Predicting and preventing an attacker's next actions in a breached network

US 9,690,932 B2
Filed: 06/07/2016
Issued: 06/27/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A method for cyber security, comprising:

detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein access to the resources via network connections is governed by a firewall, wherein each resource has a domain name server (DNS) record stored on a DNS server, and wherein some of the resources are servers that are accessed via IP addresses;

changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to said detecting;

predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource;

changing, by the decoy management server, those credentials that were predicted to be compromised, in response to said predicting which credentials;

predicting, by the decoy management server, which servers in the network are compromised, based on connections created during the breach;

changing, by the decoy management server, IP addresses of the predicted compromised servers in response to said predicting which servers;

generating firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers;

predicting, by the decoy management server, a target subnet, based on real and decoy connections created during the breach; and

isolating, by the decoy management server, the target subnet in response to said predicting a target subnet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for cyber security, including detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server, changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting, predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource, and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting which credentials.

45 Citations

View as Search Results

9 Claims

1. A method for cyber security, comprising:
- detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein access to the resources via network connections is governed by a firewall, wherein each resource has a domain name server (DNS) record stored on a DNS server, and wherein some of the resources are servers that are accessed via IP addresses;
  
  changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to said detecting;
  
  predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource;
  
  changing, by the decoy management server, those credentials that were predicted to be compromised, in response to said predicting which credentials;
  
  predicting, by the decoy management server, which servers in the network are compromised, based on connections created during the breach;
  
  changing, by the decoy management server, IP addresses of the predicted compromised servers in response to said predicting which servers;
  
  generating firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers;
  
  predicting, by the decoy management server, a target subnet, based on real and decoy connections created during the breach; and
  
  isolating, by the decoy management server, the target subnet in response to said predicting a target subnet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein said changing the DNS record and said changing the predicted compromised credentials are performed automatically.
  - 3. The method of claim 1 wherein said changing the DNS record and said changing the predicted compromised credentials are performed semi-automatically whereby the decoy management server requests confirmation by an administrator of the network prior to changing the DNS record and the predicted compromised credentials.
  - 4. The method of claim 1 wherein said changing the DNS record and said changing the predicted compromised credentials are performed manually whereby the decoy management server recommends these changes to an administrator of the network, who then performs the changes manually.
  - 5. The method of claim 1 comprising:
    - predicting, by the decoy management server, data leakage paths from inside the network to outside the network, based on an open outbound connection during the breach; and
      
      creating, by the decoy management server, firewall rules to block that outbound connection in response to said predicting data leakage paths.
  - 6. The method of claim 1 comprising:
    - predicting, by the decoy management server, data leakage paths from inside the network to outside the network, based on an open outbound connection during the breach; and
      
      creating, by the decoy management server, firewall rules to re-direct that outbound connection to a resource within the network, in response to said predicting data leakage paths.

7. A method for cyber security, comprising:
- detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources, wherein access to the resources via network connections is governed by a firewall, wherein each resource has a domain name server (DNS) record stored on a DNS server, and wherein some of the resources are servers that are accessed via IP addresses;
  
  predicting, by the decoy management server, which resources of the network were exposed to the attacker, based on address pointers stored on the breached resource;
  
  generating firewall rules to block access to the predicted exposed resources from the breached resource, in response to said predicting which resources;
  
  predicting, by the decoy management server, which servers in the network are compromised, based on connections created during the breach;
  
  changing, by the decoy management server, IP addresses of the predicted compromised servers in response to said predicting which servers;
  
  predicting, by the decoy management server, a target subnet, based on real and decoy connections created during the breach; and
  
  isolating, by the decoy management server, the target subnet in response to said predicting a target subnet.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7 comprising:
    - predicting, by the decoy management server, data leakage paths from inside the network to outside the network, based on an open outbound connection during the breach; and
      
      creating, by the decoy management server, firewall rules to block that outbound connection in response to said predicting data leakage paths.
  - 9. The method of claim 7 comprising:
    - predicting, by the decoy management server, data leakage paths from inside the network to outside the network, based on an open outbound connection during the breach; and
      
      creating, by the decoy management server, firewall rules to re-direct that outbound connection to a resource within the network, in response to said predicting data leakage paths.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan, Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/175,054
Publication Number

US 20170149832A1
Time in Patent Office

385 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Predicting and preventing an attacker's next actions in a breached network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Predicting and preventing an attacker's next actions in a breached network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links