Invention for Systems and Methods for Detecting and Tracking Adversary Trajectory

Invented by Satnam Singh, Mohammad Waseem, Suril Desai, Venkata Babji Sama, Rajendra Gopalakrishna, Acalvio Technologies Inc

The market for systems and methods for detecting and tracking adversary trajectory is rapidly growing due to the increasing need for advanced security measures in various industries. Adversary trajectory refers to the path taken by an individual or group that poses a threat to security, such as terrorists, criminals, or intruders. The ability to detect and track these trajectories is crucial in preventing potential attacks and ensuring the safety of people and assets.

The market for systems and methods for detecting and tracking adversary trajectory is driven by the growing demand for advanced security solutions in various industries, including defense, transportation, and critical infrastructure. The increasing frequency and severity of security threats have led to a greater need for advanced technologies that can detect and track potential adversaries in real time.

One of the key drivers of this market is the growing adoption of artificial intelligence (AI) and machine learning (ML) technologies. These technologies enable systems to analyze vast amounts of data and identify patterns that may indicate a potential threat. AI and ML algorithms can also learn from past incidents and improve their accuracy over time. Another factor driving the market is the increasing use of unmanned aerial vehicles (UAVs) or drones. These devices can be used by adversaries to conduct surveillance or launch attacks, making it essential to have systems that can detect and track their trajectory.

The market for systems and methods for detecting and tracking adversary trajectory is highly competitive, with numerous players offering a range of solutions. Some of the key players in this market include Raytheon Company, Lockheed Martin Corporation, Northrop Grumman Corporation, and BAE Systems plc.
In conclusion, the market for systems and methods for detecting and tracking adversary trajectory is expected to grow significantly in the coming years. The increasing demand for advanced security solutions, the adoption of AI and ML technologies, and the growing use of UAVs are all driving this growth. As the security landscape continues to evolve, the need for advanced systems and methods for detecting and tracking adversary trajectory will only continue to increase.

The Acalvio Technologies Inc invention works as follows

This disclosure is about using network flow data of a network in order to determine an attack’s trajectory. In some examples, an adjacency structure is created for the network. The adjacency structure can include machines of the network that have interacted with other machines of the same network. The network may also include one or several deception mechanisms. When a machine interacts with one of the deception mechanisms, the interaction can indicate that an attack has occurred. The attack trajectory can be determined by finding, in the adjacency structure, the machine that interacted with the deception mechanism. The information from the interaction between the deception mechanism and the machine, together with the machine information for every machine, can be correlated to create the attack trajectory information.

Background for Systems and Methods for Detecting and Tracking Adversary Trajectory

Information security attacks are a threat to a network. An attack may attempt to steal, destroy, disable, alter, or expose a network resource. It can be difficult to locate such an attack. There is a need to improve the ability to locate an attack.

Provided are methods, including computer-implemented methods and methods implemented by network devices, devices including network devices, and computer program products for detecting an adversary’s trajectory. A system can track the trajectory of an adversary to locate weaknesses on machines in a network. This is true even if the adversary has not triggered an alarm. In particular, an attack trajectory can reveal the path an adversary has taken through a network. For example, the attack trajectory can reveal that an adversary had accessed another machine in the network before the access that was detected. This would indicate that the adversary is actually attacking the network.

In some examples, a method includes receiving machine information about machines connected to a network. Machine information can include information identifying a specific machine. The method may also include receiving interaction information about the machines, which can include information about interactions between the machines. The method may further comprise determining interactions between machines. The interactions can be determined by analyzing the interaction information along with the machine information. The method may also include generating an adjacency data structure using the interactions. Generating the adjacency structure can include correlating the interactions, and correlating an interaction can include associating one machine with another machine that is determined to have interacted with it.

In some cases, the method also includes receiving new interaction information about the machines. New interaction information may include information about new interactions between machines. In some cases, the new interactions may occur after the original interaction information was received. The method may also include determining the new interactions between machines. In order to determine the one or more new interactions, the new interaction information can be analyzed together with the machine information. The method may also include updating the adjacency data structure. The updated adjacency structure can include the one or more new interactions.

In some cases, the method also includes deploying a deception mechanism in the network. Deception mechanisms can be added to a network in order to attract an attacker. In some cases, the deception mechanism can be a service that is emulated on a port. A machine connected to the network can request an interaction, and in some cases the request is received by a port of the deception mechanism. The method can include receiving deception mechanism interaction information. Deception mechanism interaction information can include information about the machine as well as information about the interaction between the deception mechanism and the machine. The method may also include identifying the machine in the adjacency data structure. The method may also include creating an attack trajectory data structure. The attack trajectory data structure can be created by determining which machines are directly or indirectly connected, in the adjacency structure, to the identified machine. The method may also include determining an attack trajectory path within the attack trajectory data structure. The attack trajectory can be a path through the attack trajectory data structure from the identified machine to one or more other machines.

In some cases, the method also includes generating an attack graph. The attack graph may be a visual representation of the attack trajectory data structure. Each node in the attack graph may correspond to a machine from the plurality of machines. Each edge of the attack graph can represent an interaction between two machines from the plurality. The method may also include highlighting the attack trajectory on the attack graph. In some cases, the method also includes calculating a probability that a certain portion of the attack path on the graph is associated with an adversary. Calculating the probability may include using authentication logs and network flow information.
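As an added illustration (not code from the patent or from Acalvio), here is a minimal Python model of the method described in the preceding paragraphs: an adjacency structure built and updated from constructed flow records, identification of the machine that touched a deception mechanism, a backward walk over the structure to enumerate candidate trajectories, and a crude corroboration score from constructed authentication events. It assumes flow records carry timestamps and only follows interactions that precede the decoy contact, a time-ordering constraint the patent text itself does not state.

```python
from collections import defaultdict

# Constructed sample data (not from the patent): flow records as (src, dst, time),
# one deployed deception mechanism, and authentication events seen as (src, dst).
FLOWS = [
    ("ws-1", "fileserver", 100),
    ("ws-2", "ws-3", 110),
    ("ws-3", "ws-1", 120),
    ("ws-1", "decoy-smb", 130),  # contact with the deception mechanism
    ("ws-4", "ws-1", 140),       # later than the decoy contact: not on the inbound path
]
DECOYS = {"decoy-smb"}
AUTH_EVENTS = {("ws-3", "ws-1")}  # hypothetical logon recorded in authentication logs

def update_adjacency(adj, new_flows):
    """Fold interaction information into the adjacency structure (dst -> [(src, time)]).
    Keying by destination lets us walk backwards from the machine that hit a decoy."""
    for src, dst, ts in new_flows:
        adj[dst].append((src, ts))
    return adj

def build_adjacency(flows):
    return update_adjacency(defaultdict(list), flows)

def decoy_contacts(adj, decoys):
    """Machines that interacted with a deception mechanism, with the contact time."""
    return [(src, ts) for d in decoys for src, ts in adj.get(d, [])]

def attack_trajectories(adj, start, before, max_hops=6):
    """Candidate trajectories into `start`: maximal backward paths over interactions
    that occurred before `before`, each returned oldest-first (the attacker's order)."""
    found = []
    def walk(node, t, path, seen):
        extended = False
        for src, ts in adj.get(node, []):
            if ts < t and src not in seen and len(path) < max_hops:
                extended = True
                walk(src, ts, [src] + path, seen | {src})
        if not extended and len(path) > 1:
            found.append(path)

    walk(start, before, [start], {start})
    return found

def corroboration(path, auth_events):
    """Fraction of hops backed by an authentication event: a crude stand-in for the
    probability that this segment of the attack path is adversary activity."""
    hops = list(zip(path, path[1:]))
    return sum(hop in auth_events for hop in hops) / len(hops)
```

With the constructed flows, the only candidate trajectory into the decoy toucher is ws-2 → ws-3 → ws-1; the later ws-4 → ws-1 flow is excluded because it postdates the decoy contact.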

In order to give a better understanding of the examples, specific details are included in the description. It will become clear that the examples can be performed without these details. The figures and descriptions are not meant to be restrictive.

The following description is intended only to provide examples and not to limit the scope of application or configuration. The ensuing examples are intended to provide those skilled in the art with a description that will enable them to implement an example. The function and arrangement of elements can be changed without departing from the spirit of the disclosure, as stated in the claims.

Network deception mechanisms, also known as “honeypots”, “honey tokens”, and “honey nets”, are among the many ways to defend a network from threats. Other methods of protecting a network include distracting or diverting the threat. Honeypot-type deception mechanisms can be installed on a network to protect a specific site network, such as a business office. Honeypot-type mechanisms are usually configured so that they cannot be distinguished from the active production systems within the network. Deception mechanisms of this type are also configured to appear vulnerable and/or attractive to network threats, for example by holding data that appears valuable. Deception mechanisms may look like legitimate components of a site network; however, they are not part of normal network operation and are not accessed by normal users. Because normal site users neither use nor access deception mechanisms, any access to one is suspected of being a network threat.

“Normal” operation of a network includes, in general, network activity that is consistent with the purpose of the network. Normal or legitimate network activity can include, for example, the operation of an educational institution, a medical facility, a government office, or a home. Normal network activity can also include the non-business-related, casual activity of users of a network, such as accessing personal email and visiting websites on personal time, or using network resources for personal use. Normal network activity includes the operation of security devices such as firewalls, anti-virus software, intrusion detection, intrusion prevention, email filters, adware blocking, etc. Normal operation excludes deception mechanisms because they are not meant to be used in casual or business activities. Deception mechanisms are not usually used by network users or network systems, except for perhaps the most basic administrative tasks. Access to a deception mechanism that is not part of routine network administration tasks can therefore indicate a network threat.

Threats against a network include active attacks, where an attacker interacts with or engages systems within the network in order to steal information or harm the network. The attacker can be either a human or an automated system. Active attacks can include denial-of-service (DoS), distributed denial-of-service (DDoS), spoofing, and “man-in-the-middle” attacks. Attacks can also involve malformed requests to the network (e.g. Address Resolution Protocol (ARP) attacks, the “ping of death”, etc.). Other attacks include buffer, heap or stack overflows, format string attacks, and others. Malicious software that is self-replicating or self-triggering can also be a threat to a network. The malicious software can be innocuous until it is activated; once activated, it will try to steal data from the network or cause harm to the network. Malicious software spreads itself by infecting other computers on a network. Malicious software includes ransomware, viruses and Trojan horses, as well as spyware, keyloggers, rootkits, and rogue software.

In the information security field, it is difficult to pinpoint where an attack may have taken place on a particular network. Even when an attack is detected, determining its trajectory is difficult. This disclosure is about using network flow data of a network in order to determine an attack’s trajectory. In some examples, an adjacency structure is generated for a network. The adjacency structure can include a network machine that has interacted with another network machine. A machine can be linked to other machines in the adjacency structure when there has been an interaction between the machine and another machine. The adjacency structure can be updated when new interactions on the network occur.

In some cases, the network may also include one or more deception mechanisms. A deception mechanism can imitate one or multiple services on one port or several ports. When a machine interacts with a deception mechanism, the interaction can indicate an attack. An attack trajectory data structure is generated when the attack occurs. Within the attack trajectory data structure, a path for an attack trajectory can be determined. In the case of multiple possible trajectories, a probability for each trajectory can be calculated to determine whether the trajectory is likely associated with an adversary. It should be acknowledged that an attack could also be detected by systems other than deception mechanisms (e.g. an intrusion detection or prevention system, a security information and event manager, etc.).

I. Deception-based Security Systems

FIG. 1 shows an example of how a network-based threat detection and security system 100 can be implemented. The network security system 100, or network threat detection system 100, provides security to a site network 104 using deceptive security mechanisms, some of which are called “honeypots”. The deception center 108, or sensors 110 (also known as deception sensors) installed in the site network 104, can be used to control and insert the deceptive security mechanisms. In some implementations the deception center 108 and sensors 110 may interact with a security services provider located outside the site network. The deception center 108 can also exchange or obtain data from sources on the Internet 150.

Deception-based security mechanisms (sometimes called “honeypots”) can be used to deflect and/or divert unauthorized network use away from the actual network assets. A deception-based security mechanism can be implemented by a computer connected to the network, a program running on a networked system, or any other device connected to the network. A security mechanism can be configured to provide services, either real or simulated, as bait to lure an attacker. Data-based deception security measures, also known as “honey tokens”, may take the form of data. Honey tokens can be mixed with real data on network devices. Alternatively, or in addition, emulated data can be provided by emulated services or systems.

Deceptive mechanisms can be used to detect an attack on the network. Deceptive security mechanisms are usually configured to look like legitimate components of a network. However, these security mechanisms are not part of normal network operation, and normal network activity is unlikely to involve access to them. Any access to the security mechanisms over the network is therefore suspect.

The network security system 100 can deploy deceptive security mechanisms in a dynamic and targeted manner. The system 100 scans the site network and determines its topology using the deception center 108. The deception center 108 can then decide which devices should be emulated by security mechanisms, including their type and behavior. Security mechanisms can be selected and configured to specifically attract the attention of network attackers. Security mechanisms can also be selected and deployed based on suspicious network activity. Security mechanisms can be removed, modified or replaced in response to activity on the network, in order to divert, isolate and confirm the activity.

The site network 104 can be installed in many places, including a business office, a school, a hospital, a government building, or a home. The site network 104 can be described as a local area network (LAN) or a collection of LANs. The site network 104 can be a single site that belongs to an organization with multiple sites in different geographical locations. The deception center 108 can provide network security for one site network 104 or for multiple site networks 104 that belong to the same organization.

The site network 104 contains the network devices and users that are part of an organization’s network. The site network 104 can include network infrastructure such as routers, switches, hubs, wireless base stations, repeaters, or network controllers. The site network 104 can also include computing devices, such as desktop computers, laptops, tablet computers and smartphones, among other things. The site network 104 can also include analog and digital electronic devices that have network interfaces, such as TVs, entertainment systems and thermostats.

The deception center 108 is responsible for network security of the site network 104 (or multiple site networks 104). It does this by installing security mechanisms in the site network 104 and monitoring the site network 104 through these mechanisms. In various implementations, the deception center 108 can communicate with sensors 110 installed in the site network 104 using network tunnels 120. The tunnels 120, as described below, may allow the site network 104 to be located on a different subnetwork (“subnet”) from the deception center 108, on a separate network, or even at a remote location.
