Multilayered deception for intrusion detection and prevention

US 8,739,281 B2
Filed: 12/06/2011
Issued: 05/27/2014
Est. Priority Date: 12/06/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a processor executing a multilayer deception system controller application, a plurality of honey entities and an instance of honey activity associated with one honey entity of the plurality of honey entities at a private network, the plurality of honey entities including a honey profile for a honey user, wherein the honey profile is generated based upon a real profile of a real user associated with the private network, wherein the real profile comprises a first version of contact information, and wherein the honey profile comprises a second version of the contact information;

exposing, by the processor, the honey profile outside of the private network by uploading information associated with the honey profile to a social networking service;

detecting, by the processor, an interaction with the one honey entity of the plurality of honey entities; and

analyzing, by the processor, the interaction to determine if the interaction corresponds to an attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments of the concepts and technologies disclosed herein, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks.

41 Citations

View as Search Results

16 Claims

1. A method comprising:
- generating, by a processor executing a multilayer deception system controller application, a plurality of honey entities and an instance of honey activity associated with one honey entity of the plurality of honey entities at a private network, the plurality of honey entities including a honey profile for a honey user, wherein the honey profile is generated based upon a real profile of a real user associated with the private network, wherein the real profile comprises a first version of contact information, and wherein the honey profile comprises a second version of the contact information;
  
  exposing, by the processor, the honey profile outside of the private network by uploading information associated with the honey profile to a social networking service;
  
  detecting, by the processor, an interaction with the one honey entity of the plurality of honey entities; and
  
  analyzing, by the processor, the interaction to determine if the interaction corresponds to an attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein generating the honey entity comprises generating a honey server at the private network.
  - 3. The method of claim 1, wherein the instance of honey activity comprises activity between the honey entity and a computer operating on the private network.
  - 4. The method of claim 3, wherein the computer comprises a honey computer isolated from the real user, wherein the attack comprises a spear-phishing email, and wherein the spear-phishing email is routed by the mail server to a multilayer deception system controller that monitors an email address associated with the honey profile.
  - 5. The method of claim 1, further comprising:
    - determining if an interaction threshold is satisfied by the interaction; and
      
      in response to determining that the interaction threshold is satisfied, determining that the interaction corresponds to the attack, triggering an alarm indicating that the attack is in progress, blocking the attack, and propagating information relating to the attack to a further entity within the private network.
  - 6. The method of claim 5, further comprising:
    - determining if the threshold is to be adjusted based upon a determination that the alarm comprises a false alarm.

7. A system comprising:
- a processor; and
  
  a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations comprisingidentifying a real user as a target of an electronic attack,generating a honey profile for a honey user, the honey profile comprising a first version of contact information that differs from a second version of contact information associated with the real user,generating a honey entity and an instance of honey activity between a computer operating on a private network and the honey entity,exposing the honey profile on a public network by uploading the honey profile to a social networking server accessible via the public network,detecting an interaction with the honey entity, anddetermining, based upon detecting the interaction with the honey entity, if the interaction corresponds to the electronic attack.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the processor executes the computer-executable instructions to instruct a mail server associated with the private network to route communications directed to an email address associated with the honey profile to a multilayer deception system controller that monitors the email address.
  - 9. The system of claim 7, wherein the processor executes the computer-executable instructions to trigger an alarm, in response to determining that the interaction corresponds to the electronic attack.
  - 10. The system of claim 7, wherein the processor executes the computer-executable instructions to:
    - trigger an alarm, in response to detecting the interaction with the honey entity;
      
      analyze the interaction to determine if an interaction threshold is satisfied by the interaction; and
      
      in response to determining that the interaction threshold is satisfied, determine that the interaction corresponds to the attack, block the attack, and propagate information relating to the attack to a further entity within the private network.
  - 11. The system of claim 10, wherein the processor executes the computer-executable instructions to:
    - trigger an alarm, in response to detecting the interaction with the honey entity;
      
      analyze the interaction to determine if an interaction threshold is satisfied by the interaction;
      
      determine that that the threshold is to be adjusted based upon determining that the threshold is satisfied and determining that the interaction does not correspond to the attack; and
      
      adjust the threshold.
  - 12. The system of claim 7, wherein the social networking server stores social networking data comprising a profile associated with the real user.

13. A computer storage medium having computer-executable instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising:
- determining that a real user of a private network is a target of an attacker;
  
  generating a honey user and a honey profile for the honey user, the honey profile comprising a first version of contact information that differs from a second version of contact information associated with a real profile of the real user;
  
  exposing the honey profile outside of a private network associated with the real user by uploading the honey profile to a social networking server accessible via a public network;
  
  hosting honey entities at the private network;
  
  generating an instance of honey activity between a computer operating on the private network and the honey entities;
  
  detecting an interaction with one honey entity of the honey entities; and
  
  determining, based upon detecting the interaction with the one of the honey entities, if the interaction corresponds to an attack by the attacker.
- View Dependent Claims (14, 15, 16)
- - 14. The computer storage medium of claim 13, wherein the social networking server stores social networking data comprising the real profile.
  - 15. The computer storage medium of claim 13, further comprising computer-executable instructions that, when executed by the processor, cause the processor to perform operations further comprising:
    - instructing a mail server operating in communication with the private network to route a message intended for an email address associated with the honey profile to a honey computer;
      
      detecting routing of the message to the honey computer;
      
      analyzing the message to determine if the message comprises the attack; and
      
      triggering an alarm, in response to determining that the message comprises the attack.
  - 16. The computer storage medium of claim 15, further comprising computer-executable instructions that, when executed by the processor, cause the processor to perform operations further comprising:
    - blocking the attack; and
      
      propagating information associated with the attack to other entities associated with the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wang, Wei, Shen, Qi, Forte, Andrea G., Bickford, Jeffrey E.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/311,608
Publication Number

US 20130145465A1
Time in Patent Office

903 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/14   for detecting or protecting...

H04L 63/1491   using deception as counterm...

Multilayered deception for intrusion detection and prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Multilayered deception for intrusion detection and prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links