Reverse shell network intrusion detection
Abstract
A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.
Claims (18)

1. A computer-implemented method for use in a database system, the database system including a client system coupled to an internal network receiving communication traffic over a network connection to an external network, the method comprising:
detecting a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;
monitoring packets in the secure shell session;
determining a transmission direction and a payload size of each of the packets;
analyzing the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets:
a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
next following the first forward packet, a second reverse packet; and
next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
based on the first sequence of packets matching the pattern, assessing a payload size of a response to the first sequence of packets from the client system to the foreign server; and
identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
an internal network for packet-switched communications;
a client system coupled to the internal network;
a network interface component coupled to the internal network to implement packet-switched communications between the internal network and an external network;
a network intrusion detection component coupled to the network interface component to detect a reverse secure shell session between the client system and a foreign server coupled to the external network; the intrusion detection component arranged to—
inspect packets in a secure shell session traversing the network interface component;
analyze transmission directions and payload sizes of a sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets:
a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
next following the first forward packet, a second reverse packet; and
next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
based on the first sequence of packets matching the pattern, determining a payload size of a response packet transmitted from the client system to the foreign server; and
identifying the secure shell session as hosting a reverse shell session based on the response packet payload size exceeding the payload sizes of the sequence of packets.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-transitory, tangible media storing a machine-readable script for detecting a reverse secure shell session, the script including instructions executable in a network traffic analyzer to—
detect a secure shell session established by the client system over the network connection with a foreign server coupled to the external network;
monitor packets in the secure shell session;
determine a transmission direction and a payload size of each of the packets;
analyze the transmission directions and payload sizes of a first sequence of the packets relative to a predetermined pattern, wherein the predetermined pattern comprises the following sequence of packets:
a first reverse packet, wherein a reverse packet is defined as having a transmission direction from the foreign server to the client system;
next following the first reverse packet, a first forward packet, wherein a forward packet is defined as having a transmission direction from the client system to the foreign server;
next following the first forward packet, a second reverse packet; and
next following the second reverse packet, a second forward packet, wherein the first and second forward packets, and the first and second reverse packets, all have a common predetermined payload size, the predetermined payload size corresponding to a single character, encrypted and padded;
based on the first sequence of packets matching the pattern, determine a payload size of a response to the first sequence of packets from the client system to the foreign server; and
send a message identifying the secure shell session as hosting a reverse shell session based on the response payload size exceeding a predetermined threshold.
Dependent claims: 15, 16, 17, 18.
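The detection logic the claims describe (alternating single-character packets, then a larger client-to-server response), as an added Python example that is not part of the patent or of any product implementing it; the per-character packet size of 36 bytes, the 100-byte response threshold and the "S>C"/"C>S" record format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (not from the patent): the size of the encrypted,
# padded SSH packet carrying one typed character is fixed per cipher and
# implementation, so in practice it is measured from a known-good session.
SINGLE_CHAR_PAYLOAD = 36    # assumed per-character packet size in bytes
RESPONSE_THRESHOLD = 100    # assumed threshold for the client's response

@dataclass
class Packet:
    direction: str   # "reverse": foreign server -> client, "forward": client -> server
    payload: int     # payload size in bytes

# The claimed pattern: the remote side sends a keystroke (reverse), the
# client's shell echoes it (forward), and this repeats once more.
PATTERN = ("reverse", "forward", "reverse", "forward")

def parse_records(lines: List[str]) -> List[Packet]:
    """Parse constructed flow records of the form 'S>C 36' or 'C>S 420'."""
    packets = []
    for line in lines:
        arrow, size = line.split()
        direction = "reverse" if arrow == "S>C" else "forward"
        packets.append(Packet(direction, int(size)))
    return packets

def detect_reverse_shell(packets: List[Packet],
                         char_size: int = SINGLE_CHAR_PAYLOAD,
                         threshold: int = RESPONSE_THRESHOLD) -> Optional[int]:
    """Return the index where the pattern begins if the session looks like a
    reverse shell, else None: four alternating single-character packets
    followed by a client-to-server response larger than the threshold."""
    n = len(PATTERN)
    for i in range(len(packets) - n + 1):
        window = packets[i:i + n]
        if not all(p.direction == d and p.payload == char_size
                   for p, d in zip(window, PATTERN)):
            continue
        # Pattern matched: assess the next client-to-server packet (the response)
        for p in packets[i + n:]:
            if p.direction == "forward":
                if p.payload > threshold:
                    return i
                break   # small response, keep scanning the session
    return None

if __name__ == "__main__":
    # Constructed session: two remote keystrokes, two echoes, then a large
    # client-to-server response; expected to report index 0.
    print(detect_reverse_shell(parse_records(
        ["S>C 36", "C>S 36", "S>C 36", "C>S 36", "C>S 420"])))
```

An ordinary outbound interactive session also produces reverse/forward echo runs once the user starts typing, so the distinguishing signal is the large client-to-server response, not the four-packet pattern on its own.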