PROTECTION AGAINST IMPERSONATION ATTACKS

US 20080235794A1
Filed: 03/20/2008
Published: 09/25/2008
Est. Priority Date: 03/21/2007
Status: Active Grant

First Claim

Patent Images

1. A computing method, comprising:

running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment;

detecting by a program running in the second operating environment an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment; and

automatically inhibiting the detected attempt.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing method includes running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment. A program running in the second operating environment detects an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment. The detected attempt is inhibited automatically.

Citations

33 Claims

1. A computing method, comprising:
- running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment;
  
  detecting by a program running in the second operating environment an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment; and
  
  automatically inhibiting the detected attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the second operating environment is isolated from the first operating environment such that the general-purpose operations performed in the first operating environment do not affect operation of the second operating environment, and wherein running the second operating environment comprises verifying a trustworthiness of the second operating environment by a central management system that is external to the user computer.
  - 3. The method according to claim 1, wherein detecting the attempt comprises predefining an element that appears in the protected communication session and is unlikely to appear in communication sessions other than the protected communication session, and identifying that the predefined element appears in the illegitimate communication session.
  - 4. The method according to claim 3, wherein predefining the element comprises accepting a definition of the element from a central management system that is external to the user computer.
  - 5. The method according to claim 1, wherein the protected communication session displays a Graphical User Interface (GUI) comprising a characteristic GUI feature, and wherein detecting the attempt comprises detecting that a suspected communication session interacting with the first operating environment displays a GUI feature imitating the characteristic GUI feature.
  - 6. The method according to claim 5, wherein detecting the attempt comprises reading a frame buffer, which stores a graphical image that is displayed in the user computer during the suspected communication session, and detecting the GUI feature imitating the characteristic GUI feature in the frame buffer.
  - 7. The method according to claim 1, wherein detecting the attempt comprises predefining a textual element that is characteristic of textual input that is provided by a user of the user computer during the protected communication session, monitoring input that is entered by the user during a suspected communication session interacting with the first operating environment and, responsively to detecting the textual element in the input, identifying the suspected communication session as illegitimate.
  - 8. The method according to claim 7, wherein the textual element comprises security credentials of the user.
  - 9. The method according to claim 7, wherein predefining the textual element comprises defining a characteristic format, and wherein detecting the textual element comprises detecting text that matches the characteristic format in the monitored input.
  - 10. The method according to claim 7, wherein monitoring the input comprises monitoring keystrokes of a keyboard of the user computer.
  - 11. The method according to claim 1, wherein the protected communication session provides a given content to the user computer, and wherein detecting the attempt comprises detecting that a suspected communication session interacting with the first operating environment provides the given content to the user computer.
  - 12. The method according to claim 11, wherein detecting the attempt comprises monitoring network traffic sent to the user computer with respect to the suspected communication session, and identifying the given content in the monitored network traffic.
  - 13. The method according to claim 12, wherein at least part of the network traffic sent to the user computer is encrypted, and wherein monitoring the network traffic comprises monitoring the at least part of the network traffic after the at least part of the network traffic has been decrypted by the first operating environment.
  - 14. The method according to claim 11, wherein detecting the attempt comprises predefining an attribute of the given content, and detecting that the suspected communication session provides a data item having the attribute to the user computer.
  - 15. The method according to claim 1, wherein detecting the attempt comprises monitoring a physical resource of the user computer by a virtualization layer of the user computer.
  - 16. The method according to claim 1, wherein inhibiting the attempt comprises accepting a policy, which specifies an action for inhibiting the attempt, from a central management system that is external to the user computer, and performing the action in accordance with the policy.

17. A user computer, comprising:
- an interface, which is operative to communicate with a server over a communication network; and
  
  a processor, which is coupled to run a first operating environment, which is configured to perform general-purpose operations, and a second operating environment, which is configured expressly for interacting with the server in a protected communication session and is isolated from the first operating environment, wherein the second operating environment is further configured to detect an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment, and to automatically inhibit the detected attempt.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The user computer according to claim 17, wherein the second operating environment is isolated from the first operating environment such that the general-purpose operations performed in the first operating environment do not affect operation of the second operating environment, and wherein the processor is coupled to enable a central management system that is external to the user computer to verify a trustworthiness of the second operating environment.
  - 19. The user computer according to claim 17, wherein the processor is coupled to predefine an element that appears in the protected communication session and is unlikely to appear in communication sessions other than the protected communication session, and to detect the attempt by identifying that the predefined element appears in the illegitimate communication session.
  - 20. The user computer according to claim 19, wherein the processor is coupled to accept a definition of the element from a central management system that is external to the user computer.
  - 21. The user computer according to claim 17, wherein the processor is coupled to display during the protected communication session a Graphical User Interface (GUI) comprising a characteristic GUI feature, and to detect the attempt by detecting that a suspected communication session interacting with the first operating environment displays a GUI feature imitating the characteristic GUI feature.
  - 22. The user computer according to claim 21, and comprising a frame buffer for storing graphical images that are displayed during communication sessions, wherein the processor is coupled to detect the attempt by reading the frame buffer during the suspected communication session and detecting the GUI feature imitating the characteristic GUI feature in the frame buffer.
  - 23. The user computer according to claim 17, wherein the processor is coupled to predefine a textual element that is characteristic of textual input that is provided by a user of the user computer during the protected communication session, to monitor input that is entered by the user during a suspected communication session interacting with the first operating environment and, responsively to detecting the textual element in the input, to identify the suspected communication session as illegitimate.
  - 24. The user computer according to claim 23, wherein the textual element comprises security credentials of the user.
  - 25. The user computer according to claim 23, wherein the processor is coupled to define a characteristic format, and to detect the textual element by detecting text that matches the characteristic format in the monitored input.
  - 26. The user computer according to claim 23, and comprising a keyboard, wherein the processor is coupled to monitor the input by monitoring keystrokes of the keyboard.
  - 27. The user computer according to claim 17, wherein the interface is operative to receive a given content during the protected communication session, and wherein the processor is coupled to detect the attempt by detecting that the given content is received during a suspected communication session interacting with the first operating environment.
  - 28. The user computer according to claim 27, wherein the processor is coupled to detect the attempt by monitoring network traffic received via the interface with respect to the suspected communication session, and identifying the given content in the monitored network traffic.
  - 29. The user computer according to claim 28, wherein at least part of the received network traffic is encrypted, and wherein the processor is coupled to decrypt the at least part of the network traffic in the first operating environment, and to monitor the decrypted at least part of the network traffic.
  - 30. The user computer according to claim 27, wherein the processor is coupled to predefine an attribute of the given content, and to detect that a data item having the attribute is provided during the suspected communication session.
  - 31. The user computer according to claim 17, and comprising a virtualization layer for monitoring a physical resource of the user computer, wherein the processor is coupled to detect the attempt by monitoring the physical resource using the virtualization layer.
  - 32. The user computer according to claim 17, wherein the processor is coupled to accept a policy, which specifies an action for inhibiting the attempt, from a central management system that is external to the computer, and to perform the action in accordance with the policy.

33. A computer software product for use in a user computer, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when executed by the user computer, cause the user computer to communicate with a server over a communication network, to run a first operating environment for performing general-purpose operations, to run a second operating environment, which is configured expressly for interacting with the server in a communication session and is isolated from the first operating environment, to detect by a program running in the second operating environment an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment, and to automatically inhibit the detected attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation, Neocleus Israel Limited (Intel Corporation)
Original Assignee
Neocleus Limited (Intel Corporation)
Inventors
Bogner, Etay

Granted Patent

US 8,296,844 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

PROTECTION AGAINST IMPERSONATION ATTACKS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTION AGAINST IMPERSONATION ATTACKS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links