Systems and Methods for Detecting and Tracking Adversary Trajectory

US 20170302691A1
Filed: 02/07/2017
Published: 10/19/2017
Est. Priority Date: 04/18/2016
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.

Citations

40 Claims

1-20. -20. (canceled)

21. A method comprising:
- deploying a deception mechanism in a network;
  
  receiving a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
  
  identifying attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
  
  identifying the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
  
  generating an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
  
  determining an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21, wherein the attack trajectory path is determined by identifying network flow information that is common between interactions.
  - 23. The method of claim 21, wherein the attack trajectory path is determined by identifying a username that is common between interactions.
  - 24. The method of claim 21, wherein the attack trajectory path includes a plurality of at least partially separate attack trajectory paths.
  - 25. The method of claim 24, further comprising:
    - computing a probability for each of the at least partially separate attack trajectory paths, wherein the probability indicates a likelihood that an at least partially separate trajectory path is associated with an attack.
  - 26. The method of claim 25, further comprising:
    - removing, from the attack trajectory path, an at least partially separate attack trajectory path that has a probability below a threshold.
  - 27. The method of claim 21, wherein the deception mechanism emulates a service, and wherein the communication is associated with the service.

28. A network device, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  deploy a deception mechanism in a network;
  
  receive a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
  
  identify attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
  
  identify the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
  
  generate an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
  
  determine an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The network device of claim 28, wherein the attack trajectory path is determined by identifying network flow information that is common between interactions.
  - 30. The network device of claim 28, wherein the attack trajectory path is determined by identifying a username that is common between interactions.
  - 31. The network device of claim 28, wherein the attack trajectory path includes a plurality of at least partially separate attack trajectory paths.
  - 32. The network device of claim 31, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to:
    - compute a probability for each of the at least partially separate attack trajectory paths, wherein the probability indicates a likelihood that an at least partially separate trajectory path is associated with an attack.
  - 33. The network device of claim 32, the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to:
    - remove, from the attack trajectory path, an at least partially separate attack trajectory path that has a probability below a threshold.
  - 34. The network device of claim 28, wherein the deception mechanism emulates a service, and wherein the communication is associated with the service.

35. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- deploy a deception mechanism in a network;
  
  receive a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
  
  identify attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
  
  identify the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
  
  generate an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
  
  determine an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer-program product of claim 35, wherein the attack trajectory path is determined by identifying network flow information that is common between interactions.
  - 37. The computer-program product of claim 35, wherein the attack trajectory path is determined by identifying a username that is common between interactions.
  - 38. The computer-program product of claim 35, further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - compute a probability for each of a plurality of at least partially separate attack trajectory paths, wherein attack trajectory path includes the plurality of at least partially separate attack trajectory paths, and wherein the probability indicates a likelihood that an at least partially separate trajectory path is associated with an attack.
  - 39. The computer-program product of claim 38, further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - remove, from the attack trajectory path, an at least partially separate attack trajectory path that has a probability below a threshold.
  - 40. The computer-program product of claim 35, wherein the deception mechanism emulates a service, and wherein the communication is associated with the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acalvio Technologies, Inc.
Original Assignee
Acalvio Technologies, Inc.
Inventors
Singh, Satnam, Waseem, Mohammad, Desai, Suril, Sama, Venkata Babji, Gopalakrishna, Rajendra

Granted Patent

US 9,961,099 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

Systems and Methods for Detecting and Tracking Adversary Trajectory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Detecting and Tracking Adversary Trajectory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links