Cyber attack disruption through multiple detonations of received payloads

US 8,943,594 B1
Filed: 12/18/2013
Issued: 01/27/2015
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

using a local network accessible system to receive a payload transmitted across a computer network, the local network accessible system comprising a processor, an associated memory and a decoy environment;

copying the received payload to the decoy environment and to the associated memory; and

repetitively detonating, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once,wherein the received payload includes a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload,wherein the malicious action is carried out responsive to both the detonating of the copied payload within the decoy environment and activating of the copied payload within the associated memory,wherein the malicious action comprises generating a callback communication to the attacking party,wherein the detonation of the copied payload in the decoy environment said plurality of times in succession generates a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party,wherein the activation of the copied payload in the associated memory generates at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications; and

wherein the copied payload is detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and method for disrupting cyber attacks. In accordance with some embodiments, the apparatus includes a local computer system and an associated security system. The security system employs a decoy environment operationally isolated from the local computer system. The decoy environment operates to, responsive to receipt of a payload from an outside source, load the received payload into a memory of the decoy environment and detonate the loaded payload a plurality of times.

Citations

27 Claims

1. A method comprising:
- using a local network accessible system to receive a payload transmitted across a computer network, the local network accessible system comprising a processor, an associated memory and a decoy environment;
  
  copying the received payload to the decoy environment and to the associated memory; and
  
  repetitively detonating, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once,wherein the received payload includes a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload,wherein the malicious action is carried out responsive to both the detonating of the copied payload within the decoy environment and activating of the copied payload within the associated memory,wherein the malicious action comprises generating a callback communication to the attacking party,wherein the detonation of the copied payload in the decoy environment said plurality of times in succession generates a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party,wherein the activation of the copied payload in the associated memory generates at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications; and
  
  wherein the copied payload is detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the received payload is an email message with an embedded hyperlink, the email message being concurrently transferred to both the associated memory for access by a user of the local network accessible system and to the decoy environment, and the multiple detonations comprise activation of the embedded hyperlink.
  - 3. The method of claim 1, wherein every payload received by the local network accessible system over said network is concurrently transferred to the associated memory and to the decoy environment.
  - 4. The method of claim 3, further comprising detecting the generation of the multiple decoy callback communications and, in response thereto, removing the received payload from the associated memory after the generation of the authentic callback communication to prevent the generation of additional authentic callback communications while continuing to generate the decoy callback communications.
  - 5. The method of claim 1, wherein the received payload is an email message with an attachment, the detonation of the received payload comprising executing an application program in memory to open the attachment.
  - 6. The method of claim 1, wherein the copying step comprises transferring the received payload is transferred to the decoy environment, initiating a short delay period, and transferring the received payload to the local computer system after the short delay period.
  - 7. The method of claim 1, wherein the payload comprises an executable file or a memory stream.
  - 8. The method of claim 1, wherein the payload comprises a file or memory stream associated with a host application or associated with an interpreter.
  - 9. The method of claim 1, wherein the communication is repetitively detonated by being opened, executed or launched at least N times where N is a plural number.
  - 10. The method of claim 1, wherein N is greater than or equal to 100.
  - 11. The method of claim 1, wherein the predetermined profile nominally follows a Gaussian distribution.
  - 12. The method of claim 1, wherein the predetermined profile is multi-modal so that a first succession of the elapsed time periods have successively increased numbers of transmitted decoy callback communications, a following second succession of the elapsed time periods have successively decreased numbers of transmitted decoy callback communications, and a following third succession of the elapsed time periods have successively increased numbers of transmitted decoy callback communications.
  - 13. the method of claim 1, further comprising forming a plurality of detonation stages within the decoy environment and copying the received payload to each of the detonation stages.
  - 14. The method of claim 13, further comprising using each of the detonation stages to detonate only a single copy of the received payload once.
  - 15. The method of claim 13, wherein the plurality of detonation stages comprises a first detonation stage which emulates a first operating system and a second detonation stage which emulates a different, second operating system.
  - 16. The method of claim 1, wherein the decoy environment comprises a plurality of detonation stages including a first detonation stage which activates a first copy of the received payload using a first application program and a different, second local detonation stage which activates a different, second copy of the received payload using a different, second application program.

17. A computer system comprising a processor, an associated memory and a decoy environment, the processor having associated programming to execute the following steps responsive to receipt of a payload transmitted across a computer network:
- copy the received payload to the decoy environment and to the associated memory; and
  
  repetitively detonate, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once, the received payload including a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload, the malicious action carried out responsive to both the detonation of the copied payload within the decoy environment and the activation of the copied payload within the associated memory, the malicious action generating a callback communication to the attacking party, the detonation of the copied payload in the decoy environment said plurality of times in succession generating a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party, the activation of the copied payload in the associated memory generating at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications, and the copied payload detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer system of claim 17, the received payload comprising an email message with an embedded hyperlink, the email message transferred to the associated memory for access by a user of the computer system and to the decoy environment for detonation, the multiple detonations comprising activation of the embedded hyperlink multiple times.
  - 19. The computer system of claim 17, the payload comprising an email message with an attachment, the email message and the attachment transferred to the associated memory for access by a user of the computer system and to the decoy environment for detonation, the multiple detonations comprising using an application program to open the attachment.
  - 20. The computer system of claim 17, the processor directing a concurrent transfer of every payload received by the computer system over said to the associated memory and to the decoy environment.
  - 21. The computer system of claim 17, the predetermined profile nominally following a Gaussian distribution.
  - 22. The computer system of claim 17, the predetermined profile nominally following a multi-modal distribution.
  - 23. the computer system of claim 17, the processor forming a plurality of detonation stages within the decoy environment and copying the received payload to each of the detonation stages.

24. A non-volatile, non-transitory computer readable medium on which is stored programming configured to, upon execution by a programmable processor, perform the following steps within a computer system:
- responsive to receipt of a payload transmitted across a computer network, copy the received payload to a decoy environment and to an associated memory; and
  
  repetitively detonate, within the decoy environment, the copied payload a plurality of times while concurrently activating, within the associated memory, the copied payload at least once, the received payload including a malicious component from an attacking party configured to carry out a malicious action responsive to activation of the payload, the malicious action carried out responsive to both the detonation of the copied payload within the decoy environment and the activation of the copied payload within the associated memory, the malicious action generating a callback communication to the attacking party, the detonation of the copied payload in the decoy environment said plurality of times in succession generating a corresponding plurality of decoy callback communications that are transferred across the network to the attacking party, the activation of the copied payload in the associated memory generating at least one authentic callback communication that is transferred across the network to the attacking party during the continued transfer of said decoy callback communications so that the at least one authentic callback communication is masked within said decoy callback communications, and the copied payload detonated within the decoy environment a plurality of times in succession at a time varying rate over an applicable period of time using a predefined profile so that a number of detonations is different for at least some successive elapsed time periods over the applicable period of time and the authentic callback communication is transferred during an intermediate one of the successive elapsed time periods.
- View Dependent Claims (25, 26, 27)
- - 25. The medium of claim 24, the payload comprising an executable file.
  - 26. The medium of claim 24, the payload comprising a memory stream.
  - 27. The medium of claim 24, the programming further configured to, upon execution of the programmable processor, detect the generation of the malicious callbacks and quarantine the copy of the payload in the memory to prevent further generation of authentic callbacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Haystack Security, LLC
Original Assignee
Haystack Security, LLC
Inventors
Arrowood, James Lee Wayne
Primary Examiner(s)
Shaw, Peter

Application Number

US14/132,824
Publication Number

US 20150047035A1
Time in Patent Office

405 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2127   Bluffing

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Cyber attack disruption through multiple detonations of received payloads

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber attack disruption through multiple detonations of received payloads

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links