System and method for identifying security breach attempts of a website

US 10,157,280 B2
Filed: 09/23/2009
Issued: 12/18/2018
Est. Priority Date: 09/23/2009
Status: Active Grant

First Claim

Patent Images

1. A website security method implemented by a network system comprising one or more client devices and server devices, the method comprising:

receiving a request from a client device for a web page to be provided by a server application, wherein anti-trojan software code is embedded in the requested web page and the anti-trojan software code is functionally associated with the server application and comprises one or more expected communication parameters;

sending the requested web page to the client device responsive to the request, wherein the anti-trojan software code is configured to;

intercept a subsequent request resulting from an interaction with the requested web page,extract one or more communication parameters contained within the intercepted subsequent request,compare the extracted communication parameters with the expected communication parameters, wherein the expected communication parameters comprise communication parameters of different types of possible communications expected by the server application in connection with requests to the server application, anddetermine a potential client security breach exists when one or more of the extracted communication parameters do not match one or more of the expected communication parameters;

initiating a mitigation action when an indication is received from the executing anti-trojan software code that a potential security breach exists; and

responding to the subsequent request from the client device by providing a requested resource when no indication is received from the executing anti-trojan software code that a potential security breach exists.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a method, circuit and system for detecting, reporting and preventing an attempted security breach of a commercial website (for example a banking website), such as identity theft, website duplication (mirroring/Phishing), MITB (man in the browser) attacks, MITM (man in the middle) attacks and so on.

298 Citations

12 Claims

1. A website security method implemented by a network system comprising one or more client devices and server devices, the method comprising:
- receiving a request from a client device for a web page to be provided by a server application, wherein anti-trojan software code is embedded in the requested web page and the anti-trojan software code is functionally associated with the server application and comprises one or more expected communication parameters;
  
  sending the requested web page to the client device responsive to the request, wherein the anti-trojan software code is configured to;
  
  intercept a subsequent request resulting from an interaction with the requested web page,extract one or more communication parameters contained within the intercepted subsequent request,compare the extracted communication parameters with the expected communication parameters, wherein the expected communication parameters comprise communication parameters of different types of possible communications expected by the server application in connection with requests to the server application, anddetermine a potential client security breach exists when one or more of the extracted communication parameters do not match one or more of the expected communication parameters;
  
  initiating a mitigation action when an indication is received from the executing anti-trojan software code that a potential security breach exists; and
  
  responding to the subsequent request from the client device by providing a requested resource when no indication is received from the executing anti-trojan software code that a potential security breach exists.
- View Dependent Claims (2, 3)
- - 2. The method according to claim 1, wherein the mitigation action comprises at least one of terminating a communication session with the client device, sending a warning message to one or more of the client device, a website administrator or an anti-trojan software module service provider, or temporarily blocking a user of the client device from making further subsequent requests and providing remediation instructions intended for the user of the client device to re-enable access for sending the further subsequent requests.
  - 3. The method according to claim 1, wherein the expected communication parameters comprise one or more of a response size, a response format, a number of user inputs, or response contents.

4. An apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- receive a request from a client device for a web page to be provided by a server application, wherein anti-trojan software code is embedded in the requested web page and the anti-trojan software code is functionally associated with the server application and comprises one or more expected communication parameters;
  
  send the requested web page to the client device responsive to the request, wherein the anti-trojan software code is configured to;
  
  intercept a subsequent request resulting from an interaction with the requested web page,extract one or more communication parameters contained within the intercepted subsequent request,compare the extracted communication parameters with the expected communication parameters, wherein the expected communication parameters comprise communication parameters of different types of possible communications expected by the server application in connection with requests to the server application, anddetermine a potential client security breach exists when one or more of the extracted communication parameters do not match one or more of the expected communication parameters;
  
  receive the notification from the client device and initiate a mitigation action when an indication is received from the executing anti-trojan software code that a potential security breach exists; and
  
  responding to the subsequent request from the client device by providing a requested resource when no indication is received from the executing anti-trojan software code that a potential security breach exists.
- View Dependent Claims (5, 6)
- - 5. The apparatus according to claim 4, wherein the mitigation action comprises at least one of terminating a communication session with the client device, sending a warning message to one or more of the client device, a website administrator or an anti-trojan software module service provider, or temporarily blocking a user of the client device from making further subsequent requests and providing remediation instructions intended for the user of the client device to re-enable access for sending the further subsequent requests.
  - 6. The apparatus according to claim 4, wherein the expected communication parameters comprise one or more of a response size, a response format, a number of user inputs, or response contents.

7. A non-transitory computer readable medium having stored thereon instructions for website security comprising machine executable code which when executed by at least one processor, causes the processor to:
- receive a request from a client device for a web page to be provided by a server application, wherein anti-trojan software code is embedded in the requested web page and the anti-trojan software code is functionally associated with the server application and comprises one or more expected communication parameters;
  
  send the requested web page to the client device responsive to the request, wherein the anti-trojan software code is configured to;
  
  intercept a subsequent request resulting from an interaction with the requested web page,extract one or more communication parameters contained within the intercepted subsequent request,compare the extracted communication parameters with the expected communication parameters, wherein the expected communication parameters comprise communication parameters of different types of possible communications expected by the server application in connection with requests to the server application, anddetermine a potential client security breach exists when one or more of the extracted communication parameters do not match one or more of the expected communication parameters;
  
  receive the notification from the client device and initiate a mitigation action when an indication is received from the executing anti-trojan software code that a potential security breach exists; and
  
  responding to the subsequent request from the client device by providing a requested resource when no indication is received from the executing anti-trojan software code that a potential security breach exists.
- View Dependent Claims (8, 9)
- - 8. The non-transitory computer readable medium according to claim 7, wherein the mitigation action comprises at least one of terminating a communication session with the client device, sending a warning message to one or more of the client device, a website administrator or an anti-trojan software module service provider, or temporarily blocking a user of the client device from making further subsequent requests and providing remediation instructions intended for the user of the client device to re-enable access for sending the further subsequent requests.
  - 9. The non-transitory computer readable medium according to claim 7, wherein the expected communication parameters comprise one or more of a response size, a response format, a number of user inputs, or response contents.

10. A network system, comprising one or more client devices and server devices, the network system comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- receive a request from a client device for a web page to be provided by a server application, wherein anti-trojan software code is embedded in the requested web page and the anti-trojan software code is functionally associated with the server application and comprises one or more expected communication parameters;
  
  send the requested web page to the client device responsive to the request, wherein the anti-trojan software code is configured to;
  
  intercept a subsequent request resulting from an interaction with the requested web page,extract one or more communication parameters contained within the intercepted subsequent request,compare the extracted communication parameters with the expected communication parameters, wherein the expected communication parameters comprise communication parameters of different types of possible communications expected by the server application in connection with requests to the server application, anddetermine a potential client security breach exists when one or more of the extracted communication parameters do not match one or more of the expected communication parameters;
  
  receive the notification from the client device and initiate a mitigation action when an indication is received from the executing anti-trojan software code that a potential security breach exists; and
  
  respond to the subsequent request from the client device by providing a requested resource when no indication is received from the executing anti-trojan software code that a potential security breach exists.
- View Dependent Claims (11, 12)
- - 11. The system as set forth in claim 10, wherein the mitigation action comprises at least one of terminating a communication session with the client device, sending a warning message to one or more of the client device, a website administrator or an anti-trojan software module service provider, or temporarily blocking a user of the client device from making further subsequent requests and providing remediation instructions intended for the user of the client device to re-enable access for sending the further subsequent requests.
  - 12. The system as set forth in claim 10, wherein the expected communication parameters comprise one or more of a response size, a response format, a number of user inputs, or response contents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Amir, Idan, Gruner, Eyal, Zilber, Boaz
Primary Examiner(s)
Thiaw, Catherine B

Application Number

US12/565,088
Publication Number

US 20110072262A1
Time in Patent Office

3,373 Days
Field of Search

726 22- 26, 709224-225
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

System and method for identifying security breach attempts of a website

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

298 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying security breach attempts of a website

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

298 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links