Scarecrow for data security

US 10,171,494 B2
Filed: 02/16/2016
Issued: 01/01/2019
Est. Priority Date: 02/16/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving information pertaining to network data traffic being communicated between a protected resource that is network accessible and a plurality of computers, including a first computer that is at least partially under the control of a user;

determining, by machine logic performed by a machine, and based at least in part on a set of detection rules, and the information, that the plurality of computers are acting in concert to perform a hacking transaction with respect to the protected resource; and

in response to determining that the plurality of computers are acting in concert to perform the hacking transaction;

generating, by machine logic performed by a machine, a plurality of scarecrow messages, respectively corresponding to the plurality of computers, designed for display in human understandable form and format,sending the plurality of scarecrow messages, through a network communication channel, to respectively corresponding computers of the plurality of computers, andsending, by machine logic performed by a machine, a security alert to a security product;

wherein;

the set of detection rules enables detection of at least one indicator of a hacking transaction where the indicator of the hacking transaction is any set of communication(s) from the first computer that tend to indicate that the first computer is engaged in subverting security of the protected resource; and

each respective scarecrow message is a customized warning message, the content of which comprises an element that is selected from the group consisting of;

an internet protocol (IP) address associated with the respectively corresponding computer;

a phantom background process; and

a log-in chain associated with the respectively corresponding computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product and/or system receives information pertaining to network data traffic from and/or to a network accessible resource, analyzes the information to determine whether a user is engaged in potential hacking transaction(s) with respect to the resource. On condition that the user is determined to be engaged in potential hacking transaction(s), a “scarecrow” message designed for display to the user, is generated and sent to the user.

Citations

15 Claims

1. A computer-implemented method comprising:
- receiving information pertaining to network data traffic being communicated between a protected resource that is network accessible and a plurality of computers, including a first computer that is at least partially under the control of a user;
  
  determining, by machine logic performed by a machine, and based at least in part on a set of detection rules, and the information, that the plurality of computers are acting in concert to perform a hacking transaction with respect to the protected resource; and
  
  in response to determining that the plurality of computers are acting in concert to perform the hacking transaction;
  
  generating, by machine logic performed by a machine, a plurality of scarecrow messages, respectively corresponding to the plurality of computers, designed for display in human understandable form and format,sending the plurality of scarecrow messages, through a network communication channel, to respectively corresponding computers of the plurality of computers, andsending, by machine logic performed by a machine, a security alert to a security product;
  
  wherein;
  
  the set of detection rules enables detection of at least one indicator of a hacking transaction where the indicator of the hacking transaction is any set of communication(s) from the first computer that tend to indicate that the first computer is engaged in subverting security of the protected resource; and
  
  each respective scarecrow message is a customized warning message, the content of which comprises an element that is selected from the group consisting of;
  
  an internet protocol (IP) address associated with the respectively corresponding computer;
  
  a phantom background process; and
  
  a log-in chain associated with the respectively corresponding computer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1 wherein an indicator of a hacking transaction is based on information associated with the user'"'"'s access to the protected resource and a set of access rules defined for access to the protected resource, and the indicator is selected from the group consisting of:
    - (i) an indication that the user has previously engaged in a hacking transaction;
      
      (ii) the protected resource receives a plurality of requests from the user'"'"'s computer at a rate that exceeds a pre-determined threshold;
      
      (iii) data access attempts received by the protected resource, and from the first computer, generate errors at a rate exceeding a pre-defined threshold; and
      
      (iv) a hostname associated with the first computer exists in more than a pre-defined threshold number of sessions with the protected resource.
  - 3. The computer-implemented method of claim 1 further comprising:
    - determining that the first computer is attempting to access data from the protected resource;
      
      in response to determining that the first computer is attempting to access data from the protected resource;
      
      receiving, from the protected resource, the data,altering the data to generate altered data, andsending, through a network communication channel, the altered data to the first computer.
  - 4. The computer-implemented method of claim 1 wherein:
    - the scarecrow message is sent to the first computer in a form and format that is displayable by software running on the first computer.
  - 5. The computer-implemented method of claim 3 wherein altering the data includes an action selected from the group consisting of:
    - (i) adding an electronic watermark to the data;
      
      (ii) preventing transmission to the first computer of at least a portion of the data; and
      
      (iii) substituting transformed data in place of at least a portion of the data.

6. A computer program product comprising a computer readable storage medium having stored thereon:
- first program instructions programmed to receive information pertaining to network data traffic being communicated between a protected resource that is network accessible and a plurality of computers, including a first computer that is at least partially under the control of a user;
  
  second program instructions programmed to determine, by machine logic performed by a machine, and based at least in part on a set of detection rules, and the information, that the plurality of computers are acting in concert to perform a hacking transaction with respect to the protected resource; and
  
  in response to determining that the plurality of computers are acting in concert to perform the hacking transaction;
  
  third program instructions programmed to generate a plurality of scarecrow messages, respectively corresponding to the plurality of computers, designed for display in human understandable form and format,fourth program instructions programmed to send the plurality of scarecrow messages, through a network communication channel, to the respectively corresponding computers of the plurality of computers, andfifth program instructions programmed to send a security alert to a security product;
  
  wherein;
  
  the set of detection rules enables detection of at least one indicator of a hacking transaction where the indicator of the hacking transaction is as any set of communication(s) from the first computer that tend to indicate that the first computer is engaged in subverting security of the protected resource; and
  
  each respective scarecrow message is a customized warning message, the content of which comprises an element that is selected from the group consisting of;
  
  an internet protocol (IP) address associated with the respectively corresponding computer;
  
  a phantom background process; and
  
  a log-in chain associated with the respectively corresponding computer.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6 wherein an indicator of a hacking transaction is based on information associated with the user'"'"'s access to the protected resource and a set of access rules defined for access to the protected resource, and the indicator is selected from the group consisting of:
    - (i) an indication that the user has previously engaged in a hacking transaction;
      
      (ii) the protected resource receives a plurality of requests from the user'"'"'s computer at a rate that exceeds a pre-determined threshold;
      
      (iii) data access attempts received by the protected resource, and from the user'"'"'s computer, generate errors at a rate exceeding a pre-defined threshold; and
      
      (iv) a hostname associated with the user'"'"'s computer exists in more than a pre-defined threshold number of sessions with the protected resource.
  - 8. The computer program product of claim 6 further comprising:
    - sixth program instructions programmed to determine that the first computer is attempting to access data from the protected resource;
      
      in response to determining that the first computer is attempting to access data from the protected resource;
      
      seventh program instructions programmed to receive, from the protected resource, the data,eighth program instructions programmed to alter the data to generate altered data, andninth program instructions programmed to send, through a network communication channel, the altered data to the first computer.
  - 9. The computer program product of claim 6 wherein the scarecrow message is sent to the first computer in a form and format that is displayable by software running on the first computer.
  - 10. The computer program product of claim 8 wherein altering the data includes an action selected from the group consisting of:
    - (i) ninth program instructions programmed to add an electronic watermark to the data;
      
      (ii) tenth program instructions programmed to prevent transmission to the first computer of at least a portion of the data; and
      
      (iii) eleventh program instructions programmed to substitute transformed data in place of at least a portion of the data.

11. A computer system comprising:
- a processor(s) set; and
  
  a computer readable storage medium;
  
  wherein;
  
  the processor(s) set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and
  
  the program instructions include;
  
  first program instructions programmed to receive information pertaining to network data traffic being communicated between a protected resource that is network accessible and a plurality of computers, including a first computer that is at least partially under the control of a user;
  
  second program instructions programmed to determine, by machine logic performed by a machine, and based at least in part on a set of detection rules, and the information, that the plurality of computers are acting in concert to perform a hacking transaction with respect to the protected resource; and
  
  in response to determining that the plurality of computers are acting in concert to perform the hacking transaction;
  
  third program instructions programmed to generate a plurality of scarecrow messages, respectively corresponding to the plurality of computers, designed for display in human understandable form and format,fourth program instructions programmed to send the plurality of scarecrow messages, through a network communication channel, to the respectively corresponding computers of the plurality of computers, andfifth program instructions programmed to send a security alert to a security product;
  
  wherein;
  
  the set of detection rules enables detection of at least one indicator of a hacking transaction where the indicator of the hacking transaction is as any set of communication(s) from the first computer that tend to indicate that the first computer is engaged in subverting security of the protected resource; and
  
  each respective scarecrow message is a customized warning message, the content of which comprises an element that is selected from the group consisting of;
  
  an internet protocol (IP) address associated with the respectively corresponding computer;
  
  a phantom background process; and
  
  a log-in chain associated with the respectively corresponding computer.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer system of claim 11 wherein an indicator of a hacking transaction is based on information associated with the user'"'"'s access to the protected resource and a set of access rules defined for access to the protected resource, and the indicator is selected from the group consisting of:
    - (i) an indication that the user has previously engaged in a hacking transaction;
      
      (ii) the protected resource receives a plurality of requests from the user'"'"'s computer at a rate that exceeds a pre-determined threshold;
      
      (iii) data access attempts received by the protected resource, and from the user'"'"'s computer, generate errors at a rate exceeding a pre-defined threshold; and
      
      (iv) a hostname associated with the user'"'"'s computer exists in more than a pre-defined threshold number of sessions with the protected resource.
  - 13. The computer system of claim 11 further comprising:
    - sixth program instructions programmed to determine that the first computer is attempting to access data from the protected resource;
      
      in response to determining that the first computer is attempting to access data from the protected resource;
      
      seventh program instructions programmed to receive, from the protected resource, the data,eighth program instructions programmed to alter the data to generate altered data, andninth program instructions programmed to send, through a network communication channel, the altered data to the first computer.
  - 14. The computer system of claim 11 wherein the scarecrow message is sent to the first computer in a form and format that is displayable by software running on the first computer.
  - 15. The computer system of claim 13 wherein altering the data includes an action selected from the group consisting of:
    - (i) ninth program instructions programmed to add an electronic watermark to the data;
      
      (ii) tenth program instructions programmed to prevent transmission to the first computer of at least a portion of the data; and
      
      (iii) eleventh program instructions programmed to substitute transformed data in place of at least a portion of the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Miroshnikov, Roza, Rozenblat, David, Sofer, Oded
Primary Examiner(s)
Doan, Trang T

Application Number

US15/044,479
Publication Number

US 20170237771A1
Time in Patent Office

1,050 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1466 Active attacks involving in...

Scarecrow for data security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Scarecrow for data security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links