US20080016570A1 - System and method for analyzing unauthorized intrusion into a computer network - Google Patents

System and method for analyzing unauthorized intrusion into a computer network Download PDF

Info

Publication number
US20080016570A1
US20080016570A1 US11/788,795 US78879507A US2008016570A1 US 20080016570 A1 US20080016570 A1 US 20080016570A1 US 78879507 A US78879507 A US 78879507A US 2008016570 A1 US2008016570 A1 US 2008016570A1
Authority
US
United States
Prior art keywords
attack
network
operating system
signature
virtualized
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/788,795
Other versions
US20140373144A9 (en
Inventor
Alen Capalik
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/488,743 external-priority patent/US8429746B2/en
Application filed by Individual filed Critical Individual
Priority to US11/788,795 priority Critical patent/US20140373144A9/en
Publication of US20080016570A1 publication Critical patent/US20080016570A1/en
Priority to EP08745858.4A priority patent/EP2149087B1/en
Priority to JP2010504185A priority patent/JP5351883B2/en
Priority to AU2008242296A priority patent/AU2008242296B2/en
Priority to EP15174670.8A priority patent/EP2953049B1/en
Priority to PCT/US2008/060336 priority patent/WO2008130923A1/en
Priority to CA2689126A priority patent/CA2689126C/en
Priority to CA3013171A priority patent/CA3013171C/en
Priority to JP2013173175A priority patent/JP5579907B2/en
Priority to US14/542,376 priority patent/US9866584B2/en
Publication of US20140373144A9 publication Critical patent/US20140373144A9/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2123Dummy operation

Definitions

  • the invention relates to the field of methods and systems for protecting computer networks and is more particularly, but not by way of limitation, directed to decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems.
  • Computer networks typically interface with the Internet or other public computer systems and are thus vulnerable to attacks, unwanted intrusions and unauthorized access.
  • One threat to networks is the so-called zero-day attack that exploits security vulnerabilities unknown to the system operators.
  • Conventional network security systems include a firewall that generally prevents unauthorized access to the network or its computers.
  • Conventional systems also include intrusion detection systems (IDS) and intrusion prevention systems (IPS) that typically contain a library of signatures of malware payloads, which enable them to detect those defined exploits attempting to access production systems.
  • IDS intrusion detection systems
  • IPS intrusion prevention systems
  • the problem lies in the static nature of the conventional IDS and IPS signatures coupled with the ability of determined attackers to launch new undefined or zero-day automated attacks to gain access to the network. While an intrusion prevention system (IPS) equipped with behavioral signatures providing the ability to capture behavioral patterns offers a higher level of protection, these have similar drawbacks in that behavioral signatures are still static in nature and limited in their ability to stop zero-day attacks.
  • IPS intrusion prevention system
  • honeynet is made up of two or more honeypots on a network.
  • measures typically are made up of a computer, data or network site that appears to be part of the network and appears to be one or more valuable targets, but which is actually an isolated component located away from production networks. These are typically passive measures effective against spammers and other low-level attacks.
  • Such systems typically run emulated operating systems and services and are generally not useful against sophisticated attackers who can detect and effectively avoid the honeynet, never unloading their zero-day attack or payload for the honeynet to capture and analyze. Also, if the conventional honeynet configuration is not sufficiently separated from the network system, an attacker can use the honeynet to gain access to the network.
  • emulated or software based honeypots examples include “honeyd” which is a GPL licensed daemon that is utilized to simulate network structures.
  • emulated software based honeypots include “mwcollect” and “nepenthes” which are also released under the GPL license and which are utilized to collect malware. The “mwcollect” and “nepenthes” packages extract information on obtaining the malware binaries from the exploit payload.
  • the invention comprises a modular decoy network appliance, which runs fully functional operating systems on client hardware modules.
  • the modular arrangement comprises front-end fully functional operating system modules and a separate processing back-end module.
  • the front-end presents a standard fully functional operating system, such as Windows® or a flavor of Linux®, or Sun Microsystems Solaris® that returns a standard operating system fingerprint when it is scanned by tools that attackers typically use to identify vulnerable systems. The attacker is thus lured into accessing the identified operating system and running custom or known exploits on that system.
  • a standard fully functional operating system such as Windows® or a flavor of Linux®, or Sun Microsystems Solaris® that returns a standard operating system fingerprint when it is scanned by tools that attackers typically use to identify vulnerable systems. The attacker is thus lured into accessing the identified operating system and running custom or known exploits on that system.
  • the front-end module includes a sentinel kernel driver (or a more generalized executable module) that is hidden from system scanners as it is removed from kernel module listings or registry in Windows. Thus, the kernel does not indicate the sentinel kernel driver is running.
  • the sentinel kernel driver monitors connections to the operating system as well as activity on the operating system and activity on services running on the operating system. When an attacker connects to a port, the sentinel kernel driver captures the data coming through the socket. Generally all relevant data coming through the socket is captured. In most cases this means whatever data is received as part of an incoming attack is captured by the sentinel driver. Captured data is sent as a slew of common UDP packets to the back end processing module over the fabric network connection separate from the vulnerable front-end modules. In this manner, there is no way for the intruder to know that his or her communications with the operating system are being analyzed.
  • the captured data which contains the attack-identifying information, is sent to the back-end or processing module though the backplane fabric of the appliance using Layer 2 Ethernet communication protocol.
  • the processing module is separate and independent from the client operating system modules and communicates the processed information to security administrators through a network port connected to the private and secure VLAN. Unbeknownst to the intruder, the exploit is thus captured, transferred and analyzed.
  • the processing module With the received data, the processing module generates a report of the attack.
  • the report consists of user-friendly information that paints a picture of the attack for a system administrator. This may include information on which sockets were accessed, what happened at a particular socket, the key strokes entered or bytes transferred to the port, what files were transferred, registry changes, how the attack was run, what happened on the primary network, on its servers or how the network services were affected.
  • the report may also include information on the location of the attacker or the attacker's service provider. Graphical representations of key information and interactive mapping of the attack locales by region or country may be utilized in one or more embodiments of the invention.
  • the processing module is used to generate an attack signature by analyzing all the data passed through the socket.
  • the signature is generated by analyzing the attack payload including the keystrokes or transferred bytes and any files uploaded to the client operating system of an ASCII or binary nature.
  • the files uploaded are assumed to be of a malicious nature created to deliver a malicious payload in the form of a compiled program or an interpreted script.
  • the signature generation engine analyzes all the keystrokes or bytes delivered through the socket and creates a pattern signature which when applied to an IDS or IPS system, enables the IDS or IPS systems to detect the attack if repeated on production systems.
  • the attack signatures can be viewed by a system administrator to determine the appropriate course of action.
  • the system administrator can instruct the signature to be uploaded to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network where it is added to the IDS's or IPS's library of signatures to protect production systems.
  • the signature may be uploaded or saved in a third party system that maintains all known exploits. In this manner, other systems may be notified through secure channels of an impending threat. For example, by transferring the signature to a centralized server that communicates with multiple installations, the intruder may be thwarted before attacking other systems in other companies.
  • a production network's library of signatures can be updated in real-time as the attacker modifies its illicit activity or a new attack is launched.
  • the embodiment can also maintain a database of any and all attack signatures generated.
  • Another embodiment provides a system and method for analyzing unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems.
  • a network attack on the virtualized operating system is then intercepted by a virtual-machine-based rootkit module running on the hypervisor operating system.
  • the attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data.
  • a signature generation engine uses this forensic data to generate a signature of the attack.
  • An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks
  • FIG. 1 illustrates a block diagram of an embodiment of the system
  • FIG. 2 illustrates a flow chart of an embodiment of the processing that occurs on processing module 40 ;
  • FIG. 3 illustrates a human readable summary of an example attack
  • FIG. 4 illustrates an XML formatted attack signature generated from the attack summarized in FIG. 3 for transmittal to an IDS or IPS;
  • FIG. 5 illustrates a block diagram of another embodiment of the system.
  • FIG. 1 illustrates attacker activity 10 directed at protected computer network 20 .
  • attack 10 is scanning for an open port on computer network 20 in an attempt to make a connection and then access one or more protected network devices 20 a on network 20 .
  • Monitor/intercept module 30 comprises fully functioning decoy operating system 32 that monitors each of the access ports for network 20 .
  • Any operating system may be used as decoy operating system 32 including Windows®, Sun Microsystems Solaris® or any version of Linux® known to persons skilled in the art. All known operating systems are within the scope of the present invention.
  • FIG. 1 shows one monitoring/intercept module 30 in the foreground, however any number of homogeneous or heterogeneous monitoring/intercept modules may be utilized (shown as a stack behind monitor/intercept module 30 ).
  • a Windows® monitoring/intercept module 30 and LINUX® monitoring/intercept module 30 may be employed.
  • Monitoring/intercept module 30 also includes sentinel kernel driver 34 which will be described in further detail below.
  • Protected network devices 20 a are accessed through IDS/IPS with Library of Signatures 62 in one or more embodiments of the invention.
  • the system also includes processing module 40 for obtaining and analyzing exploits.
  • the fully functional decoy operating system 32 intercepts the connection and returns a standard operating system fingerprint.
  • decoy 30 may be configured to respond to any such incorrect address since the connection is assumed to be malicious as there is no hardware on protected network 20 at that address.
  • the response may be configured to utilize any existing hardware module having a given operating system and version within monitoring/intercept module 30 .
  • an FTP port access for Windows® may return a particular character sequence that is different than an FTP response for LINUX®.
  • An FTP access to a Windows® port for example may return a response “>ftp: connect: Connection refused”.
  • This characters sequence may be slightly different on LINUX® and hence allows the intruder to determine what type of operating system is at a particular network address.
  • different versions of Windows® may respond with slightly different character sequences which allows the intruder to determine the specific version of the operating system or to determine a possible range of versions for the responding operating system.
  • the instigator of attack 10 is thus lured into accessing decoy 100 , which includes monitor/intercept module 30 , and running custom or known exploits for the observed operating system.
  • the attacker activity proceeds to interact with decoy 100 , the attacker provides decoy 100 with the data used to obtain control of decoy 100 , which is recorded and analyzed without knowledge of the attacker.
  • attack 10 All scans by attack 10 receive real-world operating system information, thus leading the instigator of the attack 10 to believe that there is a potentially vulnerable system responding and thus luring attack 10 into communicating with monitor/intercept module 30 . Since real hardware is utilized, the attacker is attacking an actual physical system and thus has no idea that the system is actually an instrumented honeypot that monitors the attackers every move.
  • Monitor/intercept module 30 includes sentinel kernel driver 34 .
  • sentinel kernel driver 34 is a combination of custom root-kit code that on Windows® based operating systems removes pointers from Microsoft® client/server runtime server subsystem (CSRSS.exe). This coupled with removing sentinel kernel driver 34 from the Windows® registry effectively hides sentinel kernel driver 34 and all its drivers from attack 10 .
  • the kernel pointers are removed making the kernel unable to link to a running process, effectively hiding sentinel kernel driver 34 and all its libraries from attack 10 .
  • Sentinel kernel driver 34 monitors all data coming through the socket and is derived from an open source code, such as libpcap, known to persons skilled in the art.
  • sentinel 34 monitors and captures information from the connection including port numbers, data streams, keystrokes, file uploads and any other data transfers.
  • Processing module 40 may optionally include a sentinel server that receives information from the sentinel kernel driver and deposits the information in a database for later analysis.
  • the monitor/intercept module 30 is a front-end module or series of modules and the captured data is sent to processing module 40 though the backplane of the appliance or appliances through a layer 2 Ethernet communications link not available to the attacker such as an IP connection or any other hardware dependent custom communication protocol known to persons skilled in the art.
  • Processing module 40 is part of a secure and separate administrative network 42 .
  • the signature may be sent from the back end processing module 40 to IDS/IPS 62 through a second network connection which is used by the processing module 40 to directly interact with IDS/IPS 62 .
  • the sentinel kernel driver may utilize replay functionality to replay the attacks on the operating system in reverse to clean up the operating system to its pre-attack state. In this manner, the attack can be thwarted and the operating system thus does not become a tool of the hacker.
  • processing starts at 200 and waits for activity from sentinel kernel driver 34 at step 43 .
  • processing module 40 generates a report of the attack that includes attack-identifying information (See FIG. 3 ). This report is for the use and review by a system administrator who is responsible for administering protected network 20 .
  • the attack may contain one or more data transfers or keystrokes for example, which are analyzed at step 46 .
  • determination whether to generate an attack signature is made at step 48 and the attack signature is generated at step 52 (See FIG. 4 ). If the attacker for example is unsuccessful at gaining access or if there is no data transfer for example, then the attack inquiry may be ended at step 50 . Any generated attack signature is sent to the IDS/IPS at step 56 and processing continues at step 43 .
  • the report is written, and is displayed in an web-based visualization interface and can include information about which sockets were accessed by attack 10 , what happened at a particular socket, the key strokes entered or data transferred, what files were transferred, how the attack 10 was run, what happened on monitor/intercept module 30 and how decoy operating system 32 and any related network services were affected.
  • the report may also include information on the location of the instigator of attack 10 or the service provider used for attack 10 . Graphical representations of key information and interactive mapping of attack locales by region or country may also be included in the report.
  • the attack-identifying information is analyzed for known attack patterns and non-standard patterns such as repeating binary patterns, keystroke patterns, downloaded daemons or errors such as buffer overflow attempts.
  • the attack may be categorized and analyzed to determine for example how an attack gains control of decoy operating system 32 .
  • Any method of analyzing the incoming data such as binary matching, neural network matching or keyword matching or any other method of matching attack-identifying information is in keeping with the spirit of the invention.
  • step 48 a decision is made as to whether to generate an attack signature. If no harmful operations occurred as a result of attack 10 or when no known attack patterns are found, then no further attack inquiry would be needed as shown in step 50 .
  • the processing module 40 can then take on the next input of captured information from the monitor/intercept module 30 .
  • an attack signature is generated as illustrated in step 52 .
  • Processing module 40 may generate a signature whenever data is found to be transferred through the socket in one or more embodiments of the invention. Alternatively, if the attack signature already exists or if the data transfer is of a nature that indicates probing rather than attack, then the attack signature may not be generated. For example, processing module 40 may not generate a signature when it is found that no data has been transferred through the socket even though the socket may have been opened and closed without data transfer.
  • the signature can be reviewed by the system administrator who decides to send the attack signature, shown in step 56 , to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network 20 through a standard network connection including a wireless connection that is generally not sent on protected network 20 or any other network that the attacker may observe.
  • IDS intrusion detection system
  • IPS intrusion prevention system
  • Embodiments of step 56 may save the generated attack signatures in a database for future use or further analysis by system administrators.
  • the signatures may also be sent to a proprietary global database of attack signatures for further analysis.
  • Any IDS/IPS may be utilized in one or more embodiments of the invention. Existing IDS/IPS systems for example may be interfaced with in order to integrate with existing solutions.
  • FIG. 3 illustrates a human readable summary of an example attack.
  • Line 300 shows that the file “msprexe.exe” is copied into the “System” directory.
  • Line 301 shows a first registry entry created by the attack.
  • Line 302 shows a second registry entry created by the attack. Any other changes to the system may be shown, as part of the attack-identifying information and the information shown in FIG. 3 is exemplary only.
  • FIG. 4 illustrates an XML formatted attack signature generated from the attack summarized in FIG. 3 for transmittal to an IDS or IPS.
  • XML block 400 includes tags that define the attack signature in the format of the particular IDS or IPS. Any tags used by any IDS or IPS are in keeping with the spirit of the invention and the tags shown in FIG. 4 are exemplary only. For example any ports, protocols, severity levels, alarm levels, signature name or any other quantity may be utilized to inform an IDS or IPS of an attack signature.
  • FIG. 5 Another embodiment of a system for analyzing and preventing unauthorized intrusion into a computer network is shown in FIG. 5 .
  • This embodiment is directed to an improved method and system for analyzing unauthorized intrusion into a decoy computer network, the analysis of which is used to prevent unauthorized access into a protected computer network.
  • An embodiment of such a system is illustrated in FIG. 5 , while the method remains as shown in the flowchart in FIG. 2 above.
  • the system 500 includes a decoy computer network 502 and a protected computer network 504 , each comprising one or more separate computing devices.
  • the decoy computer network 502 includes a virtualized operating system module 506 for monitoring the decoy network 502 , and a processing module 508 for obtaining, analyzing, and responding to exploits.
  • modules may be hosted on the same computing device or on separate computing devices. However, for ease of explanation, these modules will be described below as being hosted on separate computing devices. Furthermore, although not shown, one skilled in the art will appreciate that each of these computing devices may include one or more processors, input/output devices, communication circuitry, power sources, memory (both physical, e.g., RAM, and disks, e.g., hard disk drives), and any other physical hardware necessary for hosting and running the aforementioned modules. In some embodiments, the modules 506 and 508 are as present in physical memory once the system has been booted and is operational.
  • the virtualized operating system module 506 includes a hypervisor operating system 510 (also known as a virtual machine monitor operating system) that provides a virtualization platform that allows multiple virtual operating systems to be run on a host computing device at the same time.
  • the hypervisor operating system 510 is a LINUX-based system.
  • One or more fully-functioning “guest” virtualized operating systems 512 are run on the hypervisor operating system 510 at a level above the hardware. As will be described in detail below, these virtualized operating systems 512 act as decoy operating systems to attract attacker activity 550 .
  • Any operating system may be used as guest decoy operating system 512 , including but not limited to WINDOWS, SUN MICROSYSTEMS, SOLARIS, or any version of LINUX known to persons skilled in the art, as well as any combination of the aforementioned. It should be appreciated that all known operating systems are within the scope of the present invention. There is also no limit to either the number of virtualized guest decoy operating systems 512 or the number of virtualized guest operating system modules 506 that may be utilized.
  • the hypervisor operating system 510 includes a hypervisor kernel 516 , which in some embodiments is also Linux-based.
  • the hypervisor kernel 516 is that part of the hypervisor operating system 510 that resides in physical memory at all times and provides the basic services to the hypervisor operating system 510 .
  • the hypervisor kernel 516 is the part of the operating system that activates the hardware directly or interfaces with another software layer that, in turn, drives the hardware.
  • the virtualized decoy operating systems 512 access the physical memory assigned to them by the hypervisor operating system via the hypervisor kernel 516 .
  • the hypervisor kernel 516 includes a hypervisor virtual machine kernel module 518 that supports virtualization of the “guest” decoy operating systems 512 .
  • the hypervisor kernel 516 also includes virtual-machine-based rootkit module 520 coupled to the hypervisor virtual machine kernel module 516 .
  • the virtual-machine-based rootkit module 520 is a set of software tools that conceal running processes, files or system data from the virtualized decoy operating systems 512 .
  • the virtual-machine-based rootkit module 520 is part of introspection module 538 , which performs introspection into the physical memory segments assigned to each of the virtualized decoy operating systems 512 .
  • Virtual-machine-based rootkit userland processes 522 run on top of the virtual-machine-based rootkit module 520 . Together, the rootkit module 520 and its associated userland processes 522 constitute the system's introspection module 538 (described further below). Virtual-machine-based rootkit userland processes 522 also pass data from the introspection module 538 to the processing module 508 .
  • attacker activity 550 is directed at the decoy computer network 502 through one or more ports of each of the virtualized decoy operating systems 512 that are left open as a gateway for attacker activity 550 .
  • the decoy network 502 can be configured to respond to connection attempts made at network addresses that do not exist on the protected network 504 . Connections to these non-existent network addresses are assumed to be malicious, since no production hardware exists on the protected network 504 at these addresses. Decoys 512 (in the form of a virtualized operating system) may be configured to respond to any such non-existent network address.
  • the attacker activity 550 scans for an open port, ostensibly in an attempt to make a network connection and then access one or more computing devices on the protected computer network 504 .
  • the attacker activity 550 scans for open ports at non-existent network addresses, however, the attacker is presented with a virtualized decoy operating system 512 instead.
  • an FTP port access request for WINDOWS may return a specific character sequence that differs from an FTP response for LINUX.
  • an FTP access request to a WINDOWS port may return a response “>ftp: connect: Connection refused.” This character sequence may be slightly different from that generated by LINUX.
  • WINDOWS may respond with slightly different, version-specific character sequences. Since attackers often use these sequences to identify what type of operating system is at a particular network address and the version (or range of possible versions) for that operating system, the fact that virtualized decoy operating systems 512 generate authentic responses makes them realistic decoys and encourages intruders to access them. The instigator of the attack 550 is thus lured into accessing the decoy 512 , which is overseen by the hypervisor operating system 510 running on the hardware-based, virtualized operating system module 506 . Attacker activity 550 may then initiate custom or known exploits for the observed operating system. When the attacker activity 550 proceeds to interact with the decoy 512 , the attacker provides the decoy 512 with the data used to obtain control of the decoy 512 . These data are recorded and analyzed without the knowledge of the attacker, as described further below.
  • the virtualized guest operating system module 506 includes the virtual machine-based rootkit module 520 and its associated userland processes 522 . Since both the virtual machine-based rootkit module 520 and its associated userland processes 522 run completely outside the virtualized decoy operating systems 512 , they remain hidden from the instigator of the attack, with no discoverable impact on the decoy operating systems' 512 performance.
  • the virtual machine-based rootkit module 520 and its associated userland processes 522 constitute an introspection module 538 (also known as a virtual machine-based memory introspection analysis tool) that monitors and introspects into the virtualized decoy operating systems' memory segments. This occurs from within the hypervisor operating system 510 .
  • the introspection module 538 introspects and gathers information on any virtualized operating system supported by the hypervisor operating system 510 .
  • the introspection module 538 comprising the virtual-machine-based rootkit module 520 and its associated userland processes 522 examines the memory assigned to virtualized decoy operating systems 512 in order to acquire low-level data about the interaction between the decoy operating systems and attack activity 500 .
  • the introspection module 538 examines the memory of virtualized decoy operating systems 512 by means of three functional components: a code region selector, a trace instrumentor, and a trace analyzer. Regular expressions (also known as ‘regex’) are used throughout the process to identify, describe, and profile the contents of the virtualized decoy's memory segments.
  • the code selector identifies regions of code in memory that are of interest for further introspection.
  • Regions of interest may include, but are not limited to, system calls, the arguments of system calls, the returns of system calls, device and memory input-output, driver information, library calls, branching information, instruction pointer jumps, and raw network information.
  • the instrumentor copies the memory traces of interest identified by the code selector and then profiles and instruments them.
  • the trace analyzer takes the instrumented traces and uses them to replay the memory behavior of the decoy operating system 512 .
  • the introspection module 538 examines the contents of the decoy operating systems' 512 memory segments in an instrumented context that generates and retrieves forensic data for analysis by the processing module 508 .
  • the introspection module 538 monitors and captures information from the connection, including port numbers, data streams, file uploads, keystrokes, ASCII or binary files, malicious payloads, memory manipulation attempts, and any other data transfers or malicious attempts.
  • the captured information, containing attack-identifying information, is then sent from the introspection module 538 to the processing module 508 by means of a virtual machine-based rootkit userland process 522 .
  • the processing module 508 includes an operating system kernel 526 , which in some embodiments is also LINUX based.
  • the processing module 508 also includes a database, such as a relational database server 528 , and a signature-generation engine 530 .
  • the signature-generation engine 530 communicates with the introspection module 538 over a private network interface communications channel 534 and accepts custom-formatted protocol packets named BAT (Blade Activity Transfer).
  • the private network interface communications channel 524 may be a persistent Layer 3 TCP socket communications link that cannot be seen or accessed by the attacker (such as an IP connection or any other hardware-dependent custom communication protocol known to persons skilled in the art).
  • the processing module 508 is part of a secure and separate administrative network.
  • the introspection module 538 captures (through introspection) attack information.
  • the attack information is then communicated through the private network interface channel 524 and stored on the relational database server 528 as forensic data for later analysis.
  • the signature-generation engine 530 then uses this forensic data to generate a signature of the attack.
  • the entire process from attack detection through signature generation may occur automatically, i.e., without any human intervention, at a timescale ranging from nearly immediate to several minutes.
  • the intrusion prevention system (described below) uses the attack signature to identify and prevent subsequent attacks.
  • the protected computer network 504 includes an IDS/IPS library of signatures 534 and an IDS/IPS system 542 coupled to multiple protected network devices 536 .
  • Suitable IDS/IPS systems 542 include Cisco Systems' IPS 4200 Series, Juniper's IDP 200 , and Enterasys' Dragon IDS Network Sensor.
  • the signature may be sent from the back-end processing module 508 to the intrusion detection and/or prevention (IDS/IPS) signature library 534 through a second network connection 540 , which is used by the processing module 508 to directly interact with the IDS/IPS system 542 .
  • the virtual-machine-based rootkit module 520 may easily clean the virtualized decoy operating system 512 at any time by removing the running system image of the compromised virtualized decoy operating system and replacing it with a pre-attack system image.
  • the virtual-machine-based rootkit module 520 can cleanse or reset the virtualized decoy operating system of any malicious software or payload, removing the possibility that attacker(s) can use that virtualized decoy operating system 512 for further attacks on other networks. In this manner, the attack can be thwarted, and the operating system does not become a tool of the attacker(s).
  • This procedure may also be automated, i.e., may occur without further human intervention.
  • processing starts at Step 200 and waits for activity from the introspection module 538 at Step 43 .
  • the processing module 508 generates a report of the attack that includes attack-identifying information (See FIG. 3 ). This report is for review and use by a system administrator responsible for the security of a protected network 504 .
  • the attack may contain, but is not limited to, one or more data transfers or keystrokes, which are analyzed at Step 46 .
  • a determination can be made at Step 48 as to whether an attack signature should be generated, and the attack signature is created at step 52 (See FIG. 4 ). If the attacker, for example, is unsuccessful at gaining access, or if there is no data transfer, the attack inquiry may be ended at Step 50 . Any attack signature generated is sent to the IDS/IPS signature library 534 at Step 56 , and processing continues at Step 43 .
  • the report of the attack is written and then displayed via a visualization interface 532 and can include information about which sockets were accessed by the attack 550 , what happened at a particular socket, the keystrokes entered or data transferred, what files were transferred, how the attack 550 was run, what happened on the virtualized operating system module 506 , and how the virtualized decoy operating systems 512 running on the hypervisor operating system 510 and any related network services were affected.
  • the visualization interface 532 is AJAX- and/or FLASH-based.
  • the report may also include information on the location of the instigator of the attack 550 or the service provider used for the attack. Graphical representations of key information and interactive mapping of attack locales by region or country may also be included in the report.
  • the visualization interface may also be used to analyze, configure, and automate the system's response to attack activity 550 on timescales ranging from near-immediate to several minutes from the initiation of an attack.
  • the attack-identifying information is analyzed for known attack patterns as well as non-standard patterns, such as repeating binary patterns, keystroke patterns, downloaded daemons, or errors (such as buffer overflow attempts, malicious payloads attempting to execute arbitrary code on the system, memory overwriting attempts, stack attacks, and heap attacks).
  • the attack 550 may be categorized and analyzed to determine, for example, how an attack gained control of the decoy operating system(s) 512 . Any method of analyzing the incoming data such as binary matching, neural-network matching, keyword matching, or any other method of matching attack-identifying information is in keeping with the spirit of the invention.
  • Pattern-matching techniques involving neural networks are characterized in Carl Looney's Pattern Recognition Using Neural Networks. Theory and Algorithms for Engineers and Engineers (Oxford University Press USA, New York, N.Y., 1997) and Christopher Bishop's Neural Networks for Pattern Recognition (Oxford University Press USA, New York, N.Y., 1995), among other sources familiar to those skilled in the art.
  • Step 48 a decision is made as to whether to generate an attack signature. If no harmful operations occurred as a result of an attack, or when no known attack patterns are found, then no further attack inquiry would be needed (as shown at Step 50 ).
  • the processing module 508 may then take on the next input of captured information from the introspection module 538 running on the hardware-based, virtualized operating system module 506 .
  • an attack signature is generated as illustrated in Step 52 .
  • the processing module 508 may generate a signature whenever data is found to be transferred through the socket. Alternatively, if the attack signature already exists, or if the data transfer is of a nature that indicates probing rather than attack, then the attack signature may not be generated. For example, the processing module 508 may not generate a signature when it is found that no data has been transferred through the socket, even though the socket may have been opened and closed.
  • the conditions under which the processing module 508 generates an attack can be configured and automated by an administrator.
  • the signature can be reviewed by the system administrator, who decides whether to send the attack signature (shown at Step 56 ) to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network 504 .
  • the attack signature is sent through a standard network connection or via a wireless connection and is generally sent on a private portion of the protected network 504 that the attacker cannot observe.
  • the generated attack signature is thus applied to the IDS/IPS library of signatures 534 , thereby updating the information contained in the signature library and preventing the attacker from accessing the protected network 504 .
  • Embodiments of the invention may save the attack signatures created at Step 52 in a relational database server 528 for future use or analysis by system administrators.
  • the signatures may also be sent to a proprietary global database of attack signatures for further analysis, storage, and distribution.
  • Any IDS/IPS system may be utilized in one or more embodiments of the invention.
  • the invention may be interfaced with existing IDS/IPS systems, for example to integrate it with existing solutions.
  • FIG. 3 illustrates a human-readable summary of an example attack.
  • Line 300 shows that the file “msprexe.exe” is copied into the “System” directory.
  • Line 301 shows a first registry entry created by the attack.
  • Line 302 shows a second registry entry created by the attack. Any other changes to the system may be shown as part of the attack-identifying information, and the information shown in FIG. 3 is exemplary only.
  • FIG. 4 illustrates an attack signature generated from the attack summarized in FIG. 3 and formatted in XML for transmission to an IDS or IPS.
  • XML Block 400 includes tags that define the attack signature in the format of the particular IDS or IPS. Any tags used by any IDS or IPS are in keeping with the spirit of the invention, and the tags shown in FIG. 4 are exemplary only. For example, any ports, protocols, severity levels, alarm levels, signature name, or any other quantity, may be utilized to inform an IDS or IPS of an attack signature.

Abstract

The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases.

Description

  • This is a Continuation-In-Part, and claims priority to and the benefit of: U.S. Ser. No. 11/488,743, entitled “Decoy Network Technology With Automatic Signature Generation for Intrusion Detection and Intrusion Prevention Systems” filed on Jul. 17, 2006, the entire disclosure of which is incorporated herein by reference.
    • FIELD
  • The invention relates to the field of methods and systems for protecting computer networks and is more particularly, but not by way of limitation, directed to decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems.
    • BACKGROUND
  • Computer networks typically interface with the Internet or other public computer systems and are thus vulnerable to attacks, unwanted intrusions and unauthorized access. One threat to networks is the so-called zero-day attack that exploits security vulnerabilities unknown to the system operators.
  • Conventional network security systems include a firewall that generally prevents unauthorized access to the network or its computers. Conventional systems also include intrusion detection systems (IDS) and intrusion prevention systems (IPS) that typically contain a library of signatures of malware payloads, which enable them to detect those defined exploits attempting to access production systems. When a connection is attempted to a network port, the IDS or IPS examines the low-level IP data packets and compares them to its library of signatures for a match. When a match is identified the IDS or IPS provides notification of the match.
  • The problem lies in the static nature of the conventional IDS and IPS signatures coupled with the ability of determined attackers to launch new undefined or zero-day automated attacks to gain access to the network. While an intrusion prevention system (IPS) equipped with behavioral signatures providing the ability to capture behavioral patterns offers a higher level of protection, these have similar drawbacks in that behavioral signatures are still static in nature and limited in their ability to stop zero-day attacks.
  • Still another type of network security systems utilizes a honeynet arrangement to attract and then trap a suspected attacker. A honeynet is made up of two or more honeypots on a network. Such measures typically are made up of a computer, data or network site that appears to be part of the network and appears to be one or more valuable targets, but which is actually an isolated component located away from production networks. These are typically passive measures effective against spammers and other low-level attacks. Such systems typically run emulated operating systems and services and are generally not useful against sophisticated attackers who can detect and effectively avoid the honeynet, never unloading their zero-day attack or payload for the honeynet to capture and analyze. Also, if the conventional honeynet configuration is not sufficiently separated from the network system, an attacker can use the honeynet to gain access to the network. Examples of emulated or software based honeypots include “honeyd” which is a GPL licensed daemon that is utilized to simulate network structures. Another example of emulated software based honeypots include “mwcollect” and “nepenthes” which are also released under the GPL license and which are utilized to collect malware. The “mwcollect” and “nepenthes” packages extract information on obtaining the malware binaries from the exploit payload.
  • Because each of the problems and limitations discussed above exist in the prior art devices and systems, there is a need for methods and systems that adequately protect networks from new and undefined attacks and that allow for real-time updates to a network's library of attack signatures.
    • SUMMARY
  • One or more embodiments of the invention are directed to an improved method and system for protecting computer networks. In one embodiment, the invention comprises a modular decoy network appliance, which runs fully functional operating systems on client hardware modules. The modular arrangement comprises front-end fully functional operating system modules and a separate processing back-end module.
  • The front-end presents a standard fully functional operating system, such as Windows® or a flavor of Linux®, or Sun Microsystems Solaris® that returns a standard operating system fingerprint when it is scanned by tools that attackers typically use to identify vulnerable systems. The attacker is thus lured into accessing the identified operating system and running custom or known exploits on that system.
  • The front-end module includes a sentinel kernel driver (or a more generalized executable module) that is hidden from system scanners as it is removed from kernel module listings or registry in Windows. Thus, the kernel does not indicate the sentinel kernel driver is running. The sentinel kernel driver monitors connections to the operating system as well as activity on the operating system and activity on services running on the operating system. When an attacker connects to a port, the sentinel kernel driver captures the data coming through the socket. Generally all relevant data coming through the socket is captured. In most cases this means whatever data is received as part of an incoming attack is captured by the sentinel driver. Captured data is sent as a slew of common UDP packets to the back end processing module over the fabric network connection separate from the vulnerable front-end modules. In this manner, there is no way for the intruder to know that his or her communications with the operating system are being analyzed.
  • The captured data, which contains the attack-identifying information, is sent to the back-end or processing module though the backplane fabric of the appliance using Layer 2 Ethernet communication protocol. The processing module is separate and independent from the client operating system modules and communicates the processed information to security administrators through a network port connected to the private and secure VLAN. Unbeknownst to the intruder, the exploit is thus captured, transferred and analyzed.
  • With the received data, the processing module generates a report of the attack. The report consists of user-friendly information that paints a picture of the attack for a system administrator. This may include information on which sockets were accessed, what happened at a particular socket, the key strokes entered or bytes transferred to the port, what files were transferred, registry changes, how the attack was run, what happened on the primary network, on its servers or how the network services were affected. The report may also include information on the location of the attacker or the attacker's service provider. Graphical representations of key information and interactive mapping of the attack locales by region or country may be utilized in one or more embodiments of the invention.
  • The processing module is used to generate an attack signature by analyzing all the data passed through the socket. The signature is generated by analyzing the attack payload including the keystrokes or transferred bytes and any files uploaded to the client operating system of an ASCII or binary nature. The files uploaded are assumed to be of a malicious nature created to deliver a malicious payload in the form of a compiled program or an interpreted script. In the event that no malicious files are uploaded to the operating system, the signature generation engine analyzes all the keystrokes or bytes delivered through the socket and creates a pattern signature which when applied to an IDS or IPS system, enables the IDS or IPS systems to detect the attack if repeated on production systems. Once generated, the attack signatures can be viewed by a system administrator to determine the appropriate course of action. The system administrator can instruct the signature to be uploaded to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network where it is added to the IDS's or IPS's library of signatures to protect production systems. In one or more embodiments of the invention, the signature may be uploaded or saved in a third party system that maintains all known exploits. In this manner, other systems may be notified through secure channels of an impending threat. For example, by transferring the signature to a centralized server that communicates with multiple installations, the intruder may be thwarted before attacking other systems in other companies.
  • A production network's library of signatures can be updated in real-time as the attacker modifies its illicit activity or a new attack is launched. The embodiment can also maintain a database of any and all attack signatures generated. Other and further advantages will be disclosed and identified in the description and claims and will be apparent to persons skilled in the art.
  • Another embodiment provides a system and method for analyzing unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by a virtual-machine-based rootkit module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates a block diagram of an embodiment of the system;
  • FIG. 2 illustrates a flow chart of an embodiment of the processing that occurs on processing module 40;
  • FIG. 3 illustrates a human readable summary of an example attack;
  • FIG. 4 illustrates an XML formatted attack signature generated from the attack summarized in FIG. 3 for transmittal to an IDS or IPS; and
  • FIG. 5 illustrates a block diagram of another embodiment of the system.
    • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
  • The following descriptions of embodiments of the invention are exemplary, rather than limiting, and many variations and modifications are within the scope and spirit of the invention. Although numerous specific details are set forth in order to provide a thorough understanding of the present invention, it will be apparent to one of ordinary skill in the art, that embodiments of the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail in order to avoid unnecessarily obscuring the present invention.
  • One or more embodiments of the invention are directed to an improved method and system for protecting computer networks. One embodiment is illustrated in FIG. 1, which illustrates attacker activity 10 directed at protected computer network 20. As in a typical attack, attack 10 is scanning for an open port on computer network 20 in an attempt to make a connection and then access one or more protected network devices 20 a on network 20.
  • Attack 10 is monitored by decoy 100 that includes at least one monitor/intercept module 30. Monitor/intercept module 30 comprises fully functioning decoy operating system 32 that monitors each of the access ports for network 20. Any operating system may be used as decoy operating system 32 including Windows®, Sun Microsystems Solaris® or any version of Linux® known to persons skilled in the art. All known operating systems are within the scope of the present invention. FIG. 1 shows one monitoring/intercept module 30 in the foreground, however any number of homogeneous or heterogeneous monitoring/intercept modules may be utilized (shown as a stack behind monitor/intercept module 30). For example, in one embodiment of the invention a Windows® monitoring/intercept module 30 and LINUX® monitoring/intercept module 30 may be employed. There is no limit to the number of monitoring/intercept modules that may be utilized in the system and other embodiments may employ homogeneous decoy operating systems 32 that are of the same or of different versions. Monitoring/intercept module 30 also includes sentinel kernel driver 34 which will be described in further detail below. Protected network devices 20 a are accessed through IDS/IPS with Library of Signatures 62 in one or more embodiments of the invention. The system also includes processing module 40 for obtaining and analyzing exploits.
  • When attack 10 connects to an access port of network 20, the fully functional decoy operating system 32 intercepts the connection and returns a standard operating system fingerprint. For example when connecting to an address that does not exist on protected network 20, decoy 30 may be configured to respond to any such incorrect address since the connection is assumed to be malicious as there is no hardware on protected network 20 at that address. The response may be configured to utilize any existing hardware module having a given operating system and version within monitoring/intercept module 30. For example, an FTP port access for Windows® may return a particular character sequence that is different than an FTP response for LINUX®. An FTP access to a Windows® port for example may return a response “>ftp: connect: Connection refused”. This characters sequence may be slightly different on LINUX® and hence allows the intruder to determine what type of operating system is at a particular network address. In addition, different versions of Windows® may respond with slightly different character sequences which allows the intruder to determine the specific version of the operating system or to determine a possible range of versions for the responding operating system. The instigator of attack 10 is thus lured into accessing decoy 100, which includes monitor/intercept module 30, and running custom or known exploits for the observed operating system. When attacker activity proceeds to interact with decoy 100, the attacker provides decoy 100 with the data used to obtain control of decoy 100, which is recorded and analyzed without knowledge of the attacker.
  • All scans by attack 10 receive real-world operating system information, thus leading the instigator of the attack 10 to believe that there is a potentially vulnerable system responding and thus luring attack 10 into communicating with monitor/intercept module 30. Since real hardware is utilized, the attacker is attacking an actual physical system and thus has no idea that the system is actually an instrumented honeypot that monitors the attackers every move.
  • Monitor/intercept module 30 includes sentinel kernel driver 34. In one embodiment, sentinel kernel driver 34 is a combination of custom root-kit code that on Windows® based operating systems removes pointers from Microsoft® client/server runtime server subsystem (CSRSS.exe). This coupled with removing sentinel kernel driver 34 from the Windows® registry effectively hides sentinel kernel driver 34 and all its drivers from attack 10. On Unix® based operating systems, the kernel pointers are removed making the kernel unable to link to a running process, effectively hiding sentinel kernel driver 34 and all its libraries from attack 10. Sentinel kernel driver 34 monitors all data coming through the socket and is derived from an open source code, such as libpcap, known to persons skilled in the art.
  • When an attacker connects to a port, and begins interacting with decoy operating system 32, sentinel 34 monitors and captures information from the connection including port numbers, data streams, keystrokes, file uploads and any other data transfers.
  • The captured information, or attack-identifying information, is then sent for processing to processing module 40 as illustrated in FIG. 1. Processing module 40 may optionally include a sentinel server that receives information from the sentinel kernel driver and deposits the information in a database for later analysis. In one embodiment, the monitor/intercept module 30 is a front-end module or series of modules and the captured data is sent to processing module 40 though the backplane of the appliance or appliances through a layer 2 Ethernet communications link not available to the attacker such as an IP connection or any other hardware dependent custom communication protocol known to persons skilled in the art. Processing module 40 is part of a secure and separate administrative network 42. In one or more embodiments the signature may be sent from the back end processing module 40 to IDS/IPS 62 through a second network connection which is used by the processing module 40 to directly interact with IDS/IPS 62. The sentinel kernel driver may utilize replay functionality to replay the attacks on the operating system in reverse to clean up the operating system to its pre-attack state. In this manner, the attack can be thwarted and the operating system thus does not become a tool of the hacker.
  • As shown in FIG. 2, processing starts at 200 and waits for activity from sentinel kernel driver 34 at step 43. In step 44, processing module 40 generates a report of the attack that includes attack-identifying information (See FIG. 3). This report is for the use and review by a system administrator who is responsible for administering protected network 20. The attack may contain one or more data transfers or keystrokes for example, which are analyzed at step 46. By observing whether the attacker is successful in interacting with the system, i.e., if the system is responding in a manner that shows that the attacker has gained access, then determination whether to generate an attack signature is made at step 48 and the attack signature is generated at step 52 (See FIG. 4). If the attacker for example is unsuccessful at gaining access or if there is no data transfer for example, then the attack inquiry may be ended at step 50. Any generated attack signature is sent to the IDS/IPS at step 56 and processing continues at step 43.
  • In one embodiment of the invention, the report is written, and is displayed in an web-based visualization interface and can include information about which sockets were accessed by attack 10, what happened at a particular socket, the key strokes entered or data transferred, what files were transferred, how the attack 10 was run, what happened on monitor/intercept module 30 and how decoy operating system 32 and any related network services were affected. The report may also include information on the location of the instigator of attack 10 or the service provider used for attack 10. Graphical representations of key information and interactive mapping of attack locales by region or country may also be included in the report.
  • In step 46, the attack-identifying information is analyzed for known attack patterns and non-standard patterns such as repeating binary patterns, keystroke patterns, downloaded daemons or errors such as buffer overflow attempts. By observing the operations performed on decoy operating system 32 the attack may be categorized and analyzed to determine for example how an attack gains control of decoy operating system 32. Any method of analyzing the incoming data such as binary matching, neural network matching or keyword matching or any other method of matching attack-identifying information is in keeping with the spirit of the invention.
  • In step 48, a decision is made as to whether to generate an attack signature. If no harmful operations occurred as a result of attack 10 or when no known attack patterns are found, then no further attack inquiry would be needed as shown in step 50. The processing module 40 can then take on the next input of captured information from the monitor/intercept module 30.
  • If a determination is made that attack signature generation is warranted, an attack signature is generated as illustrated in step 52. Processing module 40 may generate a signature whenever data is found to be transferred through the socket in one or more embodiments of the invention. Alternatively, if the attack signature already exists or if the data transfer is of a nature that indicates probing rather than attack, then the attack signature may not be generated. For example, processing module 40 may not generate a signature when it is found that no data has been transferred through the socket even though the socket may have been opened and closed without data transfer. Once the attack signature is generated, the signature can be reviewed by the system administrator who decides to send the attack signature, shown in step 56, to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network 20 through a standard network connection including a wireless connection that is generally not sent on protected network 20 or any other network that the attacker may observe. This is accomplished by applying the generated attack signature to the IDS/IPS library of signatures to update the information contained in the library of signatures to prevent the attacker from accessing the primary network with a zero-day attack.
  • Embodiments of step 56 may save the generated attack signatures in a database for future use or further analysis by system administrators. The signatures may also be sent to a proprietary global database of attack signatures for further analysis. Any IDS/IPS may be utilized in one or more embodiments of the invention. Existing IDS/IPS systems for example may be interfaced with in order to integrate with existing solutions.
  • FIG. 3 illustrates a human readable summary of an example attack. Line 300 shows that the file “msprexe.exe” is copied into the “System” directory. Line 301 shows a first registry entry created by the attack. Line 302 shows a second registry entry created by the attack. Any other changes to the system may be shown, as part of the attack-identifying information and the information shown in FIG. 3 is exemplary only.
  • FIG. 4 illustrates an XML formatted attack signature generated from the attack summarized in FIG. 3 for transmittal to an IDS or IPS. XML block 400 includes tags that define the attack signature in the format of the particular IDS or IPS. Any tags used by any IDS or IPS are in keeping with the spirit of the invention and the tags shown in FIG. 4 are exemplary only. For example any ports, protocols, severity levels, alarm levels, signature name or any other quantity may be utilized to inform an IDS or IPS of an attack signature.
  • Another embodiment of a system for analyzing and preventing unauthorized intrusion into a computer network is shown in FIG. 5. This embodiment is directed to an improved method and system for analyzing unauthorized intrusion into a decoy computer network, the analysis of which is used to prevent unauthorized access into a protected computer network. An embodiment of such a system is illustrated in FIG. 5, while the method remains as shown in the flowchart in FIG. 2 above.
  • The system 500, as shown in FIG. 5, includes a decoy computer network 502 and a protected computer network 504, each comprising one or more separate computing devices. The decoy computer network 502 includes a virtualized operating system module 506 for monitoring the decoy network 502, and a processing module 508 for obtaining, analyzing, and responding to exploits.
  • These modules may be hosted on the same computing device or on separate computing devices. However, for ease of explanation, these modules will be described below as being hosted on separate computing devices. Furthermore, although not shown, one skilled in the art will appreciate that each of these computing devices may include one or more processors, input/output devices, communication circuitry, power sources, memory (both physical, e.g., RAM, and disks, e.g., hard disk drives), and any other physical hardware necessary for hosting and running the aforementioned modules. In some embodiments, the modules 506 and 508 are as present in physical memory once the system has been booted and is operational.
  • The virtualized operating system module 506 includes a hypervisor operating system 510 (also known as a virtual machine monitor operating system) that provides a virtualization platform that allows multiple virtual operating systems to be run on a host computing device at the same time. In some embodiments, the hypervisor operating system 510 is a LINUX-based system. One or more fully-functioning “guest” virtualized operating systems 512 are run on the hypervisor operating system 510 at a level above the hardware. As will be described in detail below, these virtualized operating systems 512 act as decoy operating systems to attract attacker activity 550. Any operating system may be used as guest decoy operating system 512, including but not limited to WINDOWS, SUN MICROSYSTEMS, SOLARIS, or any version of LINUX known to persons skilled in the art, as well as any combination of the aforementioned. It should be appreciated that all known operating systems are within the scope of the present invention. There is also no limit to either the number of virtualized guest decoy operating systems 512 or the number of virtualized guest operating system modules 506 that may be utilized.
  • Also running on the hypervisor operating system 510 are normal hypervisor operating system userland processes 514. The hypervisor operating system 510 includes a hypervisor kernel 516, which in some embodiments is also Linux-based. The hypervisor kernel 516 is that part of the hypervisor operating system 510 that resides in physical memory at all times and provides the basic services to the hypervisor operating system 510. The hypervisor kernel 516 is the part of the operating system that activates the hardware directly or interfaces with another software layer that, in turn, drives the hardware. The virtualized decoy operating systems 512 access the physical memory assigned to them by the hypervisor operating system via the hypervisor kernel 516.
  • The hypervisor kernel 516 includes a hypervisor virtual machine kernel module 518 that supports virtualization of the “guest” decoy operating systems 512. The hypervisor kernel 516 also includes virtual-machine-based rootkit module 520 coupled to the hypervisor virtual machine kernel module 516. The virtual-machine-based rootkit module 520 is a set of software tools that conceal running processes, files or system data from the virtualized decoy operating systems 512. As described in further detail below, the virtual-machine-based rootkit module 520 is part of introspection module 538, which performs introspection into the physical memory segments assigned to each of the virtualized decoy operating systems 512.
  • Virtual-machine-based rootkit userland processes 522 run on top of the virtual-machine-based rootkit module 520. Together, the rootkit module 520 and its associated userland processes 522 constitute the system's introspection module 538 (described further below). Virtual-machine-based rootkit userland processes 522 also pass data from the introspection module 538 to the processing module 508.
  • In use, attacker activity 550 is directed at the decoy computer network 502 through one or more ports of each of the virtualized decoy operating systems 512 that are left open as a gateway for attacker activity 550. For example, the decoy network 502 can be configured to respond to connection attempts made at network addresses that do not exist on the protected network 504. Connections to these non-existent network addresses are assumed to be malicious, since no production hardware exists on the protected network 504 at these addresses. Decoys 512 (in the form of a virtualized operating system) may be configured to respond to any such non-existent network address. As in a typical attack, the attacker activity 550 scans for an open port, ostensibly in an attempt to make a network connection and then access one or more computing devices on the protected computer network 504. When the attacker activity 550 scans for open ports at non-existent network addresses, however, the attacker is presented with a virtualized decoy operating system 512 instead.
  • When the attacker activity 550 connects to a virtualized decoy operating system 512 through an open port, the attacker sees a fully-functional standard operating system fingerprint. Since the virtualized operating system module 506 can be configured to present any operating system as a fully-functional virtualized decoy 512, responses to connection requests from attacker activity 550 are guaranteed to be authentic for the operating system running on that decoy. For example, an FTP port access request for WINDOWS may return a specific character sequence that differs from an FTP response for LINUX. Similarly, an FTP access request to a WINDOWS port may return a response “>ftp: connect: Connection refused.” This character sequence may be slightly different from that generated by LINUX. Further, different versions of WINDOWS may respond with slightly different, version-specific character sequences. Since attackers often use these sequences to identify what type of operating system is at a particular network address and the version (or range of possible versions) for that operating system, the fact that virtualized decoy operating systems 512 generate authentic responses makes them realistic decoys and encourages intruders to access them. The instigator of the attack 550 is thus lured into accessing the decoy 512, which is overseen by the hypervisor operating system 510 running on the hardware-based, virtualized operating system module 506. Attacker activity 550 may then initiate custom or known exploits for the observed operating system. When the attacker activity 550 proceeds to interact with the decoy 512, the attacker provides the decoy 512 with the data used to obtain control of the decoy 512. These data are recorded and analyzed without the knowledge of the attacker, as described further below.
  • All scans by the attacker activity 550 receive real-world operating system and service information, leading the instigator of the attack 550 to believe that there is a potentially vulnerable system responding. The attacker is thus lured into communicating with virtualized operating system module 506 and its virtualized decoy operating systems and services. Since real hardware is utilized, the attacker is essentially attacking an actual physical system and, therefore, cannot tell that the system is actually an instrumented honeypot that monitors the attacker activity 550 from the introspection module 538 described below.
  • As described above, the virtualized guest operating system module 506 includes the virtual machine-based rootkit module 520 and its associated userland processes 522. Since both the virtual machine-based rootkit module 520 and its associated userland processes 522 run completely outside the virtualized decoy operating systems 512, they remain hidden from the instigator of the attack, with no discoverable impact on the decoy operating systems' 512 performance. In one embodiment, the virtual machine-based rootkit module 520 and its associated userland processes 522 constitute an introspection module 538 (also known as a virtual machine-based memory introspection analysis tool) that monitors and introspects into the virtualized decoy operating systems' memory segments. This occurs from within the hypervisor operating system 510. The introspection module 538 introspects and gathers information on any virtualized operating system supported by the hypervisor operating system 510.
  • The introspection module 538 comprising the virtual-machine-based rootkit module 520 and its associated userland processes 522 examines the memory assigned to virtualized decoy operating systems 512 in order to acquire low-level data about the interaction between the decoy operating systems and attack activity 500. The introspection module 538 examines the memory of virtualized decoy operating systems 512 by means of three functional components: a code region selector, a trace instrumentor, and a trace analyzer. Regular expressions (also known as ‘regex’) are used throughout the process to identify, describe, and profile the contents of the virtualized decoy's memory segments. The code selector identifies regions of code in memory that are of interest for further introspection. Regions of interest may include, but are not limited to, system calls, the arguments of system calls, the returns of system calls, device and memory input-output, driver information, library calls, branching information, instruction pointer jumps, and raw network information. The instrumentor copies the memory traces of interest identified by the code selector and then profiles and instruments them. The trace analyzer takes the instrumented traces and uses them to replay the memory behavior of the decoy operating system 512. In this manner, the introspection module 538 examines the contents of the decoy operating systems' 512 memory segments in an instrumented context that generates and retrieves forensic data for analysis by the processing module 508.
  • When an attacker connects to a network port and begins interacting with a virtualized decoy operating system 512, the introspection module 538 monitors and captures information from the connection, including port numbers, data streams, file uploads, keystrokes, ASCII or binary files, malicious payloads, memory manipulation attempts, and any other data transfers or malicious attempts.
  • The captured information, containing attack-identifying information, is then sent from the introspection module 538 to the processing module 508 by means of a virtual machine-based rootkit userland process 522.
  • The processing module 508 includes an operating system kernel 526, which in some embodiments is also LINUX based. The processing module 508 also includes a database, such as a relational database server 528, and a signature-generation engine 530. In some embodiments, the signature-generation engine 530 communicates with the introspection module 538 over a private network interface communications channel 534 and accepts custom-formatted protocol packets named BAT (Blade Activity Transfer). The private network interface communications channel 524 may be a persistent Layer 3 TCP socket communications link that cannot be seen or accessed by the attacker (such as an IP connection or any other hardware-dependent custom communication protocol known to persons skilled in the art). Thus, the processing module 508 is part of a secure and separate administrative network.
  • In use, the introspection module 538 captures (through introspection) attack information. The attack information is then communicated through the private network interface channel 524 and stored on the relational database server 528 as forensic data for later analysis. The signature-generation engine 530 then uses this forensic data to generate a signature of the attack. The entire process from attack detection through signature generation may occur automatically, i.e., without any human intervention, at a timescale ranging from nearly immediate to several minutes. The intrusion prevention system (described below) uses the attack signature to identify and prevent subsequent attacks.
  • The protected computer network 504 includes an IDS/IPS library of signatures 534 and an IDS/IPS system 542 coupled to multiple protected network devices 536. Suitable IDS/IPS systems 542 include Cisco Systems' IPS 4200 Series, Juniper's IDP 200, and Enterasys' Dragon IDS Network Sensor.
  • In one or more embodiments, the signature may be sent from the back-end processing module 508 to the intrusion detection and/or prevention (IDS/IPS) signature library 534 through a second network connection 540, which is used by the processing module 508 to directly interact with the IDS/IPS system 542. The virtual-machine-based rootkit module 520 may easily clean the virtualized decoy operating system 512 at any time by removing the running system image of the compromised virtualized decoy operating system and replacing it with a pre-attack system image. Thus the virtual-machine-based rootkit module 520 can cleanse or reset the virtualized decoy operating system of any malicious software or payload, removing the possibility that attacker(s) can use that virtualized decoy operating system 512 for further attacks on other networks. In this manner, the attack can be thwarted, and the operating system does not become a tool of the attacker(s). This procedure may also be automated, i.e., may occur without further human intervention.
  • As shown in FIG. 2, processing starts at Step 200 and waits for activity from the introspection module 538 at Step 43. At Step 44, the processing module 508 generates a report of the attack that includes attack-identifying information (See FIG. 3). This report is for review and use by a system administrator responsible for the security of a protected network 504. The attack may contain, but is not limited to, one or more data transfers or keystrokes, which are analyzed at Step 46. By observing whether the attacker is successful in interacting with the system (i.e., if the system is responding in a manner that shows that the attacker has gained access), a determination can be made at Step 48 as to whether an attack signature should be generated, and the attack signature is created at step 52 (See FIG. 4). If the attacker, for example, is unsuccessful at gaining access, or if there is no data transfer, the attack inquiry may be ended at Step 50. Any attack signature generated is sent to the IDS/IPS signature library 534 at Step 56, and processing continues at Step 43.
  • In one embodiment of the invention, the report of the attack is written and then displayed via a visualization interface 532 and can include information about which sockets were accessed by the attack 550, what happened at a particular socket, the keystrokes entered or data transferred, what files were transferred, how the attack 550 was run, what happened on the virtualized operating system module 506, and how the virtualized decoy operating systems 512 running on the hypervisor operating system 510 and any related network services were affected. In some embodiments, the visualization interface 532 is AJAX- and/or FLASH-based. The report may also include information on the location of the instigator of the attack 550 or the service provider used for the attack. Graphical representations of key information and interactive mapping of attack locales by region or country may also be included in the report. The visualization interface may also be used to analyze, configure, and automate the system's response to attack activity 550 on timescales ranging from near-immediate to several minutes from the initiation of an attack.
  • At Step 46, the attack-identifying information is analyzed for known attack patterns as well as non-standard patterns, such as repeating binary patterns, keystroke patterns, downloaded daemons, or errors (such as buffer overflow attempts, malicious payloads attempting to execute arbitrary code on the system, memory overwriting attempts, stack attacks, and heap attacks). By observing the operations performed on the decoy operating system(s) 512, the attack 550 may be categorized and analyzed to determine, for example, how an attack gained control of the decoy operating system(s) 512. Any method of analyzing the incoming data such as binary matching, neural-network matching, keyword matching, or any other method of matching attack-identifying information is in keeping with the spirit of the invention. Pattern-matching techniques involving neural networks, for example, are characterized in Carl Looney's Pattern Recognition Using Neural Networks. Theory and Algorithms for Engineers and Scientists (Oxford University Press USA, New York, N.Y., 1997) and Christopher Bishop's Neural Networks for Pattern Recognition (Oxford University Press USA, New York, N.Y., 1995), among other sources familiar to those skilled in the art.
  • At Step 48, a decision is made as to whether to generate an attack signature. If no harmful operations occurred as a result of an attack, or when no known attack patterns are found, then no further attack inquiry would be needed (as shown at Step 50). The processing module 508 may then take on the next input of captured information from the introspection module 538 running on the hardware-based, virtualized operating system module 506.
  • If a determination is made that attack signature generation is warranted, an attack signature is generated as illustrated in Step 52. In one or more embodiments of the invention, the processing module 508 may generate a signature whenever data is found to be transferred through the socket. Alternatively, if the attack signature already exists, or if the data transfer is of a nature that indicates probing rather than attack, then the attack signature may not be generated. For example, the processing module 508 may not generate a signature when it is found that no data has been transferred through the socket, even though the socket may have been opened and closed. The conditions under which the processing module 508 generates an attack can be configured and automated by an administrator. Once the attack signature is generated, the signature can be reviewed by the system administrator, who decides whether to send the attack signature (shown at Step 56) to the intrusion detection system (IDS) or intrusion prevention system (IPS) for the protected network 504. The attack signature is sent through a standard network connection or via a wireless connection and is generally sent on a private portion of the protected network 504 that the attacker cannot observe. The generated attack signature is thus applied to the IDS/IPS library of signatures 534, thereby updating the information contained in the signature library and preventing the attacker from accessing the protected network 504.
  • Embodiments of the invention may save the attack signatures created at Step 52 in a relational database server 528 for future use or analysis by system administrators. The signatures may also be sent to a proprietary global database of attack signatures for further analysis, storage, and distribution. Any IDS/IPS system may be utilized in one or more embodiments of the invention. The invention may be interfaced with existing IDS/IPS systems, for example to integrate it with existing solutions.
  • As explained above, FIG. 3 illustrates a human-readable summary of an example attack. Line 300 shows that the file “msprexe.exe” is copied into the “System” directory. Line 301 shows a first registry entry created by the attack. Line 302 shows a second registry entry created by the attack. Any other changes to the system may be shown as part of the attack-identifying information, and the information shown in FIG. 3 is exemplary only.
  • As explained above, FIG. 4 illustrates an attack signature generated from the attack summarized in FIG. 3 and formatted in XML for transmission to an IDS or IPS. XML Block 400 includes tags that define the attack signature in the format of the particular IDS or IPS. Any tags used by any IDS or IPS are in keeping with the spirit of the invention, and the tags shown in FIG. 4 are exemplary only. For example, any ports, protocols, severity levels, alarm levels, signature name, or any other quantity, may be utilized to inform an IDS or IPS of an attack signature.
  • While embodiments and alternatives have been disclosed and discussed, the invention herein is not limited to the particular disclosed embodiments or alternatives but encompasses the full breadth and scope of the invention including equivalents, and the invention is not limited except as set forth in and encompassed by the full breadth and scope of the claims herein.

Claims (23)

1. A method for analyzing unauthorized intrusion into a computer network, the method comprising:
allowing access to an apparently vulnerable virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
using an introspection module comprising a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
generating forensic data on the network attack from the attack-identifying information.
2. The method of claim 1, further comprising:
generating an attack signature from the forensic data; and
providing the attack signature to an intrusion prevention system configured to control access to a protected network using the attack signature to identify subsequent attacks.
3. The method of claim 2, further comprising controlling access to the protected network using the attack signature.
4. The method of claim 2, wherein the attack signature is automatically generated by the system without human intervention.
5. The method of claim 1, further comprising, before the allowing, opening a port on the virtualized decoy operating system through which the network attack is made.
6. The method of claim 1, further comprising:
allowing access to an additional virtualized decoy operating system running on the hypervisor operating system;
using the virtual-machine-based rootkit module to intercept an additional network attack on the additional virtualized operating system, wherein the additional network attack includes additional attack-identifying information; and
generating additional forensic data on the additional network attack from the additional attack-identifying information.
7. The method of claim 6, further comprising:
generating an additional attack signature from the additional forensic data; and
providing the additional attack signature to an intrusion prevention system configured to control access to a protected network using the attack-identifying information.
8. The method of claim 1, wherein the virtualized decoy operating system and the additional virtualized decoy operating system are different types of operating systems.
9. The method of claim 1, wherein said forensic data is generated based on an attack payload including keystrokes, ASCII, or binary files.
10. The method of claim 1, wherein the attack forensics are generated if an attacker is able to successfully gain access to the virtualized decoy operating system.
11. The method of claim 1, further comprising providing a report of said network attack to a network administrator.
12. The method of claim 1, further comprising storing the attack forensics in a database.
13. A system for analyzing unauthorized intrusion into a computer network, the system comprising:
a virtualized operating system module comprising:
a hypervisor operating system comprising:
at least one virtualized decoy operating system;
a virtual-machine-based rootkit configured to intercept a network attack on the virtualized operating system, wherein the network attack includes transmission of attack-identifying information; and
a processing module electrically coupled to the introspection module via a network interface communication channel, wherein the processing module comprises: a database configured to store forensic data on the network attack.
14. The system of claim 13, wherein the processing module further comprises an attack signature-generation engine configured to generate an attack signature from the forensic data on the network attack, wherein attack signatures may be generated on a timescale ranging from near-immediate to several minutes after initiation of an attack.
15. The system of claim 14, wherein the processing module further comprises a web-based visualization interface that facilitates configuration of the system and forensic analysis of captured attack information by administrators.
16. The system of claim 15, further comprising an intrusion prevention system electrically coupled to the signature-generation engine.
17. The system of claim 13, wherein the intrusion detection system is configured to prevent unauthorized intrusion into a protected computer network.
18. The system of claim 13, wherein the network interface communication channel is a private channel.
19. The system of claim 13, wherein the virtualized operating system module includes multiple virtualized decoy operating systems on the hypervisor operating system.
20. The system of claim 13, wherein the attack forensics are based on an attack payload including keystrokes or ASCII or binary files.
21. The system of claim 13, wherein the virtualized operating system module and the processing module are contained in memory on the same or separate computing devices that each includes a processor.
22. A computing device configured for analyzing unauthorized intrusion into a computer network, the device comprising:
a processor; and
memory coupled to the processor, wherein the memory comprises procedures for:
allowing access to a virtualized decoy operating system running on a hypervisor operating system hosted on a decoy network device;
using an introspection module running on the hypervisor operating system to intercept a network attack on the virtualized operating system, wherein the network attack includes attack-identifying information; and
generating forensic data on the network attack from the attack-identifying information.
23. The computing device of claim 22, further comprising a web-based visualization module comprising procedures for:
analyzing forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases; and
configuring the system, wherein an administrator can tune the system's behavior, including its pattern matching facilities, as well as automate the system's response to attack-identifying information captured by the introspection module and automate its response to forensic data generated by the signature-generation engine and any information stored on the processing module's relational databases.
US11/788,795 2006-05-22 2007-04-20 System and method for analyzing unauthorized intrusion into a computer network Abandoned US20140373144A9 (en)

Priority Applications (10)

Application Number Priority Date Filing Date Title
US11/788,795 US20140373144A9 (en) 2006-05-22 2007-04-20 System and method for analyzing unauthorized intrusion into a computer network
CA3013171A CA3013171C (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
CA2689126A CA2689126C (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
AU2008242296A AU2008242296B2 (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
JP2010504185A JP5351883B2 (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
EP08745858.4A EP2149087B1 (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
EP15174670.8A EP2953049B1 (en) 2007-04-20 2008-04-15 System and method for analyzing unathorized intrusion into a computer network
PCT/US2008/060336 WO2008130923A1 (en) 2007-04-20 2008-04-15 System and method for analyzing unauthorized intrusion into a computer network
JP2013173175A JP5579907B2 (en) 2007-04-20 2013-08-23 System and method for analyzing unauthorized intrusion into a computer network
US14/542,376 US9866584B2 (en) 2006-05-22 2014-11-14 System and method for analyzing unauthorized intrusion into a computer network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US80254306P 2006-05-22 2006-05-22
US11/488,743 US8429746B2 (en) 2006-05-22 2006-07-17 Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems
US11/788,795 US20140373144A9 (en) 2006-05-22 2007-04-20 System and method for analyzing unauthorized intrusion into a computer network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/488,743 Continuation-In-Part US8429746B2 (en) 2006-05-22 2006-07-17 Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/542,376 Continuation US9866584B2 (en) 2006-05-22 2014-11-14 System and method for analyzing unauthorized intrusion into a computer network

Publications (2)

Publication Number Publication Date
US20080016570A1 true US20080016570A1 (en) 2008-01-17
US20140373144A9 US20140373144A9 (en) 2014-12-18

Family

ID=38950746

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/788,795 Abandoned US20140373144A9 (en) 2006-05-22 2007-04-20 System and method for analyzing unauthorized intrusion into a computer network
US14/542,376 Active - Reinstated US9866584B2 (en) 2006-05-22 2014-11-14 System and method for analyzing unauthorized intrusion into a computer network

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/542,376 Active - Reinstated US9866584B2 (en) 2006-05-22 2014-11-14 System and method for analyzing unauthorized intrusion into a computer network

Country Status (6)

Country Link
US (2) US20140373144A9 (en)
EP (2) EP2149087B1 (en)
JP (2) JP5351883B2 (en)
AU (1) AU2008242296B2 (en)
CA (2) CA2689126C (en)
WO (1) WO2008130923A1 (en)

Cited By (133)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320561A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and System for Collaboration Involving Enterprise Nodes
US20080320499A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and System for Direct Insertion of a Virtual Machine Driver
US20080320592A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and system for cloaked observation and remediation of software attacks
US20090019545A1 (en) * 2005-12-12 2009-01-15 Finjan Software, Ltd. Computer security method and system with input parameter validation
US20090049546A1 (en) * 2007-08-17 2009-02-19 International Business Machines Corporation Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks
US20090183173A1 (en) * 2007-06-22 2009-07-16 Daniel Lee Becker Method and system for determining a host machine by a virtual machine
US20090182928A1 (en) * 2007-06-22 2009-07-16 Daniel Lee Becker Method and system for tracking a virtual machine
US20090238088A1 (en) * 2008-03-19 2009-09-24 Oki Electric Industry Co., Ltd. Network traffic analyzing device, network traffic analyzing method and network traffic analyzing system
EP2106085A1 (en) 2008-03-24 2009-09-30 Hewlett-Packard Development Company, L.P. System and method for securing a network from zero-day vulnerability exploits
US20090271494A1 (en) * 2008-04-25 2009-10-29 International Business Machines Corporation Method, System and Program Product for Providing Server Security Via A Security Sensor Application Shared by Multiple Operating System Partitions
US20100077078A1 (en) * 2007-06-22 2010-03-25 Fortisphere, Inc. Network traffic analysis using a dynamically updating ontological network description
US20100175132A1 (en) * 2009-01-05 2010-07-08 Andrew Zawadowskiy Attack-resistant verification of auto-generated anti-malware signatures
US20100263049A1 (en) * 2009-04-14 2010-10-14 Microsoft Corporation Vulnerability detection based on aggregated primitives
WO2011155941A1 (en) * 2010-06-10 2011-12-15 Hewlett-Packard Development Company, L.P. Virtual machine
US20120023572A1 (en) * 2010-07-23 2012-01-26 Q-Track Corporation Malicious Attack Response System and Associated Method
US8156541B1 (en) * 2007-10-17 2012-04-10 Mcafee, Inc. System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking
US20120117267A1 (en) * 2010-04-01 2012-05-10 Lee Hahn Holloway Internet-based proxy service to limit internet visitor connection speed
US20120254951A1 (en) * 2011-03-31 2012-10-04 International Business Machines Corporation Providing protection against unauthorized network access
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system
CN103034806A (en) * 2011-09-30 2013-04-10 腾讯科技(深圳)有限公司 Method and terminal for processing operation
US20130117849A1 (en) * 2011-11-03 2013-05-09 Ali Golshan Systems and Methods for Virtualized Malware Detection
US20130159999A1 (en) * 2011-12-15 2013-06-20 Industrial Technology Research Institute System and method for generating application-level dependencies in one or more virtual machines
US8484739B1 (en) * 2008-12-15 2013-07-09 Symantec Corporation Techniques for securely performing reputation based analysis using virtualization
US8539570B2 (en) 2007-06-22 2013-09-17 Red Hat, Inc. Method for managing a virtual machine
US20130346630A1 (en) * 2011-12-08 2013-12-26 Honeywell International Inc. Connected home control system with auto router port configuration and ddns registration
US8695096B1 (en) 2011-05-24 2014-04-08 Palo Alto Networks, Inc. Automatic signature generation for malicious PDF files
US8745745B2 (en) 2012-06-26 2014-06-03 Lynuxworks, Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features
US8752174B2 (en) 2010-12-27 2014-06-10 Avaya Inc. System and method for VoIP honeypot for converged VoIP services
US8806629B1 (en) * 2008-01-02 2014-08-12 Cisco Technology, Inc. Automatic generation of policy-driven anti-malware signatures and mitigation of DoS (denial-of-service) attacks
US20140245444A1 (en) * 2013-02-22 2014-08-28 Bitdefender IPR Management Ltd. Memory Introspection Engine for Integrity Protection of Virtual Machines
US20140317737A1 (en) * 2013-04-22 2014-10-23 Korea Internet & Security Agency Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system
US8943594B1 (en) 2013-06-24 2015-01-27 Haystack Security LLC Cyber attack disruption through multiple detonations of received payloads
US9001661B2 (en) 2006-06-26 2015-04-07 Palo Alto Networks, Inc. Packet classification in a network security device
US9049247B2 (en) 2010-04-01 2015-06-02 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US20150169338A1 (en) * 2012-12-06 2015-06-18 Dell Products L.P. Mapping virtual devices to computing nodes
US20150186641A1 (en) * 2013-12-30 2015-07-02 Intuit Inc. Method and system for intrusion and extrusion detection
US20150205962A1 (en) * 2014-01-23 2015-07-23 Cylent Systems, Inc. Behavioral analytics driven host-based malicious behavior and data exfiltration disruption
US9117078B1 (en) * 2008-09-17 2015-08-25 Trend Micro Inc. Malware behavior analysis and policy creation
US9165142B1 (en) * 2013-01-30 2015-10-20 Palo Alto Networks, Inc. Malware family identification using profile signatures
US9203855B1 (en) 2014-05-15 2015-12-01 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US9213840B2 (en) 2014-05-15 2015-12-15 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, APIs of interest, and/or other features
US9245117B2 (en) 2014-03-31 2016-01-26 Intuit Inc. Method and system for comparing different versions of a cloud based application in a production environment using segregated backend systems
US9246935B2 (en) 2013-10-14 2016-01-26 Intuit Inc. Method and system for dynamic and comprehensive vulnerability management
US9276945B2 (en) 2014-04-07 2016-03-01 Intuit Inc. Method and system for providing security aware applications
US9280369B1 (en) 2013-07-12 2016-03-08 The Boeing Company Systems and methods of analyzing a software component
US9292688B2 (en) 2012-09-26 2016-03-22 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
US9313281B1 (en) 2013-11-13 2016-04-12 Intuit Inc. Method and system for creating and dynamically deploying resource specific discovery agents for determining the state of a cloud computing environment
US9319415B2 (en) 2014-04-30 2016-04-19 Intuit Inc. Method and system for providing reference architecture pattern-based permissions management
US9325726B2 (en) 2014-02-03 2016-04-26 Intuit Inc. Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment
US9332028B2 (en) * 2013-01-25 2016-05-03 REMTCS Inc. System, method, and apparatus for providing network security
US9330263B2 (en) 2014-05-27 2016-05-03 Intuit Inc. Method and apparatus for automating the building of threat models for the public cloud
US9336025B2 (en) 2013-07-12 2016-05-10 The Boeing Company Systems and methods of analyzing a software component
US9342620B2 (en) 2011-05-20 2016-05-17 Cloudflare, Inc. Loading of web resources
US9354960B2 (en) 2010-12-27 2016-05-31 Red Hat, Inc. Assigning virtual machines to business application service groups based on ranking of the virtual machines
US9374389B2 (en) 2014-04-25 2016-06-21 Intuit Inc. Method and system for ensuring an application conforms with security and regulatory controls prior to deployment
US9390267B2 (en) 2014-05-15 2016-07-12 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
US9396082B2 (en) 2013-07-12 2016-07-19 The Boeing Company Systems and methods of analyzing a software component
US9473481B2 (en) 2014-07-31 2016-10-18 Intuit Inc. Method and system for providing a virtual asset perimeter
US9479521B2 (en) 2013-09-30 2016-10-25 The Boeing Company Software network behavior analysis and identification system
US9477572B2 (en) 2007-06-22 2016-10-25 Red Hat, Inc. Performing predictive modeling of virtual machine relationships
US9501345B1 (en) 2013-12-23 2016-11-22 Intuit Inc. Method and system for creating enriched log data
US9525700B1 (en) 2013-01-25 2016-12-20 REMTCS Inc. System and method for detecting malicious activity and harmful hardware/software modifications to a vehicle
US9553886B2 (en) 2015-06-08 2017-01-24 Illusive Networks Ltd. Managing dynamic deceptive environments
US20170026398A1 (en) * 2013-01-16 2017-01-26 Light Cyber Ltd. Identifying anomalous messages
WO2017013589A1 (en) * 2015-07-21 2017-01-26 Cymmetria, Inc. Decoy and deceptive data object technology
US9569330B2 (en) 2007-06-22 2017-02-14 Red Hat, Inc. Performing dependency analysis on nodes of a business application service group
US20170163660A1 (en) * 2013-05-03 2017-06-08 Webroot Inc. Method and apparatus for providing forensic visibility into systems and networks
US20170201536A1 (en) * 2010-01-06 2017-07-13 Damballa, Inc. Method and system for detecting malware
US9727440B2 (en) 2007-06-22 2017-08-08 Red Hat, Inc. Automatic simulation of virtual machine performance
US9742804B2 (en) * 2015-10-28 2017-08-22 National Technology & Engineering Solutions Of Sandia, Llc Computer network defense system
US9832216B2 (en) 2014-11-21 2017-11-28 Bluvector, Inc. System and method for network data characterization
WO2017216735A1 (en) * 2016-06-14 2017-12-21 Cymmetria, Inc. Employing code signing as a tool in cyber-security deception
US9852290B1 (en) 2013-07-12 2017-12-26 The Boeing Company Systems and methods of analyzing a software component
US9866581B2 (en) 2014-06-30 2018-01-09 Intuit Inc. Method and system for secure delivery of information to computing environments
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US9900322B2 (en) 2014-04-30 2018-02-20 Intuit Inc. Method and system for providing permissions management
US9922190B2 (en) 2012-01-25 2018-03-20 Damballa, Inc. Method and system for detecting DGA-based malware
US9923909B2 (en) 2014-02-03 2018-03-20 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths
US20180088980A1 (en) * 2014-07-30 2018-03-29 Microsoft Technology Licensing, Llc Hypervisor-hosted virtual machine forensics
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US10044748B2 (en) 2005-10-27 2018-08-07 Georgia Tech Research Corporation Methods and systems for detecting compromised computers
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification
US10075460B2 (en) 2013-10-16 2018-09-11 REMTCS Inc. Power grid universal detection and countermeasure overlay intelligence ultra-low latency hypervisor
US10075461B2 (en) 2015-05-31 2018-09-11 Palo Alto Networks (Israel Analytics) Ltd. Detection of anomalous administrative actions
US10084806B2 (en) 2012-08-31 2018-09-25 Damballa, Inc. Traffic simulation to identify malicious activity
US10095866B2 (en) 2014-02-24 2018-10-09 Cyphort Inc. System and method for threat risk scoring of security threats
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US10133607B2 (en) 2007-06-22 2018-11-20 Red Hat, Inc. Migration of network entities to a cloud infrastructure
US10225280B2 (en) 2014-02-24 2019-03-05 Cyphort Inc. System and method for verifying and detecting malware
US20190075124A1 (en) * 2017-09-04 2019-03-07 ITsMine Ltd. System and method for conducting a detailed computerized surveillance in a computerized environment
CN109840419A (en) * 2017-11-29 2019-06-04 财团法人资讯工业策进会 Computer installation and recognize its software container behavior whether Yi Chang method
US10326778B2 (en) 2014-02-24 2019-06-18 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
US10333951B1 (en) * 2017-07-31 2019-06-25 EMC IP Holding Company LLC Method and system for implementing golden container storage
US10333976B1 (en) 2018-07-23 2019-06-25 Illusive Networks Ltd. Open source intelligence deceptions
US10333977B1 (en) 2018-08-23 2019-06-25 Illusive Networks Ltd. Deceiving an attacker who is harvesting credentials
US10356106B2 (en) 2011-07-26 2019-07-16 Palo Alto Networks (Israel Analytics) Ltd. Detecting anomaly action within a computer network
US10382483B1 (en) 2018-08-02 2019-08-13 Illusive Networks Ltd. User-customized deceptions and their deployment in networks
US10382484B2 (en) 2015-06-08 2019-08-13 Illusive Networks Ltd. Detecting attackers who target containerized clusters
US10404747B1 (en) * 2018-07-24 2019-09-03 Illusive Networks Ltd. Detecting malicious activity by using endemic network hosts as decoys
US10432665B1 (en) 2018-09-03 2019-10-01 Illusive Networks Ltd. Creating, managing and deploying deceptions on mobile devices
US10528730B2 (en) 2014-06-26 2020-01-07 Nec Corporation Analysis device, analysis method, and storage medium in which analysis program is recorded
US10547674B2 (en) 2012-08-27 2020-01-28 Help/Systems, Llc Methods and systems for network flow analysis
US10581859B2 (en) 2017-08-07 2020-03-03 International Business Machines Corporation Detection and prevention of attempts to access sensitive information in real-time
US10609066B1 (en) 2016-11-23 2020-03-31 EMC IP Holding Company LLC Automated detection and remediation of ransomware attacks involving a storage device of a computer network
US10686829B2 (en) 2016-09-05 2020-06-16 Palo Alto Networks (Israel Analytics) Ltd. Identifying changes in use of user credentials
US10735466B2 (en) * 2016-02-23 2020-08-04 nChain Holdings Limited Reactive and pre-emptive security system for the protection of computer networks and systems
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US10764309B2 (en) 2018-01-31 2020-09-01 Palo Alto Networks, Inc. Context profiling for malware detection
US10805326B1 (en) * 2016-11-21 2020-10-13 Alert Logic, Inc. Systems and methods for threat visualization with signature composure, spatial scale and temporal expansion
US10824715B2 (en) 2014-07-01 2020-11-03 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting, and/or other features
US10999304B2 (en) 2018-04-11 2021-05-04 Palo Alto Networks (Israel Analytics) Ltd. Bind shell attack detection
US11012492B1 (en) 2019-12-26 2021-05-18 Palo Alto Networks (Israel Analytics) Ltd. Human activity detection in computing device transmissions
US11030314B2 (en) 2018-07-31 2021-06-08 EMC IP Holding Company LLC Storage system with snapshot-based detection and remediation of ransomware attacks
US11070569B2 (en) 2019-01-30 2021-07-20 Palo Alto Networks (Israel Analytics) Ltd. Detecting outlier pairs of scanned ports
US11126720B2 (en) 2012-09-26 2021-09-21 Bluvector, Inc. System and method for automated machine-learning, zero-day malware detection
US11159538B2 (en) 2018-01-31 2021-10-26 Palo Alto Networks, Inc. Context for malware forensics and detection
US11171970B2 (en) 2018-05-01 2021-11-09 Royal Bank Of Canada System and method for reducing false positive security events
US11184378B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Scanner probe detection
US11184377B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using source profiles
US11184376B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Port scan detection using destination profiles
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US11316872B2 (en) 2019-01-30 2022-04-26 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using port profiles
US11336690B1 (en) * 2019-11-15 2022-05-17 National Technology & Engineering Solutions Of Sandia, Llc Threat emulation framework
US11405410B2 (en) 2014-02-24 2022-08-02 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
US11494216B2 (en) 2019-08-16 2022-11-08 Google Llc Behavior-based VM resource capture for forensics
US11509680B2 (en) 2020-09-30 2022-11-22 Palo Alto Networks (Israel Analytics) Ltd. Classification of cyber-alerts into security incidents
US11588849B2 (en) 2021-01-27 2023-02-21 Bank Of America Corporation System for providing enhanced cryptography based response mechanism for malicious attacks
CN116723055A (en) * 2023-08-08 2023-09-08 中国电信股份有限公司 Vulnerability detection method and device, storage medium and electronic equipment
US11782745B2 (en) 2014-07-01 2023-10-10 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting and/or other features
US11799880B2 (en) 2022-01-10 2023-10-24 Palo Alto Networks (Israel Analytics) Ltd. Network adaptive alert prioritization system
US11956212B2 (en) 2021-03-31 2024-04-09 Palo Alto Networks, Inc. IoT device application workload capture

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5713445B2 (en) * 2011-06-24 2015-05-07 日本電信電話株式会社 Communication monitoring system and method, communication monitoring device, virtual host device, and communication monitoring program
US20130028443A1 (en) * 2011-07-28 2013-01-31 Apple Inc. Devices with enhanced audio
JP2013236687A (en) * 2012-05-11 2013-11-28 We Are Engineering Kk Computer game
US8955143B1 (en) * 2012-09-04 2015-02-10 Amazon Technologies, Inc. Use of decoy data in a data store
US9619346B2 (en) 2013-10-31 2017-04-11 Assured Information Security, Inc. Virtual machine introspection facilities
US9996374B2 (en) 2015-06-16 2018-06-12 Assured Information Security, Inc. Deployment and installation of updates in a virtual environment
US11093613B2 (en) 2015-08-25 2021-08-17 Volexity, Inc. Systems methods and devices for memory analysis and visualization
US10142365B2 (en) * 2016-01-22 2018-11-27 The Boeing Company System and methods for responding to cybersecurity threats
CN105721446A (en) * 2016-01-26 2016-06-29 浪潮电子信息产业股份有限公司 Remote desktop anti-brute force attack intercepting method based on WINDOWS operating system
US10284598B2 (en) 2016-01-29 2019-05-07 Sophos Limited Honeypot network services
US10257226B2 (en) * 2016-03-24 2019-04-09 802 Secure, Inc. Identifying and trapping wireless based attacks on networks using deceptive network emulation
JP7058464B2 (en) * 2016-11-11 2022-04-22 ヤフー株式会社 Anti-fraud system and anti-fraud method
EP3355188B1 (en) 2017-01-31 2021-08-25 OpenSynergy GmbH Instrument display on a car dashboard by checking frames of a gui by a realtime os
US10599838B2 (en) 2017-05-08 2020-03-24 Micron Technology, Inc. Crypto-ransomware compromise detection
US10785258B2 (en) 2017-12-01 2020-09-22 At&T Intellectual Property I, L.P. Counter intelligence bot

Citations (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5339426A (en) * 1991-05-29 1994-08-16 Toshiba America Information Systems, Inc. System and method for resume processing initialization
US5621886A (en) * 1995-06-19 1997-04-15 Intel Corporation Method and apparatus for providing efficient software debugging
US5664159A (en) * 1994-03-08 1997-09-02 Exponential Technology, Inc. Method for emulating multiple debug breakpoints by page partitioning using a single breakpoint register
US5740413A (en) * 1995-06-19 1998-04-14 Intel Corporation Method and apparatus for providing address breakpoints, branch breakpoints, and single stepping
US6009274A (en) * 1996-12-13 1999-12-28 3Com Corporation Method and apparatus for automatically updating software components on end systems over a network
US20010011254A1 (en) * 1998-12-15 2001-08-02 Jonathan Clark Distributed execution software license server
US6360327B1 (en) * 1999-03-12 2002-03-19 Compaq Information Technologies Group, L.P. System with control registers for managing computer legacy peripheral devices using an advanced configuration power interface software power management system
US20020099752A1 (en) * 1999-02-19 2002-07-25 George B Markos Method and apparatus for providing configuration information using a queued direct input-output device
US6446062B1 (en) * 1999-12-23 2002-09-03 Bull Hn Information Systems Inc. Method and apparatus for improving the performance of a generated code cache search operation through the use of static key values
US20020194437A1 (en) * 2001-06-14 2002-12-19 International Business Machines Corporation Methodology to stress and test LPAR isolation features
US20030023656A1 (en) * 2001-07-27 2003-01-30 International Business Machines Corporation Method and system for deadlock detection and avoidance
US20030120935A1 (en) * 2001-12-20 2003-06-26 Coretrace Corporation Kernel-based network security infrastructure
US20040025052A1 (en) * 2000-07-26 2004-02-05 David Dickenson Distributive access controller
US20040153672A1 (en) * 2002-11-18 2004-08-05 Arm Limited Switching between secure and non-secure processing modes
US20040177269A1 (en) * 2002-11-18 2004-09-09 Arm Limited Apparatus and method for managing access to a memory
US20040225877A1 (en) * 2003-05-09 2004-11-11 Zezhen Huang Method and system for protecting computer system from malicious software operation
US20050229250A1 (en) * 2004-02-26 2005-10-13 Ring Sandra E Methodology, system, computer readable medium, and product providing a security software suite for handling operating system exploitations
US20060018466A1 (en) * 2004-07-12 2006-01-26 Architecture Technology Corporation Attack correlation using marked information
US20060136720A1 (en) * 2004-12-21 2006-06-22 Microsoft Corporation Computer security management, such as in a virtual machine or hardened operating system
US20060288414A1 (en) * 2003-03-17 2006-12-21 Seiko Epson Corporation Method and system for preventing virus infection
US20060294592A1 (en) * 2005-06-28 2006-12-28 Microsoft Corporation Automated rootkit detector
US20070002689A1 (en) * 2005-04-18 2007-01-04 Daniel Mateescu System and method of data source detection
US20070101431A1 (en) * 2005-10-31 2007-05-03 Microsoft Corporation Identifying malware that employs stealth techniques
US7222366B2 (en) * 2002-01-28 2007-05-22 International Business Machines Corporation Intrusion event filtering
US20070180529A1 (en) * 2006-01-30 2007-08-02 Microsoft Corporation Bypassing software services to detect malware
US20070180450A1 (en) * 2006-01-24 2007-08-02 Citrix Systems, Inc. Methods and systems for selecting a method for execution, by a virtual machine, of an application program
US20070240221A1 (en) * 2006-04-06 2007-10-11 George Tuvell Non-Signature Malware Detection System and Method for Mobile Platforms
US20070250930A1 (en) * 2004-04-01 2007-10-25 Ashar Aziz Virtual machine with dynamic data flow analysis
US20080005782A1 (en) * 2004-04-01 2008-01-03 Ashar Aziz Heuristic based capture with replay to virtual machine
US20080016571A1 (en) * 2006-07-11 2008-01-17 Larry Chung Yao Chang Rootkit detection system and method
US20080127114A1 (en) * 2006-11-28 2008-05-29 Amit Vasudevan Framework for stealth dynamic coarse and fine-grained malware analysis
US7392543B2 (en) * 2003-06-30 2008-06-24 Symantec Corporation Signature extraction system and method
US20080177994A1 (en) * 2003-01-12 2008-07-24 Yaron Mayer System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows
US7464407B2 (en) * 2002-08-20 2008-12-09 Nec Corporation Attack defending system and attack defending method
US20080320594A1 (en) * 2007-03-19 2008-12-25 Xuxian Jiang Malware Detector
US7581219B2 (en) * 2002-06-07 2009-08-25 Intel Corporation Transitioning between virtual machine monitor domains in a virtual machine environment
US7596654B1 (en) * 2006-01-26 2009-09-29 Symantec Operating Corporation Virtual machine spanning multiple computers
US20090307273A1 (en) * 2008-06-06 2009-12-10 Tecsys Development, Inc. Using Metadata Analysis for Monitoring, Alerting, and Remediation
US20100042632A1 (en) * 2008-08-12 2010-02-18 Tecsys Development, Inc. Log File Time Sequence Stamping
US20100095281A1 (en) * 2008-10-14 2010-04-15 Riverside Research Institute Internal Function Debugger
US20110060947A1 (en) * 2009-09-09 2011-03-10 Zhexuan Song Hardware trust anchor
US20110179136A1 (en) * 2007-10-17 2011-07-21 Dispersive Networks, Inc. Apparatus, systems and methods utilizing dispersive networking
US7996836B1 (en) * 2006-12-29 2011-08-09 Symantec Corporation Using a hypervisor to provide computer security
US20110239291A1 (en) * 2010-03-26 2011-09-29 Barracuda Networks, Inc. Detecting and Thwarting Browser-Based Network Intrusion Attacks For Intellectual Property Misappropriation System and Method
US20120179904A1 (en) * 2011-01-11 2012-07-12 Safenet, Inc. Remote Pre-Boot Authentication
US20120331553A1 (en) * 2006-04-20 2012-12-27 Fireeye, Inc. Dynamic signature creation and enforcement
US8365180B2 (en) * 2005-06-28 2013-01-29 Xanavi Informatics Corporation Information terminal, computer resource managing method, and virtual machine execution switching method
US8448170B2 (en) * 2009-11-25 2013-05-21 Novell, Inc. System and method for providing annotated service blueprints in an intelligent workload management system
US20130238785A1 (en) * 2012-03-06 2013-09-12 Rackspace Us, Inc. System and Method for Metadata Discovery and Metadata-Aware Scheduling
US8539582B1 (en) * 2004-04-01 2013-09-17 Fireeye, Inc. Malware containment and security analysis on connection
US8572613B1 (en) * 2009-12-28 2013-10-29 Amazon Technologies, Inc. Comparison of virtual computing states by performing identified repeatable computations in a changing virtual computing environment
US20130304903A1 (en) * 2012-05-09 2013-11-14 Rackspace Us, Inc. Market-Based Virtual Machine Allocation
US20140026121A1 (en) * 2012-07-20 2014-01-23 Sonatype, Inc. Method and system for correcting portion of software application
US8683548B1 (en) * 2011-09-30 2014-03-25 Emc Corporation Computing with policy engine for multiple virtual machines

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6279113B1 (en) 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
WO2002071227A1 (en) * 2001-03-01 2002-09-12 Cyber Operations, Llc System and method for anti-network terrorism
AU2003279517A1 (en) 2003-08-11 2005-02-25 Telecom Italia S.P.A. Method and system for detecting unauthorised use of a communication network
US8776050B2 (en) 2003-08-20 2014-07-08 Oracle International Corporation Distributed virtual machine monitor for managing multiple virtual resources across multiple physical nodes
JP2005316779A (en) * 2004-04-28 2005-11-10 Intelligent Cosmos Research Institute Unauthorized access detector, detection rule generation device, detection rule generation method, and detection rule generation program
US7627898B2 (en) 2004-07-23 2009-12-01 Microsoft Corporation Method and system for detecting infection of an operating system
US20060101516A1 (en) * 2004-10-12 2006-05-11 Sushanthan Sudaharan Honeynet farms as an early warning system for production networks
JP2006243878A (en) * 2005-03-01 2006-09-14 Matsushita Electric Ind Co Ltd Unauthorized access detection system
JP2008537267A (en) 2005-04-18 2008-09-11 ザ トラスティーズ オブ コロンビア ユニヴァーシティ イン ザ シティ オブ ニューヨーク System and method for detecting and deterring attacks using honeypots
US8327353B2 (en) * 2005-08-30 2012-12-04 Microsoft Corporation Hierarchical virtualization with a multi-level virtualization mechanism
JP2007079815A (en) * 2005-09-13 2007-03-29 Canon Inc Autoimmune protection system
US7774363B2 (en) 2005-12-29 2010-08-10 Nextlabs, Inc. Detecting behavioral patterns and anomalies using information usage data
US8949826B2 (en) 2006-10-17 2015-02-03 Managelq, Inc. Control and management of virtual systems
US20080222729A1 (en) 2007-03-05 2008-09-11 Songqing Chen Containment of Unknown and Polymorphic Fast Spreading Worms
US8631147B2 (en) 2007-03-12 2014-01-14 Citrix Systems, Inc. Systems and methods for configuring policy bank invocations
US20100153693A1 (en) 2008-12-17 2010-06-17 Microsoft Corporation Code execution with automated domain switching
CN102447723B (en) 2010-10-12 2015-09-09 运软网络科技(上海)有限公司 Client-side virtualization framework
US8959492B2 (en) 2010-12-14 2015-02-17 Ngmoco, Llc Communication protocol between a high-level language and a native language
US8813227B2 (en) 2011-03-29 2014-08-19 Mcafee, Inc. System and method for below-operating system regulation and control of self-modifying code
US9262246B2 (en) 2011-03-31 2016-02-16 Mcafee, Inc. System and method for securing memory and storage of an electronic device with a below-operating system security agent
US9003408B2 (en) 2012-09-28 2015-04-07 Adventium Enterprises Providing virtual machine services by isolated virtual machines

Patent Citations (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5339426A (en) * 1991-05-29 1994-08-16 Toshiba America Information Systems, Inc. System and method for resume processing initialization
US5664159A (en) * 1994-03-08 1997-09-02 Exponential Technology, Inc. Method for emulating multiple debug breakpoints by page partitioning using a single breakpoint register
US5621886A (en) * 1995-06-19 1997-04-15 Intel Corporation Method and apparatus for providing efficient software debugging
US5740413A (en) * 1995-06-19 1998-04-14 Intel Corporation Method and apparatus for providing address breakpoints, branch breakpoints, and single stepping
US6009274A (en) * 1996-12-13 1999-12-28 3Com Corporation Method and apparatus for automatically updating software components on end systems over a network
US6343280B2 (en) * 1998-12-15 2002-01-29 Jonathan Clark Distributed execution software license server
US20010011254A1 (en) * 1998-12-15 2001-08-02 Jonathan Clark Distributed execution software license server
US20020099752A1 (en) * 1999-02-19 2002-07-25 George B Markos Method and apparatus for providing configuration information using a queued direct input-output device
US6360327B1 (en) * 1999-03-12 2002-03-19 Compaq Information Technologies Group, L.P. System with control registers for managing computer legacy peripheral devices using an advanced configuration power interface software power management system
US6446062B1 (en) * 1999-12-23 2002-09-03 Bull Hn Information Systems Inc. Method and apparatus for improving the performance of a generated code cache search operation through the use of static key values
US20040025052A1 (en) * 2000-07-26 2004-02-05 David Dickenson Distributive access controller
US20020194437A1 (en) * 2001-06-14 2002-12-19 International Business Machines Corporation Methodology to stress and test LPAR isolation features
US20030023656A1 (en) * 2001-07-27 2003-01-30 International Business Machines Corporation Method and system for deadlock detection and avoidance
US20030120935A1 (en) * 2001-12-20 2003-06-26 Coretrace Corporation Kernel-based network security infrastructure
US7222366B2 (en) * 2002-01-28 2007-05-22 International Business Machines Corporation Intrusion event filtering
US7581219B2 (en) * 2002-06-07 2009-08-25 Intel Corporation Transitioning between virtual machine monitor domains in a virtual machine environment
US7464407B2 (en) * 2002-08-20 2008-12-09 Nec Corporation Attack defending system and attack defending method
US20040153672A1 (en) * 2002-11-18 2004-08-05 Arm Limited Switching between secure and non-secure processing modes
US20040177269A1 (en) * 2002-11-18 2004-09-09 Arm Limited Apparatus and method for managing access to a memory
US20080177994A1 (en) * 2003-01-12 2008-07-24 Yaron Mayer System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows
US20060288414A1 (en) * 2003-03-17 2006-12-21 Seiko Epson Corporation Method and system for preventing virus infection
US20040225877A1 (en) * 2003-05-09 2004-11-11 Zezhen Huang Method and system for protecting computer system from malicious software operation
US7392543B2 (en) * 2003-06-30 2008-06-24 Symantec Corporation Signature extraction system and method
US20050229250A1 (en) * 2004-02-26 2005-10-13 Ring Sandra E Methodology, system, computer readable medium, and product providing a security software suite for handling operating system exploitations
US20080005782A1 (en) * 2004-04-01 2008-01-03 Ashar Aziz Heuristic based capture with replay to virtual machine
US8539582B1 (en) * 2004-04-01 2013-09-17 Fireeye, Inc. Malware containment and security analysis on connection
US20120174186A1 (en) * 2004-04-01 2012-07-05 Ashar Aziz Policy Based Capture with Replay to Virtual Machine
US20070250930A1 (en) * 2004-04-01 2007-10-25 Ashar Aziz Virtual machine with dynamic data flow analysis
US20060018466A1 (en) * 2004-07-12 2006-01-26 Architecture Technology Corporation Attack correlation using marked information
US20060136720A1 (en) * 2004-12-21 2006-06-22 Microsoft Corporation Computer security management, such as in a virtual machine or hardened operating system
US20070002689A1 (en) * 2005-04-18 2007-01-04 Daniel Mateescu System and method of data source detection
US20060294592A1 (en) * 2005-06-28 2006-12-28 Microsoft Corporation Automated rootkit detector
US8365180B2 (en) * 2005-06-28 2013-01-29 Xanavi Informatics Corporation Information terminal, computer resource managing method, and virtual machine execution switching method
US20070101431A1 (en) * 2005-10-31 2007-05-03 Microsoft Corporation Identifying malware that employs stealth techniques
US20070180450A1 (en) * 2006-01-24 2007-08-02 Citrix Systems, Inc. Methods and systems for selecting a method for execution, by a virtual machine, of an application program
US7596654B1 (en) * 2006-01-26 2009-09-29 Symantec Operating Corporation Virtual machine spanning multiple computers
US20070180529A1 (en) * 2006-01-30 2007-08-02 Microsoft Corporation Bypassing software services to detect malware
US20070240221A1 (en) * 2006-04-06 2007-10-11 George Tuvell Non-Signature Malware Detection System and Method for Mobile Platforms
US20120331553A1 (en) * 2006-04-20 2012-12-27 Fireeye, Inc. Dynamic signature creation and enforcement
US20080016571A1 (en) * 2006-07-11 2008-01-17 Larry Chung Yao Chang Rootkit detection system and method
US20080127114A1 (en) * 2006-11-28 2008-05-29 Amit Vasudevan Framework for stealth dynamic coarse and fine-grained malware analysis
US7996836B1 (en) * 2006-12-29 2011-08-09 Symantec Corporation Using a hypervisor to provide computer security
US20080320594A1 (en) * 2007-03-19 2008-12-25 Xuxian Jiang Malware Detector
US20110179136A1 (en) * 2007-10-17 2011-07-21 Dispersive Networks, Inc. Apparatus, systems and methods utilizing dispersive networking
US20090307273A1 (en) * 2008-06-06 2009-12-10 Tecsys Development, Inc. Using Metadata Analysis for Monitoring, Alerting, and Remediation
US20100042632A1 (en) * 2008-08-12 2010-02-18 Tecsys Development, Inc. Log File Time Sequence Stamping
US20100095281A1 (en) * 2008-10-14 2010-04-15 Riverside Research Institute Internal Function Debugger
US20110060947A1 (en) * 2009-09-09 2011-03-10 Zhexuan Song Hardware trust anchor
US8448170B2 (en) * 2009-11-25 2013-05-21 Novell, Inc. System and method for providing annotated service blueprints in an intelligent workload management system
US8572613B1 (en) * 2009-12-28 2013-10-29 Amazon Technologies, Inc. Comparison of virtual computing states by performing identified repeatable computations in a changing virtual computing environment
US20110239291A1 (en) * 2010-03-26 2011-09-29 Barracuda Networks, Inc. Detecting and Thwarting Browser-Based Network Intrusion Attacks For Intellectual Property Misappropriation System and Method
US20130254870A1 (en) * 2010-03-26 2013-09-26 Barracuda Networks, Inc. Detecting and Thwarting Browser-Based Network Intrusion Attacks By a Virtual Machine Monitoring System, Apparatus, and Method
US20120179904A1 (en) * 2011-01-11 2012-07-12 Safenet, Inc. Remote Pre-Boot Authentication
US8683548B1 (en) * 2011-09-30 2014-03-25 Emc Corporation Computing with policy engine for multiple virtual machines
US20130238785A1 (en) * 2012-03-06 2013-09-12 Rackspace Us, Inc. System and Method for Metadata Discovery and Metadata-Aware Scheduling
US20130304903A1 (en) * 2012-05-09 2013-11-14 Rackspace Us, Inc. Market-Based Virtual Machine Allocation
US20140026121A1 (en) * 2012-07-20 2014-01-23 Sonatype, Inc. Method and system for correcting portion of software application

Cited By (236)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10044748B2 (en) 2005-10-27 2018-08-07 Georgia Tech Research Corporation Methods and systems for detecting compromised computers
US9294493B2 (en) 2005-12-12 2016-03-22 Finjan, Inc. Computer security method and system with input parameter validation
US20090019545A1 (en) * 2005-12-12 2009-01-15 Finjan Software, Ltd. Computer security method and system with input parameter validation
US9001661B2 (en) 2006-06-26 2015-04-07 Palo Alto Networks, Inc. Packet classification in a network security device
US9495152B2 (en) 2007-06-22 2016-11-15 Red Hat, Inc. Automatic baselining of business application service groups comprised of virtual machines
US8566941B2 (en) 2007-06-22 2013-10-22 Red Hat, Inc. Method and system for cloaked observation and remediation of software attacks
US20090182928A1 (en) * 2007-06-22 2009-07-16 Daniel Lee Becker Method and system for tracking a virtual machine
US8539570B2 (en) 2007-06-22 2013-09-17 Red Hat, Inc. Method for managing a virtual machine
US8949827B2 (en) 2007-06-22 2015-02-03 Red Hat, Inc. Tracking a virtual machine
US8984504B2 (en) 2007-06-22 2015-03-17 Red Hat, Inc. Method and system for determining a host machine by a virtual machine
US20100077078A1 (en) * 2007-06-22 2010-03-25 Fortisphere, Inc. Network traffic analysis using a dynamically updating ontological network description
US9477572B2 (en) 2007-06-22 2016-10-25 Red Hat, Inc. Performing predictive modeling of virtual machine relationships
US8336108B2 (en) 2007-06-22 2012-12-18 Red Hat, Inc. Method and system for collaboration involving enterprise nodes
US20090183173A1 (en) * 2007-06-22 2009-07-16 Daniel Lee Becker Method and system for determining a host machine by a virtual machine
US9569330B2 (en) 2007-06-22 2017-02-14 Red Hat, Inc. Performing dependency analysis on nodes of a business application service group
US9588821B2 (en) 2007-06-22 2017-03-07 Red Hat, Inc. Automatic determination of required resource allocation of virtual machines
US20080320592A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and system for cloaked observation and remediation of software attacks
US8127290B2 (en) 2007-06-22 2012-02-28 Red Hat, Inc. Method and system for direct insertion of a virtual machine driver
US8429748B2 (en) 2007-06-22 2013-04-23 Red Hat, Inc. Network traffic analysis using a dynamically updating ontological network description
US20080320499A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and System for Direct Insertion of a Virtual Machine Driver
US8191141B2 (en) * 2007-06-22 2012-05-29 Red Hat, Inc. Method and system for cloaked observation and remediation of software attacks
US20080320561A1 (en) * 2007-06-22 2008-12-25 Suit John M Method and System for Collaboration Involving Enterprise Nodes
US9727440B2 (en) 2007-06-22 2017-08-08 Red Hat, Inc. Automatic simulation of virtual machine performance
US10133607B2 (en) 2007-06-22 2018-11-20 Red Hat, Inc. Migration of network entities to a cloud infrastructure
US8122505B2 (en) * 2007-08-17 2012-02-21 International Business Machines Corporation Method and apparatus for detection of malicious behavior in mobile ad-hoc networks
US20090049546A1 (en) * 2007-08-17 2009-02-19 International Business Machines Corporation Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks
US20120180131A1 (en) * 2007-10-17 2012-07-12 Mcafee, Inc., A Delaware Corporation System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via vlan trunking
US8156541B1 (en) * 2007-10-17 2012-04-10 Mcafee, Inc. System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking
US8528092B2 (en) * 2007-10-17 2013-09-03 Mcafee, Inc. System, method, and computer program product for identifying unwanted activity utilizing a honeypot device accessible via VLAN trunking
US8806629B1 (en) * 2008-01-02 2014-08-12 Cisco Technology, Inc. Automatic generation of policy-driven anti-malware signatures and mitigation of DoS (denial-of-service) attacks
US20090238088A1 (en) * 2008-03-19 2009-09-24 Oki Electric Industry Co., Ltd. Network traffic analyzing device, network traffic analyzing method and network traffic analyzing system
US9264441B2 (en) 2008-03-24 2016-02-16 Hewlett Packard Enterprise Development Lp System and method for securing a network from zero-day vulnerability exploits
EP2106085A1 (en) 2008-03-24 2009-09-30 Hewlett-Packard Development Company, L.P. System and method for securing a network from zero-day vulnerability exploits
US7844744B2 (en) * 2008-04-25 2010-11-30 International Business Machines Corporation Providing server security via a security sensor application shared by multiple operating system partitions
US20090271494A1 (en) * 2008-04-25 2009-10-29 International Business Machines Corporation Method, System and Program Product for Providing Server Security Via A Security Sensor Application Shared by Multiple Operating System Partitions
US10027688B2 (en) 2008-08-11 2018-07-17 Damballa, Inc. Method and system for detecting malicious and/or botnet-related domain names
US9117078B1 (en) * 2008-09-17 2015-08-25 Trend Micro Inc. Malware behavior analysis and policy creation
US8484739B1 (en) * 2008-12-15 2013-07-09 Symantec Corporation Techniques for securely performing reputation based analysis using virtualization
US8474044B2 (en) * 2009-01-05 2013-06-25 Cisco Technology, Inc Attack-resistant verification of auto-generated anti-malware signatures
US20100175132A1 (en) * 2009-01-05 2010-07-08 Andrew Zawadowskiy Attack-resistant verification of auto-generated anti-malware signatures
US20100263049A1 (en) * 2009-04-14 2010-10-14 Microsoft Corporation Vulnerability detection based on aggregated primitives
US9231964B2 (en) 2009-04-14 2016-01-05 Microsoft Corporation Vulnerability detection based on aggregated primitives
US20170201536A1 (en) * 2010-01-06 2017-07-13 Damballa, Inc. Method and system for detecting malware
US10257212B2 (en) * 2010-01-06 2019-04-09 Help/Systems, Llc Method and system for detecting malware
US9948671B2 (en) 2010-01-19 2018-04-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US10922377B2 (en) * 2010-04-01 2021-02-16 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US20160014087A1 (en) * 2010-04-01 2016-01-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10621263B2 (en) * 2010-04-01 2020-04-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10585967B2 (en) 2010-04-01 2020-03-10 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10243927B2 (en) 2010-04-01 2019-03-26 Cloudflare, Inc Methods and apparatuses for providing Internet-based proxy services
US9009330B2 (en) * 2010-04-01 2015-04-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10855798B2 (en) 2010-04-01 2020-12-01 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US9049247B2 (en) 2010-04-01 2015-06-02 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US9369437B2 (en) 2010-04-01 2016-06-14 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10853443B2 (en) 2010-04-01 2020-12-01 Cloudflare, Inc. Internet-based proxy security services
US10169479B2 (en) * 2010-04-01 2019-01-01 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10872128B2 (en) 2010-04-01 2020-12-22 Cloudflare, Inc. Custom responses for resource unavailable errors
US10452741B2 (en) 2010-04-01 2019-10-22 Cloudflare, Inc. Custom responses for resource unavailable errors
US11494460B2 (en) 2010-04-01 2022-11-08 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10102301B2 (en) 2010-04-01 2018-10-16 Cloudflare, Inc. Internet-based proxy security services
US10984068B2 (en) 2010-04-01 2021-04-20 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10313475B2 (en) 2010-04-01 2019-06-04 Cloudflare, Inc. Internet-based proxy service for responding to server offline errors
US10671694B2 (en) 2010-04-01 2020-06-02 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US9548966B2 (en) 2010-04-01 2017-01-17 Cloudflare, Inc. Validating visitor internet-based security threats
US11675872B2 (en) 2010-04-01 2023-06-13 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US11321419B2 (en) * 2010-04-01 2022-05-03 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US11244024B2 (en) 2010-04-01 2022-02-08 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US9634993B2 (en) 2010-04-01 2017-04-25 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US9634994B2 (en) 2010-04-01 2017-04-25 Cloudflare, Inc. Custom responses for resource unavailable errors
US9628581B2 (en) 2010-04-01 2017-04-18 Cloudflare, Inc. Internet-based proxy service for responding to server offline errors
US20120117267A1 (en) * 2010-04-01 2012-05-10 Lee Hahn Holloway Internet-based proxy service to limit internet visitor connection speed
US9565166B2 (en) 2010-04-01 2017-02-07 Cloudflare, Inc. Internet-based proxy service to modify internet responses
WO2011155941A1 (en) * 2010-06-10 2011-12-15 Hewlett-Packard Development Company, L.P. Virtual machine
CN102947814A (en) * 2010-06-10 2013-02-27 惠普发展公司,有限责任合伙企业 Virtual machine
US9052965B2 (en) 2010-06-10 2015-06-09 Hewlett-Packard Development Company, L.P. Virtual machine for execution on multiple computing systems
US20120023572A1 (en) * 2010-07-23 2012-01-26 Q-Track Corporation Malicious Attack Response System and Associated Method
US8752174B2 (en) 2010-12-27 2014-06-10 Avaya Inc. System and method for VoIP honeypot for converged VoIP services
US9354960B2 (en) 2010-12-27 2016-05-31 Red Hat, Inc. Assigning virtual machines to business application service groups based on ranking of the virtual machines
US20120254951A1 (en) * 2011-03-31 2012-10-04 International Business Machines Corporation Providing protection against unauthorized network access
US8683589B2 (en) 2011-03-31 2014-03-25 International Business Machines Corporation Providing protection against unauthorized network access
US8677484B2 (en) * 2011-03-31 2014-03-18 International Business Machines Corporation Providing protection against unauthorized network access
US9769240B2 (en) 2011-05-20 2017-09-19 Cloudflare, Inc. Loading of web resources
US9342620B2 (en) 2011-05-20 2016-05-17 Cloudflare, Inc. Loading of web resources
US8695096B1 (en) 2011-05-24 2014-04-08 Palo Alto Networks, Inc. Automatic signature generation for malicious PDF files
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system
US9047441B2 (en) * 2011-05-24 2015-06-02 Palo Alto Networks, Inc. Malware analysis system
US10356106B2 (en) 2011-07-26 2019-07-16 Palo Alto Networks (Israel Analytics) Ltd. Detecting anomaly action within a computer network
CN103034806A (en) * 2011-09-30 2013-04-10 腾讯科技(深圳)有限公司 Method and terminal for processing operation
US9792430B2 (en) * 2011-11-03 2017-10-17 Cyphort Inc. Systems and methods for virtualized malware detection
US20130117849A1 (en) * 2011-11-03 2013-05-09 Ali Golshan Systems and Methods for Virtualized Malware Detection
US9749285B2 (en) * 2011-12-08 2017-08-29 Honeywell International Inc. Connected home control system with auto router port configuration and DDNS registration
US20130346630A1 (en) * 2011-12-08 2013-12-26 Honeywell International Inc. Connected home control system with auto router port configuration and ddns registration
US20130159999A1 (en) * 2011-12-15 2013-06-20 Industrial Technology Research Institute System and method for generating application-level dependencies in one or more virtual machines
US8881145B2 (en) * 2011-12-15 2014-11-04 Industrial Technology Research Institute System and method for generating application-level dependencies in one or more virtual machines
US9922190B2 (en) 2012-01-25 2018-03-20 Damballa, Inc. Method and system for detecting DGA-based malware
US11861005B2 (en) 2012-06-26 2024-01-02 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features
US10671727B2 (en) 2012-06-26 2020-06-02 Lynx Software Technologies, Inc. Systems and methods involving features of securely handling attempts to perform boot modifications(s) via a separation kernel hypervisor
US8745745B2 (en) 2012-06-26 2014-06-03 Lynuxworks, Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features
US9607151B2 (en) 2012-06-26 2017-03-28 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features
US10547674B2 (en) 2012-08-27 2020-01-28 Help/Systems, Llc Methods and systems for network flow analysis
US9894088B2 (en) 2012-08-31 2018-02-13 Damballa, Inc. Data mining to identify malicious activity
US10084806B2 (en) 2012-08-31 2018-09-25 Damballa, Inc. Traffic simulation to identify malicious activity
US9292688B2 (en) 2012-09-26 2016-03-22 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
US9665713B2 (en) 2012-09-26 2017-05-30 Bluvector, Inc. System and method for automated machine-learning, zero-day malware detection
US11126720B2 (en) 2012-09-26 2021-09-21 Bluvector, Inc. System and method for automated machine-learning, zero-day malware detection
US9864614B2 (en) * 2012-12-06 2018-01-09 Dell Products L.P. Mapping virtual devices to computing nodes
US20150169338A1 (en) * 2012-12-06 2015-06-18 Dell Products L.P. Mapping virtual devices to computing nodes
US9979742B2 (en) * 2013-01-16 2018-05-22 Palo Alto Networks (Israel Analytics) Ltd. Identifying anomalous messages
US9979739B2 (en) 2013-01-16 2018-05-22 Palo Alto Networks (Israel Analytics) Ltd. Automated forensics of computer systems using behavioral intelligence
US20170026398A1 (en) * 2013-01-16 2017-01-26 Light Cyber Ltd. Identifying anomalous messages
US9332028B2 (en) * 2013-01-25 2016-05-03 REMTCS Inc. System, method, and apparatus for providing network security
US9525700B1 (en) 2013-01-25 2016-12-20 REMTCS Inc. System and method for detecting malicious activity and harmful hardware/software modifications to a vehicle
US20160048683A1 (en) * 2013-01-30 2016-02-18 Palo Alto Networks, Inc. Malware family identification using profile signatures
US9165142B1 (en) * 2013-01-30 2015-10-20 Palo Alto Networks, Inc. Malware family identification using profile signatures
US9542556B2 (en) * 2013-01-30 2017-01-10 Palo Alto Networks, Inc. Malware family identification using profile signatures
US20140245444A1 (en) * 2013-02-22 2014-08-28 Bitdefender IPR Management Ltd. Memory Introspection Engine for Integrity Protection of Virtual Machines
US8875295B2 (en) * 2013-02-22 2014-10-28 Bitdefender IPR Management Ltd. Memory introspection engine for integrity protection of virtual machines
US20140317737A1 (en) * 2013-04-22 2014-10-23 Korea Internet & Security Agency Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system
US10257224B2 (en) * 2013-05-03 2019-04-09 Webroot Inc. Method and apparatus for providing forensic visibility into systems and networks
US20170163660A1 (en) * 2013-05-03 2017-06-08 Webroot Inc. Method and apparatus for providing forensic visibility into systems and networks
US10050986B2 (en) 2013-06-14 2018-08-14 Damballa, Inc. Systems and methods for traffic classification
US10021136B2 (en) 2013-06-24 2018-07-10 Haystack Security LLC Cyber attack disruption through multiple detonations of received payloads
US8943594B1 (en) 2013-06-24 2015-01-27 Haystack Security LLC Cyber attack disruption through multiple detonations of received payloads
US9852290B1 (en) 2013-07-12 2017-12-26 The Boeing Company Systems and methods of analyzing a software component
US9336025B2 (en) 2013-07-12 2016-05-10 The Boeing Company Systems and methods of analyzing a software component
US9396082B2 (en) 2013-07-12 2016-07-19 The Boeing Company Systems and methods of analyzing a software component
US9280369B1 (en) 2013-07-12 2016-03-08 The Boeing Company Systems and methods of analyzing a software component
US9479521B2 (en) 2013-09-30 2016-10-25 The Boeing Company Software network behavior analysis and identification system
US9516064B2 (en) 2013-10-14 2016-12-06 Intuit Inc. Method and system for dynamic and comprehensive vulnerability management
US9246935B2 (en) 2013-10-14 2016-01-26 Intuit Inc. Method and system for dynamic and comprehensive vulnerability management
US10075460B2 (en) 2013-10-16 2018-09-11 REMTCS Inc. Power grid universal detection and countermeasure overlay intelligence ultra-low latency hypervisor
US9313281B1 (en) 2013-11-13 2016-04-12 Intuit Inc. Method and system for creating and dynamically deploying resource specific discovery agents for determining the state of a cloud computing environment
US9501345B1 (en) 2013-12-23 2016-11-22 Intuit Inc. Method and system for creating enriched log data
US9323926B2 (en) * 2013-12-30 2016-04-26 Intuit Inc. Method and system for intrusion and extrusion detection
US20150186641A1 (en) * 2013-12-30 2015-07-02 Intuit Inc. Method and system for intrusion and extrusion detection
US20150205962A1 (en) * 2014-01-23 2015-07-23 Cylent Systems, Inc. Behavioral analytics driven host-based malicious behavior and data exfiltration disruption
US9923909B2 (en) 2014-02-03 2018-03-20 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US10360062B2 (en) 2014-02-03 2019-07-23 Intuit Inc. System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US9325726B2 (en) 2014-02-03 2016-04-26 Intuit Inc. Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment
US9686301B2 (en) 2014-02-03 2017-06-20 Intuit Inc. Method and system for virtual asset assisted extrusion and intrusion detection and threat scoring in a cloud computing environment
US11411984B2 (en) 2014-02-21 2022-08-09 Intuit Inc. Replacing a potentially threatening virtual asset
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US10326778B2 (en) 2014-02-24 2019-06-18 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
US11902303B2 (en) 2014-02-24 2024-02-13 Juniper Networks, Inc. System and method for detecting lateral movement and data exfiltration
US11405410B2 (en) 2014-02-24 2022-08-02 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
US10225280B2 (en) 2014-02-24 2019-03-05 Cyphort Inc. System and method for verifying and detecting malware
US10095866B2 (en) 2014-02-24 2018-10-09 Cyphort Inc. System and method for threat risk scoring of security threats
US9459987B2 (en) 2014-03-31 2016-10-04 Intuit Inc. Method and system for comparing different versions of a cloud based application in a production environment using segregated backend systems
US9245117B2 (en) 2014-03-31 2016-01-26 Intuit Inc. Method and system for comparing different versions of a cloud based application in a production environment using segregated backend systems
US9276945B2 (en) 2014-04-07 2016-03-01 Intuit Inc. Method and system for providing security aware applications
US9596251B2 (en) 2014-04-07 2017-03-14 Intuit Inc. Method and system for providing security aware applications
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US10055247B2 (en) 2014-04-18 2018-08-21 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US9374389B2 (en) 2014-04-25 2016-06-21 Intuit Inc. Method and system for ensuring an application conforms with security and regulatory controls prior to deployment
US9319415B2 (en) 2014-04-30 2016-04-19 Intuit Inc. Method and system for providing reference architecture pattern-based permissions management
US9900322B2 (en) 2014-04-30 2018-02-20 Intuit Inc. Method and system for providing permissions management
US9203855B1 (en) 2014-05-15 2015-12-01 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US11782766B2 (en) 2014-05-15 2023-10-10 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, APIs of interest, and/or other features
US9940174B2 (en) 2014-05-15 2018-04-10 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, APIs of interest, and/or other features
US9213840B2 (en) 2014-05-15 2015-12-15 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, APIs of interest, and/or other features
US9648045B2 (en) 2014-05-15 2017-05-09 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US10095538B2 (en) 2014-05-15 2018-10-09 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
US10789105B2 (en) 2014-05-15 2020-09-29 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, APIs of interest, and/or other features
US10051008B2 (en) 2014-05-15 2018-08-14 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US9390267B2 (en) 2014-05-15 2016-07-12 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
US9742794B2 (en) 2014-05-27 2017-08-22 Intuit Inc. Method and apparatus for automating threat model generation and pattern identification
US9330263B2 (en) 2014-05-27 2016-05-03 Intuit Inc. Method and apparatus for automating the building of threat models for the public cloud
US11436325B2 (en) 2014-06-26 2022-09-06 Nec Corporation Analysis device, analysis method, and storage medium in which analysis program is recorded
US10528730B2 (en) 2014-06-26 2020-01-07 Nec Corporation Analysis device, analysis method, and storage medium in which analysis program is recorded
US10050997B2 (en) 2014-06-30 2018-08-14 Intuit Inc. Method and system for secure delivery of information to computing environments
US9866581B2 (en) 2014-06-30 2018-01-09 Intuit Inc. Method and system for secure delivery of information to computing environments
US11782745B2 (en) 2014-07-01 2023-10-10 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting and/or other features
US10824715B2 (en) 2014-07-01 2020-11-03 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting, and/or other features
US20180088980A1 (en) * 2014-07-30 2018-03-29 Microsoft Technology Licensing, Llc Hypervisor-hosted virtual machine forensics
US10169071B2 (en) * 2014-07-30 2019-01-01 Microsoft Technology Licensing, Llc Hypervisor-hosted virtual machine forensics
US9473481B2 (en) 2014-07-31 2016-10-18 Intuit Inc. Method and system for providing a virtual asset perimeter
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US9832216B2 (en) 2014-11-21 2017-11-28 Bluvector, Inc. System and method for network data characterization
US9930065B2 (en) 2015-03-25 2018-03-27 University Of Georgia Research Foundation, Inc. Measuring, categorizing, and/or mitigating malware distribution paths
US10075461B2 (en) 2015-05-31 2018-09-11 Palo Alto Networks (Israel Analytics) Ltd. Detection of anomalous administrative actions
US9553886B2 (en) 2015-06-08 2017-01-24 Illusive Networks Ltd. Managing dynamic deceptive environments
US9954878B2 (en) 2015-06-08 2018-04-24 Illusive Networks Ltd. Multi-factor deception management and detection for malicious actions in a computer network
US9553885B2 (en) 2015-06-08 2017-01-24 Illusive Networks Ltd. System and method for creation, deployment and management of augmented attacker map
US9794283B2 (en) 2015-06-08 2017-10-17 Illusive Networks Ltd. Predicting and preventing an attacker's next actions in a breached network
US10623442B2 (en) 2015-06-08 2020-04-14 Illusive Networks Ltd. Multi-factor deception management and detection for malicious actions in a computer network
US10382484B2 (en) 2015-06-08 2019-08-13 Illusive Networks Ltd. Detecting attackers who target containerized clusters
US9690932B2 (en) 2015-06-08 2017-06-27 Illusive Networks Ltd. Predicting and preventing an attacker's next actions in a breached network
US9712547B2 (en) 2015-06-08 2017-07-18 Illusive Networks Ltd. Automatically generating network resource groups and assigning customized decoy policies thereto
US9985989B2 (en) 2015-06-08 2018-05-29 Illusive Networks Ltd. Managing dynamic deceptive environments
US10291650B2 (en) 2015-06-08 2019-05-14 Illusive Networks Ltd. Automatically generating network resource groups and assigning customized decoy policies thereto
US9742805B2 (en) 2015-06-08 2017-08-22 Illusive Networks Ltd. Managing dynamic deceptive environments
US10097577B2 (en) 2015-06-08 2018-10-09 Illusive Networks, Ltd. Predicting and preventing an attacker's next actions in a breached network
US9787715B2 (en) 2015-06-08 2017-10-10 Iilusve Networks Ltd. System and method for creation, deployment and management of augmented attacker map
US10142367B2 (en) 2015-06-08 2018-11-27 Illusive Networks Ltd. System and method for creation, deployment and management of augmented attacker map
WO2017013589A1 (en) * 2015-07-21 2017-01-26 Cymmetria, Inc. Decoy and deceptive data object technology
US10270807B2 (en) * 2015-07-21 2019-04-23 Cymmetria, Inc. Decoy and deceptive data object technology
US9742804B2 (en) * 2015-10-28 2017-08-22 National Technology & Engineering Solutions Of Sandia, Llc Computer network defense system
US10735466B2 (en) * 2016-02-23 2020-08-04 nChain Holdings Limited Reactive and pre-emptive security system for the protection of computer networks and systems
WO2017216735A1 (en) * 2016-06-14 2017-12-21 Cymmetria, Inc. Employing code signing as a tool in cyber-security deception
US10686829B2 (en) 2016-09-05 2020-06-16 Palo Alto Networks (Israel Analytics) Ltd. Identifying changes in use of user credentials
US10805326B1 (en) * 2016-11-21 2020-10-13 Alert Logic, Inc. Systems and methods for threat visualization with signature composure, spatial scale and temporal expansion
US10609066B1 (en) 2016-11-23 2020-03-31 EMC IP Holding Company LLC Automated detection and remediation of ransomware attacks involving a storage device of a computer network
US10333951B1 (en) * 2017-07-31 2019-06-25 EMC IP Holding Company LLC Method and system for implementing golden container storage
US10581859B2 (en) 2017-08-07 2020-03-03 International Business Machines Corporation Detection and prevention of attempts to access sensitive information in real-time
US11212288B2 (en) 2017-08-07 2021-12-28 International Business Machines Corporation Detection and prevention of attempts to access sensitive information in real-time
US20190075124A1 (en) * 2017-09-04 2019-03-07 ITsMine Ltd. System and method for conducting a detailed computerized surveillance in a computerized environment
US11750623B2 (en) * 2017-09-04 2023-09-05 ITsMine Ltd. System and method for conducting a detailed computerized surveillance in a computerized environment
CN109840419A (en) * 2017-11-29 2019-06-04 财团法人资讯工业策进会 Computer installation and recognize its software container behavior whether Yi Chang method
US11159538B2 (en) 2018-01-31 2021-10-26 Palo Alto Networks, Inc. Context for malware forensics and detection
US11863571B2 (en) 2018-01-31 2024-01-02 Palo Alto Networks, Inc. Context profiling for malware detection
US11949694B2 (en) 2018-01-31 2024-04-02 Palo Alto Networks, Inc. Context for malware forensics and detection
US11283820B2 (en) 2018-01-31 2022-03-22 Palo Alto Networks, Inc. Context profiling for malware detection
US10764309B2 (en) 2018-01-31 2020-09-01 Palo Alto Networks, Inc. Context profiling for malware detection
US10999304B2 (en) 2018-04-11 2021-05-04 Palo Alto Networks (Israel Analytics) Ltd. Bind shell attack detection
US11171970B2 (en) 2018-05-01 2021-11-09 Royal Bank Of Canada System and method for reducing false positive security events
US11212299B2 (en) * 2018-05-01 2021-12-28 Royal Bank Of Canada System and method for monitoring security attack chains
US10333976B1 (en) 2018-07-23 2019-06-25 Illusive Networks Ltd. Open source intelligence deceptions
US10404747B1 (en) * 2018-07-24 2019-09-03 Illusive Networks Ltd. Detecting malicious activity by using endemic network hosts as decoys
US11030314B2 (en) 2018-07-31 2021-06-08 EMC IP Holding Company LLC Storage system with snapshot-based detection and remediation of ransomware attacks
US10382483B1 (en) 2018-08-02 2019-08-13 Illusive Networks Ltd. User-customized deceptions and their deployment in networks
US10333977B1 (en) 2018-08-23 2019-06-25 Illusive Networks Ltd. Deceiving an attacker who is harvesting credentials
US10432665B1 (en) 2018-09-03 2019-10-01 Illusive Networks Ltd. Creating, managing and deploying deceptions on mobile devices
US11184378B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Scanner probe detection
US11316872B2 (en) 2019-01-30 2022-04-26 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using port profiles
US11184376B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Port scan detection using destination profiles
US11184377B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using source profiles
US11070569B2 (en) 2019-01-30 2021-07-20 Palo Alto Networks (Israel Analytics) Ltd. Detecting outlier pairs of scanned ports
US11494216B2 (en) 2019-08-16 2022-11-08 Google Llc Behavior-based VM resource capture for forensics
US11336690B1 (en) * 2019-11-15 2022-05-17 National Technology & Engineering Solutions Of Sandia, Llc Threat emulation framework
US11012492B1 (en) 2019-12-26 2021-05-18 Palo Alto Networks (Israel Analytics) Ltd. Human activity detection in computing device transmissions
US11509680B2 (en) 2020-09-30 2022-11-22 Palo Alto Networks (Israel Analytics) Ltd. Classification of cyber-alerts into security incidents
US11722518B2 (en) 2021-01-27 2023-08-08 Bank Of America Corporation System for providing enhanced cryptography based response mechanism for malicious attacks
US11588849B2 (en) 2021-01-27 2023-02-21 Bank Of America Corporation System for providing enhanced cryptography based response mechanism for malicious attacks
US11956212B2 (en) 2021-03-31 2024-04-09 Palo Alto Networks, Inc. IoT device application workload capture
US11799880B2 (en) 2022-01-10 2023-10-24 Palo Alto Networks (Israel Analytics) Ltd. Network adaptive alert prioritization system
CN116723055A (en) * 2023-08-08 2023-09-08 中国电信股份有限公司 Vulnerability detection method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CA2689126C (en) 2018-09-11
US20140373144A9 (en) 2014-12-18
CA2689126A1 (en) 2008-10-30
EP2149087A4 (en) 2014-07-09
AU2008242296B2 (en) 2012-06-14
JP2010525459A (en) 2010-07-22
WO2008130923A1 (en) 2008-10-30
US9866584B2 (en) 2018-01-09
EP2149087B1 (en) 2015-08-05
EP2149087A1 (en) 2010-02-03
US20150074811A1 (en) 2015-03-12
CA3013171C (en) 2020-03-10
JP5351883B2 (en) 2013-11-27
CA3013171A1 (en) 2008-10-30
AU2008242296A1 (en) 2008-10-30
EP2953049B1 (en) 2016-09-14
JP2013240114A (en) 2013-11-28
JP5579907B2 (en) 2014-08-27
EP2953049A1 (en) 2015-12-09

Similar Documents

Publication Publication Date Title
US9866584B2 (en) System and method for analyzing unauthorized intrusion into a computer network
US8656493B2 (en) Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems
US9954872B2 (en) System and method for identifying unauthorized activities on a computer system using a data structure model
US11082435B1 (en) System and method for threat detection and identification
Dang et al. Understanding fileless attacks on linux-based iot devices with honeycloud
Jaramillo Malware detection and mitigation techniques: Lessons learned from Mirai DDOS attack
US10560434B2 (en) Automated honeypot provisioning system
Alata et al. Lessons learned from the deployment of a high-interaction honeypot
US20180152470A1 (en) Method of improving network security by learning from attackers for detecting network system's weakness
Mohammadzad et al. Using rootkits hiding techniques to conceal honeypot functionality
Nazario Botnet tracking: Tools, techniques, and lessons learned
Ojugo et al. Forging A Smart Dependable Data Integrity And Protection System Through Hybrid-Integration Honeypot In Web and Database Server
Yoshioka et al. Malware sandbox analysis for secure observation of vulnerability exploitation
Jaramillo Detecting malware capabilities with Foss: lessons learned through a real-life incident
Junewon Acquiring digital evidence from Botnet attacks: procedures and methods
Li et al. Understanding IoT Security with HoneyCloud
Arbatov Development of Hybrid Honeynet for Malware Analysis

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEURALIQ, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CAPALIK, ALEN;REEL/FRAME:023322/0784

Effective date: 20091002

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: COUNTERTACK INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:NEURALIQ, INC.;REEL/FRAME:036074/0499

Effective date: 20120105

AS Assignment

Owner name: GOSECURE, INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:COUNTERTACK, INC.;REEL/FRAME:065082/0223

Effective date: 20190321