Techniques for detecting advanced security threats
First Claim
1. A method for detecting a security threat comprising:
receiving resource information from a backend server via a network indicating a defined resource to be generated on a plurality of clients, wherein the defined resource to be generated is specified by the backend server based on at least one computing resource characteristic and at least one known usage of at least a first client of the plurality of clients, and wherein the first client is separate from the backend server and associated with a known threat;
generating the defined resource at the plurality of clients respectively based on the received resource information, wherein the defined resource is a decoy resource different from the received resource information and monitored differently from other client resources;
implementing the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented decoy resource simulates on the respective client one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;
monitoring system behavior of the respective client having the decoy resource implemented thereon;
determining by the respective client whether a security event involving the implemented decoy resource has occurred based on the monitored system behavior of the respective client including the at least one computing characteristic and the at least one known usage of at least the first client; and
generating a report at the respective client including detailed information regarding the security event and the monitored system behavior of the respective client when it has been determined that the security event has occurred and sending the report to the backend server.
Abstract
Techniques for detecting advanced security threats are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting a security threat including generating a resource at a client, implementing the resource on the client, monitoring system behavior of the client having the resource implemented thereon, determining whether a security event involving the implemented resource has occurred based on the monitored system behavior, and generating a report when it has been determined that the security event has occurred.
20 Claims
1. A method for detecting a security threat (independent claim, reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A method for detecting a security threat comprising:
generating, at a backend server, resource information specifying a defined resource based on at least one computing resource characteristic and at least one known usage of at least a first client of a plurality of clients, and wherein the first client is separate from the backend server and associated with a known threat;
transmitting the resource information from the backend server to the plurality of clients via a network;
generating the defined resource at the plurality of clients respectively based on the resource information received at the respective plurality of clients, wherein the defined resource is a decoy resource different from the resource information and monitored differently from other resources;
implementing the decoy resource automatically on each respective client of the plurality of clients based on the generated resource information, wherein the implemented decoy resource simulates one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;
determining whether a report has been received from one of the plurality of clients indicating that a security event involving the decoy resource implemented at the one of the plurality of clients has occurred;
analyzing the received report; and
determining an appropriate action to be performed based on the report analysis.
Dependent claims: 14, 15, 16, 17, 18, 19.
20. A system for detecting a security threat comprising:
a backend server comprising one or more first computer processors communicatively coupled to a network; and
a plurality of clients each comprising one or more second computer processors and a memory communicatively coupled to the network, wherein the plurality of clients are separate from the backend server and associated with a known threat,
wherein the one or more first computer processors are configured to:
transmit resource information from the backend server to the plurality of clients via the network indicating a defined resource to be generated on the plurality of clients respectively, wherein the defined resource to be generated is based on at least one computing resource characteristic and at least one known usage of at least a first client of the plurality of clients;
and wherein the one or more second computer processors are configured to:
generate the defined resource at the plurality of clients respectively based on the resource information, wherein the defined resource is a decoy resource different from the resource information and monitored differently from other resources;
implement the decoy resource automatically on each respective client of the plurality of clients, wherein the implemented decoy resource simulates one of a physical computing resource of at least the first client and a virtualized computing resource of at least the first client available to applications executing on at least the first client;
monitor system behavior of the respective client having the decoy resource implemented thereon;
determine by the respective client whether a security event involving the implemented decoy resource has occurred based on the monitored system behavior of the respective client including the at least one computing characteristic and the at least one known usage of at least the first client; and
generate a report at the respective client including detailed information regarding the security event and the associated system behavior of the respective client when it has been determined that the security event has occurred and send the report to the backend server.
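Claims 1, 13 and 20 together describe one decoy-resource pipeline: the backend specifies a decoy from a client characteristic and a known usage of the threat, each client generates and implements a decoy that differs from that specification, monitors its own behavior for events touching the decoy, reports them, and the backend analyzes the report and picks an action. The Python simulation below is an added example, not code from the patent or its assignee; the usage-to-decoy table, the event record format, the sample events, the host and path names, and the isolate/alert decision rule are all assumptions made for illustration.

```python
import hashlib

# Backend: "resource information" chosen from a client characteristic (home dir) and a
# known usage of the threat. The usage-to-decoy table is an assumption of this example.
DECOY_BY_USAGE = {
    "credential_theft": ("credential", "{home}/.ssh/id_rsa_backup"),
    "data_staging": ("file", "{home}/Documents/payroll_2024.xlsx"),
}
def specify_decoy(client_id, characteristics, known_usage):
    kind, path_tmpl = DECOY_BY_USAGE[known_usage]
    return {"client": client_id, "kind": kind, "seed": "b7e1",  # seed: constructed value
            "path": path_tmpl.format(home=characteristics["home"])}

# Client: generate a decoy that differs from the spec, implement it, monitor, report.
def generate_decoy(spec):
    # Per-client marker, so a decoy copy seen elsewhere traces back to this host.
    raw = (spec["seed"] + spec["client"] + spec["path"]).encode()
    return {"path": spec["path"], "kind": spec["kind"],
            "marker": hashlib.sha256(raw).hexdigest()[:16]}
def implement_decoy(fs, decoy):
    fs[decoy["path"]] = decoy["marker"]  # fs: dict standing in for the real filesystem
def detect_security_event(decoy, events, own_pid):
    # Any process other than our own monitor touching the decoy is a security event.
    return [e for e in events if e["target"] == decoy["path"] and e["pid"] != own_pid]
def build_report(client_id, decoy, hits, all_events):
    if not hits:
        return None
    pids = {h["pid"] for h in hits}
    return {"client": client_id, "decoy": decoy["path"], "hits": hits,
            "context": [e for e in all_events if e["pid"] in pids]}  # monitored behaviour

# Backend: analyze the report and decide an action (decision rule is an assumption).
def decide_action(report):
    pids = {h["pid"] for h in report["hits"]}
    exfil = any(e["op"] == "connect" and e["pid"] in pids for e in report["context"])
    return "isolate_client" if exfil else "alert_analyst"

# Constructed sample of monitored system behaviour on one client (pid 1 is our monitor).
SAMPLE_EVENTS = [
    {"pid": 1, "proc": "decoy-monitor", "op": "stat", "target": "/home/alice/.ssh/id_rsa_backup"},
    {"pid": 4242, "proc": "bash", "op": "read", "target": "/home/alice/.bashrc"},
    {"pid": 4242, "proc": "bash", "op": "read", "target": "/home/alice/.ssh/id_rsa_backup"},
    {"pid": 4242, "proc": "bash", "op": "connect", "target": "203.0.113.5:443"},
]
def run_pipeline(events=SAMPLE_EVENTS):
    spec = specify_decoy("host-01", {"home": "/home/alice"}, "credential_theft")
    decoy, fs = generate_decoy(spec), {}
    implement_decoy(fs, decoy)
    hits = detect_security_event(decoy, events, own_pid=1)
    report = build_report("host-01", decoy, hits, events)
    return decide_action(report) if report else "no_event"
```

The monitor's own access (pid 1) is excluded so that the decoy is monitored differently from ordinary resources without raising on itself; only the full event sample, where the touching process also opens a network connection, escalates to isolation.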
Specification