WO2020069741A1 - Network surveillance system - Google Patents

Network surveillance system

Info

Publication number
WO2020069741A1
Authority
WO
WIPO (PCT)
Prior art keywords
deception
environment
backend
network surveillance
network
Prior art date
Application number
PCT/EP2018/076961
Other languages
English (en)
Inventor
Avi KRAVITZ
Patrick PACHER
Bernhard SCHILDENDORFER
Original Assignee
Cybertrap Software Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date 2018-10-04
Publication date 2020-04-09
Application filed by Cybertrap Software Gmbh

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Definitions

  • The present invention relates to the technical field of network surveillance to detect computer network attacks.
  • Targeted attacks are carried out in multiple stages, typically including inter alia
  • Lateral movement involves orientation, movement and propagation; propagation includes establishing a foothold within the organization and expanding that foothold to additional systems within the organization.
  • In order to carry out the lateral movement stage, an attacker, whether a human being who is operating tools within the organization's network or a tool with "learning" capabilities, learns information about the environment it is operating in, such as network topology and organization structure, learns "where can I go from my current step" and "how can I go from my current step (e.g. required privileges)", learns the implemented security solutions, and then operates in accordance with that data.
  • One method to defend against such attacks, termed "honeypots", is to plant and monitor misleading information / decoys / baits, with the objective of the attacker learning of their existence and then consuming those bait resources, and to notify an
  • Access monitoring generates many false alerts, caused by non-malicious access from automatic monitoring systems and by user mistakes.
  • Conventional systems try to mitigate this problem by adding a level of interactivity to the honeypot, and by performing behavioral analysis of suspected malware.
  • An advanced attacker may use different attack techniques to enter a corporate network and to move laterally within the network in order to obtain its resource goals.
  • The advanced attacker may begin with a workstation, server or any other network entity to start his lateral movement. He uses different methods to enter the first network node, including inter alia social engineering, an existing exploit and/or vulnerability that he knows how to exercise, and a Trojan horse or any other malware allowing him to control the first node.
  • Attacker movement from node to node is performed via an "attack vector", which is an object in memory or storage of a first computer that may be used to access a second computer. Attack vectors may also be known
  • WO 2016/199120 A1 discloses a network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to the deception management server.
  • the invention proposes a network surveillance system with the features of claim 1 and a method of network surveillance with the features of claim 9.
  • The backend system actively generates, in reaction to detected attacker actions, deception commands to be executed by the deception environment.
  • The invention allows simulating allegedly real user activities in the deception environment in order to deceive the attacker and keep him busy for a long-lasting period.
  • The invention also covers a computer program with program coding means which are suitable for carrying out a method according to the invention as described above when the computer program is run on a computer.
  • The computer program itself, as well as the computer program stored on a computer-readable medium, is claimed.
  • Figure 1 is a schematic block diagram of a network surveillance system of the invention
  • Figure 2 is a scheme illustrating the basic workflow of the network surveillance remote administration of the invention
  • Figure 3 is a scheme illustrating the remote
  • Figure 4 is a scheme illustrating the alert detection and notification process of the invention.
  • Figure 5 shows a deception on demand scheme of the invention.
  • Figure 1 is a highly schematic block diagram illustrating a network surveillance system 10 of the
  • The network surveillance system is intended to be integrated into an existing regular network system, e.g. a corporate network (not shown).
  • The regular or corporate network may be connected to an external internet and may comprise, for example and in a known manner, resources including computers, databases, switches and routers, mobile devices such as smart phones and tablets, as well as monitors, printers, other types of network elements such as relays, and any Internet of Things objects etc.
  • Access to the computers and servers in the regular network may optionally be governed by an access governor, such as a directory service, that authorizes users to access computers and databases based on "credentials".
  • the access governor may be one or more local machine access controllers, or may be one or more authorization servers, such as a database server or an application server.
  • The network surveillance system 10 of the invention comprises a deception environment 12 and a deception backend system 14 (in the following short "backend").
  • The deception environment 12 comprises at least one decoy system 16 (in practice it would comprise a
  • Each decoy system 16 (or just short "decoy") can be realized either as actual hardware or as a virtualized machine (VM) and is accessible within the regular system by attack
  • A decoy (system) according to the invention thus is a fully working network node (a "real" computer with a "real" operating system etc.) that (arbitrarily) exposes certain
  • The decoy can directly react in response to actions of an attacker by generating virtual objects the attacker is seeking to discover, such as fake documents (that look real to an outsider), preferably with track-down elements (for tracing stolen documents).
  • each decoy 16 implements an agent software 18 which contains a kernel application 20 called the kernel monitoring driver, and a so-called userland agent software 22.
  • the agent software 18 may be implemented in the operating system as a layer of its own.
  • the agent software 18 is designed to perform monitoring of the deception
  • The deception environment 12 is in communication connection with the backend 14 by means of a messaging communication layer 30.
  • The messaging communication layer 30 can be implemented as a messaging protocol, such as AMQP (Advanced Message Queuing Protocol).
  • The communication layer 30 provides a publish/subscribe messaging protocol that is used for the communication between the deception environment 12/decoys 16 and the backend 14.
  • The messaging protocol is used by the Event protocol (Monitoring Events) and the Remote Administration Protocol 32.
  • the userland agent 22 can be a platform agnostic userland application that processes and forwards system activity events to the deception backend 14. To this end it uses the above-described Messaging Protocol (AMQP) 30.
  • the userland agent 22 further supports direct system manipulation (including OS-level configuration and service/application installation and management) as will be described in more detail further below.
  • the kernel driver 20 performs system and
  • the kernel driver 20 further communicates with the userland agent 22 using known
  • the kernel driver 20 can also provide an RPC (Remote Procedure Call) like interface that is exposed to the userland agent 22 only.
  • The userland agent 22 is monitored in the kernel space/kernel driver 20. The monitoring level is hidden from the attacker by means of e.g. a hiding component as known to the skilled person.
  • The deception backend 14 is designed to be responsible for processing incoming system activity events (as sent by the agent 18/decoy 16 via the messaging protocol 30), alert detection and notification/reporting, as well as managing the deception environment including OS-, service- and data-level configuration and provisioning of the decoys 16.
  • the deception backend 14 can also be capable of
  • the deception backend 14 may run on-premise or as a cloud-native application.
  • The backend 14 may further comprise an administrator or web interface 40 (cf. also Figure 2).
  • surveillance system 10 comprises a monitor and report
  • the deception environment activity is monitored by the kernel monitoring driver 20 and sent to the deception backend 14 by the userland agent 22.
  • activities monitored are referred to as events which are preferably continuously forwarded to the deception backend 14 for further analysis, alert
  • A remote administration protocol 32 is implemented as an application level protocol.
  • The remote administration protocol 32 enables the deception backend 14 to reconfigure the decoys 16, install/manage applications and services, execute arbitrary commands and populate the file system with generated data on the decoys 16.
  • The remote administration protocol 32 provides the base for automatic and intelligent counter-measures, automatic Deception on Demand as well as permutation of the deception environment (cf. further below).
  • The backend 14 comprises a multitude of modules, namely an alert detection module, an event processing module, a decoy management module, a service/lure management module, a reporting/alerting module and a remote administration module. There can be, of course, a far higher number of various services to be implemented in the backend 14.
  • Figure 2 illustrates a basic workflow scheme of the remote administration of the invention in the network surveillance system 10 of Figure 1.
  • the scheme of Figure 2 shows the interaction between three operative locations of the network surveillance system 10 including an interface 40 for user communication, shown as vertical streams with horizontal arrows indicating the flow direction (of data/signals/communication).
  • a user submits at S210 via administrator/web interface 40 a request for a certain action to the deception backend 14 which, at S220, receives that request and looks up the command definition matching the request, e.g. in a stored table or by means of an
  • the deception backend 14 then initiates the command execution at S222 to the decoys 16 via the remote administration protocol 32.
  • the backend 14 receives that additional input and forwards it to the decoy 16 (at S224) .
  • The decoy 16 receives the additional command input at S232 and executes the corresponding command handler at S234.
  • The result of the command action is then streamed from the decoy 16 to the backend 14 at S236, i.e. transmitted regularly or continuously.
  • The backend 14 receives the result at S226, and then may wait for the execution to finish before it returns the final result(s) to the administrator via interface 40, where it is displayed at S214.
  • The results may be looped through by the backend to the administrator.
  • The backend 14 may store the result(s), e.g. in a suitable memory module or database, for later investigation/auditing at S228.
  • the backend 14 may also perform checking functions and/or validations or the like of the received results.
  • FIG. 3 illustrates the deception command execution of the remote administration according to the invention in more detail.
  • the deception backend 14 sends a command request to the decoy 16 at S222 via the remote administration protocol 32, and the decoy 16 receives that command request at S230 on the level of the userland agent 22.
  • one or more execution engines 24.1, 24.2, ... are provided between the userland agent 22 and the kernel driver 20.
  • the execution engines 24.1, 24.2, ... may, for example, be embedded into the userland agent 22.
  • The remote administration protocol 32 may have support for different command languages that can be executed by the various corresponding execution engines 24.1, 24.2, .... Some examples include Lua, a Domain-Specific Language, or common scripting environments like Bash/PowerShell.
  • the userland agent 22 selects and/or spawns the appropriate execution engine 24 at S233.
  • the selected execution engine 24 may then request the kernel driver to execute the command at S234.
  • The result of the command action is then handed back to the userland agent 22 (as indicated by the double arrows in Figure 3) in order to be streamed back to the deception backend 14 at S236, as already explained above.
  • the userland agent 22 may for example comprise a "forensic alert module" which is designed to transmit
  • the backend 14 may comprise an alert detection module as shown in Figure 1.
  • Figure 4 is a scheme illustrating the alert detection and notification workflow of the invention.
  • When an attacker has landed in the decoy system 16 and is unfolding activities there, these malicious activities are detected and forwarded by the decoy's agent 18 at S410 via "Monitoring Events" of the messaging protocol 30 to the deception backend 14.
  • At the deception backend 14, the received events are associated with metadata (S424).
  • Metadata examples include DNS PTR records (reverse DNS), process relationship (the process that caused the monitored activity/event), IP
  • An alert detection is then performed at S426.
  • The alert detection can be performed on the basis of (static) rules or (dynamic) algorithms and/or by the aid of artificial intelligence.
  • A corresponding notification is then sent out at S428 to the administrator; this can be done for example by the web interface 40 or other means like email, SIEM
  • Figure 5 illustrates an embodiment of the so-called deception on demand workflow of the invention.
  • The decoy 16 detects a continuous stream of activities at S410 and forwards the same to the deception backend 14, where the activities are received (S420),
  • In reaction to the detected event(s), the backend 14 then identifies a sequence of desired actions at S520 and sends the corresponding deception commands via the remote administration protocol 32 to the decoy 16. For example, an attacker is looking for a file/document bearing a certain name; in reaction to this detected action/event a command to generate a file with this name is generated and executed, filling the file with fake content and storing the file where the attacker may eventually find it. Further possibilities to keep the attacker occupied would comprise, inter alia, installing a given program/tool, starting a given service, etc.
  • the decoys 16 receives, at S510, and
  • Command results are gathered and streamed back to the deception backend 14 at S512.
  • The deception backend 14 receives the command results and waits for the actions to complete before a final result may be displayed to the user (cf. steps S226/S214 of Figure 2). Again, like in step S228 of Figure 2, the results may be stored for later investigation/auditing.
  • The main purpose of the above illustrated method "Deception on Demand" is to dynamically adapt the deception environment to further attract the attacker's attention and lure him deeper into the deception environment of the decoy 16 (thus avoiding harm to actual production systems).
  • The basic concept of "Deception on Demand" is based on the monitored system activity and the remote administration protocol 32. If the deception backend 14 identifies some attacker activity, it will try to dynamically update the decoys 16 within the deception environment 12 to behave more like what the attacker seems to expect. Some examples include dynamically generating files with fake information based on what the attacker searches for, installing new services when e.g. a network/port scan is detected, or dynamically creating users or placing credentials into the memory/credential store of decoys 16.
  • Deception on Demand permutation is also based on the remote administration protocol. Its purpose is to make decoys 16 look real and avoid fingerprinting (means to identify decoys 16 based on collected and static information) by regularly changing what the decoys' visible surfaces (e.g. IP addresses, hostname, MAC addresses, installed and exposed services) look like. In order to simulate real user activity on the system, it may also randomly change the access and modification timestamps of files, delete them, create new ones or launch common programs (e.g. an office suite for writing documents or a browser for web access). In order to achieve this, the backend 14 actively generates commands that are suitable to simulate "real" user behaviour.
  • The invention thus provides a bidirectional communication between the deception environment 12 and the deception management backend 14 which allows the system to react directly, and without additional user interference, to attacker actions, laying out baits and lures, i.e. generating a system environment that keeps the attacker occupied within the deception environment 12.
  • The invention thus offers a system and method that drives a dynamic deception environment, while the known systems are static machine appearances.
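To make the loop of Figures 3 to 5 concrete, here is an added example (not code from the patent or from Cybertrap) modelling the backend side: event enrichment with reverse-DNS metadata (S424), rule-based alert detection (S426), deception-on-demand command generation (S520) and the decoy agent's selection of an execution engine by command language (S233/S234). The event fields, rule names, simulated engines and sample PTR table are assumptions, and the example adds one check the text does not spell out: a file name taken from attacker activity is validated against an allowlist before it is placed into a command sent to the decoy.

```python
"""Model of the deception-on-demand loop: decoy events are enriched (S424),
matched against static alert rules (S426), turned into remote administration
commands (S520) and run by the engine the userland agent selects (S233/S234).
Event shapes, rule names and the simulated engines are constructed here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A file name observed in attacker activity is attacker-controlled data; it is
# only embedded in a decoy command if it matches this conservative allowlist.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Stand-ins for the decoy's execution engines (Figure 3); they only echo.
SIM_ENGINES = {
    "bash": lambda script: f"[bash] {script}",
    "powershell": lambda script: f"[powershell] {script}",
}

@dataclass
class Command:
    engine: str   # command language; the agent picks the matching engine
    script: str   # body in that language
    reason: str   # triggering event type, kept for auditing (cf. S228)

@dataclass
class Alert:
    rule: str
    decoy: str
    detail: str

def enrich(event: dict, ptr_records: Dict[str, str]) -> dict:
    """S424: attach metadata, here the reverse-DNS (PTR) name of the source."""
    enriched = dict(event)
    enriched["src_ptr"] = ptr_records.get(event.get("src_ip", ""), "unknown")
    return enriched

def detect(event: dict) -> Optional[Alert]:
    """S426: static rules; every interactive action on a decoy is suspicious."""
    rules = {"file_search": "decoy-file-search", "port_scan": "decoy-port-scan",
             "cred_access": "decoy-credential-access"}
    rule = rules.get(event["type"])
    if rule is None:
        return None
    return Alert(rule, event["decoy"], f"{event['src_ptr']} ({event['src_ip']})")

def deception_on_demand(event: dict) -> List[Command]:
    """S520: commands that make the decoy match what the attacker expects."""
    if event["type"] == "file_search":
        name = event["query"]
        if not SAFE_NAME.match(name):
            return []                           # never build a command from it
        script = f"printf 'CONFIDENTIAL - draft\\n' > /home/shared/{name}"
        return [Command("bash", script, "file_search")]
    if event["type"] == "port_scan":            # expose a new service
        return [Command("bash", "systemctl start vsftpd", "port_scan")]
    if event["type"] == "cred_access":          # plant a decoy credential
        return [Command("powershell",
                        "cmdkey /add:FILESRV01 /user:svc_backup /pass:DECOY-PW",
                        "cred_access")]
    return []

def userland_agent(cmd: Command, engines: dict) -> dict:
    """Decoy side: select the engine for cmd.engine and stream the result back."""
    run = engines.get(cmd.engine)
    if run is None:
        return {"status": "error", "output": f"no engine for {cmd.engine}"}
    return {"status": "ok", "output": run(cmd.script)}

def backend_cycle(event: dict, ptr_records: Dict[str, str], engines: dict):
    """One pass of Figure 5: receive (S420), enrich, detect, react, collect."""
    ev = enrich(event, ptr_records)
    alert = detect(ev)
    results = [userland_agent(c, engines) for c in deception_on_demand(ev)]
    return alert, results
```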

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

Network surveillance system (10), comprising: a deception environment (12) comprising at least one decoy system (16); and a deception backend system (14), the deception backend system (14) being in communication connection with the deception environment (12) via a messaging communication layer (30). The deception environment (12) further comprises a monitoring and reporting function for processing and transmitting system activity information to the deception backend system (14) via the messaging communication layer (30); and a system manipulation function for executing deception commands received from the deception backend system (14) via the messaging communication layer (30).

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/076961 WO2020069741A1 (fr) 2018-10-04 2018-10-04 Network surveillance system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/076961 WO2020069741A1 (fr) 2018-10-04 2018-10-04 Network surveillance system

Publications (1)

Publication Number Publication Date
WO2020069741A1 (fr) 2020-04-09

Family

ID=63787955

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/076961 WO2020069741A1 (fr) 2018-10-04 2018-10-04 Network surveillance system

Country Status (1)

Country Link
WO (1) WO2020069741A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11818172B1 (en) 2021-08-24 2023-11-14 Amdocs Development Limited System, method, and computer program for a computer attack response service

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8549643B1 (en) * 2010-04-02 2013-10-01 Symantec Corporation Using decoys by a data loss prevention system to protect against unscripted activity
US20150121529A1 (en) * 2012-09-28 2015-04-30 Juniper Networks, Inc. Dynamic service handling using a honeypot
WO2016199120A1 (fr) 2015-06-08 2016-12-15 Illusive Networks Ltd. System and method for creating, deploying and managing an augmented attacker map
WO2017013589A1 (fr) * 2015-07-21 2017-01-26 Cymmetria, Inc. Technology for using decoys and deceptive data objects
WO2018025157A1 (fr) * 2016-07-31 2018-02-08 Cymmetria, Inc. Deploying deception campaigns using communication breadcrumbs

Similar Documents

Publication Publication Date Title
US11888897B2 (en) Implementing decoys in a network environment
US10623442B2 (en) Multi-factor deception management and detection for malicious actions in a computer network
US10382484B2 (en) Detecting attackers who target containerized clusters
US10567431B2 (en) Emulating shellcode attacks
US9942270B2 (en) Database deception in directory services
US9609019B2 (en) System and method for directing malicious activity to a monitoring system
US10397273B1 (en) Threat intelligence system
US10476891B2 (en) Monitoring access of network darkspace
US9356950B2 (en) Evaluating URLS for malicious content
US11050787B1 (en) Adaptive configuration and deployment of honeypots in virtual networks
WO2016081561A1 (fr) System and method for directing malicious activity to a monitoring system
Haseeb et al. A measurement study of IoT-based attacks using IoT kill chain
WO2020069741A1 (fr) Network surveillance system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18782726; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18782726; Country of ref document: EP; Kind code of ref document: A1)