Dynamically configuring a honeypot

US 10,594,729 B2
Filed: 10/31/2017
Issued: 03/17/2020
Est. Priority Date: 10/31/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

crawling, by a web crawler, one or more webpages to gather information, resulting in gathered information;

generating candidate content based on the gathered information by generating fake notes appearing to be about the gathered information and appearing to tie the gathered information to fake project names assigned to honeypot content deployed by a honeypot;

obtaining, by a honeypot logger, activity log data of one or more hackers that access a portion of the honeypot content;

training a neural network using training data based on the activity log data;

determining a feature vector based on the gathered information and the activity log data;

determining, by the neural network, weights associated with different categories of the candidate content based on the feature vector; and

selecting the honeypot content from the candidate content based on the weights, wherein selecting the honeypot content based on the weights comprises selecting different amounts of the different categories of the candidate content based on the weights.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method includes crawling, by a web crawler, one or more webpages to gather information, resulting in gathered information. The computer-implemented method includes obtaining, by a honeypot logger, activity log data of one or more hackers that access a portion of honeypot content deployed by a honeypot. The computer-implemented method includes dynamically configuring, by a machine capable of learning, the honeypot using the activity log data and the gathered information.

16 Citations

View as Search Results

17 Claims

1. A computer-implemented method, comprising:
- crawling, by a web crawler, one or more webpages to gather information, resulting in gathered information;
  
  generating candidate content based on the gathered information by generating fake notes appearing to be about the gathered information and appearing to tie the gathered information to fake project names assigned to honeypot content deployed by a honeypot;
  
  obtaining, by a honeypot logger, activity log data of one or more hackers that access a portion of the honeypot content;
  
  training a neural network using training data based on the activity log data;
  
  determining a feature vector based on the gathered information and the activity log data;
  
  determining, by the neural network, weights associated with different categories of the candidate content based on the feature vector; and
  
  selecting the honeypot content from the candidate content based on the weights, wherein selecting the honeypot content based on the weights comprises selecting different amounts of the different categories of the candidate content based on the weights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein determining the feature vector comprises:
    - parsing the activity log data to determine first categories associated with the portion of the honeypot content;
      
      performing topic detection on the gathered information to identify one or more topics; and
      
      determining the feature vector based on the first categories and the one or more topics.
  - 3. The computer-implemented method of claim 2, wherein the first categories are indicative of which categories of the honeypot content the one or more hackers are interested in, and wherein the one or more topics are indicative of current events that are likely to be of interest to the one or more hackers.
  - 4. The computer-implemented method of claim 1, wherein the gathered information comprises current news articles and social media activity regarding a company that uses the honeypot.
  - 5. The computer-implemented method of claim 2, further comprising storing a set of template notes that include blank portions for insertion of the one or more topics.
  - 6. The computer-implemented method of claim 1, wherein the neural network includes an output layer, and wherein a number of nodes in the output layer corresponds to a number of the different categories.
  - 7. The computer-implemented method of claim 1, wherein the different categories of the candidate content include a first category of content corresponding to financial data content, a second category of content corresponding to strategy content, a third category of content corresponding to health care data content, and a fourth category of content corresponding to intellectual property data content, and wherein selecting the honeypot content includes determining, based on the weights, an amount of the first category of content to include in the honeypot content, an amount of the second category of content to include in the honeypot content, an amount of the third category of content to include in the honeypot content, and an amount of the fourth category of content to include in the honeypot content.
  - 8. The computer-implemented method of claim 7, further comprising:
    - generating one or more documents or log files using the gathered information; and
      
      adding the one or more documents or log files to the candidate content.

9. A system, comprising:
- a web crawler configured to crawl one or more webpages to gather information, resulting in gathered information;
  
  a honeypot logger configured to obtain activity log data of one or more hackers that access a portion of honeypot content deployed by a honeypot; and
  
  a honeypot configuration engine coupled to the web crawler and the honeypot logger and configured to;
  
  generate candidate content based on the gathered information by generating fake notes appearing to be about the gathered information and appearing to tie the gathered information to fake project names assigned to the honeypot content;
  
  train a neural network using training data based on the activity log data;
  
  determine a feature vector based on the gathered information and the activity log data;
  
  determine, by the neural network, weights associated with different categories of the candidate content based on the feature vector; and
  
  select the honeypot content from the candidate content based on the weights, wherein selecting the honeypot content based on the weights comprises selecting different amounts of the different categories of the candidate content based on the weights.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein, to select the honeypot content, the honeypot configuration engine is configured to:
    - parse the activity log data to determine first categories associated with the portion of the honeypot content;
      
      perform topic detection on the gathered information to identify one or more topics; and
      
      determine the feature vector based on the first categories and the one or more topics.
  - 11. The system of claim 10, wherein the first categories are indicative of which categories of the honeypot content the one or more hackers are interested in, and wherein the one or more topics are indicative of current events that are likely to be of interest to the one or more hackers.
  - 12. The system of claim 9, wherein the different categories of the candidate content include a first category of content corresponding to financial data content, a second category of content corresponding to strategy content, a third category of content corresponding to health care data content, and a fourth category of content corresponding to intellectual property data content, and wherein to select the honeypot content, the honeypot configuration engine is configured to determine, based on the weights, an amount of the first category of content to include in the honeypot content, an amount of the second category of content to include in the honeypot content, an amount of the third category of content to include in the honeypot content, and an amount of the fourth category of content to include in the honeypot content.
  - 13. The system of claim 12, wherein the honeypot configuration engine is further configured to:
    - generate one or more documents or log files using the gathered information; and
      
      add the one or more documents or log files to the candidate content.

14. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the program instructions are executable by a computer to cause the computer to:
- crawl one or more webpages to gather information, resulting in gathered information;
  
  generate candidate content based on the gathered information by generating fake notes appearing to be about the gathered information and appearing to tie the gathered information to fake project names assigned to honeypot content deployed by a honeypot;
  
  obtain activity log data of one or more hackers that access a portion of the honeypot content deployed by the honeypot;
  
  train a neural network using training data based on the activity log data;
  
  determine a feature vector based on the gathered information and the activity log data;
  
  determine, by the neural network, weights associated with different categories of the candidate content based on the feature vector; and
  
  select the honeypot content from the candidate content based on the weights, wherein selecting the honeypot content based on the weights comprises selecting different amounts of the different categories of the candidate content based on the weights.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14, wherein the program instructions that are executable by the computer to cause the computer to select the honeypot content are executable by the computer to cause the computer to:
    - parse the activity log data to determine first categories associated with the portion of the honeypot content;
      
      perform topic detection on the gathered information to identify one or more topics; and
      
      determine the feature vector based on the first categories and the one or more topics.
  - 16. The computer program product of claim 15, wherein the first categories are indicative of which categories of the honeypot content the one or more hackers are interested in, and wherein the one or more topics are indicative of current events that are likely to be of interest to the one or more hackers.
  - 17. The computer program product of claim 14, wherein the different categories of the candidate content include a first category of content corresponding to financial data content, a second category of content corresponding to strategy content, a third category of content corresponding to health care data content, and a fourth category of content corresponding to intellectual property data content, and wherein the program instructions that are executable by the computer to cause the computer to select the honeypot content by determining, based on the weights, an amount of the first category of content to include in the honeypot content, an amount of the second category of content to include in the honeypot content, an amount of the third category of content to include in the honeypot content, and an amount of the fourth category of content to include in the honeypot content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kraenzel, Carl, Linton, Jeb R., Mani, Ravi
Primary Examiner(s)
Brown, Christopher J

Application Number

US15/799,647
Publication Number

US 20190132359A1
Time in Patent Office

868 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06N 20/00   Machine learning

G06N 3/084   Backpropagation, e.g. using...

H04L 63/1408   by monitoring network traff...

H04L 63/1491   using deception as counterm...

Dynamically configuring a honeypot

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically configuring a honeypot

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links