COMPROMISED INSIDER HONEY POTS USING REVERSE HONEY TOKENS

US 20150013006A1
Filed: 07/02/2013
Published: 01/08/2015
Est. Priority Date: 07/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method for setting a trap to detect if an intruder has compromised a client end station in an attempt to gain unauthorized access to enterprise data provided by a server executing on a server end station, wherein the client end station comprises a set of one or more user data files storing user data accessed through a set of one or more applications and further comprises a set of one or more configuration repositories storing application configuration data used by the set of applications to configure the operation of the set of applications, the method comprising:

causing a honey token to be placed on the client end station secluded within the application configuration data stored in at least one of the set of configuration repositories, wherein the honey token is one or more of metadata and instructions indicating how one or more of the set of applications can seemingly access the enterprise data provided by the server, wherein the honey token is invalid and does not allow access to any of the enterprise data provided by the server, wherein the server is unaware of the honey token, and wherein the honey token is a reverse honey token in that it is placed on the client end station and not on the server; and

causing a set of one or more attribute values to be installed on a security gateway implemented in an electronic device and coupled between the client end station and the server, wherein the set of attribute values are to be utilized for a security rule that causes the security gateway to,monitor network traffic for attempted use of the honey token to gain access to the enterprise data provided by the server, andgenerate an alert when a set of one or more packets that include the honey token are received.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.

130 Citations

45 Claims

1. A method for setting a trap to detect if an intruder has compromised a client end station in an attempt to gain unauthorized access to enterprise data provided by a server executing on a server end station, wherein the client end station comprises a set of one or more user data files storing user data accessed through a set of one or more applications and further comprises a set of one or more configuration repositories storing application configuration data used by the set of applications to configure the operation of the set of applications, the method comprising:
- causing a honey token to be placed on the client end station secluded within the application configuration data stored in at least one of the set of configuration repositories, wherein the honey token is one or more of metadata and instructions indicating how one or more of the set of applications can seemingly access the enterprise data provided by the server, wherein the honey token is invalid and does not allow access to any of the enterprise data provided by the server, wherein the server is unaware of the honey token, and wherein the honey token is a reverse honey token in that it is placed on the client end station and not on the server; and
  
  causing a set of one or more attribute values to be installed on a security gateway implemented in an electronic device and coupled between the client end station and the server, wherein the set of attribute values are to be utilized for a security rule that causes the security gateway to,monitor network traffic for attempted use of the honey token to gain access to the enterprise data provided by the server, andgenerate an alert when a set of one or more packets that include the honey token are received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the security rule further causes the security gateway to:
    - block the set of packets from reaching the server by not forwarding the set of packets toward the server.
  - 3. The method of claim 1, wherein said causing the honey token to be placed on the client end station comprises:
    - transmitting a generation program to the client end station, wherein the client end station executes the generation program to create the honey token.
  - 4. The method of claim 1, wherein said causing the set of attribute values to be installed on the security gateway comprises:
    - transmitting the set of attribute values to the security gateway.
  - 5. The method of claim 1, further comprising:
    - causing one or more different honey tokens, based upon a time schedule, to be placed on the client end station.
  - 6. The method of claim 5, further comprising:
    - causing, responsive to receiving the set of packets that include the honey token, an estimated time that the client end station was compromised to be presented to a user, wherein the estimated time is determined based upon the honey token and the time schedule.
  - 7. The method of claim 1, wherein the honey token comprises at least one of:
    - a database name;
      
      a database table name; and
      
      a database query.
  - 8. The method of claim 1, wherein the honey token comprises at least one of:
    - a filename; and
      
      a file system path.
  - 9. The method of claim 1, wherein the honey token comprises at least one of:
    - a URI; and
      
      a cookie value of a HyperText Transfer Protocol (HTTP) cookie.
  - 10. The method of claim 1, wherein the honey token comprises a network address.
  - 11. The method of claim 1, wherein the at least one of the set of configuration repositories comprises a data source name (DSN) data structure.
  - 12. The method of claim 1, wherein the at least one of the set of configuration repositories comprises an operating system configuration data structure.
  - 13. The method of claim 12, wherein the operating system configuration data structure is a Windows registry database.
  - 14. The method of claim 1, wherein the at least one of the set of configuration repositories comprises one of:
    - an application configuration file; and
      
      a local storage of a web browser.
  - 15. The method of claim 1, wherein the set of attribute values comprises a part of the honey token that is less than all of the honey token.

16. A system for setting a trap to detect if an intruder has compromised a client end station in an attempt to gain unauthorized access to enterprise data provided by a server executing on a server end station, wherein the client end station comprises a set of one or more user data files storing user data accessed through a set of one or more applications and further comprises a set of one or more configuration repositories storing application configuration data used by the set of applications to configure the operation of the set of applications, the system comprising:
- a reverse honey token management module that,causes a honey token to be placed on the client end station secluded within the application configuration data stored in at least one of the set of configuration repositories, wherein the honey token is one or more of metadata and instructions indicating how one or more of the set of applications can seemingly access the enterprise data provided by the server, wherein the honey token is invalid and does not allow access to any of the enterprise data provided by the server, wherein the server is unaware of the honey token, and wherein the honey token is a reverse honey token in that it is placed on the client end station and not on the server, andcauses a set of one or more attribute values to be installed on a security gateway to cause the security gateway to utilize a security rule to detect an attempted use of the honey token to gain access to the enterprise data provided by the server; and
  
  the security gateway implemented in an electronic device and coupled between the client end station and the server that,monitors network traffic, using the security rule and the set of attribute values, for the attempted use of the honey token, andgenerates an alert when a set of one or more packets that include the honey token are received.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the security rule further causes the security gateway to:
    - block the set of packets from reaching the server by not forwarding the set of packets toward the server.
  - 18. The system of claim 16, wherein the reverse honey token management module causes the honey token to be placed on the client end station by being configured to:
    - transmit a generation program to the client end station, wherein the client end station executes the generation program to create the honey token.
  - 19. The system of claim 16, wherein the reverse honey token management module causes the set of attribute values to be installed on the security gateway by being configured to:
    - transmit the set of attribute values to the security gateway.
  - 20. The system of claim 16, wherein the reverse honey token management module is further configured to:
    - cause one or more different honey tokens, based upon a time schedule, to be placed on the client end station.
  - 21. The system of claim 20, wherein the security gateway is further configured to:
    - cause, responsive to receiving the set of packets that include the honey token, an estimated time that the client end station was compromised to be presented to a user, wherein the estimated time is determined based upon the honey token and the time schedule.
  - 22. The system of claim 16, wherein the honey token comprises at least one of:
    - a database name;
      
      a database table name; and
      
      a database query.
  - 23. The system of claim 16, wherein the honey token comprises at least one of:
    - a filename; and
      
      a file system path.
  - 24. The system of claim 16, wherein the honey token comprises at least one of:
    - a URI; and
      
      a cookie value of a HyperText Transfer Protocol (HTTP) cookie.
  - 25. The system of claim 16, wherein the honey token comprises a network address.
  - 26. The system of claim 16, wherein the at least one of the set of configuration repositories comprises a data source name (DSN) data structure.
  - 27. The system of claim 16, wherein the at least one of the set of configuration repositories comprises an operating system configuration data structure.
  - 28. The system of claim 27, wherein the operating system configuration data structure is a Windows registry database.
  - 29. The system of claim 16, wherein the at least one of the set of configuration repositories comprises one of:
    - an application configuration file; and
      
      a local storage of a web browser.
  - 30. The system of claim 16, wherein the set of attribute values comprises a part of the honey token that is less than all of the honey token.

31. A non-transitory computer-readable storage medium comprising instructions for one or more processors, which, when executed by the one or more processors, cause the one or more processors to perform operations for setting a trap to detect if an intruder has compromised a client end station in an attempt to gain unauthorized access to enterprise data provided by a server executing on a server end station, wherein the client end station comprises a set of one or more user data files storing user data accessed through a set of one or more applications and further comprises a set of one or more configuration repositories storing application configuration data used by the set of applications to configure the operation of the set of applications, wherein the operations comprise:
- causing a honey token to be placed on the client end station secluded within the application configuration data stored in at least one of the set of configuration repositories, wherein the honey token is one or more of metadata and instructions indicating how one or more of the set of applications can seemingly access the enterprise data provided by the server, wherein the honey token is invalid and does not allow access to any of the enterprise data provided by the server, wherein the server is unaware of the honey token, and wherein the honey token is a reverse honey token in that it is placed on the client end station and not on the server; and
  
  causing a set of one or more attribute values to be installed on a security gateway coupled between the client end station and the server, wherein the set of attribute values are to be utilized for a security rule that causes the security gateway to,monitor network traffic for attempted use of the honey token to gain access to the enterprise data provided by the server, andgenerate an alert when a set of one or more packets that include the honey token are received.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The non-transitory computer-readable storage medium of claim 31, wherein the security rule further causes the security gateway to:
    - block the set of packets from reaching the server by not forwarding the set of packets toward the server.
  - 33. The non-transitory computer-readable storage medium of claim 31, wherein said causing the honey token to be placed on the client end station comprises:
    - transmitting a generation program to the client end station, wherein the client end station executes the generation program to create the honey token.
  - 34. The non-transitory computer-readable storage medium of claim 31, wherein said causing the set of attribute values to be installed on the security gateway comprises:
    - transmitting the set of attribute values to the security gateway.
  - 35. The non-transitory computer-readable storage medium of claim 31, wherein the operations further comprise:
    - causing one or more different honey tokens, based upon a time schedule, to be placed on the client end station.
  - 36. The non-transitory computer-readable storage medium of claim 35, wherein the operations further comprise:
    - causing, responsive to receiving the set of packets that include the honey token, an estimated time that the client end station was compromised to be presented to a user, wherein the estimated time is determined based upon the honey token and the time schedule.
  - 37. The non-transitory computer-readable storage medium of claim 31, wherein the honey token comprises at least one of:
    - a database name;
      
      a database table name; and
      
      a database query.
  - 38. The non-transitory computer-readable storage medium of claim 31, wherein the honey token comprises at least one of:
    - a filename; and
      
      a file system path.
  - 39. The non-transitory computer-readable storage medium of claim 31, wherein the honey token comprises at least one of:
    - a URI; and
      
      a cookie value of a HyperText Transfer Protocol (HTTP) cookie.
  - 40. The non-transitory computer-readable storage medium of claim 31, wherein the honey token comprises a network address.
  - 41. The non-transitory computer-readable storage medium of claim 31, wherein the at least one of the set of configuration repositories comprises a data source name (DSN) data structure.
  - 42. The non-transitory computer-readable storage medium of claim 31, wherein the at least one of the set of configuration repositories comprises an operating system configuration data structure.
  - 43. The non-transitory computer-readable storage medium of claim 42, wherein the operating system configuration data structure is a Windows registry database.
  - 44. The non-transitory computer-readable storage medium of claim 31, wherein the at least one of the set of configuration repositories comprises one of:
    - an application configuration file; and
      
      a local storage of a web browser.
  - 45. The non-transitory computer-readable storage medium of claim 31, wherein the set of attribute values comprises a part of the honey token that is less than all of the honey token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Cherny, Michael, Dulce, Sagie

Granted Patent

US 8,973,142 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

COMPROMISED INSIDER HONEY POTS USING REVERSE HONEY TOKENS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

COMPROMISED INSIDER HONEY POTS USING REVERSE HONEY TOKENS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links