Systems and Methods for Detecting and Tracking Adversary Trajectory
Abstract
This disclosure is related to using network flow information of a network to determine the trajectory of an attack. In some examples, an adjacency data structure is generated for a network. The adjacency data structure can include a machine of the network that has interacted with another machine of the network. The network can further include one or more deception mechanisms. The deception mechanisms can indicate that an attack is occurring when a machine interacts with one of the deception mechanisms. When the attack is occurring, attack trajectory information can be generated by locating in the adjacency data structure the machine that interacted with the deception mechanism. The attack trajectory information can correlate the information from the interaction with the deception mechanism, the interaction information of the network, and machine information for each machine to determine a possible trajectory of an adversary.
40 Claims
1-20. (canceled)
21. A method comprising:
deploying a deception mechanism in a network;
receiving a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
identifying attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
identifying the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
generating an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
determining an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
Dependent claims: 22, 23, 24, 25, 26, 27
28. A network device, comprising:
one or more processors; and
a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to:
deploy a deception mechanism in a network;
receive a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
identify attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
identify the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
generate an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
determine an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
Dependent claims: 29, 30, 31, 32, 33, 34
35. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
deploy a deception mechanism in a network;
receive a message from the deception mechanism, wherein the message indicates a communication between a device and the deception mechanism;
identify attack information associated with the device, wherein the attack information includes device information and interaction information corresponding to the device, and wherein the interaction information is related to the communication between the device and the deception mechanism;
identify the device in an adjacency data structure based on the device information, wherein the adjacency data structure indicates communications between devices in the network;
generate an attack trajectory data structure from the adjacency data structure, wherein the attack trajectory data structure includes one or more suspect devices that are connected, either directly or indirectly, with the device in the adjacency data structure; and
determine an attack trajectory path in the attack trajectory data structure based on the attack information, wherein the attack trajectory path indicates another device in the network that is included in the attack.
Dependent claims: 36, 37, 38, 39, 40
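The procedure shared by claims 21, 28 and 35 (adjacency structure from flows, deception alert, trajectory structure, trajectory path), as an added worked example that is not the patent's own code; the flow records, addresses and the "latest prior contact" hop-selection rule are constructed assumptions for illustration:

```python
from collections import defaultdict, deque
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ts: int  # seconds since capture start

# Constructed sample flow records and deception host (not taken from the patent).
FLOWS = [
    Flow("10.0.0.5", "10.0.0.7", 120),    # workstation -> file server
    Flow("10.0.0.3", "10.0.0.7", 90),     # admin host -> file server
    Flow("10.0.0.7", "10.0.0.9", 160),    # file server -> db host
    Flow("10.0.0.9", "10.0.0.250", 200),  # db host -> deception mechanism
    Flow("10.0.0.11", "10.0.0.9", 300),   # after the alert, so not a precursor
]
DECEPTION_HOSTS = {"10.0.0.250"}

def build_adjacency(flows):
    """Adjacency data structure: for each device, who talked to it and when."""
    inbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append((f.src, f.ts))
    return inbound

def deception_alerts(flows, deception_hosts=DECEPTION_HOSTS):
    """Messages from the deception mechanism: (device, ts) per contact."""
    return [(f.src, f.ts) for f in flows if f.dst in deception_hosts]

def attack_trajectory_structure(inbound, device, alert_ts):
    """Suspects connected directly or indirectly to `device` before the alert."""
    suspects = {}  # suspect -> (device it reached, time of that contact)
    queue = deque([(device, alert_ts)])
    while queue:
        node, before = queue.popleft()
        for src, ts in inbound.get(node, []):
            if ts <= before and src not in suspects and src != device:
                suspects[src] = (node, ts)
                queue.append((src, ts))
    return suspects

def attack_trajectory_path(inbound, device, alert_ts):
    """Chain of hops ending at `device`, following the latest prior contact."""
    path, node, before = [device], device, alert_ts
    while True:
        cands = [(ts, s) for s, ts in inbound.get(node, []) if ts <= before and s not in path]
        if not cands:
            return path[::-1]
        before, node = max(cands)
        path.append(node)
```

Flows timestamped after the deception contact are excluded from the suspect set, so a device that merely talked to the compromised host later is not pulled into the trajectory.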