Unwanted tunneling alert system
First Claim

1. A computing system configured to detect and handle malicious network tunneling, the computing system comprising:
a computer processor; and
a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to:
access a virtual private network (VPN) log including a listing of one or more client IP addresses assigned to a corresponding one or more remote users granted access to a network;
access a data connection log including a listing of one or more remote IP addresses requested via the network;
identify a first IP address included in the VPN log and in the data connection log;
generate a risk score based on at least traffic data associated with the first IP address, the risk score at least partly indicative of a likelihood that the traffic data includes one or more malicious tunneling connections; and
terminate a first connection if the risk score exceeds a threshold value.
Abstract
Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.
20 Claims
1. A computing system configured to detect and handle malicious network tunneling, the computing system comprising:
a computer processor; and
a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to:
access a virtual private network (VPN) log including a listing of one or more client IP addresses assigned to a corresponding one or more remote users granted access to a network;
access a data connection log including a listing of one or more remote IP addresses requested via the network;
identify a first IP address included in the VPN log and in the data connection log;
generate a risk score based on at least traffic data associated with the first IP address, the risk score at least partly indicative of a likelihood that the traffic data includes one or more malicious tunneling connections; and
terminate a first connection if the risk score exceeds a threshold value.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer-implemented method comprising:
as implemented by one or more computer systems comprising computer hardware and memory, the one or more computer systems configured with specific executable instructions,
accessing a first log including a listing of one or more source addresses assigned to a corresponding one or more remote users granted access to a network;
accessing a second log including a listing of one or more destination addresses requested via the network;
identifying a first address included in both the first log and in the second log;
generating a risk score based on at least traffic data associated with the first address; and
terminating a first connection if the risk score exceeds a threshold value.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A non-transitory computer-readable medium comprising one or more program instructions recorded thereon, the instructions configured for execution by a computing system comprising one or more processors in order to cause the computing system to:
access a first log including a listing of one or more source addresses assigned to a corresponding plurality of remote users granted access to a network;
access a second log including a listing of one or more destination addresses requested via the network;
identify a first address included in both the first log and in the second log;
generate a risk score based on at least traffic data associated with the first address; and
terminate a first connection if the risk score exceeds a threshold value.
Dependent claims: 16, 17, 18, 19, 20.
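The log correlation that the abstract and the independent claims describe, written out as an added Python example that is not part of the patent or any product implementing it: it parses a constructed VPN log and a constructed connection log (both formats, the field names, the scoring weights and the threshold are assumptions made here), finds addresses that the VPN assigned to a remote user and that also appear as a requested remote address, scores the traffic to those addresses, and returns the ones over the threshold so that a caller can raise an alert or terminate the connection.

```python
from collections import defaultdict

# Constructed sample VPN log: which remote user was assigned which client IP.
VPN_LOG = """\
2024-05-01T08:00:01 user=alice client_ip=10.8.0.12
2024-05-01T08:02:15 user=bob client_ip=10.8.0.27
2024-05-01T08:05:40 user=carol client_ip=10.8.0.31
"""

# Constructed sample data connection log: internal source, requested remote
# destination, bytes moved and session length. Two long, bulky sessions go
# back to a VPN-assigned address, which is the pattern the claims target.
CONN_LOG = """\
2024-05-01T08:10:00 src=10.1.4.20 dst=10.8.0.12 bytes=52000000 secs=3600
2024-05-01T08:11:00 src=10.1.4.21 dst=93.184.216.34 bytes=20000 secs=2
2024-05-01T08:12:00 src=10.1.4.22 dst=10.8.0.27 bytes=4000 secs=5
2024-05-01T08:13:00 src=10.1.4.20 dst=10.8.0.12 bytes=61000000 secs=7200
"""

def parse_kv(line):
    """Split 'timestamp key=value key=value ...' into a dict (assumed format)."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for field in fields[1:]:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec

def vpn_clients(log):
    """Map each VPN-assigned client IP to the remote user who received it."""
    return {r["client_ip"]: r["user"] for r in map(parse_kv, log.splitlines())}

def connections_to_vpn_clients(conn_log, clients):
    """Group connection records whose requested destination is a VPN client IP."""
    hits = defaultdict(list)
    for r in map(parse_kv, conn_log.splitlines()):
        if r["dst"] in clients:
            hits[r["dst"]].append(r)
    return hits

def risk_score(records):
    """Illustrative heuristic (weights are assumptions, not the patent's):
    repeated sessions, bulk transfer and long-lived sessions each add risk."""
    total_bytes = sum(int(r["bytes"]) for r in records)
    total_secs = sum(int(r["secs"]) for r in records)
    score = min(len(records), 5) * 10          # up to 50 for repeated sessions
    score += 30 if total_bytes > 10_000_000 else 0   # more than ~10 MB moved
    score += 30 if total_secs > 1800 else 0          # more than 30 min in total
    return score

def detect_tunneling(vpn_log, conn_log, threshold=50):
    """Return the VPN client addresses whose inbound traffic scores above threshold."""
    clients = vpn_clients(vpn_log)
    alerts = []
    for ip, recs in connections_to_vpn_clients(conn_log, clients).items():
        score = risk_score(recs)
        if score > threshold:
            alerts.append({"ip": ip, "user": clients[ip], "score": score, "sessions": len(recs)})
    return alerts
```

On the constructed logs only 10.8.0.12 (assigned to alice) is flagged; bob's address is correlated too but its single short, small session stays below the threshold.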
Specification