US 12,445,460 B2
Tracking a potential attacker on an external computer system
Michal Paluch, Cracow (PL); Szymon Kowalczyk, Cracow (PL); Jiri Grunseisen, Brno (CZ); and Marcel Butucea Panait, Brno (CZ)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY (US)
Filed on Dec. 3, 2021, as Appl. No. 17/457,467.
Prior Publication US 2023/0179606 A1, Jun. 8, 2023
Int. Cl. H04L 9/40 (2022.01); G06N 3/042 (2023.01)
CPC H04L 63/1416 (2013.01) [G06N 3/042 (2023.01); H04L 63/1425 (2013.01); H04L 63/1491 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for obtaining information about an external computer system having a connection to a computer system, the method comprising:
receiving a series of requests from the external computer system via a network connection, wherein the series of requests comprises initial information about the external computer system;
categorizing the external computer system as a potential threat to the computer system using the series of requests;
in response to a number of received requests from the external computer system categorized as the potential threat exceeding a threshold, generating a computer file, the computer file comprising instructions, wherein the instructions are dynamically generated based on real-time analysis of the external computer system's request patterns and designed for obtaining the information about the external computer system if the instructions are executed on a processor of the external computer system, and wherein the instructions designed for obtaining the information about the external computer system are adapted based on the initial information;
providing data responsive to the series of requests;
sending the data in an initial response without the computer file to the external computer system to cause the external computer system to categorize the computer system as inoffensive and continue sending further requests to the computer system;
sending the data together with the computer file in subsequent responses to the external computer system;
receiving the information about the external computer system generated responsive to the instructions of the computer file;
utilizing an Artificial-Intelligence-Module (AI-module) trained on historic data about malicious traffic that analyzes real-time request data to generate context-specific responses, enhancing ability to identify malicious behaviors;
preserving the information about the external computer system within the computer system by storing the information in an intruder database wherein entries in the intruder database comprise profiles including past attack patterns of former external computing systems;
comparing information about a new external computer system, by the trained AI-module, to the information in the intruder database and adding information about the new external computer system to the intruder database when the new external computer system is classified as a potential threat by the trained AI-module; and
performing a protection measure against the new external computer system.
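The following is an added illustration of the server-side decision flow that claim 1 describes, written for this page; it is not IBM's code and nothing in the patent specifies it. Every concrete choice is an assumption: the path-based heuristic standing in for the trained AI-module, the request-count threshold of three, the descriptor used to represent the "computer file" (a format chosen from the User-Agent plus a tracking token, with no executable payload built or sent), the Jaccard comparison against intruder-database profiles, and the constructed traffic, report and addresses (RFC 5737 documentation ranges). It shows the ordering the claim requires: clean responses until the threshold is exceeded, then one more clean initial response, then responses carrying the file, and finally the comparison of a new source against stored profiles.

```python
"""Added example modelling claim 1's decision flow; all thresholds, heuristics
and sample data are assumptions for illustration, not the patent's own."""
from dataclasses import dataclass, field
import hashlib

# Constructed list of paths that the stand-in classifier treats as scanner traffic.
SCANNER_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/admin/"}


@dataclass
class Request:
    src: str         # identifier of the external computer system (IP address here)
    path: str
    user_agent: str  # the "initial information" the file is adapted to


@dataclass
class Profile:
    """One intruder-database entry: request pattern plus whatever was reported back."""
    paths: set = field(default_factory=set)
    user_agent: str = ""
    reported: dict = field(default_factory=dict)


def is_potential_threat(paths):
    """Stand-in for the trained AI-module (assumed heuristic): at least half of the
    source's requests so far target well-known scanner paths."""
    if not paths:
        return False
    return sum(1 for p in paths if p in SCANNER_PATHS) / len(paths) >= 0.5


def build_tracking_file(src, user_agent):
    """Descriptor for the computer file (assumed structure). The format is adapted to
    the initial information; the token ties a later report back to the source."""
    token = hashlib.sha256(f"{src}|{user_agent}".encode()).hexdigest()[:16]
    fmt = "text" if user_agent.lower().startswith("curl") else "html"
    return {"format": fmt, "token": token}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


class TrackingServer:
    def __init__(self, threshold=3, similarity=0.4):
        self.threshold = threshold      # requests a flagged source may send before the file is generated
        self.similarity = similarity    # profile similarity that classifies a new source as a threat
        self.seen = {}                  # src -> list of request paths
        self.agents = {}                # src -> last User-Agent
        self.file_for = {}              # src -> descriptor, once generated
        self.clean_sent = set()         # sources that already got the initial clean response
        self.tokens = {}                # token -> src
        self.intruder_db = {}           # src -> Profile

    def respond(self, req):
        """Return (data, attachment); attachment is None for a clean response."""
        paths = self.seen.setdefault(req.src, [])
        paths.append(req.path)
        self.agents[req.src] = req.user_agent
        data = f"content-for:{req.path}"
        if not is_potential_threat(paths) or len(paths) <= self.threshold:
            return data, None
        if req.src not in self.file_for:
            self.file_for[req.src] = build_tracking_file(req.src, req.user_agent)
            self.tokens[self.file_for[req.src]["token"]] = req.src
        if req.src not in self.clean_sent:
            self.clean_sent.add(req.src)       # initial response: data only
            return data, None
        return data, self.file_for[req.src]    # subsequent responses carry the file

    def receive_report(self, token, info):
        """Store information generated by the file's instructions under the source's profile."""
        src = self.tokens.get(token)
        if src is None:
            return False
        prof = self.intruder_db.setdefault(src, Profile())
        prof.paths.update(self.seen[src])
        prof.user_agent = self.agents[src]
        prof.reported.update(info)
        return True

    def assess_new(self, src, paths):
        """Compare a new source with stored profiles and pick a protection measure."""
        best = max((jaccard(set(paths), p.paths) for p in self.intruder_db.values()), default=0.0)
        if best >= self.similarity or is_potential_threat(paths):
            self.intruder_db.setdefault(src, Profile()).paths.update(paths)
            return "block"
        return "allow"


def demo():
    """Run constructed traffic through the server and return the decisions made."""
    srv = TrackingServer(threshold=3)
    scanner = [Request("203.0.113.7", p, "curl/8.0") for p in sorted(SCANNER_PATHS)]
    benign = [Request("198.51.100.4", p, "Mozilla/5.0")
              for p in ["/", "/about", "/contact", "/pricing", "/blog"]]
    scanner_attach = [srv.respond(r)[1] is not None for r in scanner]
    benign_attach = [srv.respond(r)[1] is not None for r in benign]
    token = srv.file_for["203.0.113.7"]["token"]
    accepted = srv.receive_report(token, {"os": "Linux", "hostname": "scanbox"})  # constructed report
    # New source: scanner paths diluted with benign ones, so only the profile comparison catches it.
    mixed = sorted(SCANNER_PATHS) + ["/", "/about", "/contact", "/news", "/docs", "/faq"]
    new_similar = srv.assess_new("192.0.2.9", mixed)
    new_benign = srv.assess_new("192.0.2.10", ["/", "/about"])
    return {"scanner_attachments": scanner_attach, "benign_attachments": benign_attach,
            "report_accepted": accepted, "new_similar": new_similar,
            "new_benign": new_benign, "db_size": len(srv.intruder_db)}


if __name__ == "__main__":
    print(demo())
```

The flagged source receives four clean responses (three under the threshold plus the initial response after the file is generated) before the fifth carries the descriptor, while the benign source never receives it. The mixed-path newcomer falls below the heuristic's 50% scanner ratio but matches the stored profile at 5/11 overlap, which is what the intruder-database comparison adds over per-source classification alone. Whether delivering a file meant to execute on a third party's system is lawful in a given jurisdiction is outside the claim and outside this example, which models only the server's decisions.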