Method, system, and apparatus for detecting and preventing targeted attacks

US 10,091,235 B1
Filed: 06/07/2016
Issued: 10/02/2018
Est. Priority Date: 06/07/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting a request from a computing device of a member of an organization in connection with a communication session between the computing device of the member of the organization and at least one additional computing device;

identifying, within the request, a Uniform Resource Locator (URL) that the computing device of the member of the organization is attempting to access;

computing a unique identifier that represents the URL identified within the request;

comparing the unique identifier that represents the URL against a database that includes unique identifiers that represent URLs embedded in emails received by members of the organization;

determining, based at least in part on the comparison, that the URL identified within the request was included in an email received by the member of the organization;

in response to determining that the URL was included in an email received by the member of the organization, elevating a threat level of the communication session between the computing device of the member of the organization and the additional computing device; and

in response to elevating the threat level of the communication session, selectively performing a Layer 7 Deep Packet Inspection (DPI) on the communication session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method may include (1) detecting a request from a computing device of a member of an organization in connection with a communication session between the computing device and at least one additional computing device, (2) identifying, within the request, a URL that the computing device is attempting to access, (3) computing a unique identifier that represents the URL, (4) comparing the unique identifier against a database that includes unique identifiers that represent URLs embedded in emails received by members of the organization, (5) determining, based at least in part on the comparison, that the URL was included in an email received by the member of the organization, and then in response, (6) elevating a threat level of the communication session between the computing device and the additional computing device. Various other methods, systems, and apparatuses are also disclosed.

30 Citations

View as Search Results

18 Claims

1. A method comprising:
- detecting a request from a computing device of a member of an organization in connection with a communication session between the computing device of the member of the organization and at least one additional computing device;
  
  identifying, within the request, a Uniform Resource Locator (URL) that the computing device of the member of the organization is attempting to access;
  
  computing a unique identifier that represents the URL identified within the request;
  
  comparing the unique identifier that represents the URL against a database that includes unique identifiers that represent URLs embedded in emails received by members of the organization;
  
  determining, based at least in part on the comparison, that the URL identified within the request was included in an email received by the member of the organization;
  
  in response to determining that the URL was included in an email received by the member of the organization, elevating a threat level of the communication session between the computing device of the member of the organization and the additional computing device; and
  
  in response to elevating the threat level of the communication session, selectively performing a Layer 7 Deep Packet Inspection (DPI) on the communication session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein elevating the threat level of the communication session comprises:
    - determining that the URL facilitates a download of a file to the computing device; and
      
      quarantining the file downloaded to the computing device.
  - 3. The method of claim 2, wherein quarantining the file comprises:
    - inspecting the file for malware;
      
      determining that the file includes malware; and
      
      in response to determining that the file includes malware, quarantining the file.
  - 4. The method of claim 1, wherein elevating the threat level of the communication session comprises adding, to the database, a record that identifies at least one of:
    - a host of a resource corresponding to the URL;
      
      the computing device attempting to access the URL;
      
      the member of the organization whose computing device is attempting to access the URL; and
      
      a result of a Layer 7 DPI performed on the communication session.
  - 5. The method of claim 1, further comprising:
    - identifying emails received by the member of the organization;
      
      identifying, within at least one of the emails, at least one payload that includes a URL;
      
      computing a unique identifier that represents the URL identified in the payload; and
      
      storing, within the database, the unique identifier that represents the URL identified in the payload.
  - 6. The method of claim 5, wherein the payload comprises at least one of:
    - an attachment of the email; and
      
      a body of the email.
  - 7. The method of claim 1, wherein the communication session comprises a HyperText Transfer Protocol (HTTP) session.
  - 8. The method of claim 1, further comprising:
    - detecting another request from another computing device of another member of the organization in connection with another communication session between the other computing device of the other member of the organization and at least one further computing device;
      
      identifying, within the other request, a URL that the other computing device of the other member of the organization is attempting to access;
      
      computing a unique identifier that represents the other URL identified within the other request;
      
      comparing the unique identifier that represents the other URL identified within the other request against the database that includes the unique identifiers that represent the URLs embedded in the emails received by the members of the organization;
      
      determining, based at least in part on the comparison, that the other URL identified within the other request was not included in another email received by the other member of the organization; and
      
      in response to determining that the other URL was not included in the other email received by the other member of the organization, enabling the other communication session to continue without elevating a threat level of the other communication session.
  - 9. The method of claim 8, wherein enabling the other communication session to continue without elevating the threat level of the other communication session comprises refusing to perform a Layer 7 DPI on the communication session due at least in part to the threat level of the communication session not having been elevated.
  - 10. The method of claim 8, wherein enabling the other communication session to continue without elevating the threat level of the other communication session comprises at least one of:
    - refusing to quarantine a file downloaded to the computing device via the URL; and
      
      refusing to inspect the file for malware.

11. A system comprising:
- a detection module, stored in memory, that detects a request from a computing device of a member of an organization in connection with a communication session between the computing device of the member of the organization and at least one additional computing device;
  
  an identification module, stored in memory, that identifies, within the request, a Uniform Resource Locator (URL) that the computing device of the member of the organization is attempting to access;
  
  a computation module, stored in memory, that computes a unique identifier that represents the URL identified within the request;
  
  a determination module, stored in memory, that;
  
  compares the unique identifier that represents the URL against a database that includes unique identifiers that represent URLs embedded in emails received by members of the organization;
  
  determines, based at least in part on the comparison, that the URL identified within the request was included in an email received by the member of the organization;
  
  a security module, stored in memory, that;
  
  elevates, in response to the determination that the URL was included in an email received by the member of the organization, a threat level of the communication session between the computing device of the member of the organization and the additional computing device; and
  
  selectively performs, in response to elevating the threat level of the communication session, a Layer 7 Deep Packet Inspection (DPI) on the communication session; and
  
  at least one physical processor configured to execute the detection module, the identification module, the computation module, the determination module, and the security module.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the security module:
    - determines that the URL facilitates a download of a file to the computing device; and
      
      quarantines the file downloaded to the computing device.
  - 13. The system of claim 12, wherein the security module:
    - inspect the file for malware; and
      
      quarantine the file in response to a determination that the file includes malware.
  - 14. The system of claim 11, further comprising a database module, stored in memory, that adds, to the database, a record that identifies at least one of:
    - a host of a resource corresponding to the URL;
      
      the computing device attempting to access the URL;
      
      the member of the organization whose computing device is attempting to access the URL; and
      
      a result of a Layer 7 DPI performed on the communication session; and
      
      the physical processor is further configured to execute the database module.
  - 15. The system of claim 11, wherein:
    - the identification module;
      
      identifies emails received by the member of the organization; and
      
      identifies, within at least one of the emails, at least one payload that includes a URL;
      
      the computation module computes a unique identifier that represents the URL identified in the payload; and
      
      further comprising a database module, stored in memory, that stores, within the database, the unique identifier that represents the URL identified in the payload; and
      
      the physical processor is further configured to execute the database module.
  - 16. The system of claim 15, wherein the payload comprises at least one of:
    - an attachment of the email; and
      
      a body of the email.
  - 17. The system of claim 11, wherein the communication session comprises a HyperText Transfer Protocol (HTTP) session.

18. An apparatus comprising:
- a storage device that stores a database that includes unique identifiers that represent Uniform Resource Locator (URLs) embedded in emails received by members of an organization; and
  
  a physical processing unit communicatively coupled to the storage device, wherein the physical processing unit;
  
  detects a request from a computing device of a member of an organization in connection with a communication session between the computing device of the member of the organization and at least one additional computing device;
  
  identifies, within the request, a URL that the computing device of the member of the organization is attempting to access;
  
  computes a unique identifier that represents the URL identified within the request;
  
  compares the unique identifier that represents the URL against a database that includes unique identifiers that represent URLs embedded in emails received by members of the organization;
  
  determines, based at least in part on the comparison, that the URL identified within the request was included in an email received by the member of the organization;
  
  elevates, in response to determining that the URL was included in an email received by the member of the organization, a threat level of the communication session between the computing device of the member of the organization and the additional computing device; and
  
  selectively performs, in response to elevating the threat level of the communication session, a Layer 7 Deep Packet Inspection (DPI) on the communication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Kushwaha, Deepak, Joshi, Mohit, Tutliani, Puneet
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/175,568
Time in Patent Office

847 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 51/212   using filtering or selectiv...

H04L 63/0245   Filtering by information in...

H04L 63/1483   service impersonation, e.g....

Method, system, and apparatus for detecting and preventing targeted attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method, system, and apparatus for detecting and preventing targeted attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others