Methods and systems for detecting and preventing network connection compromise

US10440053B2 · US · B2

Patent metadata
Publication number: US-10440053-B2
Application number: US-201715608556-A
Country: US
Kind code: B2
Filing date: May 30, 2017
Priority date: May 31, 2016
Publication date: Oct 8, 2019
Grant date: Oct 8, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The security of network connections on a computing device is protected by detecting and preventing compromise of the network connections, including man-in-the-middle (MITM) attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network connection, blocking the network connection, switching to a different network connection, applying a policy, and sending anomaly information to a security server.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for preventing the use of a first connection, the method comprising: (i) inspecting, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and (ii) when the determination is that the content contains the predetermined content: creating, by the client-side proxy before the first connection is used, a second connection, the client-side proxy creating the second connection through a server to the destination, the second connection being more secure than the first connection, and modifying, by the client-side proxy, the communication to use the second connection instead of using the first connection to send the content, including the predetermined content, to the destination.

2. The method of claim 1 further comprising: determining, by the client-side proxy from the inspecting before the first connection is used, that the first connection is to be used; detecting, by the client-side proxy, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and modifying, by the client-side proxy after the communication, a second communication from the application so that the modified second communication uses the second connection.

3. The method of claim 2, wherein the detecting, by the client-side proxy, that the first connection is compromised is based on one or more of: (i) a probe of the first connection; (ii) a failure of a certificate from the destination to match a previous certificate from the destination; or (iii) a presence of one or more of: an address, or an identifier that is not specified in a policy for the first connection.

4. The method of claim 1 further comprising: determining, by the client-side proxy before the first connection is used, whether data associated with the application on the computing device indicates that the communication will be encrypted; and wherein the creating, by the client-side proxy before the first connection is used, the second connection to the destination includes: creating, by the client-side proxy, the second connection to the destination when the determination is that the received data indicates that the communication will be encrypted.

5. The method of claim 1, wherein the inspecting, by the client-side proxy, the communication further includes: (i) determining, by the client-side proxy, whether the communication or the first connection is subject to a policy; and (ii) performing the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.

6. The method of claim 5, wherein the policy is specified by an administrator or a user of the computing device.

7. The method of claim 5, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.

8. The method of claim 7, wherein the risk level is associated with one or more of: the communication, the first connection, or the computing device.

9. The method of claim 7, wherein the risk level is based on one or more of: a geographic location of the computing device; an assessed security state of the computing device; or an assessed value of information stored on the computing device.

10. The method of claim 1, wherein the application created the first connection, wherein the determining whether the content contains predetermined content includes obtaining, by the client-side proxy from an operating system on the computing device, an identity of the application.

11. A method for preventing the use of a first connection, the method comprising: (i) inspecting, by a client-side proxy on a computing device, a communication from an application on the computing device to a destination, the communication originating from the computing device and configured to use the first connection to send content to the destination, the inspecting of the communication being completed before the first connection is used and the inspecting including a determination of whether the content contains predetermined content; and (ii) when the determination is that the content contains the predetermined content: creating, by the client-side proxy before the first connection is used, a second connection to the destination, the second connection being more secure than the first connection, performing, by the client-side proxy before the first connection is used, a handshake with the destination using the second connection, recording, by the client-side proxy before the first connection is used, session information associated with the handshake, breaking, by the client-side proxy before the first connection is used, the second connection, making, by the client-side proxy before the first connection is used, a third connection to the destination, the third connection being made using the recorded session information, and modifying, by the client-side proxy before the first connection is used, the communication so that the modified communication uses the third connection to send the content, including the predetermined content, to the destination.

12. The method of claim 11 further comprising: determining before the first connection is used, by the client-side proxy from the inspecting, that the first connection is to be used; detecting, by the client-side proxy before the first connection is used, that the first connection is compromised before the creating, by the client-side proxy, the second connection to the destination; and modifying, by the client-side proxy after the communication, a second communication from the application on the computing device so that the modified second communication uses the third connection.

13. The method of claim 12, wherein the detecting, by the client-side proxy, that the first connection is compromised is based on one or more of: (i) a probe of the first connection; (ii) a failure of a certificate from the destination to match a previous certificate from the destination; or (iii) a presence of one or more of: an address, or an identifier that is not specified in a policy for the first connection.

14. The method of claim 11, wherein the inspecting, by the client-side proxy, the communication further includes: (i) determining, by the client-side proxy, whether the communication or the first connection is subject to a policy; and (ii) performing the remaining steps of the method when the client-side proxy determines that the communication or the first connection is subject to the policy.

15. The method of claim 14, wherein the policy is based on a risk level associated with one or more of: the communication, the first connection, or the computing device.

16. The method of claim 14, wherein the policy is specified by an administrator or a user of the computing device.

17. The method of claim 16, wherein the policy determines the remaining steps of the method are to be performed based on a risk level.

18. The method of claim 17, wherein the risk level is based on one or more of: a geographic location of the computing device; an assessed security state of the computing device; or an assessed value of information s
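As an added illustration of the decision that claims 1 to 9 place in the client-side proxy, the Python below is example code, not the patent's or the assignee's implementation: the credential-field markers taken as the "predetermined content", the one-point-per-factor risk scoring, the policy shape and the sample data are all assumptions, and the probe of claim 3(i) is not modelled.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed markers for the claims' "predetermined content": credential-like fields.
SENSITIVE = re.compile(rb"(?i)\b(password|passwd|authorization|session_token)\b")


@dataclass(frozen=True)
class Policy:
    allowed_hosts: frozenset   # addresses the policy specifies for the first connection
    allowed_ports: frozenset
    risk_threshold: int        # reroute when device risk reaches this level (claim 7)


@dataclass(frozen=True)
class Device:                  # claim 9 risk factors, as assumed booleans
    trusted_location: bool
    security_state_ok: bool
    holds_high_value_data: bool


@dataclass(frozen=True)
class Connection:
    host: str
    port: int
    cert_der: bytes            # leaf certificate seen on the first connection


def content_is_sensitive(payload: bytes) -> bool:
    """Claim 1: inspect the outgoing content before the first connection is used."""
    return SENSITIVE.search(payload) is not None


def risk_level(dev: Device) -> int:
    """Claim 9: one point per adverse factor, 0..3 (assumed weighting)."""
    return int(not dev.trusted_location) + int(not dev.security_state_ok) + int(dev.holds_high_value_data)


def compromise_reasons(conn: Connection, pinned: dict, policy: Policy) -> list:
    """Claim 3(ii) and (iii): certificate differs from the previous one, or the address is off-policy."""
    reasons = []
    seen = pinned.get(conn.host)
    if seen is not None and seen != hashlib.sha256(conn.cert_der).hexdigest():
        reasons.append("certificate differs from previous certificate")
    if conn.host not in policy.allowed_hosts or conn.port not in policy.allowed_ports:
        reasons.append("address not specified in policy")
    return reasons


def route(payload: bytes, conn: Connection, dev: Device, pinned: dict, policy: Policy) -> tuple:
    """Return ('first' | 'second', reasons); 'second' means the proxy rewrites the
    communication onto the more secure connection through the server (claim 1)."""
    if not content_is_sensitive(payload):
        return "first", []
    reasons = compromise_reasons(conn, pinned, policy)
    if reasons or risk_level(dev) >= policy.risk_threshold:
        return "second", reasons or ["sensitive content at risk level %d" % risk_level(dev)]
    return "first", []


# Constructed sample data (not from the patent): one pinned host and a login POST.
POLICY = Policy(frozenset({"mail.example.com"}), frozenset({443}), risk_threshold=2)
PINNED = {"mail.example.com": hashlib.sha256(b"constructed-cert-A").hexdigest()}
LOGIN = b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2"
```

A real proxy would key the pin store on the destination and store a digest of the certificate actually presented, so that a substituted certificate on a later connection surfaces as the mismatch claim 3(ii) describes.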

Assignees

Lookout Inc

Inventors

Classifications

  • Active monitoring, e.g. heartbeat, ping or trace-route · CPC title

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title

  • Assessing vulnerabilities and evaluating computer system security · CPC title

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10440053B2 cover?
The security of network connections on a computing device is protected by detecting and preventing compromise of the network connections, including man-in-the-middle (MITM) attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network co…
Who is the assignee on this patent?
Lookout Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1466. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 8, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).