Pre-Grant Publication Number: 20070208822
Please help the USPTO examine the application by evaluating the relevance of the publicly submitted prior art to the patent application.
Peer-to-Patent forwards the Top 10 most relevant prior art submissions and their annotations to the United States Patent and Trademark Office.

Prior Art Detail
Summary / Description
| Summary / Description | Honeyclients are systems that drive a piece of vulnerable client software to potentially malicious sites, and monitor system behavior for indicators of compromise. Each honeyclient is a virtual host, and drives applications such as web browsers to user-specified URLs, looking for signs of malicious behavior when accessing that URL. The malicious behavior is flagged via an integrity check capability, which monitors for changes in files, registry key values, and processes. Upon detection of suspicious behavior, the honeyclient virtual machine is suspended, a new clone is created, and the spidering process continues. |
Basic Information
| Type of Prior Art | Online Publication |
| URL | http://www.synacklabs.net/honey... |
| Author/Creator | Kathy Wang |
| Title | Using Honeyclients to Detect New Attacks |
| Publication Date | June 18, 2005 |
Excerpt
The file uploaded was the set of slides used to present honeyclient technology at RECon Conference in June of 2005. In those publicly-released slides, I talked about the implementation of the honeyclient prototype.
The source code for honeyclient technology is publicly available as well. The original prototype's source code is available here:
http://www.synacklabs.net/honeyclient/honeyclient-0.1.1.tar.gz
Since 2005, the honeyclient project team has developed many more capabilities, of which the most recent are available here:
http://www.honeyclient.org/trac/wiki/download
Relevance
Claims
1
A system comprising:
a browser that is capable of visiting network locations as represented by uniform resource locators (URLs); and
a browser-based vulnerability exploit detector that directs the browser to visit a given URL by making an information request to the given URL; the browser-based vulnerability exploit detector adapted to detect if the given URL accomplishes an exploit on the system after the browser makes the information request to the given URL.
Relevance
Honeyclient technology is prior art to honeymonkeys, and was publicly presented and released before the March 2006 patent filing date that Microsoft submitted.
Claim Chart
All
2
The system as recited in Claim 1, wherein the browser-based vulnerability exploit detector comprises a honey monkey module and a tracer module; and wherein the honey monkey module directs the browser to make the information request to the given URL, and the tracer module traces events that occur within the system after the information request is made.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) uses proxy and driver scripts in place of the 'honey monkey module' and 'tracer module'. The proxy script directs the browser to make an information request to a given URL, and the driver script conducts integrity checks on the host to detect changes (events) that occur within the system after the information request is made.
Claim Chart
All
3
The system as recited in Claim 2, wherein the tracer module produces a trace file that includes at least a list of URLs to which the browser is redirected.
Relevance
The honeyclient (version honeyclient-0.1.1) uses the driver in place of the 'tracer module' in the claim to create a list of internal and external URLs to direct the browser to visit.
Claim Chart
All
4
The system as recited in Claim 2, wherein the tracer module produces a trace file that includes at least a list of writes that occur outside a browser sandbox.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) uses the driver in place of the 'tracer module' to include a list of writes that occur outside the browser environment.
Claim Chart
All
10
One or more processor-accessible media comprising processor-executable instructions that, when executed, direct a device to perform actions comprising:
visiting a uniform resource locator (URL) of a parent list of redirection URLs;
producing a child list of redirection URLs from the action of visiting;
recursively visiting child URLs of the child list of redirection URLs to discover redirection relationships of the URLs that are visited; and
creating a graph that includes the URLs that are visited and that indicates the discovered redirection relationships.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) uses driver and proxy scripts to create internal and external URL lists upon visiting an initial URL. Each internal URL is visited (spidered) recursively, and upon completion, the next external URL is visited, etc.
Claim Chart
All
11
The one or more processor-accessible media as recited in Claim 10, comprising the processor-executable instructions that, when executed, direct the device to perform further actions comprising:
visiting a given URL;
monitoring URL redirections resulting from the action of visiting the given URL; and
tracing the monitored URL redirections to produce the parent list of redirection URLs.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) uses driver and proxy scripts to create internal and external URL lists upon visiting an initial URL. Each internal URL is visited (spidered) recursively, and upon completion, the next external URL is visited, etc.
Claim Chart
All
16
A method comprising:
requesting information from a targeted network location as represented by a uniform resource locator (URL);
receiving a response from the targeted URL;
tracing events that occur on a machine;
ascertaining if an illicit event occurred based on the traced events; and
determining that an exploit has been accomplished by the targeted URL if an illicit event is ascertained to have occurred.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) utilizes an algorithm comprising the following:
Creating a baseline of the state of the honeyclient host system.
Starting with an initial URL to visit (spider).
Receiving a list of external and internal URLs from that initial URL visited.
Checking to see if illicit events have occurred on the honeyclient host, based on comparison of current system state to baseline system state.
Determining the URL that caused the initial illicit event on the host system.
Claim Chart
Some
17
The method as recited in Claim 16, further comprising:
waiting a predetermined time period (i) between the receiving and the ascertaining or (ii) between the requesting and the ascertaining.
Relevance
The honeyclient prototype (version honeyclient-0.1.1) waits a pre-determined time period between making the URL requests, receiving URL data from the visited URL, and checking the system state in between URL requests/returns.
Claim Chart
All
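The baseline-and-compare loop described under Claims 16 and 17, as an added Python sketch that is not the honeyclient project's own code: it covers file changes only (not registry keys or processes), and the `visit` callable, the `settle` delay, the link graph and the file names are constructed assumptions standing in for the browser driver and a real host.

```python
import hashlib, tempfile, time
from pathlib import Path

def snapshot(root):
    """Integrity baseline: relative file path -> SHA-256 of its contents."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def diff(baseline, current):
    """Paths added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in common if baseline[k] != current[k])}

def crawl(start_url, visit, root, settle=0.0, limit=100):
    """Spider internal links first, then external ones; stop at the first
    URL after which the monitored tree differs from the baseline.
    visit(url) is a hypothetical browser driver returning (internal, external)."""
    baseline = snapshot(root)
    internal, external, seen = [start_url], [], []
    while (internal or external) and len(seen) < limit:
        url = internal.pop(0) if internal else external.pop(0)
        if url in seen:
            continue
        seen.append(url)
        ints, exts = visit(url)
        time.sleep(settle)  # predetermined wait before the integrity check
        changes = diff(baseline, snapshot(root))
        if any(changes.values()):
            # Checking after every visit attributes the change to this URL.
            return {"url": url, "changes": changes, "visited": seen}
        internal.extend(ints)
        external.extend(exts)
    return {"url": None, "changes": None, "visited": seen}

def demo():
    """Constructed run: the third page visited writes a file outside the browser."""
    site = {  # constructed link graph: url -> (internal links, external links)
        "http://a.example/": (["http://a.example/1"], ["http://b.example/"]),
        "http://a.example/1": ([], []),
        "http://b.example/": ([], []),
    }
    with tempfile.TemporaryDirectory() as root:
        Path(root, "system.ini").write_text("clean")
        def visit(url):  # stand-in for driving a real browser
            if url == "http://b.example/":
                Path(root, "dropped.bin").write_bytes(b"constructed")
            return site[url]
        return crawl("http://a.example/", visit, root)
```

In the prototype as summarized above, a detection would also suspend the virtual machine and continue on a fresh clone; this sketch simply returns the flagged URL.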






