TECHNIQUES FOR SECURELY DETECTING COMPROMISES OF ENTERPRISE END STATIONS UTILIZING TUNNEL TOKENS

US 20200137026A1
Filed: 12/30/2019
Published: 04/30/2020
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network, comprising:

receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; and

transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for determining whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network. The method includes receiving, at a tunnel gateway server within the cloud network, a first set of packets via a tunnel across a public network from a first server within the enterprise network, where the first set of packets were generated responsive to the first server receiving a second set of packets that originated from within the enterprise network and that included data and a source enterprise network address, where the first set of packets does not include the source enterprise network address and the data includes a token. The method further includes transmitting, by the tunnel gateway server, the data within a third set of packets to a second server that acts as if it were an enterprise server within the enterprise network.

14 Citations

View as Search Results

20 Claims

1. A method in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network, comprising:
- receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; and
  
  transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for determining whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - identifying, by the tunnel gateway server, one trap server of a plurality of trap servers, based on the first set of one or more packets, to be the second server to which the data is transmitted.
  - 3. The method of claim 2, wherein the identification of the one trap server to be the second server is based on a client identifier included within the first set of one or more packets.
  - 4. The method of claim 2, wherein the identification of the one trap server to be the second server is based on a protocol used within the data.
  - 5. The method of claim 2, wherein the identification of the one trap server to be the second server is based on a source address of the first set of one or more packets.
  - 6. The method of claim 1, further comprising:
    - receiving, at the tunnel gateway server, a fourth set of one or more packets carrying response data that was generated by the second server based at least in part on the data included within the third set of one or more packets, wherein the fourth set of one or more packets does not include the source enterprise network address.
  - 7. The method of claim 6, further comprising:
    - transmitting, by the tunnel gateway server, a fifth set of one or more packets carrying the response data that was generated by the second server to the first server via the tunnel across the public network, wherein the first server can determine the source enterprise network address to be used as a destination for the response data and can transmit the response data accordingly using the source enterprise network address as a destination address.
  - 8. The method of claim 1, wherein the token was placed upon an enterprise end station within the enterprise network that originated the second set of one or more packets, wherein the token appears to be useful for accessing the first server or a resource provided by the first server.
  - 9. The method of claim 1, further comprising:
    - monitoring, by a traffic monitoring module within the cloud network that is implemented by one or more electronic devices, traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server; and
      
      providing, by the traffic monitoring module, alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets.
  - 10. The method of claim 9, wherein the providing the alert data to the enterprise network causes one or more security measures to be deployed in the enterprise network that monitor or block traffic, increase an amount of logging or monitoring, or notify a particular enterprise user.
  - 11. The method of claim 1, wherein the identifier is an encrypted version of the source enterprise network address.
  - 12. The method of claim 1, wherein the first set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address.

13. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors of a device, causes the device to implement a tunnel gateway server in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network by performing operations comprising:
- receiving a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; and
  
  transmitting the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for determining whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.
- View Dependent Claims (14, 15, 16)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the operations further comprise:
    - identifying one trap server of a plurality of trap servers, based on the first set of one or more packets, to be the second server to which the data is transmitted.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the operations further comprise:
    - receiving a fourth set of one or more packets carrying response data that was generated by the second server based at least in part on the data included within the third set of one or more packets, wherein the fourth set of one or more packets does not include the source enterprise network address.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the operations further comprise:
    - transmitting a fifth set of one or more packets carrying the response data that was generated by the second server to the first server via the tunnel across the public network, wherein the first server can determine the source enterprise network address to be used as a destination for the response data and can transmit the response data accordingly using the source enterprise network address as a destination address.

17. A network device, comprising:
- one or more processors; and
  
  a non-transitory computer-readable storage medium having instructions stored therein which, when executed by the one or more processors, causes the device to implement a tunnel gateway server in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network by being adapted to;
  
  receive a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token andtransmit the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for determining whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.
- View Dependent Claims (18, 19, 20)
- - 18. The network device of claim 17, wherein the token was placed upon an enterprise end station within the enterprise network that originated the second set of one or more packets, wherein the token appears to be useful for accessing the first server or a resource provided by the first server.
  - 19. The network device of claim 17, wherein the identifier is an encrypted version of the source enterprise network address.
  - 20. The network device of claim 17, wherein the first set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
SHULMAN, Amichai, DULCE, Sagie, GOIHMAN-SHUSTER, Daniella, BEN-HADOR, Shahar

Granted Patent

US 11,533,295 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 45/745   Address table lookup; Addre...

H04L 61/103   across network layers, e.g....

H04L 61/2514   between local and global IP...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

TECHNIQUES FOR SECURELY DETECTING COMPROMISES OF ENTERPRISE END STATIONS UTILIZING TUNNEL TOKENS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR SECURELY DETECTING COMPROMISES OF ENTERPRISE END STATIONS UTILIZING TUNNEL TOKENS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links