Detecting network attacks based on a hash

US 9,473,516 B1
Filed: 09/29/2014
Issued: 10/18/2016
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

providing, by a computer system to a client device, a network-based document comprising an annotated portion and an object, the object configured to cause the client device to hash the annotated portion of the network -based document based at least in part on an access of the client to the network-based document over a data network, the access facilitated based at least in part on a domain name system record of the network-based document, the domain name system record available from a recursive name server of an Internet service provider;

receiving, from the client device, a client hash of the annotated portion of the network-based document based at least in part on an instantiation of the object by the client device;

generating, by the computer system, a trusted hash based at least in part on hashing a trusted version of the annotated portion of the network-based document;

comparing, by the computer system, the client hash and the trusted hash;

determining, based at least in part on the comparing, that the access of the client device to the network-based document involved an unauthorized redirection to the network-based document through the data network;

generating a flag indicative of the unauthorized redirection;

determining whether a number of unauthorized redirections through the data network exceeds a threshold based at least in part on the flag; and

determining that the domain name system record of the network-based document available from the recursive name server of the Internet service provider has been altered based at least in part on the number of unauthorized redirections exceeding the threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for analyzing access to a network-based document may be provided. For example, a portion of the network-based document for hashing may be identified. A client hash of the portion may be accessed. The client hash may be based on an access of a client to the network-based document over a network. A provider hash of the portion may be also accessed. The provider hash may be based on a trusted version of the portion. The client hash and the provider hash may be compared. Based on the comparison, an issue associated with the access to the network-based document over the network may be detected.

52 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- providing, by a computer system to a client device, a network-based document comprising an annotated portion and an object, the object configured to cause the client device to hash the annotated portion of the network -based document based at least in part on an access of the client to the network-based document over a data network, the access facilitated based at least in part on a domain name system record of the network-based document, the domain name system record available from a recursive name server of an Internet service provider;
  
  receiving, from the client device, a client hash of the annotated portion of the network-based document based at least in part on an instantiation of the object by the client device;
  
  generating, by the computer system, a trusted hash based at least in part on hashing a trusted version of the annotated portion of the network-based document;
  
  comparing, by the computer system, the client hash and the trusted hash;
  
  determining, based at least in part on the comparing, that the access of the client device to the network-based document involved an unauthorized redirection to the network-based document through the data network;
  
  generating a flag indicative of the unauthorized redirection;
  
  determining whether a number of unauthorized redirections through the data network exceeds a threshold based at least in part on the flag; and
  
  determining that the domain name system record of the network-based document available from the recursive name server of the Internet service provider has been altered based at least in part on the number of unauthorized redirections exceeding the threshold.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the network-based document comprises a web page, wherein the annotated portion comprises annotations of a static portion of the web page, and wherein the object is configured to determine that the static portion is to be hashed based at least in part on the annotations.
  - 3. The computer-implemented method of claim 1, wherein the domain name system record comprises a network address associated with the network-based document, and wherein determining that the access of the client device to the network-based document involved the unauthorized redirection comprises determining that the provided network address is altered to redirect the client device to an unauthorized proxy server.
  - 4. The computer-implemented method of claim 3, wherein the network-based document comprises a web page, and further comprising:
    - receiving client hashes associated with access of a plurality of client devices to the network-based resource;
      
      identifying mismatches between the client hashes and the trusted hash; and
      
      detecting that an unauthorized change to the domain name system record occurred at the recursive name server based at least in part on the mismatches.

5. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by one or more computing systems, configure the one or more computing systems to perform operations comprising:
- identifying a portion of a network-based document for hashing;
  
  accessing a client hash of the portion of the network-based document, the client hash generated based at least in part on an access of a client device to the network-based document and received from the client device based at least in part on data communication between at least a computing system of the one or more computing systems and the client device, the access of the client device to the network-based document facilitated based at least in part on a domain name system record stored at a computing resource of an Internet service provider;
  
  accessing a provider hash of the portion of the network-based document, the provider hash generated based at least in part on an access of at least a computing system of the one or more computing systems to a trusted version of the portion of the network-based document;
  
  comparing the client hash and the provider hash;
  
  determining that the client device was redirected to the network-based document based at least in part on the comparison of the client hash and the provider hash;
  
  determining a number of unauthorized redirections of accesses of client devices to the network-based document based at least in part on comparisons of client hashes and the provider hash; and
  
  detecting that the domain name system record has been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The one or more non-transitory computer-readable storage media of claim 5, wherein the portion of the network-based document comprises one or more static portions of the network-based document.
  - 7. The one or more non-transitory computer-readable storage media of claim 5, wherein the portion of the network-based document is identified based at least in part on an annotation of the portion.
  - 8. The one or more non-transitory computer-readable storage media of claim 7, wherein the access by the client device is associated with a request for the network-based document from the client device, and wherein the network-based document comprises an object configured to cause the client device to generate the client hash based at least in part on the annotation.
  - 9. The one or more non-transitory computer -readable storage media of claim 8, wherein the access of the client to the network-based document is facilitated based at least in part on a recursive name server of the Internet service provider storing the domain name system record, and wherein the provider hash is generated based at least in part on the access of the at least computing system to the trusted version of the portion of the network-based document independently of the recursive name server of the Internet service provider.
  - 10. The one or more non-transitory computer-readable storage media of claim 5, wherein the client hash is received over an out-of-band channel, the out-of-band channel configured to facilitate data communication between the client device and a control plane of the one or more computing systems, and wherein an in-band-channel is configured to facilitate communication between the client device and a data plane of the one or more computing systems to access the client-based document.
  - 11. The one or more non-transitory computer-readable storage media of claim 5, wherein the one or more computing systems comprises the client device, wherein the operations further comprise transmitting information about the client device being redirected to a computing device of a provider of the network-based document based at least in part on a mismatch between the client hash and the provider hash.
  - 12. The one or more non-transitory computer-readable storage media of claim 5, wherein the one or more computer systems comprise a computing device of a provider, and wherein accessing the provider hash comprises receiving the provider hash from the computing device of the provider.
  - 13. The one or more non-transitory computer-readable storage media of claim 5, wherein the provider hash is embedded in the network-based document.
  - 14. The one or more non-transitory computer -readable storage media of claim 5, wherein identifying the portion of the network -based document for hashing comprises receiving an identifier of the portion from a computing device of a provider of the network-based document, wherein the operations further comprise providing the identifier to the client device over an out-of-band channel, and wherein the client hash is generated based at least in part on the identifier.

15. A system, comprising:
- a memory configured to store computer-executable instructions; and
  
  a processor configured to access the memory and execute the computer -executable instructions to collectively at least;
  
  provide a network-based document, the network-based document accessible to a client device over a network based at least in part on a domain name system record stored at a computing resource of an Internet service provider;
  
  access a client hash of a portion of the network-based document, the portion identified based at least in part on an annotation associated with the portion, and the client hash generated based at least in part on an access of the client device to the network-based document over the network and received from the client device;
  
  access a trusted hash of the portion of the network-based document, the trusted hash generated based at least in part on an access of the system to a trusted version of the portion of the network-based document;
  
  compare the client hash and the trusted hash;
  
  determine, based at least in part on the comparison of the client hash and the trusted hash, that the access of the client device to the network-based document comprises a redirection to the network-based document;
  
  determine a number of unauthorized redirections of accesses of client devices to the network-based document based at least in part on comparisons of client hashes and the trusted hash; and
  
  detect that the domain name system record has been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the network-based document is provided to the client device, and wherein the computer-executable instructions, when executed by the processor, further configure the system to at least identify that the client device is an at risk device based at least in part on the determination that the access of the client device comprised the redirection.
  - 17. The system of claim 15, wherein the computer -executable instructions, when executed by the processor, further configure the system to at least:
    - receive the client hashes associated with the accesses of the client devices to the network-based document over the network;
      
      compare the client hashes to the trusted hash; and
      
      determine that the redirection of the client device comprises an unauthorized change in traffic to a network-based resource hosting the network -based document based at least in part on the comparison of the client hashes to the trusted hash, the unauthorized change occurring at a computing resource of the Internet service provider.
  - 18. The system of claim 17, wherein the unauthorized change comprises a change to the domain name system record stored at the computing resource of the Internet service provider, the domain name system record configured to provide an address of the network-based resource to the client devices.
  - 19. The system of claim 15, wherein the computer -executable instructions, when executed by the processor, further configure the system to at least:
    - record, based at least in part on the determination of the redirection of the client device, information associated with the client device accessing another network-based document, the other network-based document configured to be accessible to the client device without redirection;
      
      determine that the information comprises data indicative of a second redirection to the other network-based document; and
      
      confirm the determination of the redirection of the client based at least in part on the second redirection.
  - 20. The system of claim 15, wherein the computer -executable instructions, when executed by the processor, further configure the system to at least:
    - access, based at least in part on determining the redirection, the domain name system record, wherein the domain name system record is generated based at least in part on the access of the client device to the network-based document;
      
      access a trusted domain name system record generated based at least in part on a domain name system request to a trusted name server; and
      
      confirm the determination of the redirection based at least in part on a comparison of the domain name system record and the trusted domain name system record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Jezorek, Matthew Ryan, Van Horenbeeck, Maarten, Lai, Richie
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/500,649
Time in Patent Office

750 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/64   Protecting data integrity, ...

H04L 61/4511   using domain name system [DNS]

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/01   Protocols

Detecting network attacks based on a hash

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting network attacks based on a hash

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links