Ransomware mitigation system
    Granted patent

Publication number: US10509905B2

    Publication date: 2019-12-17

    Application number: US15695952

    Filing date: 2017-09-05

    Abstract: Endpoints in a network environment include remote file systems mounted thereto that reference a file system generator that responds to file system commands with deception data. Requests to list the contents of a directory are intercepted, such as while a response is passed up through an IO stack. The response is modified to include references to deception files and directories that do not actually exist on the system hosting the file system generator. The number of the deception files and directories may be randomly selected. Requests to read deception files are answered by generating a file having a file type corresponding to the deception file. Deception files may be written back to the system by an attacker and then deleted.

    Distributed system for Bot detection

Publication number: US09769204B2

    Publication date: 2017-09-19

    Application number: US14458026

    Filing date: 2014-08-12

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

    Deceiving attackers in endpoint systems

Publication number: US11038658B2

    Publication date: 2021-06-15

    Application number: US16420074

    Filing date: 2019-05-22

    Abstract: An endpoint executes a deflection service that detects failed connection attempts (TCP RST packets) and evaluates whether they are likely the result of a reconnaissance attack. If an inbound connection fails, a connection request packet (TCP SYN) is sent to a decoy server that includes data from the TCP RST packet. The decoy server then completes a connection handshake with a destination of the TCP RST packet and engages a process at the destination. If an outbound connection fails, the deflection service facilitates a connection between a process executing on the endpoint and the decoy server and associated with a destination port referenced by the TCP RST packet.

    Authentication incident detection and management

Publication number: US10542044B2

    Publication date: 2020-01-21

    Application number: US15142860

    Filing date: 2016-04-29

Abstract: A system reports credentials on nodes of a network. Nodes are assigned to security silos. If a credential reported from a node is found to match a credential found on a node outside of its security silo, or to be for authentication with a node outside its security silo, an alert is generated unless proper precautions are in place. Credentials may be reported as one-way hashes of credentials. Security silos may be automatically generated to segregate at-risk nodes from critical servers based on the presence or use of email clients and browsers. Precautions that may be used to suppress alerts include the use of a KERBEROS TGT.

    Monitoring access of network darkspace

Publication number: US10476891B2

    Publication date: 2019-11-12

    Application number: US14805202

    Filing date: 2015-07-21

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Dark space in a network (unused IP addresses, unused ports and absent applications, and invalid usernames and passwords) is consumed by a BotSink such that attempts to access darkspace resources will be directed to the BotSink, which will engage the source host of such attempts.

Emulating shellcode attacks
    Granted patent

Publication number: US10567431B2

    Publication date: 2020-02-18

    Application number: US15157082

    Filing date: 2016-05-17

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

    Luring attackers towards deception servers

Publication number: US10375110B2

    Publication date: 2019-08-06

    Application number: US15153471

    Filing date: 2016-05-12

Abstract: Endpoints in a computer network create connections to a deception server without sending any payload data. The connections create records of the connection on the endpoints, by which an attacker accesses the deception server. Received packets that include payload data are determined to be unauthorized. The deception server acquires IP addresses in various VLANs and provides these IP addresses to the endpoints over a secure channel. The connections from the endpoints to the deception server are not performed on the secure channel. IP addresses acquired by the deception server are not assigned to an interface. Instead, NAT is used to route packets including the IP addresses to various engagement servers. Each IP address is assigned a unique hostname in order to appear as multiple distinct servers. The deception server further generates broadcast traffic to generate other records that may be used to lure an attacker to the deception server.

Evaluating URLs for malicious content
    Granted patent (in force)

Publication number: US09356950B2

    Publication date: 2016-05-31

    Application number: US14466646

    Filing date: 2014-08-22

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Requests by a user system for a resource at a URL may be received by a firewall, and a honey client module may access the URL and permit installation of malicious code or other malicious activities. In response to detecting malicious activities, the honey client module characterizes the malicious activity to generate a descriptor used to detect malicious code in other systems. The URL may also be blacklisted by the firewall.

METHODS AND APPARATUS FOR REDIRECTING ATTACKS ON A NETWORK
    Patent application (in force)

Publication number: US20150128246A1

    Publication date: 2015-05-07

    Application number: US14074532

    Filing date: 2013-11-07

    CPC classification number: H04L63/0209

Abstract: A system is disclosed for protecting a network against malicious attacks or attempts at unauthorized access. A network is connected to an external network by a number of firewalls. Inspectors detect packets blocked by the firewalls, and some or all of the packets are directed to a labyrinth configured to emulate an operational network and respond to the packets in order to engage an attacker. Blocked packets may be detected by comparing packets entering and exiting a firewall. Packets for which corresponding packets are not received within a transit delay may be identified as blocked. Entering and exiting packets may be compared by comparing only header information. A central module may receive information from the inspectors, generate statistical information, and generate instructions for the inspectors, such as blacklists of addresses known to be used by attackers.

    SYSTEMS, METHODS, AND DEVICES FOR PREVENTING CREDENTIAL PASSING ATTACKS

Publication number: US20230319087A1

    Publication date: 2023-10-05

    Application number: US18182979

    Filing date: 2023-03-13

Abstract: In some embodiments, a computer-implemented method for preventing credential passing attacks comprises: receiving an input; determining whether the input is a credential access command, wherein the determination comprises searching for occurrences of references to executables related to adding, reading, copying, or performing actions with respect to a credential; if the input is determined to be a credential access command, performing anomaly detection, wherein performing the anomaly detection comprises evaluating whether a user is a valid domain user, whether an elapsed time of the credential is greater than a maximum lifetime of the credential, and whether a privilege attribute certificate of the credential is valid; determining that an anomaly exists if the command was generated by an invalid domain user, an elapsed time of a credential is greater than a maximum lifetime, or the privilege attribute certificate of the credential is invalid; and performing mitigation of the anomaly.