Reverse shell network intrusion detection

US 10,135,847 B2
Filed: 05/18/2016
Issued: 11/20/2018
Est. Priority Date: 05/18/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for use in a database system, the database system including a client system coupled to an internal network receiving communication traffic over a network connection to an external network, the method comprising:

detecting a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;

monitoring packets in the secure shell session;

determining a transmission direction and a payload size of each of the packets;

analyzing the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets;

a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;

next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;

next following the first forward packet, a second reverse packet; and

next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;

based on the first sequence of packets matching the pattern, assessing a payload size of a response to the first sequence of packets from the client system to the foreign server; and

identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.

Citations

18 Claims

1. A computer-implemented method for use in a database system, the database system including a client system coupled to an internal network receiving communication traffic over a network connection to an external network, the method comprising:
- detecting a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;
  
  monitoring packets in the secure shell session;
  
  determining a transmission direction and a payload size of each of the packets;
  
  analyzing the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets;
  
  a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
  
  next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
  
  next following the first forward packet, a second reverse packet; and
  
  next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
  
  based on the first sequence of packets matching the pattern, assessing a payload size of a response to the first sequence of packets from the client system to the foreign server; and
  
  identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the predetermined pattern further includes:
    - next following the second forward packet, at least one additional pair of packets having the same predetermined payload size, wherein a pair of packets is defined as a reverse packet followed by a forward packet, so that the predetermined pattern corresponds to a sequence of at least three characters transmitted form the foreign server to the client system.
  - 3. The method of claim 1 wherein detecting the secure shell session includes identifying a type of a shell client component that established the secure shell session, and further comprising a step of selecting the predetermined payload size based on the identified type of shell client component.
  - 4. The method of claim 1 wherein the predetermined pattern further comprises at least one zero payload acknowledgement (ACK) packet having a transmission direction from the client system to the foreign server, immediately following a forward packet.
  - 5. The method of claim 1 wherein the predetermined threshold for the response payload size is greater than the predetermined payload size.
  - 6. The method of claim 1 and further comprising, responsive to identifying the secure shell session as hosting a reverse shell session, taking a predetermined action comprising one or more of a set of actions comprising (a) sending a notification to a predetermined destination, (b) sending a reset command over the network to terminate the shell session, (c) logging the reverse shell session including an identifier of the foreign server, or (d) executing an intrusion script to take other actions.
  - 7. The method of claim 1 and further comprising:
    - responsive to identifying the secure shell session as hosting a reverse shell session, comparing an identifier of the foreign server to a predetermined whitelist of servers authorized to conduct a reverse shell session with the client system; and
      
      executing a selected action based on a result of the comparison.

8. A system comprising:
- an internal network for packet-switched communications;
  
  a client system coupled to the internal network;
  
  a network interface component coupled to the internal network to implement packet-switched communications between the internal network and an external network;
  
  a network intrusion detection component coupled to the network interface component to detect a reverse secure shell session between the client system and a foreign server coupled to the external network;
  
  the intrusion detection component arranged to—
  
  inspect packets in a secure shell session traversing the network interface component;
  
  analyze transmission directions and payload sizes of a sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets;
  
  a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
  
  next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
  
  next following the first forward packet, a second reverse packet; and
  
  next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
  
  based on the first sequence of packets matching the pattern, determining a payload size of a response packet transmitted to from the client system to the foreign server; and
  
  identifying the secure shell session as hosting a reverse shell session based on the response payload packet size exceeding the payload sizes of the sequence of packets.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8 including a network traffic analyzer coupled to the network interface component, wherein the network intrusion detection component comprises a script stored in a non-transitive, tangible machine-readable media for execution in association with the network traffic analyzer.
  - 10. The system of claim 8 wherein the network intrusion detection component is implemented in a server coupled to monitor packet traffic between the internal network and the external network.
  - 11. The system of claim 8 wherein the predetermined pattern further comprises at least one acknowledgement (ACK) packet having a transmission direction from the client system to the foreign server, and interleaved after a forward packet.
  - 12. The system of claim 8 wherein the predetermined pattern comprises the following sequence of packets—
    - (a) a first packet having a transmission direction from the foreign server to the client system, and having a predetermined packet payload size corresponding to a single character, encrypted and padded;
      
      (b) a second packet having a transmission direction from the client system to the foreign server, and having the predetermined packet payload size;
      
      (c) a third packet having a transmission direction from the client system to the foreign server and comprising a zero-bytes ACK packet;
      
      (d) the above sequence (a), (b), (c) repeated at least three times uninterrupted; and
      
      then(e) a next packet having a transmission direction from the client system to the foreign server, and having a payload size greater than the predetermined packet payload size.
  - 13. The system of claim 8 wherein the predetermined packet payload size is 96 bytes.

14. A non-transitive, tangible media storing a machine-readable script for detecting a reverse secure shell session, the script including instructions executable in a network traffic analyzer to—
- detect a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;
  
  monitor packets in the secure shell session;
  
  determine a transmission direction and a payload size of each of the packets;
  
  analyze the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets;
  
  a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
  
  next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
  
  next following the first forward packet, a second reverse packet; and
  
  next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
  
  based on the first sequence of packets matching the pattern, determine a payload size of a response to the first sequence of packets from the client system to the foreign server; and
  
  send a message identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The tangible media of claim 14 wherein the script further includes instructions to, responsive to identifying the secure shell session as hosting a reverse shell session—
    - execute a predetermined action comprising one or more of a set of actions comprising (a) sending a notification to a predetermined address, (b) sending a reset command over the network to terminate the shell session, (c) logging the reverse shell session including an identifier of the foreign server, and (d) executing an intrusion script to take other actions.
  - 16. The tangible media of claim 14 wherein the script includes instructions to identify an operating system of a shell client component that established the secure shell session, and to select the predetermined payload size based at least in part on the identified operating system of the client component.
  - 17. The tangible media of claim 14 wherein the script includes instructions to—
    - access a whitelist of IP addresses;
      
      compare an IP address of the foreign server to the whitelist; and
      
      execute a predetermined action based on the comparison.
  - 18. The tangible media of claim 14 wherein the script includes instructions to—
    - access a blacklist of IP addresses;
      
      compare an IP address of the foreign server to the blacklist; and
      
      execute a predetermined action based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Althouse, John Brooke, Salusky, William Roger, Atkinson, Jeffrey S.
Primary Examiner(s)
Chiang, Jason

Application Number

US15/158,367
Publication Number

US 20170339166A1
Time in Patent Office

916 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 1/12   by using return channel

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/01   Protocols

Reverse shell network intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Reverse shell network intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links