Title of invention: Intrusion and misuse deterrence system employing a virtual network
Abstract: A method and apparatus are disclosed for increasing the security of computer networks through the use of an Intrusion and Misuse Deterrence System (IMDS) operating on the network. The IMDS is a system that creates a synthetic network complete with synthetic hosts and routers. It is comprised of a network server with associated application software that appears, to a network intruder, to be a legitimate portion of a real network. The IMDS consequently invites inquiry and entices the intruder away from the real network. Simulated services are configured to appear to be running on virtual clients with globally unique, class "C" IP addresses. Since there are no legitimate users of the virtual network simulated by the IMDS, all such activity must be inappropriate and can be treated as such. Consequently, the entire set of transactions by an intruder can be collected and identified, rather than just those transactions that meet a predefined attack profile. Also, new exploits and attacks are handled just as effectively as known attacks, resulting in better identification of attack methodologies as well as the identification and analysis of new attack types. Since the IMDS only has to be concerned with the traffic going to its simulated hosts, it additionally eliminates the bandwidth limitation that plagues a traditional IDS.
Publication number: US8955095(B2) Publication date: 2015.02.10
Application number: US201113153541 Filing date: 2011.06.06
Applicants: Verizon Corporate Services Group, Inc.; Level 3 Communications LLC; Raytheon BBN Technologies Corp. Inventors: Roesch Martin F.; Gula Ronald J.
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method to be practiced on a computer, said method comprising: receiving, by operation of said computer, via a router in a network including said router, a packet from an intruder entity located outside of said network; routing, by operation of said computer, said packet from said router to a network address translator (NAT) within said network, said NAT mapping said packet to a selected virtual port; determining, by operation of said computer, a proper route for said mapped packet and sending said mapped packet within said network and via said proper route to a packet filter; blocking, by operation of said packet filter, simultaneous access by said mapped packet to virtual ports other than said selected port; forwarding, by operation of said computer, said mapped packet within said network to an Internet Services Daemon (ISD) which executes a correct facade service based on said selected port; and by operation of said computer, responding to said mapped packet appropriately by returning, via said router, a response packet to said intruder entity located outside of said network.
Address: Basking Ridge NJ US