Monitoring traffic in a computer network

US 9,985,981 B2
Filed: 09/14/2017
Issued: 05/29/2018
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a non-transitory computer readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform a method carried out in a computer network environment comprising a plurality of devices, each of which being configured for applying a transformation function on an identifier of a target port for network communication indicated in a transmission request of an application program executing thereon, whereby a scrambled version of the identifier is obtained, the plurality of devices being further configured for directing the transmission to be received via a different target port identified by the scrambled version of the identifier, the method comprising:

identifying an invalid port access attempt by a first transmission directed at a first port of a first computerized apparatus comprised in the plurality of devices, is wherein said identifying the invalid port access is based an ability of the transformation function to yield a first port identifier identifying the first port;

wherein the transformation function depends on at least one secret parameter shared among the plurality of devices, wherein a device of the plurality of devices is configured to apply the transformation function only for transmission issued by application programs that are listed in a list of authorized application programs; and

in response to said identifying, providing for an action to be performed whereby a security threat ascribed to the invalid port access attempt is mitigated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, computerized apparatus and computer program product for monitoring traffic in a computer network. The computer network comprises a plurality of devices configured to apply a transformation function on a target port identifier of a requested transmission by an application program executing thereon and direct the transmission to a different target port per the scrambled identifier thereby obtained. The transformation function depends on at least one parameter shared among the plurality of devices and applying thereof is conditioned on the application program requesting transmission being listed in a list of authorized application programs. Attempts to access invalid ports as defined by the transformation function are identified and an action for mitigating a security threat ascribed thereto is provided.

11 Citations

20 Claims

1. A computer program product comprising a non-transitory computer readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform a method carried out in a computer network environment comprising a plurality of devices, each of which being configured for applying a transformation function on an identifier of a target port for network communication indicated in a transmission request of an application program executing thereon, whereby a scrambled version of the identifier is obtained, the plurality of devices being further configured for directing the transmission to be received via a different target port identified by the scrambled version of the identifier, the method comprising:
- identifying an invalid port access attempt by a first transmission directed at a first port of a first computerized apparatus comprised in the plurality of devices, is wherein said identifying the invalid port access is based an ability of the transformation function to yield a first port identifier identifying the first port;
  
  wherein the transformation function depends on at least one secret parameter shared among the plurality of devices, wherein a device of the plurality of devices is configured to apply the transformation function only for transmission issued by application programs that are listed in a list of authorized application programs; and
  
  in response to said identifying, providing for an action to be performed whereby a security threat ascribed to the invalid port access attempt is mitigated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer program product of claim 1, wherein the method further comprising:
    - determining, based on analyzing the first transmission, whether the first transmission is likely to transpire from a malicious activity, wherein the action is responsive to said determining.
  - 3. The computer program product of claim 2, wherein said determining further comprises analyzing past access attempts from a same device of which the first transmission originates to identify repeated or successive attempts to access invalid or neighboring ports.
  - 4. The computer program product of claim 2, wherein analyzing the first transmission is skipped for traffic originating from or directed towards one of a predetermined collection of devices in the computer network.
  - 5. The computer program product of claim 4, wherein the predetermined collection of devices comprises one or more devices of a type selected from the group consisting of:
    - a firewall component;
      
      a gateway component; and
      
      any combination thereof.
  - 6. The computer program product of claim 1, wherein the first transmission is intercepted by a server monitoring traffic over the computer network, wherein said identifying is performed by the server.
  - 7. The computer program product of claim 1, wherein the first transmission is intercepted by a monitoring agent deployed at the first computerized apparatus, wherein said identifying is performed by the monitoring agent.
  - 8. The computer program product of claim 1, wherein said identifying comprises comparing the first identifier to a collection of valid target ports obtained by is applying the transformation function on identifiers of ports each of which being of a type selected from the group consisting of:
    - a common port;
      
      a port used by a program in the list of authorized application programs;
      
      a port used by a program; and
      
      executing on the first computerized apparatus.
  - 9. The computer program product of claim 1, wherein the at least one secret parameter comprises a time-dependent encryption key, wherein the method further comprising:
    - determining whether the first port was previously valid;
      
      computing a timeframe from when the first port became invalid and until the transmission attempted accessing thereto; and
      
      comparing the timeframe to a predetermined threshold;
      
      wherein the action is determined based at least on whether the predetermined threshold is exceeded by the timeframe.
  - 10. The computer program product of claim 1, wherein said identifying comprises comparing the first identifier to a collection of identifiers of predetermined ports excluded from being used as target ports for receiving transmissions, whereby invalidity of the first port is determined upon a match being found.
  - 11. The computer program product of claim 1, wherein the action entails preventing a device of which the first transmission originates from effectively communicating with any of the plurality of devices by providing the device with a defunct instance of at least a portion of the at least one secret parameter.
  - 12. The computer program product of claim 1, wherein said identifying comprises applying an inverse transformation function on the first identifier.
  - 13. The computer program product of claim 1, wherein the list of authorized application programs provided to the device is a subset of a predetermined list of authorized application programs defined for the plurality of devices.

14. A server configured to be deployed in a computer network environment comprising a plurality of devices, each of which being configured for applying a transformation function on an identifier of a target port for network communication indicated in a transmission request of an application program executing thereon, whereby a scrambled version of the identifier is obtained, the plurality of devices being further configured for directing the transmission to be received via a different target port identified by the scrambled version of the identifier,wherein the server comprises a processor that is configured to perform an action to mitigate a security threat from an invalid port access attempt;
- wherein the server is configured to obtain an indication of the invalid port access attempt;
  
  wherein the invalid port access attempt by a first transmission directed at a first port of a first device comprised in the plurality of devices is identified based an ability of the transformation function to yield a first port identifier identifying the first port; and
  
  wherein the transformation function depends on at least one secret parameter shared among the plurality of devices, wherein a device of the plurality of devices is configured to apply the transformation function only for transmission issued by application programs that are listed in a list of authorized application programs.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The server of claim 14, wherein said server is configured to identify based on past access attempt from a same device repeated or successive attempts to access invalid or neighboring ports.
  - 16. The server of claim 14, wherein the server is configured to avoid analyzing transmissions originating from or directed towards one of a predetermined collection of devices in the computer network.
  - 17. The server of claim 16, wherein the predetermined collection of devices comprises one or more devices of a type selected from the group consisting of:
    - a firewall component; and
      
      a gateway component.
  - 18. The server of claim 16, wherein the server is configured to monitor traffic over the computer network and to intercept the first transmission.
  - 19. The server of claim 16, wherein the server is configured to obtain the indication from a monitoring agent deployed at the first device, wherein the monitoring agent is configured to locally identify the invalid port access attempt.
  - 20. The server of claim 16, wherein the action entails preventing a device from which the first transmission originates from effectively communicating with any of the plurality of devices by said server providing the device with a defunct instance of at least a portion of the at least one secret parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber 2.0 (2015) LTD.
Original Assignee
Cyber 2.0 (2015) LTD.
Inventors
Haelion, Erez Kaplan
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/705,215
Publication Number

US 20180007072A1
Time in Patent Office

257 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/14   against software analysis o...

G06F 21/44   Program or device authentic...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/162   at the data link layer

H04L 67/146   Markers for unambiguous ide...

H04L 67/54   Presence management, e.g. m...

Monitoring traffic in a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring traffic in a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links