System and method for network security including detection of attacks through partner websites

US 8,627,479 B2
Filed: 03/01/2011
Issued: 01/07/2014
Est. Priority Date: 03/01/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium with instructions for execution on a host computer, comprising instructions to:

(i) record a relationship between a partner site and the host computer;

(ii) substitute a reference to the partner site with a partner site alias referencing the host computer;

(iii) deliver the partner site alias to a client;

(iv) replace the partner site alias for the reference to the partner site in response to receiving the partner site alias from the client;

(v) augment an address of the client with an address alias;

(vi) send the address alias to the partner site;

(vii) receive from the partner site a partner action and the address alias;

(viii) exchange the address for the address alias;

(ix) deliver the partner action to the client utilizing the address;

(x) monitor (ii) through (ix) to identify client activity that constitutes a security threat at the host computer or the partner site; and

(xi) implement a remedial action in response to the security threat, wherein the remedial action is selected from blocking the client, delaying the client, diverting the client to a harmless webpage and supplying the client with spoofed information.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer readable storage medium with instructions executable on a host computer. The instructions record a relationship between a partner site and the host computer, substitute a reference to the partner site with a partner site alias referencing the host computer, deliver the partner site alias to a client, replace the partner site alias for the reference to the partner site in response to receiving the partner site alias from the client and augment the address of the client with an address alias. The address alias is sent to the partner site. A partner action and the address alias are received from the partner site. The address is exchanged for the address alias. The partner action is delivered to the client utilizing the address. These operations are monitored to identify client activity that constitutes a security threat at the host computer or the partner site.

79 Citations

View as Search Results

21 Claims

1. A non-transitory computer readable storage medium with instructions for execution on a host computer, comprising instructions to:
- (i) record a relationship between a partner site and the host computer;
  
  (ii) substitute a reference to the partner site with a partner site alias referencing the host computer;
  
  (iii) deliver the partner site alias to a client;
  
  (iv) replace the partner site alias for the reference to the partner site in response to receiving the partner site alias from the client;
  
  (v) augment an address of the client with an address alias;
  
  (vi) send the address alias to the partner site;
  
  (vii) receive from the partner site a partner action and the address alias;
  
  (viii) exchange the address for the address alias;
  
  (ix) deliver the partner action to the client utilizing the address;
  
  (x) monitor (ii) through (ix) to identify client activity that constitutes a security threat at the host computer or the partner site; and
  
  (xi) implement a remedial action in response to the security threat, wherein the remedial action is selected from blocking the client, delaying the client, diverting the client to a harmless webpage and supplying the client with spoofed information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer readable storage medium of claim 1 further comprising executable instructions to analyze a logical structure of the partner site.
  - 3. The computer readable storage medium of claim 2 further comprising executable instructions to analyze intercepted communications between the client and the partner site to evaluate the logical structure of the partner site.
  - 4. The computer readable storage medium of claim 2 further comprising executable instructions to prepare a partner web site map detailing intrinsic linkages among web pages, intrinsic access levels, intrinsic privilege levels and intrinsic security levels.
  - 5. The computer readable storage medium of claim 2 wherein the executable instructions to monitor include executable instructions to evaluate security flaws in the logical structure of the partner site.
  - 6. The computer readable storage medium of claim 2 wherein the executable instructions to monitor include executable instructions to determine whether an observed transition is consistent with the logical structure of the partner site.
  - 7. The computer readable storage medium of claim 2 wherein the executable instructions to monitor include executable instructions to produce a session threat score based upon the monitoring and the logical structure of the partner site.
  - 8. The computer readable storage medium of claim 2 further comprising executable instructions to issue a warning to the partner site in response to an identification of a structural security flaw in the logical structure of the partner site.
  - 9. The computer readable storage medium of claim 1 wherein the instructions to monitor include executable instructions to detect appearance of a new service that is inconsistent with a pre-existing list of partner site services.
  - 10. The computer readable storage medium of claim 1 further comprising executable instructions to reconstruct a plurality of partner site sessions to identify the security threat.
  - 11. The computer readable storage medium of claim 1 further comprising executable instructions to encrypt communications between the host computer and the client.
  - 12. The computer readable storage medium of claim 1 further comprising executable instructions to encrypt communications between the host computer and the partner site.
  - 13. The computer readable storage medium of claim 1 wherein the host computer is configured as a dedicated physical server, a virtual server shared with other services, a portion of a sever farm or a virtual server farm in a computing cloud.
  - 14. The computer readable storage medium of claim 1 wherein the instructions to monitor include executable instructions to access security information from client-facing data centers or internal service data centers.
  - 15. The computer readable storage medium of claim 1 further comprising executable instructions to warn a victim of the security threat utilizing an independent communication channel.
  - 16. The computer readable storage medium of claim 1 wherein the host computer is controlled by a first party;
    - and wherein the instructions to substitute the reference to the partner site with the partner site alias include instructions to;
      
      receive, from a third-party controlling the partner site, web content including (i) third-party material for presentation to a user of the client and (ii) a third-party hyperlink which identifies the partner site, the third-party being different than the first party controlling the host computer,generate, by the host computer, a webpage having modified web content, the modified web content including (i) the third-party material for presentation to the user of the client and (ii) a host computer hyperlink in place of the third-party hyperlink, the host computer hyperlink identifying the host computer, andprovide the webpage having the modified web content to the client.
  - 17. The computer readable storage medium of claim 16, further comprising instructions to:
    - perform network address translation to enable the client and the partner site to exchange information across different networks.
  - 18. The computer readable storage medium of claim 16 wherein each of the client, the host computer and the partner site resides on a public network;
    - and wherein the instructions to provide the webpage having the modified web content to the client include instructions to;
      
      sending, from the host computer, a webpage which includes the host computer hyperlink identifying the host computer, a host computer IP address to identify a network source of the webpage, and a client IP address to identify a network destination of the webpage.

19. In a host computer controlled by a first party, a method of providing security, comprising:
- receiving, from a third-party controlling a partner site, web content including (i) third-party material for presentation to a user of a client device and (ii) a third-party hyperlink which identifies the partner site, the third-party being different than the first party controlling the host computer;
  
  generating, by the host computer, a webpage having modified web content, the modified web content including (i) the third-party material for presentation to the user of the client device and (ii) a host computer hyperlink in place of the third-party hyperlink, the host computer hyperlink identifying the host computer;
  
  providing the webpage having the modified web content to the client device;
  
  receiving a client message from the client device, the client message including (i) a request to access a resource of the partner site and (ii) a client address identifying the client device;
  
  generating a proxy message based on the client message, the proxy message including (i) the request to access a resource of the partner site and (ii) a proxy address identifying the host computer;
  
  providing the proxy message to the partner site;
  
  receiving a partner action message from the partner site in response to the proxy message, the partner action message including (i) a partner action response and (ii) a partner site address identifying the partner site;
  
  generating a proxy action message based on the partner action message, the proxy action message, the partner action message including (i) the partner action response and (ii) a proxy address identifying the host computer;
  
  providing the proxy action message to the client device;
  
  monitoring communications between the client device and the partner site through the host computer to identify security threats resulting from the communications; and
  
  implementing a remedial action in response to an identified security threat, the remedial action being selected from blocking the client device, delaying the client device, diverting the client device to a harmless webpage and supplying the client device with spoofed information.

20. A network security apparatus, comprising:
- a communications interface;
  
  memory; and
  
  processing circuitry coupled to the communications interface and the memory, the memory storing instructions which, when carried out by the processing circuitry, cause the processing circuitry to;
  
  receive, from a third-party controlling a partner site, web content including (i) third-party material for presentation to a user of a client device and (ii) a third-party hyperlink which identifies the partner site, the third-party being different than the first party controlling the host computer,generate, by the host computer, a webpage having modified web content, the modified web content including (i) the third-party material for presentation to the user of the client device and (ii) a host computer hyperlink in place of the third-party hyperlink, the host computer hyperlink identifying the host computer,provide the webpage having the modified web content to the client device,receive a client message from the client device, the client message including (i) a request to access a resource of the partner site and (ii) a client address identifying the client device,generate a proxy message based on the client message, the proxy message including (i) the request to access a resource of the partner site and (ii) a proxy address identifying the host computer;
  
  provide the proxy message to the partner site,receive a partner action message from the partner site in response to the proxy message, the partner action message including (i) a partner action response and (ii) a partner site address identifying the partner site,generate a proxy action message based on the partner action message, the proxy action message, the partner action message including (i) the partner action response and (ii) a proxy address identifying the host computer,provide the proxy action message to the client device,monitor communications between the client device and the partner site through the host computer to identify security threats resulting from the communications;
  
  implement a remedial action in response to an identified security threat, the remedial action being selected from blocking the client device, delaying the client device, diverting the client device to a harmless webpage and supplying the client device with spoofed information.

21. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provide security, the set of instructions, when carried out by a host computer controlled by a first party, causing the host computer to perform a method of:
- receiving, from a third-party controlling a partner site, web content including (i) third-party material for presentation to a user of a client device and (ii) a third-party hyperlink which identifies the partner site, the third-party being different from the first party controlling the host computer;
  
  generating, by the host computer, a webpage having modified web content, the modified web content including (i) the third-party material for presentation to the user of the client device and (ii) a host computer hyperlink in place of the third-party hyperlink, the host computer hyperlink identifying the host computer;
  
  providing the webpage having the modified web content to the client device;
  
  receiving a client message from the client device, the client message including (i) a request to access a resource of the partner site and (ii) a client address identifying the client device;
  
  generating a proxy message based on the client message, the proxy message including (i) the request to access a resource of the partner site and (ii) a proxy address identifying the host computer;
  
  providing the proxy message to the partner site;
  
  receiving a partner action message from the partner site in response to the proxy message, the partner action message including (i) a partner action response and (ii) a partner site address identifying the partner site;
  
  generating a proxy action message based on the partner action message, the proxy action message, the partner action message including (i) the partner action response and (ii) a proxy address identifying the host computer;
  
  providing the proxy action message to the client device;
  
  monitoring communications between the client device and the partner site through the host computer to identify security threats resulting from the communications; and
  
  implementing a remedial action in response to an identified security threat, the remedial action being selected from blocking the client device, delaying the client device, diverting the client device to a harmless webpage and supplying the client device with spoofed information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Wittenstein, Andreas, Eynon, Mike, Mather, Laura, Lloyd, Jim, Frantz, Matt
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/038,280
Publication Number

US 20110214187A1
Time in Patent Office

1,043 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 16/9566   URL specific, e.g. using al...

H04L 2101/663   Transport layer addresses, ...

H04L 61/301   Name conversion

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

System and method for network security including detection of attacks through partner websites

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network security including detection of attacks through partner websites

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links