Throughout the history of war, deception has been a cornerstone of successful offense and defense. Indeed, the history of information protection includes many examples of the use of deception for defense including the use of honey pots to gain insight on attacker behavior, the use of lightning rods to draw fire, and the use of program evolution as a technique for defending against automated attacks on operating systems. Even long before computers existed, information protection through deception was widely demonstrated. The history of information protection also demonstrates that the use of deception by attackers far outstrips its use by defenders in this field.
The present invention in one part concerns novel and advanced techniques for using deception in information systems protection. The invention, in further embodiments, comprises independently novel techniques of network emulation and address substitution, which are described herein and should be understood as independent inventions.
In particular embodiments, the present invention utilizes techniques of address translation. Address translation in general is a known technique in the art. FIG. 1B is a block diagram illustrating address translations between a first client network and a second server network using a proxy server as known in the prior art. One common use of translations is to separate an inside network containing internal IP addresses from an outside network, such as the Internet. Consider an office LAN with 100 computers, each having an IP address of the form 10.*.*.*. The computers can talk with any other computer on the LAN, using the 10.*.*.* IP addresses as source and destination addresses in transmitted packets. However, when an inside computer wishes to communicate with an address on the outside Internet, an issue arises in that the internal IP address may not be a valid external IP address. For example, destination addresses beginning with 10. are reserved for private networking and are not routable on the Internet. Also, internal IP addresses may have been assigned without acquiring the corresponding external IP address. So an internal address of 24.24.24.2, for example, may be registered in the external network to another institution. Therefore, while an inside computer 10.n.m.o might be able to transmit a packet out over the Internet with a valid external destination address, no packets can be returned from the external network if the original source address is 10.n.m.o or another invalid IP address, because that address cannot be correctly routed over the external Internet.
A second issue is that valid external IP addresses can be expensive, and an institution with a very large number of computers may not wish to buy a valid external IP address for each computer if it is not necessary. In the simplest case, an institution might wish to use just one external IP address for its entire LAN.
To solve these problems, network administrators use a network computing device or logic module sometimes referred to as a PROXY SERVER or an ADDRESS TRANSLATION GATEWAY (ATG). An ATG sits between a private LAN network or server network and the outside network. It receives any packet on the LAN that is addressed to an outside computer, and translates at least the source address of that packet before placing that packet on the Internet. A return packet is routed back to the ATG using the translated source address as the destination and the ATG or proxy again translates the packet addresses and places the packet on the internal network.
Translations can be accomplished by a variety of techniques known in the art, such as table lookup, rules-based translation algorithms, using port fields to hold portions of an address, or using transmit and response timing to match packets. An ATG keeps track of internal address/external address pairs so that when it receives packets from the external network, they can be sent over the LAN to the correct individual machine. The ATG/proxy function can be performed by logic within another network device (such as a firewall, server, or bridge), or the function can be performed by a dedicated gateway computer. Additional information about gateways, Internet addressing, and subnetworks can be found at www.sohointer.net/learn/gateways.htm and www.sohointer.net/learn/addrs.htm and their referenced pages.
ATG functionality will typically be incorporated with other functions in a network device. Thus, devices acting as firewalls, routers, or servers can include ATG functions. Network-capable devices with ATG functionality are available from a number of different vendors. Some examples of such devices include Cisco routers, the Linux OS, and FreeBSD.
Standard configurations and capabilities provided by such devices include:

1. At least two interfaces for connecting between two separate communication environments (such as a private (or local) network and an outside network).
2. At least one external interface able to detect and receive packets on an external network directed to the ATG's external network addresses.
3. At least one internal interface able to detect and receive packets on said internal network directed to one or more external network addresses.
4. An address translation ability to change source and destination addresses for packets transferred between the internal interface and the external interface.
5. An address facility able to map between external addresses and internal addresses.
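The following Python model is an added illustration of the table-lookup translation described above, not code from the patent: an ATG with one external address rewrites the source address of each outbound packet and uses the port field to tell inside hosts apart, then consults the same table to route return packets back to the correct internal machine (and drops return traffic for which it holds no mapping). The class and field names are assumptions chosen for this example, and the addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the fields the gateway rewrites (hypothetical minimal header)."""
    src: str
    sport: int
    dst: str
    dport: int


class AddressTranslationGateway:
    """Table-lookup ATG: one external address, inside hosts distinguished
    by the external port handed out for each (internal ip, port) pair."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # outbound table: (internal ip, internal port) -> external port
        self.out_table: Dict[Tuple[str, int], int] = {}
        # inbound table: external port -> (internal ip, internal port)
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet's source so replies reach the ATG."""
        key = (pkt.src, pkt.sport)
        ext_port = self.out_table.get(key)
        if ext_port is None:
            # First packet of this inside flow: allocate a fresh external
            # port and record the pair in both directions.
            ext_port = self.next_port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a return packet back to the inside host, or None to drop."""
        if pkt.dst != self.external_ip:
            return None  # not addressed to this gateway
        entry = self.in_table.get(pkt.dport)
        if entry is None:
            return None  # no inside owner for this port: unsolicited
        internal_ip, internal_port = entry
        return Packet(pkt.src, pkt.sport, internal_ip, internal_port)
```

Note that the inbound check is also what keeps unsolicited external traffic from reaching 10.*.*.* hosts: without a recorded pair, the gateway has nowhere to send it.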
The inventor has written a number of papers and books regarding network and data security deception. Many of these writings are available at http://all.net/. A few papers of interest are listed in the section below.