Method and system for detecting network compromise

US 9,356,942 B1
Filed: 03/04/2013
Issued: 05/31/2016
Est. Priority Date: 03/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) or Dynamic Domain Name System (DDNS) servers, comprising:

operating one or more decoy bot computers in the victim cloud;

operating one or more decoy control computers among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud;

identifying threats by analyzing data traffic communicated with the one or more victim computers, the one or more decoy bot computers and the one or more decoy control computers; and

upon identifying information suspected of being stolen by a hacker,if the identified information was identified from a victim computer from among the one or more victim computers in communication with a control computer used by the hacker, modifying a lookup table in a DNS or DDNS server from among the one or more DNS or DDNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for a sinkhole computer for connecting the victim computer to the sinkhole computer; and

if the identified information was identified from a decoy bot computer from among the one or more decoy bot computers or a decoy control computer from among the one or more decoy control computers, intercepting a transmission and removing data suspected of being stolen from the data traffic while maintaining ongoing communications between the decoy control computer or the decoy bot computer and the hacker.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are described for detecting unauthorized access to one or more of a plurality of networked victim computers in a victim cloud. The networked victim computers connect to one or more DNS servers. The system includes one or more decoy bot computers, which are operated as victim computers in the victim cloud. The system also includes one or more decoy control computers, which are operated as control computers that communicate with victim computers in the victim cloud. Threats are identified by analyzing data traffic communicated with the decoy bot computers and decoy control computers for information suspected of having being sent from a victim'"'"'s computer without proper authorization, and by monitoring whether behavior of a DNS server deviates from expected behaviors.

Citations

16 Claims

1. A method for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) or Dynamic Domain Name System (DDNS) servers, comprising:
- operating one or more decoy bot computers in the victim cloud;
  
  operating one or more decoy control computers among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud;
  
  identifying threats by analyzing data traffic communicated with the one or more victim computers, the one or more decoy bot computers and the one or more decoy control computers; and
  
  upon identifying information suspected of being stolen by a hacker,if the identified information was identified from a victim computer from among the one or more victim computers in communication with a control computer used by the hacker, modifying a lookup table in a DNS or DDNS server from among the one or more DNS or DDNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for a sinkhole computer for connecting the victim computer to the sinkhole computer; and
  
  if the identified information was identified from a decoy bot computer from among the one or more decoy bot computers or a decoy control computer from among the one or more decoy control computers, intercepting a transmission and removing data suspected of being stolen from the data traffic while maintaining ongoing communications between the decoy control computer or the decoy bot computer and the hacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - terminating the control computer upon identifying information transmitted by the control computer that is suspected of having being sent from the victim computer to a hacker.
  - 3. The method of claim 2, further comprising:
    - upon terminating the control computer through which the victim computer was communicating with a suspected hacker, connecting the victim computer to a sinkhole;
      
      subjecting traffic routed through the sinkhole to packet inspection; and
      
      correlating results of the packet inspection with threat data obtained from other sources to analyze the likelihood that the victim computer has been compromised.
  - 4. The method of claim 1, further comprising:
    - terminating a DNS server in communication with the control computer upon identifying information transmitted by the control computer that is suspected of having being sent from the victim computer to a hacker.
  - 5. The method of claim 4, wherein when DNS servers are terminated, monitoring a request rate for a next domain name or subdomain name by a control computer to determine whether the control computer is suspicious.
  - 6. The method of claim 1, wherein a plurality of victim computers in the victim cloud operate within a corporate network that includes an internal threat monitor,and wherein the step of identifying threats additionally comprises analyzing threat data communicated by the internal threat monitor.
  - 7. The method of claim 6, wherein a plurality of corporate networks that include internal threat monitors are included in the victim cloud,and wherein the step of identifying threats additionally comprises analyzing threat data communicated by the internal threat monitors.

8. A system for detecting an attack on a network of victim computers in a victim cloud that connect to one or more Domain Name System (DNS) servers, comprising:
- at least one decoy bot computer in the victim cloud;
  
  at least one decoy control computer operating among one or more control computers that communicates with one or more victim computers and decoy bot computers in the victim cloud; and
  
  a threat analyzer in communication with the at least one decoy control computer, the at least one decoy victim computer, and a sinkhole computer,wherein the threat analyzer (i) identifies threats by analyzing data from the sinkhole computer and data traffic communicated with the at least one decoy bot computer and the at least one decoy control computer for information suspected of having been sent from a victim computer from among the one or more victim computers, without proper authorization, and (ii) intercepts transmissions and removes data suspected of being stolen, from the data traffic, while maintaining ongoing communications between the at least one decoy control computer or the at least one decoy bot computer and a hacker that uses a control computer from among the one or more control computers, wherein the victim computer is connected to the sinkhole computer upon identifying the information as having been sent from the victim computer and modifying a lookup table in a DNS server from among the one or more DNS servers to replace an Internet Protocol (IP) address for the control computer with an Internet Protocol (IP) address for the sinkhole computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The system of claim 8, wherein the threat analyzer is additionally in communication with at least one DNS server and monitors whether behavior of the DNS server deviates from expected behaviors.
  - 10. The system of claim 8, wherein the threat analyzer terminates the at least one decoy control computer upon identifying information transmitted by the at least one decoy control computer that is suspected of having being sent from the victim computer to a hacker.
  - 11. The system of claim 10,wherein a victim computer is connected to the sinkhole upon terminating the control computer through which the victim computer was communicating with a suspected hacker.
  - 12. The system of claim 8, wherein the threat analyzer terminates a DNS server in communication with a control computer is upon identifying information transmitted by the control computer that is suspected of having being sent from the victim computer to a hacker.
  - 13. The system of claim 8, wherein a plurality of victim computers in the victim cloud operate within a corporate network that includes an internal threat monitor, and the threat analyzer analyzes threat data communicated by the internal threat monitor.
  - 14. The system of claim 13, wherein a plurality of corporate networks that include internal threat monitors are included in the victim cloud, and the threat analyzer identifies threat data communicated by the internal threat monitors.
  - 15. The system of claim 8, wherein the threat analyzer further includes a correlation engine.
  - 16. The system of claim 8, further comprising a report generator that notifies owners of victim computers upon determination by the threat analyzer that an intrusion potentially has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vercara LLC
Original Assignee
Neustar Incorporated
Inventors
Joffe, Rodney L.
Primary Examiner(s)
Jhaveri, Jayesh

Application Number

US13/784,710
Time in Patent Office

1,184 Days
Field of Search

726 22- 25, 726/27
US Class Current

1/1
CPC Class Codes

G06F 12/00   Accessing, addressing or al...

G06F 12/14   Protection against unauthor...

G06F 21/00   Security arrangements for p...

H04L 2463/144   Detection or countermeasure...

H04L 43/10   Active monitoring, e.g. hea...

H04L 61/4511   using domain name system [DNS]

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04W 12/00   Security arrangements; Auth...

Method and system for detecting network compromise

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting network compromise

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links