Method and system for protection against information stealing software

US 9,495,539 B2
Filed: 04/16/2015
Issued: 11/15/2016
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring an electronic device to detect infection by unwanted software, the method comprising:

receiving parameters and inserting the parameters into artificial sensitive information using a software agent running on the electronic device, wherein the parameters include identifying information for the electronic device;

performing, using the software agent running on the electronic device, a login session using the artificial sensitive information; and

monitoring, at a computer hardware network gateway, network transmissions of the electronic device unrelated to the login session to detect a transmission of the artificial sensitive information to another electronic device based on a comparison of information included in a network transmission to the artificial sensitive information to determine the existence of unwanted software on the electronic device based on the information identifying the electronic device being included in the transmission of the artificial sensitive information.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.

221 Citations

17 Claims

1. A method for monitoring an electronic device to detect infection by unwanted software, the method comprising:
- receiving parameters and inserting the parameters into artificial sensitive information using a software agent running on the electronic device, wherein the parameters include identifying information for the electronic device;
  
  performing, using the software agent running on the electronic device, a login session using the artificial sensitive information; and
  
  monitoring, at a computer hardware network gateway, network transmissions of the electronic device unrelated to the login session to detect a transmission of the artificial sensitive information to another electronic device based on a comparison of information included in a network transmission to the artificial sensitive information to determine the existence of unwanted software on the electronic device based on the information identifying the electronic device being included in the transmission of the artificial sensitive information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising installing the software agent on the electronic device.
  - 3. The method of claim 1, further comprising performing, using the software agent, the login session by emulating keystrokes on the electronic device.
  - 4. The method of claim 3, further comprising emulating the keystrokes, using the software agent, at a variable rate.
  - 5. The method of claim 1, further comprising:
    - detecting encrypted electronic output of the electronic device within the network transmissions of the electronic device;
      
      correlating an amount of the encrypted electronic output with one or more properties of the artificial sensitive information; and
      
      determining that the network transmissions of the electronic device include the transmission of the artificial sensitive information based on the correlating.
  - 6. The method of claim 5, further comprising detecting the encrypted electronic output based on an entropy of the network transmissions of the electronic device.
  - 7. The method of claim 1, wherein the electronic output is analyzed by correlating the output with the artificial sensitive information.
  - 8. The method of claim 1, further comprising:
    - storing information about the artificial sensitive information in a database; and
      
      comparing information from a user with the information in the database in order to determine if the electronic device that transmitted the artificial sensitive information contains unwanted software.
  - 9. The method of claim 1, wherein the software agent performs the login session on a target site, the method further comprising:
    - configuring the artificial sensitive information to identify the electronic device; and
      
      monitoring the target site for detection of the artificial sensitive information to determine the existence of unwanted software on the electronic device.

10. A system for monitoring an electronic device to detect infection by unwanted software, the system comprising:
- a software agent installed on the electronic device and configured to;
  
  receive parameters and insert the parameters into artificial sensitive information, wherein the parameters include identifying information for the electronic device, andperform a login session using the artificial sensitive information; and
  
  a computer hardware network gateway configured to monitor network transmissions of the electronic device unrelated to the login session that include a transmission of the artificial sensitive information over a network to another electronic device to determine the existence of unwanted software on the electronic device based on the information identifying the electronic device being included in the transmission of the artificial sensitive information.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, further comprising a management unit configured to install the software agent on the electronic device.
  - 12. The system of claim 10, wherein the software agent is configured to perform the login session by emulating keystrokes on the electronic device.
  - 13. The system of claim 12, wherein the software agent is further configured to emulate the keystrokes at a variable rate.
  - 14. The system of claim 10, wherein the computer hardware network gateway is further configured to:
    - detect encrypted electronic output of the electronic device within the network transmissions of the electronic device;
      
      correlate an amount of the encrypted electronic output with one or more properties of the artificial sensitive information; and
      
      determine that the network transmissions of the electronic device include the transmission of the artificial sensitive information based on the correlating.
  - 15. The system of claim 10, wherein the computer hardware network gateway is further configured to detect the encrypted electronic output based on an entropy of the network transmissions of the electronic device.
  - 16. The system of claim 10, wherein the computer hardware network gateway is further configured to store information about the artificial sensitive information in a database, and to compare information from a user with the information in the database in order to determine if the electronic device that transmitted the artificial sensitive information contains unwanted software.
  - 17. The system of claim 10, wherein the software agent is configured to perform the login session on a target site, and the computer hardware network gateway is configured to monitor the target site for detection of the artificial sensitive information to determine the existence of unwanted software on the electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Websense, Llc (Forcepoint LLC)
Inventors
Troyansky, Lidror, Bruckner, Sharon, Hubbard, Daniel Lyle
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/688,944
Publication Number

US 20150220732A1
Time in Patent Office

579 Days
Field of Search

726/25, 726/1, 726/22, 726/23, 726/24, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Method and system for protection against information stealing software

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

221 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protection against information stealing software

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

221 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links