SYSTEM AND METHOD FOR DIRECTING MALICOUS ACTIVITY TO A MONITORING SYSTEM

US 20150326588A1
Filed: 11/20/2014
Published: 11/12/2015
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

transmitting, by a server system, to a client device a record with an instruction to store the record in a cache of the client device, the record mimicking data recording access of a service on the server system by the client device and not corresponding to any actual access of the service on the server system by the client device;

receiving, from a malicious module that has accessed the record and is executing on one of the client device and a different computing device, accessing of the service using data contained in the record;

monitoring, by the server system, activities of the malicious module with respect to the server system; and

characterizing, by the server system, the malicious module according to the monitoring of the activities of the malicious module.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system with the credentials and log entries on the client devices without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries to the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries is contained within the monitoring system and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems.

Citations

20 Claims

1. A method comprising:
- transmitting, by a server system, to a client device a record with an instruction to store the record in a cache of the client device, the record mimicking data recording access of a service on the server system by the client device and not corresponding to any actual access of the service on the server system by the client device;
  
  receiving, from a malicious module that has accessed the record and is executing on one of the client device and a different computing device, accessing of the service using data contained in the record;
  
  monitoring, by the server system, activities of the malicious module with respect to the server system; and
  
  characterizing, by the server system, the malicious module according to the monitoring of the activities of the malicious module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the record is a credential containing data for authenticating the client device with the server system.
  - 3. The method of claim 1, wherein monitoring, by the server system, activities of the malicious code with respect to the server system further comprises:
    - executing, on the server system, a characterizing module, an engagement module, and a sinkhole module each executing one or more services on one or more ports;
      
      detecting, by the engagement module, suspicious activities of the malicious code with respect to the one or more ports of the engagement module;
      
      allowing, by the engagement module, installation of malicious code by the malicious module in the engagement module;
      
      forwarding, by the engagement module, traffic generated by the malicious code, to the sinkhole module;
      
      responding, by the sinkhole module, to the traffic by processing the traffic and a transmitting a simulated response to the malicious module according to a service of the one or more services of the sinkhole module;
      
      transmitting by the engagement module a first plurality of events describing behavior of the malicious code executing within the engagement module;
      
      transmitting by the sinkhole module a second plurality of events processing of the traffic by the sinkhole module;
      
      correlating, by the characterizing module the first and second plurality of events to generate a descriptor of the malicious code; and
      
      using by one of the computer system and a different computer system, the descriptor to at least one of prevent an attempt to install the malicious code and remove an instance of the malicious code on one or more computing devices.
  - 4. The method of claim 3, wherein the engagement module includes one or more virtual machines executing on the first server system and each executing one or more of the one or more services of the sinkhole module.
  - 5. The method of claim 4, wherein the one or more virtual machines each hosts an operating system instance.
  - 6. The method of claim 4, wherein the sinkhole module includes one or more virtual machines executing on the computer system and each executing one or more of the one or more services of the sinkhole module.
  - 7. The method of claim 4, wherein the engagement module and sinkhole module are executed within a single host operating system instance.
  - 8. The method of claim 3, further comprising:
    - detecting generation of the traffic by the malicious module;
      
      identifying a service requested by the traffic; and
      
      instantiating the sinkhole module and provisioning the sinkhole module with the service in response to detecting generation of the traffic and identifying the service.
  - 9. The method of claim 3, further comprising:
    - transforming the traffic, by the sinkhole module, to obtain transformed data;
      
      forwarding, by the sinkhole module, the transformed data to a destination specified in the traffic; and
      
      receiving, by the sinkhole module, an external response to the transformed data; and
      
      wherein the second plurality of events include the external response.
  - 10. The method of claim 9, further comprising substituting an address of the sinkhole module in the transformed data for a source address included in the traffic.

11. A method comprising:
- accessing, by a client device, a service on a first server system;
  
  recording, by the client device in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service;
  
  receiving, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system;
  
  recording, by the client device, the second record in the memory device;
  
  accessing, by the client device using a malicious code module one of accessing and executing on the client device, the second record;
  
  accessing, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record;
  
  monitoring, by the second server, activities of the malicious module with respect to the second server; and
  
  characterizing, by the second server system, the malicious module according to the monitoring of the activities of the malicious module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein recording the first and second records comprises making entries in a same log file.
  - 13. The method of claim 11, wherein accessing, by the client device, the service on the first server system comprises authenticating the client device with the service on the first server system;
    - andwherein recording the first record in the memory device comprises receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and
      
      wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.
  - 14. The method of claim 11, wherein recording the first and second records comprises storing the first and second records in one of the same cache file and the same cache folder.
  - 15. The method of claim 11, wherein accessing, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record further comprises:
    - executing, on the second server system, a characterizing module, an engagement module, and a sinkhole module each executing one or more services on one or more ports;
      
      detecting, by the engagement module, suspicious activities of the malicious code with respect to the one or more ports of the engagement module;
      
      allowing, by the engagement module, installation of malicious code by the malicious module in the engagement module;
      
      forwarding, by the engagement module, traffic generated by the malicious code, to the sinkhole module;
      
      responding, by the sinkhole module, to the traffic by processing the traffic and a transmitting a simulated response to the malicious module according to a service of the one or more services of the sinkhole module;
      
      transmitting by the engagement module a first plurality of events describing behavior of the malicious code executing within the engagement module;
      
      transmitting by the sinkhole module a second plurality of events processing of the traffic by the sinkhole module;
      
      correlating, by the characterizing module the first and second plurality of events to generate a descriptor of the malicious code; and
      
      using by one of the computer system and a different computer system, the descriptor to at least one of prevent an attempt to install the malicious code and remove an instance of the malicious code on one or more computing devices.
  - 16. The method of claim 15, wherein the engagement module includes one or more virtual machines executing on the first server system and each executing one or more of the one or more services of the sinkhole module.
  - 17. The method of claim 16, wherein the one or more virtual machines each hosts an operating system instance.
  - 18. The method of claim 16, wherein the sinkhole module includes one or more virtual machines executing on the computer system and each executing one or more of the one or more services of the sinkhole module.
  - 19. The method of claim 16, wherein the engagement module and sinkhole module are executed within a single host operating system instance.
  - 20. The method of claim 15, further comprising:
    - detecting generation of the traffic by the malicious module;
      
      identifying a service requested by the traffic; and
      
      instantiating the sinkhole module and provisioning the sinkhole module with the service in response to detecting generation of the traffic and identifying the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Buruganahalli, Shivakumar

Granted Patent

US 9,609,019 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

SYSTEM AND METHOD FOR DIRECTING MALICOUS ACTIVITY TO A MONITORING SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DIRECTING MALICOUS ACTIVITY TO A MONITORING SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links