Dectection of invalid port accesses in port-scrambling-based networks

US 20180270257A1
Filed: 05/15/2018
Published: 09/20/2018
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of computers connected to a network, wherein each computer retaining a replica of a whitelist of programs, wherein the selective scrambling of ports is performed based on the whitelist wherein each computer is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein each computer is configured to descramble ports of incoming communications received from the network; and

a server connected to the network, wherein said server is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network being directed at a port, wherein an unscrambled port obtained after descrambling the port is an invalid port, wherein said server is configured to log the invalid port access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, system and product for detection of invalid port accesses in port-scrambling-based networks. The network may comprise a plurality of computers, each of which is configured to selectively scramble port of outgoing communications transmitted over the network and to descramble ports of incoming communications received from the network. The selective scrambling of ports may be based on a whitelist of programs. Invalid port accesses are monitored for. Invalid port accesses may be a communication transmitted over the network directing at a port, wherein an unscrambled port obtained after descrambling the port, is an invalid port. Invalid port accesses may be logged and actions may be taken to mitigate potential security risk represented thereby.

Citations

20 Claims

1. A system comprising:
- a plurality of computers connected to a network, wherein each computer retaining a replica of a whitelist of programs, wherein the selective scrambling of ports is performed based on the whitelist wherein each computer is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein each computer is configured to descramble ports of incoming communications received from the network; and
  
  a server connected to the network, wherein said server is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network being directed at a port, wherein an unscrambled port obtained after descrambling the port is an invalid port, wherein said server is configured to log the invalid port access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the server is configured to distribute replicas of the whitelist to the plurality of computers.
  - 3. The system of claim 1, wherein each computer is configured to utilize a transformation function for port scrambling and for port descrambling, wherein the transformation function depends on the whitelist.
  - 4. The system of claim 1, wherein each computer is configured to perform the selective scrambling in response to a detection that a program initiating the outgoing communication is listed in the whitelist.
  - 5. The system of claim 1, wherein the server is configured to generate and distribute a time-dependent key that is replaced periodically and valid for a limited time duration, wherein each computer is configured to utilize a transformation function for port scrambling and for port descrambling, wherein the transformation function depends on the time-dependent key.
  - 6. The system of claim 5, wherein in response to identification of the invalid port access, avoiding distribution of new time-dependent keys to a computer that is responsible for the invalid port access, whereby preventing the computer from correctly scrambling and descrambling ports.
  - 7. The system of claim 1, wherein the server is configured to identify repeated or successive attempts to access invalid or neighboring ports by a same computer.
  - 8. The system of claim 1 further comprising:
    - a component directly connected to the network, wherein the component is configured to utilize ports of incoming messages as is without descrambling;
      
      wherein each of said plurality of computers is configured to avoid scrambling ports of an outgoing communication when the outgoing communication targets the component, andwherein each of said plurality of computer is configured to avoid descrambling ports of incoming communications transmitted by the component.
  - 9. The system of claim 8, wherein the component is one of:
    - a firewall component and a gateway component.
  - 10. The system of claim 1, wherein said server is operatively coupled with monitoring agents deployed on each of said plurality of computers, wherein the monitoring agents are configured to intercept communications to identify invalid port accesses.
  - 11. The system of claim 1, wherein in response to identification of the invalid port access, said server is configured to take an action to mitigate a potential security risk associated with the invalid port access.
  - 12. The system of claim 1, wherein in response to identification of the invalid port access, preventing a computer responsible for the invalid port access from effectively communicating with the plurality of computers.

13. A computer program product comprising a non-transitory computer readable medium retaining program instructions which program instructions when read by a processor, cause the processor to perform a method carried out in a computer network environment comprising a plurality of computers, each of which being configured for selectively scrambling ports of outgoing communications and for descrambling ports of incoming communications, the method comprising:
- monitoring communications in the network;
  
  identifying an invalid port access attempt, wherein the invalid port access attempt is a communication that is directed at a port, wherein an unscrambled port obtained after descrambling the port, is an invalid port; and
  
  logging the invalid port access attempt.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product of claim 13, wherein said logging comprises logging a program and a computer responsible for the invalid port access attempt, wherein the program is a program executed by the computer and caused the communication to be transmitted.
  - 15. The computer program product of claim 14, wherein the program is excluded from a whitelist, wherein each of the plurality of computers retaining the whitelist, wherein each of the plurality of computers is configured to scramble ports only of outgoing communications transmitted by programs listed in the whitelist.
  - 16. The computer program product of claim 13, wherein the method comprises preventing effective communications by a computer responsible for the invalid port access attempt, whereby mitigating potential security risk from the computer.
  - 17. The computer program product of claim 16, wherein a server is configured to distribute a time-dependent key used by each of the plurality of computers for scrambling and descrambling ports, wherein preventing effective communications by the computer comprises avoiding sending an up-to-date the time-dependent key to the computer.

18. A server comprising:
- a processor and a coupled memory,wherein the server is connected to a network, wherein a plurality of computers are connected to the network, wherein each computer is configured to selectively scramble ports of outgoing communications transmitted over the network, wherein each computer is configured to descramble ports of incoming communications received from the network, wherein each computer retaining a whitelist of programs, wherein the selective scrambling of ports is performed based on the whitelist; and
  
  wherein said server is configured to monitor for an invalid port access, wherein the invalid port access is a communication transmitted over the network having directing at a port, wherein an unscrambled port obtained after descrambling the port is an invalid port, wherein said server is configured to log the invalid port access.
- View Dependent Claims (19, 20)
- - 19. The server of claim 18, wherein said server is configured to periodically generate a time-dependent key and distribute the time-dependent key over the network, wherein each of the plurality of computers is configured to utilize a transformation function and an inverse function thereof for scrambling and descrambling of ports, respectively, wherein the transformation function depends on the time-dependent key.
  - 20. The server of claim 19, wherein the transformation function depends on the whitelist and on the time-dependent key, whereby modification of a local copy of the whitelist on a computer, prevents the computer from effectively communicating over the network with other computers of the plurality of computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber 2.0 (2015) LTD.
Original Assignee
Cyber 2.0 (2015) LTD.
Inventors
Haelion, Erez Kaplan

Granted Patent

US 10,333,956 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/14   against software analysis o...

G06F 21/44   Program or device authentic...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/162   at the data link layer

H04L 67/146   Markers for unambiguous ide...

H04L 67/54   Presence management, e.g. m...

Dectection of invalid port accesses in port-scrambling-based networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dectection of invalid port accesses in port-scrambling-based networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links