Systems and methods for detecting man-in-the-middle attacks

US 9,888,035 B2
Filed: 08/12/2015
Issued: 02/06/2018
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting man-in-the-middle attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

registering a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user;

receiving an authentication request to log into a secure computing resource as the user;

transmitting, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received;

comparing a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device in response to the out-of-band push authentication prompt by comparing a measure of proximity with a proximity threshold that distinguishes between matching and nonmatching geolocations; and

performing a remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting man-in-the-middle attacks may include (1) registering a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user, (2) receiving an authentication request to log into a secure computing resource as the user, (3) transmitting, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received, (4) comparing a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device, and (5) performing remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match. Various other methods, systems, and computer-readable media are also disclosed.

13 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting man-in-the-middle attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- registering a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user;
  
  receiving an authentication request to log into a secure computing resource as the user;
  
  transmitting, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received;
  
  comparing a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device in response to the out-of-band push authentication prompt by comparing a measure of proximity with a proximity threshold that distinguishes between matching and nonmatching geolocations; and
  
  performing a remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein registering the mobile device comprises:
    - installing a mobile security application on the mobile device;
      
      signing a message from the mobile device to a registration server using a private key embedded within the mobile security application.
  - 3. The method of claim 1, wherein transmitting, in response to receiving the authentication request, the out-of-band push authentication prompt to the registered mobile device comprises transmitting a request for the user to approve of the authentication request.
  - 4. The method of claim 1, wherein transmitting, in response to receiving the authentication request, the out-of-band push authentication prompt to the registered mobile device comprises transmitting a verification code for the user to enter through the channel through which the authentication request was received.
  - 5. The method of claim 1, wherein the geolocation indicated by the authentication request is ascertained through a service that provides access to a database that maps Internet protocol addresses to geolocation information.
  - 6. The method of claim 5, wherein the service provides a record that specifies at least one of:
    - an address;
      
      longitude and latitude coordinates; and
      
      an organization.
  - 7. The method of claim 1, wherein the geolocation indicated by the registered mobile device is ascertained through at least one of:
    - accessing an application programming interface of the registered mobile device that provides the geolocation through a global positioning system; and
      
      accessing a cell id associated with the registered mobile device.
  - 8. The method of claim 1, wherein detecting the man-in-the-middle attack comprises:
    - identifying information indicating a potential false positive in detecting the man-in-the-middle attack; and
      
      determining that the man-in-the-middle attack is detected despite the indication of the potential false positive.
  - 9. The method of claim 8, wherein determining that the man-in-the-middle attack is detected despite the indication of the potential false positive comprises identifying a lack of confirmation information that would confirm the potential false positive, the confirmation information comprising at least one of:
    - satisfaction of a challenge prompt at the registered mobile device in response to identifying the information indicating a potential false positive;
      
      user history information confirming that the user is trusted;
      
      information about other users that share attributes with the user; and
      
      information indicating that an Internet protocol address does not hop;
      
      information confirming that the user requests to access the secure computing resource through at least one of a proxy and a network address translation mechanism.
  - 10. The method of claim 1, wherein detecting the man-in-the-middle attack comprises:
    - receiving an indication that the authentication request is transmitted from the registered mobile device; and
      
      detecting that an Internet protocol address of the authentication request and an Internet protocol address indicated by the registered mobile device are not an exact match.

11. A system for detecting man-in-the-middle attacks, the system comprising:
- a registration module, stored in memory, that registers a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user;
  
  a reception module, stored in memory, that receives an authentication request to log into a secure computing resource as the user;
  
  a transmission module, stored in memory, that transmits, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received;
  
  a comparison module, stored in memory, that compares a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device in response to the out-of-band push authentication prompt by comparing a measure of proximity with a proximity threshold that distinguishes between matching and nonmatching geolocations;
  
  a performance module, stored in memory, that performs a remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match; and
  
  at least one physical processor configured to execute the registration module, the reception module, the transmission module, the comparison module, and the performance module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the registration module registers the mobile device by:
    - installing a mobile security application on the mobile device; and
      
      signing a message from the mobile device to a registration server using a private key embedded within the mobile security application.
  - 13. The system of claim 11, wherein the transmission module transmits, in response to receiving the authentication request, the out-of-band push authentication prompt to the registered mobile device by transmitting a request for the user to approve of the authentication request.
  - 14. The system of claim 11, wherein the transmission module transmits, in response to receiving the authentication request, the out-of-band push authentication prompt to the registered mobile device by transmitting a verification code for the user to enter through the channel through which the authentication request was received.
  - 15. The system of claim 11, wherein the geolocation indicated by the authentication request is ascertained through a service that provides access to a database that maps Internet protocol addresses to geolocation information.
  - 16. The system of claim 15, wherein the service provides a record that specifies at least one of:
    - an address;
      
      longitude and latitude coordinates; and
      
      an organization.
  - 17. The system of claim 11, wherein the geolocation indicated by the registered mobile device is ascertained through at least one of:
    - accessing an application programming interface of the registered mobile device that provides the geolocation through a global positioning system; and
      
      accessing a cell id associated with the registered mobile device.
  - 18. The system of claim 11, wherein the performance module detects the man-in-the-middle attack at least in part by:
    - identifying information indicating a potential false positive in detecting the man-in-the-middle attack; and
      
      determining that the man-in-the-middle attack is detected despite the indication of the potential false positive.
  - 19. The system of claim 18, wherein the performance module determines that the man-in-the-middle attack is detected despite the indication of the potential false positive by identifying a lack of confirmation information that would confirm the potential false positive, the confirmation information comprising at least one of:
    - satisfaction of a challenge prompt at the registered mobile device in response to identifying the information indicating a potential false positive;
      
      user history information confirming that the user is trusted;
      
      information about other users that share attributes with the user;
      
      information indicating that an Internet protocol address does not hop; and
      
      information confirming that the user requests to access the secure computing resource through at least one of a proxy and a network address translation mechanism.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- register a mobile device of a user within a computing environment as an authenticated mobile device that corresponds to the user;
  
  receive an authentication request to log into a secure computing resource as the user;
  
  transmit, in response to receiving the authentication request, an out-of-band push authentication prompt to the registered mobile device of the user through a different channel than a channel through which the authentication request was received;
  
  compare a geolocation indicated by the authentication request with a geolocation indicated by the registered mobile device in response to the out-of-band push authentication prompt by comparing a measure of proximity with a proximity threshold that distinguishes between matching and nonmatching geolocations; and
  
  perform a remedial action in response to detecting a man-in-the-middle attack based on a determination that the geolocation indicated by the authentication request and the geolocation indicated by the registered mobile device do not match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Venkataramani, Srinath, Antonyraj, Rosarin Jolly Roy
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US14/824,775
Publication Number

US 20170006060A1
Time in Patent Office

909 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

H04L 63/18   using different networks or...

H04L 67/55   Push-based network services

H04W 12/06   Authentication

H04W 12/122   Counter-measures against at...

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

Systems and methods for detecting man-in-the-middle attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting man-in-the-middle attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links