Method and system for protection against information stealing software
First Claim
1. A computer-implemented method for reducing exposure to a dictionary attack on an organizational password file comprising a plurality of passwords, the plurality of passwords configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the method comprising:
- performing, using an electronic processor, a first encoding, of the plurality of passwords with a Bloom filter;
- searching, using an electronic processor, outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter, by performing a second encoding of the outgoing traffic with the Bloom filter;
- performing, using an electronic processor, a weak validation based on a result of the first encoding and a result of the second encoding;
- determining, using an electronic processor, the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation;
- determining, using an electronic processor, whether to block, alert, or quarantine the outgoing traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic; and
- enforcing, using an electronic processor, the determination of whether to block, alert, or quarantine the outgoing traffic.
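As an added illustration, not code from the patent or its assignee, the Python below sketches the claimed pipeline: the password list is encoded once into a Bloom filter (first encoding), each token of an outgoing request is encoded with the same filter (second encoding), membership is a weak validation that never misses a real password but admits a bounded false-positive rate, and the result drives a block/alert decision. The tokenizer, the decision policy, the hash construction and the sample passwords and request are all assumptions made for the example; the filter stores only bits, which is why a stolen copy exposes far less than the plaintext file.

```python
import hashlib
import math
import re
from urllib.parse import unquote
class BloomFilter:
    """k hashed bit positions per item; holds no plaintext, so a stolen copy only answers 'might this be a member?'."""
    def __init__(self, expected_items, fp_rate):
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits, self.count = bytearray((self.m + 7) // 8), 0

    def _positions(self, item):  # k positions derived from SHA-256(counter || item)
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def might_contain(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def expected_false_positive_rate(bf):  # weak validation: no misses, non-members hit at about this rate
    return (1 - math.exp(-bf.k * bf.count / bf.m)) ** bf.k

def build_password_filter(passwords, fp_rate=1e-6):
    bf = BloomFilter(len(passwords), fp_rate)  # the claim's "first encoding"
    for pw in passwords:
        bf.add(pw)
    return bf

def candidate_tokens(payload):
    """Split on whitespace and form delimiters, then URL-decode so a %-encoded password matches."""
    return {unquote(t) for t in re.split(r"[\s&=?]+", payload) if t}

def scan_outgoing(payload, bf):
    """The claim's "second encoding": every token is tested against the same filter."""
    return sorted(t for t in candidate_tokens(payload) if bf.might_contain(t))

def decide(hits, destination, alert_only=frozenset()):
    """Constructed policy: no hit -> allow; hit to a vetted partner -> alert; else block."""
    if not hits:
        return "allow"
    return "alert" if destination in alert_only else "block"

PASSWORDS = ["Tr0ub4dor&3", "correcthorsebatterystaple", "Winter2024!"]  # constructed sample, not from the patent
PASSWORD_FILTER = build_password_filter(PASSWORDS)
SAMPLE_REQUEST = "POST /login?user=alice&pass=Tr0ub4dor%263 HTTP/1.1"  # constructed leaking request
```

The false-positive budget is what makes the validation "weak": tightening `fp_rate` costs bits, and an operator tunes it so that alerts stay actionable.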
Abstract
A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information, or it may simply contain artificial sensitive information. Parameters may be inserted into the bait, such as the identity of the electronic device on which the bait is installed. The output of the electronic device is monitored and analyzed for attempts to transmit the bait. The output is analyzed by correlating it with the bait, which can be done by comparing information about the bait with the traffic over a computer network in order to decide on the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine whether the electronic device that transmitted the bait contains unwanted software.
11 Claims
1. As set out above under First Claim. Dependent claims: 2, 3, 4.
5. A system for reducing exposure of an organizational password file comprising a plurality of passwords to a dictionary attack, wherein the passwords in the password file are configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the system comprising:
- a management unit configured to perform a first encoding of the plurality of passwords in the organizational password file using a Bloom filter;
- a processor configured to execute computer instructions, wherein the computer instructions implement a traffic analyzer in communication with the computer network, the traffic analyzer being configured to search outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter by performing a second encoding using the Bloom filter and perform a weak validation based on a result of the first encoding and a result of the second encoding, determining the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation; and
- a decision system configured to make a decision whether to do at least one of “block”, “alert” or “quarantine” the traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic, and enforce the decision on the traffic.
Dependent claims: 6, 7, 8.
9. A system for reducing exposure of an organizational password file comprising a plurality of passwords to a dictionary attack, wherein the passwords in the password file are configured for use by users to access sensitive resources, while verifying whether data transmitted over a computer network is one of the plurality of passwords, the system comprising:
- means for performing a first encoding of the plurality of passwords in the organizational password file using a Bloom filter;
- a processor configured to execute computer instructions, wherein the computer instructions include data traffic analyzer means in communication with the computer network, the traffic analyzer means for searching outgoing traffic from at least one computerized device within an organizational perimeter to a site outside the organizational perimeter by performing a second encoding using the Bloom filter and for performing a weak validation based on a result of the first encoding and a result of the second encoding and determining the existence of one of the plurality of passwords in the outgoing traffic based only on the weak validation;
- decision means for making a decision whether to do at least one of “block”, “alert” or “quarantine” the outgoing traffic based at least in part on the existence of one of the plurality of passwords in the outgoing traffic; and
- enforcing means for enforcing the decision on the outgoing traffic.
Dependent claims: 10, 11.