Capturing a security breach

US 7,725,937 B1
Filed: 02/09/2004
Issued: 05/25/2010
Est. Priority Date: 02/09/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of capturing a security breach, comprising:

deploying a honey pot server comprising a honey pot;

using a processor to detect a breach of the honey pot, wherein the breach indicates the honey pot has been compromised;

using the processor to capture a state of the honey pot, including by creating a copy of data associated with the honey pot as compromised; and

using the processor to automatically redeploy the honey pot, including by reinitializing the state of the honey pot to an initial state in which the honey pot was in at the time it was deployed; and

wherein deploying the honey pot comprises registering with a virtual machine instance an initialization image associated with the initial state and instructing the virtual machine instance to execute the image, the image comprising data usable by the virtual machine to provide a virtual environment having a running instance of an operating system and one or more applications or other programs running on the operating system instance, and wherein redeploying the honey pot includes using the image to reset the virtual machine instance to the initial state.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique is disclosed for capturing a security breach. In one embodiment, the technique comprises initially deploying a honey pot; detecting a breach of the honey pot; and automatically redeploying the honey pot.

Citations

17 Claims

1. A method of capturing a security breach, comprising:
- deploying a honey pot server comprising a honey pot;
  
  using a processor to detect a breach of the honey pot, wherein the breach indicates the honey pot has been compromised;
  
  using the processor to capture a state of the honey pot, including by creating a copy of data associated with the honey pot as compromised; and
  
  using the processor to automatically redeploy the honey pot, including by reinitializing the state of the honey pot to an initial state in which the honey pot was in at the time it was deployed; and
  
  wherein deploying the honey pot comprises registering with a virtual machine instance an initialization image associated with the initial state and instructing the virtual machine instance to execute the image, the image comprising data usable by the virtual machine to provide a virtual environment having a running instance of an operating system and one or more applications or other programs running on the operating system instance, and wherein redeploying the honey pot includes using the image to reset the virtual machine instance to the initial state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further including analyzing the breach.
  - 3. The method of claim 1, further including automatically analyzing the breach.
  - 4. The method of claim 1, wherein the breach is automatically detected.
  - 5. The method of claim 1, further including configuring the honey pot.
  - 6. The method of claim 1, wherein capturing the state comprises copying a honey pot image.
  - 7. The method of claim 1, wherein detecting is based on the number of outgoing connections detected.
  - 8. The method of claim 1, wherein detecting is based on the number of incoming connections detected.
  - 9. The method of claim 1, wherein detecting is based on an elapsed time.
  - 10. The method of claim 1, wherein the honey pot runs a Linux operating system.
  - 11. The method of claim 1, further including saving state information associated with the honey pot.
  - 12. The method of claim 1, further including saving state information associated with the honey pot and wherein saving and redeploying occur in parallel.
  - 13. The method of claim 1, further including analyzing the breach and wherein analyzing and redeploying occur in parallel.
  - 14. The method of claim 1, further including:
    - receiving an incoming connection associated with an IP address;
      
      mapping the IP address to the honey pot; and
      
      releasing the IP address mapping.
  - 15. The method of claim 1, further including:
    - receiving an incoming connection associated with an IP address;
      
      mapping the IP address to the honey pot;
      
      releasing the IP address mapping; and
      
      mapping another IP address to the honey pot.

16. A computer program product for capturing a security breach, the computer program product being embodied in a computer readable storage medium and comprising computer instructions for:
- deploying a honey pot;
  
  detecting a breach of the honey pot, wherein the breach indicates the honey pot has been compromised;
  
  capturing a state of the honey pot, including by creating a copy of data associated with the honey pot as compromised; and
  
  automatically redeploying the honey pot, including by reinitializing the state of the honey pot to an initial state in which the honey pot was in at the time it was deployed; and
  
  wherein deploying the honey pot comprises registering with a virtual machine instance an initialization image associated with the initial state and instructing the virtual machine instance to execute the image, the image comprising data usable by the virtual machine to provide a virtual environment having a running instance of an operating system and one or more applications or other programs running on the operating system instance, and wherein redeploying the honey pot includes using the image to reset the virtual machine instance to the initial state.

17. A system for capturing a security breach, comprising:
- a processor configured to;
  
  deploy a honey pot;
  
  detect a breach of the honey pot, wherein the breach indicates the honey pot has been compromised;
  
  capture a state of the honey pot, including by creating a copy of data associated with the honey pot as compromised; and
  
  automatically redeploy the honey pot, including by reinitializing the state of the honey pot to an initial state in which the honey pot was in at the time it was deployed; and
  
  a memory coupled with the processor, wherein the memory provides the processor with instructions;
  
  wherein the processor is configured to deploy the honey pot at least in part by registering with a virtual machine instance an initialization image associated with the initial state and instructing the virtual machine instance to execute the image, the image comprising data usable by the virtual machine to provide a virtual environment having a running instance of an operating system and one or more applications or other programs running on the operating system instance, and wherein redeploying the honey pot includes using the image to reset the virtual machine instance to the initial state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Levy, Elias
Primary Examiner(s)
Brown; Christopher J

Application Number

US10/775,764
Time in Patent Office

2,297 Days
Field of Search

726/22, 726/23, 713/187, 713/188
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Capturing a security breach

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Capturing a security breach

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links