Integrity, theft protection and cyber deception using a deception-based filesystem

US2021117543A1 · US · A1

Patent metadata
Publication number: US-2021117543-A1
Application number: US-201916718844-A
Country: US
Kind code: A1
Filing date: Dec 18, 2019
Priority date: Aug 31, 2017
Publication date: Apr 22, 2021
Grant date:

Abstract

Official abstract text for this publication.

A decoy filesystem that curtails data theft and ensures file integrity protection through deception is described. To protect a base filesystem, the approach herein involves transparently creating multiple levels of stacking to enable various protection features, namely, monitoring file accesses, hiding and redacting sensitive files with baits, and injecting decoys onto fake system views that are purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. In one implementation, a kernel hot-patch is used to seamlessly integrate the new filesystem module into live and existing environments.

First claim

Opening claim text (preview).

1. A method to protect a base filesystem against attack, comprising: deploying on a per-process basis one or more filesystem overlays, wherein a process associated to a particular filesystem overlay has a distinct view of the base filesystem that is computed as a union of the base filesystem and contents of the particular filesystem overlay; monitoring filesystem access activity to determine whether a process is trusted; and responsive to a determination that a process is not trusted, adjusting the contents of a filesystem overlay to protect the base filesystem from the untrusted process.

2. The method as described in claim 1 wherein adjusting the contents of a filesystem overlay includes one of: hiding base files of the base filesystem, modifying content of a base file by overlaying a different file with the same name, and injecting one or more new decoy files that are not present in the base filesystem.

3. The method as described in claim 1 wherein the filesystem overlays are deployed within mount namespaces associated with an operating system kernel.

4. The method as described in claim 3 further including assigning a process upon creation into a mount namespace according to a trust model.

5. The method as described in claim 1 wherein a process that is determined to be trusted is afforded full access to the base filesystem.

6. The method as described in claim 1 wherein monitoring filesystem access activity intercepts filesystem events to monitor file accesses.

7. An apparatus to protect a base filesystem against attack, comprising: a processor; computer memory holding computer program instructions executed by the processor, the computer program instructions configured to: deploy on a per-process basis one or more filesystem overlays, wherein a process associated to a particular filesystem overlay has a distinct view of the base filesystem that is computed as a union of the base filesystem and contents of the particular filesystem overlay; monitor filesystem access activity to determine whether a process is trusted; and responsive to a determination that a process is not trusted, adjust the contents of a filesystem overlay to protect the base filesystem from the untrusted process.

8. The apparatus as described in claim 7 wherein the computer program instructions configured to adjust the contents of a filesystem overlay perform one of: hiding base files of the base filesystem, modifying content of a base file by overlaying a different file with the same name, and injecting one or more new decoy files that are not present in the base filesystem.

9. The apparatus as described in claim 7 wherein the filesystem overlays are deployed within mount namespaces associated with an operating system kernel.

10. The apparatus as described in claim 9 wherein the computer program instructions are further configured to assign a process upon creation into a mount namespace according to a trust model.

11. The apparatus as described in claim 7 wherein a process that is determined to be trusted is afforded full access to the base filesystem.

12. The apparatus as described in claim 7 the computer program instructions that monitor filesystem access activity include computer program instructions configured to intercept filesystem events to monitor file accesses.

13. A computer program product in a non-transitory computer readable medium, the computer program product holding computer program instructions to protect a base filesystem from attack, the computer program instructions comprising program code configured to: deploy on a per-process basis one or more filesystem overlays, wherein a process associated to a particular filesystem overlay has a distinct view of the base filesystem that is computed as a union of the base filesystem and contents of the particular filesystem overlay; monitor filesystem access activity to determine whether a process is trusted; and responsive to a determination that a process is not trusted, adjust the contents of a filesystem overlay to protect the base filesystem from the untrusted process.

14. The computer program product as described in claim 13 wherein the computer program instructions configured to adjust the contents of a filesystem overlay perform one of: hiding base files of the base filesystem, modifying content of a base file by overlaying a different file with the same name, and injecting one or more new decoy files that are not present in the base filesystem.

15. The computer program product as described in claim 13 wherein the filesystem overlays are deployed within mount namespaces associated with an operating system kernel.

16. The computer program product as described in claim 15 wherein the computer program instructions are further configured to assign a process upon creation into a mount namespace according to a trust model.

17. The computer program product as described in claim 13 wherein a process that is determined to be trusted is afforded full access to the base filesystem.

18. The computer program product as described in claim 13 the computer program instructions that monitor filesystem access activity include computer program instructions configured to intercept filesystem events to monitor file accesses.
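
The mechanism in claims 1, 2 and 5, modeled in user space as an added example (not code from the patent or its assignee): each process sees the union of the base filesystem and its own overlay, and the overlay is adjusted by hiding, replacing and injecting files once the process is judged untrusted. The Guard class, the sample paths and the trust rule (a read of a sensitive path the process was not allowed at spawn) are assumptions made for illustration; the page does not state how trust is decided.

```python
HIDDEN = object()  # overlay marker: mask the base file of the same name

# Constructed sample data: path -> content of the protected base filesystem.
BASE = {
    "/etc/hostname": "db01",
    "/srv/payroll.csv": "alice,91000",
    "/home/app/.ssh/id_rsa": "REAL-KEY",
}
SENSITIVE = {"/srv/payroll.csv", "/home/app/.ssh/id_rsa"}  # assumed policy


class Guard:
    def __init__(self, base):
        self.base = base
        self.overlays = {}   # pid -> {path: content or HIDDEN}
        self.allowed = {}    # pid -> sensitive paths it may read (assumed trust model)
        self.untrusted = set()
        self.events = []     # (pid, path) access log

    def spawn(self, pid, allowed=()):
        self.overlays[pid] = {}          # each process starts with an empty overlay
        self.allowed[pid] = set(allowed)

    def view(self, pid):
        """Union of base and the process's overlay; overlay entries take precedence."""
        merged = dict(self.base)
        for path, content in self.overlays[pid].items():
            if content is HIDDEN:
                merged.pop(path, None)
            else:
                merged[path] = content
        return merged

    def read(self, pid, path):
        self.events.append((pid, path))  # monitoring hook on every access
        if path in SENSITIVE and path not in self.allowed[pid]:
            self._distrust(pid)          # decide before serving any data
        return self.view(pid).get(path)  # None models "no such file"

    def _distrust(self, pid):
        self.untrusted.add(pid)
        overlay = self.overlays[pid]
        overlay["/home/app/.ssh/id_rsa"] = HIDDEN        # hide a base file
        overlay["/srv/payroll.csv"] = "bait,00000"       # same name, bait content
        overlay["/srv/passwords.txt"] = "decoy-secret"   # decoy absent from base
```

Because the trust decision runs before the read is served, the untrusted process receives bait on its first out-of-policy access, while the base dictionary and every other process's view stay unchanged.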

Classifications

  • Detecting or preventing theft or loss · CPC title

  • Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title

  • G06F21/565 (Primary): by checking file integrity · CPC title

  • Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs · CPC title

  • Test or assess a computer or a system · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06F21/565. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 22, 2021 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).