METHOD AND APPARATUS FOR DETECTING CYBER THREATS
First Claim
1. A method of heuristically identifying a cyber threat at a computer server, the method comprising:
- serving a collection of reinforced cookies for storage during a first communication session with a first client computing device;
receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and
comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats;
wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and
wherein each said reinforced cookie comprises one or more of;
an HTTP (Hyper Text Transport Protocol) cookie;
a history cookie; and
a cache cookie.
6 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus for detecting cyber threats using reinforced cookies, which include HTTP cookies, history cookies, cache cookies and/or other types. A history cookie comprises an entry for a particular web page in a browser'"'"'s navigation history. A cache cookie comprises an entry for a particular object (e.g., an image file) within a browser'"'"'s cache. Upon a client'"'"'s first visit to a web server, an identifier record is generated comprising data such as a user ID, a client device ID, an age (e.g., a counter), a cookie type, an authentication field, etc. From the unique identifier, one or more types of reinforced cookies are generated and stored with the client browser. On a subsequent visit, the client'"'"'s cookie configuration is examined to determine whether the client may be the perpetrator or victim of a cyber attack. Cookies may be updated or replaced on some or all visits.
41 Citations
23 Claims
-
1. A method of heuristically identifying a cyber threat at a computer server, the method comprising:
-
serving a collection of reinforced cookies for storage during a first communication session with a first client computing device; receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats; wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and wherein each said reinforced cookie comprises one or more of; an HTTP (Hyper Text Transport Protocol) cookie; a history cookie; and a cache cookie. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of heuristically identifying a cyber threat at the computer, the method comprising:
-
serving a collection of reinforced cookies for storage during a first communication session with a first client computing device; receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats; wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and wherein each said reinforced cookie comprises one or more of; an HTTP (Hyper Text Transport Protocol) cookie; a history cookie; and a cache cookie.
-
-
20. An apparatus for detecting a cyber threat on a client computing device, the apparatus comprising:
-
a web server configured to serve electronic content to client computing devices; a cookie generator configured to generate a collection of reinforced cookies for storage on a client computing device, including one or more of; a reinforced HTTP (Hyper Text Transport Protocol) cookie; a reinforced history cookie; and a reinforced cache cookie; and a heuristic analysis engine configured to compare a configuration of reinforced cookies detected on a client computing device with configurations indicative of cyber threats. - View Dependent Claims (21, 22, 23)
-
Specification