Method and system for protection against information stealing software

US 8,407,784 B2
Filed: 03/19/2008
Issued: 03/26/2013
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for reducing exposure to a dictionary attack on an organizational password file comprising a plurality of passwords, the plurality of passwords configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the method comprising:

performing, using an electronic processor, a first encoding, of the plurality of passwords with a Bloom filter;

searching, using an electronic processor, outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter, by performing a second encoding of the outgoing traffic with the Bloom filter;

performing, using an electronic processor, a weak validation based on a result of the first encoding and a result of the second encoding;

determining, using an electronic processor, the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation;

determining, using an electronic processor, whether to block, alert, or quarantine the outgoing traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic; and

enforcing, using an electronic processor, the determination of whether to block, alert, or quarantine the outgoing traffic.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.

147 Citations

11 Claims

1. A computer-implemented method for reducing exposure to a dictionary attack on an organizational password file comprising a plurality of passwords, the plurality of passwords configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the method comprising:
- performing, using an electronic processor, a first encoding, of the plurality of passwords with a Bloom filter;
  
  searching, using an electronic processor, outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter, by performing a second encoding of the outgoing traffic with the Bloom filter;
  
  performing, using an electronic processor, a weak validation based on a result of the first encoding and a result of the second encoding;
  
  determining, using an electronic processor, the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation;
  
  determining, using an electronic processor, whether to block, alert, or quarantine the outgoing traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic; and
  
  enforcing, using an electronic processor, the determination of whether to block, alert, or quarantine the outgoing traffic.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the searching of the outgoing traffic is performed by a traffic analyzer in communication with the computer network.
  - 3. The method of claim 2, wherein the traffic analyzer is configured to block the data from being transmitted over the network if the data is one of the plurality of passwords.
  - 4. The method of claim 1, wherein a percent of false positives provided by the Bloom Filter is tunable.

5. A system for reducing exposure of an organizational password file comprising a plurality of passwords to a dictionary attack, wherein the passwords in the password file are configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the system comprising:
- a management unit configured to perform a first encoding of the plurality of passwords in the organizational password file using a Bloom filter;
  
  a processor configured to execute computer instructions, wherein the computer instructions implement a traffic analyzer in communication with the computer network, the traffic analyzer being configured to search outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter by performing a second encoding using the Bloom filter and perform a weak validation based on a result of the first encoding and a result of the second encoding, determining the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation; and
  
  a decision system configured to make a decision whether to do at least one of “
  
  block”
  
  , “
  
  alert”
  
  or “
  
  quarantine”
  
  the traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic, and enforce the decision on the traffic.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, further comprising a gateway configured to receive instructions from the decision system.
  - 7. The system of claim 6, wherein the traffic analyzer is installed on the gateway.
  - 8. The system of claim 5, wherein a percent of false positives provided by the Bloom Filter is tunable.

9. A system for reducing exposure of an organizational password file comprising a plurality of passwords to a dictionary attack, wherein the passwords in the password file are configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the system comprising:
- means for performing a first encoding of the plurality of passwords in the organizational password file using a Bloom filter;
  
  a processor configured to execute computer instructions, wherein the computer instructions include data traffic analyzer means in communication with the computer network, the traffic analyzer means for searching outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter by performing a second encoding using the Bloom filter and for performing a weak validation based on a result of the first encoding and a result of the second encoding and determining the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation;
  
  decision means for making a decision whether to do at least one of “
  
  block”
  
  , “
  
  alert”
  
  or “
  
  quarantine”
  
  the outgoing traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic; and
  
  enforcing means for enforcing the decision on the outgoing traffic.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9, wherein the traffic analyzer means blocks the data from being transmitted over the network if the data is one of the plurality of passwords.
  - 11. The system of claim 9, wherein a percent of false positives provided by the Bloom Filter is tunable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Troyansky, Lidror
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US12/051,670
Publication Number

US 20090241187A1
Time in Patent Office

1,833 Days
Field of Search

726/1, 726 22- 23, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/46   by designing passwords or c...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Method and system for protection against information stealing software

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protection against information stealing software

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links