ADAPTING DECOY DATA PRESENT IN A NETWORK

US 20160019395A1
Filed: 10/01/2015
Published: 01/21/2016
Est. Priority Date: 03/25/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:

obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and further specifying a behavioral characteristic for accessing the data store;

obtain a response to an access of the data store, the response comprising the decoy data among a plurality of non-decoy data;

determine legitimacy of the access of the data store based at least in part upon the behavioral characteristic associated with the access; and

initiate an action associated with the decoy data, the action being initiated in response to the legitimacy of the access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for obtaining policy data specifying decoy data eligible to be inserted within a response to an access of a data store. The decoy data is detected in the response among a plurality of non-decoy data based at least upon the policy data. An action associated with the decoy data is initiated in response to the access of the data store meeting a configurable threshold.

67 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:
- obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and further specifying a behavioral characteristic for accessing the data store;
  
  obtain a response to an access of the data store, the response comprising the decoy data among a plurality of non-decoy data;
  
  determine legitimacy of the access of the data store based at least in part upon the behavioral characteristic associated with the access; and
  
  initiate an action associated with the decoy data, the action being initiated in response to the legitimacy of the access.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program further causes the at least one computing device to at least:
    - obtain signature data, the signature data specifying the decoy data previously inserted in the response and further specifying a second action associated with the decoy data;
      
      detect the decoy data via a scan of a plurality of data communications of a network, one of the data communications comprising the response; and
      
      initiate the second action associated with the decoy data, the second action being initiated in response to the detection of the decoy data.
  - 3. The non-transitory computer-readable medium of claim 2, wherein the second action comprises interrupting the one of the data communications comprising the response.

4. A system, comprising:
- at least one computing device connected to a network, the at least one computing device configured to at least;
  
  obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and further specifying a behavioral characteristic for accessing the data store;
  
  obtain a response to an access of the data store, the response comprising the decoy data among a plurality of non-decoy data;
  
  determine legitimacy of the access of the data store based at least in part upon the behavioral characteristic associated with the access; and
  
  initiate an action associated with the decoy data, the action being initiated in response to the legitimacy of the access.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein the decoy data is inserted into the response without insertion into at least one table comprising the plurality of non-decoy data.
  - 6. The system of claim 4, wherein the decoy data is inserted into at least one table comprising the plurality of non-decoy data.
  - 7. The system of claim 4, wherein the action comprises modifying the decoy data responsive to the access being legitimate.
  - 8. The system of claim 4, wherein the action comprises removing the decoy data from the response responsive to the access being legitimate.
  - 9. The system of claim 4, wherein the behavioral characteristic comprises a rate of access.
  - 10. The system of claim 4, wherein the behavioral characteristic comprises at least one attribute that, when included in the response, indicates the access as illegitimate.
  - 11. The system of claim 4, wherein the at least one computing device is further configured to at least:
    - obtain signature data, the signature data specifying the decoy data previously inserted in the response and further specifying a second action associated with the decoy data;
      
      detect the decoy data via a scan of a plurality of data communications of the network, one of the data communications comprising the response; and
      
      initiate the second action associated with the decoy data, the second action being initiated in response to the detection of the decoy data.
  - 12. The system of claim 11, wherein the second action comprises interrupting the one of the data communications comprising the response.

13. A method, comprising:
- obtaining, by at least one computing device, policy data specifying decoy data eligible to be inserted within a response to an access of a data store and further specifying a threshold associated with a user accessing the data store;
  
  detecting, by the at least one computing device, decoy data among a plurality of non-decoy data based at least upon the policy data, the decoy data being inserted in the response to the access of the data store; and
  
  interrupting, via the computing device, delivery of the response to a client application when the access falls below the threshold.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, further comprising removing, by the at least one computing device, the decoy data from the response when the access meets the threshold.
  - 15. The method of claim 13, further comprising modifying, by the at least one computing device, the decoy data in the response when the access meets the threshold.
  - 16. The method of claim 13, further comprising inserting, by the at least one computing device, low-priority decoy data within the response when the access meets the threshold.
  - 17. The method of claim 16, wherein the low-priority decoy data comprises a timestamp.
  - 18. The method of claim 13, wherein the threshold defines a rate of access of the data store.
  - 19. The method of claim 13, further comprising:
    - obtaining, by the at least one computing device, signature data specifying the decoy data previously inserted in the response, the signature data being encrypted;
      
      detecting, by the at least one computing device, the decoy data via a scan of a memory of the second computing device, the memory comprising volatile and non-volatile storage; and
      
      transmitting, by the at least one computing device, a notice to a central reporting site in response to detection of the decoy data, the notice including the decoy data.
  - 20. The method of claim 19, wherein the notice further includes at least a portion of the non-decoy data, the decoy data being detected, but not located among the non-decoy data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Ramalingam, Harsha, Johansson, Jesper Mikael, Petts, James Connelly, Brezinski, Dominique Imjya

Granted Patent

US 9,990,507 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/30   for supporting lawful inter...

ADAPTING DECOY DATA PRESENT IN A NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ADAPTING DECOY DATA PRESENT IN A NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links