AUTOMATIC NETWORK ATTACK DETECTION AND REMEDIATION USING INFORMATION COLLECTED BY HONEYPOTS

US 20160164894A1
Filed: 11/30/2015
Published: 06/09/2016
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for securing a computer system, the method comprising:

detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack;

distributing the investigation directives to one or more software agents that are each associated with one or more endpoints of the computer system; and

identifying, by the software agents using the investigation directives, at least one infected endpoint in the computer system that is subject to the malware attack.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securing a computer system includes detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack. The investigation directives are distributed to one or more software agents that are each associated with one or more endpoints of the computer system. At least one infected endpoint in the computer system, which is subject to the malware attack, is identified by the software agents using the investigation directives.

42 Citations

View as Search Results

24 Claims

1. A method for securing a computer system, the method comprising:
- detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack;
  
  distributing the investigation directives to one or more software agents that are each associated with one or more endpoints of the computer system; and
  
  identifying, by the software agents using the investigation directives, at least one infected endpoint in the computer system that is subject to the malware attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein detecting the malware attack comprises automatically generating one or more characteristics of the malware attack, by automatically distinguishing between legitimate accesses and hostile accesses to the honeypot node.
  - 3. The method according to claim 1, wherein detecting the malware attack, generating and distributing the investigation directives, and identifying the infected node are performed without human involvement.
  - 4. The method according to claim 1, wherein automatically generating the investigation directives comprises automatically specifying at least one characteristic of the malware attack, selected from a group of characteristics consisting of:
    - one or more processes installed on the honeypot node as part of the malware attack;
      
      one or more files uploaded to the honeypot node as part of the malware attack;
      
      one or more registry added or modified on the honeypot node as part of the malware attack;
      
      one or more user accounts added on the honeypot as part of the malware attack;
      
      one or more Command and Control (C&
      
      C) addresses or Uniform Resource Locators (URLs) accessed during the malware attack; and
      
      one or more backdoors created as part of the malware attack.
  - 5. The method according to claim 4, wherein automatically specifying the files uploaded to the honeypot node comprises specifying only the files that were uploaded to the honeypot node and then executed.
  - 6. The method according to claim 1, wherein automatically generating the investigation directives comprises automatically specifying a type of endpoint that is targeted by the malware attack.
  - 7. The method according to claim 6, wherein distributing the investigation directives comprises sending the investigation directives only to the software agents that are associated with at least one endpoint of the specified type.
  - 8. The method according to claim 6, wherein distributing the investigation directives comprises notifying a given software agent of the endpoints that are associated with the given software agent and are of the specified type.
  - 9. The method according to claim 6, wherein specifying the type of endpoint comprises specifying an Operating System (OS) type targeted by the malware attack.
  - 10. The method according to claim 1, wherein one or more of the endpoints comprise Virtual Machines (VMs), and wherein identifying the infected endpoint comprises examining a memory of one or more of the VMs using memory introspection.
  - 11. The method according to claim 1, and comprising, in response to identifying the infected endpoint, automatically quarantining the infected endpoint or a node of the computing system that hosts the infected endpoint.
  - 12. The method according to claim 1, and comprising, in response to identifying the infected endpoint, automatically remediating the infected endpoint.

13. Apparatus for securing a computer system, the apparatus comprising:
- a honeypot node, which is configured to detect a malware attack thereon and to initiate, based on the detected malware attack, automatic generation of investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack; and
  
  one or more software agents, which are each associated with one or more endpoints of the computer system and configured to receive the investigation directives, and to identify, using the investigation directives, at least one infected endpoint in the computer system that is subject to the malware attack.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus according to claim 13, wherein the honeypot node is configured to automatically generate one or more characteristics of the malware attack, by automatically distinguishing between legitimate accesses and hostile accesses to the honeypot node.
  - 15. The apparatus according to claim 13, wherein the honeypot node and the software agents are configured to detect the malware attack, generate and distribute the investigation directives and identify the infected node without human involvement.
  - 16. The apparatus according to claim 13, wherein the honeypot node is configured to initiate generation of the investigation directives, by automatically specifying at least one characteristic of the malware attack, selected from a group of characteristics consisting of:
    - one or more processes installed on the honeypot node as part of the malware attack;
      
      one or more files uploaded to the honeypot node as part of the malware attack;
      
      one or more registry added or modified on the honeypot node as part of the malware attack;
      
      one or more user accounts added on the honeypot as part of the malware attack;
      
      one or more Command and Control (C&
      
      C) addresses or Uniform Resource Locators (URLs) accessed during the malware attack; and
      
      one or more backdoors created as part of the malware attack.
  - 17. The apparatus according to claim 16, wherein the honeypot node is configured to automatically specify, from among the files uploaded to the honeypot node, only the files that were uploaded and then executed.
  - 18. The apparatus according to claim 13, wherein the honeypot node is configured to automatically specify a type of endpoint that is targeted by the malware attack.
  - 19. The apparatus according to claim 18, and comprising a security management unit that is configured to distribute the investigation directives only to the software agents that are associated with at least one endpoint of the specified type.
  - 20. The apparatus according to claim 18, and comprising a security management unit that is configured to notify a given software agent of the endpoints that are associated with the given software agent and are of the specified type.
  - 21. The apparatus according to claim 18, wherein the honeypot node is configured to automatically specify the type of endpoint by an Operating System (OS) type targeted by the malware attack.
  - 22. The apparatus according to claim 13, wherein one or more of the endpoints comprise Virtual Machines (VMs), and wherein the software agents are configured to identify the infected endpoint by examining a memory of one or more of the VMs using memory introspection.
  - 23. The apparatus according to claim 13, and comprising a security management unit that is configured, in response to identifying the infected endpoint, to automatically quarantine the infected endpoint or a node of the computing system that hosts the infected endpoint.
  - 24. The apparatus according to claim 13, and comprising a security management unit that is configured, in response to identifying the infected endpoint, to automatically remediate the infected endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
GuardiCore Ltd. (Akamai Technologies, Inc.)
Inventors
Zeitlin, Ariel, Neudorfer, Lior

Granted Patent

US 9,906,538 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/12   Applying verification of th...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

H04L 67/306   User profiles

AUTOMATIC NETWORK ATTACK DETECTION AND REMEDIATION USING INFORMATION COLLECTED BY HONEYPOTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATIC NETWORK ATTACK DETECTION AND REMEDIATION USING INFORMATION COLLECTED BY HONEYPOTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links