Detecting network attacks based on a hash
Abstract
Techniques for analyzing access to a network-based document may be provided. For example, a portion of the network-based document for hashing may be identified. A client hash of the portion may be accessed. The client hash may be based on an access of a client to the network-based document over a network. A provider hash of the portion may also be accessed. The provider hash may be based on a trusted version of the portion. The client hash and the provider hash may be compared. Based on the comparison, an issue associated with the access to the network-based document over the network may be detected.
20 Claims
1. A computer-implemented method, comprising:
- providing, by a computer system to a client device, a network-based document comprising an annotated portion and an object, the object configured to cause the client device to hash the annotated portion of the network-based document based at least in part on an access of the client to the network-based document over a data network, the access facilitated based at least in part on a domain name system record of the network-based document, the domain name system record available from a recursive name server of an Internet service provider;
- receiving, from the client device, a client hash of the annotated portion of the network-based document based at least in part on an instantiation of the object by the client device;
- generating, by the computer system, a trusted hash based at least in part on hashing a trusted version of the annotated portion of the network-based document;
- comparing, by the computer system, the client hash and the trusted hash;
- determining, based at least in part on the comparing, that the access of the client device to the network-based document involved an unauthorized redirection to the network-based document through the data network;
- generating a flag indicative of the unauthorized redirection;
- determining whether a number of unauthorized redirections through the data network exceeds a threshold based at least in part on the flag; and
- determining that the domain name system record of the network-based document available from the recursive name server of the Internet service provider has been altered based at least in part on the number of unauthorized redirections exceeding the threshold.
Dependent claims: 2, 3, 4.

5. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by one or more computing systems, configure the one or more computing systems to perform operations comprising:
- identifying a portion of a network-based document for hashing;
- accessing a client hash of the portion of the network-based document, the client hash generated based at least in part on an access of a client device to the network-based document and received from the client device based at least in part on data communication between at least a computing system of the one or more computing systems and the client device, the access of the client device to the network-based document facilitated based at least in part on a domain name system record stored at a computing resource of an Internet service provider;
- accessing a provider hash of the portion of the network-based document, the provider hash generated based at least in part on an access of at least a computing system of the one or more computing systems to a trusted version of the portion of the network-based document;
- comparing the client hash and the provider hash;
- determining that the client device was redirected to the network-based document based at least in part on the comparison of the client hash and the provider hash;
- determining a number of unauthorized redirections of accesses of client devices to the network-based document based at least in part on comparisons of client hashes and the provider hash; and
- detecting that the domain name system record has been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14.

15. A system, comprising:
- a memory configured to store computer-executable instructions; and
- a processor configured to access the memory and execute the computer-executable instructions to collectively at least:
  - provide a network-based document, the network-based document accessible to a client device over a network based at least in part on a domain name system record stored at a computing resource of an Internet service provider;
  - access a client hash of a portion of the network-based document, the portion identified based at least in part on an annotation associated with the portion, and the client hash generated based at least in part on an access of the client device to the network-based document over the network and received from the client device;
  - access a trusted hash of the portion of the network-based document, the trusted hash generated based at least in part on an access of the system to a trusted version of the portion of the network-based document;
  - compare the client hash and the trusted hash;
  - determine, based at least in part on the comparison of the client hash and the trusted hash, that the access of the client device to the network-based document comprises a redirection to the network-based document;
  - determine a number of unauthorized redirections of accesses of client devices to the network-based document based at least in part on comparisons of client hashes and the trusted hash; and
  - detect that the domain name system record has been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
Dependent claims: 16, 17, 18, 19, 20.
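As an added illustration, not code from the patent or its assignee, the following Python sketches the provider-side logic the claims describe: the client object and the provider hash the same annotated portion, a mismatch is flagged as an unauthorized redirection, flags are counted per recursive resolver, and a count above the threshold yields the determination that the DNS record was altered. The comment-marker annotation, SHA-256, the resolver names and the sample documents are assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample document. The <!-- hash:start --> / <!-- hash:end -->
# markers are an assumed form of the annotation; the patent fixes no format.
TRUSTED_DOCUMENT = (
    '<html><body><!-- hash:start --><div id="c">Welcome to the portal.</div>'
    '<!-- hash:end --><script src="/hash-object.js"></script></body></html>'
)
ANNOTATION = re.compile(r"<!-- hash:start -->(.*?)<!-- hash:end -->", re.S)

def portion_hash(document: str) -> str:
    """SHA-256 of the annotated portion, computed alike by client object and provider.
    A copy with the annotation stripped hashes the empty portion, so it still mismatches."""
    match = ANNOTATION.search(document)
    portion = match.group(1) if match else ""
    return hashlib.sha256(portion.encode("utf-8")).hexdigest()

class RedirectionMonitor:
    """Provider side: a client hash differing from the trusted hash is flagged as an
    unauthorized redirection, counted per resolver; above the threshold the record is deemed altered."""
    def __init__(self, trusted_document: str, threshold: int):
        self.trusted_hash = portion_hash(trusted_document)
        self.threshold = threshold
        self.flags = defaultdict(int)  # resolver -> unauthorized redirection count

    def report(self, resolver: str, client_hash: str) -> bool:
        """Process one client hash; True means the access was flagged."""
        if client_hash == self.trusted_hash:
            return False
        self.flags[resolver] += 1
        return True

    def dns_record_altered(self, resolver: str) -> bool:
        return self.flags[resolver] > self.threshold

def simulate(threshold: int = 3) -> dict:
    """Constructed reports: resolver-A clients received the genuine page, resolver-B
    clients a copy whose annotated portion differs (as after a redirection)."""
    monitor = RedirectionMonitor(TRUSTED_DOCUMENT, threshold)
    altered = TRUSTED_DOCUMENT.replace("Welcome", "Welcome back")
    flagged = [monitor.report("resolver-B", portion_hash(altered)) for _ in range(threshold + 1)]
    return {
        "flagged_b": sum(flagged),
        "altered_a": monitor.dns_record_altered("resolver-A"),
        "altered_b": monitor.dns_record_altered("resolver-B"),
        "stripped_flagged": monitor.report("resolver-A", portion_hash("<html></html>")),
    }
```

Counting flags per resolver rather than globally is what lets the provider attribute the alteration to a particular ISP's recursive name server, as claim 1 does.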