Honey Monkey Network Exploration

US 20070208822A1
Filed: 03/01/2006
Published: 09/06/2007
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a browser that is capable of visiting network locations as represented by uniform resource locators (URLs); and

a browser-based vulnerability exploit detector that directs the browser to visit a given URL by making an information request to the given URL;

the browser-based vulnerability exploit detector adapted to detect if the given URL accomplishes an exploit on the system after the browser makes the information request to the given URL.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine. Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited.

Citations

20 Claims

1. A system comprising:
- a browser that is capable of visiting network locations as represented by uniform resource locators (URLs); and
  
  a browser-based vulnerability exploit detector that directs the browser to visit a given URL by making an information request to the given URL;
  
  the browser-based vulnerability exploit detector adapted to detect if the given URL accomplishes an exploit on the system after the browser makes the information request to the given URL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system as recited in claim 1, wherein the browser-based vulnerability exploit detector comprises a honey monkey module and a tracer module;
    - and wherein the honey monkey module directs the browser to make the information request to the given URL, and the tracer module traces events that occur within the system after the information request is made.
  - 3. The system as recited in claim 2, wherein the tracer module produces a trace file that includes at least a list of URLs to which the browser is redirected.
  - 4. The system as recited in claim 2, wherein the tracer module produces a trace file that includes at least a list of writes that occur outside a browser sandbox.
  - 5. The system as recited in claim 1, wherein the system further comprises:
    - at least one virtual machine; and
      
      wherein the browser and at least a portion of the browser-based vulnerability exploit detector execute on the at least one virtual machine.
  - 6. The system as recited in claim 1, wherein the system destroys the at least one virtual machine when an exploit against the at least one virtual machine is detected;
    - and wherein the system re-instantiates a clean virtual machine to continue exploration of other URLs.
  - 7. The system as recited in claim 1, wherein the system further comprises:
    - multiple browsers that have different levels of patching, including a lower patched browser version and a higher patched browser version.
  - 8. The system as recited in claim 7, wherein the browser-based vulnerability exploit detector directs the lower patched browser version to visit the given URL and detects if the given URL accomplishes an exploit in conjunction with the lower patched browser version;
    - and wherein the browser-based vulnerability exploit detector directs the higher patched browser version to visit the given URL if an exploit is detected as being accomplished in conjunction with the lower patched browser version.
  - 9. The system as recited in claim 8, wherein the browser-based vulnerability exploit detector attempts to detect if the given URL accomplishes an exploit in conjunction with the higher patched browser version;
    - and wherein the browser-based vulnerability exploit detector determines that the exploit assaults a vulnerability remedied by a patch for the higher patched browser version if the browser-based vulnerability exploit detector does not detect that the given URL accomplishes an exploit in conjunction with the higher patched browser version.

10. One or more processor-accessible media comprising processor-executable instructions that, when executed, direct a device to perform actions comprising:
- visiting a uniform resource locator (URL) of a parent list of redirection URLs;
  
  producing a child list of redirection URLs from the action of visiting;
  
  recursively visiting child URLs of the child list of redirection URLs to discover redirection relationships of the URLs that are visited; and
  
  creating a graph that includes the URLs that are visited and that indicates the discovered redirection relationships.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The one or more processor-accessible media as recited in claim 10, comprising the processor-executable instructions that, when executed, direct the device to perform further actions comprising:
    - visiting a given URL;
      
      monitoring URL redirections resulting from the action of visiting the given URL; and
      
      tracing the monitored URL redirections to produce the parent list of redirection URLs.
  - 12. The one or more processor-accessible media as recited in claim 10, wherein the action of creating further comprises an action of:
    - visually differentiating between site nodes and page nodes in the graph.
  - 13. The one or more processor-accessible media as recited in claim 10, wherein the action of creating further comprises actions of:
    - representing URLs with corresponding symbols; and
      
      visually indicating a number of redirections that are associated with each URL by changing the corresponding symbols.
  - 14. The one or more processor-accessible media as recited in claim 10, wherein the action of creating further comprises an action of:
    - visually differentiating between (i) connections that represent relationships between site nodes and their hosted page nodes and (ii) connections that represent redirection relationships.
  - 15. The one or more processor-accessible media as recited in claim 10, comprising the processor-executable instructions that, when executed, direct the device to perform further actions comprising:
    - visiting each respective URL of the parent list of redirection URLs;
      
      producing respective child lists of redirection URLs from the action of visiting each respective URL; and
      
      recursively visiting child URLs of the child lists of redirection URLs to discover redirection relationships of the URLs that are visited.

16. A method comprising:
- requesting information from a targeted network location as represented by a uniform resource locator (URL);
  
  receiving a response from the targeted URL;
  
  tracing events that occur on a machine;
  
  ascertaining if an illicit event occurred based on the traced events; and
  
  determining that an exploit has been accomplished by the targeted URL if an illicit event is ascertained to have occurred.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, further comprising:
    - waiting a predetermined time period (i) between the receiving and the ascertaining or (ii) between the requesting and the ascertaining.
  - 18. The method as recited in claim 16, further comprising:
    - starting a virtual machine; and
      
      launching a browser;
      
      wherein the requesting and the receiving are effected, at least partially, by the browser; and
      
      wherein the method further comprises;
      
      terminating the virtual machine if it is determined that an exploit has been accomplished on the virtual machine by the targeted URL.
  - 19. The method as recited in claim 16, wherein the ascertaining comprises:
    - ascertaining if a write occurred outside of a browser sandbox.
  - 20. The method as recited in claim 16, wherein the requesting and the receiving are effected, at least partially, by a lower patched browser version;
    - and wherein the method is repeated with the requesting and the receiving being effected, at least partially, by a higher patched browser version if it is determined that an exploit has been accomplished when the requesting and the receiving are first effected, at least partially, by the lower patched browser version.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wang, Yi-Min, Beck, Douglas

Granted Patent

US 7,774,459 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/217
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/125   involving control of end-de...

H04L 67/535   Tracking the activity of th...

Honey Monkey Network Exploration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Honey Monkey Network Exploration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links