Invented by Taylor Ettema, Huagang Xie, Palo Alto Networks Inc

In today’s digital age, cybersecurity threats are becoming increasingly sophisticated and difficult to detect. One of the evasion techniques used by sophisticated attackers is IP checking and peer checking: before malware exposes its real behaviour, it verifies that the IP address it is operating behind and the other devices it can see on the local network match the target it was built for, so that a generic analysis sandbox never triggers it. To counter this, the invention integrates an IP honey network with the target network.

An IP honey network is a decoy network built to resemble the real target network. It is isolated from the production network and holds no sensitive data, so any activity on it is suspicious by definition, and it is monitored closely. By cloning the attributes of real devices into the honey network, the defender lets the attacker’s checks succeed, which lures the attacker into carrying out the full attack against the decoy rather than aborting. That exposes the tactics, techniques and procedures the attacker would otherwise withhold, and the resulting intelligence can be used to detect, block and attribute the intrusion.

Beyond detection, a honey network can support an organization’s case that it takes proactive steps to protect data in regulated industries such as healthcare and finance, although it is not a substitute for the controls those regulations actually require.

Implementing an IP honey network is not without its challenges. It requires a significant investment in time and resources to set up and maintain, and the honey network must be kept isolated from the production network and must contain no sensitive data. Failure to do so could turn the decoy into a breach of real data, with significant financial and reputational damage.

In conclusion, interest in integrating an IP honey network with a target network to counter peer-checking and IP evasion techniques is growing. Businesses and organizations increasingly recognize the value of proactive cybersecurity measures and are investing in technologies that detect and disrupt intrusions early. While implementing an IP honey network has real costs, the benefits are significant: it yields adversary intelligence that a conventional sandbox cannot, and it helps organizations protect their data and support their regulatory obligations.

The Palo Alto Networks Inc invention works as follows

Techniques are disclosed for integrating a honey network with a target network environment (e.g. an enterprise network) in order to counter IP checking and peer checking evasion techniques. A system for integrating a honey network with a target network environment includes a device profile data store that contains a plurality of attributes for each of a plurality of devices in the target network environment; a virtual clone manager, executed on a processor, that instantiates virtual clones of one or more of the devices in the target network environment based on one or more of the attributes stored for those devices in the device profile data store; and a honey policy that routes an external network communication from the virtual clone of a target device through the honey network environment.

Background for Integrating an IP honey network with a target network to counter peer-checking and IP evasion techniques

A firewall protects networks against unauthorized access while allowing authorized communications to pass through it. A firewall is typically a device, a group of devices, or software executed on a device that provides a firewall function for network access. Firewalls can be integrated into the operating systems of various devices, such as computers, smart phones and other network communication-capable devices. Firewalls may also be integrated into, or executed as software on, computer servers, gateways, network/routing devices (e.g. network routers) or data appliances (e.g. security appliances or other special purpose devices).

Firewalls are designed to deny or allow network transmissions based on a set of rules. These rules are also referred to as policies. A firewall can, for example, filter inbound traffic by applying a set of rules or policies, and can likewise filter outbound traffic using a set of rules or policies. Firewalls are also capable of basic routing functions.

The invention may be implemented in many ways: as a process, an apparatus, a system, a composition of matter, a computer program product, and/or a processor, such as one configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, and any other form the invention may take, are referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or as a specific component that is manufactured to perform the task. As used herein, the term “processor” refers to one or more devices, circuits and/or processing cores configured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate its principles. The invention is described in connection with these embodiments, but it is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example; the invention may be practiced according to the claims without some or all of them. For clarity, technical material that is well known in the fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.

Advanced or Next Generation Firewalls

A firewall protects networks against unauthorized access while allowing authorized communications to pass through it. A firewall is typically a device, a group of devices, or software executed on a device that provides a firewall function for network access. Firewalls can be integrated into the operating systems of devices such as computers, smart phones and other network communication-capable devices. Firewalls can also be integrated into, or executed as software applications on, various types of devices or security devices, including computer servers, gateways, network/routing devices (e.g. network routers) and data appliances (e.g. security appliances or other special purpose devices). In some implementations, special purpose hardware such as an ASIC or FPGA is used to execute certain operations.

Firewalls are designed to deny or allow network transmissions based on a set of rules. These rules are commonly referred to as policies (e.g. network policies or network security policies). A firewall can, for example, filter inbound traffic by applying a set of rules or policies that prevents unwanted outside traffic from reaching protected devices, and can filter outbound traffic using a set of rules or policies. The actions in such policies can include allow, block, monitor, notify, log and/or other actions. A firewall can similarly filter local network (e.g. intranet) traffic by applying a set of rules or policies.

Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) can perform various security operations (e.g., firewall, anti-malware, intrusion prevention/detection, proxy, and/or other security functions), networking functions (e.g., routing, Quality of Service (QoS), workload balancing of network related resources, and/or other networking functions), and/or other security and/or networking related operations. Routing can be performed based on source information (e.g. IP address and port), destination information (e.g. IP address and port), and protocol information.

A basic packet filtering firewall inspects network communication traffic packet by packet (e.g. packet filtering firewalls or first generation firewalls, which are stateless packet filtering firewalls). A stateless packet filtering firewall inspects each packet on its own and applies its rules based on that packet’s header fields, without regard to any connection the packet belongs to.

Application firewalls can also perform application layer filtering (e.g. application layer filtering firewalls or second generation firewalls, which work at the application level of the TCP/IP stack). Application layer filtering firewalls are generally able to identify certain applications and protocols (e.g. web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and protocols such as Telnet, DHCP, TCP, UDP and TFTP (GSS)). An application firewall can, for example, block unauthorized protocols that attempt to communicate over a standard port (e.g. an out-of-policy protocol attempting to sneak through by using a nonstandard port for that protocol can generally be identified using an application firewall).

Stateful firewalls can also perform stateful packet inspection, in which each packet is examined in the context of the series of packets associated with that network transmission’s packet flow (e.g. stateful firewalls or third generation firewalls). This firewall technique is generally referred to as stateful packet inspection: it maintains records of all connections passing through the firewall and can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. The state of a connection, for example, can itself be a criterion that triggers a rule within a policy.
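The three filtering generations described above (per-packet stateless rules, application identification independent of port, and connection tracking) are easiest to compare on the same traffic. The following Python simulation is an added example, not code from the patent or from Palo Alto Networks: it runs a constructed TCP trace through a toy stateful firewall and shows a stray packet that a stateless rule would pass but connection tracking rejects, and an SSH session tunnelled over port 443 that port rules admit but application identification catches. The subnet, addresses, ports, payload bytes, protocol signatures and the `APP_POLICY` table are all made up for the illustration.

```python
"""Stateless, application-aware and stateful filtering over a constructed
packet trace. Added illustration for the firewall generations described
above; not code from the patent or from Palo Alto Networks. All addresses,
ports, payload bytes and policy tables below are made up."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."                  # hypothetical protected subnet prefix
# Applications allowed per server port (toy stand-in for an App-ID policy)
APP_POLICY = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    payload: bytes = b""


def stateless_allow(pkt):
    """First-generation rule set: decide from this packet's header alone.
    Inside hosts may send anything; outside hosts may only reach 80 and 443."""
    if pkt.src.startswith(INSIDE_NET):
        return True
    return pkt.dport in (80, 443)


def identify_app(payload):
    """Second-generation-style application identification from the first
    payload bytes, independent of the port in use. The signatures are a tiny
    illustrative subset, not a real application signature database."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http"
    if payload.startswith(b"\x16\x03"):      # TLS record header, handshake
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


class StatefulFirewall:
    """Third-generation inspection: every packet is judged in the context of
    its connection, and the first payload of a connection is classified so an
    out-of-policy application on an allowed port is still caught."""

    def __init__(self):
        self.table = {}     # (src, sport, dst, dport) of the initiator -> state

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def classify(self, pkt):
        """'new' (SYN without a known connection), 'established' (matches a
        tracked connection in either direction) or 'invalid' (neither)."""
        if self._key(pkt) in self.table or self._reverse(pkt) in self.table:
            return "established"
        if pkt.flags == frozenset({"SYN"}):
            return "new"
        return "invalid"

    def process(self, pkt):
        state = self.classify(pkt)
        if state == "invalid":
            return "drop"                   # mid-stream packet with no connection
        if state == "new":
            if not stateless_allow(pkt):
                return "drop"
            self.table[self._key(pkt)] = {"app": None}
            return "allow"
        key = self._key(pkt) if self._key(pkt) in self.table else self._reverse(pkt)
        entry = self.table[key]
        if pkt.payload and entry["app"] is None:
            entry["app"] = identify_app(pkt.payload)
            if entry["app"] not in APP_POLICY.get(key[3], set()):
                del self.table[key]          # tear the flow down
                return "drop"
        return "allow"


def run_demo():
    """Run a constructed trace through the stateful firewall; returns the
    verdict for each packet in order."""
    fw = StatefulFirewall()
    outside, inside = "203.0.113.5", "10.0.0.20"
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [
        # 1-3: outside client opens HTTPS to the inside web server; TLS on 443 is in policy
        Packet(outside, 40001, inside, 443, syn),
        Packet(inside, 443, outside, 40001, synack),
        Packet(outside, 40001, inside, 443, ack, b"\x16\x03\x01\x00\xf4\x01"),
        # 4: stray ACK to 443 with no connection; a stateless rule would pass it
        Packet(outside, 40002, inside, 443, ack),
        # 5-7: inside host tunnels SSH to an outside server's port 443; the port is
        #      allowed but App-ID classifies the payload as ssh, which 443 does not permit
        Packet(inside, 50000, outside, 443, syn),
        Packet(outside, 443, inside, 50000, synack),
        Packet(inside, 50000, outside, 443, ack, b"SSH-2.0-OpenSSH_9.6\r\n"),
        # 8: outside scan of the inside host's port 22, refused at connection setup
        Packet(outside, 40003, inside, 22, syn),
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_demo())
```

The connection table is keyed by the initiator’s 5-tuple and consulted in both directions, which is what lets the reply packets in steps 2 and 6 through while the unsolicited ACK in step 4 is dropped. Classifying only the first payload of each connection keeps the per-packet cost low; a real engine would also handle fragmentation, TCP state transitions and connection timeouts, which this toy omits.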

Advanced or next generation firewalls can perform stateless and stateful packet filtering as well as application layer filtering, as discussed above. Next generation firewalls can also perform additional firewall techniques. Some newer firewalls, sometimes referred to as advanced or next generation firewalls, can also identify users and content. In particular, certain next generation firewalls expand the list of applications they can automatically identify to thousands of applications. Examples of such next generation firewalls are commercially available from Palo Alto Networks, Inc. (e.g. Palo Alto Networks’ PA Series firewalls).

Palo Alto Networks’ next generation firewalls enable enterprises to identify and control applications, users and content, not just ports, IP addresses and packets, using various identification technologies such as App-ID, User-ID, Content-ID and File-ID. This allows real-time scanning of content and control over web surfing, data transfer and file transfer. These identification technologies allow enterprises to securely enable application usage using business-relevant concepts instead of the traditional port-blocking approach. Special purpose hardware, such as dedicated appliances, can also provide higher performance for application inspection than software executing on general purpose hardware; dedicated next generation firewall appliances are an example of such special purpose hardware.

Dynamic Analysis for Advanced Threats

A significant challenge for security detection techniques is identifying threats (e.g. malware, meaning malicious programs that attempt to perform malicious or undesired actions). One example is a new zero-day threat or advanced threat such as an Advanced Persistent Threat (APT): a program that attempts to perform malicious or undesired actions, often under external command and control (C&C) that monitors and extracts data from specific targets. Such sophisticated adversaries also employ stealthy, persistent methods that evade traditional security measures such as signature-based malware detection.

In particular, modern attackers use new and targeted variants of malware to avoid detection by traditional security solutions, and advanced threats such as advanced cyber-attacks use stealthy, persistent techniques to bypass traditional security measures. Security teams must therefore revisit the assumption that traditional antivirus and intrusion prevention systems can defeat advanced threats such as APTs.

Addressing this problem requires new and improved techniques that efficiently and effectively identify such advanced threats. Executing suspect files (e.g. malware samples) in a virtual environment (e.g. an instrumented virtual environment, also referred to as sandbox analysis of malware samples) and observing their behavior can quickly and accurately identify such malware, even if it has not previously been detected and analyzed.

Once a file is deemed malicious (e.g. a malware sample is determined to be malware), protections can be automatically generated using, for example, a cloud security service (e.g. one that implements dynamic security analysis of malware samples in a scalable cloud-based virtual environment to observe the behavior and exploits of potentially malicious software) and delivered to subscribers of the cloud security service (e.g. within minutes to hours of detection). For example, such techniques can determine who or what was targeted, the application used in the delivery, and any Uniform Resource Locators (URLs) involved. Protections can then be automatically generated using the cloud security service, which identifies unknown malware and exploits by executing them in a cloud-based virtual environment (also referred to as an instrumented virtual environment, provided by Palo Alto Networks, Inc.) and using dynamic analysis to identify unknown threats and block them. In one embodiment, the cloud security service creates and distributes protections in near real-time to help security teams meet the challenge of advanced security threats. For example, the cloud security service can extend the next generation firewall platform, which natively classifies all traffic across many different applications, so that behavioral analysis is applied regardless of port or encryption, with full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP, SMB and/or other protocols. This allows detection and dissemination of protections in near real-time to counter advanced security threats.

However, skilled attackers can detect existing techniques that use an instrumented virtual machine (VM) environment, because they may be able to determine whether the malware is executing on the intended target host or in the target network environment. Existing sandbox approaches to malware detection typically install only one version of software (e.g. applications or other software) per VM instance. Some existing approaches execute multiple VM instances with different software configurations (e.g. multiple VM instances that execute concurrently or sequentially in the VM environment). However, these approaches do not synchronize various attributes of a target host with the respective software configurations of the VM instances, and they do not emulate other devices in the target network environment (e.g. a target host’s network printer, a file share/server, a DNS server, an email server, a proxy server, other clients, and/or other devices in the target network environment).

Even though VM environments are currently used for malware detection and security analysis, they typically analyze discrete events, such as the download of a malware sample and any subsequent activity, in a standalone sandbox that executes one or two VM instances with fixed configurations. These can be implemented using a cloud solution or an appliance-based solution. Existing approaches, for example, attempt to simulate only a single host: although they may allow access to the Internet, they do not allow local network communication within the target network. They are therefore limited in their ability to analyze the environment, and they allow only a short execution time, typically between one and five minutes in the VM instance. An APT attack, by contrast, is typically carried out over a longer period by a skilled attacker performing a targeted attack (e.g. directing malware or communications to a particular target host), and such an attacker can often detect that the VM instance does not have the expected and/or previously observed attributes of the target host. For example, an attacker performing an APT attack against a host in a target network expects to see other devices in the network environment that communicate with the target host (e.g. in logs and/or local configuration information on the target host, and/or through network scans of devices in the target environment using Nmap or other network scanning tools).

Existing approaches to implementing VM environments are thus insufficient to defeat the various anti-VM techniques attackers use to detect whether their malware is executing in a VM environment, because the VM environments used for security analysis do not provide a realistic enough emulation of the target host or the target network environment. Consider an attacker attempting an APT attack against a target host in a target network environment. Even if the VM environment includes some features intended to fool the attacker, such as a customized VM with attributes similar to those of the target host, this would not suffice, because the attacker can also detect the absence of the other devices expected in the environment. An attacker typically will not expose all of their tactics, techniques and procedures (TTPs), and may terminate the attack, once they detect or suspect that they are operating in an analysis environment. As a result, insufficient and inadequate adversary intelligence (e.g. intelligence about APT attacks or attackers) is obtained using existing approaches to VM environments for security analysis.
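The system summarized at the top of the page (a device profile data store, a virtual clone manager, and a honey policy for the clone’s external traffic) exists precisely to defeat the host, IP and peer checks described in the last three paragraphs. The following Python simulation is an added example, not code from the patent or from Palo Alto Networks: it models the attacker-side check an evasive sample might run before detonating, then evaluates it against a conventional single-VM sandbox, against a clone of the target host with only one peer emulated, and against a honey network whose clones are instantiated from the stored profiles. Every hostname, address, service list and the recon expectations are constructed; the assumption that the honey policy makes the clone’s traffic egress from the target organisation’s own public address is the author’s reading of the summary, not a detail the page states.

```python
"""Simulation of the attacker-side IP/peer check and of a honey network built
from synchronised device profiles. Added example, not code from the patent or
from Palo Alto Networks; every hostname, address and service here is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceProfile:
    hostname: str
    ip: str
    os: str
    services: frozenset      # open TCP ports, as a network scan would reveal them
    role: str


# Device profile data store: the attributes of devices in the target network.
PROFILE_DB = {
    "ws-finance-17": DeviceProfile("ws-finance-17", "10.20.3.17", "Windows 10 22H2",
                                   frozenset({135, 445, 3389}), "workstation"),
    "fs01": DeviceProfile("fs01", "10.20.1.5", "Windows Server 2019",
                          frozenset({135, 445}), "fileserver"),
    "prn-3f": DeviceProfile("prn-3f", "10.20.3.250", "Printer firmware",
                            frozenset({9100, 631}), "printer"),
    "dns01": DeviceProfile("dns01", "10.20.1.2", "Linux", frozenset({53}), "dns"),
    "mail01": DeviceProfile("mail01", "10.20.1.10", "Linux",
                            frozenset({25, 143, 993}), "mail"),
}
TARGET_EGRESS_IP = "198.51.100.7"   # public address the target is seen from (constructed)


@dataclass
class Environment:
    """What a malware sample can observe from inside the host it runs on."""
    host: DeviceProfile
    peers: dict              # ip -> DeviceProfile reachable on the local network
    egress_ip: str           # source address a C2 server sees for this host's traffic


# --- attacker side ---------------------------------------------------------
# Expectations an attacker compiled during reconnaissance of the real target
# (constructed for the example).
EXPECTED = {
    "hostname": "ws-finance-17",
    "subnet": "10.20.",
    "egress_ip": TARGET_EGRESS_IP,
    "peers": {"10.20.1.5": 445, "10.20.3.250": 9100, "10.20.1.2": 53, "10.20.1.10": 25},
}


def evasion_check(env, expected=EXPECTED, min_peers=3):
    """Reproduce the host check, IP check and peer check an evasive sample
    performs before detonating. Returns each sub-result and the decision."""
    host_ok = (env.host.hostname == expected["hostname"]
               and env.host.ip.startswith(expected["subnet"]))
    ip_ok = env.egress_ip == expected["egress_ip"]          # IP checking
    peers_seen = sum(1 for ip, port in expected["peers"].items()   # peer checking
                     if ip in env.peers and port in env.peers[ip].services)
    return {"host": host_ok, "ip": ip_ok, "peers": peers_seen,
            "detonate": host_ok and ip_ok and peers_seen >= min_peers}


# --- defender side ---------------------------------------------------------
def clone_devices(profile_db, target, peer_roles):
    """Virtual clone manager: instantiate a clone of the target from its stored
    attributes plus clones of the peers with the given roles. The honey policy
    is assumed to route the clone's external traffic out through the target's
    own public address (an assumption of this example)."""
    host = profile_db[target]
    peers = {p.ip: p for p in profile_db.values()
             if p.role in peer_roles and p.hostname != target}
    return Environment(host=host, peers=peers, egress_ip=TARGET_EGRESS_IP)


def standalone_sandbox():
    """A conventional single-VM sandbox: generic host, no local peers, traffic
    leaving through the analysis service's own address."""
    generic = DeviceProfile("WIN-ANALYSIS01", "192.168.56.101", "Windows 10 22H2",
                            frozenset({135, 445}), "workstation")
    return Environment(host=generic, peers={}, egress_ip="192.0.2.44")


def run_demo():
    """Evaluate the attacker's check against three analysis environments."""
    sandbox = evasion_check(standalone_sandbox())
    partial = evasion_check(clone_devices(PROFILE_DB, "ws-finance-17", {"fileserver"}))
    honey = evasion_check(clone_devices(
        PROFILE_DB, "ws-finance-17", {"fileserver", "printer", "dns", "mail"}))
    return sandbox, partial, honey


if __name__ == "__main__":
    for name, result in zip(("sandbox", "partial clone", "honey network"), run_demo()):
        print(f"{name:14s} {result}")
```

Only the full honey network passes: the generic sandbox fails every sub-check, and the customized VM with a single emulated peer passes the host and IP checks but not the peer check, which is the failure the background describes. In practice the profile data store would be populated from real inventory, the peer services would be answered by emulated listeners rather than a dict lookup, and the egress routing would be enforced by the honey policy on the firewall; the decision logic of the check, and why synchronised attributes defeat it, is what the simulation shows.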
