System, Method and Process for Mitigating Advanced and Targeted Attacks with Authentication Error Injection

US 20160014077A1
Filed: 07/10/2014
Published: 01/14/2016
Est. Priority Date: 07/10/2014
Status: Abandoned Application

First Claim

Patent Images

1. A security device (SD) for monitoring authentication and authorization on a network Directory Services (DS) environment, the security device comprising:

(a) a Behavioral Monitoring Module (BMM), configured to monitor traffic between network clients and the DS;

(b) a Dynamic Decision Module (DDM), configured to decide whether to block a client access request from a network client, said client access request being monitored by said BMM;

(c) an error message fabrication module, configured to synthesize an error message when a blocking decision has been made by said DDM; and

(d) a network interface, configured to send said synthesized error message to said network client that sent said client access request for which said DDM made said blocking decision.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method system and computer program product for protecting Directory Services (DS) by monitoring traffic to the DS; deciding to block a client access request in the monitored traffic originating from a network client; synthesizing an error message based at least in part on the client access request; and sending the synthesized error message to the network client, causing the network client to abort access request process such as an authentication process or an authorization process.

Citations

18 Claims

1. A security device (SD) for monitoring authentication and authorization on a network Directory Services (DS) environment, the security device comprising:
- (a) a Behavioral Monitoring Module (BMM), configured to monitor traffic between network clients and the DS;
  
  (b) a Dynamic Decision Module (DDM), configured to decide whether to block a client access request from a network client, said client access request being monitored by said BMM;
  
  (c) an error message fabrication module, configured to synthesize an error message when a blocking decision has been made by said DDM; and
  
  (d) a network interface, configured to send said synthesized error message to said network client that sent said client access request for which said DDM made said blocking decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The security device of claim 1, wherein said error message is a Kerberos error message.
  - 3. The security device of claim 1, wherein said BMM passively monitors said traffic.
  - 4. The security device of claim 1, wherein the security device is interposed between said network clients and said DS, such that the security device is capable of blocking requests from said network clients to all services on said DS.
  - 5. The security device of claim 1, wherein said BMM is configured to monitor traffic between said network clients and a Key Domain Controller.
  - 6. The security device of claim 1, wherein said DDM makes decisions based on logic selected from the group including:
    - local logic, remote logic and a combination of both said remote and local logic.
  - 7. The security device of claim 1, wherein said error message fabrication module extracts at least some parameters for at least some mandatory fields of said synthesized error message from said client access request.
  - 8. The security device of claim 1, wherein said network interface is configured to further send a TCP termination message to said DS, causing said DS to terminate a TCP connection between said DS and said network client.

9. A method of protecting Directory Services (DS), the method comprising the steps of:
- (a) monitoring traffic to the DS;
  
  (b) deciding to block a client access request in said monitored traffic originating from a network client;
  
  (c) synthesizing an error message based at least in part on said client access request; and
  
  (d) sending said synthesized error message to said network client, causing said network client to abort an access request process.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein said monitored traffic is Kerberos traffic and said synthesized error message is a Kerberos error message.
  - 11. The method of claim 9, wherein said client access request is intended for a Key Domain Controller (KDC).
  - 12. The method of claim 9, wherein said decision made in step (b) is based on logic selected from the group including:
    - local logic, remote logic and a combination of both remote and local logic.
  - 13. The method of claim 9, wherein said traffic is monitored in a non-invasive manner.
  - 14. The method of claim 9, wherein said traffic is monitored by a network entity residing in a traffic path between said network client and the DS.
  - 15. The method of claim 14, wherein said network entity resides in said traffic path between all network clients and the DS and configured to block access of any said network clients to the DS.
  - 16. The method of claim 9, wherein at least some parameters for at least some mandatory fields of said error message are extracted from said client access request.
  - 17. The method of claim 9, further comprising the step of:
    - (e) sending a TCP termination message to the DS, causing the DS to terminate a TCP connection between the DS and said network client.

18. A non-transient computer readable medium storing computer readable code that upon execution of the code by a computer processor, causes the computer processor to:
- (a) monitor traffic to Directory Services (DS);
  
  (b) decide to block a client access request in said monitored traffic originating from a network client;
  
  (c) synthesizing an error message based at least in part on said client access request; and
  
  (d) sending said synthesized error message to said network client, causing said network client to abort an access request process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Idan & Ohad Plotnik Co., Microsoft Israel Research And Development (2002) Ltd (Microsoft Corporation)
Original Assignee
Aorato Ltd. (Microsoft Corporation)
Inventors
BE'ERY, Tal Arieh, PLOTNIK, Idan, DOLINSKY, Michael, PLOTNIK, Ohad

Application Number

US14/327,596
Publication Number

US 20160014077A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0209   Architectural arrangements,...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 9/3213   using tickets or tokens, e....

System, Method and Process for Mitigating Advanced and Targeted Attacks with Authentication Error Injection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Process for Mitigating Advanced and Targeted Attacks with Authentication Error Injection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links