Detecting man-in-the-middle attacks
First Claim
1. A method for detecting man-in-the-middle (MITM) attacks, the method comprising:
monitoring, by a computer system, network configuration traffic among network devices and network management devices of one or more subnets;
storing, by the computer system, first identification information for one or more network management devices referenced in the network configuration traffic;
transmitting, by the computer system, on at least one of the one or more subnets, a broadcast request for network configuration information;
detecting, by the computer system, at least one of (a) multiple responses to the broadcast request from multiple sources and (b) a response that includes second identification information that does not correspond to the first identification information; and
in response to detecting at least one of (a) and (b), determining, by the computer system, that a potential MITM attack has occurred;
wherein the broadcast request for network configuration information is a request for a WPAD.dat file;
wherein the first identification information includes a first WPAD.dat file;
wherein the second identification information includes a second WPAD.dat file; and
wherein detecting at least one of (a) and (b) comprises detecting (b);
wherein detecting (b) comprises determining that the second WPAD.dat file is different from the first WPAD.dat file.
Abstract
MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. A computer system generates artificial requests for network configuration information and monitors responses. Multiple responses indicate a MITM attack. Responses that are different from previously-recorded responses also indicate a MITM attack. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed.
20 Claims
1. Claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system for detecting man-in-the-middle (MITM) attacks, the system comprising one or more processors and one or more memory devices coupled to the one or more memory devices, the one or more memory devices storing executable code effective to cause the one or more processors to:
monitor network configuration traffic among network devices and network management devices of one or more subnets;
store first identification information for one or more network management devices referenced in the network configuration traffic;
transmit, on at least one of the one or more subnets, a broadcast request for network configuration information;
detect (a) multiple responses to the broadcast request from multiple sources and (b) a response that includes second identification information that does not correspond to the first identification information; and
if at least one of (a) and (b) are detected, determine that a potential MITM attack has occurred;
wherein the broadcast request for network configuration information is a request for a WPAD.dat file;
wherein the first identification information includes a first WPAD.dat file;
wherein the second identification information includes a second WPAD.dat file; and
wherein the executable code is further effective to cause the one or more processors to detect (b) by detecting that the second WPAD.dat file is different from the first WPAD.dat file.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
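The two indicators that claims 1 and 13 rely on, (a) more than one source answering a single broadcast request for WPAD.dat and (b) a returned WPAD.dat that differs from the file recorded from earlier configuration traffic, expressed as detection logic. This is an added example written for this page, not text from the patent and not an implementation by its assignee. It assumes the collection step (the broadcast name query for WPAD and the subsequent fetch) has already happened and models each answer as a (source address, file body) pair; the PAC file bodies and 192.0.2.x addresses are constructed sample data.

```python
"""Detection logic for the two MITM indicators described in the claims.

(a) multiple sources answer one broadcast request for WPAD.dat
(b) a returned WPAD.dat differs from the baseline recorded earlier

Sample WPAD.dat (PAC) bodies and addresses below are constructed for this
example; they are not taken from the patent.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed baseline: the WPAD.dat seen in legitimate configuration traffic.
BASELINE_PAC = b"""function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY proxy.corp.example:3128; DIRECT";
}
"""
# Same content with CRLF line endings; a line-ending difference alone
# must not be reported as indicator (b).
BASELINE_PAC_CRLF = BASELINE_PAC.replace(b"\n", b"\r\n")
# Constructed differing WPAD.dat that steers all traffic to another host.
ROGUE_PAC = b"""function FindProxyForURL(url, host) {
    return "PROXY 192.0.2.45:8080";
}
"""

_PROXY_RE = re.compile(rb"PROXY\s+([A-Za-z0-9.\-:\[\]]+)")


@dataclass(frozen=True)
class WpadResponse:
    source: str  # address of the host that answered
    body: bytes  # WPAD.dat content it returned


@dataclass(frozen=True)
class WpadBaseline:
    source: str  # management device recorded from configuration traffic
    digest: str  # fingerprint of the first WPAD.dat file


def fingerprint(body: bytes) -> str:
    """SHA-256 over the body with line endings normalized and outer
    whitespace stripped, so only a content change counts as a difference."""
    normalized = body.replace(b"\r\n", b"\n").strip()
    return hashlib.sha256(normalized).hexdigest()


def proxies_in(body: bytes) -> list[str]:
    """PROXY targets named in a PAC body, used to explain finding (b)."""
    return [m.decode("ascii", "replace") for m in _PROXY_RE.findall(body)]


def record_baseline(source: str, body: bytes) -> WpadBaseline:
    """Store identification information for the observed WPAD server."""
    return WpadBaseline(source=source, digest=fingerprint(body))


def evaluate_responses(baseline: WpadBaseline,
                       responses: list[WpadResponse]) -> list[str]:
    """Return one finding string per indicator triggered by the responses."""
    findings: list[str] = []
    sources = sorted({r.source for r in responses})
    if len(sources) > 1:  # indicator (a)
        findings.append(f"(a) multiple responders to one request: {sources}")
    for r in responses:  # indicator (b)
        if fingerprint(r.body) != baseline.digest:
            findings.append(
                f"(b) WPAD.dat from {r.source} differs from baseline "
                f"({baseline.source}); proxies now {proxies_in(r.body)}")
    return findings


def is_potential_mitm(findings: list[str]) -> bool:
    """Claim language: at least one of (a) and (b) detected."""
    return bool(findings)


if __name__ == "__main__":
    base = record_baseline("192.0.2.8", BASELINE_PAC)
    benign = [WpadResponse("192.0.2.8", BASELINE_PAC_CRLF)]
    suspect = [WpadResponse("192.0.2.8", BASELINE_PAC),
               WpadResponse("192.0.2.45", ROGUE_PAC)]
    for label, batch in (("benign", benign), ("suspect", suspect)):
        f = evaluate_responses(base, batch)
        print(label, "potential MITM" if is_potential_mitm(f) else "ok", f)
```

Normalizing line endings before hashing keeps the comparison from firing on a cosmetic difference in how the same file is served; any real change to the PAC logic, including the proxy target, still changes the digest. Reporting the PROXY targets alongside finding (b) gives the analyst the concrete change rather than only a hash mismatch.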