Adapting decoy data present in a network

US 9,990,507 B2
Filed: 10/01/2015
Issued: 06/05/2018
Est. Priority Date: 03/25/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:

obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and an access policy for accessing the data store;

obtain a response to an access of the data store, the response to the access of the data store comprising the decoy data among a plurality of non-decoy data;

determine legitimacy of the access of the data store based at least in part upon a comparison between the access policy and a characteristic associated with the access of the data store; and

remove the decoy data from among the plurality of non-decoy data in the response to the access of the data store based at least in part upon the access being legitimate according to the access policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for obtaining policy data specifying decoy data eligible to be inserted within a response to an access of a data store. The decoy data is detected in the response among a plurality of non-decoy data based at least upon the policy data. An action associated with the decoy data is initiated in response to the access of the data store meeting a configurable threshold.

51 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed, causing the at least one computing device to at least:
- obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and an access policy for accessing the data store;
  
  obtain a response to an access of the data store, the response to the access of the data store comprising the decoy data among a plurality of non-decoy data;
  
  determine legitimacy of the access of the data store based at least in part upon a comparison between the access policy and a characteristic associated with the access of the data store; and
  
  remove the decoy data from among the plurality of non-decoy data in the response to the access of the data store based at least in part upon the access being legitimate according to the access policy.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the program further causes the at least one computing device to at least:
    - obtain signature data to identify the decoy data in the response to the access of the data store, the signature data further specifying an action associated with the decoy data;
      
      detect the decoy data in the response to the access of the data store via a scan of a plurality of data communications of a network with reference to the signature data, one of the data communications comprising the response to the access of the data store; and
      
      initiate the action associated with the decoy data based at least in part upon the detection of the decoy data.
  - 3. The non-transitory computer-readable medium of claim 2, wherein the action comprises interrupting the one of the data communications comprising the response to the access of the data store.

4. A system, comprising:
- at least one computing device connected to a network, the at least one computing device configured to at least;
  
  obtain policy data, the policy data specifying decoy data eligible to be inserted in a data store and an access policy for accessing a data store;
  
  obtain a response to an access of the data store, the response to the access of the data store comprising the decoy data among a plurality of non-decoy data;
  
  determine legitimacy of the access of the data store based at least in part upon a comparison between the access policy and a characteristic associated with the access of the data store; and
  
  remove the decoy data from among the plurality of non-decoy data in the response to the access of the data store based at least in part upon the access being legitimate according to the access policy.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein the decoy data is inserted into the response without insertion into at least one table in the data store comprising the plurality of non-decoy data.
  - 6. The system of claim 4, wherein the decoy data is inserted into at least one table in the data store comprising the plurality of non-decoy data.
  - 7. The system of claim 4, wherein the at least one computing device is further configured to at least log details about the access of the data store based at least in part upon the legitimacy of the access.
  - 8. The system of claim 4, wherein the at least one computing device is further configured to terminate the access of the data store based at least in part upon the legitimacy of the access.
  - 9. The system of claim 4, wherein the access policy defines a rate of access of the data store.
  - 10. The system of claim 4, wherein the access policy defines at least one attribute that, when included in the response, indicates the access as illegitimate.
  - 11. The system of claim 4, wherein the at least one computing device is further configured to at least:
    - obtain signature data to identify the decoy data previously inserted in the response to the access of the data store, the signature data further specifying an action associated with the decoy data;
      
      detect the decoy data in the response to the access of the data store via a scan of a plurality of data communications of the network with reference to the signature data, one of the data communications comprising the response to the access of the data store; and
      
      initiate the action associated with the decoy data based at least in part upon the detection of the decoy data.
  - 12. The system of claim 11, wherein the action comprises interrupting the one of the data communications comprising the response to the access of the data store.

13. A method, comprising:
- obtaining, by at least one computing device, policy data specifying decoy data eligible to be inserted within a response to an access of a data store and further specifying an access policy threshold associated with a user accessing the data store;
  
  detecting, by the at least one computing device, the decoy data in the response to the access of the data store among a plurality of non-decoy data based at least upon the policy data;
  
  determining, by the at least one computing device, legitimacy of the access of the data store based at least in part upon the access policy threshold;
  
  interrupting, by the at least one computing device, delivery of the response to the access of the data store to a client application when the access does not meet the access policy threshold; and
  
  modifying, by the at least one computing device, the decoy data among a plurality of non-decoy data in the response to the access of the data store when the access meets the access policy threshold.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, further comprising removing, by the at least one computing device, the decoy data from the response when the access meets the access policy threshold.
  - 15. The method of claim 13, further comprising logging, by the at least one computing device, details about the access of the data store when the access does not meet the access policy threshold.
  - 16. The method of claim 13, further comprising inserting, by the at least one computing device, low-priority decoy data within the response to the access of the data store when the access meets the access policy threshold.
  - 17. The method of claim 16, wherein the low-priority decoy data comprises a timestamp.
  - 18. The method of claim 13, wherein the access policy threshold defines a rate of access of the data store.
  - 19. The method of claim 13, further comprising:
    - obtaining, by the at least one computing device, signature data to identify the decoy data in the response to the access of the data store, the signature data being encrypted;
      
      detecting, by the at least one computing device, the decoy data in the response to the access of the data store via a scan of a memory of a second computing device; and
      
      transmitting, by the at least one computing device, a notice to a central reporting site based at least in part upon the detection of the decoy data, the notice including the decoy data.
  - 20. The method of claim 19, wherein the notice further includes at least a portion of the plurality of non-decoy data, the decoy data being detected, but not located among the plurality of non-decoy data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Ramalingam, Harsha, Johansson, Jesper Mikael, Petts, James Connelly, Brezinski, Dominique Imjya
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/872,880
Publication Number

US 20160019395A1
Time in Patent Office

978 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

H04L 63/30   for supporting lawful inter...

Adapting decoy data present in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adapting decoy data present in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links