Protection against impersonation attacks

US 8,296,844 B2
Filed: 03/20/2008
Issued: 10/23/2012
Est. Priority Date: 03/21/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computing method, comprising:

running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment, wherein general-purpose operations performed in the first operating environment do not affect operation of the second operating environment, wherein in the protected communication session the second operating environment exchanges transaction data with the server via a security protocol, the first operating environment including an operating system and the second operating environment including an operating system separate from the operating system of the first operating environment, wherein the first operating environment does not interact with the server in the protected communication session;

detecting by a program running in the second operating environment an illegitimate communication session in the first operating environment that interacts with the first operating environment, including detecting via pattern recognition an impersonation attack that imitates at least a portion of characteristic elements of the protected communication session in the first operating environment to imitate the protected communication session in the first operating environment, wherein the characteristic elements include graphical user interface (GUI) features associated with the protected communication session that are not expected to be used in the first operating environment; and

automatically inhibiting the detected impersonation attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing method includes running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment. A program running in the second operating environment detects an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment. The detected attempt is inhibited automatically.

75 Citations

View as Search Results

33 Claims

1. A computing method, comprising:
- running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment, wherein general-purpose operations performed in the first operating environment do not affect operation of the second operating environment, wherein in the protected communication session the second operating environment exchanges transaction data with the server via a security protocol, the first operating environment including an operating system and the second operating environment including an operating system separate from the operating system of the first operating environment, wherein the first operating environment does not interact with the server in the protected communication session;
  
  detecting by a program running in the second operating environment an illegitimate communication session in the first operating environment that interacts with the first operating environment, including detecting via pattern recognition an impersonation attack that imitates at least a portion of characteristic elements of the protected communication session in the first operating environment to imitate the protected communication session in the first operating environment, wherein the characteristic elements include graphical user interface (GUI) features associated with the protected communication session that are not expected to be used in the first operating environment; and
  
  automatically inhibiting the detected impersonation attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein running the second operating environment comprises verifying a trustworthiness of the second operating environment by a central management system that is external to the user computer.
  - 3. The method according to claim 1, wherein detecting the impersonation attack comprises predefining an element that appears in the protected communication session and is unlikely to appear in communication session other than the protected communication session, and identifying that the predefined element appears in the illegitimate communication session.
  - 4. The method according to claim 3, wherein predefining the element comprises accepting a definition of the element from a central management system that is external to the user computer.
  - 5. The method according to claim 1, wherein the protected communication session displays a Graphical User Interface (GUI) comprising a characteristic GUI feature, and wherein detecting the impersonation attack comprises detecting that a suspected communication session interacting with the first operating environment displays a GUI feature imitating the characteristic GUI feature.
  - 6. The method according to claim 5, wherein detecting the impersonation attack comprises reading a frame buffer, which stores a graphical image that is displayed in the user computer during the suspected communication session, and detecting the GUI feature imitating the characteristic GUI feature in the frame buffer.
  - 7. The method according to claim 1, wherein detecting the impersonation attack comprises predefining a textual element that is characteristic of textual input that is provided by a user of the user computer during the protected communication session, monitoring input that is entered by the user during a suspected communication session interacting with the first operating environment and, responsively to detecting the textual element in the input, identifying the suspected communication session as illegitimate.
  - 8. The method according to claim 7, wherein the textual element comprises security credentials of the user.
  - 9. The method according to claim 7, wherein predefining the textual element comprises defining a characteristic format, and wherein detecting the textual element comprises detecting text that matches the characteristic format in the monitored input.
  - 10. The method according to claim 7, wherein monitoring the input comprises monitoring keystrokes of a keyboard of the user computer.
  - 11. The method according to claim 1, wherein the protected communication session provides a given content to the user computer, and wherein detecting the impersonation attack comprises detecting that a suspected communication session interacting with the first operating environment provides the given content to the user computer.
  - 12. The method according to claim 11, wherein detecting the impersonation attack comprises monitoring network traffic sent to the user computer with respect to the suspected communication session, and identifying the given content in the monitored network traffic.
  - 13. The method according to claim 12, wherein at least part of the network traffic sent to the user computer is encrypted, and wherein monitoring the network traffic comprises monitoring the at least part of the network traffic after the at least part of the network traffic has been decrypted by the first operating environment.
  - 14. The method according to claim 11, wherein detecting the impersonation attack comprises predefining an attribute of the given content, and detecting that the suspected communication session provides a data item having the attribute to the user computer.
  - 15. The method according to claim 1, wherein detecting the impersonation attack comprises monitoring a physical resource of the user computer by a virtualization layer of the user computer.
  - 16. The method according to claim 1, wherein inhibiting the impersonation attack comprises accepting a policy, which specifies an action for inhibiting the impersonation attack, from a central management system that is external to the user computer, and performing the action in accordance with the policy.

17. A user computer, comprising:
- an interface, which is operative to communicate with a server over a communication network; and
  
  a hardware processor, which is coupled to run a first operating environment, which is configured to perform general-purpose operations, and a second operating environment, which is configured expressly for interacting with the server in a protected communication session and is isolated from the first operating environment,wherein general-purpose operations performed in the first operating environment do not affect operation of the second operating environment,wherein in the protected communication session the second operating environment exchanges transaction data with the server via a security protocol,the first operating environment including an operating system and the second operating environment including an operating system separate from the operating system of the first operating environment, wherein the first operating environment does not interact with the server in the protected communication session,wherein the second operating environment is further configuredto detect an illegitimate communication session in the first operating environment that interacts with the first operating environment, including detecting via pattern recognition an impersonation attack that imitates at least a portion of characteristic elements of the protected communication session in the first operating environment to imitate the protected communication session in the first operating environment, wherein the characteristic elements include graphical user interface (GUI) features associated with the protected communication session that are not expected to be used in the first operating environment, andto automatically inhibit the detected impersonation attack.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The user computer according to claim 17, wherein the hardware processor is coupled to enable a central management system that is external to the user computer to verify a trustworthiness of the second operating environment.
  - 19. The user computer according to claim 17, wherein the hardware processor is coupled to predefine an element that appears in the protected communication session and is unlikely to appear in communication sessions other than the protected communication session, and to detect the impersonation attack by identifying that the predefined element appears in the illegitimate communication session.
  - 20. The user computer according to claim 19, wherein the hardware processor is coupled to accept a definition of the element from a central management system that is external to the user computer.
  - 21. The user computer according to claim 17, wherein the hardware processor is coupled to display during the protected communication session a Graphical User Interface (GUI) comprising a characteristic GUI feature, and to detect the impersonation attack by detecting that a suspected communication session interacting with the first operating environment displays a GUI feature imitating the characteristic GUI feature.
  - 22. The user computer according to claim 21, and comprising a frame buffer for storing graphical images that are displayed during communication sessions, wherein the hardware processor is coupled to detect the impersonation attack by reading the frame buffer during the suspected communication session and detecting the GUI feature imitating the characteristic GUI feature in the frame buffer.
  - 23. The user computer according to claim 17, wherein the hardware processor is coupled to predefine a textual element that is characteristic of textual input that is provided by a user of the user computer during the protected communication session, to monitor input that is entered by the user during a suspected communication session interacting with the first operating environment and, responsively to detecting the textual element in the input, to identify the suspected communication session as illegitimate.
  - 24. The user computer according to claim 23, wherein the textual element comprises security credentials of the user.
  - 25. The user computer according to claim 23, wherein the hardware processor is coupled to define a characteristic format, and to detect the textual element by detecting text that matches the characteristic format in the monitored input.
  - 26. The user computer according to claim 23, and comprising a keyboard, wherein the hardware processor is coupled to monitor the input by monitoring keystrokes of the keyboard.
  - 27. The user computer according to claim 17, wherein the interface is operative to receive a given content during the protected communication session, and wherein the hardware processor is coupled to detect the impersonation attack by detecting that the given content is received during a suspected communication session interacting with the first operating environment.
  - 28. The user computer according to claim 27, wherein the hardware processor is coupled to detect the impersonation attack by monitoring network traffic received via the interface with respect to the suspected communication session, and identifying the given content in the monitored network traffic.
  - 29. The user computer according to claim 28, wherein at least part of the received network traffic is encrypted, and wherein the hardware processor is coupled to decrypt the at least part of the network traffic in the first operating environment, and to monitor the decrypted at least part of the network traffic.
  - 30. The user computer according to claim 27, wherein the hardware processor is coupled to predefine an attribute of the given content, and to detect that a data item having the attribute is provided during the suspected communication session.
  - 31. The user computer according to claim 17, and comprising a virtualization layer for monitoring a physical resource of the user computer, wherein the hardware processor is coupled to detect the impersonation attack by monitoring the physical resource using the virtualization layer.
  - 32. The user computer according to claim 17, wherein the hardware processor is coupled to accept a policy, which specifies an action for inhibiting the impersonation attack, from a central management system that is external to the computer, and to perform the action in accordance with the policy.

33. A computer software product for use in a user computer, the computer software product comprising a non-transitory computer-readable storage medium, storing executable program instructions, which instructions, when executed by the user computer, cause the user computer to perform the operations of:
- communicating with a server over a communication network, to run a first operating environment for performing general-purpose operations, to run a second operating environment, which is configured expressly for interacting with the server in a communication session and is isolated from the first operating environment,wherein general-purpose operations performed in the first operating environment do not affect operation of the second operating environment,wherein in the protected communication session the second operating environment exchanges transaction data with the server via a security protocol,the first operating environment including an operating system and the second operating environment including an operating system separate from the operating system of the first operating environment, wherein the first operating environment does not interact with the server in the protected communication session,detecting by a program running in the second operating environment an illegitimate communication session in the first operating environment that interacts with the first operating environment, including detecting via pattern recognition an impersonation attack that imitates at least a portion of characteristic elements of the protected communication session in the first operating environment to imitate the protected communication session in the first operating environment, wherein the characteristic elements include graphical user interface (GUI) features associated with the protected communication session that are not expected to be used in the first operating environment, andautomatically inhibiting the detected impersonation attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation, Neocleus Israel Limited
Original Assignee
Intel Corporation
Inventors
Bogner, Etay
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US12/052,246
Publication Number

US 20080235794A1
Time in Patent Office

1,678 Days
Field of Search

726/22, 713/188, 713/153, 713/151
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

Protection against impersonation attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Protection against impersonation attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links