Title of invention: Dynamic security sandboxing based on intruder intent
Abstract: A method of security sandboxing which may include detecting an illicit intrusion to a computer on a first computer system; cloning the intruded computer; directing all traffic from the illicit intrusion to the cloned computer; observing activities of the illicit intrusion interacting with the cloned computer; and dynamically adapting the cloned computer to perform activities of predicted interest to the illicit intrusion based on the observed activities of the illicit intrusion. The steps of the method may be performed by one or more computing devices.
Publication number: US9535731(B2) Publication date: 2017.01.03
Application number: US201414550321 Filing date: 2014.11.21
Applicant: International Business Machines Corporation Inventors: Ashley Paul A.;Butler Anthony M.;ElKeissi Ghada M.;Veliyathuparambil Leny
Classification: G06F11/00;G06F9/455;H04L29/06 Main classification: G06F11/00
Agency: Law Offices of Ira D. Blecker, P.C. Agent: Law Offices of Ira D. Blecker, P.C.
Main claim: 1. A method of security sandboxing comprising: detecting by a computer an illicit intrusion to the computer on a first computer system; responsive to detecting the illicit intrusion to the computer, cloning the computer to create a copy of the computer; redirecting all traffic from the illicit intrusion to the computer to the cloned computer while directing all traffic not from the illicit intrusion to the computer; observing activities of the illicit intrusion interacting with the cloned computer while directing all traffic not from the illicit intrusion to the computer; and dynamically adapting the cloned computer to perform activities of predicted interest to the illicit intrusion based on the observed activities of the illicit intrusion on the cloned computer while directing all traffic not from the illicit intrusion to the computer, wherein the computer is a virtual machine and the cloned computer is a cloned virtual machine, wherein responsive to activities of the illicit intrusion interacting with the cloned virtual machine, further comprising spawning additional virtual machines on the second computer system supplementing the cloned virtual machine to perform activities of predicted interest to the illicit intrusion, and wherein the steps of the method are performed by one or more computing devices.
Address: Armonk NY US