Method and system for morphing honeypot with computer security incident correlation

US 20040128543A1
Filed: 12/31/2002
Published: 07/01/2004
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for operating a server, the method comprising:

emulating a service on a server;

in response to receiving a request at the emulated service, sending a response that comprises information indicating a set of vulnerable characteristics at the server;

obtaining an event notification message concerning an event external to the server; and

automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot'"'"'s personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.

Citations

36 Claims

1. A method for operating a server, the method comprising:
- emulating a service on a server;
  
  in response to receiving a request at the emulated service, sending a response that comprises information indicating a set of vulnerable characteristics at the server;
  
  obtaining an event notification message concerning an event external to the server; and
  
  automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - configuring a database of vulnerable characteristics.
  - 3. The method of claim 2 further comprising:
    - selecting the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with a type of operating system, a type of emulatable service, or a type of vulnerable characteristic.
  - 4. The method of claim 3 further comprising:
    - extracting one or more notification values from the event notification message, each notification value indicating an operating system associated with the event, a type of service associated with the event, a type of vulnerable characteristic associated with the event, or some other characteristic associated with the event; and
      
      deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance the one or more extracted values.
  - 5. The method of claim 1 further comprising:
    - configuring a database of filtering rules;
      
      retrieving a filtering rule from the database of filtering rules;
      
      examining the event notification message in accordance with the filtering rule; and
      
      triggering an automatic alteration of the set of vulnerable characteristics in response to a determination that the event notification message passes the filtering rule.
  - 6. The method of claim 5 further comprising:
    - retrieving a vulnerability alteration rule that is associated with the filtering rule; and
      
      deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with the vulnerability alteration rule in response to the triggering of an automatic alteration of the set of vulnerable characteristics.
  - 7. The method of claim 6 further comprising:
    - specifying a parameter for a type of operating system in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 8. The method of claim 6 further comprising:
    - specifying a parameter for a type of service in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 9. The method of claim 1 further comprising:
    - logging the event notification message; and
      
      temporally varying the set of vulnerable characteristics based on information in multiple logged event notification messages over a configurable period of time.
  - 10. The method of claim 1 further comprising:
    - subscribing to receive event notification messages with an event sensor external to the server.
  - 11. The method of claim 10 wherein the event sensor is a network intrusion detection system, an operating system-based intrusion detection system, an application-based intrusion detection system, or a risk management system.
  - 12. The method of claim 1 further comprising:
    - retrieving an event notification message from a computer security incident information center.

13. A data processing system comprising:
- means for emulating a service on a server;
  
  means for sending a response that comprises information indicating a set of vulnerable characteristics at the server in response to receiving a request at the emulated service;
  
  means for obtaining an event notification message concerning an event external to the server; and
  
  means for automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 35)
- - 14. The data processing system of claim 13 further comprising:
    - means for configuring a database of vulnerable characteristics.
  - 15. The data processing system of claim 14 further comprising:
    - means for selecting the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with a type of operating system, a type of emulatable service, or a type of vulnerable characteristic.
  - 16. The data processing system of claim 15 further comprising:
    - means for extracting one or more notification values from the event notification message, each notification value indicating an operating system associated with the event, a type of service associated with the event, a type of vulnerable characteristic associated with the event, or some other characteristic associated with the event; and
      
      means for deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance the one or more extracted values.
  - 17. The data processing system of claim 13 further comprising:
    - means for configuring a database of filtering rules;
      
      means for retrieving a filtering rule from the database of filtering rules;
      
      means for examining the event notification message in accordance with the filtering rule; and
      
      means for triggering an automatic alteration of the set of vulnerable characteristics in response to a determination that the event notification message passes the filtering rule.
  - 18. The data processing system of claim 17 further comprising:
    - means for retrieving a vulnerability alteration rule that is associated with the filtering rule; and
      
      means for deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with the vulnerability alteration rule in response to the triggering of an automatic alteration of the set of vulnerable characteristics.
  - 19. The data processing system of claim 18 further comprising:
    - means for specifying a parameter for a type of operating system in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 20. The data processing system of claim 18 further comprising:
    - means for specifying a parameter for a type of service in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 21. The data processing system of claim 13 further comprising:
    - means for logging the event notification message; and
      
      means for temporally varying the set of vulnerable characteristics based on information in multiple logged event notification messages over a configurable period of time.
  - 22. The data processing system of claim 13 further comprising:
    - means for subscribing to receive event notification messages with an event sensor external to the server.
  - 23. The data processing system of claim 22 wherein the event sensor is a network intrusion detection system, an operating system-based intrusion detection system, an application-based intrusion detection system, or a risk management system.
  - 24. The data processing system of claim 13 further comprising:
    - means for retrieving an event notification message from a computer security incident information center.
  - 35. The computer program product of claim 24 wherein the event sensor is a network intrusion detection system, an operating system-based intrusion detection system, an application-based intrusion detection system, or a risk management system.

25. A computer program product in a computer readable medium for use in operating a data processing system, the computer program product comprising:
- means for emulating a service on a server;
  
  means for sending a response that comprises information indicating a set of vulnerable characteristics at the server in response to receiving a request at the emulated service;
  
  means for obtaining an event notification message concerning an event external to the server; and
  
  means for automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 36)
- - 26. The computer program product of claim 25 further comprising:
    - means for configuring a database of vulnerable characteristics.
  - 27. The computer program product of claim 26 further comprising:
    - means for selecting the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with a type of operating system, a type of emulatable service, or a type of vulnerable characteristic.
  - 28. The computer program product of claim 27 further comprising:
    - means for extracting one or more notification values from the event notification message, each notification value indicating an operating system associated with the event, a type of service associated with the event, a type of vulnerable characteristic associated with the event, or some other characteristic associated with the event; and
      
      means for deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance the one or more extracted values.
  - 29. The computer program product of claim 26 further comprising:
    - means for configuring a database of filtering rules;
      
      means for retrieving a filtering rule from the database of filtering rules;
      
      means for examining the event notification message in accordance with the filtering rule; and
      
      means for triggering an automatic alteration of the set of vulnerable characteristics in response to a determination that the event notification message passes the filtering rule.
  - 30. The computer program product of claim 29 further comprising:
    - means for retrieving a vulnerability alteration rule that is associated with the filtering rule; and
      
      means for deriving the set of vulnerable characteristics from the database of vulnerable characteristics in accordance with the vulnerability alteration rule in response to the triggering of an automatic alteration of the set of vulnerable characteristics.
  - 31. The computer program product of claim 30 further comprising:
    - means for specifying a parameter for a type of operating system in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 32. The computer program product of claim 30 further comprising:
    - means for specifying a parameter for a type of service in the vulnerability alteration rule to be used in deriving the set of vulnerable characteristics.
  - 33. The computer program product of claim 25 further comprising:
    - means for logging the event notification message; and
      
      means for temporally varying the set of vulnerable characteristics based on information in multiple logged event notification messages over a configurable period of time.
  - 34. The computer program product of claim 25 further comprising:
    - means for subscribing to receive event notification messages with an event sensor external to the server.
  - 36. The computer program product of claim 25 further comprising:
    - means for retrieving an event notification message from a computer security incident information center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Garrison, John Michael, Blake, Kenneth W., Converse, Vikki Kim, Edmark, Ronald O?apos;Neal

Granted Patent

US 7,412,723 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Method and system for morphing honeypot with computer security incident correlation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for morphing honeypot with computer security incident correlation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links