Systems and methods for creating a deception computing system

US 10,277,629 B1
Filed: 12/20/2016
Issued: 04/30/2019
Est. Priority Date: 12/20/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for creating a deception computing system, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, by the computing device, a dataset of security alert signatures from a set of client devices;

determining, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures;

clustering, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines; and

distributing, by the computing device, a set of vulnerable software among a set of honeypot machines within a honeynet by, for each honeypot machine, assigning a distribution of vulnerable software to the honeypot machine based on a cluster of software vulnerabilities.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for creating a deception computing system may include (i) identifying, by a computing device, a dataset of security alert signatures from a set of client devices, (ii) determining, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures, (iii) clustering, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines, and (iv) distributing, by the computing device and based on clusters of software vulnerabilities, a set of vulnerable software among a set of honeypot machines within a honeynet. Various other methods, systems, and computer-readable media are also disclosed.

29 Citations

View as Search Results

20 Claims

1. A computer-implemented method for creating a deception computing system, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by the computing device, a dataset of security alert signatures from a set of client devices;
  
  determining, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures;
  
  clustering, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines; and
  
  distributing, by the computing device, a set of vulnerable software among a set of honeypot machines within a honeynet by, for each honeypot machine, assigning a distribution of vulnerable software to the honeypot machine based on a cluster of software vulnerabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the dataset of security alert signatures comprises, for each security alert signature, at least one of:
    - an identifier of an attack;
      
      a description of the attack;
      
      a source identifier of an origin client device; and
      
      a destination identifier of an attacked client device.
  - 3. The method of claim 1, wherein determining the set of software vulnerabilities comprises at least one of:
    - performing data mining on the dataset of security alert signatures;
      
      correlating a vulnerable software with a security alert signature;
      
      identifying an attack resulting from the vulnerable software; and
      
      identifying an attack path involving the vulnerable software.
  - 4. The method of claim 3, wherein the attack path comprises:
    - a sequence of client devices compromised by related attacks; and
      
      a sequence of vulnerable software on the compromised client devices.
  - 5. The method of claim 1, wherein clustering the set of software vulnerabilities to increase the length of the potential attack path comprises:
    - creating a matrix of attacks from origin honeypot machines to destination honeypot machines for the set of software vulnerabilities;
      
      calculating a likelihood of an attack traversing from an origin honeypot machine to a destination honeypot machine; and
      
      determining that a cluster of software vulnerabilities increases the likelihood of the attack traversing to the destination honeypot machine.
  - 6. The method of claim 1, wherein clustering the set of software vulnerabilities to increase the length of the potential attack path comprises dividing the software vulnerabilities into a number of different sets of software vulnerabilities based on the predetermined number of honeypot machines.
  - 7. The method of claim 1, wherein distributing the set of vulnerable software among the set of honeypot machines comprises at least one of:
    - assigning the distribution of vulnerable software to the honeypot machine based on a configuration of the set of honeypot machines;
      
      instructing the set of honeypot machines to install the set of vulnerable software; and
      
      sending a distribution of the set of vulnerable software to the set of honeypot machines to an administrator.
  - 8. The method of claim 1, further comprising distributing a new set of vulnerable software among the set of honeypot machines based on a change in the dataset of security alert signatures.

9. A system for creating a deception computing system, the system comprising:
- an identification module, stored in memory, that identifies, by a computing device, a dataset of security alert signatures from a set of client devices;
  
  a determination module, stored in memory, that determines, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures;
  
  a clustering module, stored in memory, that clusters, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines;
  
  a distribution module, stored in memory, that distributes, by the computing device, a set of vulnerable software among a set of honeypot machines within a honeynet by, for each honeypot machine, assigning a distribution of vulnerable software to the honeypot machine based on a cluster of software vulnerabilities; and
  
  at least one processor that executes the identification module, the determination module, the clustering module, and the distribution module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the dataset of security alert signatures comprises, for each security alert signature, at least one of:
    - an identifier of an attack;
      
      a description of the attack;
      
      a source identifier of an origin client device; and
      
      a destination identifier of an attacked client device.
  - 11. The system of claim 9, wherein the determination module determines the set of software vulnerabilities by at least one of:
    - performing data mining on the dataset of security alert signatures;
      
      correlating a vulnerable software with a security alert signature;
      
      identifying an attack resulting from the vulnerable software; and
      
      identifying an attack path involving the vulnerable software.
  - 12. The system of claim 11, wherein the attack path comprises:
    - a sequence of client devices compromised by related attacks; and
      
      a sequence of vulnerable software on the compromised client devices.
  - 13. The system of claim 9, wherein the clustering module clusters the set of software vulnerabilities to increase the length of the potential attack path by:
    - creating a matrix of attacks from origin honeypot machines to destination honeypot machines for the set of software vulnerabilities;
      
      calculating a likelihood of an attack traversing from an origin honeypot machine to a destination honeypot machine; and
      
      determining that a cluster of software vulnerabilities increases the likelihood of the attack traversing to the destination honeypot machine.
  - 14. The system of claim 9, wherein the clustering module clusters the set of software vulnerabilities to increase the length of the potential attack path by dividing the software vulnerabilities into a number of different sets of software vulnerabilities based on the predetermined number of honeypot machines.
  - 15. The system of claim 9, wherein the distribution module distributes the set of vulnerable software among the set of honeypot machines by at least one of:
    - assigning the distribution of vulnerable software to the honeypot machine based on a configuration of the set of honeypot machines;
      
      instructing the set of honeypot machines to install the set of vulnerable software; and
      
      sending a distribution of the set of vulnerable software to the set of honeypot machines to an administrator.
  - 16. The system of claim 9, further comprising distributing a new set of vulnerable software among the set of honeypot machines based on a change in the dataset of security alert signatures.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, by the computing device, a dataset of security alert signatures from a set of client devices;
  
  determine, by the computing device, a set of software vulnerabilities based on the dataset of security alert signatures;
  
  cluster, by the computing device, the set of software vulnerabilities to increase a length of at least one potential attack path within a predetermined number of honeypot machines; and
  
  distribute, by the computing device, a set of vulnerable software among a set of honeypot machines within a honeynet by, for each honeypot machine, assigning a distribution of vulnerable software to the honeypot machine based on a cluster of software vulnerabilities.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the dataset of security alert signatures comprises, for each security alert signature, at least one of:
    - an identifier of an attack;
      
      a description of the attack;
      
      a source identifier of an origin client device; and
      
      a destination identifier of an attacked client device.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the computer-executable instructions cause the computing device to determine the set of software vulnerabilities by at least one of:
    - performing data mining on the dataset of security alert signatures;
      
      correlating a vulnerable software with a security alert signature;
      
      identifying an attack resulting from the vulnerable software; and
      
      identifying an attack path involving the vulnerable software.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the attack path comprises:
    - a sequence of client devices compromised by related attacks; and
      
      a sequence of vulnerable software on the compromised client devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Guntur, Ravindra
Primary Examiner(s)
McNally, Michael S

Application Number

US15/384,999
Time in Patent Office

861 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

H04L 2463/146   Tracing the source of attacks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Systems and methods for creating a deception computing system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for creating a deception computing system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links