Managing dynamic deceptive environments

US 9,742,805 B2
Filed: 01/15/2017
Issued: 08/22/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A deception management system (DMS) to detect attackers within a network of computer resources, comprising:

a deception deployer planting one or more decoy attack vectors in memory or storage of one or more real resources in the network, an attack vector, of the one or more decoy attack vectors, being an object in a real resource of the network that has a potential to lead an attacker to access or discover a decoy resource of the network;

a deception adaptor self-triggering modification of activity logs of login access and data editing for one or more decoy resources, the one or more decoy resources appearing to the attacker as being active in the network; and

an access governor authorizing access to resources in the network, and issuing a notification upon recognizing an attempt to access one or more of the decoy resources of the network via one or more of the decoy attack vectors planted by said deception deployer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool auto-learning the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in the one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has a potential to lead an attacker to access or discover a second resource of the network.

100 Citations

View as Search Results

12 Claims

1. A deception management system (DMS) to detect attackers within a network of computer resources, comprising:
- a deception deployer planting one or more decoy attack vectors in memory or storage of one or more real resources in the network, an attack vector, of the one or more decoy attack vectors, being an object in a real resource of the network that has a potential to lead an attacker to access or discover a decoy resource of the network;
  
  a deception adaptor self-triggering modification of activity logs of login access and data editing for one or more decoy resources, the one or more decoy resources appearing to the attacker as being active in the network; and
  
  an access governor authorizing access to resources in the network, and issuing a notification upon recognizing an attempt to access one or more of the decoy resources of the network via one or more of the decoy attack vectors planted by said deception deployer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The DMS of claim 1 wherein said deception deployer generates the one or more decoy resources.
  - 3. The DMS of claim 1 further comprising a discovery tool inspecting the network to find real attack vectors that exist in real resources of the network and that have a potential to lead the attacker to access or discover other real resources of the network, and wherein said deception deployer plants decoy attack vectors that resemble the real attack vectors found by said discovery tool.
  - 4. The DMS of claim 3 wherein said discovery tool learns characteristics of the network comprising at least one member of management tools, asset management, configuration management, user management, device management, installed applications, tools and data, and wherein the one or more decoy attack vectors planted by said deception deployer conform with the network characteristics.
  - 5. The DMS of claim 4, wherein said discovery tool learns the characteristics of the network based on information extracted from one or more of the following network resource management and administration modules:
    - directory access, user management, asset management, configuration management, resource management, device management, storage management, application management, and file management.
  - 6. The DMS of claim 1, wherein the one or more decoy attack vectors planted by said deception deployer include at least one member ofa username and a password,an RDP (Remote Desktop Protocol) username and a password,a username and an authentication ticket,an FTP (File Transfer Protocol) server address and a username and a password,a database server address and a username and a password, andan SSH (Secure Shell) server address and a username and a password.

7. A method for detecting attackers within a network of computer resources, comprising:
- planting one or more decoy attack vectors in memory or storage of one or more real resources in the network, an attack vector, of the one or more decoy attacked vectors, being an object in a real resource of the network that has a potential to lead an attacker to access or discover a decoy resource of the network;
  
  self-triggering modification of activity logs of login access and data editing for one or more decoy resources, the one or more decoy resources appearing to the attacker as being active in the network; and
  
  issuing a notification upon recognizing an attempt to access one or more of the decoy resources of the network via one or more of the decoy attack vectors planted by said planting.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 further comprising generating the one or more decoy resources.
  - 9. The method of claim 7 further comprising inspecting the network to find real attack vectors that exist in real resources of the network and that have a potential to lead the attacker to access or discover other real resources of the network, and wherein said planting plants decoy attack vectors that resemble the real attack vectors found by said inspecting.
  - 10. The method of claim 7 further comprising learning characteristics of the network comprising at least one member of management tools, asset management, configuration management, user management, device management, installed applications, tools and data, and wherein the one or more decoy attack vectors planted by said planting conform with the network characteristics.
  - 11. The method of claim 10, wherein said learning learns the characteristics of the network based on information extracted from one or more of the following network resource management and administration modules:
    - directory access, user management, asset management, configuration management, resource management, device management, storage management, application management, and file management.
  - 12. The method of claim 7, wherein the one or more decoy attack vectors planted by said planting include at least one member ofa username and a password,an RDP (Remote Desktop Protocol) username and a password,a username and an authentication ticket,an FTP (File Transfer Protocol) server address and a username and a password,a database server address and a username and a password, andan SSH (Secure Shell) server address and a username and a password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/406,731
Publication Number

US 20170134421A1
Time in Patent Office

219 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Managing dynamic deceptive environments

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Managing dynamic deceptive environments

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others