System and method for network security including detection of attacks through partner websites

US 8,756,684 B2
Filed: 05/05/2011
Issued: 06/17/2014
Est. Priority Date: 03/01/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:

monitor transactions between a server and a plurality of clients;

perform an evaluation of session indicators associated with the transactions; and

isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;

wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests;

wherein the instructions to perform the evaluation include instructions to perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, andfurther comprising instructions to link sequential IP address strands into chains.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.

41 Citations

View as Search Results

25 Claims

1. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:
- monitor transactions between a server and a plurality of clients;
  
  perform an evaluation of session indicators associated with the transactions; and
  
  isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests;
  
  wherein the instructions to perform the evaluation include instructions to perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, andfurther comprising instructions to link sequential IP address strands into chains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer readable storage medium of claim 1 further comprising instructions to access a table of paronymous IP addresses to identify similar but non-identical IP base addresses.
  - 3. The computer readable storage medium of claim 2 further comprising instructions to access the table across federated websites.
  - 4. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation further include instructions to perform the evaluation of sequential Internet Protocol (IP) address strands belonging to an individual client.
  - 5. The computer readable storage medium of claim 4 further comprising instructions to compare the sequential IP address strands to a table of associated IP base addresses that are used sequentially but not concurrently.
  - 6. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of Transmission Control Protocol (TCP) connection strands to a template of expected TCP connection strands.
  - 7. The computer readable storage medium of claim 6 wherein the expected TCP connection strands are concurrent TCP connection strands.
  - 8. The computer readable storage medium of claim 6 wherein the expected TCP connection strands are sequential TCP connection strands.
  - 9. The computer readable storage medium of claim 1 further comprising instructions to entwine concurrent IP address strands into cohorts.
  - 10. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of header information.
  - 11. The computer readable storage medium of claim 10 wherein the instructions to perform the evaluation of header information include instructions to evaluate header information selected from HyperText Transport Protocol (HTTP) header information, Secure Socket Layer (SSL) header information, Transport Layer security (TLS) header information and Internet Protocol (IP) header information.
  - 12. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of client and proxy Internet Protocol (IP) addresses and port numbers.
  - 13. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of Transmission Control Protocol (TCP) connection information.
  - 14. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of a session identification value.
  - 15. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of an authorization login identification value.
  - 16. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of a client email address.
  - 17. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of a session cookie.
  - 18. The computer readable storage medium of claim 1 wherein the instructions to perform the evaluation include instructions to perform the evaluation of current and referring Uniform Resource Locators (URLs).
  - 19. The computer readable storage medium of claim 1 wherein:
    - the instructions to monitor transactions include instructions to monitor traffic from one of the plurality of clients to a partner website;
      
      instructions to intercept the traffic; and
      
      instructions replace a client address with an alias, and pass the traffic to the partner website.

20. A method, including:
- monitoring transactions between a server and a plurality of clients;
  
  performing an evaluation of session indicators associated with the transactions; and
  
  isolating individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  wherein performing the evaluation of the session indicators includes;
  
  evaluatingparonymous Internet Protocol (IP) address requests;
  
  performing the evaluation of current paronymous Internet Protocol (IP) address requests by comparing to a template of expected paronymous IP address requests in response to the evaluation;
  
  performing the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests;
  
  performing the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, andlinking sequential IP address strands into chains.

21. Apparatus comprising:
- a server communicatively connected to a plurality of clients;
  
  a threat detection circuit;
  
  the apparatus constructed and disposed to;
  
  monitor transactions between the server and the plurality of clients;
  
  perform an evaluation, by the threat detection circuit, of session indicators associated with the transactions, including at least paronymous Internet Protocol (IP) address requests;
  
  compare, by the server, a current paronymous Internet Protocol (IP) address request to a template of expected paronymous IP address requests;
  
  isolate, by the server, individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  perform the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests;
  
  perform the evaluation of temporal statistics to recognize separate Internet Protocol (IP) address strands belonging to an individual session, andlink sequential IP address strands into chains.
- View Dependent Claims (22)
- - 22. The apparatus of claim 21, further including:
    - a channeler circuit constructed and disposed to monitor traffic from one of the plurality of clients to a partner website;
      
      intercepting, by the channeler circuit, the traffic;
      
      replacing, by the channeler circuit, a client address with an alias address; and
      
      ,passing, by the server, the traffic to the partner website.

23. A non-transitory computer readable storage medium with instructions for execution on a computer, comprising instructions to:
- monitor transactions between a server and a plurality of clients;
  
  perform an evaluation of session indicators associated with the transactions; and
  
  isolate individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  wherein the instructions to perform the evaluation include instructions to perform the evaluation of current paronymous Internet Protocol (IP) address requests to a template of expected paronymous IP address requests;
  
  further comprising instructions to impose a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and
  
  wherein the instructions to perform the evaluation include instructions to perform the evaluation of a session query identification value.

24. A method, including:
- monitoring transactions between a server and a plurality of clients;
  
  performing an evaluation of session indicators associated with the transactions; and
  
  isolating individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  wherein performing the evaluation of the session indicators includes;
  
  evaluating paronymous Internet Protocol (IP) address requests;
  
  performing the evaluation of current paronymous Internet Protocol (IP) address requests by comparing to a template of expected paronymous IP address requests in response to the evaluation;
  
  performing the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests;
  
  imposing a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and
  
  performing the evaluation of a session query identification value.

25. Apparatus comprising:
- a server communicatively connected to a plurality of clients;
  
  a threat detection circuit;
  
  the apparatus constructed and disposed to;
  
  monitor transactions between the server and the plurality of clients;
  
  perform an evaluation, by the threat detection circuit, of session indicators associated with the transactions, including at least paronymous Internet Protocol (IP) address requests;
  
  compare, by the server, a current paronymous Internet Protocol (IP) address request to a template of expected paronymous IP address requests;
  
  isolate, by the server, individual sessions between the server and individual clients of the plurality of clients in response to the evaluation;
  
  perform the evaluation of current paronymous Internet Protocol (IP) address requests to the template of expected paronymous IP address requests;
  
  impose a time threshold before and after an assignment of a client and server Internet Protocol extended address pair; and
  
  perform the evaluation of a session query identification value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Frantz, Matt, Wittenstein, Andreas, Eynon, Mike, Mather, Laura, Lloyd, Jim, Schumacher, James, Murphy, Duane
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US13/101,959
Publication Number

US 20110302653A1
Time in Patent Office

1,139 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

System and method for network security including detection of attacks through partner websites

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network security including detection of attacks through partner websites

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links