US 12,118,086 B2
Deception-based responses to security attacks
Adam S. Meyers, Washington, DC (US); Dmitri Alperovitch, Gaithersburg, MD (US); George Robert Kurtz, Ladera Ranch, CA (US); David F. Diehl, Minneapolis, MN (US); and Sven Krasser, Los Angeles, CA (US)
Assigned to CrowdStrike, Inc., Sunnyvale, CA (US)
Filed by CrowdStrike, Inc., Sunnyvale, CA (US)
Filed on May 27, 2020, as Appl. No. 16/885,169.
Application 16/885,169 is a continuation of application No. 13/784,720, filed on Mar. 4, 2013, granted, now 10,713,356.
Prior Publication US 2020/0285739 A1, Sep. 10, 2020
Int. Cl. G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06F 21/62 (2013.01); H04L 9/40 (2022.01); H04L 61/4511 (2022.01)
CPC G06F 21/56 (2013.01) [G06F 21/554 (2013.01); G06F 21/6209 (2013.01); H04L 61/4511 (2022.05); H04L 63/1491 (2013.01); G06F 2221/2111 (2013.01); G06F 2221/2129 (2013.01)] 16 Claims
OG exemplary drawing
 
1. A computer-implemented method comprising:
receiving a domain name resolution request from a requesting process operating on a device;
determining that a domain name included in the domain name resolution request is indicative of malicious activity;
responding to the domain name resolution request with a network address of a monitored server posing as an adversary server associated with the requesting process to prompt an adversary communication to the monitored server instead of the adversary server;
transitioning an attack associated with the requesting process from the device to the monitored server;
monitoring activities of the attack on the monitored server;
enabling the monitored server to load deceptive information onto a memory of the monitored server; and
enabling an attacker associated with the attack to acquire the deceptive information from the monitored server through the adversary communication.
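The claim above describes a deceptive resolver: a DNS request from a process on a device is checked against indicators of malicious activity, and a flagged name is answered with the address of a monitored server rather than the real adversary server, so that the adversary communication (and the activity that follows) lands where it can be observed. The following Python is an added example written for this page, not code from the patent or from CrowdStrike; it implements only the resolution step as a small wire-format DNS handler. The monitored address (192.0.2.10), the indicator list, the process and device labels, and the upstream-resolution callable are all constructed placeholders, and the upstream stub stands in for whatever ordinary resolution a real deployment would perform.

```python
"""Deceptive DNS responder (added example; not the patent's own code).

Flagged names get an A record for a monitored server; every decision is
recorded as an event so the transition to the monitored server is auditable.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

MONITORED_SERVER = "192.0.2.10"          # constructed placeholder (TEST-NET-1)
MALICIOUS_DOMAINS: Set[str] = {           # constructed indicator list
    "bad-c2.example",
    "evil-cdn.example",
}


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def is_malicious_domain(name: str, indicators: Set[str] = MALICIOUS_DOMAINS) -> bool:
    """True if the name, or any parent domain of it, is on the indicator list."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def encode_qname(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in normalize(name).split("."))
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1) with one question; used here as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> Tuple[int, str, int, int, int]:
    """Return (txid, qname, qtype, qclass, offset just past the question)."""
    txid = struct.unpack_from("!H", packet, 0)[0]
    offset, labels = 12, []
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype, qclass = struct.unpack_from("!HH", packet, offset)
    return txid, ".".join(labels), qtype, qclass, offset + 4


def build_response(query: bytes, address: str, ttl: int = 60) -> bytes:
    """Echo the question and append one A record pointing at `address`."""
    txid, _, _, _, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rdata = ipaddress.IPv4Address(address).packed
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata  # 0xC00C: pointer to qname
    return header + query[12:qend] + answer


def answer_address(response: bytes) -> Optional[str]:
    """Extract the IPv4 address from the first A record of a response built above."""
    _, _, _, _, qend = parse_question(response)
    _, rtype, _, _, rdlen = struct.unpack_from("!HHHIH", response, qend)
    if rtype != 1 or rdlen != 4:
        return None
    start = qend + 12
    return str(ipaddress.IPv4Address(response[start:start + 4]))


@dataclass
class ResolutionEvent:
    qname: str
    requesting_process: str   # constructed label, e.g. "svchost.exe[1337]"
    device: str
    action: str               # "deceive" or "forward"
    answer: str


class DeceptiveResolver:
    def __init__(self, indicators: Set[str], monitored_address: str,
                 upstream: Callable[[str], str]) -> None:
        self.indicators = indicators
        self.monitored_address = monitored_address
        self.upstream = upstream          # stand-in for ordinary resolution
        self.events: List[ResolutionEvent] = []

    def handle(self, query: bytes, requesting_process: str, device: str) -> bytes:
        _, qname, qtype, _, _ = parse_question(query)
        if qtype == 1 and is_malicious_domain(qname, self.indicators):
            action, answer = "deceive", self.monitored_address
        else:
            action, answer = "forward", self.upstream(qname)
        self.events.append(ResolutionEvent(qname, requesting_process, device, action, answer))
        return build_response(query, answer)


if __name__ == "__main__":
    resolver = DeceptiveResolver(MALICIOUS_DOMAINS, MONITORED_SERVER, lambda n: "198.51.100.7")
    reply = resolver.handle(build_query(0x1234, "www.bad-c2.example"), "svchost.exe[1337]", "host-01")
    print(answer_address(reply), resolver.events[-1].action)
```

The event list is the piece a defender most needs: the claim's later steps (monitoring the attack on the monitored server) only make sense if the resolver records which process on which device was redirected and when, so the observed traffic at the monitored server can be tied back to its origin.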