Personalized honeypot for detecting information leaks and security breaches
First Claim
1. A computer-readable medium, not comprising a propagated data signal, containing instructions which, when executed by one or more processors disposed in an electronic device, perform a method for associating a resource in a computing environment with a honeypot, the method comprising the steps of:
- providing a bait-defining facility to a user on a local host for the user to define one or more resources for honeypotting;
- associating unique identifiers at the local host with respective ones of the honeypotted resources defined by the user with the bait-defining facility;
- providing the unique identifiers in notifications from the local host for transmission to a remote honeypot monitoring functionality disposed in a monitoring server that is instantiated in a separate computing platform from the local host so that any compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, the notifications identifying the user-defined honeypotted resources to the monitoring functionality, the monitoring functionality being arranged for monitoring usage of the user-defined honeypotted resources responsively to the notifications and for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert;
- maintaining a data communication channel in the computing environment over which data traffic flows between the local host and the monitoring server; and
- maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring server and over which the alert is transmitted from the monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker.
Abstract
A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user, which may include desktop and network resources such as address book contacts, instant messaging contacts, Active Directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real, in which case protection against leakage is desired, or fake, operating as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted, extending honeypot benefits to resources beyond static IP addresses and thereby improving both the breadth of information leakage prevention and the detection of malicious attacks.
17 Claims
1. Independent claim 1 is set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for remotely configuring a honeypot on a local host that is coupled to a plurality of monitoring servers on a network, the method comprising the steps of:
- defining resources for honeypotting on the local host;
- placing the resources in a honeypot on the local host;
- providing notifications to a honeypot monitoring functionality instantiated on each of the monitoring servers, each of the monitoring servers being instantiated in a separate computing platform from the local host so that a compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, and each of the monitoring servers providing a business application-specific functionality, the monitoring functionality being arranged for monitoring usage of the honeypotted resources responsively to the notifications, the notifications uniquely identifying the honeypotted resources on the local host and each of the monitoring servers being further arranged for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert;
- maintaining a data communication channel over which data traffic flows between the local host and each of the monitoring servers; and
- maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring servers and over which the alert is transmitted from a monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker.
Dependent claims: 11, 12, 13, 14.
15. A method for providing a monitoring service of a honeypot on a host, the method comprising the steps of:
- adapting one or more monitoring servers that provide one or more business application-specific functionalities to include a monitoring functionality for monitoring outbound communications between the host and an external network, each of the monitoring servers being instantiated in a separate computing platform from the local host so that a compromise of the local host does not reveal the existence of the user-defined honeypotted resources to an attacker, and each of the monitoring servers being further arranged for generating an alert to a management server when unauthorized use of the user-defined honeypotted resources is detected, the alert identifying the affected user-defined honeypotted resource and identifying a compromised local host, the management server being arranged for implementing remediation on the compromised local host following receipt of the alert and each of the monitoring servers being selected from one of e-mail server, instant messaging server, firewall, event monitoring server, event logging server, auditing server, or journaling server;
- maintaining a data communication channel over which data traffic flows between the local host and the monitoring servers;
- maintaining a bi-directional secure communications channel over which the notifications identifying the user-defined honeypotted resources are transmitted to the monitoring server and over which the alert is transmitted from the monitoring server, the bi-directional secure communications channel being configured to be separate from the data communications channel so that interception of data traffic by the attacker does not reveal the existence of the user-defined honeypotted resources to the attacker;
- receiving a notification at the monitoring servers that identifies a resource that is honeypotted on the host;
- scanning the outbound communications from the host at the monitoring servers to detect usage of the honeypotted resource identified from the notification; and
- generating the alert when an outbound communication matches the identified honeypotted resource.
Dependent claims: 16, 17.
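Claims 1, 10 and 15 together describe one pipeline: the local host defines bait resources and assigns each a unique identifier, notifies a separately hosted monitoring server over a channel distinct from ordinary data traffic, the monitoring server scans outbound communications for use of those resources, and an alert naming the resource and the compromised host goes to a management server for remediation. The following Python sketch is an added example of that pipeline; it is not code from the patent or its assignee. The class names (HostAgent, HoneypotMonitor, ManagementServer), the salted-hash identifier scheme, the bounded string match, and the sample bait values and outbound messages are all assumptions constructed for this illustration; the secure channel is modelled as a direct method call.

```python
"""Added example (not from the patent): a minimal honeypot monitor of the kind
the claims describe. All names and sample data are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BaitNotification:
    # Carried from the local host to the monitoring server over the separate
    # secure channel; in this sketch that channel is a plain method call.
    host: str         # local host on which the user defined the bait
    resource_id: str  # unique identifier the local host associated with the bait
    kind: str         # "contact", "file" or "ip" (assumed resource kinds)
    value: str        # how the resource would appear in outbound traffic


@dataclass(frozen=True)
class Alert:
    compromised_host: str  # host whose outbound traffic used the bait
    resource_id: str       # which user-defined honeypotted resource was affected
    kind: str
    seen_on: str           # monitoring server (mail, IM, firewall ...) that saw it


class HostAgent:
    """Bait-defining facility on the local host (assumed design)."""

    def __init__(self, host: str):
        self.host = host

    def define_bait(self, kind: str, value: str) -> BaitNotification:
        # Unique identifier: a hash over host, kind and value, so the id alone
        # does not reveal the resource if it is later seen in an alert log.
        digest = hashlib.sha256(f"{self.host}|{kind}|{value}".encode()).hexdigest()
        return BaitNotification(self.host, digest[:16], kind, value)


class HoneypotMonitor:
    """Monitoring functionality added to a business server, e.g. a mail gateway."""

    def __init__(self, name: str):
        self.name = name
        self._baits: dict[str, BaitNotification] = {}

    def receive_notification(self, n: BaitNotification) -> None:
        self._baits[n.resource_id] = n

    def scan(self, origin_host: str, outbound: str) -> list:
        """Return one Alert per honeypotted resource found in one outbound message."""
        alerts = []
        for bait in self._baits.values():
            # Bounded match so that the IP bait 10.0.0.1 does not fire on 10.0.0.10
            # and a contact bait does not fire on a longer address containing it.
            pattern = r"(?<![\w.])" + re.escape(bait.value) + r"(?![\w.])"
            if re.search(pattern, outbound, re.IGNORECASE):
                alerts.append(Alert(origin_host, bait.resource_id, bait.kind, self.name))
        return alerts


class ManagementServer:
    """Receives alerts and records the host it would isolate (assumed remediation)."""

    def __init__(self):
        self.alerts: list = []
        self.isolated_hosts: set = set()

    def receive_alert(self, alert: Alert) -> None:
        self.alerts.append(alert)
        self.isolated_hosts.add(alert.compromised_host)


def run_demo() -> ManagementServer:
    """Register three constructed baits, scan constructed traffic, return the mgmt state."""
    agent = HostAgent("ws-finance-07")
    baits = [
        agent.define_bait("contact", "auditor.bait@corp.example"),
        agent.define_bait("file", "Q3_board_minutes.docx"),
        agent.define_bait("ip", "10.0.0.1"),
    ]
    mail_monitor = HoneypotMonitor("mail-gateway")
    for b in baits:
        mail_monitor.receive_notification(b)

    mgmt = ManagementServer()
    # Constructed outbound messages; the third must NOT fire (10.0.0.10 != 10.0.0.1).
    traffic = [
        ("ws-finance-07", "To: <auditor.bait@corp.example>\nSubject: re: numbers"),
        ("ws-finance-07", "Attachment: Q3_board_minutes.docx sent to external address"),
        ("ws-finance-07", "Connection log: peer 10.0.0.10 port 443"),
        ("ws-hr-02", "Monthly newsletter to all staff"),
    ]
    for host, msg in traffic:
        for alert in mail_monitor.scan(host, msg):
            mgmt.receive_alert(alert)
    return mgmt


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(f"ALERT on {a.seen_on}: host={a.compromised_host} resource={a.resource_id} kind={a.kind}")
```

Two points of the claims are visible in the sketch: the monitor holds only what the notification carried, so a compromise of the local host does not expose the bait list kept on the separate platform, and the alert carries the opaque resource identifier plus the sending host, which is exactly what the management server needs to remediate. A production monitor would match each resource kind with a kind-specific parser (address headers, attachment names, destination IPs) rather than one regular expression over the whole message.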
Specification