Protecting electronic assets using false profiles in social networks

US 8,856,928 B1
Filed: 06/28/2012
Issued: 10/07/2014
Est. Priority Date: 06/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a secure network from malicious communications, the method comprising:

configuring, on the secure network, receiving circuitry to identify communications that include a particular user identifier;

storing the particular user identifier in a server remote from the secure network;

receiving, at the secure network, a particular communication;

verifying, by the receiving circuitry, whether the particular communication includes the particular user identifier;

issuing an alert when the particular communication includes the particular user identifier;

not issuing the alert when the particular communication does not include the particular user identifier, wherein the server hosts a website of a social network and maps values of the user identifier corresponding to each employee of the set of employees to an employee profile on the social network;

wherein storing the particular user identifier includes;

sending the particular user identifier to the server, the server generating an employee profile of a false employee on the social network from the particular user identifierwherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user; and

wherein the method further comprises;

extracting the identification information identifying the malicious user; and

issuing the alert upon receiving communications that include the identification information identifying the malicious user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved technique utilizes a honeypot-style seeding of synthetic user identifiers which, if used by spear-phishing intruders, enable easy discovery of the intruders. Along these lines, an administrator of a network constructs false employee profiles on a social network with the intent of intercepting any email to that employee. Such employee profiles correspond to no actual employee of the corporation, but are in fact synthetic entities designed to appear to be an actual employee. These profiles contain identifiers that describe the employee, such as a name, position within the corporation, telephone number, educational background, past positions, and social connections. The administrator configures a receiver at the corporate network to block from entering the secure network emails that include references to any of these identifiers.

Citations

19 Claims

1. A method of protecting a secure network from malicious communications, the method comprising:
- configuring, on the secure network, receiving circuitry to identify communications that include a particular user identifier;
  
  storing the particular user identifier in a server remote from the secure network;
  
  receiving, at the secure network, a particular communication;
  
  verifying, by the receiving circuitry, whether the particular communication includes the particular user identifier;
  
  issuing an alert when the particular communication includes the particular user identifier;
  
  not issuing the alert when the particular communication does not include the particular user identifier, wherein the server hosts a website of a social network and maps values of the user identifier corresponding to each employee of the set of employees to an employee profile on the social network;
  
  wherein storing the particular user identifier includes;
  
  sending the particular user identifier to the server, the server generating an employee profile of a false employee on the social network from the particular user identifierwherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user; and
  
  wherein the method further comprises;
  
  extracting the identification information identifying the malicious user; and
  
  issuing the alert upon receiving communications that include the identification information identifying the malicious user.
- View Dependent Claims (2, 3, 4, 5, 17, 18, 19)
- - 2. A method as in claim 1, wherein the identification data information includes an address of the malicious user;
    - andwherein the method further comprises;
      
      sending additional communications to the address of the malicious user, the additional communications being configured to induce the malicious user to provide additional identification data information.
  - 3. A method as in claim 1, wherein the secure network belongs to a corporation having a set of employees, each employee of the set of employees having a user identifier corresponding to the employee;
    - Wherein in the method father comprises;
      
      method further comprises;
      
      mapping the particular user identifier to a command of the receiving circuitry that is configured to issue the alert, andnot mapping the user identifier corresponding to the employee of the set of employees to a command of the receiving circuitry that is configured to issue the alert.
  - 4. A method as in claim 1,wherein a user identifier of an employee includes an employee name;
    - wherein an employee profile includes a connection attribute which represents a connection to another employee profile on the social network and has a value as the name of the user identifier from which the other employee profile was generated;
      
      wherein sending the particular user identifier to the server includes;
      
      assigning the name of an employee profile generated form a user identifier of an employee of the set of employees to the value of the connection attribute of the employee profile of the false employee.
  - 5. A method as in claim 1, wherein the communication that includes the particular user identifier includes an email having a header;
    - wherein extracting the identification data identifying the malicious user includes;
      
      obtaining a source address from the header of the email, the source address belonging to a particular location on the network from which the email was sent; and
      
      wherein issuing the alert when the particular communications includes the particular user identifier includes;
      
      saving the source address in a database.
  - 17. A method as in claim 1, wherein the employee profile generated from the particular user identifier is distinct from the employee profile of each employee of the set of employees;
    - wherein the method further comprises creating the particular user identifier from a list of plausible employee names, each plausible employee name of the list of plausible employee names being distinct from the user identifier of each employee of the set of employees.
  - 18. A method as in claim 17, wherein creating the particular user identifier from the list of plausible employee names includes performing a random selection from the list of plausible employee names.
  - 19. A method as in claim 17, wherein sending the particular user identifier to the server includes providing instructions to the server hosting the website of the social network to generate the employee profile of the false employee from the particular user identifier, the employee profile having attributes included in profiles of employees of the set of employees on the website of the social network.

6. A system constructed and arranged to protect a secure network from malicious communications, the system comprising:
- a network interface;
  
  memory; and
  
  a controller including receiving circuitry and controlling circuitry coupled to the memory, the controlling circuitry being constructed and arranged to;
  
  configure, on the secure network, receiving circuitry to identify communications that include a particular user identifier;
  
  store the particular user identifier in a server remote from the secure network;
  
  receive, at the secure network, a particular communication;
  
  cause the receiving circuitry to verify whether the particular communication includes the particular user identifier;
  
  issue an alert when the particular communication includes the particular user identifier;
  
  not issue the alert when the particular communication does not include the particular user identifier wherein the server hosts a website of a social network and maps values of the user identifier corresponding to the employee of the set of employees to an employee profile on the social network; and
  
  wherein storing the particular user identifier includes;
  
  sending the particular user identifier to the server, the server generating an employee profile of a false employee on the social network from the particular user identifierwherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user; and
  
  wherein the method further comprises;
  
  extracting the identification information identifying the malicious user; and
  
  issuing the alert upon receiving communications that include the identification information identifying the malicious user.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. A system as in claim 6,wherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user;
    - wherein the controlling circuitry is further constructed and arranged to;
      
      extract the identification information identifying the malicious user, andissue the alert upon receiving communications that include the identification information identifying the malicious user.
  - 8. A system as in claim 7,wherein the identification information includes an address of the malicious user;
    - andwherein the controlling circuitry is further constructed and arranged to;
      
      send additional communications to the address of the malicious user, the additional communications being configured to induce the malicious user to provide additional identification information.
  - 9. A method as in claim 7,wherein the secure network belongs to a corporation having a set of employees, each employee of the set of employees having a user identifier corresponding to the employee;
    - wherein the controlling circuitry is further constructed and arranged to;
      
      map the particular user identifier to a command of the receiving circuitry that is configured to issue the alert, andmap the user identifier corresponding to the employee of the set of employees to a command of the receiving circuitry that is configured to not issue the alert.
  - 10. A system as in claim 6,wherein a user identifier of an employee includes an employee name;
    - wherein an employee profile includes a connection attribute which represents a connection to another employee profile on the social network and has a value as the name of the user identifier from which the other employee profile was generated;
      
      wherein sending the particular user identifier to the server includes;
      
      assigning the name of an employee profile generated form a user identifier of an employee of the set of employees to the value of the connection attribute of the employee profile of the false employee.
  - 11. A system as in claim 7,wherein the communication that includes the false information includes an email having a header;
    - wherein extracting the identification data identifying the malicious user includes;
      
      obtaining a source address from the header of the email, the source address belonging to a particular location on the network from which the email was sent; and
      
      wherein issuing the alert when the particular communications includes the particular user identifier includes;
      
      saving the source address in a database.

12. A computer program product having a non-transitory, computer-readable storage medium which stores code to protect a secure network from malicious communications, the code including instructions to:
- configure, on the secure network, receiving circuitry to identify communications that include a particular user identifier;
  
  store the particular user identifier in a server remote from the secure network;
  
  receive, at the secure network, a particular communication;
  
  verify, by the receiving circuitry, whether the particular communication includes the particular user identifier;
  
  issue an alert when the particular communication includes the particular user identifier;
  
  not issue the alert when the particular communication does not include the particular user identifier wherein the server hosts a website of a social network and maps values of the user identifier corresponding to the employee of the set of employees to an employee profile on the social network; and
  
  wherein storing the particular user identifier includes;
  
  sending the particular user identifier to the server, the server generating an employee profile of a false employee on the social network from the particular user identifierwherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user; and
  
  wherein the method further comprises;
  
  extracting the identification information identifying the malicious user; and
  
  issuing the alert upon receiving communications that include the identification information identifying the malicious user.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A computer program product as in claim 12,wherein the particular communication that includes the particular user identifier is sent by a malicious user and further includes identification information identifying the malicious user;
    - wherein the controlling circuitry is further constructed and arranged to;
      
      extract the identification information identifying the malicious user, andissue the alert upon receiving communications that include the identification information identifying the malicious user.
  - 14. A computer program product as in claim 13,wherein the identification information includes an address of the malicious user;
    - andwherein the code includes further instructions to;
      
      send additional communications to the address of the malicious user, the additional communications being configured to induce the malicious user to provide additional identification information.
  - 15. A method as in claim 13,wherein the secure network belongs to a corporation having a set of employees, each employee of the set of employees having a user identifier corresponding to the employee;
    - wherein the code includes further instructions to;
      
      map the particular user identifier to a command of the receiving circuitry that is configured to issue the alert, andmap the user identifier corresponding to the employee of the set of employees to a command of the receiving circuitry that is configured to not issue the alert.
  - 16. A computer program product as in claim 12,wherein a user identifier of an employee includes an employee name;
    - wherein an employee profile includes a connection attribute which represents a connection to another employee profile on the social network and has a value as the name of the user identifier from which the other employee profile was generated;
      
      wherein sending the particular user identifier to the server includes;
      
      assigning the name of an employee profile generated form a user identifier of an employee of the set of employees to the value of the connection attribute of the employee profile of the false employee.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Rivner, Uri, Aharoni, Idan
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US13/535,417
Time in Patent Office

831 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06Q 50/01   Social networking

H04L 63/1491   using deception as counterm...

H04L 67/306   User profiles

Protecting electronic assets using false profiles in social networks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting electronic assets using false profiles in social networks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links