System and method for analyzing unauthorized intrusion into a computer network
Abstract
The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for analyzing unauthorized intrusion into a computer network, the method comprising:
allowing access to an apparently vulnerable virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device; using an introspection module comprising a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and generating forensic data on the network attack from the attack-identifying information.
2 . The method of claim 1 , further comprising:
generating an attack signature from the forensic data; and providing the attack signature to an intrusion prevention system configured to control access to a protected network using the attack signature to identify subsequent attacks.
3 . The method of claim 2 , further comprising controlling access to the protected network using the attack signature.
4 . The method of claim 2 , wherein the attack signature is automatically generated by the system without human intervention.
5 . The method of claim 1 , further comprising, before the allowing, opening a port on the virtualized decoy operating system through which the network attack is made.
6 . The method of claim 1 , further comprising:
allowing access to an additional virtualized decoy operating system running on the hypervisor operating system; using the virtual-machine-based rootkit module to intercept an additional network attack on the additional virtualized operating system, wherein the additional network attack includes additional attack-identifying information; and generating additional forensic data on the additional network attack from the additional attack-identifying information.
7 . The method of claim 6 , further comprising:
generating an additional attack signature from the additional forensic data; and providing the additional attack signature to an intrusion prevention system configured to control access to a protected network using the attack-identifying information.
8 . The method of claim 1 , wherein the virtualized decoy operating system and the additional virtualized decoy operating system are different types of operating systems.
9 . The method of claim 1 , wherein said forensic data is generated based on an attack payload including keystrokes, ASCII, or binary files.
10 . The method of claim 1 , wherein the attack forensics are generated if an attacker is able to successfully gain access to the virtualized decoy operating system.
11 . The method of claim 1 , further comprising providing a report of said network attack to a network administrator.
12 . The method of claim 1 , further comprising storing the attack forensics in a database.
13 . A system for analyzing unauthorized intrusion into a computer network, the system comprising:
a virtualized operating system module comprising:
a hypervisor operating system comprising:
at least one virtualized decoy operating system;
a virtual-machine-based rootkit configured to intercept a network attack on the virtualized operating system, wherein the network attack includes transmission of attack-identifying information; and
a processing module electrically coupled to the introspection module via a network interface communication channel, wherein the processing module comprises: a database configured to store forensic data on the network attack.
14 . The system of claim 13 , wherein the processing module further comprises an attack signature-generation engine configured to generate an attack signature from the forensic data on the network attack, wherein attack signatures may be generated on a timescale ranging from near-immediate to several minutes after initiation of an attack.
15 . The system of claim 14 , wherein the processing module further comprises a web-based visualization interface that facilitates configuration of the system and forensic analysis of captured attack information by administrators.
16 . The system of claim 15 , further comprising an intrusion prevention system electrically coupled to the signature-generation engine.
17 . The system of claim 13 , wherein the intrusion detection system is configured to prevent unauthorized intrusion into a protected computer network.
18 . The system of claim 13 , wherein the network interface communication channel is a private channel.
19 . The system of claim 13 , wherein the virtualized operating system module includes multiple virtualized decoy operating systems on the hypervisor operating system.
20 . The system of claim 13 , wherein the attack forensics are based on an attack payload including keystrokes or ASCII or binary files.
21 . The system of claim 13 , wherein the virtualized operating system module and the processing module are contained in memory on the same or separate computing devices that each includes a processor.
22 . A computing device configured for analyzing unauthorized intrusion into a computer network, the device comprising:
a processor; and memory coupled to the processor, wherein the memory comprises procedures for: allowing access to a virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device; using an introspection module running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and generating forensic data on the network attack from the attack-identifying information.
23 . The computing device of claim 22 , further comprising a web-based visualization module comprising procedures for:
analyzing forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases; and configuring the system, wherein an administrator can tune the system's behavior, including its pattern matching facilities, as well as automate the system's response to attack-identifying information captured by the introspection module and automate its response to forensic data generated by the signature-generation engine and any information stored on the processing module's relational databases.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.