Protecting critical data and application execution from brute force attacks
US-2019306168-A1 · Oct 3, 2019 · US
US11089056B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11089056-B2 |
| Application number | US-201816146261-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 28, 2018 |
| Priority date | Sep 28, 2018 |
| Publication date | Aug 10, 2021 |
| Grant date | Aug 10, 2021 |
Official abstract text for this publication.
A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detected by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
Opening claim text (preview).
What is claimed is:

1. A computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of: creating key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key; providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list; cryptographically securing the honeypot file by encrypting the honeypot file with the private encryption key to provide a tagged file; storing the tagged file on a data store in the enterprise network; storing the public decryption key in a central keystore for the enterprise network; detecting a retrieval of the public decryption key from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and initiating a remedial action responsive to detecting the retrieval associated with the authentication of the tagged file by the device, the remedial action including monitoring subsequent network activity within the enterprise network by the device.

2. A method comprising: providing key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key; providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list; cryptographically securing the honeypot file with the key material to provide a tagged file; storing the tagged file on a data store in an enterprise network; storing at least a portion of the key material in a central keystore for the enterprise network; detecting a retrieval of the portion of the key material from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and initiating a remedial action responsive to the retrieval associated with the authentication of the tagged file.

3. The method of claim 2 wherein the key material includes an asymmetric key pair.

4. The method of claim 2 wherein cryptographically securing the honeypot file includes using the key material to encrypt the honeypot file.

5. The method of claim 2 wherein cryptographically securing the honeypot file includes using the key material to digitally sign the honeypot file.

6. The method of claim 2 wherein the data store includes at least one of network storage for the enterprise network and a directory on an endpoint in the enterprise network.

7. The method of claim 2 wherein the central keystore includes at least one of a remote cloud resource for the enterprise network, and a third party trusted resource.

8. The method of claim 2 wherein detecting the retrieval of the key material includes at least one of detecting an opening of the tagged file and detecting the retrieval of the key material includes detecting an authentication of the tagged file.

9. The method of claim 2 wherein the retrieval of the key material is requested from a file system extension on an endpoint that controls access to encrypted content.

10. The method of claim 2 wherein the retrieval of the key material is requested from a decryption tool on an endpoint.

11. The method of claim 2 wherein initiating the remedial action includes identifying the device as a malicious intruder.

12. The method of claim 11 wherein the remedial action includes at least one of blacklisting the malicious intruder from the enterprise network, redirecting the malicious intruder to a honeypot, and monitoring activities of the malicious intruder.

13. The method of claim 2 wherein the remedial action includes triggering an alert.

14. The method of claim 2 wherein the data store is on an endpoint of the enterprise network, and wherein the remedial action includes remediating the endpoint.

15. The method of claim 14 wherein remediating the endpoint includes at least one of quarantining the endpoint and pulling one or more keys for access to secure content on the endpoint from the endpoint.

16. The method of claim 2 wherein providing the honeypot file includes selecting a non-confidential file available on the data store and storing the tagged file on the data store as an older version of the honeypot file.

17. The method of claim 2 wherein providing the honeypot file includes providing a crawler that traverses the enterprise network to locate documents having one or more properties suitable for use as the honeypot file.

18. The method of claim 2 further comprising modifying an access control list for the honeypot file to attract unauthorized, malicious users of the enterprise network by limiting the access control list to a small number of users.

19. A system comprising: a data store in an enterprise network; a central keystore for the enterprise network; and a threat management facility executing on a hardware processor and configured to obtain key material including a key pair having a private encryption key and a public decryption key for cryptographic handling of a file from the central keystore, to provide a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list, to cryptographically secure the honeypot file with the key material to provide a tagged file, to store the tagged file on the data store, to detect a retrieval of at least a portion of the key material from the central keystore, the retrieval associated with a decryption of the tagged file by a device, and to initiate a remedial action responsive to the decryption using the portion of the key material.
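The detection mechanism in the abstract and claims is a canary key: the honeypot file is useless without key material that only the central keystore holds, so every attempt to authenticate or decrypt it produces a keystore retrieval the defender can log and act on. The following stand-alone model is an added illustration, not code from the patent or its assignee. It uses an HMAC-SHA256 tag under a symmetric key so that it runs on the Python standard library alone, whereas the claims use an asymmetric key pair; the keystore, file names, device names and file contents are all constructed for the example. The detection and remedial logic (alert, quarantine of the requesting endpoint, retrieval log) is what the claims describe.

```python
"""Canary-key detection modelled on the honeypot-file scheme in the claims.

Simplification for a stand-alone example: an HMAC tag under a symmetric key
stands in for the patent's asymmetric key pair. The observable event is the
same: a device that wants to authenticate the tagged file must first ask the
central keystore for the key, and the keystore flags that request.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TaggedFile:
    """A file on the data store, carrying the id of the key that secures it."""
    name: str
    content: bytes
    key_id: str
    tag: bytes                                  # HMAC-SHA256 over the content
    acl: list = field(default_factory=list)     # e.g. ["Everyone"] as an attractive open ACL


@dataclass
class CentralKeystore:
    """Key management system: issues key material and watches who retrieves it."""
    keys: dict = field(default_factory=dict)           # key_id -> key bytes
    honeypot_ids: set = field(default_factory=set)     # key ids bound to honeypot files
    retrieval_log: list = field(default_factory=list)  # (device, key_id, flagged)
    alerts: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)

    def create_key(self, honeypot: bool = False):
        """Create key material; the threat management facility gets the key at
        creation time, so tagging the file does not itself show up as a retrieval."""
        key_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[key_id] = key
        if honeypot:
            self.honeypot_ids.add(key_id)
        return key_id, key

    def retrieve(self, key_id: str, device: str) -> bytes:
        """Serve a key to an endpoint; a honeypot key triggers the remedial action."""
        flagged = key_id in self.honeypot_ids
        self.retrieval_log.append((device, key_id, flagged))
        if flagged:
            self.alerts.append(f"honeypot key {key_id} retrieved by {device}")
            self.quarantined.add(device)   # claim 15: quarantine the endpoint
        return self.keys[key_id]


def tag_file(name: str, content: bytes, key_id: str, key: bytes, acl: list) -> TaggedFile:
    """Cryptographically secure a file (claim 5 style: a tag over the content)."""
    tag = hmac.new(key, content, hashlib.sha256).digest()
    return TaggedFile(name, content, key_id, tag, acl)


def authenticate(keystore: CentralKeystore, f: TaggedFile, device: str) -> bool:
    """What an endpoint decryption tool does (claim 10): fetch the key from the
    central keystore, then verify the tag. The fetch is the detectable event."""
    key = keystore.retrieve(f.key_id, device)
    expected = hmac.new(key, f.content, hashlib.sha256).digest()
    return hmac.compare_digest(expected, f.tag)


def demo() -> CentralKeystore:
    """Deploy one ordinary file and one honeypot file, then simulate two endpoints."""
    ks = CentralKeystore()
    # Ordinary file, narrow ACL, normal key.
    nid, nkey = ks.create_key()
    report = tag_file("report.docx", b"constructed ordinary content", nid, nkey, ["alice"])
    # Honeypot: non-confidential content, open ACL, key marked in the keystore.
    hid, hkey = ks.create_key(honeypot=True)
    decoy = tag_file("salaries_2017_old.xlsx", b"constructed non-confidential content",
                     hid, hkey, ["Everyone"])
    authenticate(ks, report, "ws-042")   # legitimate use: no alert
    authenticate(ks, decoy, "ws-077")    # touches the decoy: alert + quarantine
    return ks
```

The point of routing the check through the keystore rather than the file server is that the file's location no longer matters: a copy exfiltrated to another host, opened from a backup, or read through a different share still has to come back to the keystore for its key, and that request carries the requesting device's identity.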
using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Network security protocols · CPC title
involving event detection and direct action · CPC title
Event detection, e.g. attack signature detection · CPC title