

Title:
NETWORK SURVEILLANCE SYSTEM
Document Type and Number:
WIPO Patent Application WO/2020/069741
Kind Code:
A1
Abstract:
A network surveillance system (10), comprising: a deception environment (12) comprising at least one decoy system (16); and a deception backend system (14), the deception backend system (14) being in communication connection with the deception environment (12) via a messaging communication layer (30); wherein the deception environment (12) further comprises a monitor and report function for processing and forwarding system activity information to the deception backend system (14) via the messaging communication layer (30); and a system manipulation function for executing deception commands received from the deception backend system (14) via the messaging communication layer (30).

Inventors:
KRAVITZ AVI (AT)
PACHER PATRICK (AT)
SCHILDENDORFER BERNHARD (AT)
Application Number:
PCT/EP2018/076961
Publication Date:
April 09, 2020
Filing Date:
October 04, 2018
Assignee:
CYBERTRAP SOFTWARE GMBH (AT)
International Classes:
H04L29/06
Domestic Patent References:
WO2018025157A1 (2018-02-08)
WO2017013589A1 (2017-01-26)
WO2016199120A1 (2016-12-15)
Foreign References:
US8549643B1 (2013-10-01)
US20150121529A1 (2015-04-30)
Attorney, Agent or Firm:
GLAWE DELFS MOLL PARTNERSCHAFT MBB VON PATENT- UND RECHTSANWÄLTEN (DE)
Claims

1. A network surveillance system (10), comprising: a deception environment (12) comprising at least one decoy system (16); and a deception backend system (14), the deception backend system (14) being in communication connection with the deception environment (12) via a messaging communication layer (30); wherein the deception environment (12) further comprises a monitor and report function for processing and forwarding system activity information to the deception backend system (14) via the messaging communication layer (30); and a system manipulation function for executing deception commands received from the deception backend system (14) via the messaging communication layer (30).

2. The network surveillance system (10) of claim 1, wherein the messaging communication layer (30) is a messaging protocol layer.

3. The network surveillance system (10) of claim 1 or 2, wherein the deception commands are transmitted via a remote administration protocol.

4. The network surveillance system (10) of any one of claims 1 to 3, wherein the deception environment (12) comprises a userland agent (22) designed to process and forward system activity information and/or to support system manipulation on the basis of deception commands.

5. The network surveillance system (10) of any one of claims 1 to 4, wherein the deception environment (12) comprises a kernel driver (20) designed to perform system and application activity monitoring.

6. The network surveillance system (10) of any one of claims 1 to 5, wherein the deception backend system (14) is designed to generate one or more deception commands in reaction to deception system activity information received via the messaging communication layer (30).

7. The network surveillance system (10) of claim 6, wherein the deception backend system (14) is designed to transmit the generated deception command to the deception environment (12).

8. The network surveillance system (10) of claim 6 or 7, wherein the deception environment (12) is designed to receive and execute the generated deception command.

9. A method of network surveillance, comprising: providing within a computer network a deception environment (12) comprising at least one decoy system (16) designed to attract an attacker; detecting system activity in the at least one decoy system (16) caused by an attacker; transmitting the detected system activity to a deception backend system (14) within the computer network via a messaging communication layer (30); receiving in the deception environment (12) deception commands generated by the deception backend system (14); and executing the received deception commands by means of a manipulation function within the deception environment (12).

10. The method of claim 9, wherein the messaging communication layer (30) is a messaging protocol layer.

11. The method of claim 9 or 10, wherein the deception commands are transmitted via a remote administration protocol.

12. The method of any one of claims 9 to 11, wherein the deception environment (12) comprises a userland agent (22) designed to process and forward system activity information and/or to support system manipulation on the basis of deception commands.

13. The method of any one of claims 9 to 12, wherein the deception environment (12) comprises a kernel driver (20) designed to perform system and application activity monitoring.

14. The method of any one of claims 9 to 13, wherein one or more deception commands are generated in reaction to deception system activity information received via the messaging communication layer (30).

15. The method of claim 14, wherein the generated deception command is transmitted to the deception environment (12).

16. The method of claim 14 or 15, wherein the generated deception command is received and executed in the deception environment (12).

17. A computer program product with a computer-readable medium and a computer program stored on the computer-readable medium with program coding means which are suitable for carrying out a method according to any one of claims 9 to 16 when the computer program is run on a computer, particularly a network surveillance system.

18. A computer program with program coding means which are suitable for carrying out a method according to any one of claims 9 to 16 when the computer program is run on a computer, particularly a network surveillance system.

19. A computer-readable medium with a computer program stored thereon, the computer program comprising program coding means which are suitable for carrying out a method according to any one of claims 9 to 16 when the computer program is run on a computer, particularly a network surveillance system.

Description:
NETWORK SURVEILLANCE SYSTEM

Field of the invention

[0001] The present invention relates to the technical field of network surveillance to detect computer network attacks.

Description of the Related Art

[0002] It is known in the field to provide within regular corporate computer networks a system for network surveillance to detect attackers. One of the most prominent threats that organizations face is a targeted attack; i.e., an individual or group of individuals that attacks the organization for a specific purpose, such as stealing data, using data and systems, modifying data and systems, and sabotaging data and systems. Targeted attacks are carried out in multiple stages, typically including inter alia reconnaissance, penetration, lateral movement and payload. Lateral movement involves orientation, movement and propagation, and includes establishing a foothold within the organization and expanding that foothold to additional systems within the organization.

[0003] In order to carry out the lateral movement stage, an attacker, whether a human being who is operating tools within the organization's network, or a tool with "learning" capabilities, learns information about the environment it is operating in, such as network topology and organization structure, learns "where can I go from my current step" and "how can I go from my current step (e.g. required privileges)", and learns implemented security solutions, and then operates in accordance with that data. One method to defend against such attacks, termed "honeypots", is to plant and monitor misleading information / decoys / baits, with the objective of the attacker learning of their existence and then consuming those bait resources, and to notify an administrator of the malicious activity.

[0004] Conventional honeypot systems operate by monitoring access to a supervised element in a computer network. Access monitoring generates many false alerts, caused by non-malicious access from automatic monitoring systems and by user mistakes. Conventional systems try to mitigate this problem by adding a level of interactivity to the honeypot, and by performing behavioral analysis of suspected malware.

[0005] An advanced attacker may use different attack techniques to enter a corporate network and to move laterally within the network in order to reach his resource goals. The advanced attacker may begin with a workstation, server or any other network entity to start his lateral movement. He uses different methods to enter the first network node, including inter alia social engineering, an existing exploit and/or vulnerability that he knows how to exercise, and a Trojan horse or any other malware allowing him to control the first node. Once an attacker has taken control of a first node in a corporate network, he uses different advanced attack techniques for orientation and propagation and for the discovery of additional ways to reach other network nodes in the corporate network. Attacker movement from node to node is performed via an "attack vector", which is an object in memory or storage of a first computer that may be used to access a second computer. Attack vectors may also be known software/hardware vulnerabilities or even zero-day exploits.

[0006] WO 2016/199120 A1 discloses a network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to the deception management server.

Summary of the Invention

[0007] Based on this, the invention proposes a network surveillance system with the features of claim 1 and a method of network surveillance with the features of claim 9.

[0008] According to the invention, a network surveillance is provided which allows for a dynamic adaptation of the deception environment in order to keep an attacker who has intruded into the deception system busy. This is achieved by implementing a bidirectional communication between the deception environment and a deception backend system. According to the invention, the backend system actively generates, in reaction to detected attacker actions, deception commands to be executed by the deception environment.

[0009] The invention therefore makes it possible to simulate supposedly real user activities in the deception environment in order to deceive the attacker and keep him busy for a long-lasting period.

[0010] The invention also covers a computer program with program coding means which are suitable for carrying out a method according to the invention as described above when the computer program is run on a computer. The computer program itself as well as stored on a computer-readable medium is claimed.

[0011] Further features and embodiments of the invention will become apparent from the description and the accompanying drawings.

[0012] It will be understood that the features mentioned above and those described hereinafter can be used not only in the combination specified but also in other combinations or on their own, without departing from the scope of the present invention.

[0013] The invention is schematically illustrated in the drawings by means of an embodiment by way of example and is hereinafter explained in detail with reference to the drawings. It is understood that the description is in no way limiting on the scope of the present invention and is merely an illustration of a preferred embodiment of the invention.

Brief description of the Drawings

[0014] In the drawings,

Figure 1 is a schematic block diagram of a network surveillance system of the invention;

Figure 2 is a scheme illustrating the basic workflow of the network surveillance remote administration of the invention;

Figure 3 is a scheme illustrating the remote administration deception command execution of the invention;

Figure 4 is a scheme illustrating the alert detection and notification process of the invention; and

Figure 5 shows a deception on demand scheme of the invention.

Detailed Description

[0015] Figure 1 is a highly schematic block diagram illustrating a network surveillance system 10 of the invention. The network surveillance system 10 is intended to be integrated into an existing regular network system, e.g. a corporate network (not shown). The regular or corporate network may be connected to the external internet and may comprise, for example, in a known manner, resources including computers, databases, switches and routers, and mobile devices such as smart phones and tablets, as well as monitors, printers, other types of network elements such as relays, and any Internet of Things objects etc.

[0016] Access to the computers and servers in the regular network may optionally be governed by an access governor, such as a directory service, that authorizes users to access computers and databases based on "credentials". The access governor may be one or more local machine access controllers, or may be one or more authorization servers, such as a database server or an application server.

[0017] In addition to the known resources of a regular company/enterprise network, the invention provides for a network surveillance system 10 as depicted schematically in Figure 1. The network surveillance system 10 of the invention comprises a deception environment 12 and a deception backend system 14 (hereinafter "backend" for short).

[0018] The deception environment 12 comprises at least one decoy system 16 (in practice it would comprise a multitude of decoy systems; for illustration, two decoy systems 16 are depicted in the drawing of Figure 1). Each decoy system 16 (or "decoy" for short) can be realized either as actual hardware or as a virtualized machine (VM) and is accessible within the regular system by attack vectors. Its aim is to provide a fake environment for a potential attacker in order to keep the attacker occupied and away from the real enterprise network. Attackers can be baited into the environment e.g. by using exposed and vulnerable services and lures placed on production systems. A decoy (system) according to the invention thus is a fully working network node (a "real" computer with a "real" operating system etc.) that deliberately exposes certain vulnerabilities or ways to get infected by an attacker. The aim is thus, as already known from the prior art, to deliberately let an attacker into the system, but with the difference that, in connection with the messaging communication layer as described in more detail below, the decoy can directly react in response to actions of an attacker by generating virtual objects the attacker is seeking to discover, such as fake documents (that look real to an outsider), preferably with tracking elements (for tracing stolen documents).

[0019] To this end, each decoy 16 implements an agent software 18 which contains a kernel application 20 called the kernel monitoring driver, and a so-called userland agent software 22. The agent software 18 may be implemented in the operating system as a layer of its own. The agent software 18 is designed to perform monitoring of the deception environment activity and manipulation of the system and its services/applications as will be described in more detail below.

[0020] The deception environment 12 is in communication connection with the backend 14 by means of a messaging communication layer 30. The messaging communication layer 30 can be implemented as a messaging protocol, such as AMQP (Advanced Message Queuing Protocol). The messaging communication layer 30 provides a publish/subscribe messaging protocol that is used for the communication between the deception environment 12/decoys 16 and the backend 14. The messaging protocol is used by the event protocol (Monitoring Events) and the remote administration protocol 32.

[0021] The userland agent 22 can be a platform-agnostic userland application that processes and forwards system activity events to the deception backend 14. To this end it uses the above-described messaging protocol (AMQP) of the messaging communication layer 30. The userland agent 22 further supports direct system manipulation (including OS-level configuration and service/application installation and management) as will be described in more detail further below.

[0022] The kernel driver 20 performs system and application activity monitoring including IO/filesystem activity, process and thread activity, network communications and registry manipulations. The kernel driver 20 further communicates with the userland agent 22 using known communication techniques (IOCTL, device files, ...). The kernel driver 20 can also provide an RPC (Remote Procedure Call) like interface that is exposed to the userland agent 22 only. The userland agent 22 is monitored in the kernel space/kernel driver 20. The monitoring level is hidden from the attacker by means of e.g. a hiding component as known to the skilled person.

[0023] The deception backend 14 is designed to be responsible for processing incoming system activity events (as sent by the agent 18/decoy 16 via the messaging communication layer 30), alert detection and notification/reporting as well as managing the deception environment including OS-, service- and data-level configuration and provisioning of the decoys 16. The deception backend 14 can also be capable of dynamically generating lures/baits that trap attackers into the deception environment 12. The deception backend 14 may run on-premise or as a cloud-native application. The architecture can be modelled around a micro-service concept.

[0024] For external communication purposes, the backend 14 may further comprise an administrator or web interface 40 (cf. also Figure 2).

[0025] According to the invention, the network surveillance system 10 comprises a monitor and report function. To this end, the deception environment activity is monitored by the kernel monitoring driver 20 and sent to the deception backend 14 by the userland agent 22. In the course of the further description, the activities monitored are referred to as events, which are preferably continuously forwarded to the deception backend 14 for further analysis, alert detection, reporting and possible further activities as will be described in more detail further below.

[0026] On top of the messaging communication layer 30, a remote administration protocol 32 is implemented as an application level protocol. The remote administration protocol 32 enables the deception backend 14 to reconfigure the decoys 16, install/manage applications and services, execute arbitrary commands and populate the file system with generated data on the decoys 16. The remote administration protocol 32 provides the base for automatic and intelligent counter-measures, automatic Deception on Demand as well as permutation of the deception environment (cf. further below).
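Paragraphs [0020], [0021] and [0026] describe the traffic between decoys and backend only as publish/subscribe messaging with an administration protocol layered on top. The following Python model is an added illustration and not code from the patent or from CyberTrap: it shows the two directions of traffic as routing keys on an in-memory stand-in for an AMQP topic exchange, and it adds the check a practitioner would want before a backend is allowed to execute arbitrary commands on decoys and before events from a decoy that an attacker controls are trusted, namely an HMAC-authenticated envelope with a per-decoy key and a sequence number so that forged and replayed messages are dropped. The routing-key layout, the field names and the shared secret are assumptions; the patent does not specify message authentication.

```python
import hashlib
import hmac
import json


class TopicExchange:
    """In-memory stand-in for an AMQP topic exchange (routing-key matching only).

    As in AMQP 0-9-1 topic exchanges, '*' matches exactly one dot-separated
    word and '#' matches zero or more words.
    """

    def __init__(self):
        self._bindings = []  # list of (pattern_words, callback)

    def bind(self, pattern, callback):
        self._bindings.append((pattern.split("."), callback))

    @staticmethod
    def matches(pattern, key):
        if not pattern:
            return not key
        if pattern[0] == "#":
            return any(TopicExchange.matches(pattern[1:], key[i:])
                       for i in range(len(key) + 1))
        if not key:
            return False
        if pattern[0] in ("*", key[0]):
            return TopicExchange.matches(pattern[1:], key[1:])
        return False

    def publish(self, routing_key, message):
        """Deliver to every matching binding; return the number of deliveries."""
        key = routing_key.split(".")
        delivered = 0
        for pattern, callback in self._bindings:
            if self.matches(pattern, key):
                callback(routing_key, message)
                delivered += 1
        return delivered


class AuthenticatedChannel:
    """Seal and open protocol messages with a per-sender HMAC-SHA256 key.

    The decoy->backend event stream and the backend->decoy command stream use
    the same envelope. A strictly increasing per-sender sequence number lets
    the receiver reject replays of captured messages. Key provisioning is
    assumed to happen out of band when a decoy is deployed.
    """

    def __init__(self, secrets):
        self.secrets = secrets  # {sender_id: key bytes}
        self.last_seq = {}      # {sender_id: highest accepted sequence number}

    @staticmethod
    def _mac(key, sender, seq, body):
        data = json.dumps({"s": sender, "n": seq, "b": body},
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def seal(self, sender, seq, body):
        return {"sender": sender, "seq": seq, "body": body,
                "mac": self._mac(self.secrets[sender], sender, seq, body)}

    def open(self, msg):
        """Return (body, "ok"), or (None, reason) for anything that must be dropped."""
        sender = msg.get("sender")
        key = self.secrets.get(sender)
        if key is None:
            return None, "unknown sender"
        expected = self._mac(key, sender, msg.get("seq"), msg.get("body"))
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return None, "bad mac"
        seq = msg.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(sender, 0):
            return None, "replay"
        self.last_seq[sender] = seq
        return msg["body"], "ok"


def run_demo():
    """Constructed traffic: a genuine event, a tampered copy and a verbatim replay."""
    secrets = {"decoy-16a": b"assumed-shared-secret-for-decoy-16a"}
    exchange = TopicExchange()
    backend_inbox = AuthenticatedChannel(secrets)
    outcomes = []
    # The backend subscribes to every event routing key of every decoy.
    exchange.bind("events.#", lambda rk, m: outcomes.append(backend_inbox.open(m)[1]))

    decoy = AuthenticatedChannel(secrets)
    event = decoy.seal("decoy-16a", 1,
                       {"type": "file_open", "path": "C:\\Finance\\Q3-forecast.xlsx"})
    exchange.publish("events.decoy-16a.file", event)      # genuine       -> "ok"
    tampered = dict(event, body={"type": "file_open", "path": "/etc/passwd"})
    exchange.publish("events.decoy-16a.file", tampered)   # MAC mismatch  -> "bad mac"
    exchange.publish("events.decoy-16a.file", event)      # captured copy -> "replay"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the exchange would be a broker such as RabbitMQ and the per-decoy secret could be replaced by TLS client certificates on the broker connection; the sequence-number check stays useful either way, because a decoy is by design a machine the attacker has compromised, and anything it sends must be treated as attacker input.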

[0027] In the depicted embodiment, the backend 14 comprises a multitude of modules, namely an alert detection module, an event processing module, a decoy management module, a service/lure management module, a reporting/alerting module, and a remote administration module. There can, of course, be a far higher number of various services implemented in the backend 14.

[0028] Figure 2 illustrates a basic workflow scheme of the remote administration of the invention in the network surveillance system 10 of Figure 1.

[0029] The scheme of Figure 2 shows the interaction between three operative locations of the network surveillance system 10, including an interface 40 for user communication, shown as vertical streams with horizontal arrows indicating the flow direction (of data/signals/communication).

[0030] A user (security administrator) submits at S210 via the administrator/web interface 40 a request for a certain action to the deception backend 14 which, at S220, receives that request and looks up the command definition matching the request, e.g. in a stored table or by means of an "intelligent" algorithm. The deception backend 14 then initiates the command execution at S222 on the decoys 16 via the remote administration protocol 32. The decoy 16 receives the command request at S230 and executes the corresponding command handler at S234.

[0031] In case the user performs an additional command input at S212, the backend 14 receives that additional input and forwards it to the decoy 16 (at S224). The decoy 16 receives the additional command input at S232 and executes the corresponding command handler at S234.

[0032] The result of the command action is then streamed from the decoy 16 to the backend 14 at S236, i.e. transmitted regularly or continuously. The backend 14 receives the result at S226, and then may wait for the execution to finish before it returns the final result(s) to the administrator via interface 40 where they are displayed at S214. Alternatively, the results may be looped through by the backend to the administrator. In addition, the backend 14 may store the result(s) e.g. in a suitable memory module or database for later investigation/auditing at S228. The backend 14 may also perform checking functions and/or validations or the like of the received results.

[0033] Figure 3 illustrates the deception command execution of the remote administration according to the invention in more detail.

[0034] As already laid out above, the deception backend 14 sends a command request to the decoy 16 at S222 via the remote administration protocol 32, and the decoy 16 receives that command request at S230 on the level of the userland agent 22. As depicted in Figure 3, one or more execution engines 24.1, 24.2, ... (two shown in Figure 3 for exemplary purposes) are provided between the userland agent 22 and the kernel driver 20. The execution engines 24.1, 24.2, ... may, for example, be embedded into the userland agent 22.

[0035] The remote administration protocol 32 may support different command languages that can be executed by the various corresponding execution engines 24.1, 24.2, .... Some examples include Lua, a domain-specific language, or common scripting environments like Bash/PowerShell. The userland agent 22 then selects and/or spawns the appropriate execution engine 24 at S233. The selected execution engine 24 may then request the kernel driver to execute the command at S234. The result of the command action is then handed back to the userland agent 22 (as indicated by the double arrows in Figure 3) in order to be streamed back to the deception backend 14 at S236 as already explained above.

[0036] The userland agent 22 may for example comprise a "forensic alert module" which is designed to transmit detected system activity to the deception backend 14 which in turn analyses the detected activity to identify alerts (such as processes, certain file accesses, registry manipulations, etc.). To this end, the backend 14 may comprise an alert detection module as shown in Figure 1.

[0037] Figure 4 is a scheme illustrating the alert detection and notification workflow of the invention.

[0038] In case an attacker has landed in the decoy system 16 and is unfolding activities there, these malicious activities are detected and forwarded by the decoy's agent 18 at S410 via "Monitoring Events" of the messaging protocol 30 to the deception backend 14. The deception backend 14 receives the system activities at S420 and processes the detected event at S422. This may comprise rule review and validation, including filtering to eliminate standard processes.

[0039] Each event is processed and enriched with metadata (S424). Examples of metadata that may be attached are DNS PTR records (reverse DNS), the process relationship (the process that caused the monitored activity/event), IP addresses, various file hashes (e.g. SHA256; collected by using the remote administration protocol) or an evilness score.

[0040] An alert detection is then performed at S426. The alert detection can be performed on the basis of (static) rules or (dynamic) algorithms and/or with the aid of artificial intelligence. A corresponding notification is then sent out at S428 to the administrator; this can be done for example by the web interface 40 or by other means like email or a SIEM (security information and event management) system. The administrator receives the notification at S430 and then may start forensic analysis at S432.
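Paragraphs [0038] to [0040] describe the backend side as filter (S422), enrich (S424), detect (S426) and notify (S428) without showing what a rule or an enrichment looks like. The following Python pipeline is an added illustration, not code from the patent or from CyberTrap, run over a handful of constructed monitoring events: it drops events from processes on an allowlist of expected decoy housekeeping, enriches the remainder with a parent-process chain, a SHA256 hash of the touched file's content and a reverse-DNS name from a small constructed table, sums a score from static rules and raises alerts above a threshold. The process table, files, PTR table, rules, scores and threshold are all assumptions; the patent only names the metadata kinds and an "evilness score".

```python
import hashlib

# Constructed sample data standing in for the kernel driver's process table,
# the decoy's files (hashes are computed from content, not pasted) and reverse
# DNS answers. None of this is real telemetry.
PROCESSES = {
    1: {"name": "init", "ppid": 0},
    400: {"name": "sshd", "ppid": 1},
    4120: {"name": "bash", "ppid": 400},
    4131: {"name": "find", "ppid": 4120},
    4140: {"name": "mimikatz.exe", "ppid": 4120},
    900: {"name": "cron", "ppid": 1},
    901: {"name": "logrotate", "ppid": 900},
}
FILES = {
    "/home/finance/payroll_2018.xlsx": b"constructed decoy document content",
    "/var/log/syslog.1": b"Oct  4 03:00:01 decoy logrotate[901]: rotated",
}
PTR = {"10.0.5.23": "ws-finance-07.corp.example", "10.0.9.9": None}

# Housekeeping the decoy performs on its own; its events are filtered out (S422).
BENIGN_PROCESSES = {"cron", "logrotate"}

# Static detection rules (S426): (predicate over an enriched event, score, label).
RULES = [
    (lambda e: e["type"] == "file_read" and e.get("path", "").startswith("/home/finance/"),
     40, "decoy document accessed"),
    (lambda e: e["type"] == "process_start" and e["process"] == "mimikatz.exe",
     80, "credential tool launched"),
    (lambda e: e["type"] == "network_connect" and e.get("rdns") is None,
     20, "connection to host without PTR record"),
    (lambda e: "sshd" in e["ancestry"] and e["type"] != "network_connect",
     10, "activity under interactive SSH session"),
]
ALERT_THRESHOLD = 30


def ancestry(pid):
    """Parent chain for enrichment (S424); tolerates unknown pids and cycles."""
    chain, seen = [], set()
    while pid in PROCESSES and pid not in seen:
        seen.add(pid)
        chain.append(PROCESSES[pid]["name"])
        pid = PROCESSES[pid]["ppid"]
    return chain


def enrich(event):
    e = dict(event)
    e["process"] = PROCESSES.get(event["pid"], {}).get("name", "?")
    e["ancestry"] = ancestry(event["pid"])
    if "path" in event:
        content = FILES.get(event["path"])
        e["sha256"] = hashlib.sha256(content).hexdigest() if content is not None else None
    if "dst_ip" in event:
        e["rdns"] = PTR.get(event["dst_ip"])
    return e


def process_events(events):
    """Filter, enrich and score a stream of events; return (alerts, dropped_count)."""
    alerts, dropped = [], 0
    for ev in events:
        if PROCESSES.get(ev["pid"], {}).get("name") in BENIGN_PROCESSES:
            dropped += 1
            continue
        e = enrich(ev)
        hits = [(label, score) for rule, score, label in RULES if rule(e)]
        e["evilness"] = sum(score for _, score in hits)
        if e["evilness"] >= ALERT_THRESHOLD:
            alerts.append({"pid": ev["pid"], "process": e["process"], "score": e["evilness"],
                           "reasons": [label for label, _ in hits],
                           "sha256": e.get("sha256"), "ancestry": e["ancestry"]})
    return alerts, dropped


SAMPLE_EVENTS = [  # constructed stream as forwarded by the decoy agent at S410
    {"type": "file_read", "pid": 901, "path": "/var/log/syslog.1"},
    {"type": "file_read", "pid": 4131, "path": "/home/finance/payroll_2018.xlsx"},
    {"type": "process_start", "pid": 4140},
    {"type": "network_connect", "pid": 4120, "dst_ip": "10.0.9.9", "dst_port": 445},
    {"type": "network_connect", "pid": 4120, "dst_ip": "10.0.5.23", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in process_events(SAMPLE_EVENTS)[0]:
        print(alert["score"], alert["process"], alert["reasons"])
```

Two of the five constructed events become alerts (the decoy document read under an SSH session and the credential tool launch); the SMB connection to a host without a PTR record scores below the threshold on its own, which is the point of summing rule scores instead of alerting on any single match. The allowlist is keyed on process name only, so on a decoy that the attacker controls it should be treated as a noise filter, not as a trust decision.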

[0041] Figure 5 illustrates an embodiment of the so-called deception on demand workflow of the invention.

[0042] As before (cf. the description above with regard to Figure 4), the decoy 16 detects a continuous stream of activities at S410 and forwards them to the deception backend 14, where the activities are received (S420), processed (S422) and enriched with metadata (S424). In reaction to the detected event(s), the backend 14 then identifies a sequence of desired actions at S520 and generates corresponding remote administration commands at S522 to be transmitted via the remote administration protocol 32 to the decoy 16. For example, an attacker is looking for a file/document bearing a certain name; in reaction to this detected action/event a command to generate a file with this name is generated and executed, filling the file with fake content and storing the file where the attacker may eventually find it. Further possibilities to keep the attacker occupied would comprise, inter alia, installing a given program/tool, starting a given service, etc.

[0043] The decoy 16 receives the commands at S510 and selects/spawns an appropriate execution engine (cf. the description above in connection with Figure 3). Command results are gathered and streamed back to the deception backend 14 at S512. The deception backend 14 receives the command results and waits for the actions to complete before a final result may be displayed to the user (cf. steps S226/S214 of Figure 2). Again, as in step S228 of Figure 2, the results may be stored for later investigation/auditing (not shown in Figure 5).

[0044] The main purpose of the above-illustrated method "Deception on Demand" is to dynamically adapt the deception environment to further attract the attacker's attention and lure him deeper into the deception environment of the decoy 16 (thus avoiding harm to actual production systems). The basic concept of "Deception on Demand" is based on the monitored system activity and the remote administration protocol 32. If the deception backend 14 identifies some attacker activity, it will try to dynamically update the decoys 16 within the deception environment 12 to behave more like what the attacker seems to expect. Some examples include dynamically generating files with fake information based on what the attacker searches for, installing new services when e.g. a network/port scan is detected, or dynamically creating users or placing credentials into the memory/credential store of the decoys 16.
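The remote administration workflow of [0030] to [0035] (request, command lookup, engine selection, streamed results, audit) and the deception-on-demand reaction of [0042] to [0044] are the two halves of one loop. The following Python model, added here as an illustration and not code from the patent or from CyberTrap, runs that loop in memory: a backend planner maps constructed events (a file search, a port scan, a credential enumeration) to command requests, the decoy's userland agent dispatches each request to a small domain-specific-language engine (one of the engine kinds named in [0035]), the engine streams result records back, and the backend stores them for auditing. The command vocabulary, the planning rules, the service and user names and the tracking marker written into the generated file are assumptions.

```python
import hashlib
import re


class DecoyState:
    """In-memory model of what the remote administration protocol changes on a decoy."""
    def __init__(self):
        self.files, self.services, self.users = {}, set(), set()


class DslEngine:
    """Execution engine for a tiny command language (one engine kind of [0035]).
    Each handler yields result records so the agent can stream them back as they
    are produced (S236/S512). Only the three listed ops exist."""
    def __init__(self, state):
        self.state = state
        self.handlers = {"create_file": self.create_file,
                         "start_service": self.start_service,
                         "add_user": self.add_user}

    def run(self, cmd):
        handler = self.handlers.get(cmd.get("op"))
        if handler is None:
            yield {"status": "error", "detail": "unknown op %r" % cmd.get("op")}
            return
        yield from handler(cmd)
        yield {"status": "done"}

    def create_file(self, cmd):
        if cmd["path"] in self.state.files:  # never clobber: the attacker may be watching it
            yield {"status": "skip", "detail": "exists: " + cmd["path"]}
            return
        self.state.files[cmd["path"]] = cmd["content"]
        yield {"status": "ok", "detail": "created " + cmd["path"]}

    def start_service(self, cmd):
        self.state.services.add(cmd["name"])
        yield {"status": "ok", "detail": "started " + cmd["name"]}

    def add_user(self, cmd):
        self.state.users.add(cmd["user"])
        yield {"status": "ok", "detail": "added user " + cmd["user"]}


class UserlandAgent:
    """Decoy side: receive a request (S230/S510), pick the engine by language (S233), stream results."""
    def __init__(self, engines):
        self.engines = engines  # {language: engine}

    def execute(self, request):
        engine = self.engines.get(request["language"])
        if engine is None:
            yield {"status": "error", "detail": "no engine for " + request["language"]}
            return
        yield from engine.run(request["command"])


class Backend:
    """Backend side: event -> command requests (S520/S522); collect streamed results (S226); audit (S228)."""
    SEARCH_PATTERN = re.compile(r"\*?([A-Za-z0-9_-]+)\*?\.(\w+)$")

    def __init__(self, agent):
        self.agent, self.audit = agent, []

    def plan(self, event):
        """Map one event to zero or more command requests (these rules are assumptions)."""
        cmds = []
        if event["type"] == "file_search":
            m = self.SEARCH_PATTERN.search(event["pattern"])
            if m:
                name, ext = m.groups()
                token = hashlib.sha256(name.encode()).hexdigest()[:8]  # hypothetical tracking marker
                cmds.append({"language": "dsl", "command": {
                    "op": "create_file", "path": "%s/%s.%s" % (event["directory"], name, ext),
                    "content": "CONFIDENTIAL draft %s (tracking:%s)" % (name, token)}})
        elif event["type"] == "port_scan":
            for port, svc in ((445, "smb"), (3389, "rdp")):
                if port in event["ports"]:
                    cmds.append({"language": "dsl", "command": {"op": "start_service", "name": svc}})
        elif event["type"] == "credential_enum":
            cmds.append({"language": "dsl", "command": {"op": "add_user", "user": "svc_backup"}})
        return cmds

    def react(self, event):
        """Run the full loop for one event; return [(op, final status), ...]."""
        summary = []
        for req in self.plan(event):
            chunks = list(self.agent.execute(req))
            self.audit.append({"request": req, "chunks": chunks})
            summary.append((req["command"]["op"], chunks[-1]["status"]))
        return summary


def demo():
    """Constructed event stream; returns per-event summaries and the resulting decoy state."""
    state = DecoyState()
    backend = Backend(UserlandAgent({"dsl": DslEngine(state)}))
    events = [
        {"type": "file_search", "pattern": "*salary*.xlsx", "directory": "/srv/share/hr"},
        {"type": "port_scan", "ports": [22, 445, 3389]},
        {"type": "file_search", "pattern": "*salary*.xlsx", "directory": "/srv/share/hr"},
        {"type": "credential_enum", "tool": "lsass_dump"},
        {"type": "logon", "user": "jdoe"},  # nothing is planned for this one
    ]
    return [backend.react(ev) for ev in events], state
```

Two details are deliberate. The DSL engine can only do what its three handlers allow, so a backend that has been tricked into reacting to attacker-controlled input (the search pattern is attacker input) cannot be turned into a shell on the decoy the way a Bash or PowerShell engine could; and create_file refuses to overwrite an existing path, so the repeated search in the third event does not visibly rewrite a file the attacker may already have opened.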

[0045] Another aspect of the invention is called "permutation". Similar to the above-described method of "Deception on Demand", permutation is also based on the remote administration protocol. Its purpose is to make decoys 16 look real and to avoid fingerprinting (means to identify decoys 16 based on collected, static information) by regularly changing how the decoys' visible surfaces (e.g. IP addresses, hostname, MAC addresses, installed and exposed services) look. In order to simulate real user activity on the system, it may also randomly change the access and modification timestamps of files, delete them, create new ones or launch common programs (e.g. an office suite for writing documents or a browser for web access). In order to achieve this, the backend 14 actively generates commands that are suitable to simulate "real" user behaviour.
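Paragraph [0045] lists what permutation changes (IP and MAC addresses, hostname, exposed services, file timestamps, launched programs) but not how the backend should choose the new values, and a careless choice is itself a fingerprint. The following Python helper is an added illustration, not the patent's or CyberTrap's code, of a planner for one permutation round: it derives the new surface deterministically from the decoy id and a rotation epoch, keeps the MAC inside the OUI range of the hardware the decoy claims to be and checks that it is a unicast address, and jitters file timestamps into weekday working hours so that the simulated user activity looks like a person rather than a cron job. The naming convention, site and role names, OUI prefixes (the two listed are VMware ranges), service pool and program list are assumptions.

```python
import random
from datetime import datetime, timedelta

# Placeholders for illustration: an assumed corporate naming convention, OUI
# prefixes matching the hardware the decoys claim to be (both are VMware OUIs,
# so a VM-based decoy does not contradict its own MAC), and a service pool.
HOSTNAME_PATTERN = "{site}-{role}{num:03d}"
SITES, ROLES = ["vie", "gra", "lnz"], ["ws", "fs", "db"]
OUI_PREFIXES = ["00:50:56", "00:0c:29"]
SERVICE_POOL = [("ssh", 22), ("http", 80), ("smb", 445), ("mysql", 3306), ("rdp", 3389)]
DEMO_NOW = datetime(2018, 10, 4, 12, 0)  # constructed clock for the stand-alone run


def valid_unicast_mac(mac):
    """Check before sending set_mac: six octets, first octet's lowest bit clear."""
    octets = mac.split(":")
    return (len(octets) == 6 and all(len(o) == 2 for o in octets)
            and int(octets[0], 16) & 1 == 0)


def permute_surface(decoy_id, epoch):
    """New visible surface for one decoy in one rotation epoch.

    Deterministic in (decoy_id, epoch): the backend can reproduce what it sent
    without storing every command, and distinct decoys get distinct surfaces.
    """
    rng = random.Random("%s:%d:surface" % (decoy_id, epoch))
    hostname = HOSTNAME_PATTERN.format(site=rng.choice(SITES), role=rng.choice(ROLES),
                                       num=rng.randint(1, 999))
    tail = tuple(rng.randrange(256) for _ in range(3))
    mac = "%s:%02x:%02x:%02x" % ((rng.choice(OUI_PREFIXES),) + tail)
    services = sorted(rng.sample(SERVICE_POOL, rng.randint(1, len(SERVICE_POOL))),
                      key=lambda s: s[1])
    return {"hostname": hostname, "mac": mac, "services": services}


def jitter_timestamps(paths, now, decoy_id, epoch, days_back=30):
    """Plausible access/modification times: weekdays, 08:00-18:00, within the
    last days_back days, with atime never before mtime and never in the future."""
    rng = random.Random("%s:%d:ts" % (decoy_id, epoch))
    out = {}
    for path in sorted(paths):
        while True:
            mtime = now - timedelta(days=rng.randint(1, days_back),
                                    hours=rng.randint(0, 23), minutes=rng.randint(0, 59))
            if mtime.weekday() < 5 and 8 <= mtime.hour < 18:
                break
        atime = min(now, mtime + timedelta(minutes=rng.randint(0, 3 * 24 * 60)))
        out[path] = {"mtime": mtime, "atime": atime}
    return out


def build_permutation_commands(decoy_id, epoch, paths, now=None):
    """Commands for one permutation round as plain dicts. The wire encoding of the
    remote administration protocol is not given in the patent; this shape is assumed."""
    now = now or datetime.now()
    surface = permute_surface(decoy_id, epoch)
    assert valid_unicast_mac(surface["mac"])
    cmds = [{"op": "set_hostname", "value": surface["hostname"]},
            {"op": "set_mac", "value": surface["mac"]},
            {"op": "expose_services", "value": surface["services"]}]
    for path, ts in jitter_timestamps(paths, now, decoy_id, epoch).items():
        cmds.append({"op": "touch", "path": path,
                     "atime": ts["atime"].isoformat(), "mtime": ts["mtime"].isoformat()})
    rng = random.Random("%s:%d:ui" % (decoy_id, epoch))
    cmds.append({"op": "launch", "program": rng.choice(["soffice", "firefox", "thunderbird"])})
    return cmds


if __name__ == "__main__":
    for cmd in build_permutation_commands("decoy-16a", 7, ["/home/hr/payroll.xlsx"], DEMO_NOW):
        print(cmd)
```

Seeding from the decoy id and epoch rather than from the system clock is what makes the audit trail of [0032] cheap: the backend can regenerate any past round from two small values. The rotation interval itself is a tuning decision the patent leaves open; a surface that changes every few minutes is as recognisable as one that never changes.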

[0046] The invention thus provides a bidirectional communication between the deception environment 12 and the deception management backend 14 which allows the system to react directly, and without additional user intervention, to attacker actions, laying out baits and lures, i.e. generating a system environment that keeps the attacker occupied within the deception environment 12. Unlike the prior art, the invention thus offers a system and method that drives a dynamic deception environment, whereas the known systems present static machine appearances.