Method and system for protection against information stealing software

US 9,015,842 B2
Filed: 03/19/2008
Issued: 04/21/2015
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring a plurality of electronic devices to detect infection by unwanted software, the method comprising:

installing, using a management unit executing on a processor and in communication with the plurality of electronic devices, a software agent on each of the plurality of electronic devices, each of the software agents configured to perform a login session using a bait that contains artificial sensitive information, and configured to insert parameters into the bait prior to transmission of an electronic output of the plurality of electronic devices;

monitoring, using a traffic analyzer executing on an electronic device, the electronic output; and

analyzing, using a decision system executing on a processor and in communication with the traffic analyzer, the electronic output in response to the bait to determine the existence of unwanted software based on the electronic output including a transmission of the bait unrelated to the login session to another electronic device.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.

213 Citations

18 Claims

1. A method for monitoring a plurality of electronic devices to detect infection by unwanted software, the method comprising:
- installing, using a management unit executing on a processor and in communication with the plurality of electronic devices, a software agent on each of the plurality of electronic devices, each of the software agents configured to perform a login session using a bait that contains artificial sensitive information, and configured to insert parameters into the bait prior to transmission of an electronic output of the plurality of electronic devices;
  
  monitoring, using a traffic analyzer executing on an electronic device, the electronic output; and
  
  analyzing, using a decision system executing on a processor and in communication with the traffic analyzer, the electronic output in response to the bait to determine the existence of unwanted software based on the electronic output including a transmission of the bait unrelated to the login session to another electronic device.
- View Dependent Claims (2, 3, 4, 5, 12, 15)
- - 2. The method of claim 1, wherein the electronic output is analyzed by correlating the output with the bait.
  - 3. The method of claim 2, wherein the correlation is performed by comparing information of the bait with traffic over a computer network in order to decide about the existence and the location of unwanted software.
  - 4. The method of claim 1, further comprising:
    - storing information about the bait in a database; and
      
      comparing information from a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.
  - 5. The method of claim 1, further comprising:
    - providing the artificial sensitive information with the bait to a target site;
      
      configuring the artificial sensitive information to identify the electronic device; and
      
      monitoring the target site for detection of the artificial sensitive information to determine the existence of unwanted software on the electronic device.
  - 12. The method of claim 1, wherein the software agent performs a login session by inputting a sequence of keystrokes.
  - 15. The method of claim 1, wherein the parameters are keywords included in the bait.

6. A system for monitoring a plurality of electronic devices to detect infection by unwanted software, the system comprising:
- an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a management unit that is in communication with the plurality of electronic devices, the management unit configured to install a software agent on each of the plurality of electronic devices, wherein each of the software agents are configured to perform a login session using a bait that contains artificial sensitive information and insert parameters into the bait before transmission of an electronic output of the plurality of electronic devices;
  
  an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a traffic analyzer and in communication with the computer network, the traffic analyzer configured to monitor the electronic output of the plurality of electronic devices; and
  
  an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a decision system that is in communication with the traffic analyzer, the decision system configured to determine the existence of unwanted software based on a transmission of the bait unrelated to the login session by one of the plurality of electronic devices to another electronic device.
- View Dependent Claims (7, 13, 14, 16)
- - 7. The system of claim 6, further comprising a network gateway in communication with the computer network wherein the traffic analyzer is installed on the network gateway.
  - 13. The system of claim 6, wherein the software agent performs a login session by inputting a sequence of keystrokes.
  - 14. The system of claim 6, wherein the software agent performs a login session on a website.
  - 16. The system of claim 6, wherein the parameters are keywords included in the bait.

8. A method for monitoring a first group of electronic devices to detect infection by unwanted software, the method comprising:
- installing a software agent on each of the electronic devices of the first group, the software agent being configured to perform a login session using a bait that contains artificial sensitive information for each one of the electronic devices of the first group, wherein the software agent is further configured to insert parameters into the bait prior to transmission of a first electronic output of the first group of electronic devices;
  
  monitoring, using a first electronic device, the first electronic output to a network from at least one electronic device of the first group;
  
  monitoring, using the first electronic device, a second electronic output to the network from at least one of the electronic devices of a second group of electronic devices; and
  
  analyzing the first and second electronic output to identify that the first electronic output includes a transmission of the bait unrelated to the login session to a third electronic device to determine the existence of unwanted software within the first group.
- View Dependent Claims (9, 17)
- - 9. The method of claim 8, wherein the second group of electronic devices is used as a baseline for analyzing the first electronic output in order to determine the existence of unwanted software.
  - 17. The method of claim 8, wherein the parameters are keywords included in the bait.

10. A system for monitoring a first group of electronic devices to detect infection by unwanted software, the system comprising:
- an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a management unit for installing a software agent on each of the electronic devices of the first group, the software agent being configured to perform a login session using a bait that contains artificial sensitive information on each of the electronic devices of the first group, and to insert parameters into the bait prior to transmission of an electronic output by the first group of electronic devices;
  
  an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a traffic analyzer executing on a first electronic device and in communication with the first group and a second group of electronic devices by a computer network, the traffic analyzer configured to analyze the electronic output from the first group and an electronic output from the second group of electronic devices; and
  
  an electronic processor operably coupled to a memory, the memory storing processor instructions implementing a decision system in communication with the traffic analyzer, the decision system configured to compare the output of the first group of electronic devices with the output from the second group of electronic devices in order to identify that the electronic output of the first group of electronic devices includes a transmission of the bait unrelated to the login session to a third electronic device to determine the existence of unwanted software within the first group.
- View Dependent Claims (11, 18)
- - 11. The system of claim 10, further comprising a gateway wherein the traffic analyzer is installed on the gateway.
  - 18. The system of claim 10, wherein the parameters are keywords included in the bait.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Troyansky, Lidror, Bruckner, Sharon, Hubbard, Daniel Lyle
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US12/051,579
Publication Number

US 20090241196A1
Time in Patent Office

2,589 Days
Field of Search

726/22, 726/25, 726/23, 726/26, 726/24, 713/187, 713/188, 709/224, 709/229
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Method and system for protection against information stealing software

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

213 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protection against information stealing software

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

213 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links