DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS

US 20080295169A1
Filed: 05/25/2007
Published: 11/27/2008
Est. Priority Date: 05/25/2007
Status: Active Grant

First Claim

Patent Images

1. A system for defending against man in the middle (MITM) attacks directed at a target server, comprising:

an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server;

an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and

a countermeasure system for taking action against suspect IP addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program product for defending against man in the middle (MITM) attacks directed at a target server. A system is provided that includes an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server; an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and a countermeasure system for taking action against suspect IP addresses.

118 Citations

View as Search Results

22 Claims

1. A system for defending against man in the middle (MITM) attacks directed at a target server, comprising:
- an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server;
  
  an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and
  
  a countermeasure system for taking action against suspect IP addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, further comprising a list checking system for comparing the incoming IP address with a white list.
  - 3. The system of claim 1, further comprising a list checking system for comparing the incoming IP address with a black list.
  - 4. The system of claim 1, wherein the activity analysis system includes a first value N that represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt that represents a time frame, and wherein if there are more than N sessions with a particular IP address during a time period less than T, the particular IP address is identified as a suspect IP address.
  - 5. The system of claim 1, wherein the countermeasure system causes a login session to fail.
  - 6. The system of claim 1, wherein the countermeasure system causes a session to terminate.
  - 7. The system of claim 1, wherein the countermeasure system causes the suspect IP addresses to be outputted.

8. A computer program product stored on a computer readable medium, which when executed includes program instructions for defending against man in the middle (MITM) attacks directed at a target server, the program product comprising:
- program instructions for recording an incoming IP address, userid, and time of each session occurring with the target server;
  
  program instructions for identifying suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and
  
  program instructions for taking defensive action against suspect IP addresses.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The program product of claim 8, further comprising program instructions for comparing the incoming IP address with a white list.
  - 10. The program product of claim 8, further comprising program instructions for comparing the incoming IP address with a black list.
  - 11. The program product of claim 8, wherein a first value N represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt represents a time frame, and wherein if there are more than N sessions with a particular IP address during a time period less than T, the particular IP address is identified as a suspect IP address.
  - 12. The program product of claim 8, wherein the defensive action causes a login session to fail.
  - 13. The program product of claim 8, wherein the defensive action causes a session to terminate.
  - 14. The program product of claim 8, wherein the defensive action causes the suspect IP addresses to be outputted.

15. A method for defending against man in the middle (MITM) attacks directed at a target server, comprising:
- recording an incoming IP address, userid, and time of each session occurring with the target server;
  
  identifying suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and
  
  taking defensive action against suspect IP addresses.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, further comprising comparing the incoming IP address with a white list.
  - 17. The method of claim 15, further comprising comparing the incoming IP address with a black list.
  - 18. The method of claim 15, wherein a first value N represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt represents a time frame, and wherein if there are more than N sessions with a particular IP address during a time period less than T, the particular IP address is identified as a suspect IP address.
  - 19. The method of claim 15, wherein the defensive action causes a login session to fail.
  - 20. The method of claim 15, wherein the defensive action causes a session to terminate.
  - 21. The method of claim 15, wherein the defensive action causes the suspect IP addresses to be outputted.

22. A method for deploying a system for defending against man in the middle (MITM) attacks directed at a target server, comprising:
- providing a computer infrastructure being operable to;
  
  record an incoming IP address, userid, and time of each session occurring with the target server;
  
  identify suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and
  
  take defensive action against suspect IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Crume, Jeffery L.

Granted Patent

US 8,533,821 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links