METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS

US 20100077483A1
Filed: 09/23/2009
Published: 03/25/2010
Est. Priority Date: 06/12/2007
Status: Active Grant

First Claim

Patent Images

1. A method for providing trap-based defenses, the method comprising:

generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties;

embedding a beacon into the decoy information; and

inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

471 Citations

64 Claims

1. A method for providing trap-based defenses, the method comprising:
- generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties;
  
  embedding a beacon into the decoy information; and
  
  inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the one or more document properties comprise at least one of:
    - believable to the attacker, variable, enticing to the attacker, conspicuous to the attacker, detectable, differentiable from the actual information, and non-interfering with a legitimate user.
  - 3. The method of claim 1, further comprising testing the decoy information to determine whether the decoy information complies with the believable document property by presenting the decoy information and the actual information to a user, wherein the user is provided with the opportunity to select whether the decoy information and the actual information are decoys.
  - 4. The method of claim 3, further comprising removing the decoy information from the computing environment in response to receiving a response rate less than a predetermined amount.
  - 5. The method of claim 1, further comprising performing a search through the computing environment for the actual information used for the generation of the decoy information.
  - 6. The method of claim 1, further comprising receiving user input relating to the actual information used for the generation of the decoy information.
  - 7. The method of claim 1, further comprising receiving at least one location within the computing environment to insert the decoy information.
  - 8. The method of claim 1, further comprising analyzing the computing environment to determine where to insert the decoy information.
  - 9. The method of claim 1, wherein the beacon is a decoy token embedded in the decoy information.
  - 10. The method of claim 9, further comprising monitoring for unauthorized usage of the decoy token.
  - 11. The method of claim 1, wherein the beacon is executable code embedded in the decoy information.
  - 12. The method of claim 11, further comprising executing the executable code in response to the attacker accessing the decoy information, wherein the executable code transmits a signal indicating that the decoy information has been accessed.
  - 13. The method of claim 11, further comprising requesting that the attacker permit the execution of the executable code in response to the attacker accessing the decoy information.
  - 14. The method of claim 1, further comprising:
    - receiving the first indication from the embedded beacon in response to the attacker accessing the decoy information; and
      
      transmitting a notification to a legitimate user that provides information relating to the attacker.
  - 15. The method of claim 14, further comprising tracing an attacker in response to receiving the first indication from the embedded beacon.
  - 16. The method of claim 1, wherein the embedded beacon is a passive beacon, the method further comprising:
    - detecting that decoy information with the embedded passive beacon has been used; and
      
      transmitting a notification that provides information relating to the attacker.
  - 17. The method of claim 1, wherein the embedded beacon is configured to operate in connection with a monitoring application, and wherein the monitoring application monitors the computing environment for the signal from the embedded beacon.
  - 18. The method of claim 17, wherein the monitoring application is an antivirus application.
  - 19. The method of claim 1, wherein the decoy information is contained in a decoy document, wherein the actual information is contained in an actual document, and wherein the embedded beacon differentiates between the decoy document and the actual document.
  - 20. The method of claim 19, further comprising:
    - using at least a portion of the embedded beacon and, other document data to generate a pattern that is displayed to a user in response to the user accessing the decoy document; and
      
      presenting an index in response to placing a physical mask over the generated pattern, wherein the physical mask decodes the generated pattern into the index and wherein the index provides an indication as to whether at least a portion of the decoy document contains the decoy information.

21. A method for providing trap-based defenses, the method comprising:
- receiving trace data;
  
  determining protocol types of the received trace data based at least in part on the content of application layer headers contained in the received trace data;
  
  generating one or more candidate flows for each protocol type from the received trace data;
  
  modifying the one or more candidate flows with decoy information; and
  
  inserting the modified candidate flows into a communications network.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The method of claim 21, wherein the trace data is at least one of:
    - anonymous trace data and a network trace containing authentic network traffic.
  - 23. The method of claim 21, further comprising:
    - modifying protocol headers in the one or more candidate flows with the decoy information and modifying protocol payloads in the one or more candidate flows with the decoy information.
  - 24. The method of claim 21, further comprising refreshing the modified candidate flows after a predetermined amount of time has elapsed.
  - 25. The method of claim 21, further comprising:
    - determining network statistics associated with the communications network; and
      
      applying the determined network statistics to the one or more candidate flows.
  - 26. The method of claim 21, wherein the determined network statistics include one or more of a total flow time, an inter-packet time, a response time, and a packet loss.

27. A system for providing trap-based defenses, the system comprising:
- a processor that;
  
  generates decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties;
  
  embeds a beacon into the decoy information; and
  
  inserts the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The system of claim 27, wherein the processor is further configured to test the decoy information to determine whether the decoy information complies with the believable document property by presenting the decoy information and the actual information to a user, wherein the user is provided with the opportunity to select whether the decoy information and the actual information are decoys.
  - 29. The system of claim 28, wherein the processor is further configured to remove the decoy information from the computing environment in response to receiving a response rate less than a predetermined amount.
  - 30. The system of claim 27, wherein the processor is further configured to perform a search through the computing environment for the actual information used for the generation of the decoy information.
  - 31. The system of claim 27, wherein the processor is further configured to receive user input relating to the actual information used for the generation of the decoy information.
  - 32. The system of claim 27, wherein the processor is further configured to receive at least one location within the computing environment to insert the decoy information.
  - 33. The system of claim 27, wherein the processor is further configured to analyze the computing environment to determine where to insert the decoy information.
  - 34. The system of claim 27, wherein the beacon is a decoy token embedded in the decoy information, and wherein the processor is further configured to monitor for unauthorized usage of the decoy token.
  - 35. The system of claim 27, wherein the beacon is executable code embedded in the decoy information, and wherein the processor is further configured to execute the executable code in response to the attacker accessing the decoy information, wherein the executable code transmits a signal indicating that the decoy information has been accessed.
  - 36. The system of claim 35, wherein the processor is further configured to request that the attacker permit the execution of the executable code in response to the attacker accessing the decoy information.
  - 37. The system of claim 27, wherein the processor is further configured to:
    - receive the first indication from the embedded beacon in response to the attacker accessing the decoy information; and
      
      transmit a notification to a legitimate user that provides information relating to the attacker.
  - 38. The system of claim 27, wherein the embedded beacon is a passive beacon, and wherein the processor is further configured to:
    - detect that decoy information with the embedded passive beacon has been used; and
      
      transmit a notification that provides information relating to the attacker.
  - 39. The system of claim 27, wherein the decoy information is contained in a decoy document, wherein the actual information is contained in an actual document, wherein the embedded beacon differentiates between the decoy document and the actual document, and wherein the processor is further configured to:
    - use at least a portion of the embedded beacon and other document data to generate a pattern that is displayed to a user in response to the user accessing the decoy document; and
      
      present an index in response to placing a physical mask over the generated pattern, wherein the physical mask decodes the generated pattern into the index and wherein the index provides an indication as to whether at least a portion of the decoy document contains the decoy information.

40. A system for providing trap-based defenses, the system comprising:
- a processor that;
  
  receives trace data;
  
  determines protocol types of the received trace data based at least in part on the content of application layer headers contained in the received trace data;
  
  generates one or more candidate flows for each protocol type from the received trace data;
  
  modifies the one or more candidate flows with decoy information; and
  
  inserts the modified candidate flows into a communications network.
- View Dependent Claims (41, 42, 43, 44, 45)
- - 41. The system of claim 40, wherein the trace data is at least one of:
    - anonymous trace data and a network trace containing authentic network traffic.
  - 42. The system of claim 40, wherein the processor is further configured to modify protocol headers in the one or more candidate flows with the decoy information and modify protocol payloads in the one or more candidate flows with the decoy information.
  - 43. The system of claim 40, wherein the processor is further configured to refresh the modified candidate flows after a predetermined amount of time has elapsed.
  - 44. The system of claim 40, wherein the processor is further configured to:
    - determine network statistics associated with the communications network; and
      
      apply the determined network statistics to the one or more candidate flows.
  - 45. The system of claim 44, wherein the determined network statistics include one or more of a total flow time, an inter-packet time, a response time, and a packet loss.

46. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for providing trap-based defenses, the method comprising:
- generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties;
  
  embedding a beacon into the decoy information; and
  
  inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 47. The non-transitory computer-readable medium of claim 46, wherein the method further comprises testing the decoy information to determine whether the decoy information complies with the believable document property by presenting the decoy information and the actual information to a user, wherein the user is provided with the opportunity to select whether the decoy information and the actual information are decoys.
  - 48. The non-transitory computer-readable medium of claim 47, wherein the method further comprises removing the decoy information from the computing environment in response to receiving a response rate less than a predetermined amount.
  - 49. The non-transitory computer-readable medium of claim 46, wherein the method further comprises performing a search through the computing environment for the actual information used for the generation of the decoy information.
  - 50. The non-transitory computer-readable medium of claim 46, wherein the method further comprises receiving user input relating to the actual information used for the generation of the decoy information.
  - 51. The non-transitory computer-readable medium of claim 46, wherein the method further comprises receiving at least one location within the computing environment to insert the decoy information.
  - 52. The non-transitory computer-readable medium of claim 46, wherein the method further comprises analyzing the computing environment to determine where to insert the decoy information.
  - 53. The non-transitory computer-readable medium of claim 46, wherein the method further comprises monitoring for unauthorized usage of the decoy token.
  - 54. The non-transitory computer-readable medium of claim 46, wherein the beacon is executable code embedded in the decoy information, and wherein the method further comprises executing the executable code in response to the attacker accessing the decoy information, wherein the executable code transmits a signal indicating that the decoy information has been accessed.
  - 55. The non-transitory computer-readable medium of claim 54, wherein the method further comprises requesting that the attacker permit the execution of the executable code in response to the attacker accessing the decoy information.
  - 56. The non-transitory computer-readable medium of claim 46, wherein the method further comprises:
    - receiving the first indication from the embedded beacon in response to the attacker accessing the decoy information; and
      
      transmitting a notification to a legitimate user that provides information relating to the attacker.
  - 57. The non-transitory computer-readable medium of claim 46, wherein the embedded beacon is a passive beacon, and wherein the method further comprises:
    - detecting that decoy information with the embedded passive beacon has been used; and
      
      transmitting a notification that provides information relating to the attacker.
  - 58. The non-transitory computer-readable medium of claim 46, wherein the decoy information is contained in a decoy document, wherein the actual information is contained in an actual document, wherein the embedded beacon differentiates between the decoy document and the actual document, and wherein the method further comprises:
    - using at least a portion of the embedded beacon and other document data to generate a pattern that is displayed to a user in response to the user accessing the decoy document; and
      
      presenting an index in response to placing a physical mask over the generated pattern, wherein the physical mask decodes the generated pattern into the index and wherein the index provides an indication as to whether at least a portion of the decoy document contains the decoy information.

59. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for providing trap-based defenses, the method comprising:
- receiving trace data;
  
  determining protocol types of the received trace data based at least in part on the content of application layer headers contained in the received trace data;
  
  generating one or more candidate flows for each protocol type from the received trace data;
  
  modifying the one or more candidate flows with decoy information; and
  
  inserting the modified candidate flows into a communications network.
- View Dependent Claims (60, 61, 62, 63, 64)
- - 60. The non-transitory computer-readable medium of claim 59, wherein the trace data is at least one of:
    - anonymous trace data and network trace containing authentic network traffic.
  - 61. The non-transitory computer-readable medium of claim 59, wherein the method further comprises modifying protocol headers in the one or more candidate flows with the decoy information and modifying protocol payloads in the one or more candidate flows with the decoy information.
  - 62. The non-transitory computer-readable medium of claim 59, wherein the method further comprises refreshing the modified candidate flows after a predetermined amount of time has elapsed.
  - 63. The non-transitory computer-readable medium of claim 59, wherein the method further comprises:
    - determining network statistics associated with the communications network; and
      
      applying the determined network statistics to the one or more candidate flows.
  - 64. The non-transitory computer-readable medium of claim 63, wherein the determined network statistics include one or more of total flow time, inter-packet time, response time, and packet loss.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Keromytis, Angelos D., Hershkop, Shlomo, Stolfo, Salvatore J., Kemerlis, Vasileios P., Bowen, Brian M., Prabhu, Pratap V., Ben Salem, Malek

Granted Patent

US 9,009,829 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2123   Dummy operation

H04L 63/1466   Active attacks involving in...

METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

471 Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

471 Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links