System for detecting, analyzing, and controlling infiltration of computer and network systems

US 9,060,017 B2
Filed: 02/20/2013
Issued: 06/16/2015
Est. Priority Date: 02/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and manipulating a malicious actor/communication on a computer system, the method comprising the steps of:

providing multiple detection points at specific locations in the computer system, each detection point presenting an opportunity to detect and manipulate a malicious actor/communication;

detecting a malicious actor/communication on the system based on a triggering of a first detection point;

controlling or manipulating the malicious actor/communication to a second detection point;

characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication detected by the triggering of one or more of the detection points;

wherein there are multiple detection points provided in the system that are accessible from the first detection point;

wherein the step of controlling or manipulating the malicious actor/communication comprises permitting the malicious actor/communication to access the multiple detection points that are accessible from the first detection point; and

wherein the step of characterizing the malicious actor/communication involves determining an aspect of the malicious actor/communication based on which of the multiple detection points that are accessible from the first detection point are triggered by the malicious actor/communication.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting and manipulating a malicious actor/communication on a computer network or system. The method includes the steps of incorporating one or more synthetic vulnerabilities into the computer system at distinct locations, where each synthetic vulnerability presents an opportunity for exploitation by a malicious actor/communication, detecting an exploitation of one of the vulnerabilities by an actor, analyzing the actor to determine if the actor is a malicious actor/communication; and manipulating the malicious actor/communication. A computer program on a storage medium is also disclosed.

29 Citations

View as Search Results

28 Claims

1. A method for detecting and manipulating a malicious actor/communication on a computer system, the method comprising the steps of:
- providing multiple detection points at specific locations in the computer system, each detection point presenting an opportunity to detect and manipulate a malicious actor/communication;
  
  detecting a malicious actor/communication on the system based on a triggering of a first detection point;
  
  controlling or manipulating the malicious actor/communication to a second detection point;
  
  characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication detected by the triggering of one or more of the detection points;
  
  wherein there are multiple detection points provided in the system that are accessible from the first detection point;
  
  wherein the step of controlling or manipulating the malicious actor/communication comprises permitting the malicious actor/communication to access the multiple detection points that are accessible from the first detection point; and
  
  wherein the step of characterizing the malicious actor/communication involves determining an aspect of the malicious actor/communication based on which of the multiple detection points that are accessible from the first detection point are triggered by the malicious actor/communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein the step of controlling or manipulating the malicious actor/communication involves modifying the content of the malicious actor/communication.
  - 3. A method according to claim 1, wherein at least one of the multiple detection points is selected from at least one of the following:
    - a program mistake in the code, hidden comments embedded in a web page, files in a file system, information on the system operation, a prescribed location, a potentially compromisable application, content that is adapted for use by a malicious actor in the attack, compromise, or disabling of computer systems, or the acquisition, destruction, or modification of information, and content that drives a certain activity that indicates that the communication is malicious, is from a malicious or unauthorized source, or has a malicious intent.
  - 4. A method according to claim 1, wherein the step of characterizing involves one or more of:
    - storing information related to the detection point that the malicious actor/communication is exploiting, detecting tools, programs or methods being used by the malicious actor/communication, and detecting what information about the system the malicious actor/communication is using to exploit the detection point.
  - 5. A method according to claim 1, wherein the step of triggering of a detection point involves matching one or more features of the malicious actor/communication to a set of rules at a detection point, the features including one or more of:
    - a source address where the communication was received from, a file being requested, a directory where a file requested resides, a time of day that a request is being made, a user making a request, a system where the request is made, and the contents be accessed.
  - 6. A method according to claim 1, wherein step of manipulating the malicious actor/communication involves one or more of:
    - adding content to the malicious actor/communication, modifying content in the malicious actor/communication, deleting content in the malicious actor/communication, redirecting the malicious actor/communication to a separate server where the malicious actor/communication is processed, and recording of the actions by the malicious actor/communication associated with the triggering of the detection point for use in future detecting of the malicious actor/communication.
  - 7. A method according to claim 1, wherein step of manipulating the malicious actor/communication involves adding additional detection points based on the outcome of the characterization step.
  - 8. A method according to claim 1, wherein the system further comprises the step of generating a report as a result of the triggering of a detection point.

9. A method for detecting and manipulating a malicious actor/communication on a computer system, the method comprising the steps of:
- providing multiple detection points at specific locations in the computer system, each detection point presenting an opportunity to detect and manipulate a malicious actor/communication;
  
  detecting a malicious actor/communication on the system based on a triggering of a first detection point;
  
  controlling or manipulating the malicious actor/communication to a second detection point;
  
  characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication detected by the triggering of one or more of the detection points;
  
  wherein some of the multiple detection points are arranged in the system in a sequence with one detection point leading to another detection point thereby defining a mission; and
  
  wherein the step of characterizing involves analyzing information related to the malicious actor/communication and its progression through the multiple detection points.

10. A method for detecting and manipulating a malicious actor/communication on a computer network or system, the method comprising the steps of:
- creating multiple detection points for detecting, capturing or directing a malicious actor/communication;
  
  implementing, integrating, or applying the multiple detection points to a target system or network;
  
  intercepting a malicious actor/communication that is directed to the target system or network based on a triggering of a first detection point;
  
  controlling or manipulating the malicious actor/communication to proceed to another detection point; and
  
  characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication that triggered at least one of the detection points;
  
  wherein the step of controlling or manipulating the malicious actor/communication involves providing the malicious actor/communication with access to multiple detection points that are directly accessible from the first detection point; and
  
  wherein the characterizing step involves analyzing which detection points were selected by the malicious actor/communication out of the multiple detection points, and determining an aspect of the malicious actor/communication based on that analysis.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 11. A method according to claim 10, wherein the characterizing step involves analyzing the detection points that are triggered by the malicious actor/communication.
  - 12. A method according to claim 10, wherein the characterizing step involves determining one or more of the following about the malicious actor/communication:
    - what it is seeking, where it may have originated, how it accomplishes its malicious activities, the tools it is using, information used by the malicious actor/communication, and a relationship to other sources of malicious activity.
  - 13. A method according to claim 10, wherein the controlling or manipulating step involves directing or altering the malicious actor/communication to prevent harm to the target system.
  - 14. A method according to claim 13, wherein the malicious actor/communication is a malicious communication and wherein the step of altering of the malicious actor/communication involves modifying the malicious communication so it is no longer harmful to the target system, and wherein the malicious communication is sent to the target system after the modification.
  - 15. A method according to claim 13, wherein the malicious actor/communication is a malicious communication and wherein the altering of the malicious actor/communication involves modifying the malicious communication to add a tag for tracking of and conducting later actions on the malicious communication.
  - 16. A method according to claim 15, wherein the tag includes a data string added to the malicious communication'"'"'s cookie header identifying a source as a malicious actor, and wherein the string stores a cookie in a web browser of the source which attaches information to later communications sent from that web browser.
  - 17. A method according to claim 13, wherein the directing of the malicious actor/communication involves directing the malicious actor/communication to a vulnerability server that includes further detection points.
  - 18. A method according to claim 10, wherein the controlling or manipulating step involves implementing further detection points into the system based on the characterization of the malicious actor/communication.
  - 19. A method according to claim 10, wherein based on the second detection point triggered the controlling or manipulating step involves predicting future actions of the malicious actor/communication and modifying or adding detection points to the system to control or track the malicious actor/communication.
  - 20. A method according to claim 10, wherein the step of creating one or more detection points includes leveraging actual data from the system or fake data incorporated into a part of the system that can be accessed by a malicious actor/communication, and wherein the step of characterizing the malicious actor/communication involves detecting when a malicious actor/communication uses the data in another part of the system and determining an aspect about the malicious actor/communication based on that detection.
  - 21. A method according to claim 10, wherein the step of characterizing the malicious actor/communication involves storing information related to the malicious actor/communication for use in analyzing the malicious actor/communication.
  - 22. A method according to claim 21, wherein the information stored is information related to the abilities of the malicious actor/communication to access a certain vulnerability in the system.
  - 23. A method according to claim 10, wherein the detection point includes report rules which control generation of a report upon triggering of the detection point.

24. A method for detecting and manipulating a malicious actor/communication on a computer network or system, the method comprising the steps of:
- creating multiple detection points for detecting, capturing or directing a malicious actor/communication;
  
  implementing, integrating, or applying the multiple detection points to a target system or network;
  
  intercepting a malicious actor/communication that is directed to the target system or network based on a triggering of a first detection point;
  
  controlling or manipulating the malicious actor/communication to proceed to another detection point; and
  
  characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication that triggered at least one of the detection points;
  
  wherein the step of implementing, integrating, or applying the one or more detection points involves creating a mission using multiple detection points, with each detection point leading to another detection point, the mission being indicative of certain information being sought by a malicious actor/communication.

25. A non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to implement a method for detecting and manipulating a malicious actor/communication on a computer network or system, the method comprising the steps of:
- creating multiple detection points for detecting, capturing or directing a malicious actor/communication;
  
  implementing, integrating, or applying the detection points to a target system or network;
  
  intercepting a malicious actor/communication that is directed to the target system or network based on a triggering of a first detection point;
  
  controlling or manipulating the malicious actor/communication to a second detection point; and
  
  characterizing the malicious actor/communication to determine some information about the malicious actor/communication based on an analysis of the activities or aspects of the malicious actor/communication detected by the triggering of one or more of the detection points;
  
  wherein there are multiple detection points provided in the system that are accessible from the first detection point;
  
  wherein the step of controlling or manipulating the malicious actor/communication comprises permitting the malicious actor/communication to access the multiple detection points that are accessible from the first detection point; and
  
  wherein the step of characterizing the malicious actor/communication involves determining an aspect of the malicious actor/communication based on which of the multiple detection points that are accessible from the first detection point are triggered by the malicious actor/communication.

26. A protection system for detecting and manipulating a malicious actor/communication on a target computer program, the protection system comprising:
- a computer engine module configured to receive communications including malicious communications, the engine module including a first detection point and second detection points, each detection point including one or more match rules and actions to be accomplished upon a match being found, the engine module including program coding configured to compare the received communication against the match rules associated with the detection point to characterize the communication as a malicious communication, implement the actions associated with a detection point upon a determination that a communication matches the rules, and to control or manipulate the malicious communication;
  
  a report generator in communication with the engine module, the report generator adapted to generate a report upon a determination that a communication matches the rules;
  
  a storage database for receiving and storing detection points and reports; and
  
  an admin GUI module for creating detection points and sending the detection points to the engine module;
  
  wherein there are multiple second detection points provided in the system that are accessible from the first detection point;
  
  wherein controlling or manipulating the malicious actor/communication comprises detecting the triggering by the malicious actor/communication of the first detection point, and permitting the malicious actor/communication to access the multiple second detection points that are accessible from the first detection point; and
  
  wherein characterizing the malicious actor/communication involves determining an aspect of the malicious actor/communication based on which of the multiple second detection points that are accessible from the first detection point are triggered by the malicious actor/communication.
- View Dependent Claims (27, 28)
- - 27. The protection system according to claim 26, wherein the engine module is configured as a proxy located between potential sources of malicious communications and the target program, the engine module configured such that malicious communications passes through the engine module before reaching the target program.
  - 28. The protection system according to claim 26, wherein the engine module is located on a separate server from the target program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Logos Technologies Holdco, Inc.
Original Assignee
Logos Technologies, LLP
Inventors
Marion, John, Chamales, George
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US14/362,265
Publication Number

US 20140298469A1
Time in Patent Office

846 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

System for detecting, analyzing, and controlling infiltration of computer and network systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

System for detecting, analyzing, and controlling infiltration of computer and network systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others