Detecting man-in-the-middle attacks

US 10,250,636 B2
Filed: 07/07/2016
Issued: 04/02/2019
Est. Priority Date: 07/07/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting man-in-the-middle (MITM) attacks, the method comprising:

monitoring, by a computer system, network configuration traffic among network devices and network management devices of one or more subnets;

storing, by the computer system, first identification information for one or more network management devices referenced in the network configuration traffic;

transmitting, by the computer system, on at least one of the one or more subnets, a broadcast request for network configuration information;

detecting, by the computer system, at least one of (a) multiple responses to the broadcast request from multiple sources and (b) a response that includes second identification information that does not correspond to the first identification information; and

in response to detecting at least one of (a) and (b), determining, by the computer system that a potential MITM attack has occurred;

wherein the broadcast request for network configuration information is a request for a WPAD.dat file;

wherein the first identification information includes a first WPAD.dat file;

wherein the second identification information includes a second WPAD.dat file; and

wherein detecting at least one of (a) and (b) comprises detecting (b);

wherein detecting (b) comprises determining that the second WPAD.dat file is different from the first WPAD.dat file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. A computer system generates artificial requests for network configuration information and monitors responses. Multiple responses indicate a MITM attack. Responses that are different from previously-recorded responses also indicate a MITM attack. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed.

Citations

20 Claims

1. A method for detecting man-in-the-middle (MITM) attacks, the method comprising:
- monitoring, by a computer system, network configuration traffic among network devices and network management devices of one or more subnets;
  
  storing, by the computer system, first identification information for one or more network management devices referenced in the network configuration traffic;
  
  transmitting, by the computer system, on at least one of the one or more subnets, a broadcast request for network configuration information;
  
  detecting, by the computer system, at least one of (a) multiple responses to the broadcast request from multiple sources and (b) a response that includes second identification information that does not correspond to the first identification information; and
  
  in response to detecting at least one of (a) and (b), determining, by the computer system that a potential MITM attack has occurred;
  
  wherein the broadcast request for network configuration information is a request for a WPAD.dat file;
  
  wherein the first identification information includes a first WPAD.dat file;
  
  wherein the second identification information includes a second WPAD.dat file; and
  
  wherein detecting at least one of (a) and (b) comprises detecting (b);
  
  wherein detecting (b) comprises determining that the second WPAD.dat file is different from the first WPAD.dat file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein:
    - the network configuration traffic includes at least one of Net BIOS (basic input output system) Name Service (NBNS) traffic, Link-Local Multicast Name Resolution (LLMNR) traffic, and Multicast Domain Name System (mDNS) traffic.
  - 3. The method of claim 2, wherein detecting (a) comprises detecting responses to at least one of an NBNS request, LLMNR requests, and mDNS request from multiple internet protocol (IP) addresses.
  - 4. The method of claim 3, wherein detecting at least one of (a) and (b) comprises detecting (b), detecting (b) further comprising:
    - determining, by the computer system, that the response resolves a domain name to an IP address where a previously-received response resolved a different domain name to the IP address.
  - 5. The method of claim 3, wherein detecting at least one of (a) and (b) comprises detecting (b), (b) the method further comprising:
    - determining, by the computer system, that a first IP address is referenced in the network configuration traffic;
      
      determining, by the computer system, that a second IP address in the multiple IP addresses is different from the first IP address;
      
      in response to determining that the second IP address is different from the first IP address, determining, by the computer system, that the second IP address is a source of the potential MITM attack.
  - 6. The method of claim 5, further comprising:
    - transmitting, by the computer system, fake credentials to the second IP address;
      
      determining, by the computer system, that authentication using the fake credentials was successful; and
      
      in response to determining that authentication using the fake credentials was successful, determining that an MITM attack has occurred.
  - 7. The method of claim 5, further comprising:
    - transmitting, by the computer system, fake credentials to the second IP address;
      
      monitoring, by the computer system, one or more logs of one or more servers among the network devices; and
      
      determining, by the computer system, that a log of the one or more logs references the fake credentials; and
      
      in response to determining that the log of the one or more logs references the fake credentials, determining that an MITM attack has occurred.
  - 8. The method of claim 1, wherein transmitting the broadcast request for network configuration information comprises an address resolution protocol (ARP) request.
  - 9. The method of claim 8, wherein storing the first identification information for the one or more network management devices referenced in the network configuration traffic comprises storing a table including a plurality of entries, each entry of the plurality of entries mapping an internet protocol (IP) addresses and machine access code (MAC) pair;
    - wherein detecting at least one of (a) and (b) comprises detecting (b);
      
      wherein detecting (b) comprises receiving an ARP request including at least an IP address and MAC pair that conflicts with an entry of the plurality of entries.
  - 10. The method of claim 1, wherein storing the first identification information for the one or more network management devices referenced in the network configuration traffic comprises storing, for each subnet of the one or more subnets, a first default gateway referenced in one or more dynamic host configuration protocol (DHCP) offers transmitted on the each subnet;
    - wherein detecting at least one of (a) and (b) comprises detecting (b);
      
      wherein detecting (b) comprises detecting a DHCP offer on a first subnet of the one or more subnets referencing a second default gateway that is different from the first default gateway stored for the first subnet.
  - 11. The method of claim 1, wherein storing the first identification information for the one or more network management devices referenced in the network configuration traffic comprises storing, for each subnet of the one or more subnets, a first domain name service (DNS) server referenced in one or more dynamic host configuration protocol (DHCP) offers transmitted on the each subnet;
    - wherein detecting at least one of (a) and (b) comprises detecting (b);
      
      wherein detecting (b) comprises detecting a DHCP offer on a first subnet of the one or more subnets referencing a second DNS server that is different from the first DNS server for the first subnet.
  - 12. The method of claim 1, wherein the network configuration traffic comprises first router advertisement messages;
    - wherein transmitting the broadcast request for network configuration information comprises transmitting a router solicitation message;
      
      wherein detecting at least one of (a) and (b) comprises detecting (a);
      
      wherein detecting (a) comprises receiving more than one response to the router solicitation message.

13. A system for detecting man-in-the-middle (MITM) attacks, the system comprising one or more processors and one or more memory devices coupled to the one or more memory devices, the one or more memory devices storing executable code effective to cause the one or more processors to:
- monitor network configuration traffic among network devices and network management devices of one or more subnets;
  
  store first identification information for one or more network management devices referenced in the network configuration traffic;
  
  transmit, on at least one of the one or more subnets, a broadcast request for network configuration information;
  
  detect (a) multiple responses to the broadcast request from multiple sources and (b) a response that includes second identification information that does not correspond to the first identification information; and
  
  if at least one of (a) and (b) are detected, determine that a potential MITM attack has occurred;
  
  wherein the broadcast request for network configuration information is a request for a WPAD.dat file;
  
  wherein the first identification information includes a first WPAD.dat file;
  
  wherein the second identification information includes a second WPAD.dat file; and
  
  wherein the executable code is further effective to cause the one or more processors to detect (b) by detecting that the second WPAD.dat file is different from the first WPAD.dat file.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein:
    - the network configuration traffic includes at least one of Net BIOS (basic input output system) Name Service (NBNS) traffic, Link-Local Multicast Name Resolution (LLMNR) traffic, and Multicast Domain Name System (mDNS) traffic;
      
      wherein the executable code is further effective to cause the one or more processors to detect (a) by detecting responses to at least one of an NBNS request, LLMNR requests, and mDNS request from multiple internet protocol (IP) addresses.
  - 15. The system of claim 14, wherein the executable code is further effective to cause the one or more processors to:
    - determine that a first IP address is referenced in the network configuration traffic;
      
      if a second IP address in the multiple IP addresses is different from the first IP address, determine that the second IP address is a source of the potential MITM attack.
  - 16. The system of claim 15, wherein the executable code is further effective to cause the one or more processors to:
    - transmit fake credentials to the second IP address;
      
      if authentication using the fake credentials was successful, determine that an MITM attack has occurred.
  - 17. The system of claim 15, wherein the executable code is further effective to cause the one or more processors to:
    - transmit fake credentials to the second IP address;
      
      monitor one or more logs of one or more servers among the network devices; and
      
      if a log of the one or more logs references the fake credentials, determine that an MITM attack has occurred.
  - 18. The system of claim 13, wherein the executable code is further effective to cause the one or more processors to transmit the broadcast request for network configuration information by transmitting an address resolution protocol (ARP) request.
  - 19. The system of claim 18, wherein the executable code is further effective to cause the one or more processors to store the first identification information for the one or more network management devices referenced in the network configuration traffic by storing a table including a plurality of entries, each entry of the plurality of entries mapping an internet protocol (IP) addresses and machine access code (MAC) pair;
    - wherein the executable code is further effective to cause the one or more processors to detect (b) by receiving an ARP request including at least an IP address and MAC pair that conflicts with an entry of the plurality of entries.
  - 20. The system of claim 13, wherein the executable code is further effective to cause the one or more processors to store the first identification information for the one or more network management devices referenced in the network configuration traffic comprises storing, for each subnet of the one or more subnets, a first default gateway referenced in one or more dynamic host configuration protocol (DHCP) offers transmitted on the each subnet;
    - wherein the executable code is further effective to cause the one or more processors to detect (b) by detecting a DHCP offer on a first subnet of the one or more subnets referencing a second default gateway that is different from the first default gateway stored for the first subnet;
      
      wherein the executable code is further effective to cause the one or more processors to store the first identification information for the one or more network management devices referenced in the network configuration traffic comprises storing, for each subnet of the one or more subnets, a first domain name service (DNS) server referenced in one or more dynamic host configuration protocol (DHCP) offers transmitted on the each subnet;
      
      wherein the executable code is further effective to cause the one or more processors to detect (b) by detecting a DHCP offer on a first subnet of the one or more subnets referencing a second DNS server that is different from the first DNS server for the first subnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Lakshmanan, Muthukumar, Penupolu, Sreenivasa Sudheendra, Rungta, Ankur
Primary Examiner(s)
Simitoski, Michael

Application Number

US15/204,779
Publication Number

US 20180013788A1
Time in Patent Office

999 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2463/144   Detection or countermeasure...

H04L 61/103   across network layers, e.g....

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

Detecting man-in-the-middle attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting man-in-the-middle attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links