Implementation comparison-based security system

US 10,432,659 B2
Filed: 08/30/2016
Issued: 10/01/2019
Est. Priority Date: 09/11/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a communication interface; and

a processor coupled to the communication interface and configured to;

intercept from each implementation in a plurality of implementations a network message, the network messages received from the respective implementations comprising a related set of network messages;

wherein intercepting comprises receiving network traffic in a network protocol from a client and acting as an intermediary with the respective implementations before sending a responsive action, wherein the network protocol comprises at least one of the following;

SMTP, HTTP, TCP, IP, UDP, RPC, IMAP and TLS;

compare each received network message in the related set of network messages with each other received network messages in the related set of network messages to determine whether any network message in the related set of network messages deviates from any one or more other network messages in the related set of network messages;

wherein comparing comprises determining a protocol stack layer of a network protocol stack for the network protocol to perform a semantic comparison upon;

determine on the fly a statistical mode of the related set of network messages based at least in part through said semantic comparison, wherein the statistical mode of the related set of network messages is a specific network message from the related set of network messages that appears most often; and

determine the responsive action based at least in part on the statistical mode.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An implementation comparison-based security system is disclosed. In various embodiments, respective network messages received from a plurality of implementations are received. The network messages are compared to determine whether any network message in the received set of network messages deviates from any one or more other network messages in the set. A responsive action is determined based at least in part on the results of said comparison.

45 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a communication interface; and
  
  a processor coupled to the communication interface and configured to;
  
  intercept from each implementation in a plurality of implementations a network message, the network messages received from the respective implementations comprising a related set of network messages;
  
  wherein intercepting comprises receiving network traffic in a network protocol from a client and acting as an intermediary with the respective implementations before sending a responsive action, wherein the network protocol comprises at least one of the following;
  
  SMTP, HTTP, TCP, IP, UDP, RPC, IMAP and TLS;
  
  compare each received network message in the related set of network messages with each other received network messages in the related set of network messages to determine whether any network message in the related set of network messages deviates from any one or more other network messages in the related set of network messages;
  
  wherein comparing comprises determining a protocol stack layer of a network protocol stack for the network protocol to perform a semantic comparison upon;
  
  determine on the fly a statistical mode of the related set of network messages based at least in part through said semantic comparison, wherein the statistical mode of the related set of network messages is a specific network message from the related set of network messages that appears most often; and
  
  determine the responsive action based at least in part on the statistical mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the respective network messages each comprises a response to a request sent to each of the implementations in the plurality of implementations.
  - 3. The system of claim 2, further comprising receiving the request and sending to each of a plurality of implementations a corresponding communication determined based at least in part on the request.
  - 4. The system of claim 1, wherein:
    - the plurality of implementations includes three or more implementations;
      
      the comparison is used to determine the statistical mode; and
      
      a responsive action is determined based at least in part on a determination that an outlier network message included in the set of responses deviates from the statistical mode.
  - 5. The system of claim 1, wherein the communication interface comprises one or more of a network interface, an application programming interface, and a user interface.
  - 6. The system of claim 1, wherein the communication interface comprises an internal interface of a host on which at least a subset of implementations comprising said plurality of implementations are deployed.
  - 7. The system of claim 1, wherein the plurality of implementations comprises a subset of a set of available implementations and the processor is configured to determine the subset.
  - 8. The system of claim 1, wherein the processor is configured to compare the respective network messages received from the implementations in the plurality of implementations at least in part by performing a byte by byte comparison of raw data comprising said network messages.
  - 9. The system of claim 1, wherein the processor is configured to compare the respective network messages at least in part by determining a semantic content of each of said network messages and comparing the semantic content.
  - 10. The system of claim 9, wherein the semantic content is determined at least in part by one or more previous network messages.
  - 11. The system of claim 9, wherein the semantic content is determined at least in part by a current network session state of a network session with which the network messages are associated.
  - 12. The system of claim 1, wherein the processor is configured to compare the respective network messages at one or more protocol stack layers comprising or otherwise associated with each network message.
  - 13. The system of claim 1, wherein the processor is further configured to determine, based at least in part on the comparison, a response to be provided to a requestor associated with the request.
  - 14. The system of claim 1, wherein the processor is configured to participate actively in an interaction between the client and said plurality of implementations.
  - 15. The system of claim 14, wherein the active participation includes terminating a connection with one or both of said client and said plurality of implementations.
  - 16. The system of claim 14, wherein the active participation includes exchanging with the client one or more keys required to access content data comprising the request.
  - 17. The system of claim 1, wherein the request comprises a connection request, the mode response comprises a rejection of the connection request, and the processor is further configured to identify an implementation that accepted the connection request for further evaluation to determine whether a backdoor vulnerability is present.

18. A method, comprising:
- intercepting from each implementation in a plurality of implementations a network message, the network messages received from the respective implementations comprising a related set of network messages;
  
  wherein intercepting comprises receiving network traffic in a network protocol from a client and acting as an intermediary with the respective implementations before sending a responsive action, wherein the network protocol comprises at least one of the following;
  
  SMTP, HTTP, TCP, IP, UDP, RPC, IMAP and TLS;
  
  comparing each received network message in the related set of network messages with each other received network messages in the related set of network messages to determine whether any network message in the related set of network messages deviates from any one or more other network messages in the related set of network messages;
  
  wherein comparing comprises determining a protocol stack layer of a network protocol stack for the network protocol to perform a semantic comparison upon;
  
  determining on the fly a statistical mode of the related set of network messages based at least in part through said semantic comparison, wherein the statistical mode of the related set of network messages is a specific network message from the related set of network messages that appears most often; and
  
  determining the responsive action based at least in part on the statistical mode.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the respective network messages each comprises a response to a request sent to each of the implementations in the plurality of implementations.

20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for:
- intercepting from each implementation in a plurality of implementations a network message, the network messages received from the respective implementations comprising a related set of network messages;
  
  wherein intercepting comprises receiving network traffic in a network protocol from a client and acting as an intermediary with the respective implementations before sending a responsive action, wherein the network protocol comprises at least one of the following;
  
  SMTP, HTTP, TCP, IP, UDP, RPC, IMAP and TLS;
  
  comparing each received network message in the related set of network messages with each other received network messages in the related set of network messages to determine whether any network message in the related set of network messages deviates from any one or more other network messages in the related set of network messages;
  
  wherein comparing comprises determining a protocol stack layer of a network protocol stack for the network protocol to perform a semantic comparison upon;
  
  determining on the fly a statistical mode of the related set of network messages based at least in part through said semantic comparison, wherein the statistical mode of the related set of network messages is a specific network message from the related set of network messages that appears most often; and
  
  determining the responsive action based at least in part on the statistical mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Curtail, Inc.
Original Assignee
Curtail, Inc.
Inventors
Ross, Robert F.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US15/251,472
Publication Number

US 20170078323A1
Time in Patent Office

1,127 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Implementation comparison-based security system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Implementation comparison-based security system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others