Detection of invalid port accesses in port-scrambling-based networks

US 10,333,956 B2
Filed: 05/15/2018
Issued: 06/25/2019
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of computer devices connected to a network, wherein each computer device retaining a replica of a whitelist of programs, wherein each computer device is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein the selective scrambling of ports is performed based on the whitelist, wherein each computer device is configured to descramble ports of incoming communications received from the network; and

a server device connected to the network, wherein said server device is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network being directed at a target port of a computer device and wherein an unscrambled port obtained after descrambling the target port is not assigned to any application program that is being executed by the computer device, wherein said server device is configured to log the invalid port access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system and product for detection of invalid port accesses in port-scrambling-based networks. The network may comprise a plurality of computers, each of which is configured to selectively scramble port of outgoing communications transmitted over the network and to descramble ports of incoming communications received from the network. The selective scrambling of ports may be based on a whitelist of programs. Invalid port accesses are monitored for. Invalid port accesses may be a communication transmitted over the network directing at a port, wherein an unscrambled port obtained after descrambling the port, is an invalid port. Invalid port accesses may be logged and actions may be taken to mitigate potential security risk represented thereby.

13 Citations

20 Claims

1. A system comprising:
- a plurality of computer devices connected to a network, wherein each computer device retaining a replica of a whitelist of programs, wherein each computer device is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein the selective scrambling of ports is performed based on the whitelist, wherein each computer device is configured to descramble ports of incoming communications received from the network; and
  
  a server device connected to the network, wherein said server device is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network being directed at a target port of a computer device and wherein an unscrambled port obtained after descrambling the target port is not assigned to any application program that is being executed by the computer device, wherein said server device is configured to log the invalid port access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the server device is configured to distribute replicas of the whitelist to the plurality of computer devices.
  - 3. The system of claim 1, wherein each computer device is configured to utilize a transformation function for port scrambling and for port descrambling, wherein the transformation function depends on the whitelist.
  - 4. The system of claim 1, wherein each computer device is configured to perform the selective scrambling in response to a detection that a program initiating the outgoing communication is listed in the whitelist.
  - 5. The system of claim 1, wherein the server device is configured to generate and distribute a time-dependent key that is replaced periodically and valid for a limited time duration, wherein each computer device is configured to utilize a transformation function for port scrambling and for port descrambling, wherein the transformation function depends on the time-dependent key.
  - 6. The system of claim 5, wherein in response to identification of the invalid port access, avoiding distribution of new time-dependent keys to a computer device that is responsible for the invalid port access, whereby preventing the computer device from correctly scrambling and descrambling ports.
  - 7. The system of claim 1, wherein the server device is configured to identify repeated or successive attempts to access invalid or neighboring ports by a same computer.
  - 8. The system of claim 1 further comprising:
    - a component device directly connected to the network, wherein the component device is configured to utilize ports of incoming messages as is without descrambling;
      
      wherein each of said plurality of computer devices is configured to avoid scrambling ports of an outgoing communication when the outgoing communication targets the component device, andwherein each of said plurality of computer devices is configured to avoid descrambling ports of incoming communications transmitted by the component.
  - 9. The system of claim 8, wherein the component device is one of:
    - a firewall component and a gateway component.
  - 10. The system of claim 1, wherein said server device is operatively coupled with monitoring agents deployed on each of said plurality of computers, wherein the monitoring agents are configured to intercept communications to identify invalid port accesses.
  - 11. The system of claim 1, wherein in response to identification of the invalid port access, said server device is configured to take an action to mitigate a potential security risk associated with the invalid port access.
  - 12. The system of claim 1, wherein in response to identification of the invalid port access, preventing a computer device responsible for the invalid port access from effectively communicating with the plurality of computer devices.

13. A computer program product comprising a non-transitory computer readable medium retaining program instructions which program instructions when read by a processor, cause the processor to perform a method carried out in a computer network environment comprising a plurality of computer devices, each of which being configured for selectively scrambling ports of outgoing communications and for descrambling ports of incoming communications, the method comprising:
- monitoring communications in the network;
  
  identifying an invalid port access attempt, wherein the invalid port access attempt is a communication that is directed at a target port of a computer device and wherein an unscrambled port obtained after descrambling the target port, is not assigned to any application program that is being executed by the computer device; and
  
  logging the invalid port access attempt.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product of claim 13, wherein said logging comprises logging a program and a computer device responsible for the invalid port access attempt, wherein the program is a program executed by the computer device and caused the communication to be transmitted.
  - 15. The computer program product of claim 14, wherein the program is excluded from a whitelist, wherein each of the plurality of computer devices retaining the whitelist, wherein each of the plurality of computer devices is configured to scramble ports only of outgoing communications transmitted by programs listed in the whitelist.
  - 16. The computer program product of claim 13, wherein the method comprises preventing effective communications by a computer device responsible for the invalid port access attempt, whereby mitigating potential security risk from the computer.
  - 17. The computer program product of claim 16, wherein a server device is configured to distribute a time-dependent key used by each of the plurality of computers for scrambling and descrambling ports, wherein preventing effective communications by the computer device comprises avoiding sending an up-to-date the time-dependent key to the computer.

18. A server device comprising:
- a processor and a coupled memory,wherein the server device is connected to a network, wherein a plurality of computer devices are connected to the network, wherein each computer device is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein each computer device is configured to descramble ports of incoming communications received from the network, wherein each computer retaining a whitelist of programs, wherein the selective scrambling of ports is performed based on the whitelist; and
  
  wherein said server device is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network being directed at a target port of a computer device and wherein an unscrambled port obtained after descrambling the target port is not assigned to any application program that is being executed by the computer device, wherein said server device is configured to log the invalid port access.
- View Dependent Claims (19, 20)
- - 19. The server of claim 18, wherein said server device is configured to periodically generate a time-dependent key and distribute the time-dependent key over the network, wherein each of the plurality of computer devices is configured to utilize a transformation function and an inverse function thereof for scrambling and descrambling of ports, respectively, wherein the transformation function depends on the time-dependent key.
  - 20. The server device of claim 19, wherein the transformation function depends on the whitelist and on the time-dependent key, whereby modification of a local copy of the whitelist on a computer device, prevents the computer device from effectively communicating over the network with other computer devices of the plurality of computer devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber 2.0 (2015) LTD.
Original Assignee
Cyber 2.0 (2015) LTD.
Inventors
Haelion, Erez Kaplan
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/980,719
Publication Number

US 20180270257A1
Time in Patent Office

406 Days
Field of Search

726 1, 726 2, 726 23, 726 25, 370242, 370252, 370392, 370401, 709222, 709225, 709227, 709245, 709250, 713153, 713160, 713161
US Class Current
CPC Class Codes

G06F 21/14   against software analysis o...

G06F 21/44   Program or device authentic...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/162   at the data link layer

H04L 67/146   Markers for unambiguous ide...

H04L 67/54   Presence management, e.g. m...

Detection of invalid port accesses in port-scrambling-based networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of invalid port accesses in port-scrambling-based networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links