Method and system for morphing honeypot with computer security incident correlation
Abstract
A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.
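An added sketch, not code from the patent, of the loop the abstract and claim 1 describe: an emulated service whose replies advertise a personality, and an external event notification that morphs it. The personality table, the FTP-style replies, the tag-overlap matching rule and the event dictionary format are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the "database of known operating system and service
# vulnerabilities"; product names, versions and tags are fictitious.
VULN_DB = {
    "unix-ftpd": {"banner": "220 ExampleFTPd 2.1 ready", "syst": "215 UNIX Type: L8",
                  "tags": {"ftp", "unix"}},
    "win-ftpd": {"banner": "220 SampleSoft FTP Service 4.0", "syst": "215 Windows_NT",
                 "tags": {"ftp", "windows"}},
}


@dataclass
class MorphingHoneypot:
    personality: str = "unix-ftpd"
    audit: list = field(default_factory=list)  # trail used to correlate activity

    def handle_request(self, peer: str, request: bytes) -> bytes:
        """Emulated service: replies advertise the current fake characteristics."""
        self.audit.append(("request", peer, self.personality, request[:64]))
        verb = request.strip().split(b" ", 1)[0].upper()
        traits = VULN_DB[self.personality]
        if verb == b"":  # new connection: greet with the banner
            reply = traits["banner"]
        elif verb == b"SYST":
            reply = traits["syst"]
        else:  # never grant a session; the honeypot only presents a facade
            reply = "530 Not logged in"
        return reply.encode() + b"\r\n"

    def on_event(self, event: dict):
        """External notification (e.g. from an IDS): morph to the best-matching
        personality. Returns the new name, or None when nothing changes."""
        tags = {t for t in (event.get("tags") or ()) if isinstance(t, str)}
        best = max(VULN_DB, key=lambda name: len(VULN_DB[name]["tags"] & tags))
        if not VULN_DB[best]["tags"] & tags or best == self.personality:
            self.audit.append(("event-ignored", event.get("source"), self.personality))
            return None
        self.audit.append(("morph", event.get("source"), self.personality, best))
        self.personality = best
        return best
```

Every request is logged together with the personality that was active, so later analysis can tie observed activity to the characteristics the honeypot was presenting at that moment.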
36 Claims

1. A method for operating a server, the method comprising:
emulating a service on a server;
in response to receiving a request at the emulated service, sending a response that comprises information indicating a set of vulnerable characteristics at the server;
obtaining an event notification message concerning an event external to the server; and
automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A data processing system comprising:
means for emulating a service on a server;
means for sending a response that comprises information indicating a set of vulnerable characteristics at the server in response to receiving a request at the emulated service;
means for obtaining an event notification message concerning an event external to the server; and
means for automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 35

25. A computer program product in a computer readable medium for use in operating a data processing system, the computer program product comprising:
means for emulating a service on a server;
means for sending a response that comprises information indicating a set of vulnerable characteristics at the server in response to receiving a request at the emulated service;
means for obtaining an event notification message concerning an event external to the server; and
means for automatically altering the set of vulnerable characteristics in response to obtaining the event notification message.
Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34, 36

Specification