Systems and methods for monitoring bait to protect users from security threats
US-2019108333-A1 · Apr 11, 2019 · US
Preventing ransomware from encrypting files on a target machine
US11010469B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11010469-B2 |
| Application number | US-201816130636-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 13, 2018 |
| Priority date | Sep 13, 2018 |
| Publication date | May 18, 2021 |
| Grant date | May 18, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.
First claim
Opening claim text (preview).
What is claimed is: 1. A system, comprising: a processor configured to: monitor file system activities on a computing device; detect an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver; perform an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder; and a memory coupled to the processor and configured to provide the processor with instructions. 2. The system of claim 1 , wherein the processor is further configured to: detect a file open event associated with the honeypot file. 3. The system of claim 1 , wherein the processor is further configured to: detect a setting file information event associated with the honeypot file. 4. The system of claim 1 , wherein the processor is further configured to: detect a writing into a file event associated with the honeypot file. 5. The system of claim 1 , wherein the processor is further configured to: detect an enumerating a directory event associated with the honeypot folder. 6. The system of claim 1 , wherein the processor is further configured to: generate a plurality of honeypot files. 7. The system of claim 1 , wherein the processor is further configured to: generate a plurality of honeypot folders. 8. The system of claim 1 , wherein the processor is further configured to: generate a plurality of honeypot files in a protected directory. 9. The system of claim 1 , wherein the processor is further configured to: generate a plurality of honeypot folders in a protected directory. 10. The system of claim 1 , wherein the processor is further configured to: kill a process based on the policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder associated with the process. 11. The system of claim 1 , wherein the processor is further configured to: generate an alert based on the policy in response to the unauthorized activity associated with the honeypot file or honeypot folder. 12. The system of claim 1 , wherein detect the unauthorized activity associated with the honeypot file or the honeypot folder further comprises: detect an enumerating directory event on the computing device; allow a default system behavior if the enumerating directory event is associated with a non-protected directory; and inject fake start entries if the enumerating directory event is associated with an enumeration at a beginning of a protected directory or inject fake end entries if the enumerating directory event is associated with an enumeration at an end of the protected directory. 13. A method, comprising: monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder. 14. The method of claim 13 , further comprising detecting a file open event associated with the honeypot file. 15. The method of claim 13 , further comprising detecting a setting file information event associated with the honeypot file. 16. The method of claim 13 , further comprising detecting a writing into a file event associated with the honeypot file. 17. The method of claim 13 , further comprising detecting an enumerating a directory event associated with the honeypot folder. 18. The method of claim 13 , further comprising generating a plurality of honeypot files and/or honeypot folders. 19. The method of claim 13 , further comprising generating a plurality of honeypot files and/or honeypot folders in a protected directory. 20. The method of claim 13 , further comprising killing a process based on the policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder associated with the process. 21. The method of claim 13 , further comprising generating an alert based on the policy in response to the unauthorized activity associated with the honeypot file or honeypot folder. 22. The method of claim 13 , further comprising: detecting an enumerating directory event on the computing device; allowing a default system behavior if the enumerating directory event is associated with a non-protected directory; and injecting fake start entries if the enumerating directory event is associated with an enumeration at a beginning of a protected directory or inject fake end entries if the enumerating directory event is associated with an enumeration at an end of the protected directory. 23. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for: monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or a honeypot folder, wherein the honeypot file is a virtual file generated as a spoofed file system response using a filter driver or the honeypot folder is a virtual folder generated as the spoofed file system response using the filter driver, wherein the virtual file is dynamically generated with a spoofed header, a spoofed time stamp, and a spoofed file size using the filter driver; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or the honeypot folder. 24. The computer program product of claim 23 , further comprising computer instructions for detecting a file open event associated with the honeypot file. 25. The computer program product of claim 23 , further comprising computer instructions for detecting a setting file information event associated with the honeypot file. 26. The computer program product of claim 23 , further comprising computer instructions for detecting a writing into a file event associated with the honeypot file. 27. The computer program product of claim 23 , further comprising computer instructions for detecting an enumerating a directory event associated with the honeypot folder. 28. The computer program product of claim 23 , further comprising computer instructions for generating a plurality of honeypot files and/or honeypot folders. 29. The computer program product of claim 23 , further comprising computer instructions for generating a plurality of honeypot files and/or honeypot folders in a protected directory. 30. The computer program product of claim 23 , further comprising killing a process based on the policy in response to the unauthorized activity associated with the honeypot file or the honeypot fo
Assignees
Inventors
Classifications
- G06F21/554Primary
involving event detection and direct action · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Test or assess a computer or a system · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11010469B2 cover?
- Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an a…
- Who is the assignee on this patent?
- Palo Alto Networks Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/554. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue May 18 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).