System and method for cyber threats detection

US 9,516,054 B2
Filed: 04/14/2014
Issued: 12/06/2016
Est. Priority Date: 04/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a cyber threat, the method comprising:

automatically discovering real resources on a network, wherein the real resources provide services and wherein the real resources include at least one of;

a device and a server;

faking at least one real resource discovered on the network wherein faking a resource includes advertising at least one service provided by the faked resource;

detecting an interaction of a malware applications with the faked resource;

capturing code of the malware applications and storing the code on the faked resource;

uploading the code to a server;

analyzing the code, by the server, to produce an analysis result;

determining, for each of the plurality of payloads, a severity score based on the analysis result;

providing a report based on the scores; and

performing at least one action based on the analysis result.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting a cyber-threat according to embodiments of the present invention comprise automatically discovering resources on a network, by a resource detection unit, emulating, by a faked asset creation unit, at least one resource discovered on the network, associating a malware trap sensor with the emulated resource and detecting by the malware trap sensor, a malware related to the emulated resource. The system and method may further comprise uploading data related to the detected malware to a server, analyzing, by the server, uploaded data to produce an analysis result and perform one or more actions based on the analysis result.

Citations

18 Claims

1. A method of detecting a cyber threat, the method comprising:
- automatically discovering real resources on a network, wherein the real resources provide services and wherein the real resources include at least one of;
  
  a device and a server;
  
  faking at least one real resource discovered on the network wherein faking a resource includes advertising at least one service provided by the faked resource;
  
  detecting an interaction of a malware applications with the faked resource;
  
  capturing code of the malware applications and storing the code on the faked resource;
  
  uploading the code to a server;
  
  analyzing the code, by the server, to produce an analysis result;
  
  determining, for each of the plurality of payloads, a severity score based on the analysis result;
  
  providing a report based on the scores; and
  
  performing at least one action based on the analysis result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, comprising analyzing network traffic related to the faked resource to detect an interaction of a malware application with the faked resource.
  - 3. The method of claim 1, wherein automatically discovering resources on the network is performed by one of:
    - a virtual machine and a hardware appliance.
  - 4. The method of claim 1, comprising automatically determining a type of the network and faking at least one resource based on the type.
  - 5. The method of claim 1, wherein faking at least one resource includes running a faked service at an operating system kernel level and wherein detecting an interaction of a malware application with the faked resource includes detecting an interaction with the service.
  - 6. The method of claim 1, comprising faking a system and monitoring network traffic from the faked system to detect data sent by malware.
  - 7. The method of claim 1, comprising:
    - receiving, by a management unit, from one or more malware traps, data and events related to malware applications;
      
      analyzing the code of the malware applications to produce an analysis result;
      
      determining, for each of the malware applications, a severity score based on the analysis result; and
      
      providing a report based on the scores.
  - 8. The method of claim 1, wherein detecting a malware application related to the faked resource, uploading data related to the detected malware application, analyzing the uploaded data and performing an action based on the analysis are performed in real-time.
  - 9. The method of claim 1, comprising storing faked files on a faked resource and detecting an access to the faked files.
  - 10. The method of claim 1, comprising:
    - faking a system;
      
      detecting a login into the faked system;
      
      collecting data related to the login and to an entity related to the login;
      
      sending collected data for analysis by the server; and
      
      performing an action based on the analysis.
  - 11. The method of claim 1, wherein faked resources are created based on user input.
  - 12. The method of claim 7, wherein a severity score is set based on user input.

13. A system for cyber threats detection comprising:
- a server comprising a management unit;
  
  a client network;
  
  an external network; and
  
  a computer comprising a user interface unit;
  
  wherein said client network comprises;
  
  a resource detection unit configured to automatically discover real assets on a network, wherein the real assets provide services and wherein the real assets include at least one of;
  
  a device and a server;
  
  an asset inventory;
  
  a faked assets creation unit configured to fake at least one real asset discovered on the network wherein faking an asset includes advertising at least one service provided by the faked asset;
  
  a plurality of faked assets; and
  
  a malware trap sensor configured to;
  
  detect an interaction of malware applications with a faked asset, and capture code of the malware applications and upload the code to the server;
  
  wherein the server is adapted to analyze the code to produce an analysis result;
  
  determining, for each of the plurality of payloads, a severity score based on the analysis result;
  
  providing a report based on the scores; and
  
  perform at least one action based on the analysis result.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system according to claim 13 wherein said resource detection unit is adapted to maintain and update said asset inventory.
  - 15. The system according to claim 13 wherein said faked assets comprise a malware trap.
  - 16. The system according to claim 13 wherein said resource detection unit includes at least a processor and a memory.
  - 17. The system according to claim 13 wherein said resource detection unit is adapted to automatically discover and identify real resources or real assets on said client network.
  - 18. The system according to claim 13 wherein said faked assets creation unit is adapted to create said faked assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
Trap Data Security Ltd. (CommVault Systems Incorporated)
Inventors
Malachi, Yuval
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/251,982
Publication Number

US 20150295943A1
Time in Patent Office

967 Days
Field of Search

726/24, 726/23, 726/25, 713/188
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for cyber threats detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for cyber threats detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links