Cyber attack disruption through multiple detonations of received payloads
Abstract
Apparatus and method for disrupting cyber attacks. In accordance with some embodiments, the apparatus includes a local computer system and an associated security system. The security system employs a decoy environment operationally isolated from the local computer system. The decoy environment operates to, responsive to receipt of a payload from an outside source, load the received payload into a memory of the decoy environment and detonate the loaded payload a plurality of times.
27 Claims
1. A method comprising:
using a local network accessible system to receive a payload transmitted across a computer network, the local network accessible system comprising a processor, an associated memory and a decoy environment;
copying the received payload to the decoy environment and to the associated memory; and
repetitively detonating, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once,
wherein the received payload includes a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload,
wherein the malicious action is carried out responsive to both the detonating of the copied payload within the decoy environment and activating of the copied payload within the associated memory,
wherein the malicious action comprises generating a callback communication to the attacking party,
wherein the detonation of the copied payload in the decoy environment said plurality of times in succession generates a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party,
wherein the activation of the copied payload in the associated memory generates at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications; and
wherein the copied payload is detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A computer system comprising a processor, an associated memory and a decoy environment, the processor having associated programming to execute the following steps responsive to receipt of a payload transmitted across a computer network:
copy the received payload to the decoy environment and to the associated memory; and
repetitively detonate, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once,
the received payload including a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload,
the malicious action carried out responsive to both the detonation of the copied payload within the decoy environment and the activation of the copied payload within the associated memory,
the malicious action generating a callback communication to the attacking party,
the detonation of the copied payload in the decoy environment said plurality of times in succession generating a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party,
the activation of the copied payload in the associated memory generating at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications, and
the copied payload detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
Dependent claims: 18, 19, 20, 21, 22, 23
24. A non-volatile, non-transitory computer readable medium on which is stored programming configured to, upon execution by a programmable processor, perform the following steps within a computer system:
responsive to receipt of a payload transmitted across a computer network, copy the received payload to a decoy environment and to an associated memory; and
repetitively detonate, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once,
the received payload including a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload,
the malicious action carried out responsive to both the detonation of the copied payload within the decoy environment and the activation of the copied payload within the associated memory,
the malicious action generating a callback communication to the attacking party,
the detonation of the copied payload in the decoy environment said plurality of times in succession generating a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party,
the activation of the copied payload in the associated memory generating at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications, and
the copied payload detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
Dependent claims: 25, 26, 27
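The timing limits shared by claims 1, 17 and 24, as an added sketch that is not code from the patent: it only builds and checks a detonation schedule, and nothing is executed. The function names, the 60-second period, the sample profile and the rule that decoys must occur both before and after the authentic period are assumptions made for illustration.

```python
import random

def build_schedule(profile, period_s, authentic_period, seed=0):
    """Build a time-ordered list of (t_seconds, kind) events.

    profile[i] is the number of decoy detonations in elapsed period i
    (the "predefined profile"); kind is "decoy" or "authentic".
    """
    n = len(profile)
    if n < 3 or not 0 < authentic_period < n - 1:
        raise ValueError("authentic activation needs an intermediate period")
    if sum(profile) < 2:
        raise ValueError("a plurality of decoy detonations is required")
    if all(a == b for a, b in zip(profile, profile[1:])):
        raise ValueError("counts must differ between some successive periods")
    # Assumption: masking needs decoys before and after the authentic period.
    if not sum(profile[:authentic_period]) or not sum(profile[authentic_period + 1:]):
        raise ValueError("decoy callbacks must continue around the authentic one")

    rng = random.Random(seed)  # seeded so the constructed schedule is repeatable
    events = []
    for i, count in enumerate(profile):
        start = i * period_s
        events += [(start + rng.random() * period_s, "decoy") for _ in range(count)]
    t_auth = (authentic_period + rng.random()) * period_s
    events.append((t_auth, "authentic"))
    return sorted(events)

def decoys_per_period(events, period_s, n_periods):
    """Count decoy detonations in each successive elapsed period."""
    counts = [0] * n_periods
    for t, kind in events:
        if kind == "decoy":
            counts[int(t // period_s)] += 1
    return counts

def is_masked(events):
    """True when decoy events both precede and follow the authentic event."""
    kinds = [kind for _, kind in events]
    i = kinds.index("authentic")
    return 0 < i < len(kinds) - 1

# Constructed sample: five 60-second periods, decoy rate ramps up then down.
SAMPLE_PROFILE = [2, 5, 9, 4, 1]
SAMPLE = build_schedule(SAMPLE_PROFILE, period_s=60, authentic_period=2)
```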
Specification