System and a Method for Identifying Malware Network Activity Using a Decoy Environment
First Claim
1. A system for gathering information about malware, comprising:
a working environment comprising;
a plurality of working environment servers;
a plurality of working environment endpoints;
a working environment network interconnecting said plurality of working environment servers and said plurality of working environment endpoints;
at least one working environment switch directing traffic within said working environment network; and
at least one working environment router directing traffic between said working environment network and an external network;
a decoy environment comprising;
at least one physical machine;
at least one decoy environment server;
at least one decoy environment endpoint;
a decoy environment network interconnecting said at least one physical machine, said at least one decoy environment server and said at least one decoy environment endpoint; and
at least one decoy environment router directing traffic between said decoy environment network and an external network;
a file directing mechanism, functionally associated with said working environment and with said decoy environment, directing at least some files intended for said working environment to said at least one physical machine of said decoy environment; and
a threat tracking mechanism, functionally associated with said decoy environment, tracking and observing actions triggered by said at least some files in said decoy environment.
Abstract
A system for gathering information about malware and a method of use therefor, the system comprising a working environment including physical working environment servers, physical working environment endpoints, a working environment network, a switch, and a router directing traffic between said working environment network and an external network, a decoy environment including at least one physical machine, a decoy environment server, a decoy environment endpoint, a decoy environment network and a decoy environment router, a file directing mechanism directing at least some files to the decoy environment, and a threat tracking mechanism tracking and observing actions triggered by the files in the decoy environment.
182 Citations
19 Claims
1. A system for gathering information about malware, comprising: (independent claim; full text given under First Claim above; dependent claims 2 through 12)
13. A method for generating a network response to a network request in a decoy system functionally associated with a network of an organization, the method comprising:
collecting requests made to nodes in said network of said organization and responses associated therewith in a database, said decoy system having access to said database;
upon receipt of a request by said decoy system, finding in said database a past request, similar to said received request;
from said decoy system, providing a response to said received request, said response based on a past response associated with said past request in said database.
Dependent claims: 14, 15, 16.

17. A method for identifying a process running malware in an infected endpoint of a network using a decoy system, the method comprising:
tracking communication between said decoy system and at least one of a process in said infected endpoint and said infected endpoint to identify at least one characteristic of a communication channel between said infected endpoint and said decoy system;
initiating communication between said decoy system and said infected endpoint;
during said communication between said decoy system and said infected endpoint, using at least one communication method to gather information about said infected endpoint and processes running thereon; and
based on information gathered from said infected endpoint using each of said at least one communication method, identifying a process running in said infected endpoint through which infecting malware is operating.
Dependent claims: 18, 19.
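The following is an added illustration of the method in claim 13, written for this page and not taken from the patent or any product implementing it. It keeps a small SQLite database of request/response pairs as collected from the organization's network, reduces each incoming request to a structural fingerprint (method, path segments, query parameter names, non-volatile header names), picks the most similar past request by Jaccard overlap, and bases the decoy's reply on the stored past response. The fingerprint, the Jaccard metric, the 0.5 threshold, the table schema and all sample HTTP traffic are this example's own constructed choices, not anything the claims specify. One point the claims leave open that a practitioner has to settle is shown explicitly: a response copied from the real network can carry session cookies or other secrets, so the decoy scrubs those headers and refreshes the Date before replaying, and it returns a generic 404 when nothing in the database is similar enough.

```python
"""Decoy responder that answers from a database of real request/response pairs.

Added example for claim 13 (not the patent's own code): the similarity metric,
schema, threshold and sample traffic below are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass
from email.utils import formatdate
from typing import Optional, Tuple

# Request headers whose values vary per client or session and must not drive
# similarity (Host in particular would never match the decoy's own name).
VOLATILE_REQUEST_HEADERS = {"host", "date", "cookie", "authorization",
                            "content-length", "connection"}
# Response headers never to replay from real traffic: session material and the
# original exchange's timestamp.
SCRUB_RESPONSE_HEADERS = {"set-cookie", "authorization", "date"}

FALLBACK_RESPONSE = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n"
                     "Content-Length: 9\r\n\r\nNot Found")


def fingerprint(request: str) -> frozenset:
    """Reduce an HTTP request to structural tokens: method, path segments,
    query parameter names and the names of non-volatile headers."""
    lines = request.splitlines()
    parts = lines[0].split() if lines else []
    if not parts:
        return frozenset()
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    path, _, query = target.partition("?")
    tokens = {method.lower()}
    tokens |= {seg for seg in path.lower().split("/") if seg}
    tokens |= {"?" + kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    for line in lines[1:]:
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() not in VOLATILE_REQUEST_HEADERS:
            tokens.add("hdr:" + name.strip().lower())
    return frozenset(tokens)


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; 0.0 when both fingerprints are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def scrub_response(response: str) -> str:
    """Drop headers that would leak real session data and refresh the Date."""
    head, sep, body = response.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if line.split(":", 1)[0].strip().lower() not in SCRUB_RESPONSE_HEADERS]
    kept.insert(1, "Date: " + formatdate(usegmt=True))  # after the status line
    return "\r\n".join(kept) + sep + body


@dataclass
class DecoyReply:
    response: str
    matched_request: Optional[str]  # None when the fallback was served
    score: float


class DecoyResponder:
    def __init__(self, db_path: str = ":memory:", threshold: float = 0.5):
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS exchanges ("
                        "id INTEGER PRIMARY KEY, request TEXT, response TEXT)")
        self.threshold = threshold
        self.served = []  # (request, score) log for the tracking side

    def record(self, request: str, response: str) -> None:
        """Collector side: store an exchange observed on the real network."""
        self.db.execute("INSERT INTO exchanges (request, response) VALUES (?, ?)",
                        (request, response))
        self.db.commit()

    def find_similar(self, request: str) -> Tuple[Optional[Tuple[str, str]], float]:
        """Return the most similar stored (request, response) and its score."""
        fp = fingerprint(request)
        best, best_score = None, 0.0
        for past_req, past_resp in self.db.execute(
                "SELECT request, response FROM exchanges"):
            score = jaccard(fp, fingerprint(past_req))
            if score > best_score:
                best, best_score = (past_req, past_resp), score
        return best, best_score

    def respond(self, request: str) -> DecoyReply:
        """Decoy side: reply based on the closest past response, or fall back."""
        best, score = self.find_similar(request)
        self.served.append((request, score))
        if best is None or score < self.threshold:
            return DecoyReply(FALLBACK_RESPONSE, None, score)
        past_req, past_resp = best
        return DecoyReply(scrub_response(past_resp), past_req, score)


# Constructed sample traffic standing in for exchanges collected from the
# organization's network; the session token is a placeholder.
SAMPLE_EXCHANGES = [
    ("GET /api/users?id=7 HTTP/1.1\r\nHost: intranet.example.test\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: application/json",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
     "Set-Cookie: session=REAL-SESSION-TOKEN\r\nContent-Type: application/json\r\n"
     "\r\n{\"id\": 7, \"name\": \"alice\"}"),
    ("POST /api/login HTTP/1.1\r\nHost: intranet.example.test\r\nUser-Agent: Mozilla/5.0\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31",
     "HTTP/1.1 302 Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\nLocation: /home\r\n\r\n"),
    ("GET /share/docs/ HTTP/1.1\r\nHost: files.example.test\r\nUser-Agent: Mozilla/5.0",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n"
     "\r\n<html>Index of /share/docs</html>"),
]


def build_responder(threshold: float = 0.5) -> DecoyResponder:
    """Load the constructed sample exchanges into a fresh responder."""
    responder = DecoyResponder(threshold=threshold)
    for req, resp in SAMPLE_EXCHANGES:
        responder.record(req, resp)
    return responder


if __name__ == "__main__":
    r = build_responder()
    probes = [
        "GET /api/users?id=42 HTTP/1.1\r\nHost: decoy.example.test\r\n"
        "User-Agent: curl/7.68.0\r\nAccept: */*",
        "GET /.git/config HTTP/1.1\r\nHost: decoy.example.test\r\n"
        "User-Agent: python-requests/2.31",
    ]
    for probe in probes:
        reply = r.respond(probe)
        print(f"{probe.splitlines()[0]!r} -> score={reply.score:.2f}, "
              f"status={reply.response.splitlines()[0]!r}")
```

The fingerprint deliberately ignores header values and query values, so a request for a different user id or from a different client still maps onto the same past exchange, which is what makes the decoy answer look like the real server's. The threshold is what keeps an unrelated probe (for instance a path the real network never served) from being answered with a misleading copy of some loosely related response; the `served` log records every request and its best score so the tracking side can see what the decoy was asked and how confidently it answered.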