US-20260127285-A1 - SYSTEM AND METHOD FOR DETECTING AND/OR BLOCKING MALWARE ATTACKS USING DECOYS

Abstract

In an approach to detecting and/or blocking malware attacks using decoys, one or more decoy files are created, where the one or more decoy files never return a read acknowledgement when read, thereby crippling at least a portion of a malware. The one or more decoy files are propagated to a system. Responsive to the malware initiating a read process on any of the one or more decoy files, the malware is detected.

Inventors

  • Gabe HOOGENBOOM
  • Jeffrey A. LAU

Assignees

  • BATTELLE MEMORIAL INSTITUTE

Dates

Publication Date
20260507
Application Date
20260105

Claims (20)

  1-20. (canceled)
  21. A computer-implemented method for detecting and blocking malware attacks, the method comprising: creating, by one or more computer processors, one or more decoy files, wherein each of the one or more decoy files is an empty first in, first out (FIFO) pipe; propagating, by the one or more computer processors, the one or more decoy files to a system; and responsive to a malware initiating a read process on any of the one or more decoy files, detecting, by the one or more computer processors, the malware.
  22. The method of claim 21, further comprising: detecting, by the one or more computer processors, that the malware has attempted to read any of the one or more decoy files; and signaling, by the one or more computer processors, to the system that the malware has been detected.
  23. The method of claim 22, wherein detecting that the malware has attempted to read any of the one or more decoy files does not require a monitoring process.
  24. The method of claim 23, wherein any of the one or more decoy files is a symbolic link (symlink) to the FIFO.
  25. The method of claim 23, wherein creating the one or more decoy files further comprises: creating, by the one or more computer processors, a software module in an operating system; and creating, by the one or more computer processors, the FIFO using the software module in the operating system.
  26. The method of claim 23, wherein creating the one or more decoy files further comprises: creating, by the one or more computer processors, a Linux virtual machine on a Windows system; and creating, by the one or more computer processors, the FIFO using a make FIFO command (mkfifo) of the Linux virtual machine.
  27. The method of claim 23, wherein responsive to detecting that the malware has initiated the read process on any of the one or more decoy files, detecting the malware further comprises: preventing, by the one or more computer processors, any write process from writing to the FIFO to leave the FIFO empty, wherein the read process cannot complete while the FIFO is empty.
  28. The method of claim 23, wherein responsive to detecting that the malware has initiated the read process on any of the one or more decoy files, detecting the malware further comprises: creating, by the one or more computer processors, a write process that writes continuously to the FIFO, wherein the read process cannot complete due to the write process continuously writing to the FIFO.
  29. The method of claim 21, wherein the one or more decoy files are propagated based on research and analysis of the malware attacks.
  30. The method of claim 29, wherein a number and location of the decoy files may be optimized based on the research and the analysis of the malware attacks.
  31. A system for detecting and/or blocking malware attacks, the system comprising: one or more computer processors; one or more computer readable storage media; and program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more computer processors, the stored program instructions including instructions to: create one or more decoy files, wherein each of the one or more decoy files is an empty first in, first out (FIFO) pipe; propagate the one or more decoy files to a target system; and responsive to a malware initiating a read process on any of the one or more decoy files, detect the malware.
  32. The system of claim 31, further comprising one or more of the following program instructions, stored on the one or more computer readable storage media, to: detect that the malware has attempted to read any of the one or more decoy files; and signal to the system that the malware has been detected.
  33. The system of claim 31, wherein detecting that the malware has attempted to read any of the one or more decoy files does not require a monitoring process.
  34. The system of claim 33, wherein each of the one or more decoy files is a symbolic link (symlink) to the FIFO.
  35. The system of claim 33, wherein creating the one or more decoy files further comprises one or more of the following program instructions, stored on the one or more computer readable storage media, to: create a software module in an operating system; and create the FIFO using the software module in the operating system.
  36. The system of claim 33, wherein creating the one or more decoy files further comprises one or more of the following program instructions, stored on the one or more computer readable storage media, to: create a Linux virtual machine on a Windows system; and create the FIFO using a make FIFO command (mkfifo) of the Linux virtual machine.
  37. The system of claim 33, wherein responsive to detecting that the malware has initiated the read process on any of the one or more decoy files, detecting the malware further comprises one or more of the following program instructions, stored on the one or more computer readable storage media, to: prevent a write process from writing to the FIFO to leave the FIFO empty, wherein the read process cannot complete because the FIFO is empty.
  38. The system of claim 33, wherein responsive to detecting that the malware has initiated the read process on any of the one or more decoy files, detecting the malware further comprises one or more of the following program instructions, stored on the one or more computer readable storage media, to: create a write process that writes continuously to the FIFO, wherein the read process cannot complete due to the write process continuously writing to the FIFO.
  39. The system of claim 31, wherein the one or more decoy files are propagated based on research and analysis of the malware attacks.
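The trap-and-probe mechanism of claims 21, 22 and 27 in working form, as an added example that is not the patent's own code: each decoy is an empty FIFO, a reader that opens one blocks because no writer ever appears, and a defender can confirm that a reader is caught without any file-access monitor, because a non-blocking open of a FIFO for writing fails with ENXIO unless a reader is present. Assumes Linux/POSIX; the decoy names, the temporary directory and the child-process reader that stands in for the malware are constructed for this demo.

```python
import errno, os, subprocess, sys, tempfile, time

# Stand-in for any process that opens a file and reads it (here: the "malware").
READER = [sys.executable, "-c", "import sys; open(sys.argv[1], 'rb').read()"]

def plant_decoys(root, names=("Q4-financials.xlsx", "passwords.txt")):
    paths = [os.path.join(root, n) for n in names]  # constructed decoy names
    for path in paths:
        os.mkfifo(path, 0o644)  # an empty FIFO, not a regular file; never written to
    return paths

def reader_completes(path, timeout=1.0):
    """True if the reader finished within timeout. A blocking open() of a FIFO with
    no writer never returns, so a decoy yields False; run() kills the stuck child."""
    try:
        subprocess.run(READER + [path], timeout=timeout, check=False)
        return True
    except subprocess.TimeoutExpired:
        return False

def reader_present(path):
    """Probe whether some process holds the decoy open for reading, with no file
    access monitor: a non-blocking open for write on a FIFO fails with ENXIO when
    there is no reader. Returns (found, fd); keep fd open and never write to it,
    so the trapped reader gets neither data nor EOF and stays blocked in read()."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
    except OSError as exc:
        if exc.errno != errno.ENXIO:
            raise
        return False, None
    return True, fd

def demo():
    root = tempfile.mkdtemp(prefix="decoy-demo-")
    decoys = plant_decoys(root)
    result = {"decoy_read_completes": reader_completes(decoys[0]),
              "reader_found_on_idle_decoy": reader_present(decoys[1])[0]}
    stuck = subprocess.Popen(READER + [decoys[1]])  # a reader walks into the decoy
    for _ in range(50):  # poll up to ~5 s while the child reaches its blocking open()
        found, fd = reader_present(decoys[1])
        if found:
            break
        time.sleep(0.1)
    result["reader_found_on_touched_decoy"] = found
    result["reader_still_stuck"] = stuck.poll() is None  # held in read(): no data, no EOF
    stuck.kill(); stuck.wait()
    if fd is not None:
        os.close(fd)
    return result
```

Holding the write descriptor open without writing keeps the caught reader blocked in read(); closing it would deliver EOF and release the reader, so a deployment that probes this way must keep the descriptor for as long as it wants the reader held.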

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims the benefit of the filing date of U.S. Provisional Application Ser. No. 63/377,845, filed Sep. 30, 2022, the entire teachings of which are hereby incorporated herein by reference.

TECHNICAL FIELD

The present application relates generally to cyber security and, more particularly, to a system and method for detecting and/or blocking malware attacks using decoys.

BACKGROUND

Malware is intrusive software that may damage and/or destroy computers and computer systems, and/or obtain private information. Malware is a contraction of “malicious software.” Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users of access to information, or otherwise interfere, without the user's knowledge, with the user's computer security and privacy. Examples of common malware include viruses, worms, spyware, adware, and ransomware.

Ransomware is a type of malware that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware, collectively called crypto-ransomware, is used to extort payment from the victim. In these instances, the ransomware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. Ransomware is a top threat to public and private organizations: it cripples operations and demands large sums under the threat of losing or leaking proprietary information and personally identifiable information (PII).

In cyber security, a decoy may be used to distract cybercriminals from actual targets. The decoy, e.g., a honeypot, is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a decoy consists of data (for example, in a network site) that appears to be a legitimate part of the site and contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference should be made to the following detailed description, which should be read in conjunction with the following figures, wherein like numerals represent like parts.

FIG. 1 is a functional block diagram illustrating a distributed data processing environment consistent with the present disclosure.

FIG. 2 is an example illustrating one possible method for a ransomware attack on a computer.

FIG. 3 is a sequence diagram depicting operations of the program for detecting and/or blocking malware attacks using decoys, on the distributed data processing environment of FIG. 1, consistent with the present disclosure.

FIG. 4 depicts a block diagram of components of the computing device executing the program within the distributed data processing environment of FIG. 1, consistent with the present disclosure.

DETAILED DESCRIPTION

The present disclosure is not limited in its application to the details of construction and the arrangement of components set forth in the following description or illustrated in the drawings. The examples described herein may be capable of other embodiments and of being practiced or carried out in various ways. Also, it may be appreciated that the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting, as may be understood by one of skill in the art. Throughout the present disclosure, like reference characters may indicate like structure throughout the several views, and such structure need not be separately discussed. Furthermore, any particular feature(s) of a particular exemplary embodiment may be equally applied to any other exemplary embodiment(s) of this specification as suitable. In other words, features between the various exemplary embodiments described herein are interchangeable, and not exclusive.

Traditional methods to block malware attempts, such as ransomware, may include the use of honeypots that are monitored by a separate process that will expose adversarial processes when they access the honeypot file. The problem with the traditional solutions is that adversaries can detect and avoid the monitoring process. In addition, these existing honeypot methods merely provide detection notifications. There exists a need for a way to block malware attempts that is difficult or impossible for the adversary to detect, and to mitigate the attack to prevent damage inflicted by the malware.

Disclosed herein is a system and computer-implemented method for detecting and/or blocking malware attacks using decoys. The disclosed system and computer-implemented method trap malware on attempts to read and prevent or delay the attacker from encrypting real files. The disclosed solutions do not require a monitoring process and ar