Patents Assigned to Mirage Networks, Inc.
  • Patent number: 7506360
    Abstract: A system and method for tracking communication for determining device states. Communication between devices is observed and a respective state of at least one device is inferred. The inference is formed without directly communicating with the device. Various states of the devices include unknown, used, unfulfilled, virtual, omitted, and automatic. The respective state of a device is unknown when the observation shows that the device fails to respond to communication. The respective state of the device is unfulfilled when an ARP request comprising a destination address for the device is observed, and the device does not respond to the ARP request prior to expiration of a time limit. The respective state of a device is determined to be virtual when the observation shows that the device received a packet when its respective state was unfulfilled, and the device did not send a reply to the packet within a time limit.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: March 17, 2009
    Assignee: Mirage Networks, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 7499999
    Abstract: The present invention includes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.
    Type: Grant
    Filed: May 31, 2006
    Date of Patent: March 3, 2009
    Assignee: Mirage Networks, Inc.
    Inventors: Steven R. Ocepek, Brian A. Lauer, David A. Dziadziola
  • Patent number: 7469418
    Abstract: A system, method, and computer-readable medium for deterring network incursion by formulating appropriate responses to attacks. Once an attack is detected, the system may respond in such a manner as to imitate a network device. The system may respond in a manner that provides a high cost to pursue further communication with the system. For example, the system may respond to TCP SYN requests and window probes with messages indicating small packet and window sizes. As such, attempts to send packets to the system have a high network and processing cost. An attacking computer running multiple threads may ultimately slow or be disabled as a result of receiving the responses and attempting to continue to communicate with the system.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: December 23, 2008
    Assignee: Mirage Networks, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 7448076
    Abstract: A peer connected device for controlling access by a client device to protected devices on a computer network. The peer connected device has a central processing unit and a network interface configured to receive address resolution requests broadcast on the computer network by the client device seeking access to one of the protected devices and to transmit address resolution replies generated by the apparatus on the computer network.
    Type: Grant
    Filed: October 22, 2002
    Date of Patent: November 4, 2008
    Assignee: Mirage Networks, Inc.
    Inventors: Steven R. Ocepek, Brian A. Lauer, David A. Dziadziola
  • Patent number: 7124197
    Abstract: The present invention includes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.
    Type: Grant
    Filed: October 22, 2002
    Date of Patent: October 17, 2006
    Assignee: Mirage Networks, Inc.
    Inventors: Steven R. Ocepek, Brian A. Lauer, David A. Dziadziola