Method and apparatus for dynamic detection of geo-location obfuscation in client-server connections through an IP tunnel
First Claim
1. A method for dynamically detecting geo-location obfuscation of a client connection between a client and a server, the method comprising:
- forcing, by the server, the client connection to use an HTTPS protocol;
- extracting a maximum segment size (MSS) parameter of a packet associated with TCP handshake negotiations of the HTTPS protocol;
- evaluating, based on comparing a value of the MSS parameter to a database of known MSS values for connections made via tunneling, whether the client connection is made via tunneling;
- estimating a risk of geo-location obfuscation associated with the client connection based on a latency analysis of the client connection when the evaluation indicates the client connection is made via tunneling; and
- providing a risk assessment, according to the evaluation of whether the client connection is made via tunneling and the estimation of risk, of whether the client connection is made via tunneling so as to obfuscate the geo-location of the client.
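The claimed flow, sketched as an added example (not code from the patent or its assignee): parse the MSS option out of a client SYN, look it up in a table of tunnel-associated values, and run the latency check only on a match. The MSS table, the `expected_rtt_ms` input, the `slack_ms` threshold and the risk labels are all assumptions made for illustration; the claims do not specify them.

```python
import struct

# Constructed placeholder values, standing in for the "database of known MSS values".
KNOWN_TUNNEL_MSS = {1360, 1380, 1400}

def extract_mss(segment: bytes):
    """Return the MSS option of a TCP SYN segment, or None if absent or malformed."""
    if len(segment) < 20:
        return None
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (offset_flags >> 12) * 4          # data offset is in 32-bit words
    if not offset_flags & 0x002:                   # MSS is only carried on SYN
        return None
    if header_len < 20 or header_len > len(segment):
        return None
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # truncated or bogus option
            return None
        if kind == 2 and length == 4:              # MSS option: kind 2, length 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def assess(syn: bytes, rtt_ms: float, expected_rtt_ms: float, slack_ms: float = 50.0):
    """Two-stage assessment: MSS match first, latency analysis only on a match."""
    mss = extract_mss(syn)
    if mss not in KNOWN_TUNNEL_MSS:
        return {"mss": mss, "tunneled": False, "risk": "low"}
    # Assumed heuristic: RTT far above what the claimed location predicts.
    excess = rtt_ms - expected_rtt_ms
    return {"mss": mss, "tunneled": True,
            "risk": "high" if excess > slack_ms else "medium"}

def build_syn(mss: int) -> bytes:
    """Constructed sample SYN to port 443 with NOP, NOP, MSS, NOP, EOL options."""
    hdr = struct.pack("!HHIIHHHH", 50000, 443, 1, 0, (7 << 12) | 0x002, 64240, 0, 0)
    return hdr + b"\x01\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x01\x00"
```
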
Abstract
Methods and systems are disclosed for dynamic detection of fraudulent client connections to a server, in which, for example, the connection is made using an internet protocol (IP) tunneling technology such as networking on a virtual private network (VPN) and making the connection via a VPN tunnel in order to obfuscate the client IP address, in which a user of a client device may employ spoofing of IP-geo location mechanisms and IP classification on the server side. Such a user may have various motivations for obfuscating the client device's geo-location by using an IP tunnel when connecting to a server such as gaining access to services that are not allowed in certain locations (e.g., certain movie and television content providers); browsing server data while maintaining a higher level of anonymity; and performing fraudulent actions on the server.
10 Claims
5. A system comprising:
- a server processor; and
- a data storage device including a non-transitory computer-readable medium having computer readable code for instructing the server processor that, when executed by the server processor, causes the server processor to perform operations comprising;
  - forcing a client to use an HTTPS protocol to make a connection to the server processor;
  - extracting a client side maximum segment size (MSS) value from TCP handshake negotiations of the HTTPS protocol;
  - evaluating, based on comparing the client side MSS value to a database of known MSS values for connections made via tunneling, whether the connection is made via tunneling;
  - estimating a risk of geo-location obfuscation associated with the connection to the server processor, based on a latency analysis of the connection when the evaluation indicates the connection is made via tunneling;
  - providing a risk assessment, according to the estimation of risk and the evaluation, of whether the connection is made via tunneling so as to obfuscate a geo-location of the client; and
  - terminating the connection in response to the evaluation indicating the connection is made via tunneling.
9. A non-transitory computer-readable medium comprising instructions which, in response to execution by a computer system, cause the computer system to:
- force a client to use an HTTPS protocol when making a client connection to the computer system;
- extract a maximum segment size (MSS) parameter from TCP handshake negotiations of the HTTPS protocol;
- determine a match between the MSS parameter and a database of known MSS values for connections made via tunneling, wherein the match indicates that the client connection is made via tunneling;
- estimate a risk of geo-location obfuscation associated with the client connection, based on a latency analysis of the client connection when the match indicates that the client connection is made via tunneling;
- provide a risk assessment, according to the estimation of risk and the match, of whether the client connection is made via tunneling so as to obfuscate a geo-location of the client; and
- terminate the client connection in response to determining the match.
Specification