SYSTEM AND A METHOD FOR IDENTIFYING THE PRESENCE OF MALWARE AND RANSOMWARE USING MINI-TRAPS SET AT NETWORK ENDPOINTS

US 20160323316A1
Filed: 07/18/2016
Published: 11/03/2016
Est. Priority Date: 09/05/2014
Status: Active Grant

First Claim

Patent Images

1. A system for identifying the presence of malware on a network, comprising:

a plurality of resources, interconnected to form a network;

at least one decoy drive;

at least one mini-trap installed on at least one of said plurality of resources and functionally associated with at one of said at least one decoy drive, said at least one mini-trap comprising deceptive information directing ransomware accessing said at least one mini-trap to said decoy drive associated therewith; and

a manager node forming part of said network and configured to manage placement of said at least one mini-trap on said at least one of said plurality of resources and association between said at least one mini-trap and said decoy drive associated therewith.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for identifying the presence of ransomware on a network including a plurality of resources, and for trapping the ransomware therein.

Citations

18 Claims

1. A system for identifying the presence of malware on a network, comprising:
- a plurality of resources, interconnected to form a network;
  
  at least one decoy drive;
  
  at least one mini-trap installed on at least one of said plurality of resources and functionally associated with at one of said at least one decoy drive, said at least one mini-trap comprising deceptive information directing ransomware accessing said at least one mini-trap to said decoy drive associated therewith; and
  
  a manager node forming part of said network and configured to manage placement of said at least one mini-trap on said at least one of said plurality of resources and association between said at least one mini-trap and said decoy drive associated therewith.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein said decoy drive forms part of a decoy network.
  - 3. The system of claim 1, wherein said at least one decoy drive is mounted on at least one of said plurality of resources.
  - 4. The system of claim 1, wherein at least one said decoy drive is mounted on each of said plurality of resources.
  - 5. The system of claim 1, wherein said decoy drive includes a plurality of decoy files to be encrypted by said ransomware, and wherein said decoy drive continuously provides said decoy files thereby continuously occupying said ransomware.
  - 6. The system of claim 1, wherein said at least one decoy drive communicates with said ransomware and identifies a specific process running said ransomware.
  - 7. The system of claim 6, wherein said manager node comprises a user interface functionally associated with said at least one decoy drive, wherein said user interface can be used by an operator of said system to terminate said specific process identified by said at least one decoy drive.
  - 8. The system of claim 1, wherein said manager node comprises a user interface, allowing a user to configure said network, set up one or more of said at least one mini-trap and of said at least one decoy drive, and gather information from said at least one decoy drive.

9. A method for identifying the presence of ransomware on a network including a plurality of resources, the method comprising:
- providing at least one decoy drive including a plurality of decoy files;
  
  installing at least one mini-trap on at least one of said plurality of resources, said at least one mini-trap comprising deceptive information directing ransomware accessing said at least one mini-trap to a specific one of said at least one decoy drive associated therewith; and
  
  detecting said ransomware encrypting decoy files in said at least one decoy drive, thereby to identify the presence of said ransomware on said at least one of said plurality of resources where said at least one mini-trap is installed.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein said providing said at least one decoy drive comprises mounting said at least one decoy drive on at least one of said plurality of resources.
  - 11. The method of claim 9, wherein said providing said at least one decoy drive comprises mounting at least one said decoy drive on each of said plurality of resources.
  - 12. The method of claim 9, wherein said detecting further comprises, following said detecting said ransomware encrypting said decoy files, continuously providing additional decoy files to said ransomware for encryption, thereby continuously occupying said ransomware.
  - 13. The method of claim 12, further comprising:
    - communicating with said ransomware to identify a specific process running said ransomware; and
      
      terminating said identified specific process.

14. A system for identifying the presence of malware on a network, comprising:
- a plurality of resources, interconnected to form a network;
  
  at least one decoy drive mounted onto at least one of said plurality of resources; and
  
  a manager node forming part of said network and configured to manage placement of said at least one mini-trap on said at least one of said plurality of resources and association between said at least one mini-trap and said decoy drive associated therewith,wherein, when ransomware accesses said at least one decoy drive and encrypts at least one decoy file thereon, said decoy drive continuously provides to said ransomware additional decoy files for encryption, thereby continuously occupying said ransomware.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein said decoy drive forms part of a decoy network.
  - 16. The system of claim 14, wherein at least one said decoy drive is mounted on each one of said plurality of resources.
  - 17. The system of claim 14, wherein said at least one decoy drive communicates with said ransomware and identifies a specific process running said ransomware.
  - 18. The system of claim 17, wherein said manager node comprises a user interface functionally associated with said at least one decoy drive, wherein said user interface can be used by an operator of said system to terminate said specific process identified by said at least one decoy drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
Topspin Security Ltd (Fidelis Cybersecurity, Inc.)
Inventors
Kolton, Doron, Mizrahi, Rami, Zohar, Omer, Ben-Rabi, Benny, Barbalat, Alex, Gabai, Shlomi

Granted Patent

US 9,807,115 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/145 the attack involving the pr...

H04L 63/1491 using deception as counterm...

SYSTEM AND A METHOD FOR IDENTIFYING THE PRESENCE OF MALWARE AND RANSOMWARE USING MINI-TRAPS SET AT NETWORK ENDPOINTS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND A METHOD FOR IDENTIFYING THE PRESENCE OF MALWARE AND RANSOMWARE USING MINI-TRAPS SET AT NETWORK ENDPOINTS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links