Multi-factor deception management and detection for malicious actions in a computer network
First Claim
1. A network surveillance method to detect attackers, comprising:
- planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, comprising;
planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials; and
planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials; and
alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.
0 Assignments
0 Petitions
Accused Products
Abstract
A network surveillance method to detect attackers, including planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, including planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials, and alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.
135 Citations
3 Claims
-
1. A network surveillance method to detect attackers, comprising:
-
planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, comprising; planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials; and planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials; and alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials. - View Dependent Claims (2, 3)
-
Specification
-
- Resources
-
Current Assigneeillusive networks LTD.
-
Original Assigneeillusive networks LTD.
-
InventorsTouboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan
-
Primary Examiner(s)Potratz, Daniel B
-
Application NumberUS15/942,593Publication NumberTime in Patent Office743 DaysField of SearchUS Class CurrentCPC Class CodesG06F 21/55 Detecting local intrusion o...G06F 21/554 involving event detection a...G06F 21/56 Computer malware detection ...G06F 21/577 Assessing vulnerabilities a...G06N 20/00 Machine learningH04L 2463/146 Tracing the source of attacksH04L 63/10 for controlling access to d...H04L 63/102 Entity profilesH04L 63/1416 Event detection, e.g. attac...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/1433 Vulnerability analysisH04L 63/1441 Countermeasures against mal...H04L 63/1491 using deception as counterm...H04L 63/20 for managing network securi...
