Methods and systems for detecting and preventing network connection compromise

US 10,440,053 B2
Filed: 05/30/2017
Issued: 10/08/2019
Est. Priority Date: 05/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method for preventing the use of a first connection, the method comprising:

(i) inspecting, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and

(ii) when the determination is that the content contains the predetermined content;

creating, by the client-side proxy before the first connection is used, a second connection, the client-side proxy creating the second connection through a server to the destination, the second connection being more secure than the first connection, andmodifying, by the client-side proxy, the communication to use the second connection instead of using the first connection to send the content, including the predetermined content, to the destination.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The security of network connections on a computing device is protected by detecting and preventing compromise of the network connections, including man-in-the-middle (MITM) attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network connection, blocking the network connection, switching to a different network connection, applying a policy, and sending anomaly information to a security server.

229 Citations

40 Claims

1. A method for preventing the use of a first connection, the method comprising:
- (i) inspecting, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and
  
  (ii) when the determination is that the content contains the predetermined content;
  
  creating, by the client-side proxy before the first connection is used, a second connection, the client-side proxy creating the second connection through a server to the destination, the second connection being more secure than the first connection, andmodifying, by the client-side proxy, the communication to use the second connection instead of using the first connection to send the content, including the predetermined content, to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - determining, by the client-side proxy from the inspecting before the first connection is used, that the first connection is to be used;
      
      detecting, by the client-side proxy, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and
      
      modifying, by the client-side proxy after the communication, a second communication from the application so that the modified second communication uses the second connection.
  - 3. The method of claim 2, wherein the detecting, by the client-side proxy, that the first connection is compromised is based on one or more of:
    - (i) a probe of the first connection;
      
      (ii) a failure of a certificate from the destination to match a previous certificate from the destination;
      
      or(iii) a presence of one or more of;
      
      an addresses, or an identifier that is not specified in a policy for the first connection.
  - 4. The method of claim 1 further comprising:
    - determining, by the client-side proxy before the first connection is used, whether data associated with the application on the computing device indicates that the communication will be encrypted; and
      
      wherein the creating, by the client-side proxy before the first connection is used, the second connection to the destination includes;
      
      creating, by the client-side proxy, the second connection to the destination when the determination is that the received data indicates that the communication will be encrypted.
  - 5. The method of claim 1, wherein the inspecting, by the client-side proxy, the communication further includes:
    - (i) determining, by the client-side proxy, whether the communication or the first connection is subject to a policy; and
      
      (ii) performing the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.
  - 6. The method of claim 5, wherein the policy is specified by an administrator or a user of the computing device.
  - 7. The method of claim 5, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.
  - 8. The method of claim 7, wherein the risk level is associated with one or more of:
    - the communication, the first connection, or the computing device.
  - 9. The method of claim 7, wherein the risk level is based on one or more of:
    - a geographic location of the computing device;
      
      an assessed security state of the computing device;
      
      or an assessed value of information stored on the computing device.
  - 10. The method of claim 1, wherein the application created the first connection, wherein the determining whether the content contains predetermined content includes obtaining, by the client-side proxy from an operating system on the computing device, an identity of the application.

11. A method for preventing the use of a first connection, the method comprising:
- (i) inspecting, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and
  
  (ii) when the determination is that the content contains the predetermined content;
  
  creating, by the client-side proxy before the first connection is used, a second connection to the destination, the second connection being more secure than the first connection,performing, by the client-side proxy before the first connection is used, a handshake with the destination using the second connection,recording, by the client-side proxy before the first connection is used, session information associated with the handshake,breaking, by the client-side proxy before the first connection is used, the second connection,making, by the client-side proxy before the first connection is used, a third connection to the destination, the third connection being made using the recorded session information, andmodifying, by the client-side proxy before the first connection is used, the communication so that the modified communication uses the third connection to send the content, including the predetermined content, to the destination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 further comprising:
    - determining before the first connection is used, by the client-side proxy from the inspecting, that the first connection is to be used;
      
      detecting, by the client-side proxy before the first connection is used, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and
      
      modifying, by the client-side proxy after the communication, a second communication from the application on the computing device so that the modified second communication uses the third connection.
  - 13. The method of claim 12, wherein the detecting, by the client-side proxy, that the first connection is compromised is based on one or more of:
    - (i) a probe of the first connection;
      
      (ii) a failure of a certificate from the destination to match a previous certificate from the destination;
      
      or(iii) a presence of one or more of;
      
      an address, or an identifier that is not specified in a policy for the first connection.
  - 14. The method of claim 11, wherein the inspecting, by the client-side proxy, the communication further includes:
    - (i) determining, by the client-side proxy, whether the communication or the first connection is subject to a policy; and
      
      (ii) performing the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.
  - 15. The method of claim 14, wherein the policy is based on a risk level associated with one or more of:
    - the communication, the first connection, or the computing device.
  - 16. The method of claim 14, wherein the policy is specified by an administrator or a user of the computing device.
  - 17. The method of claim 16, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.
  - 18. The method of claim 17, wherein the risk level is based on one or more of:
    - a geographic location of the computing device;
      
      an assessed security state of the computing device;
      
      or an assessed value of information stored on the computing device.
  - 19. The method of claim 11 further comprising:
    - determining, by the client-side proxy before the first connection is used, whether data associated with the application on the computing device indicate that the communication will be encrypted; and
      
      wherein the creating, by the client-side proxy before the first connection is used, the second connection to the destination includes;
      
      creating, by the client-side proxy, the second connection to the destination when the determination is that the received data indicate that the communication will be encrypted.
  - 20. The method of claim 11, wherein the application created the first connection, wherein the determining whether the content contains predetermined content includes obtaining, by the client-side proxy from an operating system on the computing device, an identity of the application.

21. A non-transitory, computer-readable storage medium having stored thereon a plurality of instructions, which, when executed by a processor, cause the processor to:
- (i) inspect, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and
  
  (ii) when the determination is that the content contains the predetermined content;
  
  create, by the client-side proxy before the first connection is used, a second connection, the client-side proxy creating the second connection through a server to the destination, the second connection being more secure than the first connection, andmodify, by the client-side proxy, the communication to use the second connection instead of using the first connection to send the content, including the predetermined content, to the destination.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory, computer-readable storage medium of claim 21, the instructions further causing the processor to:
    - determine, by the client-side proxy from the inspecting before the first connection is used, that the first connection is to be used;
      
      detect, by the client-side proxy, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and
      
      modify, by the client-side proxy after the communication, a second communication from the application so that the modified second communication uses the second connection.
  - 23. The non-transitory, computer-readable storage medium of claim 22, wherein the instruction to detect, by the client-side proxy, that the first connection is compromised, is based on one or more of:
    - (i) a probe of the first connection;
      
      (ii) a failure of a certificate from the destination to match a previous certificate from the destination;
      
      or(iii) a presence of one or more of;
      
      an address, or an identifier that is not specified in a policy for the first connection.
  - 24. The non-transitory, computer-readable storage medium of claim 21, the instructions further causing the processor to:
    - determine, by the client-side proxy before the first connection is used, whether data associated with the application on the computing device indicates that the communication will be encrypted; and
      
      wherein the instruction to create, by the client-side proxy before the first connection is used, the second connection to the destination includes an instruction to;
      
      create, by the client-side proxy, the second connection to the destination when the determination is that the received data indicates that the communication will be encrypted.
  - 25. The non-transitory, computer-readable storage medium of claim 21, wherein the instruction to inspect, by the client-side proxy, the communication further includes instructions to:
    - (i) determine, by the client-side proxy, whether the communication or the first connection is subject to a policy; and
      
      (ii) perform the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.
  - 26. The non-transitory, computer-readable storage medium of claim 25, wherein the policy is specified by an administrator or a user of the computing device.
  - 27. The non-transitory, computer-readable storage medium of claim 25, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.
  - 28. The non-transitory, computer-readable storage medium of claim 27, wherein the risk level is associated with one or more of:
    - the communication, the first connection, or the computing device.
  - 29. The non-transitory, computer-readable storage medium of claim 27, wherein the risk level is based on one or more of:
    - a geographic location of the computing device;
      
      an assessed security state of the computing device;
      
      or an assessed value of information stored on the computing device.
  - 30. The non-transitory, computer-readable storage medium of claim 21, wherein the application created the first connection, wherein the instruction to determine whether the content contains predetermined content includes an instruction to obtain, by the client-side proxy from an operating system on the computing device, an identity of the application.

31. A system, comprising at least one processor and memory and instructions that when executed cause the at least one processor to:
- (i) inspect, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and
  
  (ii) when the determination is that the content contains the predetermined content;
  
  create, by the client-side proxy before the first connection is used, a second connection, the client-side proxy creating the second connection through a server to the destination, the second connection being more secure than the first connection, andmodify, by the client-side proxy, the communication to use the second connection instead of using the first connection to send the content, including the predetermined content, to the destination.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The system of claim 31, the instructions further causing the processor to:
    - determine, by the client-side proxy from the inspecting before the first connection is used, that the first connection is to be used;
      
      detect, by the client-side proxy, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and
      
      modify, by the client-side proxy after the communication, a second communication from the application so that the modified second communication uses the second connection.
  - 33. The system of claim 32, wherein the instruction to detect, by the client-side proxy, that the first connection is compromised, is based on one or more of:
    - (i) a probe of the first connection;
      
      (ii) a failure of a certificate from the destination to match a previous certificate from the destination;
      
      or(iii) a presence of one or more of an address, or an identifier that is not specified in a policy for the first connection.
  - 34. The system of claim 31, the instructions further causing the processor to:
    - determine, by the client-side proxy before the first connection is used, whether data associated with the application on the computing device indicates that the communication will be encrypted; and
      
      wherein the instruction to create, by the client-side proxy before the first connection is used, the second connection to the destination includes an instruction to;
      
      create, by the client-side proxy, the second connection to the destination when the determination is that the received data indicates that the communication will be encrypted.
  - 35. The system of claim 31, wherein the instruction to inspect, by the client-side proxy, the communication further includes instructions to:
    - (i) determine, by the client-side proxy, whether the communication or the first connection is subject to a policy; and
      
      (ii) perform the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.
  - 36. The system of claim 35, wherein the policy is specified by an administrator or a user of the computing device.
  - 37. The system of claim 35, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.
  - 38. The system of claim 37, wherein the risk level is associated with one or more of:
    - the communication, the first connection, or the computing device.
  - 39. The system of claim 37, wherein the risk level is based on one or more of:
    - a geographic location of the computing device;
      
      an assessed security state of the computing device;
      
      or an assessed value of information stored on the computing device.
  - 40. The system of claim 31, wherein the application created the first connection, wherein the instruction to determine whether the content contains predetermined content includes an instruction to obtain, by the client-side proxy from an operating system on the computing device, an identity of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Wyatt, Timothy Micheal, Buck, Brian James, Cowden, David William, Desai, Nitin Shridhar, Deshpande, Prasad, Elwell, Robert Blaine
Primary Examiner(s)
Rashid, Harunur

Application Number

US15/608,556
Publication Number

US 20170346853A1
Time in Patent Office

861 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/12   Network monitoring probes

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 67/01   Protocols

H04L 9/3265   using certificate chains, t...

H04W 12/122   Counter-measures against at...

Methods and systems for detecting and preventing network connection compromise

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

229 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing network connection compromise

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links