US2017134423A1PendingUtilityA1

Decoy and deceptive data object technology

38
Assignee: CYMMETRIA INCPriority: Jul 21, 2015Filed: Jan 25, 2017Published: May 11, 2017
Est. expiryJul 21, 2035(~9 yrs left)· nominal 20-yr term from priority
H04L 63/1425G06F 21/554H04L 63/1491
38
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising:
 launching, on at least one decoy endpoint, at least one decoy operating system (OS) managing at least one of a plurality of deception applications mapping a plurality of applications executed in a protected network;   updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of said plurality of deception data objects for accessing said at least one deception application, said plurality of deception data objects are configured to trigger an interaction with said at least one deception application when used;   detecting usage of data contained in at least one of said plurality of deception data objects by monitoring said interaction; and   identifying at least one potential unauthorized operation based on analysis of said detection.   
     
     
         2 . The computer implemented method of  claim 1 , wherein said decoy endpoint is a member selected from a group consisting of: a physical device comprising at least one processor and a virtual machine. 
     
     
         3 . The computer implemented method of  claim 2 , wherein said virtual machine is hosted by at least one member selected from a group consisting of: a local endpoint, a cloud service and a vendor service. 
     
     
         4 . The computer implemented method of  claim 1 , wherein each of said plurality of deception data objects emulates a valid data object used for interacting with said at least one application. 
     
     
         5 . The computer implemented method of  claim 1 , wherein each of said plurality of deception data objects is a member selected from a group consisting of: a hashed credentials object, a browser cocky, a registry key, a Server Message Block (SMB) mapped share, a Mounted Network Storage element, a configuration file for remote desktop authentication credentials, a source code file with embedded database authentication credentials and a configuration file to a source-code version control system. 
     
     
         6 . The computer implemented method of  claim 1 , wherein said usage indication comprises impersonating that said plurality of deception data objects are used to interact with said at least one deception application. 
     
     
         7 . The computer implemented method of  claim 1 , wherein said at least one potential unauthorized operation is initiated by a member selected from a group consisting of: a user, a process, an automated tool and a machine. 
     
     
         8 . The computer implemented method of  claim 1 , wherein each of said plurality of applications is a member selected from a group consisting of: an application, a tool, a local service and a remote service. 
     
     
         9 . The computer implemented method of  claim 1 , wherein each of said plurality of deception applications is selected by at least one of: a user and an automated tool. 
     
     
         10 . The computer implemented method of  claim 1 , wherein said monitoring comprises at least one of:
 monitoring network activity of at least one of said plurality of deception applications,   monitoring interaction of said at least one deception application with said at least one decoy operating system,   monitoring at least one log record created by said at least one deception application, and   monitoring interaction of at least one of said plurality of deception applications with at least one of a plurality of hardware components in said protected network.   
     
     
         11 . The computer implemented method of  claim 1 , further comprising dividing at least one of: said at least one decoy operating system, said plurality of deception applications and said plurality of deception data objects to a plurality of groups according to at least one characteristic of said protected network. 
     
     
         12 . The computer implemented method of  claim 1 , further comprising providing a plurality of templates for creating at least one of: said at least one decoy operating system, said plurality of deception application and said plurality of deception data objects. 
     
     
         13 . The computer implemented method of  claim 12 , wherein each of said plurality of templates further comprises a definition of a relationship between at least two of: said at least one decoy operating system, said plurality of deception application and said plurality of deception data objects. 
     
     
         14 . The computer implemented method of  claim 12 , further comprising at least one of said plurality of templates is adjusted by at least one user adapting said at least one template according to at least one characteristic of said protected network. 
     
     
         15 . The computer implemented method of  claim 1 , further comprising generating an alert at detection of said at least one potential unauthorized operation. 
     
     
         16 . The computer implemented method of  claim 1 , further comprising generating an alert at detection of a combination of a plurality of potential unauthorized operations to detect a complex sequence of said interaction. 
     
     
         17 . The computer implemented method of  claim 1 , wherein said analysis further comprising preventing false positive analysis to avoid identifying at least one legitimate operation as said at least one potential unauthorized operation. 
     
     
         18 . The computer implemented method of  claim 1 , further comprising analyzing said at least one potential unauthorized operation to identify an activity pattern. 
     
     
         19 . The computer implemented method of  claim 18 , further comprising applying a learning process on said activity pattern to classify said activity pattern in order to improve detection and classification of at least one future potential unauthorized operation. 
     
     
         20 . A system for detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising:
 a program store storing a code; and   at least one processor on at least one decoy endpoint coupled to said program store for executing said stored code, said code comprising:
 code instructions to launch at least one decoy operating system (OS) managing at least one of a plurality of deception applications mapping a plurality of applications executed in a protected network; 
 code instructions to update dynamically a usage indication for a plurality of deception data objects deployed in said protected network to emulate usage of said plurality of deception data objects for accessing said at least one deception application, said plurality of deception data objects are configured to trigger an interaction with said at least one deception application when used; 
 code instructions to detect usage of data contained in at least one of said plurality of deception data objects by monitoring said interaction; and 
 code instructions to identify at least one potential unauthorized operation based on an analysis of said detection. 
   
     
     
         21 . A computer implemented method of containing a malicious attack within a deception environment by directing said malicious attack to a dynamically created deception environment, comprising:
 detecting an attempt of a potential attacker to access a protected network by identifying false access information used by said potential attacker, wherein said false access information is associated with a certain user of said protected network;   creating dynamically a deception environment associated with said certain user within said protected network in response to said attempt, wherein said deception environment comprises at least one member selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints;   in response to said attempt, granting access to said potential attacker into said deception environment; and   monitoring an attack vector applied by said potential attacker using said false access information in said deception environment.   
     
     
         22 . The computer implemented method of  claim 21 , wherein said decoy endpoint is a member selected from a group consisting of: a local endpoint comprising at least one processor and a virtual machine, wherein said virtual machine is hosted by at least one of: a local endpoint, a cloud service and a vendor service. 
     
     
         23 . The computer implemented method of  claim 21 , wherein said potential attacker is a member selected from a group consisting of: a user, a process, an automated tool and a machine. 
     
     
         24 . The computer implemented method of  claim 21 , wherein said deception environment is created based on public information of said certain user. 
     
     
         25 . The computer implemented method of  claim 24 , wherein said public information is available in at least one networked processing node accessible over at least one network. 
     
     
         26 . The computer implemented method of  claim 21 , wherein said false access information comprises credentials of said certain user. 
     
     
         27 . The computer implemented method of  claim 21 , further comprising said attempt is not reported to said certain user. 
     
     
         28 . The computer implemented method of  claim 21 , wherein said false access information was provided to said potential attacker during a past attempt of said potential attacker to obtain a real version of said false access information of said certain user. 
     
     
         29 . The computer implemented method of  claim 28 , wherein said past attempt is a phishing attack to obtain said real version of said false access information of said certain user. 
     
     
         30 . The computer implemented method of  claim 28 , wherein said past attempt is based on attracting said certain user to register to a fictive service created by said potential attacker to obtain said real version of said false access information of said certain user. 
     
     
         31 . The computer implemented method of  claim 28 , further comprising said past attempt is not reported to said certain user. 
     
     
         32 . The computer implemented method of  claim 21 , wherein said attempt is detected by comparing a password included in said false access information to at least one predicted password created based on an analysis of public information of said certain user. 
     
     
         33 . The computer implemented method of  claim 32 , further comprising evaluating robustness of a real password created by said certain user by comparing said real password to said at least one predicted password and alerting said certain user in case said real password is insufficiently robust, wherein said robustness is determined sufficient in case a variation between said at least one predicted password and said real password exceeds a pre-defined number of characters. 
     
     
         34 . The computer implemented method of  claim 33 , further comprising requesting said certain user to change said real password in case said real password is insufficiently robust. 
     
     
         35 . The computer implemented method of  claim 21 , wherein said attack vector comprises at least one action initiated by said potential attacker. 
     
     
         36 . The computer implemented method of  claim 35 , wherein said attack vector is a multi-stage attack vector comprising a plurality of actions initiated by said potential attacker, at least two of said plurality of actions are executed in at least one mode selected from: a series execution, a parallel execution. 
     
     
         37 . The computer implemented method of  claim 21 , wherein said deception environment is dynamically updated based on analysis of said attack vector in order to deceive said potential attacker to presume said deception environment is a real processing environment, said update includes updating at least one of: an information item of said certain user, a structure of said deception environment and a deployment of said deception environment. 
     
     
         38 . The computer implemented method of  claim 21 , further comprising extending said deception environment dynamically based on analysis of said attack vector in order to contain said attack vector. 
     
     
         39 . A system for containing a malicious attack within a deception environment by directing said malicious attack to a dynamically created deception environment, comprising:
 a program store storing a code; and   at least one processor on at least one decoy endpoint in a deception environment coupled to said program store for executing said stored code, said code comprising:
 code instructions to detect an attempt of a potential attacker to access a protected network by identifying false access information used by said potential attacker, wherein said false access information is associated with a certain user of said protected network; 
 code instructions to create dynamically a deception environment associated with said certain user within said protected network in response to said attempted access, wherein said deception environment comprises at least one member selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints; 
 code instructions to grant access to said potential attacker into said deception environment; and 
 code instructions to monitor an attack vector applied by said potential attacker using said false access information in said deception environment.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.