MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK

US 20170230384A1
Filed: 06/07/2016
Published: 08/10/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system for multi-factor network surveillance to detect attackers, comprising:

a management server within a network of resources in which users access the resources based on credentials, comprising a memory containing instructions and a processor that executes the instructions to plant multiple decoy credentials DC₁, . . . , DC_n, in respective multiple resources R₁, . . . , R_n, wherein each decoy credential DC_kmay be used by an attacker to access resource R_k+1; and

a security manager comprising a memory containing instructions and a processor that executes the instructions (i) to receive multiple reports of attempts to use respective decoy credentials DC_k, (ii) to evaluate the likelihood that the multiple reported attempts to use the decoy credentials were malicious attempts, and (iii) to generate an alert that an attacker is intruding the network only when the likelihood exceeds a threshold confidence level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R₁, used to access a second resource, R₂, using first decoy credentials, and plants a second honeytoken in R₂, used to access a third resource, R₃, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R₂using the first decoy credentials, and a subsequent attempt to access R₃using the second decoy credentials.

Citations

9 Claims

1. A system for multi-factor network surveillance to detect attackers, comprising:
- a management server within a network of resources in which users access the resources based on credentials, comprising a memory containing instructions and a processor that executes the instructions to plant multiple decoy credentials DC₁, . . . , DC_n, in respective multiple resources R₁, . . . , R_n, wherein each decoy credential DC_kmay be used by an attacker to access resource R_k+1; and
  
  a security manager comprising a memory containing instructions and a processor that executes the instructions (i) to receive multiple reports of attempts to use respective decoy credentials DC_k, (ii) to evaluate the likelihood that the multiple reported attempts to use the decoy credentials were malicious attempts, and (iii) to generate an alert that an attacker is intruding the network only when the likelihood exceeds a threshold confidence level.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein some of the resources are bona fide enterprise resources and others of the resources are decoy resources for the purpose of intrusion detection, and wherein resources R₂, . . . , R_n+1comprise decoy resources.
  - 3. The system of claim 1 wherein credentials include passwords for accessing resources in the network, and wherein the decoy credentials include respective hash versions of corresponding passwords.
  - 4. The system of claim 1 wherein credentials include members of the group consisting of user credentials, FTP server credentials and SSH server credentials.

5. A network surveillance method to detect attackers, comprising:
- planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, comprising;
  
  planting a first honeytoken in a first resource, R₁, used to access a second resource, R₂, using first decoy credentials; and
  
  planting a second honeytoken in R₁, used to access a third resource, R₃, using second decoy credentials; and
  
  alerting that an attacker is intruding the network only in response to both (i) an attempt to access R₂using the first decoy credentials, and (ii) a subsequent attempt to access R₃using the second decoy credentials.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5 wherein credentials include passwords for accessing resources in the network, and wherein the first and second decoy credentials include respective hash versions of first and second passwords.
  - 7. The method of claim 5 wherein credentials of honeytokens include members of the group consisting of user credentials, FTP server credentials and SSH server credentials.

8. A system for multi-factor network surveillance to detect attackers, comprising:
- a management server within a network of resources, comprising a memory containing instructions and a processor that executes the instructions to plant multiple honeytokens HT₁, . . . , HT_nin respective resources R₁, . . . , R_n, wherein each honeytoken HT_kis an object in memory or storage of R_kthat may be used by an attacker to discover existence of R_k+1; and
  
  a security manager comprising a memory containing instructions and a processor that executes the instructions (i) to receive multiple reports of attempts to access resources R_k, (ii) to evaluate the likelihood that the multiple reported attempts were malicious attempts, and (iii) to generate an alert that an attacker is intruding the network only when the likelihood exceeds a threshold confidence level.
- View Dependent Claims (9)
- - 9. The system of claim 8 wherein some of the resources are bona fide enterprise resources and others of the resources are decoy resources for the purpose of intrusion detection, and wherein resources R₂, . . . , R_n+1comprise decoy resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan

Granted Patent

US 9,954,878 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-FACTOR DECEPTION MANAGEMENT AND DETECTION FOR MALICIOUS ACTIONS IN A COMPUTER NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links