Luring attackers towards deception servers

Assignee

• Attivo Networks Inc. · US

Inventors

• Venu Vissamsetty · San Jose, US
• Srikant Vissamsetti · Fremont, US
• Muthukumar Lakshmanan · Bengaluru, IN
• Harinath Vishwanath Ramchetty · Kanchinakote, IN
• Vinod Kumar A. Porwal · Bengaluru, IN

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1416
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Endpoints in a computer network create connections to a deception server without sending any payload data. The connections create records of the connection on the endpoints, by which an attacker accesses the deception server. Received packets that include payload data are determined to be unauthorized. The deception server acquires IP addresses in various VLANS and provides these IP addresses to the endpoints over a secure channel. The connections from the endpoints to the deception server are not performed on the secure channel. IP addresses acquired by the deception server are not assigned to an interface. Instead, NAT is used to route packets including the IP addresses to various engagement servers. Each IP address is assigned a unique hostname in order to appear as multiple distinct servers. The deception server further generates broadcast traffic to generate other records that may be used to lure an attacker to the deception server.