Method and apparatus for dynamic detection of geo-location obfuscation in client-server connections through an IP tunnel

US 10,038,712 B2
Filed: 06/01/2015
Issued: 07/31/2018
Est. Priority Date: 06/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically detecting geo-location obfuscation of a client connection between a client and a server, the method comprising:

forcing, by the server, the client connection to use an HTTPS protocol;

extracting a maximum segment size (MSS) parameter of a packet associated with TCP handshake negotiations of the HTTPS protocol;

evaluating, based on comparing a value of the MSS parameter to a database of known MSS values for connections made via tunneling, whether the client connection is made via tunneling;

estimating a risk of geo-location obfuscation associated with the client connection based on a latency analysis of the client connection when the evaluation indicates the client connection is made via tunneling; and

providing a risk assessment, according to the evaluation of whether the client connection is made via tunneling and the estimation of risk, of whether the client connection is made via tunneling so as to obfuscate the geo-location of the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for dynamic detection of fraudulent client connections to a server, in which, for example, the connection is made using an internet protocol (IP) tunneling technology such as networking on a virtual private network (VPN) and making the connection via a VPN tunnel in order to obfuscate the client IP address, in which a user of a client device may employ spoofing of IP-geo location mechanisms and IP classification on the server side. Such a user may have various motivations for obfuscating the client device'"'"'s geo-location by using an IP tunnel when connecting to a server such as gaining access to services that are not allowed in certain locations (e.g., certain movie and television content providers); browsing server data while maintaining a higher level of anonymity; and performing fraudulent actions on the server.

14 Citations

View as Search Results

10 Claims

1. A method for dynamically detecting geo-location obfuscation of a client connection between a client and a server, the method comprising:
- forcing, by the server, the client connection to use an HTTPS protocol;
  
  extracting a maximum segment size (MSS) parameter of a packet associated with TCP handshake negotiations of the HTTPS protocol;
  
  evaluating, based on comparing a value of the MSS parameter to a database of known MSS values for connections made via tunneling, whether the client connection is made via tunneling;
  
  estimating a risk of geo-location obfuscation associated with the client connection based on a latency analysis of the client connection when the evaluation indicates the client connection is made via tunneling; and
  
  providing a risk assessment, according to the evaluation of whether the client connection is made via tunneling and the estimation of risk, of whether the client connection is made via tunneling so as to obfuscate the geo-location of the client.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the evaluation further comprises:
    - determining that the client connection is not made via tunneling when the value of the MSS parameter of the packet is either a standard value or does not match any value in the database of known MSS values for connections made via tunneling.
  - 3. The method of claim 1, wherein the estimation further comprises:
    - determining a round trip time (RTT) between the server and the client by analyzing a communication stack of the client connection.
  - 4. The method of claim 1, wherein the estimation further comprises:
    - retrieving a benchmark RTT, from a second database that relates protocols to benchmark RTT, for a protocol in which the client connection is made.

5. A system comprising:
- a server processor; and
  
  a data storage device including a non-transitory computer-readable medium having computer readable code for instructing the server processor that, when executed by the server processor, causes the server processor to perform operations comprising;
  
  forcing a client to use an HTTPS protocol to make a connection to the server processor;
  
  extracting a client side maximum segment size (MSS) value from TCP handshake negotiations of the HTTPS protocol;
  
  evaluating, based on comparing the client side MSS value to a database of known MSS values for connections made via tunneling, whether the connection is made via tunneling;
  
  estimating a risk of geo-location obfuscation associated with the connection to the server processor, based on a latency analysis of the connection when the evaluation indicates the connection is made via tunneling;
  
  providing a risk assessment, according to the estimation of risk-and the evaluation, of whether the connection is made via tunneling so as to obfuscate a geo-location of the client; and
  
  terminating the connection in response to the evaluation indicating the connection is made via tunneling.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein the evaluation further comprises:
    - determining that the connection is not made via tunneling when a value of the client side MSS value is either a standard value or does not match any value in the database.
  - 7. The system of claim 5, wherein the estimation further comprises:
    - determining a round trip time (RTT) between the server processor and the client by analysis of a communication stack of the client connection.
  - 8. The system of claim 5, wherein the operations further comprise:
    - denying a future connection for some determinate length of time from the client.

9. A non-transitory computer-readable medium comprising instructions which, in response to execution by a computer system, cause the computer system to:
- force a client to use an HTTPS protocol when making a client connection to the computer system;
  
  extract a maximum segment size (MSS) parameter from TCP handshake negotiations of the HTTPS protocol;
  
  determine a match between the MSS parameter and a database of known MSS values for connections made via tunneling, wherein the match indicates that the client connection is made via tunneling;
  
  estimate a risk of geo-location obfuscation associated with the client connection, based on a latency analysis of the client connection when the match indicates that the client connection is made via tunneling;
  
  provide a risk assessment, according to the estimation of risk and the match, of whether the client connection is made via tunneling so as to obfuscate a geo-location of the client; and
  
  terminate the client connection in response to determining the match.
- View Dependent Claims (10)
- - 10. The non-transitory computer-readable medium of claim 9, further comprising instructions which, in response to execution by a computer system, cause the computer system to:
    - determine a round trip time (RTT) between the computer system and the client by analyzing a communication stack of the client connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Nathan, Avihay, Arad, Uri, Argon, Oded, Stein, David, Faivishevsky, Lev, Lupo, Roi
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/727,556
Publication Number

US 20150350160A1
Time in Patent Office

1,156 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/0864   Round trip delays

H04L 43/16   Threshold monitoring

H04L 47/36   by determining packet size,...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 67/52   specially adapted for the l...

Method and apparatus for dynamic detection of geo-location obfuscation in client-server connections through an IP tunnel

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for dynamic detection of geo-location obfuscation in client-server connections through an IP tunnel

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links