ALTERNATE FILES RETURNED FOR SUSPICIOUS PROCESSES IN A COMPROMISED COMPUTER NETWORK

US 20150096048A1
Filed: 09/30/2014
Published: 04/02/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method of obscuring computer files from hackers in a computer, the method comprising:

monitoring read requests to a file system of a computer operating system;

intercepting, at a software filter, a first read request for a first file before the first read request reaches the file system;

ascertaining a file attribute of the first file to which the first read request is directed;

identifying a process executable that posted the first read request;

determining a security rating of the process executable;

comparing the security rating to a threshold;

revising, at the software filter, the first read request into a second read request, the revising based on the file attribute of the first file and the comparison; and

sending the second read request to the file system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are presented of presenting false and/or decoy content to an intruder operating on a computer system by obfuscating critical files on a computer storage device with data that directs subsequent infiltration and propagation to designated decoy hosts and decoy applications.

Method and systems are provided for selectively presenting different contents to different viewers/users of application resource files for the purpose of preventing the valuable content from being read, tampered with, exfiltrated, or used as a means to perform subsequent attacks on network resources.

Citations

12 Claims

1. A method of obscuring computer files from hackers in a computer, the method comprising:
- monitoring read requests to a file system of a computer operating system;
  
  intercepting, at a software filter, a first read request for a first file before the first read request reaches the file system;
  
  ascertaining a file attribute of the first file to which the first read request is directed;
  
  identifying a process executable that posted the first read request;
  
  determining a security rating of the process executable;
  
  comparing the security rating to a threshold;
  
  revising, at the software filter, the first read request into a second read request, the revising based on the file attribute of the first file and the comparison; and
  
  sending the second read request to the file system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the revising includes:
    - revising a first filename in the first read request into a second filename in the second read request, thereby changing a file that the process executable receives based on its security rating.
  - 3. The method of claim 1 further comprising:
    - altering, at the software filter, content returned by the second read request from the file system.
  - 4. The method of claim 1 further comprising:
    - sending a denial of the first read request in response to the intercepting.
  - 5. The method of claim 1 wherein determining the security rating of the process executable includes:
    - comparing a byte size of the process executable with each of a set of predetermined byte sizes;
      
      comparing a file location of the process executable with a predetermined list of directories;
      
      determining a visible attribute of the process executable;
      
      determining whether a description of the process executable is blank;
      
      ordetermining whether the process executable has a digital signature.
  - 6. The method of claim 1 wherein determining the security rating of the process executable includes:
    - determining from a registry key whether the process executable starts when the operating system starts.
  - 7. The method of claim 1 wherein ascertaining the attribute of the first file includes:
    - determining a filename of the first file;
      
      determining a file extension of the first file;
      
      determining a file type of the first file;
      
      determining a file location of the first file;
      
      determining a date, time, or size of the first file;
      
      determining a file usage of the first file;
      
      determining a file creator of the first file;
      
      determining a pattern in the first file that matches a predetermined pattern;
      
      or determining a registry path of the first file.
  - 8. The method of claim 1 wherein the first read request is part of a request to open the first file.
  - 9. The method of claim 1 further including:
    - retrieving a policy; and
      
      revising the first file read request based on the policy.
  - 10. The method of claim 1 wherein the operating system includes a Microsoft Windows®
    - , Unix, Linux, MacOS, Android, or iOS operating system.

11. A method of obscuring registry entries from hackers in a computer, the method comprising:
- monitoring read requests to a registry system of a computer operating system;
  
  intercepting, at a software filter, a read request for a registry entry before the request reaches the registry system;
  
  ascertaining an attribute of the registry entry to which the read request is directed;
  
  identifying a process executable that posted the read request;
  
  determining a security rating of the process executable;
  
  comparing the security rating to a threshold; and
  
  revising, at the software filter, the read request based on the attribute and the comparison.
- View Dependent Claims (12)
- - 12. The method of claim 11 wherein ascertaining an attribute of the registry entry includes:
    - determining a pattern in the registry entry that matches a predetermined pattern;
      
      determining a registry key name or value name of the registry entry;
      
      ordetermining a registry key value or value content of the registry entry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Shadow Networks, Inc. (Acalvio Technologies, Inc.)
Inventors
Zhang, Yadong, Tsai, Ching-Hai, Wu, Johnson L., Schultz, Craig A.

Granted Patent

US 9,576,145 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

G06F 21/6218 to a system of files or obj...

ALTERNATE FILES RETURNED FOR SUSPICIOUS PROCESSES IN A COMPROMISED COMPUTER NETWORK

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

ALTERNATE FILES RETURNED FOR SUSPICIOUS PROCESSES IN A COMPROMISED COMPUTER NETWORK

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links