INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS

US 20160344768A1
Filed: 05/20/2015
Published: 11/24/2016
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. A data processing method comprising:

a central computer receiving telemetry data from a plurality of intrusion sensors;

the central computer storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;

the central computer receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;

the central computer determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and

the central computer generating an intrusion alert when no matching record is found.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.

8 Citations

20 Claims

1. A data processing method comprising:
- a central computer receiving telemetry data from a plurality of intrusion sensors;
  
  the central computer storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
  
  the central computer receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;
  
  the central computer determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record; and
  
  the central computer generating an intrusion alert when no matching record is found.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the plurality of intrusion sensors comprises two intrusion sensors that are assigned internet protocol (IP) addresses that differ by at least one of:
    - routing prefix, network prefix, and subnet number.
  - 3. The method of claim 1 further comprising the central computer instructing a second intrusion sensor to request a second particular public key certificate from the suspect sender computer of the suspect record.
  - 4. The method of claim 3 wherein the instructing comprises the central computer instructing the second intrusion sensor to periodically request the second particular public key certificate from the suspect sender computer of the suspect record.
  - 5. The method of claim 3 wherein each authentication record optionally comprises a request uniform resource locator (URL) to which the suspect sender computer of the authentication record previously responded, and wherein the instructing comprises the central computer transferring the request URL to the second intrusion sensor.
  - 6. The method of claim 3 wherein each authentication record comprises a plurality of request packets to which the suspect sender computer of the authentication record previously responded, and wherein the instructing comprises the central computer transferring the plurality of request packets to the second intrusion sensor.
  - 7. The method of claim 1 wherein generating the intrusion alert comprises the central computer generating the intrusion alert only if a training period has finished.
  - 8. The method of claim 1 wherein generating the intrusion alert comprises the central computer generating the intrusion alert only if the central computer determines that a hosts whitelist does not contain the first particular host identifier of the suspect sender computer.
  - 9. The method of claim 1 wherein each authentication record comprises an expiration date value, wherein the suspect record comprises an expiration date value, wherein the matching record has a same expiration date value as the suspect record.
  - 10. The method of claim 1 wherein each authentication record optionally comprises a media access control (MAC) address of the suspect sender computer of the authentication record, wherein the suspect record comprises a MAC address of the suspect sender computer, and wherein the matching record has a same MAC address as the suspect sender computer.
  - 11. The method of claim 1 wherein each authentication record optionally comprises a port number that the suspect sender computer of the authentication record listened on, wherein the suspect record comprises a port number that the suspect sender computer listened on, and wherein the matching record has a same port number as the suspect record.
  - 12. The method of claim 1 wherein each authentication record optionally comprises a transport protocol identifier that the suspect sender computer of the authentication record used, wherein the suspect record comprises transport protocol identifier that the suspect sender computer used, and wherein the matching record has a same transport protocol identifier as the suspect record.
  - 13. The method of claim 1 further comprising the central computer generating an intrusion alert if the central computer determines that a thumbprint blacklist contains the first particular thumbprint of the suspect record.
  - 14. The method of claim 1 wherein the first particular thumbprint of the suspect record is of a public key certificate that is not signed by a trusted certificate authority.
  - 15. The method of claim 1 wherein each authentication record comprises a public key certificate of the suspect sender computer of the authentication record, wherein the suspect record comprises the first particular public key certificate of the suspect sender computer, and wherein the matching record has a same public key certificate as the suspect sender computer.
  - 16. The method of claim 1 wherein generating the intrusion alert comprises the central computer inserting into the hosts database an authentication record based on the suspect record.

17. A device comprising:
- a hosts database configured to store authentication records, wherein each authentication record is based on telemetry data from a plurality of intrusion sensors and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
  
  a processor connected to the hosts database and programmed to;
  
  receive telemetry data from a plurality of intrusion sensors;
  
  receive a suspect record sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;
  
  determine whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record;
  
  generate an intrusion alert when no matching record is found.
- View Dependent Claims (18)
- - 18. The device of claim 17 wherein the plurality of intrusion sensors comprises two intrusion sensors that are assigned internet protocol (IP) addresses that differ by at least one of:
    - routing prefix, network prefix, and subnet number.

19. A plurality of non-transitory computer-readable storage media storing instructions which, when executed by a plurality of processors, cause:
- receiving telemetry data from a plurality of intrusion sensors;
  
  storing authentication records in a hosts database, wherein each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer;
  
  receiving a suspect record that was sent by a first intrusion sensor and comprising a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender computer;
  
  determining whether the hosts database contains a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record;
  
  generating an intrusion alert when no matching record is found.
- View Dependent Claims (20)
- - 20. The computer-readable storage media of claim 19 wherein the plurality of intrusion sensors comprises two intrusion sensors that are assigned internet protocol (IP) addresses that differ by at least one of:
    - routing prefix, network prefix, and subnet number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
MCGREW, DAVID, RIGOUDY, TITOUAN

Granted Patent

US 9,699,202 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTRUSION DETECTION TO PREVENT IMPERSONATION ATTACKS IN COMPUTER NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links