System and method for creation, deployment and management of augmented attacker map

US 9,787,715 B2
Filed: 01/11/2017
Issued: 10/10/2017
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system for augmenting an attacker map of a network of resources, comprising:

a deception management server within a network of resources, generating an attacker map for the network, the attacker map depicting a view of the network and comprising one or more lateral attack paths traversing some or all of the resources, each lateral attack path corresponding to one or more successive lateral attack vectors, wherein a lateral attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network;

a deployment module planting one or more decoy lateral attack vectors in some of all of the resources of the network; and

an access governor authorizing access to resources in the network, and issuing a notification upon recognizing an attempt to access one or more of the resources of the network via one or more of the decoy lateral attack vectors planted by said deception module,wherein said deception management server further generates an augmented attacker map by augmenting the lateral attack paths based on the decoy lateral attack vectors added by said deployment module.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for augmenting an attacker map of a network of resources, including a deception management server within a network of resources, generating an attacker map for the network, the attacker map including one or more attack paths traversing some or all of the resources, each attack path corresponding to one or more successive attack vectors, wherein an attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network, and a deployment module for planting one or more decoy attack vectors in some of all of the resources of the network, wherein the deception management server generates an augmented attacker map by augmenting the attack paths based on the decoy attack vectors added by the deployment module.

116 Citations

8 Claims

1. A system for augmenting an attacker map of a network of resources, comprising:
- a deception management server within a network of resources, generating an attacker map for the network, the attacker map depicting a view of the network and comprising one or more lateral attack paths traversing some or all of the resources, each lateral attack path corresponding to one or more successive lateral attack vectors, wherein a lateral attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network;
  
  a deployment module planting one or more decoy lateral attack vectors in some of all of the resources of the network; and
  
  an access governor authorizing access to resources in the network, and issuing a notification upon recognizing an attempt to access one or more of the resources of the network via one or more of the decoy lateral attack vectors planted by said deception module,wherein said deception management server further generates an augmented attacker map by augmenting the lateral attack paths based on the decoy lateral attack vectors added by said deployment module.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein said deployment module adds one or more decoy resources to the network, and wherein one or more of the decoy lateral attack vectors are planted in decoy resources or lead to decoy resources.
  - 3. The system of claim 2, wherein the lateral attack vectors and the decoy lateral attack vectors include at least one member of (i) username and password, (ii) username and authentication ticket, (iii) FTP server address, username and password, (iv) database server address, username and password, and (v) SSH server address, username and password.
  - 4. The system of claim 2, wherein said deception management server renders views of the attacker map and the augmented attacker map.

5. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
- to generate an attacker map for a network of resources, the attacker map depicting a view of the network and comprising one or more lateral attack paths traversing some or all of the resources, each lateral attack path corresponding to one or more successive lateral attack vectors, wherein a lateral attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network;
  
  to plant one or more decoy lateral attack vectors in some or all of the resources of the network; and
  
  to generate an augmented attacker map by augmenting the lateral attack paths based on the decoy lateral attack vectors; and
  
  to issue a notification upon recognizing an attempt to access one or more of the resources of the network via one or more of the decoy attack vectors that were planted.
- View Dependent Claims (6, 7, 8)
- - 6. The computer readable medium of claim 5 wherein the instructions further cause the computer to add one or more decoy resources to the network, wherein one or more of the decoy lateral attack vectors are planted in decoy resources or lead to decoy resources.
  - 7. The computer readable medium of claim 6, wherein the lateral attack vectors and the decoy lateral attack vectors include at least one member of (i) username and password, (ii) username and authentication ticket, (iii) FTP server address, username and password, (iv) database server address, username and password, and (v) SSH server address, username and password.
  - 8. The computer readable medium of claim 6, wherein the instructions further cause the computer to render views of the attacker map and the augmented attacker map.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Iilusve Networks Limited
Original Assignee
Iilusve Networks Limited
Inventors
Touboul, Shlomo, Levin, Hanan, Roubach, Stephane, Mischari, Assaf, Ben David, Itai, Avraham, Itay, Ozer, Adi, Kazaz, Chen, Israeli, Ofer, Vingurt, Olga, Gareh, Liad, Grimberg, Israel, Cohen, Cobby, Sultan, Sharon, Kubovsky, Matan
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US15/403,194
Publication Number

US 20170126737A1
Time in Patent Office

272 Days
Field of Search

726 11, 726 22- 26, 709206, 709220, 709224, 709228, 455410, 714 43
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06N 20/00   Machine learning

H04L 2463/146   Tracing the source of attacks

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

System and method for creation, deployment and management of augmented attacker map

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for creation, deployment and management of augmented attacker map

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links