Method and system for detecting network compromise
First Claim
1. A method for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) or Dynamic Domain Name System (DDNS) servers, comprising:
operating one or more decoy bot computers in the victim cloud;
operating one or more decoy control computers among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud;
identifying threats by analyzing data traffic communicated with the one or more victim computers, the one or more decoy bot computers and the one or more decoy control computers; and
upon identifying information suspected of being stolen by a hacker, if the identified information was identified from a victim computer from among the one or more victim computers in communication with a control computer used by the hacker, modifying a lookup table in a DNS or DDNS server from among the one or more DNS or DDNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for a sinkhole computer for connecting the victim computer to the sinkhole computer; and
if the identified information was identified from a decoy bot computer from among the one or more decoy bot computers or a decoy control computer from among the one or more decoy control computers, intercepting a transmission and removing data suspected of being stolen from the data traffic while maintaining ongoing communications between the decoy control computer or the decoy bot computer and the hacker.
Abstract
A method and system are described for detecting unauthorized access to one or more of a plurality of networked victim computers in a victim cloud. The networked victim computers connect to one or more DNS servers. The system includes one or more decoy bot computers, which are operated as victim computers in the victim cloud. The system also includes one or more decoy control computers, which are operated as control computers that communicate with victim computers in the victim cloud. Threats are identified by analyzing data traffic communicated with the decoy bot computers and decoy control computers for information suspected of having been sent from a victim's computer without proper authorization, and by monitoring whether behavior of a DNS server deviates from expected behaviors.
16 Claims
1. A method for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) or Dynamic Domain Name System (DDNS) servers, comprising:
operating one or more decoy bot computers in the victim cloud;
operating one or more decoy control computers among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud;
identifying threats by analyzing data traffic communicated with the one or more victim computers, the one or more decoy bot computers and the one or more decoy control computers; and
upon identifying information suspected of being stolen by a hacker, if the identified information was identified from a victim computer from among the one or more victim computers in communication with a control computer used by the hacker, modifying a lookup table in a DNS or DDNS server from among the one or more DNS or DDNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for a sinkhole computer for connecting the victim computer to the sinkhole computer; and
if the identified information was identified from a decoy bot computer from among the one or more decoy bot computers or a decoy control computer from among the one or more decoy control computers, intercepting a transmission and removing data suspected of being stolen from the data traffic while maintaining ongoing communications between the decoy control computer or the decoy bot computer and the hacker.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) servers, comprising:
at least one decoy bot computer in the victim cloud;
at least one decoy control computer operating among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud; and
a threat analyzer in communication with the at least one decoy control computer, the at least one decoy victim computer, and a sinkhole computer, wherein the threat analyzer (i) identifies threats by analyzing data from the sinkhole computer and data traffic communicated with the at least one decoy bot computer and the at least one decoy control computer for information suspected of having been sent from a victim computer from among the one or more victim computers, without proper authorization, and (ii) intercepts transmissions and removes data suspected of being stolen, from the data traffic, while maintaining ongoing communications between the at least one decoy control computer or the at least one decoy bot computer and a hacker that uses a control computer from among the one or more control computers, wherein the victim computer is connected to the sinkhole computer upon identifying the information as having been sent from the victim computer and modifying a lookup table in a DNS server from among the one or more DNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for the sinkhole computer.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.
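As an added illustration (not code from the patent or its assignee), the following Python models the two branches of claim 1 and the threat analyzer of claim 8: a suspected exfiltration from a real victim repoints the control host's DNS lookup entry to the sinkhole address, while the same data seen from a decoy bot or decoy control computer is scrubbed from the payload and the session is left running. The detection regex, host names and IP addresses are constructed placeholders, not values from the patent.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for "data suspected of being stolen": key=value pairs whose
# key names a credential. A real threat analyzer would carry far richer DLP rules.
SUSPECT_RE = re.compile(r"\b(password|passwd|token|ssn)=[^&\s]+", re.IGNORECASE)


@dataclass
class Event:
    src_host: str      # host that emitted the transmission
    src_role: str      # "victim", "decoy_bot" or "decoy_control"
    control_host: str  # DNS name of the control computer being contacted
    payload: str


@dataclass
class Outcome:
    action: str                 # "sinkhole", "strip" or "pass"
    payload: str                # payload forwarded onward (scrubbed for decoys)
    dns_changes: dict = field(default_factory=dict)  # host -> (old_ip, new_ip)


def suspected_stolen(payload: str) -> bool:
    """Threat-analyzer check: does this transmission carry suspect data?"""
    return SUSPECT_RE.search(payload) is not None


def handle_event(ev: Event, dns_table: dict, sinkhole_ip: str) -> Outcome:
    """Apply the claim's two branches to one observed transmission.

    dns_table is the (constructed) lookup table of the DNS/DDNS server,
    mapping control host names to the IP address they currently resolve to.
    """
    if not suspected_stolen(ev.payload):
        return Outcome("pass", ev.payload)
    if ev.src_role == "victim":
        # Branch 1: a real victim is sending suspect data to the hacker's control
        # host. Replace that host's IP with the sinkhole so the victim's next
        # lookup connects it to the sinkhole computer instead of the hacker.
        old_ip = dns_table.get(ev.control_host)
        dns_table[ev.control_host] = sinkhole_ip
        return Outcome("sinkhole", ev.payload,
                       {ev.control_host: (old_ip, sinkhole_ip)})
    # Branch 2: the data came from a decoy. Remove the suspect fields but keep
    # the transmission flowing so the hacker stays engaged with the decoy.
    cleaned = SUSPECT_RE.sub(lambda m: m.group(0).split("=")[0] + "=[removed]",
                             ev.payload)
    return Outcome("strip", cleaned)
```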