Title of invention: MONITORING ACCESS OF NETWORK DARKSPACE
Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Dark space in a network (unused IP addresses, unused ports and absent applications, and invalid usernames and passwords) is consumed by a BotSink such that attempts to access Darkspace resources will be directed to the BotSink, which will engage the source host of such attempts.
Publication number: US2017026387(A1) Publication date: 2017.01.26
Application number: US201514805202 Filing date: 2015.07.21
Applicant: Attivo Networks Inc. Inventors: Vissamsetty Venu; Vissamsetti Srikant; Buruganahalli Shivakumar
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method for detecting unauthorized access of a network environment, the method comprising: monitoring, by a security computer system, access of authentically allocated network resources; detecting, by security computer system, one or more access requests referencing one or more dark space resources, the one or more dark space resources being network resources that have not been allocated authentically within the network environment; in response to detecting the one or more access requests— allocating, by security computer system, to a decoy system the one or more dark space resources; routing, by security computer system, at least one of the one or more access requests and a subsequent request referencing the one or more dark space resources to the decoy system; monitoring, by security computer system, actions taken on the decoy system responsive to the at least one of the one or more access requests and the subsequent request; determining, by security computer system, that the actions taken on the decoy system indicate malicious activity; in response to determining that the actions taken on the decoy system indicate malicious activity, instructing one or more computer systems of the network environment to block access by a source of the one or more access requests.
Address: Fremont CA US