METHOD AND APPARATUS FOR DYNAMIC DETECTION OF GEO-LOCATION OBFUSCATION IN CLIENT-SERVER CONNECTIONS THROUGH AN IP TUNNEL

US 20150350160A1
Filed: 06/01/2015
Published: 12/03/2015
Est. Priority Date: 06/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically detecting geo-location obfuscation of a client connection to a server, the method comprising:

evaluating, based on a maximum segment size (MSS) parameter of a packet of a client connection to the server, whether the connection is made via tunneling;

estimating a risk of geo-location obfuscation associated with the client connection to the server, based on a latency analysis of the connection when the evaluation indicates the connection is made via tunneling; and

providing a risk assessment, according to the evaluation based on MSS of whether the connection is made via tunneling and the estimation of risk based on the latency analysis, of whether the client connection to the server is made via tunneling so as to obfuscate the geo-location of a client making the client connection to the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for dynamic detection of fraudulent client connections to a server, in which, for example, the connection is made using an internet protocol (IP) tunneling technology such as networking on a virtual private network (VPN) and making the connection via a VPN tunnel in order to obfuscate the client IP address, in which a user of a client device may employ spoofing of IP-geo location mechanisms and IP classification on the server side. Such a user may have various motivations for obfuscating the client device'"'"'s geo-location by using an IP tunnel when connecting to a server such as gaining access to services that are not allowed in certain locations (e.g., certain movie and television content providers); browsing server data while maintaining a higher level of anonymity; and performing fraudulent actions on the server.

26 Citations

View as Search Results

20 Claims

1. A method for dynamically detecting geo-location obfuscation of a client connection to a server, the method comprising:
- evaluating, based on a maximum segment size (MSS) parameter of a packet of a client connection to the server, whether the connection is made via tunneling;
  
  estimating a risk of geo-location obfuscation associated with the client connection to the server, based on a latency analysis of the connection when the evaluation indicates the connection is made via tunneling; and
  
  providing a risk assessment, according to the evaluation based on MSS of whether the connection is made via tunneling and the estimation of risk based on the latency analysis, of whether the client connection to the server is made via tunneling so as to obfuscate the geo-location of a client making the client connection to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - forcing, by the server, the client to use an HTTPS protocol to make the connection; and
      
      extracting a client side MSS value from TCP handshake negotiations.
  - 3. The method of claim 1, wherein the evaluation further comprises:
    - comparing a value of the MSS parameter of the packet to a database of known MSS values for connections made via tunneling.
  - 4. The method of claim 1, wherein the evaluation further comprises:
    - determining that the client connection to the server is not made via tunneling when a value of the MSS parameter of the packet is either a standard value or does not match any value in a database of known MSS values for connections made via tunneling.
  - 5. The method of claim 1, wherein the estimation further comprises:
    - determining a round trip time (RTT) between the server and the client by analyzing a communication stack of the client connection.
  - 6. The method of claim 1, wherein the estimation further comprises:
    - retrieving a benchmark RTT, from a database that relates protocols to benchmark RTT, for a protocol in which the client connection to the server is made.
  - 7. The method of claim 1, wherein the estimation further comprises:
    - determining an X value by subtracting a benchmark RTT from a current RTT between the server and the client.
  - 8. The method of claim 1, wherein the estimation further comprises:
    - comparing an X value to a pre-defined threshold, wherein the threshold depends on an MSS value.
  - 9. The method of claim 1, wherein providing the risk assessment further comprises:
    - determining that the client connection to the server is made via tunneling when an X value is at least as great as a pre-defined threshold.
  - 10. The method of claim 1, wherein providing the risk assessment further comprises:
    - providing a direct correlation of an X value with the distance between the actual geo-location of the client and the geo-location obtained for the protocol used by the client.

11. A system comprising:
- a server processor; and
  
  a data storage device including a non-transitory computer-readable medium having computer readable code for instructing the processor that, when executed by the server processor, causes the server processor to perform operations comprising;
  
  evaluating, based on a maximum segment size (MSS) parameter of a packet of a client connection to the server processor, whether the client connection is made via tunneling;
  
  terminating the client connection in response to the evaluation based on MSS indicating the client connection is made via tunneling.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the data storage device further comprises instructions that, when executed by the server processor, causes the server processor to perform operations comprising:
    - estimating a risk of geo-location obfuscation associated with the client connection to the server processor, based on a latency analysis of the client connection when the evaluation based on MSS indicates the client connection is made via tunneling; and
      
      providing a risk assessment, according to the estimation of risk based on the latency analysis and the evaluation based on MSS, of whether the client connection is made via tunneling so as to obfuscate the geo-location of a client making the client connection.
  - 13. The system of claim 11, wherein the data storage device further comprises instructions that, when executed by the server processor, causes the server processor to perform operations comprising:
    - forcing, by the server, the client to use an HTTPS protocol to make the connection; and
      
      extracting a client side MSS value from TCP handshake negotiations.
  - 14. The system of claim 11, wherein the evaluation further comprises:
    - comparing a value of the MSS parameter of the packet to a database of known MSS values for connections made via tunneling.
  - 15. The system of claim 11, wherein the evaluation further comprises:
    - determining that the client connection is not made via tunneling when a value of the MSS parameter of the packet is either a standard value or does not match any value in a database of known MSS values for connections made via tunneling.
  - 16. The system of claim 11, wherein the estimation further comprises:
    - forcing, by the server, the client to use an HTTPS protocol to make the connection; and
      
      determining a round trip time (RTT) between the server and the client by analysis of a communication stack of the client connection.
  - 17. The system of claim 11, wherein the data storage device further comprises instructions that, when executed by the server processor, causes the server processor to perform operations comprising:
    - denying a future connection for some determinate length of time from a client making the client connection.

18. A non-transitory computer-readable medium comprising instructions which, in response to execution by a computer system, cause the computer system to:
- estimate a risk of geo-location obfuscation associated with a client connection to a server, based on a latency analysis of the client connection; and
  
  terminate the client connection in response to the risk estimation indicating the client connection is made via tunneling so as to obfuscate the geo-location of a client making the client connection to the server.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18, further comprising instructions which, in response to execution by a computer system, cause the computer system to:
    - evaluate, based on a maximum segment size (MSS) parameter of a packet of the client connection to the server, whether the client connection is made via tunneling; and
      
      provide a risk assessment, based on the MSS evaluation of whether the connection is made via tunneling and the estimation of risk based on the latency analysis, of whether the client connection to the server is made via tunneling.
  - 20. The computer-readable medium of claim 18, further comprising instructions which, in response to execution by a computer system, cause the computer system to:
    - force, by the server, the client to use an HTTPS protocol to make the client connection;
      
      extract a client side MSS value from TCP handshake negotiations; and
      
      determine a round trip time (RTT) between the server and the client by analyzing a communication stack of the client connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Nathan, Avihay, Arad, Uri, Argon, Oded, Stein, David, Faivishevsky, Lev, Lupo, Roi

Granted Patent

US 10,038,712 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 43/0864   Round trip delays

H04L 43/16   Threshold monitoring

H04L 47/36   by determining packet size,...

H04L 63/14   for detecting or protecting...

H04L 63/1441   Countermeasures against mal...

H04L 67/52   specially adapted for the l...

METHOD AND APPARATUS FOR DYNAMIC DETECTION OF GEO-LOCATION OBFUSCATION IN CLIENT-SERVER CONNECTIONS THROUGH AN IP TUNNEL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND APPARATUS FOR DYNAMIC DETECTION OF GEO-LOCATION OBFUSCATION IN CLIENT-SERVER CONNECTIONS THROUGH AN IP TUNNEL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others