Detection of proxy server

US 10,069,837 B2
Filed: 07/07/2016
Issued: 09/04/2018
Est. Priority Date: 07/09/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising a proxy detector device able to determine that a proxy server is utilized by an end-user using a computing device over a communication network for accessing a trusted server comprising:

the proxy server detector device determining whether;

(I) the end-user device is communicating indirectly with the trusted server via the proxy server, or (II) the end-user device is communicating directly with the trusted server via a proxy-less communication route;

further comprising;

a Secure Socket Layer (SSL) header cipher collector device, to collect SSL header ciphers that are actually used by the end-user device communicating with the trusted server;

an SSL header cipher matcher, to detect a discrepancy between;

(I) collected SSL header ciphers that are actually used by the end-user device, and (II) a set of SSL cipher headers that are declared by a browser of said end-user device;

wherein the proxy server detector is to determine that a proxy server exists, between the end-user device and the trusted server, based on said discrepancy between;

(I) collected SSL header ciphers that are actually used by the end-user device, and (II) the set of SSL cipher headers that are declared by a browser of said end-user device; and

wherein when system determines that the discrepancy exists between the collected SSL header ciphers and the set of SSL ciphers which characterize the current interaction session of the current end user, the system determines that illegitimate spoofing of data is performed by the end-user device, and a fraud signal is transmitted to one or more other units of system indicating a cyber-attack.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting whether an electronic device or computerized device or computer, is communicating with a computerized service or a trusted server directly and without an intermediary web-proxy, or indirectly by utilizing a proxy server or web-proxy. The system searches for particular characteristics or attributes, that characterize a proxy-based communication session or channel and that do not characterize a direct non-proxy-based communication session or channel; or conversely, the system searches for particular characteristics or attributes, that characterize a direct non-proxy-based communication session or channel and that do not characterize a proxy-based communication session or channel; and based on these characteristics, determines whether or not a proxy server exists and operates.

Citations

26 Claims

1. A system comprising a proxy detector device able to determine that a proxy server is utilized by an end-user using a computing device over a communication network for accessing a trusted server comprising:
- the proxy server detector device determining whether;
  
  (I) the end-user device is communicating indirectly with the trusted server via the proxy server, or (II) the end-user device is communicating directly with the trusted server via a proxy-less communication route;
  
  further comprising;
  
  a Secure Socket Layer (SSL) header cipher collector device, to collect SSL header ciphers that are actually used by the end-user device communicating with the trusted server;
  
  an SSL header cipher matcher, to detect a discrepancy between;
  
  (I) collected SSL header ciphers that are actually used by the end-user device, and (II) a set of SSL cipher headers that are declared by a browser of said end-user device;
  
  wherein the proxy server detector is to determine that a proxy server exists, between the end-user device and the trusted server, based on said discrepancy between;
  
  (I) collected SSL header ciphers that are actually used by the end-user device, and (II) the set of SSL cipher headers that are declared by a browser of said end-user device; and
  
  wherein when system determines that the discrepancy exists between the collected SSL header ciphers and the set of SSL ciphers which characterize the current interaction session of the current end user, the system determines that illegitimate spoofing of data is performed by the end-user device, and a fraud signal is transmitted to one or more other units of system indicating a cyber-attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The system of claim 1, comprising:
    - a transport channel failure injector to inject a Negative Acknowledgment (NACK) into a transport channel that connects the trusted server and the end-user device;
      
      a Round-Trip Time (RTT) measurer, to measure a first RTT value that corresponds to a first RTT between the end-user device and the trusted server when a cached resource is requested, and to further measure a second RTT value that corresponds to a first RTT between the end-user device and the trusted server when a non-cached resource is requested;
      
      an RTT comparator to compare the first RTT value and the second RTT value;
      
      wherein the proxy server detector is to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on comparison of the first RTT value and the second RTT value.
  - 3. The system of claim 1, comprising:
    - a transport channel failure injector to inject a Negative Acknowledgment (NACK) into a transport channel that connects the trusted server and the end-user device;
      
      a Round-Trip Time (RTT) measurer, to measure a first RTT value that corresponds to a first RTT between the end-user device and the trusted server when a cached resource is requested, and to further measure a second RTT value that corresponds to a first RTT between the end-user device and the trusted server when a non-cached resource is requested;
      
      an RTT comparator to compare the first RTT value and the second RTT value;
      
      a proxy detector to determine that a proxy server more-probably exists, between the end-user device and the trusted server, if the first RTT value differs from the second RTT value by at least a pre-defined threshold difference.
  - 4. The system of claim 1, comprising:
    - a transport channel failure injector to inject a Reset (RST) packet into a transport channel that connects the trusted server and the end-user device;
      
      a Round-Trip Time (RTT) measurer, to measure a first RTT value that corresponds to a first RTT between the end-user device and the trusted server when a cached resource is requested, and to further measure a second RTT value that corresponds to a first RTT between the end-user device and the trusted server when a non-cached resource is requested;
      
      an RTT comparator to compare the first RTT value and the second RTT value;
      
      wherein the proxy server detector to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on comparison of the first RTT value and the second RTT value.
  - 5. The system of claim 1, comprising:
    - a transport channel failure injector to inject a Reset (RST) packet into a transport channel that connects a trusted server and an end-user device;
      
      a Round-Trip Time (RTT) measurer, to measure a first RTT value that corresponds to a first RTT between the end-user device and the trusted server when a cached resource is requested, and to further measure a second RTT value that corresponds to a first RTT between the end-user device and the trusted server when a non-cached resource is requested;
      
      an RTT comparator to compare the first RTT value and the second RTT value;
      
      wherein the proxy server detector to determine that a proxy server more-probably exists, between the end-user device and the trusted server, if the first RTT value differs from the second RTT value by at least a pre-defined threshold difference.
  - 6. The system of claim 1, comprising:
    - a Secure Socket Layer (SSL) header cipher collector, to collect SSL header ciphers that are actually used by the end-user device communicating with the trusted server;
      
      an SSL header cipher matcher, to detect a discrepancy between;
      
      (I) collected SSL header ciphers that are actually used by the end-user device, and (II) a set of SSL cipher headers that are declared by a browser of said end-user device;
      
      a spoofing detector to determine that identity spoofing is performed relative to said end-user device, based on said discrepancy between;
      
      (I) collected SSL header ciphers that are actually used by the end-user device, and (II) the set of SSL cipher headers that are declared by a browser of said end-user device.
  - 7. The system of claim 1, comprising:
    - a requests generator to generate a batch of TCP/IP requests;
      
      a TCP source-port identifier to identify a TCP source-port for each of the TCP/IP;
      
      a TCP source-port entropy analyzer to analyze a distribution of TCP source-ports associated with said batch;
      
      wherein the proxy server detector is to determine, based on entropy analysis of the distribution of TCP source-ports associated with said batch, that a proxy server more-probably exists, between the end-user device and the trusted server.
  - 8. The system of claim 1, comprising:
    - a requests generator to generate a batch of TCP/IP requests;
      
      a TCP source-port identifier to identify a TCP source-port for each of the TCP/IP;
      
      a TCP source-port sequencing analyzer to analyze a sequencing of TCP source-ports associated with said batch;
      
      wherein the proxy server detector to determine, based on sequencing analysis of the sequencing of TCP source-ports associated with said batch, that a proxy server more-probably exists, between the end-user device and the trusted server.
  - 9. The system of claim 1, comprising:
    - a local-time extractor to extract, locally at the end-user device, a local time zone that is reported locally at the end-user device;
      
      a geo-location mismatch detector, to detect a mismatch between;
      
      (I) the local time zone as extracted locally at the end-user device, and (II) an alleged local time zone obtained from geo-location of an originating Internet Protocol (IP) address associated with the end-user device;
      
      wherein the proxy server detector to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on a mismatch between;
      
      (I) the local time zone as extracted locally at the end-user device, and (II) the alleged local time zone obtained from geo-location of an originating Internet Protocol (IP) address associated with the end-user device.
  - 10. The system of claim 1, comprising:
    - a preferred-language extractor to extract, locally at the end-user device, an identifier of a preferred natural language that is reported locally at the end-user device;
      
      a geo-location mismatch detector, to detect that (I) the preferred natural language as extracted locally at the end-user device, is not an official language of (II) a geographical region associated with an originating Internet Protocol (IP) address associated with the end-user device;
      
      wherein the proxy server detector is to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on a determination that (I) the preferred natural language as extracted locally at the end-user device, is not an official language of (II) the geographical region associated with an originating Internet Protocol (IP) address associated with the end-user device.
  - 11. The system of claim 1, comprising:
    - an HTTP-header modifier to modify an HTTP header, that is intended for transmission to the end-user device, to be an HTTP-violating non-HTTP-compliant header;
      
      wherein the proxy server detector to perform an evaluation of a response of the end-user device to said HTTP-violating non-HTTP-compliant header, and to determine whether or not a proxy server more-probably exists, between the end-user device and the trusted server, based on said evaluation results.
  - 12. The system of claim 1, comprising:
    - an HTTP-header duplicator to modify an original HTTP header, that is intended for transmission to the end-user device, into a duplicate HTTP header that comprises two or more duplicate copies of said original HTTP header;
      
      wherein the proxy server detector is to perform an evaluation of a response of the end-user device to said duplicate HTTP header, and to determine whether or not a proxy server more-probably exists, between the end-user device and the trusted server, based on said evaluation results;
      
      wherein, if the proxy server detector evaluates that no error signal was received back from the end-user device in response to the duplicate HTTP header, then the proxy server detector is to determine that a proxy server more probably exists;
      
      wherein, if the proxy server detector evaluates that an error signal was received back from the end-user device in response to the duplicate HTTP header, then the proxy server detector is to determine that a proxy server more probably does not exist.
  - 13. The system of claim 1, comprising:
    - a reverse Domain Name Server (DNS) query module,(a) to perform a reverse DNS query on an Internet Protocol (IP) address of the end-user device,(b) to determine whether or not a reverse IP record exists for said IP address,(c) to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on determining that a reverse IP record exists for said IP address.
  - 14. The system of claim 1, comprising:
    - an HTTP header analyzer,(a) to perform analysis of an incoming HTTP header that is received from said end-user device;
      
      (b) to determine that said incoming HTTP header was modified relative to an expected HTTP header;
      
      (c) to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on determining that said incoming HTTP header was modified relative to the expected HTTP header.
  - 15. The system of claim 1, comprising:
    - an HTTP header analyzer,(a) to perform analysis of an incoming HTTP header that is received from said end-user device;
      
      (b) to determine that said incoming HTTP header was modified relative to an expected HTTP header, by detecting a particular content-item in a Via field of said incoming HTTP header;
      
      (c) to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on determining that said incoming HTTP header was modified relative to the expected HTTP header.
  - 16. The system of claim 1, comprising:
    - an HTTP header analyzer,(a) to perform analysis of an incoming HTTP header that is received from said end-user device;
      
      (b) to determine that said incoming HTTP header was modified relative to an expected HTTP header, by detecting a particular content-item in a X-Forwarded For (XFF) field of said incoming HTTP header;
      
      (c) to determine that a proxy server more-probably exists, between the end-user device and the trusted server, based on determining that said incoming HTTP header was modified relative to the expected HTTP header.
  - 17. The system of claim 1, comprising:
    - a browser identity detector,(a) to analyze transmission channel parameters, that exclude a User Agent field reported by the end-user device;
      
      (b) based on analysis of transmission channel parameters, and without relying on a User Agent field reported by the end-user device, to determine an actual browser identity of the end-user device;
      
      (c) to determine a mismatch between;
      
      (I) a reported browser identity as reported by the User Agent field of the end-user device, and (II) the actual browser identity of the end-user device as determined by the browser identity detector without relying on the User Agent field reported by the end-user device;
      
      (d) based on said mismatch, to determine that a proxy server more-probably exists between the end-user device and the trusted server.
  - 18. The system of claim 1, comprising:
    - an Operating System detector,(a) to analyze transmission channel parameters, that exclude a User Agent field reported by the end-user device;
      
      (b) based on analysis of transmission channel parameters, and without relying on a User Agent field reported by the end-user device, to determine an actual Operating System identity of the end-user device;
      
      (c) to determine a mismatch between;
      
      (I) a reported Operating System identity as reported by the User Agent field of the end-user device, and (II) the actual Operating System identity of the end-user device as determined by the Operating System detector without relying on the User Agent field reported by the end-user device;
      
      (d) based on said mismatch, to determine that a proxy server more-probably exists between the end-user device and the trusted server.
  - 19. The system of claim 1, comprising:
    - a ports connector and analyzer,(a) to attempt to connect through a particular port to an originating Internet Protocol (IP) address) of the end-user device;
      
      (b) to determine that a proxy server exists and is utilized, if a response is received to said attempt to connect through said particular port to said originating IP address of the end-user device.
  - 20. The system of claim 1, comprising:
    - a ports connector and analyzer,(a) to attempt to connect through a particular port to an originating Internet Protocol (IP) address) of the end-user device, wherein said particular port comprises a port selected from the group consisting of;
      
      port 80, port 8080, port 443, port 8888;
      
      (b) to determine that a proxy server exists and is utilized, if a response is received to said attempt to connect through said particular port to said originating IP address of the end-user device.
  - 21. The system of claim 1, comprising:
    - a Domain Name Server (DNS) failed requests manager,(a) to send to the end-user device an outgoing request for a resource, wherein the outgoing request is sent from a one-time subdomain of a domain that is controlled by a trusted server;
      
      (b) to ignore incoming queries to resolve said one-time subdomain, that are received from Domain Name Servers;
      
      (c) to detect an incoming attempt to resolve directly said one-time subdomain;
      
      (d) based on detecting said incoming attempt to resolve directly said one-time subdomain, to determine that a proxy server exists and is utilized.
  - 22. The system of claim 1, comprising:
    - a proxy lists scraper and analyzer, (a) to scrape a list of proxy servers and their characteristics, and (b) to analyze incoming traffic from an end-user device, and (c) and to determine that a proxy server exists by identifying a proxy server characteristic in said incoming traffic.
  - 23. The system of claim 1, comprising:
    - a non-relayed-data sender, (a) to send to said end-user device a data-item that is not relayed by proxy servers; and
      
      (b) based on a local determination in said end-user device, that said data-item was not received at the end-user device, to determine that a proxy server exists.
  - 24. The system of claim 1, comprising:
    - an Internet Protocol (IP) addresses manager,(a) to determine IP addresses of multiple sessions that originate from different end-user devices;
      
      (b) to detect a particular IP address which is reported as originating IP address for at least K different end-user devices, wherein K is a pre-defined positive threshold value;
      
      (c) to determine that said particular IP address belongs to a proxy server.
  - 25. The system of claim 1, wherein the proxy server detector is to determine that traffic from the end-user device is incoming to a trusted server from an exit node of The Onion Router (TOR) network;
    - and to determine that the end-user device utilizes TOR network as web proxy.
  - 26. The system of claim 1, comprising:
    - an HTTP to WebSockets upgrader and inspector module,(a) to attempt to upgrade an HTTP connection to a WebSockets connection,(b) to detect that said attempt fails even though end-user device parameters indicate support for WebSockets, and(c) to determine that more probably a proxy server exists between the end-user device and the trusted server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi, Lehmann, Yaron, Azizi, Yaron, Novick, Itai
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/203,817
Publication Number

US 20170012988A1
Time in Patent Office

789 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 1/1664   the supervisory signal bein...

H04L 2001/0097   Relays

H04L 45/02   Topology update or discovery

H04L 45/74   Address processing for routing

H04L 47/283   in response to processing d...

H04L 5/0055   Physical resource allocatio...

H04L 61/4511   using domain name system [DNS]

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

H04W 12/61   Time-dependent

Detection of proxy server

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of proxy server

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links