Personalized honeypot for detecting information leaks and security breaches

US 8,181,250 B2
Filed: 06/30/2008
Issued: 05/15/2012
Est. Priority Date: 06/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium, not comprising a propagated data signal, containing instructions which, when executed by one or more processors disposed in an electronic device, perform a method for associating a resource in a computing environment with a honeypot, the method comprising the steps of:

providing a bait-defining facility to a user on a local host for the user to define one or more resources for honeypotting;

associating unique identifiers at the local host with respective ones of the honeypotted resources defined by the user with the bait-defining facility;

providing the unique identifiers in notifications from the local host for transmission to a remote honeypot monitoring functionality disposed in a monitoring server that is instantiated in a separate computing platform from the local host so that any compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, the notifications identifying the user-defined honeypotted resources to the monitoring functionality, the monitoring functionality being arranged for monitoring usage of the user-defined honeypotted resources responsively to the notifications and for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert;

maintaining a data communication channel in the computing environment over which data traffic flows between the local host and the monitoring server; and

maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring server and over which the alert is transmitted from the monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.

92 Citations

View as Search Results

17 Claims

1. A computer-readable medium, not comprising a propagated data signal, containing instructions which, when executed by one or more processors disposed in an electronic device, perform a method for associating a resource in a computing environment with a honeypot, the method comprising the steps of:
- providing a bait-defining facility to a user on a local host for the user to define one or more resources for honeypotting;
  
  associating unique identifiers at the local host with respective ones of the honeypotted resources defined by the user with the bait-defining facility;
  
  providing the unique identifiers in notifications from the local host for transmission to a remote honeypot monitoring functionality disposed in a monitoring server that is instantiated in a separate computing platform from the local host so that any compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, the notifications identifying the user-defined honeypotted resources to the monitoring functionality, the monitoring functionality being arranged for monitoring usage of the user-defined honeypotted resources responsively to the notifications and for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert;
  
  maintaining a data communication channel in the computing environment over which data traffic flows between the local host and the monitoring server; and
  
  maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring server and over which the alert is transmitted from the monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable medium of claim 1 in which the resources are honeypotted on the local host.
  - 3. The computer-readable medium of claim 1 in which the resources are honeypotted on a remote online server.
  - 4. The computer-readable medium of claim 1 in which the resources are honeypotted in a line-of-business application.
  - 5. The computer-readable medium of claim 1 in which the monitoring functionality is provided on a platform that is distinct from the local host.
  - 6. The computer-readable medium of claim 1 in which the monitoring functionality is provided by a monitoring agent that is instantiated on the local host or instantiated outside of the local host.
  - 7. The computer-readable medium of claim 1 in which the unique identifiers are selected from one of filename, signature, or content.
  - 8. The computer-readable medium of claim 1 in which the resources selected by the user through the bait-defining facility as honeypotted bait comprise one of personal information, e-mail contacts, instant messaging contacts, default passwords, confidential information, sensitive information, data in key locations, data in key folders, IP address, URL, user account name, computer group, or user group.
  - 9. The computer-readable medium of claim 1 in which the notifications notify the monitoring functionality that resources are fake resources that are configured to appear legitimate and which are used as honeypotted bait.

10. A method for remotely configuring a honeypot on a local host that is coupled to a plurality of monitoring servers on a network, the method comprising the steps of:
- defining resources for honeypotting on the local host;
  
  placing the resources in a honeypot on the local host;
  
  providing notifications to a honeypot monitoring functionality instantiated on each of the monitoring servers, each of the monitoring servers being instantiated in a separate computing platform from the local host so that a compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, and each of the monitoring servers providing a business application-specific functionality, the monitoring functionality being arranged for monitoring usage of the honeypotted resources responsively to the notifications, the notifications uniquely identifying the honeypotted resources on the local host and each of the monitoring servers being further arranged for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert;
  
  maintaining a data communication channel over which data traffic flows between the local host and each of the monitoring servers; and
  
  maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring servers and over which the alert is transmitted from a monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 in which the network comprises one of enterprise network or home network and the business application-specific functionality comprises one of e-mail, instant-messenger, firewall, event monitor, event logger, or auditing/journaling.
  - 12. The method of claim 10 including a further step of defining the resources as fake resources for luring malicious attacks.
  - 13. The method of claim 10 including a further step of defining the resources as real resources for which the honeypot provides an additional line of defense against malicious attacks.
  - 14. The method of claim 10 including a further step of configuring the local host to mimic the actions of a real user.

15. A method for providing a monitoring service of a honeypot on a host, the method comprising the steps of:
- adapting one or more monitoring servers that provide one or more business application-specific functionalities to include a monitoring functionality for monitoring outbound communications between the host and an external network, each of the monitoring servers being instantiated in a separate computing platform from the local host so that a compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, and each of the monitoring servers being further arranged for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert and each of the monitoring servers being selected from one of e-mail server, instant messaging server, firewall, event monitoring server, event logging server, auditing server, or journaling server;
  
  maintaining a data communication channel over which data traffic flows between the local host and the monitoring servers;
  
  maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring server and over which the alert is transmitted from the monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker;
  
  receiving a notification at the monitoring servers that identifies a resource that is honeypotted on the host;
  
  scanning the outbound communications from the host at the monitoring servers to detect usage of the honeypotted resource identified from the notification; and
  
  generating the alert when an outbound communication matches the identified honeypotted resource.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 including a further step of implementing the monitoring servers in one of cloud-computing platform, edge devices in an enterprise network, host-based monitoring agent, or home server in a home network.
  - 17. The method of claim 15 including a further step of identifying to the host the honeypotted resource that is matched to the outbound communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rafalovich, Ziv, Arzi, Lior, Karidi, Ron, Hudis, Efim
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/165,460
Publication Number

US 20090328216A1
Time in Patent Office

1,415 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Personalized honeypot for detecting information leaks and security breaches

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Personalized honeypot for detecting information leaks and security breaches

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links