System and method for creation, deployment and management of augmented attacker map

US 10,142,367 B2
Filed: 10/02/2017
Issued: 11/27/2018
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system for network surveillance to detect attackers, comprising:

a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy lateral attack vectors in one or more of the resources in the network, wherein a lateral attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network; and

one or more decoy servers accessible from resources in the network, each decoy server comprising;

an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy lateral attack vectors planted in the specific resource by said deployment module; and

a delay module, purposely delaying incoming connections to the decoy server while a resource accesses the decoy server, in order to allow additional time to monitor activity on the decoy server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for network surveillance to detect attackers, including a deception management server within a network of resources, including a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and one or more decoy servers accessible from resources in the network, each decoy server including an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy attack vectors planted in the specific resource by the deployment module, and a delay module, delaying access to data on the decoy server while a resource accesses the decoy server.

123 Citations

17 Claims

1. A system for network surveillance to detect attackers, comprising:
- a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy lateral attack vectors in one or more of the resources in the network, wherein a lateral attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network; and
  
  one or more decoy servers accessible from resources in the network, each decoy server comprising;
  
  an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy lateral attack vectors planted in the specific resource by said deployment module; and
  
  a delay module, purposely delaying incoming connections to the decoy server while a resource accesses the decoy server, in order to allow additional time to monitor activity on the decoy server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein said alert module causes a real-time forensic application to be transmitted to a destination resource in the network when a specific decoy server is being accessed by a specific resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing the specific decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.
  - 3. The system of claim 2 wherein said deception management server further comprises a notification module, transmitting to a notification server a notification that the specific resource in the network accessed the specific decoy server, and information in the forensic report provided by the forensic application, in response to said deception management server receiving the forensic report.
  - 4. The system of claim 1, further comprising an event monitor, recognizing an attempt by a first resource in the network to access a second resource in the network via the decoy attack vectors planted by said deployment module in the first resource, and causing, in response to the recognizing, a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the first resource that is accessing the second resource, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.
  - 5. The system of claim 4 wherein said deception management server further comprises a notification module transmitting a notification that the first resource attempted to access the second resource, and information in the forensic report provided by the forensic application, in response to said deception management server receiving a forensic report from the forensic application running on the destination computer.
  - 6. The system of claim 1 wherein said deception management server further comprises a database of lateral attack vectors, and wherein the one or more decoy lateral attack vectors planted by said deployment processor are lateral attack vectors in said database of lateral attack vectors.
  - 7. The system of claim 6, wherein the lateral attack vectors in said database of lateral attack vectors include at least one member of (i) username and password, (ii) username and authentication ticket, (iii) FTP server address, username and password, (iv) database server address, username and password, and (v) SSH server address, username and password.
  - 8. The system of claim 6 further comprising an update server transmitting, from time to time, updated lateral attack vectors to said database of lateral attack vectors.
  - 9. The system of claim 6, wherein the resources in the network are grouped into multiple groups of resources, wherein said deception management server further comprises a database of policies that specify, for each group of resources on the network, one or more decoy lateral attack vectors to plant in that group of resources, from among the lateral attack vectors in said database of lateral attack vectors, and wherein said deployment processor plants the one or more decoy lateral attack vectors in the groups of resources in accordance with the database of policies.

10. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
- to plant one or more decoy lateral attack vectors in one or more resources in a network of computers, wherein a lateral attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
  
  to recognize that a specific decoy server in the network is being accessed by a specific resource in the network via one or more of the decoy lateral attack vectors planted in the specific resource by said planting;
  
  to purposely delay incoming connections to data on the specific decoy server while the specific resource accesses the decoy server, in order to allow additional time to monitor activity on the decoy server; and
  
  to issue an alert in response to the recognizing.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 wherein the processor further causes the computer to cause a real-time forensic application to be transmitted to a destination resource in response to the recognizing, wherein the forensic application, when launched on the destination resource, is operative:
    - to identify a process running within the specific resource that is accessing the specific decoy server;
      
      to log the activities performed by the thus-identified process in a forensic report; and
      
      to transmit the forensic report to a deception management server.
  - 12. The method of claim 10 wherein the processor further causes the computer:
    - to further recognize an attempt by a first resource in the network to access a second resource in the network via one or more of the decoy lateral attack vectors planted in the first resource; and
      
      to cause a real-time forensic application to be transmitted to a-destination resource, in response to the further recognizing, wherein the forensic application, when launched on the destination resource, is operative;
      
      to identify a process running within the first resource that is attempting to access the second resource;
      
      to log the activities performed by the thus-identified process in a forensic report; and
      
      to transmit the forensic report to a deception management server.
  - 13. The method of claim 10, wherein the decoy attack vectors include at least one member of (i) username and password, (ii) username and authentication ticket, (iii) FTP server address, username and password, (iv) database server address, username and password, and (v) SSH server address, username and password.

14. A system for network surveillance to detect attackers, comprising:
- a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource; and
  
  one or more decoy servers accessible from resources in the network, each decoy server comprising an alert module causing a real-time forensic application to be transmitted to a destination resource in the network when a specific decoy server is being accessed by a specific resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing the specific decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.

15. A system for network surveillance to detect attackers, comprising:
- a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource; and
  
  an event monitor, recognizing an attempt by a first resource in the network to access a second resource in the network via the decoy attack vectors planted by said deployment module in the first resource, and causing, in response to the recognizing, a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the first resource that is accessing the second resource, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.

16. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
- to plant one or more decoy attack vectors in one or more resources in a network of computers, wherein an attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
  
  to recognize that a specific decoy server in the network is being accessed by a specific resource in the network via one or more of the decoy attack vectors planted in the specific resource;
  
  to cause a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched on the destination resource, is operative;
  
  to identify a process running within the specific resource that is accessing the specific decoy server;
  
  to log the activities performed by the thus-identified process in a forensic report; and
  
  to transmit the forensic report to a deception management server.

17. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
- to plant one or more decoy attack vectors in one or more resources in a network of computers, wherein an attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
  
  to recognize an attempt by a first resource in the network to access a second resource in the network via one or more of the decoy attack vectors planted in the first resource; and
  
  to cause a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched on the destination resource, is operative;
  
  to identify a process running within the first resource that is attempting to access the second resource;
  
  to log the activities performed by the thus-identified process in a forensic report; and
  
  to transmit the forensic report to a deception management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US15/722,351
Publication Number

US 20180027017A1
Time in Patent Office

421 Days
Field of Search

726 22- 26, 726 11, 709228, 709220, 709224, 709206, 455410, 714 43
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

System and method for creation, deployment and management of augmented attacker map

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for creation, deployment and management of augmented attacker map

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links