Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks

US 20160330220A1
Filed: 05/05/2016
Published: 11/10/2016
Est. Priority Date: 05/07/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for detecting potentially malicious activity, comprising:

receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;

analyzing the received data associated with the plurality of authentication messages;

determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;

receiving data associated with a new authentication message communicated over the network;

determining a plurality of characteristics of the data associated with the new authentication message;

comparing at least one determined characteristic of the new authentication message data with at least one of;

a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and

generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are systems and methods for performing potentially malicious activity detection operations. Embodiments may include receiving data associated with a plurality of authentication messages; analyzing the received data associated with the plurality of authentication messages; determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages; receiving data associated with a new authentication message communicated over the network; determining a plurality of characteristics of the data associated with the new authentication message; comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.

59 Citations

View as Search Results

30 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for detecting potentially malicious activity, comprising:
- receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
  
  analyzing the received data associated with the plurality of authentication messages;
  
  determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
  
  receiving data associated with a new authentication message communicated over the network;
  
  determining a plurality of characteristics of the data associated with the new authentication message;
  
  comparing at least one determined characteristic of the new authentication message data with at least one of;
  
  a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
  
  generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The non-transitory computer-readable medium of claim 1, wherein generating the assessment includes performing a protective false-positive detection operation to limit false-positive indications from the potentially malicious activity indications.
  - 3. The non-transitory computer-readable medium of claim 1, wherein generating the assessment includes determining whether the new authentication message data is associated with a potential attack in the network.
  - 4. The non-transitory computer-readable medium of claim 1, wherein generating the assessment includes determining information containing the potentially malicious activity.
  - 5. The non-transitory computer readable medium of claim 1, further including identifying a network account associated with a sender of the received data associated with the new authentication message, and executing a responsive measure with respect to the identified network account.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the new authentication message is encrypted, and the comparing is based on encrypted data of the new authentication message without first decrypting the encrypted data.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the comparing includes determining whether data from the new authentication message matches data from the received data from the plurality of authentication messages.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the comparing includes determining whether data from the new authentication message includes a flag that is not included in the received data from the plurality of authentication messages.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the comparing includes determining whether an encryption type associated with the new authentication message data matches an encryption type associated with the received data from the plurality of authentication messages.
  - 10. The non-transitory computer-readable medium of claim 1, wherein the comparing includes determining whether the new authentication message data includes a ticket that is also included in the received data from the plurality of authentication messages.
  - 11. The non-transitory computer-readable medium of claim 1, wherein the comparing includes:
    - determining whether the new authentication message data includes a ticket;
      
      identifying a machine from which the new authentication message data originated; and
      
      ascertaining whether the ticket was previously sent to the machine from which the new authentication message originated.
  - 12. The non-transitory computer-readable medium of claim 1, wherein the comparing includes determining whether an encryption attribute of an authentication message, from the plurality of authentication messages, matches an encryption attribute of the new authentication message.
  - 13. The non-transitory computer-readable medium of claim 1, wherein the plurality of authentication messages include Kerberos messages and the new authentication message is a Kerberos message.
  - 14. The non-transitory computer-readable medium of claim 1, further comprising intercepting the new authentication message and determining, based on the assessment, whether to transmit the new authentication message to a target application.
  - 15. The non-transitory computer-readable medium of claim 1, wherein the plurality of authentication messages include ticket-granting ticket requests.
  - 16. The non-transitory computer-readable medium of claim 1, wherein the plurality of authentication messages include service ticket requests.

17. A network system configured for detecting potentially malicious activity, the network system comprising:
- at least one computer-readable memory storing instructions; and
  
  at least one processor configured to execute the instructions to;
  
  receive data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
  
  analyze the received data associated with the plurality of authentication messages;
  
  determine, based on the analysis, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
  
  receive data associated with a new authentication message communicated over the network;
  
  determine a plurality of characteristics of the data associated with the new authentication message;
  
  compare at least one determined characteristic of the new authentication message data with at least one of;
  
  a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
  
  generate, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The network system of claim 17, wherein the generation of the assessment includes performing a protective false-positive detection operation to limit false-positive indications from the potentially malicious activity indications.
  - 19. The network system of claim 17, wherein the at least one processor is further configured to execute the instructions to identify a network account associated with a sender of the received data associated with a new authentication message, and execute a responsive measure with respect to the identified network account.
  - 20. The network system of claim 17, wherein the comparison includes a determination of whether data from the new authentication message matches data from the received data from the plurality of authentication messages.
  - 21. The network system of claim 17, wherein the comparison includes a determination of whether data from the new authentication message includes a flag that is not included in the received data from the plurality of authentication messages.
  - 22. The network system of claim 17, wherein the comparison includes a determination of whether an encryption type associated with the new authentication message data matches an encryption type associated with the received data from the plurality of authentication messages.
  - 23. The network system of claim 17, wherein the plurality of authentication messages include Kerberos messages and the new authentication message is a Kerberos message.
  - 24. The network system of claim 17, wherein the new authentication message is an intercepted message, such that the generation of the assessment occurs before a determination of whether to transmit the new secure ticket message to the target application.
  - 25. The network system of claim 17, wherein the plurality of authentication messages include ticket-granting ticket requests.
  - 26. The network system of claim 17, wherein the plurality of authentication messages include service ticket requests.

27. A computer-implemented method for performing potentially malicious activity detection operations, comprising:
- receiving data associated with a plurality of authentication messages, wherein at least some of the received data includes secure ticket data, the authentication messages having been communicated over a network;
  
  analyzing the received data associated with the plurality of authentication messages;
  
  determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages, wherein a characteristic from the plurality of characteristics includes the secure ticket data;
  
  receiving data associated with a new authentication message communicated over the network;
  
  determining a plurality of characteristics of the data associated with the new authentication message;
  
  comparing at least one determined characteristic of the new authentication message data with at least one of;
  
  a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and
  
  generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
- View Dependent Claims (28, 29, 30)
- - 28. The computer-implemented method of claim 27, wherein the comparing includes determining whether an encryption type associated with the new authentication message data matches an encryption type associated with the received data from the plurality of authentication messages.
  - 29. The computer-implemented method of claim 27, wherein the comparing includes determining whether the new authentication message data includes a ticket that is also included in the received data from the plurality of authentication messages.
  - 30. The computer-implemented method of claim 27, wherein the comparing includes:
    - determining whether the new authentication message data includes a ticket;
      
      identifying a machine from which the new authentication message data originated; and
      
      ascertaining whether the ticket was previously sent to the machine from which the new authentication message originated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
Cyber-Ark Software Limited (CyberArk Software Ltd.)
Inventors
Dulkin, Andrey, Lazarovitz, Lavi

Granted Patent

US 10,044,726 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Detecting and Reacting to Malicious Activity in Computer Networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links