Patents by Inventor Mark L. Wilkinson

Mark L. Wilkinson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170257339
    Abstract: Methods, apparatus, and articles of manufacture for managing logical and physical address state lifecycles are disclosed. An example apparatus includes a network interface to capture a first data packet from a first network, and a data transmitter to transmit the first data packet from the apparatus to a security device, where the security device is to determine whether the first data packet is associated with a threat. The apparatus further includes a table updater to adjust an address resolution protocol (ARP) table of the apparatus to mask a device communicatively coupled to the apparatus from the threat when the apparatus obtains a second data packet, where the second data packet is generated in response to the security device determining that the first data packet is associated with the threat.
    Type: Application
    Filed: March 22, 2017
    Publication date: September 7, 2017
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 9667589
    Abstract: A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: May 30, 2017
    Assignee: TRUSTWAVE HOLDINGS, INC.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 8819285
    Abstract: The invention relates to managing network communications packets on a local segment of a network. If an attack on the network segment is detected, the system creates one or more synthetic hardware addresses for substitution with an existing hardware address. If this substitution is maintained in address resolution tables, packets sent to or from an attacker may be monitored, managed, dropped, or responded to in a controlled manner while preventing communication with sensitive devices on the local network segment. If a permissible packet is sent to the synthetic hardware address, the packet may be reformulated by a server, workstation, smart router, or security device, among others, and sent with the appropriate hardware address. The synthetic hardware address may be a hardware address not associated with a device on the local network segment. For example, the synthetic hardware address may be a synthetic MAC address.
    Type: Grant
    Filed: December 31, 2003
    Date of Patent: August 26, 2014
    Assignee: Trustwave Holdings, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Publication number: 20130311676
    Abstract: A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.
    Type: Application
    Filed: September 4, 2012
    Publication date: November 21, 2013
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 8260961
    Abstract: A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: September 4, 2012
    Assignee: Trustwave Holdings, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 7873998
    Abstract: A method, system, apparatus, and computer-readable medium to detect rapidly propagating threats in a network. A rapidly propagating threat is detected by capturing a series of packets as the packets are communicated to nodes of the organizational network. The rapidly propagating threat can be detected without relying upon a known signature for the threat. Behavior of nodes when sending and receiving packets is examined for patterns typical of worm propagation.
    Type: Grant
    Filed: July 19, 2005
    Date of Patent: January 18, 2011
    Assignee: Trustwave Holdings, Inc.
    Inventors: Mark L. Wilkinson, Dirk Ourston
  • Patent number: 7596808
    Abstract: A method, system, apparatus, and computer-readable medium to enable a set of security device interfaces within a broadcast domain to identify and mitigate attacks. For each address of a device communicating within the broadcast domain, a responsible interface is determined by a zero hop ownership determination algorithm. The algorithm operates by counting a respective number of replies observed by each of multiple interfaces. Each reply is made in response to a respective request for one address. A responsible interface is assigned to the one address using the respective number of replies observed by each respective interface. The algorithm approximates the security device interface physically closest to the address in question without querying the switches themselves and without requiring the security device interface to be in-line on the network.
    Type: Grant
    Filed: April 30, 2004
    Date of Patent: September 29, 2009
    Assignee: TW Acquisition, Inc.
    Inventors: Mark L. Wilkinson, Gregory S. Althaus
  • Patent number: 7506360
    Abstract: A system and method for tracking communication for determining device states. Communication between devices is observed and a respective state of at least one device is inferred. The inference is formed without directly communicating with the device. Various states of the devices include unknown, used, unfulfilled, virtual, omitted, and automatic. The respective state of a device is unknown when the observation shows that the device fails to respond to communication. The respective state of the device is unfulfilled when an ARP request comprising a destination address for the device is observed, and the device does not respond to the ARP request prior to expiration of a time limit. The respective state of a device is determined to be virtual when the observation shows that the device received a packet when its respective state was unfulfilled, and the device did not send a reply to the packet within a time limit.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: March 17, 2009
    Assignee: Mirage Networks, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 7469418
    Abstract: A system, method, and computer-readable medium for deterring network incursion by formulating appropriate responses to attacks. Once an attack is detected, the system may respond in such a manner as to imitate a network device. The system may respond in a manner that provides a high cost to pursue further communication with the system. For example, the system may respond to TCP SYN requests and window probes with messages indicating small packet and window sizes. As such, attempts to send packets to the system have a high network and processing cost. An attacking computer running multiple threads may ultimately slow or be disabled as a result of receiving the responses and attempting to continue to communicate with the system.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: December 23, 2008
    Assignee: Mirage Networks, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels