Techniques for detecting advanced security threats

US 9,418,222 B1
Filed: 09/27/2013
Issued: 08/16/2016
Est. Priority Date: 09/27/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a security threat comprising:

receiving resource information from a backend server via a network indicating a defined resource to be generated on a plurality of clients, wherein the defined resource to be generated is specified by the backend server based on at least one computing resource characteristic and at least one known usage of at least a first client of the plurality of clients, and wherein the first client is separate from the backend server and associated with a known threat;

generating the defined resource at the plurality of clients respectively based on the received resource information, wherein the defined resource is a decoy resource different from the received resource information and monitored differently from other client resources;

implementing the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented decoy resource simulates on the respective client one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;

monitoring system behavior of the respective client having the decoy resource implemented thereon;

determining by the respective client whether a security event involving the implemented decoy resource has occurred based on the monitored system behavior of the respective client including the at least one computing characteristic and the at least one known usage of at least the first client; and

generating a report at the respective client including detailed information regarding the security event and the monitored system behavior of the respective client when it has been determined that the security event has occurred and sending the report to the backend server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting advanced security threats are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting a security threat including generating a resource at a client, implementing the resource on the client, monitoring system behavior of the client having the resource implemented thereon, determining whether a security event involving the implemented resource has occurred based on the monitored system behavior, and generating a report when it has been determined that the security event has occurred.

150 Citations

20 Claims

1. A method for detecting a security threat comprising:
- receiving resource information from a backend server via a network indicating a defined resource to be generated on a plurality of clients, wherein the defined resource to be generated is specified by the backend server based on at least one computing resource characteristic and at least one known usage of at least a first client of the plurality of clients, and wherein the first client is separate from the backend server and associated with a known threat;
  
  generating the defined resource at the plurality of clients respectively based on the received resource information, wherein the defined resource is a decoy resource different from the received resource information and monitored differently from other client resources;
  
  implementing the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented decoy resource simulates on the respective client one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;
  
  monitoring system behavior of the respective client having the decoy resource implemented thereon;
  
  determining by the respective client whether a security event involving the implemented decoy resource has occurred based on the monitored system behavior of the respective client including the at least one computing characteristic and the at least one known usage of at least the first client; and
  
  generating a report at the respective client including detailed information regarding the security event and the monitored system behavior of the respective client when it has been determined that the security event has occurred and sending the report to the backend server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the decoy resource is automatically generated upon receipt of the resource information from the backend server.
  - 3. The method of claim 1, wherein the resource information received from the backend server is included in a policy update.
  - 4. The method of claim 1, wherein the decoy resource is defined in accordance with a classification of at least the first client.
  - 5. The method of claim 1, wherein the system behavior is monitored in accordance with a monitoring policy.
  - 6. The method of claim 5, wherein the implemented decoy resource is monitored at a level higher than the other client resources based on the monitoring policy.
  - 7. The method of claim 1, wherein the monitoring of the implemented decoy resource is defined by the backend server.
  - 8. The method of claim 1, further comprising:
    - transmitting the report to the backend server, wherein the report includes the detailed information regarding the security event and additional client behavior information, and wherein the security event is an attempted access of the implemented decoy resource.
  - 9. The method of claim 1, further comprising:
    - creating a virtualized environment on each of the plurality of clients, wherein the decoy resource is implemented in the respective virtualized environment on each of the plurality of clients, respectively.
  - 10. The method of claim 1, wherein the respective client simulates a server and the decoy resource is one of an open port, an SQL Server administrator console, and an application directory.
  - 11. The method of claim 1, wherein the respective client simulates a desktop computer and the decoy resource is one of a remote login, a word-processing document, a cookie, a favorite, and a shortcut.
  - 12. At least one non-transitory processor readable storage medium storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the method as recited in claim 1.

13. A method for detecting a security threat comprising:
- generating, at a backend server, resource information specifying a defined resource based on at least one computing resource characteristic and at least one known usage of at least a first client of a plurality of clients, and wherein the first client is separate from the backend server and associated with a known threat;
  
  transmitting the resource information from the backend server to the plurality of clients via a network;
  
  generating the defined resource at the plurality of clients respectively based on the resource information received at the respective plurality of clients, wherein the defined resource is a decoy resource different from the resource information and monitored differently from other resources;
  
  implementing the decoy resource automatically on each respective client of the plurality of clients based on the generated resource information, wherein the implemented decoy resource simulates one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;
  
  determining whether a report has been received from one of the plurality of clients indicating that a security event involving the decoy resource implemented at the one of the plurality of clients has occurred;
  
  analyzing the received report; and
  
  determining an appropriate action to be performed based on the report analysis.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein the report indicates a type of the security event and at least one of an application, process, and user responsible for causing the security event.
  - 15. The method of claim 13, wherein the appropriate action is determined based on additional reports received from at least two of the plurality of clients having the decoy resource implemented thereon.
  - 16. The method of claim 13, wherein the appropriate action is determined based on a predetermined reputation of an application that caused the security event.
  - 17. The method of claim 13, wherein the appropriate action includes at least one of quarantining an application that caused the security event, generating a rule for the application, and adjusting a reputation of the application.
  - 18. The method of claim 13, further comprising:
    - transmitting information indicating the appropriate action to the one of the plurality of clients.
  - 19. At least one non-transitory processor readable storage medium storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the method as recited in claim 13.

20. A system for detecting a security threat comprising:
- a backend server comprising one or more first computer processors communicatively coupled to a network; and
  
  a plurality of clients each comprising one or more second computer processors and a memory communicatively coupled to the network, wherein the plurality of clients are separate from the backend server and associated with a known threat,wherein the one or more first computer processors are configured to;
  
  transmit resource information from the backend server to the plurality of clients via the network indicating a defined resource to be generated on the plurality of clients respectively, wherein the defined resource to be generated is based on at least one computing resource characteristic and at least one known usage of at least a first client of the plurality of clients; and
  
  wherein the one or more second computer processors are configured to;
  
  generate the defined resource at the plurality of clients respectively based on the resource information, wherein the defined resource is a decoy resource different from the resource information and monitored differently from other resources;
  
  implement the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented decoy resource simulates one of a physical computing resource of at least the first client and a virtualized computing resource available of at least the first client to applications executing on at least the first client;
  
  monitor system behavior of the respective client having the decoy resource implemented thereon;
  
  determine by the respective client whether a security event involving the implemented decoy resource has occurred based on the monitored system behavior of the respective client including the at least one computing characteristic and the at least one known usage of at least the first client; and
  
  generate a report at the respective client including detailed information regarding the security event and the associated system behavior of the respective client when it has been determined that the security event has occurred and sending the report to the backend server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Rivera, Shireen, Ashley, Peter
Primary Examiner(s)
Zhao, Don

Application Number

US14/039,985
Time in Patent Office

1,054 Days
Field of Search

726/2, 726/22, 726/23, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Techniques for detecting advanced security threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for detecting advanced security threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links