PC 200 is connected to the Internet via a cable TV link, a cable modem. Modem 218 communicates with a similar modem 222 coupled to Internet service provider computer system 204; in general modem 222 will be one of many ISP modems.
ISP computer system 204 includes PPP software 224, which communicates with PPP software 210 in the user PC to allow a modem connection to be established between the user PC 200 and the ISP computer system 204. The ISP computer system also includes a TCP/IP stack 226 and, once the modem connection has been established, TCP/IP stacks 212 and 226 establish a TCP/IP communications link through which further communications between PC 200 and ISP 204 take place.
ISP computer system 204 is also coupled to internet communications network 201 by means of one or more high bandwidth fixed lines 228. Also coupled to internet communications network 201 is server computer system 202, also including a TCP/IP stack 230, as well as web server code 232 and web page data 234. The ISP computer system 204 includes DNS software 236 for resolving URLs, such as a URL for server 202, to IP addresses.
Figure 2 also illustrates a hacker computer system 203, connected to internet 201 for hacking into PC 200. The hacker computer system again includes a TCP/IP stack 238, as well as application software 240 such as port scan software and other software usable for hacking. Figure 3 shows, in outline, data communications involved in setting up a TCP/IP link between user PC 200 and ISP 204 and retrieving web page data from server 202. Figure 3 also shows outline details of a hacker attack on PC 200.
An initial exchange 300 sets up a TCP/IP connection between PC 200 and ISP 204. This comprises an PPP communication 302 from PC 200 to establish a TCP/IP link 304. In the illustrated example the TCP/IP connection links to web browser 214 and thus uses port 80 on PC terminal 200, at the user's IP address, and an arbitrarily allocated port number at the ISP IP address. For this connection web browser 214 is the client.
Once a TCP/IP link has been established between PC terminal 200 and ISP 204 web browser 214 can retrieve web page data from server 202, as illustrated by data communications 306: browser 214 sends an HTTP request 308 including the URL of server 202 to ISP computer system 204. At the ISP DNS code 236 resolves the URL to an IP address (normally by accessing one or more external servers) and then forwards HTTP request 310 to the server. Web server process 232 on server 202 responds to the HTTP request by sending HTTP data 312, comprising HTML web page data, to the IP address of PC 200 via ISP 204.
Generally speaking, at any one time the average home user has four or five open ports providing server processes which a hacker may access. For example Microsoft Internet Explorer (Trade Mark) processes hyperlinks with a .doc or .xls extension to provide an "Open or Save As" dialogue box which will open Word or Excel as a server for the remote document. Similarly games or communications software running on a PC will often provide a server socket process. Microsoft Windows (Registered Trade Mark) also runs a number of server processes by default, such as NetBIOS (which provides a server socket port 139), and the Windows 2000 printer server process. These may be exploited by a hacker, for example by means of command line buffer overflow.
Data communications 314 illustrate, in outline, connection of hacker computer system 203 to user PC 200. Initially a request 316 to connect to an open socket of a server process on PC 200 is sent to an open port at the PC IP address. The hacker may either scan PC 200 for open ports or simply try those ports which are commonly left open. Following this a TCP/IP link 318 with the hacker computer system 203 is established. Once this communications link has been established commands and code may be uploaded and data on PC 200 may be examined and/or modified. User PC 200 may also be used by the hacker for a further attack on another computer system. For example a distributed denial of service attack may be made on an internet service provider, a large number of separate home PCs being arranged to simultaneously access the ISP to bring its computer systems to a halt.
Establishing a TCP/IP connection to a user PC 200 can take some time and may therefore be difficult where a PC is only allocated an IP address on connection to an ISP. However, with the growth of "always on" technology, and the tendency to assign permanent IP addresses to users, the vulnerability to hacking is increased.
It is known to provide personal firewall software to check for incoming connection requests on specified ports and then block such requests, but this approach has a number of problems. Generally such software is complicated and difficult to set up, involving the definition of a number of rules which can interact. Furthermore such firewalls prevent a hacker from connecting to a socket by simply blocking an open port, which can alert a hacker to the presence of sensitive information. In combination with the difficulty of closing down all the potential holes in a system such personal firewalls can, in some instances, create more problems that they solve.
There therefore exists a need to provide improved software and methods for restricting access of hackers to computers, and particularly to home and small business computers. There exists a further need to provide improved software and methods for monitoring such attempted attacks.
Summary of the Invention
According to the present invention, there is therefore provided a carrier medium carrying computer readable code for controlling a computer to restrict access to said computer, said computer being couplable to a network and, when coupled to the network, having a network address; the code comprising: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address.
The carrier medium may be a storage medium such as a hard or floppy disk or CD-ROM, or an optical or electrical signal carrier.
By redirecting the incoming data packet on from its supposed final destination a hacker may be deceived into thinking that the message correctly arrived at its destination without being alerted to the presence of access control software. The data packet may either be diverted to a non-responding address, in which case the hacker may assume that a port connection is not in fact present, or the data packet may be directed to another computer such as a "honeypot" server. The purpose of such a "honeypot" server is to deceive a hacker into thinking that a connection with the target computer has been made when in fact the connection has been diverted to another computer, preferably configured to resemble, at least superficially, the main features a hacker would expect to find on the target machine. Such a "honeypot" server may also be used to monitor a hacker's activities and, in some instances, to trap a hacker.
In a preferred embodiment the incoming data packet comprises internet protocol data including a destination internet address which is modified to redirect the data packet. If no response is desired the data packet may be redirected to an impermitted or invalid IP address, such as a broadcast address (for example 255.255.255.255) or a reserved address. Alternatively the data packet may be redirected to the IP address of another computer such as a honeypot server. The honeypot server can be implemented on the target computer but for security it is preferably implemented on a different machine.
An IP data packet from a hacker or other undesirable source will generally include data for communicating with or connecting to a server process of the computer. The code may be configured to handle a TCP, UDP, RDP, or other protocol data packet. In the case of TCP, UDP and RDP protocols the data packet further comprises port number data for specifying a port number of the computer server process. Thus the code preferably further comprises code to modify the port number data to redirect the data packet to a port at the modified (IP) network address. This allows a server process on, for example, a honeypot server to handle the incoming data packet and provide a spoof response to a hacker. It may not be necessary to modify the port number of the incoming data packet where, for example, a server process with the same port number is set up on a honeypot server to handle the data packet. However it is desirable to provide for modification of the port number, for greater flexibility.
In many environments the code can make use of an existing TCP/IP stack with hooks into dynamically linked library routines. In a preferred embodiment a mapping table is included for mapping an incoming request to connect to a data port to a modified (IP) address and, optionally, a modified port number. Thus such a table may comprise a plurality of entries each comprising a port number for an incoming data connection request, and a corresponding redirection IP address and, optionally, redirection port number. Preferably a user interface is also provided to allow the data in this table to be set up. This provides a simple and readily understandable way of setting up redirection rules. It will be appreciated that with this arrangement there is no need to redirect all incoming requests to connect to a (server) port and, if desired, a user may select some ports for mapping to a redirected address, and others to remain open.
In a preferred embodiment the redirection process leaves the time to live data or "hop count" of the incoming (IP) data packet unchanged. This provides an additional layer of security against an attempt to trace the route the packet has taken and hence detect the redirection.
In one embodiment an additional option is provided to automatically close a connection to a port after the link has been inactive for a predetermined time and/or a predetermined time after the cessation of reception of incoming data. Normally the TCP FIN flag is set to indicate the end of a data stream, and by setting a time-out a predetermined interval after the non-appearance of a FIN flag, denial of service attacks can be helped to be prevented. In another aspect the invention provides a carrier medium carrying computer readable code for redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the code comprising: code for receiving at an IP destination address an incoming TCP/IP connection request to connect to a server process at the IP destination address, the TCP/IP connection request having IP header data including the IP destination address; code for modifying at least said IP destination address of said TCP/IP connection request; and code for forwarding the said TCP/IP connection request to said modified address.
In a further aspect the invention provides a method of restricting access to a computer coupled to a computer network, the computer having a computer network address, the method comprising: receiving at the computer, from the network, a data packet having said computer network address as a destination address; modifying said destination address of said data packet; and passing said modified data packet to a data transmission process for forwarding said data packet to said modified address.
In a still further aspect the invention provides a method of redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the method comprising: receiving an incoming TCP/IP connection request including IP header data having an IP destination address; modifying at least said IP destination address of said TCP/IP connection request; and forwarding the said TCP/IP connection request to said modified address.
In another aspect the invention provides a method of restricting access to a communications socket of a computer program, the communications socket having an address comprising a port number and a network address, the method comprising: receiving, at the network address, data intended for the computer program communications socket; modifying the received data to specify an alternative socket address; and redirecting the data to the alternative socket address.
Preferably the alternative socket address comprises the socket address of a computer program running on another machine such as a honeypot server, configured to resemble the target computer but with false, misleading, or spoof information. This machine may be used to monitor access to the communication socket, for example to trap the hacker.
In a further aspect the invention provides a method of managing attempted accesses to a target computer system, the method comprising: receiving, at the computer system, a request for an internet protocol (IP) session with the computer system from a remote user; and redirecting the request to a second computer system.
Preferably the redirection is substantially transparent to the remote user so that without careful monitoring the redirection is not apparent to the remote user.
The above-described methods may be implemented by computer program code stored, for example, on a computer readable medium such as a disk. The code may comprise source or executable code, and may be written in any conventional computer language.
In a yet further aspect the invention provides computer processing apparatus comprising: a data memory operable to store data to be processed; an instruction memory operable to store one or more application programs providing a network server function, and storing processor implementable code; a processor operable to process the data in accordance with the stored code; a network interface for coupling the apparatus to a network; and wherein the stored processor implementable code further comprises: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address to restrict access to a said application program server function.
Brief Description of the Drawings
These and other aspects of the invention will now be further described, by way of example only, with reference to the accompanying figures in which: Figure 1 shows a TCP/IP data packet;
Figure 2 shows a schematic block diagram of a user terminal connected to a server via an internet service provider;
Figure 3 shows an outline data communications diagram for the arrangement of Figure 2, illustrating a hacker attack;
Figure 4 shows a schematic diagram of a computer network including a computer with access control software, and a honeypot server;
Figure 5 shows an exemplary user interface for an access control program;
Figure 6 shows a data flow diagram for redirection of an incoming TCP/IP connection request from a hacker computer; and
Figure 7 shows a flowchart for the redirection process of Figure 6.
Detailed Description of Preferred Embodiments
Referring to figure 4, the server 202, hacker computer 203, ISP 204 and Internet 201 correspond to those illustrated in figure 2. User terminal (PC) 400 comprises a general purpose computer system, similar to PC 200 of figure 2, onto which additional access control software 402 has been loaded. Thus computer 400 stores operating system program code 210, 212 for implementing PPP and TCP/IP protocols, and application code 214, 216 for a web browser and other application programs. Computer 400 is cormectable to a modem 218 for connection to Internet 201 via ISP 204 over a telephone line or other data link. Computer 400 also includes volatile and non-volatile data storage, a keyboard, mouse, and display and other conventional components not shown in figure 3.
Access control software 402 is additionally loaded onto computer 400. This software may be provided to computer 400 on a removable storage device 404, such as a floppy disk, or this software may be downloaded from a server over the internet. The access control software 402 comprises an access control user interface 402a coupled to a network device driver 402b. User interface 402a allows the network device driver software 402b to be configured to redirect incoming data packets, such as TCP/IP data packets from hacker computer system 402 requesting set-up of a socket connection to application program 216 or to operating system programs running on computer 400.
The access control software 402 operates to re-direct incoming TCP/IP requests, as described in more detail below. When installed, the network device driver 402b in effect provides a filter function for incoming IP data. In a Windows (registered trade mark) PC system, network device driver 402b is set up as the default device driver for network communications (where multiple device drivers are present in a Windows system, each is tried in turn by the system). Device driver 402b runs as part of the kernel of the computer system, and is accessed by applications via kernel drivers which are part of the operating system software.
The network device driver may be implemented using a Microsoft DDK (device driver kit) such as the 98 DDK (for Windows 95 and 98) or the NT DDK (for Windows NT and 2000). Implementing the device driver is relatively straightforward as use may be made of existing operating system routines such as DLLs (Dynamically Linked Library routines) to provide the necessary low level functions such as packet send, packet receive, packet get address, packet open adapter, get adapter name, and the like. In other operating systems similar use may be made of dynamic linking, for example using shared object files under SunOS/Solaris (registered trade marks) operating systems.
In one embodiment implemented in a Windows environment, the network device driver is primarily implemented at layer 3 of the Windows operating system, although a flag is set to indicate incoming data at Windows layer 0. In a preferred embodiment, an error message is displayed if another device driver is installed in promiscuous mode as this could, under some circumstances, allow another application to take precedence over access to a port. Referring again to Figure 4, a honeypot server computer system 406 is, optionally, also provided. Like computer 400, computer system 406 comprises a general purpose computer suitably programmed. Thus honeypot server 406 is couplable to a modem 408 for connecting the server to Internet 201 and, like computer 400, includes PPP operating system code 410 and TCP/IP operating system code 412. At least one server process 414 is also loaded onto the honeypot computer system to allow hacker system 203 to connect to honeypot server 406.
Preferably, the honeypot server is loaded with a mirror of the applications on user PC 400, and thus includes, for example, a web browser such as browser 214 and other application programs corresponding to the set of application programs loaded onto user PC 400. Spoof data (not shown in Figure 3) may also be loaded onto honeypot server 406 to simulate what a hacker might expect to see when connecting to user PC 400. However, although the same broad categories of data may be loaded onto the honeypot server confidential data is preferably not placed on this server. Broadly speaking, the idea is to re-direct a request from hacker computer system 203 to connect to user PC 400 to the honeypot server 406, without making the hacker aware of the redirection. The hacker will therefore imagine he or she is connected to user PC 400, and data is loaded onto honeypot server 406 to maintain this subterfuge. In fact the hacker will have been directed away from sensitive data to a computer system on or from which relatively little harm can be done.
Optionally, monitoring software 416 may be loaded onto honeypot server 406 to monitor a hacker's actions. This monitoring software should preferably be difficult to find or substantially invisible to the hacker; the monitoring software may attempt to determine details of the hacker computer system 203. Where a hacker is to be trapped by the honeypot server, server 406 may be provided with an easy to break password and data of potential interest to a hacker, such as spoof password files, spoof credit card details and the like.
Figure 5 shows an exemplary user interface 500 for access control software 402. In Figure 5 a user is presented with a table comprising three columns. A Port In column 502, an IP (address) Out column 504, and a Port Out column 506. The Port In column is used for defining open ports to server processes on computer 400 which are to be redirected, and the IP (address) Out and Port Out columns are for entering an IP address and port to which data packets for the ports to be protected are to be redirected.
As shown in Figure 5, an incoming TCP IP request to connect to a server socket on user PC 400 at port 80 (corresponding to web browser 214) is redirected to IP address 1.2.3.4, although the port number is unchanged as a hacker would expect to make a connection to port 80 as this is a well-known, assigned port number. Similarly a request to user PC 400 to connect to NetBIOS using a server socket at port 139 is also directed to port 139 at IP address 1.2.3.4. Preferably IP address 1.2.3.4 is the IP address of honeypot server 406, onto which are loaded web browser and NetBIOS application programs to give the impression that a connection to user PC 400 has been established when, in fact, the connection is to honeypot server 406.
Referring again to Figure 5, an incoming FTP request (port 21) is redirected to IP address 255.255.255.0 which is a broadcast address and will not therefore allow a socket connection to be established. In this case the port number (port 1) is arbitrary. In the final row of the illustrative redirection mapping table of Figure 5 port 1025 is redirected to port 1035 at the honeypot server's IP address of 1.2.3.4. Port 1025 of user PC 400 may correspond to one of the other application programs 216 installed on the PC, such as a game or Microsoft Word, and this is redirected to the appropriate port for the corresponding application on honeypot server 406. The port number is not conserved since it is not one of the pre-assigned "well-known" port numbers.
To redirect a TCP/IP data packet only one of the IP destination address and port number need be changed and it is therefore theoretically possible to redirect an incoming data packet having the IP address of user PC 400 as its destination IP address to a different port on the same computer (user PC 400). This is generally undesirable as the hacker is given access to user PC 400, albeit in a controlled manner. Nevertheless there may be situations where this is desirable, providing careful control over a hacker's permitted activity is exercised. For example, in some circumstances it may not be practicable to provide a honeypot server on a separate machine, although it may nonetheless be desirable to monitor a hacker's attempted activities. A drawback with this approach is the potential visibility of the port to which incoming data packets are being redirected to a port scanning program, since the port to which packets are redirected must itself be open.
As can be seen from the above description, the redirection mapping table provides a relatively straightforward user interface for defining redirection rules for redirecting incoming TCP/IP data packets. The user interface is implemented by access control user interface software component 402a, which creates a redirection or mapping table storing corresponding data, for use by network device driver 402b in redirecting incoming data packets.
In the arrangement of Figure 4 the user PC 400 and honeypot server 406 are shown as having separate connections to ISP 204. However in alternative embodiments PC 400 and server 406 may both be connected to a local area network (LAN) or wide area network (WAN) which in turn is connected to an internet service provider via a gateway also coupled to the network.
Referring now to Figure 6, this shows signalling in a TCP/IP handshaking process 600 used to establish a connection between a client hacker computer system 203 and a honeypot server 406 when an incoming connection request from hacker computer system 203 is initially directed to user PC 400.
Initially, at 602, a first TCP/IP data packet is sent from hacker computer system 203 to the hacker's target, user PC 400. This initial TCP/IP data packet has the general form indicated in Figure 1, and has an IP header specifying, among other things, an IP source address (the IP address of hacker computer system 203), an IP destination address (the IP address of user PC 400), time to live data, and a protocol number specifying that the IP data packet includes TCP data. Also in the TCP/IP data packet is a TCP header including, among other things, a source port number (the source port of hacker computer system 203), a destination port number (specifying the port number of an open server process running on user PC 400, although in some circumstances this port number will not yet have been defined), sequence number data, acknowledgement number data, and a number of flags. In some circumstances a hacker may attempt to gain illicit access to a computer system by providing TCP/IP data packets which are not in accordance with agreed standards, and preferably the access control software 402 is capable of handling such data packets.
On receipt of the initial TCP/IP data packet 602, network device driver 402b modifies at least the IP header data of the incoming data packet to change the destination address to the IP address of honeypot server 406. The modified TCP/IP data packet 604 is then sent to honeypot server 406. This initial TCP/IP data packet contains connection initialization information in the TCP header for establishing a connection between the hacker computer system and another computer system.
Once the honeypot server 406 has received the modified data packet 604, it provides an ICMP (internet control message protocol) response 606 within an IP data packet having the IP address of user PC 400 as its destination address. The network device driver 402b on user PC 400 then modifies the destination address in the IP header to substitute the IP address of hacker computer system 203, and a modified ICMP response 608 is then sent to the hacker computer system.
ICMP returns a "0" to indicate success delivery of a TCP/IP data packet, and returns a "3" to indicate an undeliverable data packet. The ICMP protocol may also return a redirect instruction to indicate that future packets should be sent to an alternative IP address. This may be used internally by access control software 402 but, as will be appreciated, a "redirect" ICMP response is preferably not returned to hacker computer system 203 as such a redirection response would be readily discoverable.
Once the modified ICMP response has been received by hacker computer system 203, this system issues a TCP link set-up request 601, in accordance with the usual TCP three-way handshaking procedure. This link set-up request has the TCP SYN flag set and will usually include a datagram sequence number (for ordering received datagrams). This TCP SYN request is again packaged in an IP data packet having the IP address of user PC 400 as the IP header destination address. This IP packet is received by user PC 400 and network device driver 402b again modifies the destination address to that of honeypot server 406 and forwards a TCP SYN request 612 to honeypot server 406.
In the aforementioned redirection processes implemented by network device driver 402b on user PC 400, where the redirection mapping table (as illustrated in Figure 5) includes a modified port number, the network device driver also modifies the destination port number data in the TCP datagram header (there are no port numbers in ICMP messages).
Following reception of TCP SYN request 612 by honeypot server 406, the honeypot server issues a conventional TCP response 614 comprising an ACK flag, to acknowledge the SYN flag from hacker computer system 203, and its own SYN flag to establish a connection with hacker computer system 203. Generally, associated with the ACK flag, is acknowledge number data indicating the next sequence number the server is expecting. Finally hacker client computer system 203 issues its TCP ACK response 616 to the TCP SYN request 614 from honeypot server 406, completing the three-way TCP handshake and establishing a data link between hacker computer system 203 and honeypot server 406. The TCP SYN, ACK response 614 and TCP ACK response 616 are both packaged within IP data packets, but at this stage the IP header for data packets exchanged between honeypot server 406 and hacker system 203 uses the IP address of honeypot server 406 rather than the IP address of user PC 400. Thus when data link 618 is established, packets of IP data exchanged over this link have source and destination IP addresses of the honeypot server 406 and of the hacker computer system 203, rather than being redirected via user PC 400.
By the time TCP responses 614 and 616 are being exchanged between the hacker computer system 203 and the honeypot server 406 the TCP/IP data link has already been at least partially established and the fact that the TCP responses are now enclosed within IP data packets which are going directly to and from the honeypot server 406 is not readily apparent to most software, although it could be detected by examining the data at a low level such as the IP level. Thus in alternative embodiments the TCP/IP data packets may always be routed via user PC 400, by modifying the source or destination address of the IP packet headers as necessary, optionally also modifying the TCP header port number data and, preferably, maintaining the IP packet header time-to- live data unchanged.
Normally when a TCP/IP data packet is redirected the time-to-live (TTL) value indicating the number of hops that the packet is allowed to take before it is discarded, is decremented by 1. However in the above-described redirection process the TTL value is preferably unmodified to conceal the redirection from the hacker.
In some circumstances large TCP datagrams may be fragmented at the IP level, and this is indicated by a fragmentation flag in the IP header. In some embodiments of the network device driver 402b this fragmentation flag may be inspected to determine whether or not an IP data packet carries data which has already been checked. If a determination has been made as to whether or not a (fragmented) packet is to be redirected, the (fragmented) packet need not be checked again.
A loophole in the TCP specification can cause a TCP handshaking processing to hang if a TCP/IP data packet is sent specifying a non-existent source IP address. The Windows implementation of TCP times-out after 75 seconds but this time-out can be circumvented by issuing more than 6 non-standard TCP/IP data packets. These holes can be used to mount a denial of service attack on a system. The TCP Finish control flag FIN is usually set to request normal termination of a TCP connection in the direction the datagram containing the flag is travelling (one FIN in each direction is required to completely close a connection). An optional additional feature of access control software 402 therefore monitors the status of a TCP connection and where a FIN flag is not provided following a predetermined time-out period of inactivity, the connection can be closed. This assists in countering such denial of service attacks. The time-out period may be initiated by cessation of data reception or by inactivity of a TCP connection.
Referring now to Figure 7, this shows a flow diagram for the redirection process of figure 6 implemented by the network device driver 402b of access control software 402. The process illustrated in figure 7 is initialized, at step S10, by reception of an incoming TCP/IP data packet requesting connection to a port of a server process running on user PC 400. At step SI 1 the access control software reads the destination port number of the TCP header and compares this against incoming port number entries in a redirection table such as the redirection mapping table illustrated in figure 4. If, at step SI 2, there is no entry for the destination port number in the table the procedure continues to step SI 3, and the TCP/IP data packet is permitted to be processed by the server process identified by the TCP destination port number, and the procedure then ends at step SI 4. Processing of the data packets by the identified server process is, in effect, a default state of the access control software which, by not modifying the incoming data packet, allows the data to be processed in the normal way.
If an entry for the destination port number is found in the table the procedure continues to step SI 5 and the IP address of hacker computer system 203 is stored for later use. Then, at step SI 6, the new destination IP address and, optionally, the new port number for the data packet is retrieved from the redirection table. The new destination IP address could be an address such as a broadcast address from which no reply would be provided or an invalid or non-existent IP address such as an (as yet) unused class D or E internet address (addresses from 224 onwards) but for the purposes of illustration the new destination IP address will be assumed to be the IP address of honeypot server 406, and the new port number that of a server process running on the honeypot server to give the hacker the impression that access to user PC 400 has successfully been achieved.
Thus, at step SI 7, the access control code replaces the destination IP address and, optionally, port number of the incoming TCP/IP data packet with the new destination IP address and port number of the honeypot server and server process. Then, at step SI 8, the modified TCP/IP data is forwarded to the honeypot server and, at step SI 9, an ICMP response is received back from the honeypot server by user PC 400.
The ICMP response is contained within an IP data packet and, at step S20, the source IP address in the IP header of the data packet is replaced with the IP address of the user PC 400 and, at step S21, the destination IP address in the IP header is replaced with the IP address of hacker computer system 203 (stored in step SI 5). The, at step S22, the modified ICMP data packet is forwarded to hacker computer system 203, appearing to come from user PC 400 rather than from honeypot server 406. In response the hacker computer system 203 issues a TCP SYN request which, at step S23, is received by user PC 400. At step S24 the access control software on user PC 400 replaces the destination IP address and, optionally, port number in the received IP packet containing the TCP SYN request, with the IP address and port number of a server process running on honeypot server 406. The modified TCP SYN request (in an IP data packet) is then forwarded, at step S25, to the honeypot server for processing by the honeypot server TCP/IP stack 412.
The honeypot server then continues with the conventional TCP handshaking procedure as described with reference to figure 6 above to complete the establishment of data link 618 between the hacker computer system 203 and the honeypot server 406. The access control software on user PC 400 however awaits receipt of a further incoming TCP/IP data packet requesting connection to a user PC server process (step S26) and on detection of such a packet, at step S27, loops back to starting step S10. In other embodiments, following step S25 the subsequent TCP signals, TCP SYN, ACK response 614, and TCP ACK response 616, and the TCP/IP data link 618 are all passed through user PC 400 by substitution of source and destination IP addresses and port numbers as appropriate to provide a still greater degree of security.
Although the above redirection processes have been described with reference to the TCP transmission control protocol, they are also applicable to other IP-based protocols such as RDP and UDP, and to non-IP-based data transmission where such data transmission operates using packetized data including packet address data.
In the particular case of UDP (user datagram protocol) a very similar process to that described above may be employed for redirecting UDP-containing IP data packets. The UDP protocol uses an IP address and port number for connecting to a server process socket in a similar way to the TCP protocol,, although unlike TCP each UDP datagram includes a socket descriptor so that, in effect, each datagram is processed separately. Similarly considerations also apply to RDP (reliable data protocol). Thus the above- described access control software may readily be configured to handle either TCP, UDP, or RDP data, redirecting incoming data based upon destination port number as described above. Again, as described above, the redirection may be to a non-existent IP address or to an IP address and port number of another server process on another machine such as honeypot server 406.
The access control software has been described in the context of a user personal computer connected to the Internet via a modem connection to an internet service provider but the software may also be employed on a computer connected to the Internet via a LAN or WAN and gateway. The access control methods described above are not restricted to Windows-based environments, but may also be used with other operating systems such as Linux, Unix, the Mackintosh Operating System, OS/2, and other operating systems. Likewise the above-described software and methods are not limited to use on IBM PCs, but may be used on other general-purpose micro or mini computers, on workstations and more powerful machines, and on servers in general. The invention may also be applied to internet-enabled devices incorporating computers connected or connectable to the Internet or another IP network, such as internet-enabled domestic appliances, internet-enabled vending machines, and the like.
The invention is not limited to use with the Internet, and it may be used with other IP networks such as an Intranet or Extranet, as well as with non-IP networks. For example, the invention may be employed with 3G web-enabled mobile phones and with PDAs (personal digital assistants). The underlying idea of redirection of a data packet may, for example, be employed with Bluetooth (Registered Trade Mark) enabled devices which have network addresses.
No doubt many effective alternatives will occur to the skilled person and it will be understood that the invention is not limited to the described embodiments and encompasses modifications apparent to those skilled in the art lying within the spirit and scope of the claims appended hereto.

Claims

CLAIMS:
1. A carrier medium carrying computer readable code for controlling a computer to restrict access to said computer, said computer being couplable to a network and, when coupled to the network, having a network address; the code comprising: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address.
2. A carrier medium carrying computer readable code as claimed in claim 1, wherein said incoming data packet comprises an internet protocol (IP) data packet and wherein said computer network address and said modified network address comprise internet addresses.
3. A carrier medium carrying computer readable code as claimed in claim 2, wherein said IP data packet further includes port number data for specifying a port number of a server process of said computer, and wherein said code further comprises: code to modify said port number data for redirecting said incoming data packet to a modified port number at said modified network address.
4. A carrier medium carrying computer readable code as claimed in claim 2, wherein said IP data packet further includes port number data for specifying a port number of said computer; wherein said computer readable code includes mapping table data for mapping a said port number of said computer to data specifying a said modified network address; and wherein said code further comprises: code to read said port number data of said IP data packet; and code to use said port number data to retrieve said modified network address from said mapping table data.
5. A carrier medium carrying computer readable code as claimed in claim 4, wherein said mapping table data further includes data for mapping a said port number of said computer to a modified port number at said modified network address; and wherein said code further comprises: code to use said port number data to retrieve said modified port number from said mapping table data; and code to modify said port number data for redirecting said incoming data packet to a modified port number at said modified network address.
6. A carrier medium carrying computer readable code as claimed in claim 2, wherein said IP header data includes time to live (TTL) data related to the number of systems tlirough which the IP packet has passed, and wherein said time to live data of the data packet sent to the modified network address and said time to live data of said incoming data packet define the same number of systems.
7. A carrier medium carrying computer readable code as claimed in claim 2, wherein said IP data packet includes transmission control protocol (TCP) header data for establishing a connection with a server process of said computer.
8. A carrier medium carrying computer readable code as claimed in claim 7, wherein said TCP header data includes a FIN flag for indicating completion of data transmission and wherein said code includes code to disconnect a connection with a said server process after a predetermined period of connection inactivity when a FIN flag has not been received.
9. A carrier medium carrying computer readable code as claimed in claim 1, wherein said modified network address comprises a network address from which no valid reply will be provided to the redirected data packet.
10. A carrier medium carrying computer readable code as claimed in claim 1, wherein said code further comprises: code to provide a user interface for defining a said modified network address.
11. A carrier medium carrying computer readable code for redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the code comprising: code for receiving at an IP destination address an incoming TCP/IP connection request to connect to a server process at the IP destination address, the TCP/IP connection request having IP header data including the IP destination address; code for modifying at least said IP destination address of said TCP/IP connection request; and code for forwarding the said TCP/IP connection request to said modified address.
12. A carrier medium carrying computer readable code as claimed in claim 11, wherein said incoming TCP/IP connection request includes port data specifying a TCP/IP connection request port number and wherein said code further comprises code for modifying said port data to specify a modified port number, for forwarding said TCP/IP connection request to a server process having said modified port number on a computer at said modified address.
13. A carrier medium carrying computer readable code as claimed in claim 12, wherein said computer readable code further comprises: user interface code for associating a port number of a said TCP/IP connection request with a said modified port number and a said modified address; whereby a user may set up one or more TCP/IP connection request redirection rules.
14. A carrier medium carrying computer readable code as claimed in claim 11 , wherein said incoming TCP/IP connection request includes TCP time to live (TTL) data and wherein the TTL data of said incoming TCP/IP connection request is the same as the TTL data of said forwarded TCP/IP connection request.
15. A method of restricting access to a computer coupled to a computer network, the computer having a computer network address, the method comprising: receiving at the computer, from the network, a data packet having said computer network address as a destination address; modifying said destination address of said data packet; and passing said modified data packet to a data transmission process for forwarding said data packet to said modified address.
16. A method of restricting access to a computer as claimed in claim 15, wherein said data packet comprises a request for connection to a server process on the computer.
17. A method of restricting access to a computer as claimed in claim 16, wherein said modified address comprises a network address from which no valid response is provided in response to reception of the data packet.
18. A method of restricting access to a computer as claimed in claim 16, wherein said modified address comprises a network address of a computer storing program code and/or data to resemble the computer to which access is restricted.
19. A method of restricting access to a computer as claimed in claim 15, wherein said data packet comprises an internet protocol (IP) data packet having header data including a hop count, and wherein the hop count of said modified data packet is equal to or greater than the hop count of said received data packet.
20. A method of redirecting a transmission control protocol/internet protocol (TCP/IP) request for connection to a server process, the method comprising: receiving an incoming TCP/IP connection request including IP header data having an IP destination address; modifying at least said IP destination address of said TCP/IP connection request; and forwarding the said TCP/IP connection request to said modified address.
21. A method of restricting access to a communications socket of a computer program, the communications socket having an address comprising a port number and a network address, the method comprising: receiving, at the network address, data intended for the computer program communications socket; modifying the received data to specify an alternative socket address; and redirecting the data to the alternative socket address.
22. A method as claimed in claim 21 , wherein the alternative socket address comprises the socket address of a second computer program; and further comprising storing the said computer program on a first computer, and storing said second computer program on a second computer configured to resemble said first computer insofar as the configuration of said second computer is practicably determinable using the socket address of the second computer.
23. A method as claimed in claim 22, further comprising using the second computer to monitor access to the communications socket.
24. A method of managing attempted accesses to a target computer system, the method comprising: receiving, at the computer system, a request for an internet protocol (IP) session with the computer system from a remote user; and redirecting the request to a second computer system.
25. A method as claimed in claim 24, wherein said redirection is substantially transparent to said remote user.
26. A computer readable medium carrying computer readable data to, when running, implement the method of any one of claims 15, 20, 21, 24 and 25.
27. Computer processing apparatus comprising: a data memory operable to store data to be processed; an instruction memory operable to store one or more application programs providing a network server function, and storing processor implementable code; a processor operable to process the data in accordance with the stored code; a network interface for coupling the apparatus to a network; and wherein the stored processor implementable code further comprises: code to receive an incoming data packet including destination address data specifying the network address of said computer; code to modify said destination address data to specify a modified network address; and code to send said data packet to said modified network address; whereby said incoming data packet is redirected from the network address of said computer to said modified network address to restrict access to a said application program server function.
PCT/GB2001/002417 2001-05-31 2001-05-31 Access control systems WO2002098100A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/GB2001/002417 WO2002098100A1 (en) 2001-05-31 2001-05-31 Access control systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/GB2001/002417 WO2002098100A1 (en) 2001-05-31 2001-05-31 Access control systems

Publications (1)

Publication Number Publication Date
WO2002098100A1 true WO2002098100A1 (en) 2002-12-05

Family

ID=9907843

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2001/002417 WO2002098100A1 (en) 2001-05-31 2001-05-31 Access control systems

Country Status (1)

Country Link
WO (1) WO2002098100A1 (en)

Cited By (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6664215B1 (en) 2000-06-06 2003-12-16 Brian H. Tomlinson Composition for controlling wellbore fluid and gas invasion and method for using same
GB2410401A (en) * 2004-01-21 2005-07-27 Mobotel Solutions Ltd A communication apparatus and method
EP1566947A1 (en) * 2004-02-18 2005-08-24 AT&T Corp. Method for distributed denial-of-service attack mitigation by selective black-holing in MPLS VPNs
EP1748342A1 (en) * 2005-07-29 2007-01-31 H+BEDV Datentechnik GmbH Honeypot computer system for detecting viruses in computer networks
WO2008049908A2 (en) * 2006-10-27 2008-05-02 Alcatel Lucent Device for controlling packets, for a router of a communication network with a view to the routing of suspect packets to dedicated analysis equipment
WO2014137640A1 (en) 2013-03-04 2014-09-12 Crowdstrike, Inc. Deception-based responses to security attacks
US9166994B2 (en) 2012-08-31 2015-10-20 Damballa, Inc. Automation discovery to identify malicious activity
US9306969B2 (en) 2005-10-27 2016-04-05 Georgia Tech Research Corporation Method and systems for detecting compromised networks and/or computers
WO2016160599A1 (en) * 2015-03-30 2016-10-06 Varmour Networks, Inc. System and method for threat-driven security policy controls
US9516058B2 (en) 2010-08-10 2016-12-06 Damballa, Inc. Method and system for determining whether domain names are legitimate or malicious
US9521115B1 (en) 2016-03-24 2016-12-13 Varmour Networks, Inc. Security policy generation using container metadata
US9525699B2 (en) 2010-01-06 2016-12-20 Damballa, Inc. Method and system for detecting malware
US20170006061A1 (en) * 2015-07-02 2017-01-05 Reliaquest Holdings, Llc Threat intelligence system and method
US9609083B2 (en) 2011-02-10 2017-03-28 Varmour Networks, Inc. Distributed service processing of network gateways using virtual machines
US9621595B2 (en) 2015-03-30 2017-04-11 Varmour Networks, Inc. Conditional declarative policies
US9680861B2 (en) 2012-08-31 2017-06-13 Damballa, Inc. Historical analysis to identify malicious activity
US9680852B1 (en) 2016-01-29 2017-06-13 Varmour Networks, Inc. Recursive multi-layer examination for computer network security remediation
US9686291B2 (en) 2011-02-01 2017-06-20 Damballa, Inc. Method and system for detecting malicious domain names at an upper DNS hierarchy
US9762599B2 (en) 2016-01-29 2017-09-12 Varmour Networks, Inc. Multi-node affinity-based examination for computer network security remediation
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US9973472B2 (en) 2015-04-02 2018-05-15 Varmour Networks, Inc. Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification
US10084806B2 (en) 2012-08-31 2018-09-25 Damballa, Inc. Traffic simulation to identify malicious activity
US10091238B2 (en) 2014-02-11 2018-10-02 Varmour Networks, Inc. Deception using distributed threat detection
US10191758B2 (en) 2015-12-09 2019-01-29 Varmour Networks, Inc. Directing data traffic between intra-server virtual machines
US10193929B2 (en) 2015-03-13 2019-01-29 Varmour Networks, Inc. Methods and systems for improving analytics in distributed networks
US10264025B2 (en) 2016-06-24 2019-04-16 Varmour Networks, Inc. Security policy generation for virtualization, bare-metal server, and cloud computing environments
EP3508999A1 (en) * 2018-01-05 2019-07-10 Sap Se Dissuading stolen password reuse
US10425445B2 (en) 2016-12-15 2019-09-24 Interwise Ltd Deception using screen capture
US10524016B2 (en) 2017-12-12 2019-12-31 Stern Ip Holder I, Llc System and method for content monitoring and filtering to improve network efficiency
US10547674B2 (en) 2012-08-27 2020-01-28 Help/Systems, Llc Methods and systems for network flow analysis
EP3644146A1 (en) * 2018-10-26 2020-04-29 Serenicity Device for recording computer intrusion
US10755334B2 (en) 2016-06-30 2020-08-25 Varmour Networks, Inc. Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
CN111885068A (en) * 2020-07-28 2020-11-03 杭州默安科技有限公司 Bypass deployment traffic distribution method and system
CN113709130A (en) * 2021-08-20 2021-11-26 江苏通付盾科技有限公司 Risk identification method and device based on honeypot system
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
US11575563B2 (en) 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061349A (en) * 1995-11-03 2000-05-09 Cisco Technology, Inc. System and method for implementing multiple IP addresses on multiple ports
EP1011244A2 (en) * 1998-12-16 2000-06-21 Lucent Technologies Inc. Method and apparatus for transparently directing requests for web objects to proxy caches
US6148336A (en) * 1998-03-13 2000-11-14 Deterministic Networks, Inc. Ordering of multiple plugin applications using extensible layered service provider with network traffic filtering

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061349A (en) * 1995-11-03 2000-05-09 Cisco Technology, Inc. System and method for implementing multiple IP addresses on multiple ports
US6148336A (en) * 1998-03-13 2000-11-14 Deterministic Networks, Inc. Ordering of multiple plugin applications using extensible layered service provider with network traffic filtering
EP1011244A2 (en) * 1998-12-16 2000-06-21 Lucent Technologies Inc. Method and apparatus for transparently directing requests for web objects to proxy caches

Cited By (72)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6664215B1 (en) 2000-06-06 2003-12-16 Brian H. Tomlinson Composition for controlling wellbore fluid and gas invasion and method for using same
GB2410401A (en) * 2004-01-21 2005-07-27 Mobotel Solutions Ltd A communication apparatus and method
EP1566947A1 (en) * 2004-02-18 2005-08-24 AT&T Corp. Method for distributed denial-of-service attack mitigation by selective black-holing in MPLS VPNs
US7925766B2 (en) 2004-02-18 2011-04-12 At&T Intellectual Property Ii, L.P. Method for distributed denial-of-service attack mitigation by selective black-holing in MPLS VPNS
EP1748342A1 (en) * 2005-07-29 2007-01-31 H+BEDV Datentechnik GmbH Honeypot computer system for detecting viruses in computer networks
US9306969B2 (en) 2005-10-27 2016-04-05 Georgia Tech Research Corporation Method and systems for detecting compromised networks and/or computers
US10044748B2 (en) 2005-10-27 2018-08-07 Georgia Tech Research Corporation Methods and systems for detecting compromised computers
WO2008049908A3 (en) * 2006-10-27 2008-06-12 Alcatel Lucent Device for controlling packets, for a router of a communication network with a view to the routing of suspect packets to dedicated analysis equipment
WO2008049908A2 (en) * 2006-10-27 2008-05-02 Alcatel Lucent Device for controlling packets, for a router of a communication network with a view to the routing of suspect packets to dedicated analysis equipment
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US9525699B2 (en) 2010-01-06 2016-12-20 Damballa, Inc. Method and system for detecting malware
US10257212B2 (en) 2010-01-06 2019-04-09 Help/Systems, Llc Method and system for detecting malware
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US9516058B2 (en) 2010-08-10 2016-12-06 Damballa, Inc. Method and system for determining whether domain names are legitimate or malicious
US9686291B2 (en) 2011-02-01 2017-06-20 Damballa, Inc. Method and system for detecting malicious domain names at an upper DNS hierarchy
US9609083B2 (en) 2011-02-10 2017-03-28 Varmour Networks, Inc. Distributed service processing of network gateways using virtual machines
US10547674B2 (en) 2012-08-27 2020-01-28 Help/Systems, Llc Methods and systems for network flow analysis
US10084806B2 (en) 2012-08-31 2018-09-25 Damballa, Inc. Traffic simulation to identify malicious activity
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US9166994B2 (en) 2012-08-31 2015-10-20 Damballa, Inc. Automation discovery to identify malicious activity
US9680861B2 (en) 2012-08-31 2017-06-13 Damballa, Inc. Historical analysis to identify malicious activity
WO2014137640A1 (en) 2013-03-04 2014-09-12 Crowdstrike, Inc. Deception-based responses to security attacks
EP2965256A4 (en) * 2013-03-04 2017-03-22 Crowdstrike, Inc. Deception-based responses to security attacks
US10713356B2 (en) 2013-03-04 2020-07-14 Crowdstrike, Inc. Deception-based responses to security attacks
EP3731125A1 (en) * 2013-03-04 2020-10-28 CrowdStrike, Inc. Deception-based responses to security attacks
EP3731124A1 (en) * 2013-03-04 2020-10-28 CrowdStrike, Inc. Deception-based responses to security attacks
US11809555B2 (en) 2013-03-04 2023-11-07 Crowdstrike, Inc. Deception-based responses to security attacks
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification
US10091238B2 (en) 2014-02-11 2018-10-02 Varmour Networks, Inc. Deception using distributed threat detection
US10193929B2 (en) 2015-03-13 2019-01-29 Varmour Networks, Inc. Methods and systems for improving analytics in distributed networks
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths
US10333986B2 (en) 2015-03-30 2019-06-25 Varmour Networks, Inc. Conditional declarative policies
US10009381B2 (en) 2015-03-30 2018-06-26 Varmour Networks, Inc. System and method for threat-driven security policy controls
US9621595B2 (en) 2015-03-30 2017-04-11 Varmour Networks, Inc. Conditional declarative policies
WO2016160599A1 (en) * 2015-03-30 2016-10-06 Varmour Networks, Inc. System and method for threat-driven security policy controls
US9973472B2 (en) 2015-04-02 2018-05-15 Varmour Networks, Inc. Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
WO2017004619A1 (en) 2015-07-02 2017-01-05 Reliaquest Holdings, Llc Threat intelligence system and method
EP3318000A4 (en) * 2015-07-02 2019-01-16 Reliaquest Holdings, LLC Threat intelligence system and method
US20170006061A1 (en) * 2015-07-02 2017-01-05 Reliaquest Holdings, Llc Threat intelligence system and method
US11252181B2 (en) 2015-07-02 2022-02-15 Reliaquest Holdings, Llc Threat intelligence system and method
US11418536B2 (en) 2015-07-02 2022-08-16 Reliaquest Holdings, Llc Threat intelligence system and method
US10397267B2 (en) 2015-07-02 2019-08-27 Reliaquest Holdings, Llc Threat intelligence system and method
US10191758B2 (en) 2015-12-09 2019-01-29 Varmour Networks, Inc. Directing data traffic between intra-server virtual machines
US10382467B2 (en) 2016-01-29 2019-08-13 Varmour Networks, Inc. Recursive multi-layer examination for computer network security remediation
US9680852B1 (en) 2016-01-29 2017-06-13 Varmour Networks, Inc. Recursive multi-layer examination for computer network security remediation
US9762599B2 (en) 2016-01-29 2017-09-12 Varmour Networks, Inc. Multi-node affinity-based examination for computer network security remediation
US10009317B2 (en) 2016-03-24 2018-06-26 Varmour Networks, Inc. Security policy generation using container metadata
US9521115B1 (en) 2016-03-24 2016-12-13 Varmour Networks, Inc. Security policy generation using container metadata
US10264025B2 (en) 2016-06-24 2019-04-16 Varmour Networks, Inc. Security policy generation for virtualization, bare-metal server, and cloud computing environments
US10755334B2 (en) 2016-06-30 2020-08-25 Varmour Networks, Inc. Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
US10425445B2 (en) 2016-12-15 2019-09-24 Interwise Ltd Deception using screen capture
US11102245B2 (en) 2016-12-15 2021-08-24 Inierwise Ltd. Deception using screen capture
US10524016B2 (en) 2017-12-12 2019-12-31 Stern Ip Holder I, Llc System and method for content monitoring and filtering to improve network efficiency
US10887661B2 (en) 2017-12-12 2021-01-05 Stern Ip Holder I, Llc System and method for content monitoring and filtering to improve network efficiency
US10771503B2 (en) 2018-01-05 2020-09-08 Sap Se Dissuading stolen password reuse
EP3508999A1 (en) * 2018-01-05 2019-07-10 Sap Se Dissuading stolen password reuse
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
EP3644146A1 (en) * 2018-10-26 2020-04-29 Serenicity Device for recording computer intrusion
FR3087910A1 (en) * 2018-10-26 2020-05-01 Serenicity COMPUTER INTRUSION RECORDING DEVICE
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
US11575563B2 (en) 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
CN111885068A (en) * 2020-07-28 2020-11-03 杭州默安科技有限公司 Bypass deployment traffic distribution method and system
CN111885068B (en) * 2020-07-28 2022-11-15 杭州默安科技有限公司 Bypass deployment traffic distribution method and system
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment
CN113709130A (en) * 2021-08-20 2021-11-26 江苏通付盾科技有限公司 Risk identification method and device based on honeypot system

Similar Documents

Publication Publication Date Title
WO2002098100A1 (en) Access control systems
US7941839B2 (en) Countermeasures to automated methods and processes for establishing media streaming connections through firewalls and proxy servers
Holdrege et al. Protocol complications with the IP network address translator
EP1234246B1 (en) System and method for network access without reconfiguration
US8095982B1 (en) Analyzing the security of communication protocols and channels for a pass-through device
US6857009B1 (en) System and method for network access without reconfiguration
EP2105003B1 (en) Method and apparatus to control application messages between a client and a server having a private network address
AU687575B2 (en) Security system for interconnected computer networks
US7391770B1 (en) Network access control system and method using adaptive proxies
De Vivo et al. Internet security attacks at the basic levels
US7072933B1 (en) Network access control using network address translation
US7251824B2 (en) Accessing a private network
US7925693B2 (en) NAT access control with IPSec
US20050060535A1 (en) Methods and apparatus for monitoring local network traffic on local network segments and resolving detected security and network management problems occurring on those segments
US7369537B1 (en) Adaptive Voice-over-Internet-Protocol (VoIP) testing and selecting transport including 3-way proxy, client-to-client, UDP, TCP, SSL, and recipient-connect methods
US20040177276A1 (en) System and method for providing access control
KR20070041438A (en) System and method for automatically initiating and dynamically establishing secure internet connections between a fire-walled server and a fire-walled client
US20050108434A1 (en) In-band firewall for an embedded system
KR20070079781A (en) Intrusion prevention system using extract of http request information and method url cutoff using the same
US20070100998A1 (en) System and method of accessing a resource on a translated network device
Cisco Command Reference
Cisco Command Reference
Cisco Release Notes for the PIX Firewall (Covers all 4.2 versions)
US7979508B1 (en) System and method for improving gateway transparency
JP2011055299A (en) Service protecting system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP