System and a Method for Identifying Malware Network Activity Using a Decoy Environment

US 20160080414A1
Filed: 09/08/2015
Published: 03/17/2016
Est. Priority Date: 09/12/2014
Status: Active Grant

First Claim

Patent Images

1. A system for gathering information about malware, comprising:

a working environment comprising;

a plurality of working environment servers;

a plurality of working environment endpoints;

a working environment network interconnecting said plurality of working environment servers and said plurality of working environment endpoints;

at least one working environment switch directing traffic within said working environment network; and

at least one working environment router directing traffic between said working environment network and an external network;

a decoy environment comprising;

at least one physical machine;

at least one decoy environment server;

at least one decoy environment endpoint;

a decoy environment network interconnecting said at least one physical machine, said at least one decoy environment server and said at least one decoy environment endpoint; and

at least one decoy environment router directing traffic between said decoy environment network and an external network;

a file directing mechanism, functionally associated with said working environment and with said decoy environment, directing at least some files intended for said working environment to said at least one physical machine of said decoy environment; and

a threat tracking mechanism, functionally associated with said decoy environment, tracking and observing actions triggered by said at least some files in said decoy environment.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for gathering information about malware and a method of use therefor, the system comprising a working environment including physical working environment servers, physical working environment endpoints, a working environment network, a switch, and a router directing traffic between said working environment network and an external network, a decoy environment including at least one physical machine, a decoy environment server, a decoy environment endpoint, a decoy environment network and a decoy environment router, a file directing mechanism directing at least some files to the decoy environment, and a threat tracking mechanism tracking and observing actions triggered by the files in the decoy environment.

182 Citations

19 Claims

1. A system for gathering information about malware, comprising:
- a working environment comprising;
  
  a plurality of working environment servers;
  
  a plurality of working environment endpoints;
  
  a working environment network interconnecting said plurality of working environment servers and said plurality of working environment endpoints;
  
  at least one working environment switch directing traffic within said working environment network; and
  
  at least one working environment router directing traffic between said working environment network and an external network;
  
  a decoy environment comprising;
  
  at least one physical machine;
  
  at least one decoy environment server;
  
  at least one decoy environment endpoint;
  
  a decoy environment network interconnecting said at least one physical machine, said at least one decoy environment server and said at least one decoy environment endpoint; and
  
  at least one decoy environment router directing traffic between said decoy environment network and an external network;
  
  a file directing mechanism, functionally associated with said working environment and with said decoy environment, directing at least some files intended for said working environment to said at least one physical machine of said decoy environment; and
  
  a threat tracking mechanism, functionally associated with said decoy environment, tracking and observing actions triggered by said at least some files in said decoy environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, further comprising a threat identifying mechanism, functionally associated with said working environment and with said file directing mechanisms, identifying suspicious files intended for said working environment, and providing said suspicious files to said file directing mechanism for directing to said decoy environment.
  - 3. The system of claim 1, said file directing mechanism directing all files intended for said working environment to said decoy environment.
  - 4. The system of claim 1, at least one of said at least one decoy environment server and said at least one decoy environment endpoint comprises said at least one physical machine.
  - 5. The system of claim 1, at least one of said at least one decoy environment server and said at least one decoy environment endpoint comprises a virtual machine.
  - 6. The system of claim 1, said threat tracking mechanism further providing information about tracked and observed actions triggered by one or more of said at least some files to said working environment.
  - 7. The system of claim 1, wherein said working environment includes network traffic, and said decoy environment includes network traffic mimicking said network traffic in said working environment.
  - 8. The system of claim 7, wherein said network traffic of said decoy environment is generated based on at least one of observation of said network traffic in said working environment, sniffing said network traffic in said working environment and providing responses to requests from said decoy environment based on said sniffed network traffic, and making assumptions regarding said network traffic in said working environment.
  - 9. The system of claim 1, wherein at least one of said at least one decoy environment server and said at least one decoy environment endpoint includes at least one file mimicking characteristics of at least one file in at least one of said plurality of working environment servers and said plurality of working environment files, such that said at least one file in said decoy environment does not include data of the at least one file being mimicked.
  - 10. The system of claim 1, wherein at least one of said at least one decoy environment server and said at least one decoy environment endpoint includes a file system (golden image) mimicking a complete file system of a corresponding one of said plurality of working environment servers and said plurality of working environment endpoints, without including the data contained in said corresponding one of said plurality of working environment servers and said plurality of working environment endpoints.
  - 11. The system of claim 1, wherein said threat identifying mechanism forms part of said working environment and enables one way communication with said decoy environment for directing said at least some files to said decoy environment.
  - 12. The system of claim 1, wherein said threat identifying mechanism comprises a threat identifying router external to said working environment and to said decoy environment, said threat identifying router receiving all traffic intended for said working environment, and in addition to directing all received traffic to said router of said working environment, also directing said at least some files to said router of said decoy environment.

13. A method for generating a network response to a network request in a decoy system functionally associated with a network of an organization, the method comprising:
- collecting requests made to nodes in said network of said organization and responses associated therewith in a database, said decoy system having access to said database;
  
  upon receipt of a request by said decoy system, finding in said database a past request, similar to said received request;
  
  from said decoy system, providing a response to said received request, said response based on a past response associated with said past request in said database.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein said collecting requests and responses comprises collecting at least one of single request-response pairs and sessions of requests and responses.
  - 15. The method of claim 13, wherein said collecting comprises maintaining, in said collected requests and responses, a structure of traffic within said network of said organization.
  - 16. The method of claim 13, wherein said database is dedicated to a specific type of communication or server, and wherein said collected requests and responses relate to said specific type of communication or server.

17. A method for identifying a process running malware in an infected endpoint of a network using a decoy system, the method comprising:
- tracking communication between said decoy system and at least one of a process in said infected endpoint and said infected endpoint to identify at least one characteristic of a communication channel between said infected endpoint and said decoy system;
  
  initiating communication between said decoy system and said infected endpoint;
  
  during said communication between said decoy system and said infected endpoint, using at least one communication method to gather information about said infected endpoint and processes running thereon; and
  
  based on information gathered from said infected endpoint using each of said at least one communication method, identifying a process running in said infected endpoint through which infecting malware is operating.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein said at least one characteristic comprises at least one of:
    - an IP address of said infected endpoint;
      
      an IP address of said decoy system;
      
      a communication port of said infected endpoint used for communication with said decoy system;
      
      a communication port of said decoy system used for communication with said infected endpoint; and
      
      a communication protocol used in communication between said infected endpoint and said decoy system.
  - 19. The method of claim 17, wherein said at least one communication method comprises using at least one of:
    - remotely accessing resources on said infected endpoint using at least one management application programing interface (API);
      
      starting a dedicated agent on said infected endpoint; and
      
      remotely retrieving information from said infected endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
Topspin Security Ltd (Fidelis Cybersecurity, Inc.)
Inventors
Mizrahi, Rami, Zohar, Omer, Ben-Rabi, Benny, Barbalat, Alex, Gabai, Shlomi, Kolton, Doron

Granted Patent

US 9,992,225 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and a Method for Identifying Malware Network Activity Using a Decoy Environment

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

182 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and a Method for Identifying Malware Network Activity Using a Decoy Environment

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

182 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links