Methods, systems, and media for baiting inside attackers

US 9,501,639 B2
Filed: 03/09/2015
Issued: 11/22/2016
Est. Priority Date: 06/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for providing trap-based defenses, the method comprising:

generating, using a computing device, a plurality of decoy items from user-selected data items that are selected from data items stored in a computing environment, wherein a decoy item includes at least a portion of a data item and a beacon and wherein code embedded within the beacon causes a signal that includes identifying information associated with an attacker computing device to be transmitted to a remote server in response to detecting unauthorized access of the decoy item by the attacker computing device;

placing the plurality of decoy items into the computing environment, wherein the code embedded within the beacon is executed;

receiving an indication from the remote server relating to the unauthorized access of the decoy item by the attacker computing device, wherein the code embedded within the beacon of the decoy item causes the signal that included the identifying information associated with the attacker computing device to be transmitted to the remote server in response to detecting access of the decoy item;

in response to receiving the indication of the unauthorized access of the decoy item by the attacker computing device, determining the data item of the data items stored in the computing environment that corresponds to the decoy item that was accessed; and

transmitting a notification to a user of the computing device that the decoy item was accessed, wherein the notification includes the identifying information associated with the attacker computing device and the data item corresponding to the decoy item that was accessed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

106 Citations

View as Search Results

12 Claims

1. A method for providing trap-based defenses, the method comprising:
- generating, using a computing device, a plurality of decoy items from user-selected data items that are selected from data items stored in a computing environment, wherein a decoy item includes at least a portion of a data item and a beacon and wherein code embedded within the beacon causes a signal that includes identifying information associated with an attacker computing device to be transmitted to a remote server in response to detecting unauthorized access of the decoy item by the attacker computing device;
  
  placing the plurality of decoy items into the computing environment, wherein the code embedded within the beacon is executed;
  
  receiving an indication from the remote server relating to the unauthorized access of the decoy item by the attacker computing device, wherein the code embedded within the beacon of the decoy item causes the signal that included the identifying information associated with the attacker computing device to be transmitted to the remote server in response to detecting access of the decoy item;
  
  in response to receiving the indication of the unauthorized access of the decoy item by the attacker computing device, determining the data item of the data items stored in the computing environment that corresponds to the decoy item that was accessed; and
  
  transmitting a notification to a user of the computing device that the decoy item was accessed, wherein the notification includes the identifying information associated with the attacker computing device and the data item corresponding to the decoy item that was accessed.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - receiving access to the data items stored in the computing environment; and
      
      selecting a subset of the data items to generate the plurality of decoy items.
  - 3. The method of claim 1, wherein the beacon provides an indication that differentiates the decoy item from the data item.
  - 4. The method of claim 1, further comprising tracing the attacker computing device that accessed the decoy item in response to receiving the indication.

5. A system for providing trap-based defenses, the system comprising:
- a computing device that;
  
  generates a plurality of decoy items from user-selected data items that are selected from data items stored in a computing environment, wherein a decoy item includes at least a portion of a data item and a beacon and wherein code embedded within the beacon causes a signal that includes identifying information associated with an attacker computing device to be transmitted to a remote server in response to detecting unauthorized access of the decoy item by the attacker computing device;
  
  places the plurality of decoy items into the computing environment, wherein the code embedded within the beacon is executed;
  
  receives an indication from the remote server relating to the unauthorized access of the decoy item by the attacker computing device, wherein the code embedded within the beacon of the decoy item caused the signal that included the identifying information associated with the attacker computing device to be transmitted to the remote server in response to detecting access of the decoy item;
  
  in response to receiving the indication of the unauthorized access of the decoy item by the attacker computing device, determines the data item of the data items stored in the computing environment that corresponds to the decoy item that was accessed; and
  
  transmits a notification to a user of the computing device that the decoy item was accessed, wherein the notification includes the identifying information associated with the attacker computing device and the data item corresponding to the decoy item that was accessed.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein the hardware processor is further configured to:
    - receive access to the data items stored in the computing environment; and
      
      select a subset of the data items to generate the plurality of decoy items.
  - 7. The system of claim 5, wherein the beacon provides an indication that differentiates the decoy item from the data item.
  - 8. The system of claim 5, wherein the hardware processor is further configured to trace the attacker computing device that accessed the decoy item in response to receiving the indication.

9. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a hardware processor, cause the hardware processor to perform a method for providing trap-based defenses, the method comprising:
- generating a plurality of decoy items from user-selected data items that are selected from data items stored in a computing environment, wherein a decoy item includes at least a portion of a data item and a beacon and wherein code embedded within the beacon causes a signal that includes identifying information associated with an attacker computing device to be transmitted to a remote server in response to detecting unauthorized access of the decoy item by the attacker computing device;
  
  placing the plurality of decoy items into the computing environment, wherein the code embedded within the beacon is executed;
  
  receiving an indication from the remote server relating to the unauthorized access of the decoy item by the attacker computing device, wherein the code embedded within the beacon of the decoy item causes the signal that included the identifying information associated with the attacker computing device to be transmitted to the remote server in response to detecting access of the decoy item;
  
  in response to receiving the indication of the unauthorized access of the decoy item by the attacker computing device, determining the data item of the data items stored in the computing environment that corresponds to the decoy item that was accessed; and
  
  transmitting a notification to a user of the computing device that the decoy item was accessed, wherein the notification includes the identifying information associated with the attacker computing device and the data item corresponding to the decoy item that was accessed.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable medium of claim 9, wherein the method further comprises:
    - receiving access to the data items stored in the computing environment; and
      
      selecting a subset of the data items to generate the plurality of decoy items.
  - 11. The non-transitory computer-readable medium of claim 9, wherein the beacon provides an indication that differentiates the decoy item from the data item.
  - 12. The non-transitory computer-readable medium of claim 9, wherein the method further comprises tracing the attacker computing device that accessed the decoy item in response to receiving the indication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Keromytis, Angelos D., Bowen, Brian M., Hershkop, Shlomo, Kemerlis, Vasileios P., Prabhu, Pratap V., Ben Salem, Malek
Primary Examiner(s)
SHAW, PETER C

Application Number

US14/642,401
Publication Number

US 20160012222A1
Time in Patent Office

624 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2123   Dummy operation

H04L 63/1466   Active attacks involving in...

Methods, systems, and media for baiting inside attackers

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and media for baiting inside attackers

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links