
Detecting malicious activity by using endemic network hosts as decoys

  • US 10,404,747 B1
  • Filed: 07/24/2018
  • Issued: 09/03/2019
  • Est. Priority Date: 07/24/2018
  • Status: Active Grant
First Claim

1. A system for detecting malicious activity in an organization network that includes network hosts, endemic decoy hosts (EDHs) and trap servers, wherein an EDH is an actual resource in the network used to host a decoy agent, comprising:

  • a deception management server having administrative credentials for the organization network, configured to (1) store deceptions within network hosts, each deception providing information that includes at least one decoy communication port of an EDH, (2) distribute a decoy agent to each EDH, wherein each decoy agent comprises active running hardware or software, and each decoy agent is configured to release a decoy port when software on the decoy agent's EDH attempts to bind a port that is currently being used as a decoy port, and (3) generate a deception scheme setting forth (i) which deceptions to store in which network hosts, (ii) for each decoy agent, which ports of the decoy agent's EDH to activate as decoy ports, and (iii) which trap server the decoy agent proxies communication to in response to the decoy agent identifying an attempt to communicate with the decoy agent's EDH via one of the decoy ports, wherein a deception stored in a web browser of a network host points to a deceptive web server, and wherein the trap server, to which the decoy agent proxies communication with an attacker who follows the deception, is a web server hosting a deceptive website;

    at least one network host configured to store deceptions received from said deception management server;

    at least one EDH, each EDH having a first group of ports for communication applications, and a second group of ports, referred to as decoy ports, for connection by an attacker from a network host that the attacker has breached, using a deception stored in the breached network host, wherein each decoy agent is programmed to alert said deception management server, and to proxy communication with the attacker to a trap server, in response to the decoy agent identifying the attacker attempting a connection to the decoy agent's EDH via one of the decoy ports, each EDH having a dual function as an active resource in the network and as a decoy host simultaneously;

    at least one trap server, to which a decoy agent proxies communication with the attacker, each trap server running services that interact with the attacker; and

    a forensic collector configured to collect, from the breached network host, forensics of the attacker's activity vis-à-vis the breached network host, when said decoy agent acts as a proxy between the attacker and a trap server and the trap server interacts with the attacker, the forensics comprising the processes run and the tools used by the attacker.
