PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES

US 20090328216A1
Filed: 06/30/2008
Published: 12/31/2009
Est. Priority Date: 06/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for associating a resource in a computing environment with a honeypot, the method comprising the steps of:

providing a facility to a user on a host for defining one or more resources for honeypotting;

associating unique identifiers with respective ones of the honeypotted resources; and

providing the unique identifiers in notifications to a honeypot monitoring functionality arranged for monitoring usage of the honeypotted resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.

125 Citations

20 Claims

1. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, performs a method for associating a resource in a computing environment with a honeypot, the method comprising the steps of:
- providing a facility to a user on a host for defining one or more resources for honeypotting;
  
  associating unique identifiers with respective ones of the honeypotted resources; and
  
  providing the unique identifiers in notifications to a honeypot monitoring functionality arranged for monitoring usage of the honeypotted resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1 in which the resources are honeypotted on the host.
  - 3. The computer-readable medium of claim 1 in which the resources are honeypotted on an online server.
  - 4. The computer-readable medium of claim 1 in which the resources are honeypotted in a LOB application.
  - 5. The computer-readable medium of claim 1 in which the monitoring functionality is provided on a platform that is distinct from the host.
  - 6. The computer-readable medium of claim 1 in which the monitoring functionality is provided by a monitoring agent that is instantiated on the host or instantiated outside of the host.
  - 7. The computer-readable medium of claim 1 in which the unique identifiers are selected from one of filename, signature, or content.
  - 8. The computer-readable medium of claim 1 in which the resources comprise one of personal information, e-mail contacts, instant messaging contacts, default passwords, confidential information, sensitive information, data in key locations, data in key folders, IP address, URL, user account name, computer group, or user group.
  - 9. The computer-readable medium of claim 1 in which the notifications notify the monitoring functionality that resources are fake resources that are configured to appear legitimate and which are used as honeypot bait.
  - 10. The computer-readable medium of claim 1 including the further steps of receiving an alert from the monitoring functionality that indicates unauthorized access of a honeypotted resource on the host and responsively implementing remediation techniques on the host.

11. A method for remotely configuring a honeypot on a local host that is coupled to a monitoring server on a network, the method comprising the steps of:
- defining resources for honeypotting on the local host;
  
  placing the resources in a honeypot on the local host; and
  
  providing notifications to a honeypot monitoring functionality on the server that is arranged for monitoring usage of the resources, the notifications uniquely identifying the resources in the honeypot on the local host.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 in which the network comprises one of enterprise network or home network.
  - 13. The method of claim 11 including a further step of defining the resources as fake resources for luring malicious attacks.
  - 14. The method of claim 11 including a further step of defining the resources as real resources for which the honeypot provides an additional line of defense against malicious attacks.
  - 15. The method of claim 11 including a further step of configuring the local host to mimic the actions of a real user.
  - 16. The method of claim 11 in which the notifications are provided using a notification channel that is distinct from the data communication channel between the host and the monitoring server.

17. A method for providing monitoring service of a honeypot on a host, the method comprising the steps of:
- configuring one or more monitoring servers for monitoring outbound communications between the host and an external network;
  
  receiving a notification that identifies a resource that is honeypotted on the host;
  
  scanning the outbound communications from the host at the monitoring servers to detect usage of the identified honeypotted resource; and
  
  generating an alert when an outbound communication matches the identified honeypotted resource.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 including a further step of implementing the monitoring servers in one of cloud-computing platform, edge devices in an enterprise network, host-based monitoring agent, or home server in a home network.
  - 19. The method of claim 17 including a further step of identifying to the host the honeypotted resource that is matched to the outbound communication.
  - 20. The method of claim 17 in which the monitoring servers are selected from ones of e-mail server, instant messaging server, firewall, event monitoring server, event logging server, auditing server, or journaling server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rafalovich, Ziv, Karidi, Ron, Hudis, Efim, Arzi, Lior

Granted Patent

US 8,181,250 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links