Unwanted tunneling alert system

US 10,609,046 B2
Filed: 02/08/2018
Issued: 03/31/2020
Est. Priority Date: 08/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

a computer processor; and

a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;

access a first log including a listing of one or more client IP addresses corresponding to one or more remote users granted access to a network;

access a second log including a listing of one or more remote IP addresses requested via the network;

identify a first IP address included in the first log and in the second log;

generate a risk score based on data associated with the first IP address, the risk score at least partly indicative of a likelihood that a malicious tunneling connection is present; and

generate an alert in response to the risk score satisfying a threshold.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

300 Citations

23 Claims

1. A computing system comprising:
- a computer processor; and
  
  a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;
  
  access a first log including a listing of one or more client IP addresses corresponding to one or more remote users granted access to a network;
  
  access a second log including a listing of one or more remote IP addresses requested via the network;
  
  identify a first IP address included in the first log and in the second log;
  
  generate a risk score based on data associated with the first IP address, the risk score at least partly indicative of a likelihood that a malicious tunneling connection is present; and
  
  generate an alert in response to the risk score satisfying a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 16)
- - 2. The computing system of claim 1, wherein the non-transitory computer readable storage medium further stores program instructions that cause the computing system to generate user interface data that, when executed, causes a user device to display a user interface depicting the alert.
  - 3. The computing system of claim 2, wherein the alert and one or more other alerts are generated periodically.
  - 4. The computing system of claim 2, wherein the alert comprises at least one of a number of users that are connected to a known virtual private network (VPN) client during a time period associated with the alert, an indication of whether characteristics of traffic between the network and a second user device matches a tunneled connection profile, an indication of an amount of outbound data transmitted by the second user device to a remote user device, an indication of whether suspicious file transfer protocol (FTP) activity was detected, an indication of whether a country mismatch was detected, or an indication of whether a suspected case of a VPN compromise is present.
  - 5. The computing system of claim 2, wherein the non-transitory computer readable storage medium further stores program instructions that cause the computing system to:
    - receive an indication that the alert is selected; and
      
      update the user interface data such that the user interface includes a window depicting at least one of information of a user associated with first IP address, an indication of whether the user is a person of interest, an indication of a geographic location of the user, an indication of a geographic location to where the user tunneled, or the risk score.
  - 6. The computing system of claim 2, wherein the non-transitory computer readable storage medium further stores program instructions that cause the computing system to:
    - receive an indication that the alert is selected; and
      
      receive an indication that the alert is a false positive; and
      
      adjust determination of future risk scores based on the received indication that the alert is a false positive.
  - 7. The computing system of claim 6, wherein the non-transitory computer readable storage medium further stores program instructions that cause the computing system to adjust weights of one or more factors used to generate future risk scores based on the received indication that the alert is a false positive.
  - 8. The computing system of claim 1, wherein, in connection with a determination that the second log indicates that a tunneled connection is established over a first port, the generated risk score is lower than if the tunneled connection is established over a second port.
  - 16. The computer-implemented method of claim 8, wherein, in connection with a determination that the second log indicates that a tunneled connection is established over a first port, the generated risk score is lower than if the tunneled connection is established over a second port.

9. A computer-implemented method comprising:
- as implemented by one or more computer systems comprising computer hardware and memory, the one or more computer systems configured with specific executable instructions,accessing a first log including a listing of one or more source addresses corresponding to one or more remote users granted access to a network;
  
  accessing a second log including a listing of one or more destination addresses requested via the network;
  
  identifying a first address included in both the first log and in the second log;
  
  generating a risk score based on data associated with the first address; and
  
  generating an alert in response to the risk score satisfying a threshold.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer-implemented method of claim 9, further comprising generating user interface data that, when executed, causes a user device to display a user interface depicting the alert.
  - 11. The computer-implemented method of claim 10, wherein the alert and one or more other alerts are generated periodically.
  - 12. The computer-implemented method of claim 10, wherein the alert comprises at least one of a number of users that are connected to a known virtual private network (VPN) client during a time period associated with the alert, an indication of whether characteristics of traffic between the network and a second user device matches a tunneled connection profile, an indication of an amount of outbound data transmitted by the second user device to a remote user device, an indication of whether suspicious file transfer protocol (FTP) activity was detected, an indication of whether a country mismatch was detected, or an indication of whether a suspected case of a VPN compromise is present.
  - 13. The computer-implemented method of claim 10, further comprising:
    - receiving an indication that the alert is selected; and
      
      updating the user interface data such that the user interface includes a window depicting at least one of information of a user associated with first IP address, an indication of whether the user is a person of interest, an indication of a geographic location of the user, an indication of a geographic location to where the user tunneled, or the risk score.
  - 14. The computer-implemented method of claim 10, further comprising:
    - receiving an indication that the alert is selected; and
      
      receiving an indication that the alert is a false positive; and
      
      adjusting determination of future risk scores based on the received indication that the alert is a false positive.
  - 15. The computer-implemented method of claim 14, wherein adjusting determination of future risk scores further comprises adjusting weights of one or more factors used to generate future risk scores based on the received indication that the alert is a false positive.

17. A non-transitory computer-readable medium comprising one or more program instructions recorded thereon, the instructions configured for execution by a computing system comprising one or more processors in order to cause the computing system to:
- access a first log including a listing of one or more source addresses corresponding to a plurality of remote users granted access to a network;
  
  access a second log including a listing of one or more destination addresses requested via the network;
  
  identify a first address included in both the first log and in the second log;
  
  generate a risk score based on data associated with the first address; and
  
  generate an alert in response to the risk score satisfying a threshold .
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The medium of claim 17, wherein the instructions are further configured to cause the computing system to generate user interface data that, when executed, causes a user device to display a user interface depicting the alert.
  - 19. The medium of claim 18, wherein the alert and one or more other alerts are generated periodically.
  - 20. The medium of claim 18, wherein the alert comprises at least one of a number of users that are connected to a known virtual private network (VPN) client during a time period associated with the alert, an indication of whether characteristics of traffic between the network and a second user device matches a tunneled connection profile, an indication of an amount of outbound data transmitted by the second user device to a remote user device, an indication of whether suspicious file transfer protocol (FTP) activity was detected, an indication of whether a country mismatch was detected, or an indication of whether a suspected case of a VPN compromise is present.
  - 21. The medium of claim 18, wherein the instructions are further configured to cause the computing system to:
    - receive an indication that the alert is selected; and
      
      update the user interface data such that the user interface includes a window depicting at least one of information of a user associated with first IP address, an indication of whether the user is a person of interest, an indication of a geographic location of the user, an indication of a geographic location to where the user tunneled, or the risk score.
  - 22. The medium of claim 18, wherein the instructions are further configured to cause the computing system to:
    - receive an indication that the alert is selected; and
      
      receive an indication that the alert is a false positive; and
      
      adjust determination of future risk scores based on the received indication that the alert is a false positive.
  - 23. The medium of claim 22, wherein the instructions are further configured to cause the computing system to adjust weights of one or more factors used to generate future risk scores based on the received indication that the alert is a false positive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Ricafort, Juan, Singh, Harkirat, Martin, Philip
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/891,873
Publication Number

US 20180159874A1
Time in Patent Office

782 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/556   involving covert channels, ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Unwanted tunneling alert system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

300 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Unwanted tunneling alert system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

300 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links