US 11,934,948 B1
Adaptive deception system
Kimberly J Ferguson-Walter, San Diego, CA (US); and Sunny James Fugate, San Diego, CA (US)
Assigned to The Government of the United States as represented by the Director, National Security Agency
Filed by The Government of the United States as represented by the Director, National Security Agency, Fort George G. Meade, MD (US)
Filed on Jul. 15, 2020, as Appl. No. 16/930,046.
Claims priority of provisional application 62/874,806, filed on Jul. 16, 2019.
Int. Cl. H04L 29/06 (2006.01); G06N 3/04 (2023.01); G06N 3/08 (2023.01); H04L 9/40 (2022.01)
CPC G06N 3/08 (2013.01) [G06N 3/04 (2013.01); H04L 63/1491 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A method of defending a production network from a cyber-attack, the method comprising the steps of:
providing an adaptive deception system comprising:
a deception management system in communication with a management network, including a monitor and a manager, and hosting at least one container system service; the container system service including at least one deception device available for deployment to a production network; and
a control system including:
at least one sensor in communication with said monitor, and
at least one actuator in communication with said manager;
receiving, by one of said at least one sensor, production device properties defining production devices of the production network;
receiving, by one of said at least one sensor, deception device properties defining the at least one deception device of the production network;
utilizing said monitor to make deception management system observations and providing said deception management system observations to one of said at least one sensor;
aggregating said deception management system observations to derive attacker observations;
processing by said control system said production device properties, said deception device properties, said deception management system observations, and said derived attacker observations, to provide a hypothesis test adaption specification defining a hypothesis to be tested;
activating said actuators to implement said hypothesis test adaption specification;
updating said deception management system in accordance with said hypothesis test adaption specification;
receiving, by one of said at least one sensor, new production device properties defining production devices of the production network;
receiving, by one of said at least one sensor, new deception device properties defining the at least one deception device of the production network;
utilizing said monitor to make new deception management system observations and providing said new deception management system observations to one of said at least one sensor; and
processing by said control system said new production device properties, said new deception device properties, and said new deception management system observations, to evaluate said hypothesis.
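The claim describes a closed control loop: sensors ingest production and deception device properties plus observations from the deception management system, the observations are aggregated into attacker observations, the control system derives a hypothesis test adaption specification, actuators apply it, and a second round of sensing evaluates the hypothesis. The following Python sketch is an added example that models that loop with constructed data; it is not code from the patent or its inventors, and the data structures, the "most-contacted decoy service" rule used to form the hypothesis, and the device names are all assumptions made for illustration.

```python
"""Toy model of the sensor / actuator / hypothesis-test loop of claim 1.
Added example: structures, names and the hypothesis rule are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    services: tuple            # services offered, e.g. ("ssh", "http")
    deception: bool = False    # True for a deception device (decoy)


@dataclass
class Observation:
    source: str   # client address seen by the deception management system
    device: str   # device that was contacted
    service: str  # service on that device that was contacted


def aggregate_attacker_observations(observations):
    """Aggregate per-device observations into attacker observations:
    for each source, how often it contacted each decoy service."""
    attacker = {}
    for o in observations:
        attacker.setdefault(o.source, Counter())[o.service] += 1
    return attacker


def specify_hypothesis_test(production, deception, attacker_obs):
    """Control-system step. Assumed rule: take the decoy service attackers
    contact most and hypothesise that a new decoy offering that service
    will receive at least as many contacts as the existing decoys did."""
    if not attacker_obs:
        return None                       # nothing observed, no test yet
    totals = Counter()
    for per_source in attacker_obs.values():
        totals.update(per_source)
    service, baseline = totals.most_common(1)[0]
    decoy = f"decoy-{service}-{len(deception) + 1}"
    return {"deploy": Device(decoy, (service,), deception=True),
            "decoy": decoy, "service": service, "threshold": baseline,
            "hypothesis": f"{decoy} receives >= {baseline} {service} contacts"}


def activate_actuators(deception, spec):
    """Actuator step: deploy the decoy named in the specification."""
    return deception + [spec["deploy"]]


def evaluate_hypothesis(spec, new_observations):
    """Second sensing round: count contacts with the new decoy's service
    and compare against the threshold in the specification."""
    hits = sum(1 for o in new_observations
               if o.device == spec["decoy"] and o.service == spec["service"])
    return hits >= spec["threshold"], hits


# Constructed sample data for one loop iteration.
PRODUCTION = [Device("web-1", ("http",)), Device("db-1", ("mysql",))]
DECEPTION = [Device("decoy-1", ("ssh", "http"), deception=True)]
OBSERVATIONS = [Observation("10.0.0.5", "decoy-1", "ssh"),
                Observation("10.0.0.5", "decoy-1", "ssh"),
                Observation("10.0.0.9", "decoy-1", "http")]
NEW_OBSERVATIONS = [Observation("10.0.0.5", "decoy-ssh-2", "ssh"),
                    Observation("10.0.0.5", "decoy-ssh-2", "ssh"),
                    Observation("10.0.0.7", "decoy-ssh-2", "ssh"),
                    Observation("10.0.0.9", "decoy-1", "http")]


def run_cycle(production=PRODUCTION, deception=DECEPTION,
              observations=OBSERVATIONS, new_observations=NEW_OBSERVATIONS):
    """One full iteration: sense, aggregate, specify, actuate, re-sense, evaluate."""
    attacker_obs = aggregate_attacker_observations(observations)
    spec = specify_hypothesis_test(production, deception, attacker_obs)
    if spec is None:
        return None, None, 0
    deception = activate_actuators(deception, spec)
    supported, hits = evaluate_hypothesis(spec, new_observations)
    return spec, supported, hits


if __name__ == "__main__":
    spec, supported, hits = run_cycle()
    print(spec["hypothesis"], "->", "supported" if supported else "rejected", hits)
```

In a real deployment the second-round observations would come from the monitor after the actuators have changed the container system services; here they are constructed so the evaluation step can be followed end to end, and the empty-observation path shows the loop idling when there is nothing yet to test.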