    1. DEPLOYING DECEPTION CAMPAIGNS USING COMMUNICATION BREADCRUMBS
    Invention application. Status: under examination (published)

    Publication number: WO2018025157A1

    Publication date: 2018-02-08

    Application number: PCT/IB2017/054650

    Application date: 2017-07-31

    Abstract: A computer implemented method of detecting unauthorized access to a protected network by detecting a usage of dynamically updated deception communication, comprising deploying, in a protected network, a plurality of decoy endpoints configured to transmit one or more communication deception data objects encoded according to one or more communication protocols used in the protected network, instructing a first decoy endpoint of the plurality of decoy endpoints to transmit the communication deception data object(s) to a second decoy endpoint of the plurality of decoy endpoints, monitoring the protected network to detect a usage of data contained in the one or more communication deception data objects, detecting one or more potential unauthorized operations based on analysis of the detection and initiating one or more actions according to the detection.


    2. SUPPLY CHAIN CYBER-DECEPTION
    Invention application. Status: under examination (published)

    Publication number: WO2017187379A1

    Publication date: 2017-11-02

    Application number: PCT/IB2017/052439

    Application date: 2017-04-27

    Abstract: A computer implemented method of detecting unauthorized access to a protected network from external endpoints, comprising monitoring, at a protected network, communication with one or more external endpoints using one or more access clients to access one or more of a plurality of resources of the protected network, where one or more deception resources created in the protected network map one or more of the plurality of resources, detecting usage of data contained in one or more of a plurality of deception data objects deployed in the one or more access clients by monitoring an interaction triggered by one or more of the deception data objects with the one or more deception resources when used and identifying one or more potential unauthorized operations based on analysis of the detection.


    3. EMPLOYING CODE SIGNING AS A TOOL IN CYBER-SECURITY DECEPTION
    Invention application. Status: under examination (published)

    Publication number: WO2017216735A1

    Publication date: 2017-12-21

    Application number: PCT/IB2017/053523

    Application date: 2017-06-14

    Abstract: A computer implemented method of detecting execution of unregistered code in a protected networked system, comprising maintaining a pages registry record in a storage of an endpoint in a protected networked system, the pages registry record comprising a registration signature for each of a plurality of registered executable pages, monitoring a plurality of executable pages at a page management level using an adjusted page fault handler of an operating system kernel executed by one or more processors of the endpoint, detecting one or more unregistered executable pages by identifying incompliance of a runtime signature calculated in runtime for the unregistered executable page(s) with respective registration signature stored in the pages registry record and initiating one or more actions in case of the detection of the unregistered executable page(s).


    4. DECOY AND DECEPTIVE DATA OBJECT TECHNOLOGY
    Invention application. Status: under examination (published)

    Publication number: WO2017013589A1

    Publication date: 2017-01-26

    Application number: PCT/IB2016/054306

    Application date: 2016-07-20

    CPC classification number: H04L63/1491 G06F21/554 H04L63/1425

    Abstract: A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating systems (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.

