Unwanted tunneling alert system

US 9,930,055 B2
Filed: 08/04/2016
Issued: 03/27/2018
Est. Priority Date: 08/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system configured to detect and handle malicious network tunneling, the computing system comprising:

a computer processor; and

a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;

access a virtual private network (VPN) log including a listing of one or more client IP addresses assigned to a corresponding one or more remote users granted access to a network;

access a data connection log including a listing of one or more remote IP addresses requested via the network;

identify a first IP address included in the VPN log and in the data connection log;

generate a risk score based on at least traffic data associated with the first IP address, the risk score at least partly indicative of a likelihood that the traffic data includes one or more malicious tunneling connections; and

terminate a first connection if the risk score exceeds a threshold value.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

151 Citations

20 Claims

1. A computing system configured to detect and handle malicious network tunneling, the computing system comprising:
- a computer processor; and
  
  a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;
  
  access a virtual private network (VPN) log including a listing of one or more client IP addresses assigned to a corresponding one or more remote users granted access to a network;
  
  access a data connection log including a listing of one or more remote IP addresses requested via the network;
  
  identify a first IP address included in the VPN log and in the data connection log;
  
  generate a risk score based on at least traffic data associated with the first IP address, the risk score at least partly indicative of a likelihood that the traffic data includes one or more malicious tunneling connections; and
  
  terminate a first connection if the risk score exceeds a threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system of claim 1, wherein the risk score is based on at least one of a mismatch between a geographic location of a computing device associated with the first IP address and a geographic location of the network, employment title of a user associated with the first IP address, access rights of the user associated with the first IP address, a time between when a VPN connection associated with the first IP address is established and when a tunneled connection associated with the first IP address is established, an amount of data transferred using the tunneled connection, or a type of uniform resource locator associated with the tunneled connection.
  - 3. The computing system of claim 1, wherein, in connection with a determination that the data connection log indicates that a tunneled connection is established over a first port, the generated risk score is lower than if the tunneled connection is established over a second port.
  - 4. The computing system of claim 1, wherein a VPN connection and a tunneled connection between a computing device associated with the first IP address and the network are encrypted.
  - 5. The computing system of claim 4, wherein the first connection is the tunneled connection.
  - 6. The computing system of claim 1, wherein the non-transitory computer readable storage medium further stores program instructions that cause the computing system to:
    - generate an alert if the risk score exceeds a threshold value; and
      
      process feedback received regarding the generated alert, wherein the feedback affects generation of a second risk score in connection with an identification of a second IP address listed in both the VPN log and in the data connection log having one or more characteristics in a corresponding second traffic data in common with the traffic data associated with the first IP address.
  - 7. The computing system of claim 6, wherein the alert comprises information that at least partly indicates the traffic data that contributed to the risk score exceeding the threshold value.

8. A computer-implemented method comprising:
- as implemented by one or more computer systems comprising computer hardware and memory, the one or more computer systems configured with specific executable instructions,accessing a first log including a listing of one or more source addresses assigned to a corresponding one or more remote users granted access to a network;
  
  accessing a second log including a listing of one or more destination addresses requested via the network;
  
  identifying a first address included in both the first log and in the second log;
  
  generating a risk score based on at least traffic data associated with the first address; and
  
  terminating a first connection if the risk score exceeds a threshold value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, wherein the risk score is based on at least one of a mismatch between a geographic location of a computing device associated with the first address and a geographic location of the network, employment title of a user associated with the first address, access rights of the user associated with the first address, a time between when a VPN connection associated with the first address is established and when a tunneled connection associated with the first address is established, an amount of data transferred using the tunneled connection, or a type of uniform resource locator associated with the tunneled connection.
  - 10. The computer-implemented method of claim 8, wherein, in connection with a determination that the second log indicates that a tunneled connection is established over a first port, the generated risk score is lower than if the tunneled connection is established over a second port.
  - 11. The computer-implemented method of claim 8, wherein a VPN connection and a tunneled connection between a computing device associated with the first address and the network are encrypted.
  - 12. The computer-implemented method of claim 8, further comprising:
    - generating an alert if the risk score exceeds a threshold value receiving feedback regarding the generated alert; and
      
      in connection with an identification of a second address listed in both the first log and in the second log, generating a second risk score based on the received feedback.
  - 13. The computer-implemented method of claim 12, wherein the alert comprises information that at least partly indicates the traffic data that contributed to the risk score exceeding the threshold value.
  - 14. The computer-implemented method of claim 12, further comprising generating a graphical representation of the alert for display in a user interface.

15. A non-transitory computer-readable medium comprising one or more program instructions recorded thereon, the instructions configured for execution by a computing system comprising one or more processors in order to cause the computing system to:
- access a first log including a listing of one or more source addresses assigned to a corresponding plurality of remote users granted access to a network;
  
  access a second log including a listing of one or more destination addresses requested via the network;
  
  identify a first address included in both the first log and in the second log;
  
  generate a risk score based on at least traffic data associated with the first address; and
  
  terminate a first connection if the risk score exceeds a threshold value.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15, wherein the risk score is based on at least one of a mismatch between a geographic location of a computing device associated with the first address and a geographic location of the network, employment title of a user associated with the first address, access rights of the user associated with the first address, a time between when a VPN connection associated with the first address is established and when a tunneled connection associated with the first address is established, an amount of data transferred using the tunneled connection, or a type of uniform resource locator associated with the tunneled connection.
  - 17. The medium of claim 15, wherein, in connection with a determination that the second log indicates that a tunneled connection is established over a first port, the generated risk score is lower than if the tunneled connection is established over a second port.
  - 18. The medium of claim 15, wherein the instructions are further configured to cause the computing system to:
    - generate an alert if the risk score exceeds a threshold value;
      
      process feedback received regarding the generated alert; and
      
      in connection with an identification of a second address listed in both the first log and in the second log, generate a second risk score based on the processed feedback.
  - 19. The medium of claim 18, wherein the alert comprises information that at least partly indicates the traffic data that contributed to the risk score exceeding the threshold value.
  - 20. The medium of claim 18, wherein the instructions are further configured to cause the computing system to generate a graphical representation of the alert for display in a user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Ricafort, Juan, Singh, Harkirat, Martin, Philip
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/228,297
Publication Number

US 20160344756A1
Time in Patent Office

600 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/556   involving covert channels, ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Unwanted tunneling alert system

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Unwanted tunneling alert system

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links