METHOD AND APPARATUS FOR DETECTING CYBER THREATS

US 20110035784A1
Filed: 08/07/2009
Published: 02/10/2011
Est. Priority Date: 08/07/2009
Status: Active Grant

First Claim

Patent Images

1. A method of heuristically identifying a cyber threat at a computer server, the method comprising:

serving a collection of reinforced cookies for storage during a first communication session with a first client computing device;

receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and

comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats;

wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and

wherein each said reinforced cookie comprises one or more of;

an HTTP (Hyper Text Transport Protocol) cookie;

a history cookie; and

a cache cookie.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting cyber threats using reinforced cookies, which include HTTP cookies, history cookies, cache cookies and/or other types. A history cookie comprises an entry for a particular web page in a browser'"'"'s navigation history. A cache cookie comprises an entry for a particular object (e.g., an image file) within a browser'"'"'s cache. Upon a client'"'"'s first visit to a web server, an identifier record is generated comprising data such as a user ID, a client device ID, an age (e.g., a counter), a cookie type, an authentication field, etc. From the unique identifier, one or more types of reinforced cookies are generated and stored with the client browser. On a subsequent visit, the client'"'"'s cookie configuration is examined to determine whether the client may be the perpetrator or victim of a cyber attack. Cookies may be updated or replaced on some or all visits.

41 Citations

View as Search Results

23 Claims

1. A method of heuristically identifying a cyber threat at a computer server, the method comprising:
- serving a collection of reinforced cookies for storage during a first communication session with a first client computing device;
  
  receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and
  
  comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats;
  
  wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and
  
  wherein each said reinforced cookie comprises one or more of;
  
  an HTTP (Hyper Text Transport Protocol) cookie;
  
  a history cookie; and
  
  a cache cookie.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the one or more cyber threats comprise:
    - cookie theft;
      
      DNS (Domain Name Service) poisoning; and
      
      machine cloning.
  - 3. The method of claim 1, wherein said comparing comprises:
    - determining whether the second client computing device comprises only a set of reinforced HTTP cookies, and no history cookie and no cache cookie.
  - 4. The method of claim 1, wherein said comparing comprises:
    - determining whether the second client computing device comprises only a set of domain-based cookies, and no address-based cookies.
  - 5. The method of claim 4, wherein:
    - a domain-based cookie comprises a cookie encoded with a domain of the server computer; and
      
      an address-based cookie comprises a cookie encoded with an address of the server computer.
  - 6. The method of claim 1, wherein said comparing comprises:
    - determining whether the second client computing device comprises the collection of reinforced cookies transmitted to the first client computing device during said serving.
  - 7. The method of claim 1, wherein the configuration of reinforced cookies on the second client computing device comprises a subset of the collection of reinforced cookies.
  - 8. The method of claim 1, further comprising:
    - comparing the configuration of reinforced cookies on the second client computing device to configurations indicative of valid user activity.
  - 9. The method of claim 8, wherein said configurations indicative of valid user activity include at least one of:
    - clearing an HTTP cookie;
      
      clearing a browser history; and
      
      clearing a browser cache.
  - 10. The method of claim 1, wherein a history cookie comprises an entry in a browser history that identifies a specific page of content.
  - 11. The method of claim 10, wherein said serving comprises:
    - serving the first client computing device a dummy page of content for processing by a browser program executing on the first client computing device;
      
      wherein the dummy page comprises code configured to cause the browser program to attempt to load the specific page of content.
  - 12. The method of claim 11, wherein the specific content page of content is not served to the first client computing device.
  - 13. The method of claim 1, wherein a cache cookie comprises an entry in a browser cache that identifies a specific content object.
  - 14. The method of claim 13, wherein said serving comprises:
    - serving the first client computing device a dummy page of content for processing by a browser program executing on the first client computing device;
      
      wherein the dummy page comprises code configured to cause the browser program to attempt to load the specific content object.
  - 15. The method of claim 14, wherein the specific content object is not served to the first client computing device.
  - 16. The method of claim 1, further comprising:
    - serving to the second client computing device an updated collection of reinforced cookies to replace the collection of reinforced cookies.
  - 17. The method of claim 1, further comprising, prior to said serving:
    - generating the unique identifier to comprise an ID of the user and one or more additional data fields; and
      
      encoding a subset of the data fields of the unique identifier into each of the reinforced cookies.
  - 18. The method of claim 17, wherein the one or more additional data fields comprise at least one of:
    - an ID of the first client computing device;
      
      an age; and
      
      an authentication value;
      
      wherein the authentication value comprises a value derived from the ID of the user and the one or more additional data fields.

19. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of heuristically identifying a cyber threat at the computer, the method comprising:
- serving a collection of reinforced cookies for storage during a first communication session with a first client computing device;
  
  receiving a request for a second communication session from a second client computing device purporting to be the first client computing device; and
  
  comparing a configuration of reinforced cookies on the second client computing device to configurations indicative of one or more cyber threats;
  
  wherein each said reinforced cookie in the collection of reinforced cookies is generated from a unique identifier associated with a user of the first client computing device; and
  
  wherein each said reinforced cookie comprises one or more of;
  
  an HTTP (Hyper Text Transport Protocol) cookie;
  
  a history cookie; and
  
  a cache cookie.

20. An apparatus for detecting a cyber threat on a client computing device, the apparatus comprising:
- a web server configured to serve electronic content to client computing devices;
  
  a cookie generator configured to generate a collection of reinforced cookies for storage on a client computing device, including one or more of;
  
  a reinforced HTTP (Hyper Text Transport Protocol) cookie;
  
  a reinforced history cookie; and
  
  a reinforced cache cookie; and
  
  a heuristic analysis engine configured to compare a configuration of reinforced cookies detected on a client computing device with configurations indicative of cyber threats.
- View Dependent Claims (21, 22, 23)
- - 21. The apparatus of claim 20, wherein a reinforced cookie comprises:
    - an ID of a user;
      
      an age of the cookie;
      
      a type of the cookie; and
      
      an authentication value for authenticating the reinforced cookie.
  - 22. The apparatus of claim 20, further comprising:
    - an identifier generator configured to assemble a unique identifier associated with a user of a client computing device.
  - 23. The apparatus of claim 22, wherein the cyber threats include one or more of:
    - cookie theft;
      
      DNS (Domain Name Service) poisoning; and
      
      machine cloning.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Jakobsson, Bjorn Markus

Granted Patent

US 8,286,225 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/5682   Policies or rules for updat...

H04L 67/5683   Storage of data provided by...

METHOD AND APPARATUS FOR DETECTING CYBER THREATS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING CYBER THREATS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links