System and method for directing malicous activity to a monitoring system

US 9,609,019 B2
Filed: 11/20/2014
Issued: 03/28/2017
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

accessing, by a client device, a service on a first server system;

recording, by the client device in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service;

receiving, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system;

recording, by the client device, the second record in the memory device;

accessing, by the client device using a malicious code module one of accessing and executing on the client device, the second record;

accessing, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record;

monitoring, by the second server, activities of the malicious code module with respect to the second server; and

characterizing, by the second server system, the malicious code module according to the monitoring of the activities of the malicious code module;

wherein accessing, by the client device, the service on the first server system comprises authenticating the client device with the service on the first server system; and

wherein recording the first record in the memory device comprises receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and

wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system with the credentials and log entries on the client devices without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries to the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries is contained within the monitoring system and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems.

Citations

7 Claims

1. A method comprising:
- accessing, by a client device, a service on a first server system;
  
  recording, by the client device in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service;
  
  receiving, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system;
  
  recording, by the client device, the second record in the memory device;
  
  accessing, by the client device using a malicious code module one of accessing and executing on the client device, the second record;
  
  accessing, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record;
  
  monitoring, by the second server, activities of the malicious code module with respect to the second server; and
  
  characterizing, by the second server system, the malicious code module according to the monitoring of the activities of the malicious code module;
  
  wherein accessing, by the client device, the service on the first server system comprises authenticating the client device with the service on the first server system; and
  
  wherein recording the first record in the memory device comprises receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and
  
  wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein recording the first and second records comprises making entries in a same log file.
  - 3. The method of claim 1, wherein recording the first and second records comprises storing the first and second records in one of the same cache file and the same cache folder.
  - 4. The method of claim 1, wherein the engagement module and sinkhole module are executed within a single host operating system instance.
  - 5. The method of claim 1, further comprising:
    - detecting generation of traffic by the malicious module;
      
      identifying a service requested by the traffic; and
      
      instantiating a sinkhole module and provisioning the sinkhole module with the service in response to detecting generation of the traffic and identifying the service requested by the traffic.

6. A system comprising one or more processing devices and one or more memory devices operably coupled to the one or more processing devices, the one or more memory devices storing executable code effective to cause the one or more processors to:
- access, by a client device, a service on a first server system;
  
  record, by the client device, in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service;
  
  receive, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system;
  
  record, by the client device, the second record in the memory device;
  
  access, by the client device using a malicious code module one of accessing and executing on the client device, the second record;
  
  access, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record;
  
  monitor, by the second server, activities of the malicious code module with respect to the second server; and
  
  characterize, by the second server system, the malicious code module according to the monitoring of the activities of the malicious code module;
  
  wherein the executable code is further effective to cause the one or more processing devices to access, by the client device, the service on the first server system by authenticating the client device with the service on the first server system; and
  
  wherein the executable code is further effective to cause the one or more processing devices to record the first record in the memory device by receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and
  
  wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.

7. A non-transitory computer readable medium storing executable code effective to cause a processing device to:
- access, by a client device, a service on a first server system;
  
  record, by the client device, in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service;
  
  receive, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system;
  
  record, by the client device, the second record in the memory device;
  
  access, by the client device using a malicious code module one of accessing and executing on the client device, the second record;
  
  access, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record;
  
  monitor, by the second server, activities of the malicious code module with respect to the second server; and
  
  characterize, by the second server system, the malicious code module according to the monitoring of the activities of the malicious code module;
  
  wherein the executable code is further effective to cause the one or more processing devices to access, by the client device, the service on the first server system by authenticating the client device with the service on the first server system; and
  
  wherein the executable code is further effective to cause the one or more processing devices to record the first record in the memory device by receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and
  
  wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Buruganahalli, Shivakumar
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/549,112
Publication Number

US 20150326588A1
Time in Patent Office

859 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/142   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for directing malicous activity to a monitoring system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for directing malicous activity to a monitoring system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links