Deception-Based Responses to Security Attacks
4 Assignments
0 Petitions
Abstract
Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as the computing device impacted by the attack and enabling the adversary to obtain deceptive information from the monitored computing device. The adversary may also obtain a document configured to report identifying information of the entity opening it, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with the network address of a monitored computing device, so that the requesting process communicates with the monitored computing device in place of the adversary's server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
Citations
42 Claims
1. A computer-implemented method comprising:
receiving automated or manual notification of an attack;
transitioning the attack to a monitored computing process or device that is configured to pose to an adversary as a computing device impacted by the attack; and
enabling the adversary to obtain deceptive information from the monitored computing process or device.
Dependent claims: 2 through 23.
24. One or more tangible computer-readable media storing computer-executable instructions configured to program one or more computing devices to perform operations comprising:
configuring a document to report identifying information of a device opening the document to the one or more computing devices;
receiving a report associated with the document, the report including the identifying information;
determining, based on the identifying information, that an unauthorized entity is in possession of the document; and
alerting an entity associated with the document of the possession by the unauthorized entity.
Dependent claims: 25 through 29.
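The workflow of claim 24, as an added example that is not code from the patent or its assignee: a document is configured to report back by embedding a unique beacon token in a remote-image URL; the collector records the reporting address and user agent, looks the token up, and treats an open from outside the networks the document was released to as unauthorized possession, producing an alert for the document's owner. The collector endpoint, the authorized networks and the log lines are all constructed for this example.

```python
"""Added example, not code from the patent: a beacon (tracking) document workflow."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

BEACON_BASE = "https://beacon.example.test/r"  # assumed collector endpoint


@dataclass
class IssuedDocument:
    doc_id: str
    owner: str                      # who gets alerted
    authorized_networks: list       # networks the document may legitimately be opened from
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def beacon_url(doc: IssuedDocument) -> str:
    return f"{BEACON_BASE}?t={doc.token}"


def embed_beacon(doc: IssuedDocument, body_html: str) -> str:
    """Configure an HTML document to report when opened: a 1x1 remote image
    whose URL carries the document's unique token."""
    return f'{body_html}\n<img src="{beacon_url(doc)}" width="1" height="1" alt="">'


class BeaconCollector:
    def __init__(self) -> None:
        self._by_token: Dict[str, IssuedDocument] = {}

    def issue(self, doc_id: str, owner: str, authorized_cidrs: List[str]) -> IssuedDocument:
        nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
        doc = IssuedDocument(doc_id, owner, nets)
        self._by_token[doc.token] = doc
        return doc

    def handle_report(self, path: str, source_ip: str, user_agent: str) -> Optional[dict]:
        """Process one beacon hit. Returns an alert when the hit comes from
        outside the document's authorized networks, otherwise None."""
        token = parse_qs(urlsplit(path).query).get("t", [None])[0]
        doc = self._by_token.get(token)
        if doc is None:
            return None                       # unknown token: stale link or scanner
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in doc.authorized_networks):
            return None                       # legitimate open: log only, no alert
        return {
            "doc_id": doc.doc_id,
            "notify": doc.owner,
            "source_ip": source_ip,
            "user_agent": user_agent,
            "reason": "document opened from outside its authorized networks",
        }

    def process_log(self, lines: List[str]) -> List[dict]:
        """Feed tab-separated collector log lines: source_ip, request path, user agent."""
        alerts = []
        for line in lines:
            source_ip, path, user_agent = line.rstrip("\n").split("\t", 2)
            alert = self.handle_report(path, source_ip, user_agent)
            if alert:
                alerts.append(alert)
        return alerts


if __name__ == "__main__":
    collector = BeaconCollector()
    doc = collector.issue("Q3-forecast.html", "finance-sec@example.test", ["10.0.0.0/8"])
    print(embed_beacon(doc, "<p>Confidential</p>"))
    # Constructed log lines: one open from the corporate range, one from outside it.
    log = [
        f"10.4.7.21\t/r?t={doc.token}\tMozilla/5.0 (Windows NT 10.0)",
        f"203.0.113.7\t/r?t={doc.token}\tMozilla/5.0 (X11; Linux x86_64)",
    ]
    for alert in collector.process_log(log):
        print("ALERT:", alert)
```

Two practical caveats: the beacon only fires if the viewer fetches remote content (many mail and document viewers block remote images by default), and the source address identifies a network, not a person, so NAT, VPN egress and proxies make the authorized-network check coarse; the user agent and timing are the corroborating signals.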
30. A computer-implemented method comprising:
receiving a domain name resolution request from a requesting process;
determining that a domain name included in the domain name resolution request is indicative of malicious activity; and
responding to the domain name resolution request with a network address of a monitored computing process or device to cause the requesting process to communicate with the monitored computing process or device in place of an adversary server.
Dependent claims: 31 through 38.
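The resolver behaviour of claim 30 is a DNS sinkhole. As an added example that is not code from the patent or its assignee, the block below parses a DNS query in wire format, checks the queried name (and its parent zones) against a blocklist of domains indicative of malicious activity, and for a match answers with the address of a monitored decoy host so the requesting process connects to the decoy instead of the adversary's server. Queries for other names are left for the normal upstream path. The blocklisted names and the decoy address are constructed; only the standard library is used.

```python
"""Added example, not code from the patent: a minimal DNS sinkhole responder."""
import struct

# Constructed for the example: domains tied to malicious activity and the decoy host.
MALICIOUS_DOMAINS = {"c2.example-bad.test", "update.example-bad.test"}
SINKHOLE_IP = "10.0.0.50"   # monitored device that poses as the adversary server


def parse_name(packet: bytes, offset: int):
    """Decode a DNS name (labels, with compression pointers) at offset.
    Returns (lowercased dotted name, offset just past the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """An A/IN query with RD set, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def is_malicious(name: str) -> bool:
    """Match the exact name or any parent zone on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in MALICIOUS_DOMAINS for i in range(len(parts)))


def sinkhole_response(query: bytes):
    """Return a response directing the client to the sinkhole, or None when the
    query should be forwarded upstream untouched."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, qend = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    if qtype != 1 or qclass != 1 or not is_malicious(qname):
        return None                             # only A/IN lookups of listed names
    rd = flags & 0x0100
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080, 1, 1, 0, 0)  # QR, RA
    question = query[12:qend + 4]
    answer = (b"\xc0\x0c"                       # pointer back to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)   # A, IN, TTL 60 s, rdlength 4
              + bytes(int(o) for o in SINKHOLE_IP.split(".")))
    return header + question + answer


def answered_address(response: bytes) -> str:
    """Read the A record out of a response built above."""
    _, qend = parse_name(response, 12)
    rdata = qend + 4 + 2 + 10       # question tail, name pointer, type/class/ttl/rdlength
    return ".".join(str(b) for b in response[rdata:rdata + 4])


if __name__ == "__main__":
    for name in ["c2.example-bad.test", "www.example.com"]:
        resp = sinkhole_response(build_query(name))
        print(name, "->", answered_address(resp) if resp else "forward upstream")
```

The decoy at the sinkhole address should accept the connection and log everything the requesting process sends, since that traffic is the detection signal; a short TTL keeps the redirection revocable. The technique only reaches clients that use this resolver, so malware with a hard-coded IP, or one using DNS over HTTPS to a public resolver, bypasses it and needs an egress-filtering control instead.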
39. A system comprising:
one or more processors;
a repository of dormant domain names associated with malicious activity;
a monitoring module operated by the one or more processors and configured to monitor for changes to name resolutions or registrations of domain names included in the repository; and
a response module operated by the one or more processors and configured to perform at least one of updating a security device or agent configuration or alerting a security service user based on the detected changes.
Dependent claims: 40 through 42.
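The three parts of claim 39 (repository, monitoring module, response module), as an added example that is not code from the patent or its assignee. The repository holds domains previously tied to malicious activity that are currently dormant; each monitoring pass re-observes them through an injected lookup function and names the transition (registered, deregistered, resolving, dormant again, address change); the response module turns each transition into an alert and an updated address blocklist that would be pushed to a security device. Lookups are injected so the constructed observations run offline.

```python
"""Added example, not code from the patent: a dormant-domain monitor."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DomainState:
    registered: bool
    addresses: FrozenSet[str]       # resolved A records; empty when not resolving


DORMANT = DomainState(False, frozenset())


@dataclass
class Change:
    domain: str
    kind: str                       # one of the names returned by classify()
    before: DomainState
    after: DomainState


def classify(before: DomainState, after: DomainState) -> Optional[str]:
    """Name the transition between two observations, or None if nothing changed."""
    if not before.registered and after.registered:
        return "registered"
    if before.registered and not after.registered:
        return "deregistered"
    if not before.addresses and after.addresses:
        return "resolving"
    if before.addresses and not after.addresses:
        return "dormant_again"
    if before.addresses != after.addresses:
        return "address_change"
    return None


class DormantDomainRepository:
    def __init__(self, domains: List[str]) -> None:
        self.state: Dict[str, DomainState] = {d: DORMANT for d in domains}

    def monitor(self, lookup: Callable[[str], DomainState]) -> List[Change]:
        """Monitoring module: re-observe every domain and return the changes."""
        changes = []
        for domain, before in list(self.state.items()):
            after = lookup(domain)
            kind = classify(before, after)
            if kind:
                changes.append(Change(domain, kind, before, after))
            self.state[domain] = after
        return changes


def respond(changes: List[Change], blocklist: FrozenSet[str]) -> Tuple[List[str], FrozenSet[str]]:
    """Response module: one alert per change, plus a blocklist update carrying every
    address a domain now resolves to (the configuration pushed to a security device)."""
    alerts = []
    updated = set(blocklist)
    for c in changes:
        alerts.append(f"{c.domain}: {c.kind} (registered={c.after.registered}, "
                      f"addresses={sorted(c.after.addresses) or '-'})")
        updated.update(c.after.addresses)
    return alerts, frozenset(updated)


def make_lookup(observations: Dict[str, DomainState]) -> Callable[[str], DomainState]:
    """Build a lookup from constructed observations; unlisted domains stay dormant.
    A real deployment would query WHOIS/RDAP and DNS here."""
    return lambda domain: observations.get(domain, DORMANT)


if __name__ == "__main__":
    repo = DormantDomainRepository(["old-c2.example-bad.test", "drop.example-bad.test"])
    blocklist: FrozenSet[str] = frozenset()
    # Pass 1 (constructed): one domain has been re-registered and now resolves.
    pass1 = make_lookup({"old-c2.example-bad.test": DomainState(True, frozenset({"198.51.100.23"}))})
    alerts, blocklist = respond(repo.monitor(pass1), blocklist)
    print(*alerts, sep="\n")
    print("blocklist:", sorted(blocklist))
    # Pass 2: same observations, so no changes and no alerts.
    print("pass 2 changes:", repo.monitor(pass1))
```

Keeping the previous observation in the repository is what makes the second pass quiet; alerting on absolute state instead of transitions would page on every run. Address changes matter as much as registration, since a sinkholed or parked domain being re-pointed at a live host is the usual sign that the infrastructure is back in use.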
Specification