Techniques for securely detecting compromises of enterprise end stations utilizing tunnel tokens

US 10,567,342 B2
Filed: 06/20/2016
Issued: 02/18/2020
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network, comprising:

receiving, at a first server within the enterprise network that is implemented by one or more electronic devices, a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and

transmitting, by the first server, a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, and wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses; and

causing, within the enterprise network, one or more security measures to be deployed that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A token tunnel server (TTS) within an enterprise network receives packets from a source address directed to a destination address (both of the enterprise network) that were caused to be originated by an attacker. The packets carry data including a token that was placed upon an end station of the enterprise and that appears to be useful for accessing an enterprise server, despite the apparent enterprise server not actually being deployed within the enterprise network. The TTS transmits packets carrying the data (that do not include the source address) across a public network outside of the enterprise network to a tunnel gateway server (TGS). The TGS sends the data to a trap server that acts as the apparent enterprise server. Actions of the attacker with regard to the trap server can be monitored while the source address is not provided to the TGS.

12 Citations

View as Search Results

24 Claims

1. A method in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network, comprising:
- receiving, at a first server within the enterprise network that is implemented by one or more electronic devices, a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
  
  transmitting, by the first server, a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, and wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses; and
  
  causing, within the enterprise network, one or more security measures to be deployed that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the alert data is received by a management server implemented by one or more electronic devices.
  - 3. The method of claim 2, wherein the source enterprise network address is assigned to the enterprise end station upon which the token was placed, and wherein the enterprise end station on which the token was placed originated the first set of one or more packets.
  - 4. The method of claim 2, wherein the alert data comprises the token, and wherein the method further comprises:
    - determining that a source of the first set of one or more packets is a second enterprise end station that is different than the enterprise end station upon which the token was placed, wherein the determining is based upon the token of the alert data and the identifier of the alert data.
  - 5. The method of claim 4, further comprising:
    - determining, by the management server, an identifier of the second enterprise end station on which the token was placed; and
      
      transmitting the identifier of the second enterprise end station to the second server.
  - 6. The method of claim 2, wherein the alert data comprises the identifier, and wherein the method further comprises:
    - determining, by the management server, at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address based upon the identifier from the alert data, wherein the one or more security measures to be deployed within the enterprise network monitor or block traffic originating from the enterprise end station that utilized the source enterprise network address or the source enterprise network address.
  - 7. The method of claim 1, wherein the one or more security measures comprises one or more of:
    - increasing an amount of logging with regard to one or more internal enterprise servers deployed within the enterprise network;
      
      increasing an amount of analysis of subsequent traffic originated from the source enterprise network address;
      
      orblocking at least some of the subsequent traffic originated from the source enterprise network address.
  - 8. The method of claim 1, wherein the second set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address, and wherein the identifier is carried within the payload of the second set of one or more packets.
  - 9. The method of claim 8, wherein the identifier comprises an encrypted version of the source enterprise network address.
  - 10. The method of claim 8, further comprising:
    - receiving, at the first server, a third set of one or more packets carrying response data that was generated by the third server based at least in part upon the data of the second set of one or more packets, wherein the third set of one or more packets does not include the source enterprise network address; and
      
      transmitting, by the first server, a fourth set of one or more packets carrying the response data generated by the third server to the source enterprise network address, wherein the first server determined the source enterprise network address to be used as a destination for the fourth set of one or more packets.
  - 11. The method of claim 1, wherein the second set of one or more packets also causes the second server to select the third server from a plurality of trap servers to forward the data to.
  - 12. The method of claim 11, wherein the second set of one or more packets includes a client identifier associated with the enterprise network that was added by the first server, and wherein the selection of the third server by the second server occurs at least in part based upon the client identifier.
  - 13. The method of claim 11, wherein the plurality of trap servers includes two or more of a file server, a database server, and a webserver, and wherein the selection is based at least in part on an application layer protocol evident from the second set of one or more packets.
  - 14. The method of claim 1, wherein the third server is enabled to engage with an attacker that caused the first set of one or more packets to be originated, wherein the engagement includes providing data summarizing the first set of one or more packets to an operator and originating a third set of packets including response data resulting from one or more actions of the operator.

15. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by performing operations comprising:
- receiving a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
  
  transmitting a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmitting the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the second set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address, and wherein the identifier is carried within the payload of the second set of one or more packets.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the identifier comprises an encrypted version of the source enterprise network address.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the operations further comprise:
    - receiving a third set of one or more packets carrying response data that was generated by the third server based at least in part upon the data of the second set of one or more packets, wherein the third set of one or more packets does not include the source enterprise network address; and
      
      transmitting a fourth set of one or more packets carrying the response data generated by the third server to the source enterprise network address, wherein the first server determined the source enterprise network address to be used as a destination for the fourth set of one or more packets.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the source enterprise network address is assigned to the enterprise end station upon which the token was placed, and wherein a second enterprise end station that is different than the enterprise end station on which the token was placed originated the first set of one or more packets.

20. A device, comprising:
- one or more processors; and
  
  a non-transitory computer-readable storage medium having instructions which, when executed by the one or more processors, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by being adapted to;
  
  receive a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
  
  transmit a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmission of the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The device of claim 20, wherein the second set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address, and wherein the identifier is carried within the payload of the second set of one or more packets.
  - 22. The device of claim 21, wherein the identifier comprises an encrypted version of the source enterprise network address.
  - 23. The device of claim 21, wherein the instructions further cause the device to be adapted to:
    - receive a third set of one or more packets carrying response data that was generated by the third server based at least in part upon the data of the second set of one or more packets, wherein the third set of one or more packets does not include the source enterprise network address; and
      
      transmit a fourth set of one or more packets carrying the response data generated by the third server to the source enterprise network address, wherein the first server determined the source enterprise network address to be used as a destination for the fourth set of one or more packets.
  - 24. The device of claim 20, wherein the source enterprise network address is assigned to the enterprise end station upon which the token was placed, and wherein a second enterprise end station that is different than the enterprise end station on which the token was placed originated the first set of one or more packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Dulce, Sagie, Goihman-Shuster, Daniella, Ben-Hador, Shahar
Primary Examiner(s)
Doan, Trang T

Application Number

US15/187,657
Publication Number

US 20170244672A1
Time in Patent Office

1,338 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 45/745   Address table lookup; Addre...

H04L 61/103   across network layers, e.g....

H04L 61/2514   between local and global IP...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Techniques for securely detecting compromises of enterprise end stations utilizing tunnel tokens

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for securely detecting compromises of enterprise end stations utilizing tunnel tokens

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links