Cloud application fingerprint

US 10,505,918 B2
Filed: 06/28/2017
Issued: 12/10/2019
Est. Priority Date: 06/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a security application that interfaces one or more cloud application clients in an enterprise network and one or more cloud applications;

detecting a request made by one of the one or more cloud application clients to access a cloud application of the one or more cloud applications;

sending, to the cloud application, a probe uniform resource locator created based on an absolute domain name corresponding to the cloud application for one or more responses reflecting current empirical data obtained from the cloud application;

receiving, from the cloud application, a response page in response to the probe uniform resource locator;

generating a hash of the response page;

generating an application fingerprint that includes the hash of the response page;

determining whether the application fingerprint matches a previous application fingerprint that includes one or more previous responses reflecting empirical data previously obtained from the cloud application by determining whether the hash of the response page matches a previous hash of a previous response page received from the cloud application in response to a previous probe uniform resource locator; and

if the application fingerprint does not match the previous application fingerprint, enforcing a security policy with respect to the cloud application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a security application that interfaces one or more cloud application clients in an enterprise network and one or more cloud applications detects a request made by one of the one or more cloud application clients to access a cloud application. The security application sends one or more prompts to the cloud application for one or more responses reflecting current empirical data obtained from the cloud application. The security application receives, from the cloud application, the one or more responses, and generates an application fingerprint that includes the one or more responses.

47 Citations

20 Claims

1. A method comprising:
- at a security application that interfaces one or more cloud application clients in an enterprise network and one or more cloud applications;
  
  detecting a request made by one of the one or more cloud application clients to access a cloud application of the one or more cloud applications;
  
  sending, to the cloud application, a probe uniform resource locator created based on an absolute domain name corresponding to the cloud application for one or more responses reflecting current empirical data obtained from the cloud application;
  
  receiving, from the cloud application, a response page in response to the probe uniform resource locator;
  
  generating a hash of the response page;
  
  generating an application fingerprint that includes the hash of the response page;
  
  determining whether the application fingerprint matches a previous application fingerprint that includes one or more previous responses reflecting empirical data previously obtained from the cloud application by determining whether the hash of the response page matches a previous hash of a previous response page received from the cloud application in response to a previous probe uniform resource locator; and
  
  if the application fingerprint does not match the previous application fingerprint, enforcing a security policy with respect to the cloud application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - associating the hash of the response page with the cloud application.
  - 3. The method of claim 1, further comprising:
    - before sending the probe uniform resource locator, determining whether a third-party signed application digital certificate is available.
  - 4. The method of claim 3, further comprising:
    - if the digital certificate is available, obtaining the digital certificate; and
      
      verifying the digital certificate.
  - 5. The method of claim 1, further comprising:
    - before sending the probe uniform resource locator, verifying, via a domain name service, a domain name included in the request.
  - 6. The method of claim 5, further comprising:
    - receiving, from the cloud application, a secure sockets layer certificate; and
      
      verifying the secure sockets layer certificate.
  - 7. The method of claim 1, further comprising:
    - associating the hash of the response page with a version of the cloud application.
  - 8. The method of claim 1, further comprising:
    - associating the hash of the response page with a domain name of the cloud application.

9. An apparatus comprising:
- a network interface unit to interface one or more cloud application clients in an enterprise network and one or more cloud applications;
  
  a memory; and
  
  one or more processors coupled to the memory, wherein the one or more processors are configured to;
  
  detect a request made by one of the one or more cloud application clients to access a cloud application of the one or more cloud applications;
  
  send, to the cloud application, an arbitrary uniform resource locator created based on a base uniform resource locator corresponding to the cloud application for one or more responses reflecting current empirical data obtained from the cloud application;
  
  receive, from the cloud application, a failure code, a page redirect, or an index page in response to the arbitrary uniform resource locator;
  
  generate an application fingerprint that includes the failure code, the page redirect, or the index page;
  
  determine whether the application fingerprint matches a previous application fingerprint that includes one or more previous responses reflecting empirical data previously obtained from the cloud application by determining whether the failure code, the page redirect, or the index page match a previous failure code, a previous page redirect, or a previous index page received from the cloud application in response to a previous arbitrary uniform resource locator; and
  
  if the application fingerprint does not match the previous application fingerprint, enforce a security policy with respect to the cloud application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the one or more processors are further configured to:
    - associate the failure code, the page redirect, or the index page with the cloud application.
  - 11. The apparatus of claim 9, wherein the one or more processors are further configured to:
    - associate the failure code, the page redirect, or the index page with a version of the cloud application.
  - 12. The apparatus of claim 9, wherein the one or more processors are further configured to:
    - associate the failure code, the page redirect, or the index page with a domain name of the cloud application.
  - 13. The apparatus of claim 9, wherein the one or more processors are further configured to:
    - before sending the arbitrary uniform resource locator, determine whether a third-party signed application digital certificate is available.
  - 14. The apparatus of claim 13, wherein the one or more processors are further configured to:
    - if the digital certificate is available, obtain the digital certificate; and
      
      verify the digital certificate.
  - 15. The apparatus of claim 9, wherein the one or more processors are further configured to:
    - before sending the arbitrary uniform resource locator, verify, via a domain name service, a domain name included in the request.
  - 16. The apparatus of claim 15, wherein the one or more processors are further configured to:
    - receive, from the cloud application, a secure sockets layer certificate; and
      
      verify the secure sockets layer certificate.

17. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- at a security application that interfaces one or more cloud application clients in an enterprise network and one or more cloud applications;
  
  detect a request made by one of the one or more cloud application clients to access a cloud application of the one or more cloud applications;
  
  determine whether a uniform resource locator corresponding to the cloud application includes an explicit port; and
  
  if it is determined that the uniform resource locator includes the explicit port;
  
  send, to the cloud application, a request to access the explicit port included in the uniform resource locator corresponding to the cloud application for one or more responses reflecting current empirical data obtained from the cloud application;
  
  receive, from the cloud application, the a failure code or a page redirect;
  
  generate an application fingerprint that includes the failure code or the page redirect;
  
  determine whether the application fingerprint matches a previous application fingerprint that includes one or more previous responses reflecting empirical data previously obtained from the cloud application by determining whether the failure code or the page redirect match a previous failure code or a previous page redirect received from the cloud application in response to a previous request to access the explicit port; and
  
  if the application fingerprint does not match the previous application fingerprint, enforce a security policy with respect to the cloud application.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more non-transitory computer readable storage media of claim 17, wherein the instructions further cause the processor to:
    - associate the failure code or the page redirect with the cloud application, a version of the cloud application, and a domain name of the cloud application.
  - 19. The one or more non-transitory computer readable storage media of claim 17, wherein the instructions further cause the processor to:
    - before sending the request to access the explicit port, determine whether a third-party signed application digital certificate is available;
      
      if the digital certificate is available, obtain the digital certificate; and
      
      verify the digital certificate.
  - 20. The one or more non-transitory computer readable storage media of claim 17, wherein the instructions further cause the processor to:
    - before sending the request to access the explicit port, verify, via a domain name service, a domain name included in the request;
      
      receive, from the cloud application, a secure sockets layer certificate; and
      
      verify the secure sockets layer certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Patel, Deep Chand, Chandrasekaran, Varagur, Pitta, Srinivas, Surender, Shrawan Chittoor
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/636,114
Publication Number

US 20190007394A1
Time in Patent Office

895 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/146   Markers for unambiguous ide...

Cloud application fingerprint

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Cloud application fingerprint

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others