Detecting malicious activity by using endemic network hosts as decoys
First Claim
1. A system for detecting malicious activity in an organization network that includes network hosts, endemic decoy hosts (EDHs) and trap servers, wherein an EDH is an actual resource in the network used to host a decoy agent, comprising:
- a deception management server having administrative credentials for the organization network, configured to (1) store deceptions within network hosts, each deception providing information that includes at least one decoy communication port of an EDH, (2) distribute a decoy agent to each EDH, wherein each decoy agent comprises active running hardware or software, and each decoy agent is configured to release a decoy port when software on the decoy agent's EDH attempts to bind a port that is currently being used as a decoy port, and (3) generate a deception scheme setting forth (i) which deceptions to store in which network hosts, (ii) for each decoy agent, which ports of the decoy agent's EDH to activate as decoy ports, and (iii) which trap server the decoy agent proxies communication to in response to the decoy agent identifying an attempt to communicate with the decoy agent's EDH via one of the decoy ports, wherein a deception stored in a web browser of a network host points to a deceptive web server, and wherein the trap server, to which the decoy agent proxies communication with an attacker who follows the deception, is a web server hosting a deceptive website;
- at least one network host configured to store deceptions received from said deception management server;
- at least one EDH, each EDH having a first group of ports for communication applications, and a second group of ports, referred to as decoy ports, for connection by an attacker from a network host that the attacker has breached, using a deception stored in the breached network host, wherein each decoy agent is programmed to alert said deception management server, and to proxy communication with the attacker to a trap server, in response to the decoy agent identifying the attacker attempting a connection to the decoy agent's EDH via one of the decoy ports, each EDH having a dual function as an active resource in the network and as a decoy host simultaneously;
- at least one trap server, to which a decoy agent proxies communication with the attacker, each trap server running services that interact with the attacker; and
- a forensic collector configured to collect, from the breached network host, forensics of the attacker's activity vis-à-vis the breached network host, when said decoy agent acts as a proxy between the attacker and a trap server and the trap server interacts with the attacker, the forensics comprising the processes run and the tools used by the attacker.
Abstract
A system for detecting malicious activity in networks, including a deception manager having administrative credentials for a network, planting deceptions within network hosts, and distributing a decoy agent to each endemic decoy host (EDH), each deception including information regarding decoy communication ports of an EDH, each EDH having a group of ports, referred to as decoy ports, for connection by an attacker from a network host that the attacker has breached, wherein each decoy agent is programmed to alert the deception management server, and to proxy communication with the attacker to a trap server, in response to the decoy agent identifying the attacker attempting a connection to the decoy agent's EDH via one of the decoy ports, and a forensic collector that collects, from the breached network host, forensics of the attacker's activity, when the decoy agent acts as a proxy between the attacker and the trap server.
10 Claims
1. Independent claim, reproduced above under First Claim. Dependent claims: 2, 3, 4.
5. A method for detecting malicious activity in an organization network that includes network hosts, endemic decoy hosts (EDHs) and trap servers, wherein an EDH is an actual resource in the network used to host a decoy agent, comprising:
- storing, by a deception management server, deceptions within network hosts, each deception providing information that includes at least one decoy communication port of an EDH;
- distributing, by the deception management server, decoy agents to EDHs, wherein each EDH has a first group of ports for communication applications, and a second group of ports, referred to as decoy ports, for connection by an attacker who has breached a network host using a deception stored in the breached network host, and wherein the decoy agents comprise active hardware or software components that run on the EDHs, listen to decoy ports, send alerts to the deception management server, and proxy communication to trap servers, each EDH having a dual function as an active resource in the network and as a decoy host simultaneously;
- generating, by the deception management server, a deception scheme setting forth (i) which deceptions to store in which network hosts, (ii) for each decoy agent, which ports of the decoy agent's EDH to activate as decoy ports, and (iii) which trap server the decoy agent proxies communication to, when an attempt to communicate with the decoy agent's EDH via one of the decoy ports is identified, wherein a deception stored in a network host's web browser points to a deceptive web server, and wherein the trap server to which the decoy agent proxies communication with an attacker who follows the deception, is a web server hosting a deceptive website;
- releasing, by each decoy agent, a decoy port when software on the decoy agent's EDH attempts to bind a port that is currently being used as a decoy port;
- proxying, by each decoy agent, communication with the attacker through a trap server, in response to the decoy agent identifying an attempt by the attacker to connect to the EDH by one of the decoy ports, wherein the trap server runs services that interact with the attacker;
- triggering, by the trap server, an alert to the deception management server when a decoy agent proxies communication between the attacker and the trap server; and
- collecting, from the breached network host, forensics of the attacker's activity vis-à-vis the breached network host, when the decoy agent acts as a proxy between the attacker and the trap server and the trap server interacts with the attacker, the forensics comprising the processes run and the tools used by the attacker.
Dependent claims: 6, 7, 8, 9, 10.
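The decoy-agent behaviour that claims 1 and 5 describe (listen on an EDH's decoy ports, alert the deception management server on any connection, proxy the attacker to a trap server, and release a decoy port when local software needs to bind it), as an added example in Python (asyncio) that is not the patent's own code. The DeceptionScheme layout, the host names fileserver01 and workstation07, the bookmark deception, the FTP-style trap dialogue and the loopback ports are all constructed for the demonstration and are assumptions, not anything the patent specifies; the forensic collector on the breached host is not modelled.

```python
import asyncio
import socket
import time
from dataclasses import dataclass, field


@dataclass
class DeceptionScheme:
    """Hypothetical scheme: EDH -> {decoy port -> trap (host, port)}, host -> deceptions."""
    decoy_ports: dict[str, dict[int, tuple[str, int]]]
    deceptions: dict[str, list[dict]] = field(default_factory=dict)


class DecoyAgent:
    """Runs on an EDH: listens on its decoy ports, alerts, and proxies to the trap."""
    def __init__(self, edh: str, scheme: DeceptionScheme) -> None:
        self.edh, self.scheme = edh, scheme
        self.listeners: dict[int, asyncio.AbstractServer] = {}
        self.alerts: list[dict] = []  # records destined for the deception management server

    async def activate(self, bind_host: str = "127.0.0.1") -> None:
        for port in self.scheme.decoy_ports[self.edh]:
            self.listeners[port] = await asyncio.start_server(
                lambda r, w, p=port: self._on_connection(r, w, p), bind_host, port)

    async def _on_connection(self, reader, writer, port: int) -> None:
        trap_host, trap_port = self.scheme.decoy_ports[self.edh][port]
        # No legitimate service lives on a decoy port, so any connection is an alert.
        self.alerts.append({"ts": time.time(), "edh": self.edh, "decoy_port": port,
                            "attacker": "%s:%d" % writer.get_extra_info("peername")[:2],
                            "trap": (trap_host, trap_port)})
        try:
            trap_reader, trap_writer = await asyncio.open_connection(trap_host, trap_port)
        except OSError:
            writer.close()
            return
        await asyncio.gather(self._pump(reader, trap_writer), self._pump(trap_reader, writer))

    @staticmethod
    async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
        try:  # relay one direction until EOF, then close the other leg
            while data := await src.read(4096):
                dst.write(data)
                await dst.drain()
        finally:
            dst.close()

    def release_port(self, port: int) -> bool:
        # Stop accepting on a decoy port (frees the listening socket at once) so legitimate
        # EDH software can bind it; sessions already being proxied run to completion.
        server = self.listeners.pop(port, None)
        if server is None:
            return False
        server.close()
        return True


def free_port() -> int:  # demo only: any free loopback port
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


async def _demo() -> dict:
    trap_port, decoy_port = free_port(), free_port()

    async def trap_handler(reader, writer):  # the trap interacts: fake FTP-style dialogue
        writer.write(b"220 fileserver ready\r\n")
        user = (await reader.readline()).split()[1]
        writer.write(b"331 password required for " + user + b"\r\n")
        await writer.drain()
        writer.close()

    trap = await asyncio.start_server(trap_handler, "127.0.0.1", trap_port)
    scheme = DeceptionScheme(
        decoy_ports={"fileserver01": {decoy_port: ("127.0.0.1", trap_port)}},
        deceptions={"workstation07": [{"kind": "bookmark", "url": f"ftp://fileserver01:{decoy_port}/"}]})
    agent = DecoyAgent("fileserver01", scheme)
    await agent.activate()

    # The attacker on the breached workstation follows the planted bookmark.
    reader, writer = await asyncio.open_connection("127.0.0.1", decoy_port)
    banner = await reader.readline()
    writer.write(b"USER admin\r\n")
    reply = await reader.readline()
    writer.close()
    await writer.wait_closed()

    # Legitimate software on the EDH now needs the port: the agent releases it and a plain
    # bind succeeds (SO_REUSEADDR lets it ignore the TIME_WAIT left by the attacker session).
    released = agent.release_port(decoy_port)
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", decoy_port))
    trap.close()
    return {"banner": banner, "reply": reply, "alerts": agent.alerts, "released": released}


def run_demo() -> dict:
    return asyncio.run(_demo())
```

Calling run_demo() plays the whole exchange on loopback: the attacker sees the trap's banner and reply through the decoy port, the agent has queued one alert naming the EDH, decoy port, attacker address and trap, and the port is rebindable after release. In a deployment the alert list would be shipped to the deception management server and the trap would be a real service; the claim's separate requirement that the trap itself also alert the server is not duplicated here.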
Specification