Microsoft Files Patent for HoneyMonkey Exploit Finder
Microsoft has filed a patent claim for the Strider HoneyMonkey malware/exploit detection system created by its internal research unit.
The claim, currently being reviewed at Peer-to-Patent, is a clear signal that the two-year-old research project could soon find itself in a software product coming out of the Redmond, Wash., software vendor.
The HoneyMonkey system, first discussed in August 2005, is best described as an automated Web patrol that uses multiple Windows computers -- some unpatched and some fully updated -- to streamline the process of finding zero-day Web-based exploits.
When it was first introduced, Microsoft explained how researchers were able to use HoneyMonkeys to find 752 unique URLs (hosted on 287 sites) that were firing drive-by exploits at Internet Explorer users. From those URLs, the system was able to confirm that active exploits were infecting Windows XP machines, including one for a fully patched system running the company's newly hardened XP SP2 (Service Pack 2).
The entire system consists of a "pipeline of monkey programs" running on VMs (Virtual Machines) with different patch levels in order to detect exploit sites with different capabilities.
The extract from the patent filing explains:
A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine. Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited.
The USPTO (United States Patent and Trademark Office), in partnership with Peer-to-Patent, has set up a wiki to solicit prior art claims on Microsoft's invention claim.