Managing dynamic deceptive environments

US 9,553,886 B2
Filed: 06/07/2016
Issued: 01/24/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A deception management system (DMS) to detect attackers within a dynamically changing network of computer resources, comprising:

a deployment governor dynamically designating deception policies, each deception policy comprising one or more decoy attack vectors, one or more computer resources of the network in which the one or more decoy attack vectors are generated, and a schedule for generating the one or more decoy attack vectors in the one or more resources, wherein an attack vector is an object in a first resource of the network that has a potential to be used by an attacker to access or discover a second resource of the network, and wherein the network of resources is dynamically changing;

a deception adaptor dynamically extracting characteristics of the network;

a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by said deception adaptor, and enabling an administrator of the network to set levels of deception diversity across resources in the network; and

a deception deployer dynamically generating one or more decoy attack vectors in the one or more resources in the network, in accordance with the current deception policy and in accordance with the levels of diversity set by the administrator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A deception management system to detect attackers within a dynamically changing network, including a deployment governor dynamically designating a deception policy that includes one or more decoy attack vectors, one or more resources of the network in which the decoy attack vectors are generated, and a schedule for generating the decoy attack vectors in the resources, wherein an attack vector is an object in a first resource that may be used by an attacker to access or discover a second resource, and wherein the network of resources is dynamically changing, a deception deployer dynamically generating decoy attack vectors on resources in the network, in accordance with the current deception policy, a deception adaptor dynamically extracting characteristics of the network, and a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by the deception adaptor.

66 Citations

View as Search Results

14 Claims

1. A deception management system (DMS) to detect attackers within a dynamically changing network of computer resources, comprising:
- a deployment governor dynamically designating deception policies, each deception policy comprising one or more decoy attack vectors, one or more computer resources of the network in which the one or more decoy attack vectors are generated, and a schedule for generating the one or more decoy attack vectors in the one or more resources, wherein an attack vector is an object in a first resource of the network that has a potential to be used by an attacker to access or discover a second resource of the network, and wherein the network of resources is dynamically changing;
  
  a deception adaptor dynamically extracting characteristics of the network;
  
  a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by said deception adaptor, and enabling an administrator of the network to set levels of deception diversity across resources in the network; and
  
  a deception deployer dynamically generating one or more decoy attack vectors in the one or more resources in the network, in accordance with the current deception policy and in accordance with the levels of diversity set by the administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The DMS of claim 1 further comprising a deployment monitor collecting information about a current deployment of decoys across the network, and presenting this information to the administrator in an interactive way whereby the administrator is able to interactively change a deployment policy via said deployment governor.
  - 3. The DMS of claim 1 wherein the characteristics of the network extracted by said deception adaptor comprise at least one member of:
    - management tools, asset management, configuration management, user management, device management, installed applications, tools and data.
  - 4. The DMS of claim 1 wherein the network comprises one or more decoy servers accessible from the one or more resources in the network via the one or more of the decoy attack vectors generated in the resources by said deception deployer.
  - 5. The DMS of claim 1, wherein the one or more decoy attack vectors include at least one member of:
    - a username and a password,an RDP (Remote Desktop Protocol) username and a password,a username and an authentication ticket,an FTP (File Transfer Protocol) server address and a username and a password,a database server address and a username and a password,an SSH (Secure Shell) server address and a username and a password, anda web browser URL (Uniform Resource Location).
  - 6. The DMS of claim 1, wherein said deception diversifier analyzes the network based on information said diversifier receives from one or more of the following network resource management and administration modules:
    - directory access, user management, asset management, configuration management, resource management, device management, storage management, application management, and file management.
  - 7. The DMS of claim 1, further comprising an attack risk inspector inspecting the network to find real attack vectors that exist in the network and that have a potential to be used by the attacker, and wherein said deployment governor designates deception policies having the one or more decoy attack vectors that resemble the real attack vectors found by said attack risk inspector.

8. A method for detecting attackers within a dynamically changing network of computer resources, comprising:
- repeatedly designating a current deception policy that comprises one or more decoy attack vectors, one or more computer resources of the network in which the one or more decoy attack vectors are generated, and a schedule for generating the one or more decoy attack vectors in the one or more resources, wherein an attack vector is an object in a first resource of the network that has a potential to be used by an attacker to access or discover a second resource of the network, and wherein the network of resources is dynamically changing, comprising specifying levels of deception diversity across resources in the network, the levels being set by an administrator of the network;
  
  repeatedly generating one or more decoy attack vectors in one or more resources in the network, in accordance with the current deception policy and in accordance with the specified levels of deception diversity;
  
  repeatedly extracting characteristics of the network; and
  
  repeatedly triggering changes in the deception policy based on changes in the network as detected from the thus-extracted network characteristics.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising:
    - collecting information about a current deployment of decoys across the network; and
      
      interactively presenting the collected information to the administrator,wherein said repeatedly designating comprises changing a deployment policy in response to changes made by the administrator to the presented information.
  - 10. The method of claim 8 wherein said repeatedly generating one or more decoy attack vectors further comprises:
    - identifying the one or more decoy attack vectors that were removed from the one or more resources or that are improperly deployed; and
      
      regenerating the identified the one or more decoy attack vectors on those the one or more resources.
  - 11. The method of claim 10 wherein said identifying the one or more decoy attack vectors identifies the one or more decoy attack vectors that were removed upon machine re-boot.
  - 12. The method of claim 8, wherein the attack vectors include at least one member of (i) a username and a password, (ii) an RDP (Remote Desktop Protocol) username and a password, (iii) a username and an authentication ticket, (iv) an FTP (File Transfer Protocol) server address, a username and a password, (v) a database server address, a username and a password, and (vi) an SSH (Secure Shell) server address, a username and a password.
  - 13. The method of claim 8, wherein said repeatedly extracting extracts characteristics of the network based on information received from one or more of the following network resource management and administration modules:
    - directory access, user management, asset management, configuration management, resource management, device management, storage management, application management, and file management.
  - 14. The method of claim 8 further comprising inspecting the network to find real attack vectors that exist in the network and that have a potential to be used by the attacker, and wherein said repeatedly designating the current deception policy further designates the current deception policy having decoy attack vectors that resemble the real attack vectors found by said inspecting.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/175,048
Publication Number

US 20160359882A1
Time in Patent Office

231 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Managing dynamic deceptive environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Managing dynamic deceptive environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links