Detecting and defending against man-in-the-middle attacks

US 8,533,821 B2
Filed: 05/25/2007
Issued: 09/10/2013
Est. Priority Date: 05/25/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A system for defending against man in the middle (MITM) attacks directed at a target server, comprising:

an activity recording system that records an incoming IP address, user id, and time of each session occurring with the target server;

a list checking system for performing the following;

comparing a single incoming IP address with a white list; and

comparing the single incoming IP address with a black list after the comparing of the single incoming IP address with the white list in the case that the single incoming IP address is not present on the white list;

an activity analysis system that performs the following after the list checking system compares the single incoming IP address with the black list, in the case that the single incoming IP address is not present on the black list;

searches for records of a previous login attempt from the single incoming IP address;

determines a number of user ids occurring from the single incoming IP address during a predefined time period;

compares the number of user ids occurring from the single incoming IP address to a predefined threshold number of user ids specific to the predefined time period; and

identifies the single incoming IP address as a suspect IP address in response to the number of user ids occurring from the single incoming IP address exceeding the threshold within the predefined time period,wherein the activity analysis system includes a first value N that represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt that represents a time frame, and wherein if there are more than N sessions with the single incoming IP address during a time period less than T, the single incoming IP address is identified as a suspect IP address; and

a countermeasure system for taking action against the suspect IP address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program product for defending against man in the middle (MITM) attacks directed at a target server. A system is provided that includes an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server; an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and a countermeasure system for taking action against suspect IP addresses.

182 Citations

13 Claims

1. A system for defending against man in the middle (MITM) attacks directed at a target server, comprising:
- an activity recording system that records an incoming IP address, user id, and time of each session occurring with the target server;
  
  a list checking system for performing the following;
  
  comparing a single incoming IP address with a white list; and
  
  comparing the single incoming IP address with a black list after the comparing of the single incoming IP address with the white list in the case that the single incoming IP address is not present on the white list;
  
  an activity analysis system that performs the following after the list checking system compares the single incoming IP address with the black list, in the case that the single incoming IP address is not present on the black list;
  
  searches for records of a previous login attempt from the single incoming IP address;
  
  determines a number of user ids occurring from the single incoming IP address during a predefined time period;
  
  compares the number of user ids occurring from the single incoming IP address to a predefined threshold number of user ids specific to the predefined time period; and
  
  identifies the single incoming IP address as a suspect IP address in response to the number of user ids occurring from the single incoming IP address exceeding the threshold within the predefined time period,wherein the activity analysis system includes a first value N that represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt that represents a time frame, and wherein if there are more than N sessions with the single incoming IP address during a time period less than T, the single incoming IP address is identified as a suspect IP address; and
  
  a countermeasure system for taking action against the suspect IP address.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the countermeasure system causes a login session to fail.
  - 3. The system of claim 1, wherein the countermeasure system causes a session to terminate in response to the identifying of the single incoming IP address as a suspect address.
  - 4. The system of claim 1, wherein the countermeasure system causes the suspect IP address to be outputted.

5. A computer program product stored on a non-transitory computer readable medium, which when executed includes program instructions for defending against man in the middle (MITM) attacks directed at a target server, the program product comprising:
- program instructions for recording an incoming IP address, user id, and time of each session occurring with the target server;
  
  program instructions for comparing the incoming IP address with a white list;
  
  program instructions for comparing the incoming IP address with a black list after the comparing of the incoming IP address with the white list in the case that the incoming IP address is not present on the white list;
  
  program instructions for searching for records of a previous login attempt from the single incoming IP address;
  
  program instructions for identifying suspect IP addresses by determining a number of user ids occurring from the single incoming IP address during a predefined time period after the comparing of the incoming IP address with the black list, in the case that the single incoming IP address is not present on the black list;
  
  program instructions for comparing the number of user ids occurring from the single incoming IP address to a predefined threshold number of user ids specific to the predefined time period;
  
  program instructions for identifying the single incoming IP address as a suspect IP address in response to the number of user ids occurring from the single incoming IP address exceeding the threshold within the predefined time period,wherein a first value N represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt represents a time frame, and wherein if there are more than N sessions with the single incoming IP address during a time period less than T, the single incoming IP address is identified as a suspect IP address; and
  
  program instructions for taking defensive action against the suspect IP address.
- View Dependent Claims (6, 7, 8)
- - 6. The program product of claim 5, wherein the defensive action causes a login session to fail.
  - 7. The program product of claim 5, wherein the defensive action causes a session to terminate in response to the identifying of the single incoming IP address as a suspect address.
  - 8. The program product of claim 5, wherein the defensive action causes the suspect IP address to be outputted.

9. A computer-implemented method performed on at least one computing device for defending against man in the middle (MITM) attacks directed at a target server, the method comprising:
- recording an incoming IP address, user id, and time of each session occurring with the target server using the at least one computing device;
  
  comparing the incoming IP address with a white list;
  
  comparing the incoming IP address with a black list after the comparing of the incoming IP address with the white list in the case that the incoming IP address is not present on the white list;
  
  searching for records of a previous login attempt from the single incoming IP address;
  
  identifying suspect IP addresses by determining a number of user ids occurring from the single incoming IP address during a predefined time period after the comparing of the incoming IP address with the black list, in the case that the single incoming IP address is not present on the black list;
  
  comparing the number of user ids occurring from the single incoming IP address to a predefined threshold number of user ids specific to the predefined time period;
  
  identifying the single incoming IP address as a suspect IP address in response to the number of user ids occurring from the single incoming IP address exceeding the threshold within the predefined time period,wherein a first value N represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt represents a time frame, and wherein if there are more than N sessions with the single incoming IP address during a time period less than T, the single incoming IP address is identified as a suspect IP address; and
  
  taking defensive action against the suspect IP address using the at least one computing device.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the defensive action causes a login session to fail.
  - 11. The method of claim 9, wherein the defensive action causes a session to terminate in response to the identifying of the single incoming IP address as a suspect address.
  - 12. The method of claim 9, wherein the defensive action causes the suspect IP address to be outputted.

13. A method for deploying a system for defending against man in the middle (MITM) attacks directed at a target server, comprising:
- providing a computer infrastructure being operable to;
  
  record an incoming IP address, user id, and time of each session occurring with the target server;
  
  compare the incoming IP address with a white list;
  
  compare the incoming IP address with a black list after the comparing of the incoming IP address with the white list in the case that the incoming IP address is not present on the white list;
  
  search for records of a previous login attempt from the single incoming IP address;
  
  identify suspect IP addresses by determining a number of user ids occurring from the single incoming IP address during a predefined time period after the comparing of the incoming IP address with the black list, in the case that the single incoming IP address is not present on the black list;
  
  compare the number of user ids occurring from the single incoming IP address to a predefined threshold number of user ids specific to the predefined time period;
  
  identify the single incoming IP address as a suspect IP address in response to the number of user ids occurring from the single incoming IP address exceeding the threshold within the predefined time period,wherein a first value N represents a number of sessions along with a threshold value Nt and a second value T and its associated threshold value Tt represents a time frame, and wherein if there are more than N sessions with the single incoming IP address during a time period less than T, the single incoming IP address is identified as a suspect IP address; and
  
  take defensive action against the suspect IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Crume, Jeffery L.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US11/753,673
Publication Number

US 20080295169A1
Time in Patent Office

2,300 Days
Field of Search

726 22- 26, 713/165, 713/172, 713/181, 713/182
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Detecting and defending against man-in-the-middle attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

182 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Detecting and defending against man-in-the-middle attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

182 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others