System and method for directing malicous activity to a monitoring system

摘要

A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system with the credentials and log entries on the client devices without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries to the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries is contained within the monitoring system and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems.

主权项

1. A method comprising:
accessing, by a client device, a service on a first server system; recording, by the client device in a memory device operably coupled thereto, a first record of the accessing of the service on the first server, the first record including an identifier of the first server system and a first description of the accessing of the service; receiving, by the client device, a second record referencing a second server system and a second description mimicking the first description, the second server system implementing services and monitoring functions operable to gather data with respect to unauthorized code accessing the second server system; recording, by the client device, the second record in the memory device; accessing, by the client device using a malicious code module one of accessing and executing on the client device, the second record; accessing, by the malicious code module executing on one of the client device and another device, the second server system using data contained in the second record; monitoring, by the second server, activities of the malicious code module with respect to the second server; and characterizing, by the second server system, the malicious code module according to the monitoring of the activities of the malicious code module; wherein accessing, by the client device, the service on the first server system comprises authenticating the client device with the service on the first server system; and wherein recording the first record in the memory device comprises receiving a first credential for automatically authenticating the client device with the service on the first server system and storing the first credential in the memory device; and wherein the second record is a second credential mimicking data contained in the first credential but referencing the second server.