MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK
Abstract
A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R2 using the first decoy credentials, and a subsequent attempt to access R3 using the second decoy credentials.
9 Claims
1. A system for multi-factor network surveillance to detect attackers, comprising:
a management server within a network of resources in which users access the resources based on credentials, comprising a memory containing instructions and a processor that executes the instructions to plant multiple decoy credentials DC1, . . . , DCn, in respective multiple resources R1, . . . , Rn, wherein each decoy credential DCk may be used by an attacker to access resource Rk+1; and
a security manager comprising a memory containing instructions and a processor that executes the instructions (i) to receive multiple reports of attempts to use respective decoy credentials DCk, (ii) to evaluate the likelihood that the multiple reported attempts to use the decoy credentials were malicious attempts, and (iii) to generate an alert that an attacker is intruding the network only when the likelihood exceeds a threshold confidence level.
Dependent claims: 2, 3, 4.
5. A network surveillance method to detect attackers, comprising:
planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, comprising:
planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials; and
planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials; and
alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.
Dependent claims: 6, 7.
8. A system for multi-factor network surveillance to detect attackers, comprising:
a management server within a network of resources, comprising a memory containing instructions and a processor that executes the instructions to plant multiple honeytokens HT1, . . . , HTn in respective resources R1, . . . , Rn, wherein each honeytoken HTk is an object in memory or storage of Rk that may be used by an attacker to discover existence of Rk+1; and
a security manager comprising a memory containing instructions and a processor that executes the instructions (i) to receive multiple reports of attempts to access resources Rk, (ii) to evaluate the likelihood that the multiple reported attempts were malicious attempts, and (iii) to generate an alert that an attacker is intruding the network only when the likelihood exceeds a threshold confidence level.
Dependent claims: 9.
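The chain that the abstract and claims 1 and 5 describe (decoy credential DCk planted on Rk and usable against Rk+1, with an alert raised only once in-order uses push the malicious likelihood past a threshold), worked through as an added example. This is illustrative code written for this page, not the patent's or the assignee's implementation. The resource names R1..R4, the source hosts, the 0.3 per-use benign probability, the 0.9 threshold, the one-hour correlation window, the geometric scoring rule and the key=value report format are all assumptions made here; the sample report lines are constructed.

```python
"""Added example (not the patent's own code): correlate uses of a chain of decoy
credentials into a single high-confidence alert.

Model from the abstract/claims: DCk is planted on resource Rk and appears to
unlock Rk+1. One isolated decoy use may be benign (a scanner, a stale backup
script, a curious admin), so reports are scored per source host and an alert
fires only when the malicious likelihood exceeds a threshold.
All names, probabilities and log lines below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DecoyCredential:
    cred_id: str     # "DC1", "DC2", ...
    index: int       # k
    planted_on: str  # Rk, where the honeytoken object lives
    unlocks: str     # Rk+1, the resource the credential appears to grant


@dataclass(frozen=True)
class DecoyUseReport:
    ts: float    # epoch seconds
    source: str  # host that presented the credential
    cred_id: str
    target: str  # resource it was presented to


@dataclass
class _Run:
    last_index: int
    last_ts: float
    length: int          # consecutive in-order chain steps seen from this source
    alerted: bool = False


def plan_chain(resources: List[str]) -> Dict[str, DecoyCredential]:
    """Deployment module: plant DC1..DC(n-1) on R1..R(n-1), each unlocking the next."""
    if len(resources) < 3:
        raise ValueError("a chain needs at least R1, R2 and R3")
    return {f"DC{k}": DecoyCredential(f"DC{k}", k, resources[k - 1], resources[k])
            for k in range(1, len(resources))}


def parse_report(line: str) -> DecoyUseReport:
    """Parse a constructed 'key=value' report line emitted by a monitored resource."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return DecoyUseReport(float(kv["ts"]), kv["src"], kv["cred"], kv["target"])


class SecurityManager:
    """Scores in-order decoy uses per source host; alerts only above the threshold."""

    def __init__(self, chain: Dict[str, DecoyCredential], threshold: float = 0.9,
                 window_s: float = 3600.0, p_benign: float = 0.3):
        self.chain = chain
        self.threshold = threshold
        self.window_s = window_s
        self.p_benign = p_benign  # assumed chance that one isolated decoy use is innocent
        self._runs: Dict[str, _Run] = {}
        self.alerts: List[str] = []

    def likelihood(self, source: str) -> float:
        """P(malicious) = 1 - p_benign**k for k consecutive in-order chain steps."""
        run = self._runs.get(source)
        return 1.0 - self.p_benign ** run.length if run else 0.0

    def report(self, r: DecoyUseReport) -> float:
        dc = self.chain.get(r.cred_id)
        if dc is None or r.target != dc.unlocks:
            return self.likelihood(r.source)  # unknown token or wrong target: not a chain step
        run = self._runs.get(r.source)
        if run and dc.index == run.last_index + 1 and 0 <= r.ts - run.last_ts <= self.window_s:
            run = _Run(dc.index, r.ts, run.length + 1)  # DCk followed by DCk+1: chain advances
        else:
            run = _Run(dc.index, r.ts, 1)               # first step, out of order, or stale
        self._runs[r.source] = run
        lk = self.likelihood(r.source)
        if lk > self.threshold and not run.alerted:
            run.alerted = True
            self.alerts.append(f"{r.source}: {run.length} chained decoy uses ending at "
                               f"{dc.cred_id}->{dc.unlocks} (p={lk:.2f})")
        return lk


def run_demo():
    """Feed constructed reports through the manager; returns (scores, alerts)."""
    mgr = SecurityManager(plan_chain(["R1", "R2", "R3", "R4"]))
    log_lines = [  # constructed sample reports from the monitored resources
        "ts=100 src=10.0.0.7 cred=DC1 target=R2",  # attacker: token from R1 used on R2
        "ts=160 src=10.0.0.7 cred=DC2 target=R3",  # then token from R2 used on R3 -> alert
        "ts=200 src=10.0.0.9 cred=DC1 target=R2",  # isolated use: stays below threshold
        "ts=210 src=10.0.0.9 cred=DC1 target=R2",  # same step repeated: no chain progress
        "ts=300 src=10.0.0.4 cred=DC1 target=R4",  # wrong target for DC1: ignored
    ]
    scores = [mgr.report(parse_report(line)) for line in log_lines]
    return scores, mgr.alerts


if __name__ == "__main__":
    print(run_demo())
```

With these assumed parameters a single decoy use scores 0.7 and stays silent, while DC1 on R2 followed by DC2 on R3 from the same host scores 0.91 and alerts, which is the claim 5 condition. An out-of-order use (DC2 before DC1) restarts the run here; since DC2 only exists on R2, a practitioner might instead treat that as more suspicious and raise the score. The geometric scoring rule is a stand-in for whatever evaluation the claimed security manager performs, not a statement of the patent's method.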
Specification