
Reverse shell network intrusion detection

  • US 10,135,847 B2
  • Filed: 05/18/2016
  • Issued: 11/20/2018
  • Est. Priority Date: 05/18/2016
  • Status: Active Grant
First Claim

1. A computer-implemented method for use in a database system, the database system including a client system coupled to an internal network receiving communication traffic over a network connection to an external network, the method comprising:

  • detecting a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;

    monitoring packets in the secure shell session;

    determining a transmission direction and a payload size of each of the packets;

    analyzing the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets:

    a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;

    next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;

    next following the first forward packet, a second reverse packet; and

    next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;

    based on the first sequence of packets matching the pattern, assessing a payload size of a response to the first sequence of packets from the client system to the foreign server; and

    identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.
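A minimal sketch of the matching logic the claim describes, added here as an illustration and not taken from the patent or its assignee. The 36-byte keystroke size, the 200-byte threshold, the `Pkt` record, and the rule that the response is the run of forward packets directly after the matched sequence are all assumptions.

```python
from typing import NamedTuple, Optional, Sequence

class Pkt(NamedTuple):
    direction: str  # "rev": foreign server -> client, "fwd": client -> foreign server
    size: int       # encrypted payload size in bytes

# Assumed values: the claim only calls these "predetermined".
KEYSTROKE_SIZE = 36        # one character, encrypted and padded (constructed)
RESPONSE_THRESHOLD = 200   # bytes of client output treated as a command result
PATTERN = ("rev", "fwd", "rev", "fwd")  # keystroke, echo, keystroke, echo

def find_reverse_shell(pkts: Sequence[Pkt],
                       keystroke_size: int = KEYSTROKE_SIZE,
                       threshold: int = RESPONSE_THRESHOLD) -> Optional[int]:
    """Return the index where a matching sequence starts, or None."""
    n = len(PATTERN)
    for i in range(len(pkts) - n + 1):
        window = pkts[i:i + n]
        if any(p.direction != d or p.size != keystroke_size
               for p, d in zip(window, PATTERN)):
            continue
        # Assumption: the "response" is the run of forward packets that
        # directly follows the matched sequence; sum their payload sizes.
        response = 0
        for p in pkts[i + n:]:
            if p.direction != "fwd":
                break
            response += p.size
        if response > threshold:
            return i
    return None

# Constructed traces, not captured traffic.
# Operator on the foreign server types "ls" + Enter; client echoes, then sends output.
REVERSE_SHELL = [Pkt("rev", 36), Pkt("fwd", 36), Pkt("rev", 36), Pkt("fwd", 36),
                 Pkt("rev", 36), Pkt("fwd", 36), Pkt("fwd", 640)]
# User on the client types into a remote shell; the large output arrives inbound.
NORMAL_SSH = [Pkt("fwd", 36), Pkt("rev", 36), Pkt("fwd", 36), Pkt("rev", 36),
              Pkt("fwd", 36), Pkt("rev", 36), Pkt("rev", 640)]

if __name__ == "__main__":
    print("reverse shell trace:", find_reverse_shell(REVERSE_SHELL))
    print("normal ssh trace:", find_reverse_shell(NORMAL_SSH))
```

The ordinary session also contains a rev/fwd/rev/fwd run of keystroke-sized packets, so the pattern alone does not separate the two traces; the direction of the large response is what does.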
