System and method for network security including detection of attacks through partner websites
First Claim
Patent Images
1. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:
- monitor transactions between a server and a plurality of clients;
perform an evaluation of session indicators associated with the transactions; and
isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests;
wherein the instructions to perform the evaluation include instructions to perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, andfurther comprising instructions to link sequential IP address strands into chains.
12 Assignments
0 Petitions
Accused Products
Abstract
A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.
41 Citations
25 Claims
-
1. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:
-
monitor transactions between a server and a plurality of clients; perform an evaluation of session indicators associated with the transactions; and isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests; wherein the instructions to perform the evaluation include instructions to perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, and further comprising instructions to link sequential IP address strands into chains. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A method, including:
-
monitoring transactions between a server and a plurality of clients; performing an evaluation of session indicators associated with the transactions; and isolating individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; wherein performing the evaluation of the session indicators includes;
evaluatingparonymous Internet Protocol (IP) address requests; performing the evaluation of current paronymous Internet Protocol (IP) address requests by comparing to a template of expected paronymous IP address requests in response to the evaluation; performing the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests; performing the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, and linking sequential IP address strands into chains.
-
-
21. Apparatus comprising:
-
a server communicatively connected to a plurality of clients; a threat detection circuit; the apparatus constructed and disposed to; monitor transactions between the server and the plurality of clients; perform an evaluation, by the threat detection circuit, of session indicators associated with the transactions, including at least paronymous Internet Protocol (IP) address requests; compare, by the server, a current paronymous Internet Protocol (IP) address request to a template of expected paronymous IP address requests; isolate, by the server, individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; perform the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests; perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, and link sequential IP address strands into chains. - View Dependent Claims (22)
-
-
23. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:
-
monitor transactions between a server and a plurality of clients; perform an evaluation of session indicators associated with the transactions; and isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests; further comprising instructions to impose a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and wherein the instructions to perform the evaluation include instructions to perform the evaluation of a session query identification value.
-
-
24. A method, including:
-
monitoring transactions between a server and a plurality of clients; performing an evaluation of session indicators associated with the transactions; and isolating individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; wherein performing the evaluation of the session indicators includes;
evaluating paronymous Internet Protocol (IP) address requests;performing the evaluation of current paronymous Internet Protocol (IP) address requests by comparing to a template of expected paronymous IP address requests in response to the evaluation; performing the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests; imposing a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and performing the evaluation of a session query identification value.
-
-
25. Apparatus comprising:
-
a server communicatively connected to a plurality of clients; a threat detection circuit; the apparatus constructed and disposed to; monitor transactions between the server and the plurality of clients; perform an evaluation, by the threat detection circuit, of session indicators associated with the transactions, including at least paronymous Internet Protocol (IP) address requests; compare, by the server, a current paronymous Internet Protocol (IP) address request to a template of expected paronymous IP address requests; isolate, by the server, individual sessions between the server and individual clients of the plurality of clients in response to the evaluation; perform the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests; impose a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and
perform the evaluation of a session query identification value.
-
Specification