US Patent 11503073 Live state transition using deception systems

Disclosed herein are methods, systems, and processes to perform live deployment of deception computing systems. An imminent or ongoing malicious attack on a protected host in a network is detected. In response to detecting the imminent or ongoing malicious attack, personality characteristics of the protected host are cloned and a honeypot clone based on the personality characteristics is generated. The honeypot clone is then deployed in the network. A determination is made that the malicious attack includes an interactive session between an attacker associated with the malicious attack and the protected host, and a live state transition is performed between the protected host and the honeypot clone using agent data if the interactive session includes an encrypted protocol or using session state data if the interactive session does not include the encrypted protocol. Attacker data traffic associated with the malicious attack is redirected from the protected host to the honeypot clone and the interactive session is resumed if the redirection of the attacker traffic data transitions within a predetermined time period.