Detecting man-in-the-middle attacks via security transitions
First Claim
1. A computer-implemented method of detecting a possible network security breach occurring during a network interaction involving a client computer, the method comprising:
- establishing a page list comprising, for each of a plurality of transitions from a source web page to a destination web page, an identifier of the source web page, an identifier of the destination web page, and a representation of an expected security level associated with the transition;
- detecting a transition from a first web page to a second web page within a browser associated with the client computer;
- responsive to detecting the transition from the first web page to the second web page, identifying a site that comprises the first web page and the second web page in a site list comprising a list of sites to be protected;
- detecting a security level associated with the transition from the first web page to the second web page;
- responsive to identifying the site in the site list, identifying an expected security level associated with the transition from the first web page to the second web page using the page list;
- determining whether the detected security level is lower than the identified expected security level; and
- responsive to the identified detected security level being lower than the identified expected security level, performing a remedial action.
Abstract
A page list comprising a list of transitions between network resources is established. Subsequently, a transition is detected between a first network resource and a second network resource. An expected security level associated with the transition is identified based on the page list. Responsive to the detected security level being determined to be lower than the expected security level, a remedial action is performed.
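The check described in claim 1 and the abstract can be sketched as follows. This is an added example, not code from the patent: the two-level http/https ordering, the `bank.example` site, the use of the destination URL's scheme as the detected security level, and all function and verdict names are assumptions made for illustration.

```javascript
// Assumed ordering of security levels; the claims only require that levels be comparable.
const LEVELS = { http: 0, https: 1 };

// Site list: sites to be protected (constructed sample).
const siteList = new Set(["bank.example"]);

// Page list: source page, destination page, expected security level (constructed sample).
const pageList = [
  { source: "bank.example/", destination: "bank.example/login", expected: "https" },
  { source: "bank.example/login", destination: "bank.example/account", expected: "https" },
  { source: "bank.example/", destination: "bank.example/about", expected: "http" },
];

// Page identifier without the scheme, because the scheme is what is being checked.
function pageId(url) {
  const u = new URL(url);
  return u.hostname + u.pathname;
}

const pageIndex = new Map(
  pageList.map((e) => [`${e.source} -> ${e.destination}`, e.expected])
);

// Assumption: the security level of a transition is the scheme of the destination page.
function detectedLevel(url) {
  return new URL(url).protocol === "https:" ? "https" : "http";
}

function checkTransition(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // The site must comprise both pages and appear in the site list.
  if (from.hostname !== to.hostname || !siteList.has(to.hostname)) {
    return { verdict: "unprotected-site" };
  }
  const expected = pageIndex.get(`${pageId(fromUrl)} -> ${pageId(toUrl)}`);
  if (expected === undefined) {
    return { verdict: "not-listed" };
  }
  const detected = detectedLevel(toUrl);
  if (LEVELS[detected] < LEVELS[expected]) {
    // Lower than expected: the caller performs its remedial action here.
    return { verdict: "downgrade", expected, detected };
  }
  return { verdict: "ok", expected, detected };
}
```

A transition that arrives at a higher level than the page list expects is not flagged; only a level lower than expected triggers the remedial branch.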
20 Claims
9. A non-transitory computer-readable storage medium storing a computer program executable by a processor for detecting a possible network security breach occurring during a network interaction involving a client computer, actions of the computer program comprising:
- establishing a page list comprising, for each of a plurality of transitions from a source web page to a destination web page, an identifier of the source web page, an identifier of the destination web page, and a representation of an expected security level associated with the transition;
- detecting a transition from a first web page to a second web page within a browser associated with the client computer;
- responsive to detecting the transition from the first web page to the second web page, identifying a site that comprises the first web page and the second web page in a site list comprising a list of sites to be protected;
- detecting a security level associated with the transition from the first web page to the second web page;
- responsive to identifying the site in the site list, identifying an expected security level associated with the transition from the first web page to the second web page using the page list;
- determining whether the detected security level is lower than the identified expected security level; and
- responsive to the identified detected security level being lower than the identified expected security level, performing a remedial action.
16. A computer-implemented system for detecting a possible network security breach occurring during a network interaction involving a client computer, comprising:
- a cache containing a page list comprising, for each of a plurality of transitions from a source web page to a destination web page, an identifier of the source web page, an identifier of the destination web page, and a representation of an expected security level associated with the transition;
- a security module performing actions comprising:
  - detecting a transition from a first web page to a second web page within a browser associated with the client computer;
  - responsive to detecting the transition from the first web page to the second web page, identifying a site that comprises the first web page and the second web page in a site list comprising a list of sites to be protected;
  - detecting a security level associated with the transition from the first web page to the second web page;
  - responsive to identifying the site in the site list, identifying an expected security level associated with the transition from the first web page to the second web page using the page list;
  - determining whether the detected security level is lower than the identified expected security level; and
  - responsive to the identified detected security level being lower than the identified expected security level, performing a remedial action.
Specification