EP3286683A1 - System and method for monitoring the integrity of a component delivered by a server system to a client system - Google Patents
- Publication number: EP3286683A1 (EP16721076.4A)
- Authority: EP (European Patent Office)
- Prior art keywords: sensor, component, integration, information, delivered
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F2221/033—Test or assess software
Definitions
- the present invention relates to a system and a method for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system.
- the component can be a website which is processed or executed on a web browser acting as a client system.
- server-side components such as a web server, a software backend and a database connection of the web server, as well as client-side components that are executed in the web browser of the actual customer.
- Client-side components, such as HTML or JavaScript code, are transferred from the web server to the customer's browser in the course of rendering a web page.
- the component transmitted according to the invention is such a client-side component.
- components of the actual browser and its extensions, such as plug-ins, are not considered further.
- client-side technologies have become the focus of attackers.
- Malicious software or manual attackers intentionally attack the client-side components in the customer's browser, for example, to steal sensitive data. This is done by manipulating the original client components to modify or monitor the actual behavior of these components. Since this type of manipulation only takes place on the client side, server-side protection technologies cannot detect it.
- The object of the present invention is therefore to provide a system for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, i.e. a client-side component.
- the present invention comprises a system for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, which comprises an integration system and a sensor.
- the integration system integrates the sensor into the component delivered by the server system to the client system.
- the sensor is configured to be executed during processing and / or execution of the component and to detect modifications of the component.
- the present invention thus provides a client-side protection technology which is executed during processing or execution of the client-side component and recognizes modifications of the component.
- the integration system can be part of the server system or part of the client system or be made available by an intermediary proxy.
- An integration of the integration system into the client system can take place in particular if there are several logical levels in the client system, whereby the integration of the sensor by the integration system takes place at a level above the expected attack.
- the integration system can be connected upstream of the actual client system in the manner of a local proxy server in the client system.
- the integration system preferably forms part of the server system or an intermediary proxy. This has the advantage that the service provider operating the server system can deliver the protection technology provided by the sensor without the customer having to act independently or even having any influence on it.
- the integration system equips the sensor with information about the delivered state of the component and / or an identifier of the delivery process.
- The information on the delivered state of the component allows the sensor to compare it with the current state of the component and thus to identify modifications.
- When the sensor communicates with other components of the system, the identifier allows a report to be assigned to a specific delivered component.
- The sensor can be integrated into the component in such a way, or can perform such actions, that it cannot be removed by subsequent manipulations.
- corresponding attributes of the sensor within the component can be set for this purpose.
- the integration system obfuscates the sensor during integration or after integration. This is to prevent an attacker from detecting and removing the sensor within the component.
- the integration system dynamically modifies the sensor for the integration. This is intended to reduce the detectability of the sensor within the component.
- the integration system changes variable names and / or function names and / or the size of the sensor.
- The position of the sensor within the component can be changed. Preferably, the change is different and / or random for several, and preferably for each, integration process.
- the integration system alters both the sensor and one or more components of the delivered component for the purpose of obfuscation.
- the change in the other components of the delivered component also prevents easy detection of the sensor within the component.
- the change takes place here differently and / or randomly in the case of several and preferably each integration process.
- The integration system encrypts the sensor and / or one or more components of the delivered component in the course of integrating the sensor.
- The encrypted components regain their original meaning only during the processing and / or execution of the component.
- the entire program code of the delivered component can be encrypted after integration.
- Such encryption protects against static analysis methods, since the original meaning of the individual constituents of the component results only when the component is processed or executed.
- Most malware only performs static analysis and therefore cannot detect the sensor.
- The system according to the invention may further comprise a reference proxy which, prior to delivery of the component to the client system, alters references of the sensor and / or the delivered component and / or re-addresses them to itself. This prevents the sensor from becoming recognizable by its references.
- the references are references to external code and / or URLs.
- the change and / or re-addressing of the references is preferably carried out differently and / or randomly in the case of several and preferably each delivered component.
- The reference proxy is preferably designed such that it forwards the call to the original references when the modified and / or self-addressed references are called.
- The reference proxy can store an association between the changed and / or self-addressed references and the original references together with an identifier of the delivery process. If a corresponding call then follows, it is forwarded to the original reference on the basis of the stored assignment.
- The reference proxy according to the invention can form part of the integration system. In this case, the reference proxy is preferably connected downstream of the actual integration and re-addresses all references in the component and in the sensor integrated therein.
- When executed on the client system, the sensor sends a report and / or detected modifications to another system.
- The sensor thereby transmits modified or added elements of the component completely to the further system.
- the sensor can send the complete component to the further system.
- the other system has the opportunity to carry out a comprehensive analysis of the detected modifications or the component.
- The report contains an identifier of the delivery process to which the report relates. This allows the report and any modifications to be assigned to the corresponding component.
- the sensor according to the invention can contain information about the delivered state of the component and compare it with the current state of the component. This allows the sensor to recognize in a particularly simple manner, a modification of the component which has taken place after delivery.
- the information about the delivered state of the component may be structural information.
- The sensor recognizes modifications based on a document object model of the component.
- A Document Object Model is particularly present in HTML documents and contains all the components of the HTML component. Based on the Document Object Model, modifications of the component can therefore be detected, and in particular modified and / or added elements of the component are detected.
- The sensor can be configured such that the check is restricted to subregions of the delivered component.
- Restricting the check to subareas of the delivered component prevents unproblematic modifications in a non-critical portion of the delivered component, caused for example by browser plug-ins, from leading to a report of a modification by the sensor.
- The sensor may have a filter function to exclude certain modifications.
- a filtering function also prevents known, unproblematic modifications from being reported by the sensor.
- the filter function can be implemented in the form of a white list of permissible modifications.
- the system comprises an acceptance system, which receives information from the integration system and / or the sensor and preferably stores and / or forwards it.
- the acceptance system can use the information to recognize whether the integration of the sensor and / or the execution of the sensor has occurred on the client system.
- the acceptance system thus enables a monitoring of the proper functioning of the sensor and thus also serves to increase the safety.
- the integration system is designed such that it sends a message to the acceptance system for each integration.
- the message preferably includes an identifier of the delivery process.
- the acceptance system thus receives information about all components supplied with an integrated sensor.
- the acceptance system preferably stores the information received from the integration system and in particular an identifier for each delivery process. It is preferably provided that the acceptance system stores the information obtained from the integration system together with a time information. Alternatively or additionally, the information obtained by the integration system may already contain time information. The acceptance system therefore knows when a particular component has been delivered based on the stored information.
- The sensor sends a report to the acceptance system during its execution.
- The report is preferably sent to the acceptance system regardless of whether a modification has been recognized or not. If no modification has been detected, this is communicated via a corresponding report.
- If a modification has been detected, the report preferably contains information about the identified modifications, and in particular, as described in more detail above, the complete modification or the complete modified component. Further preferably, the report comprises an identifier of the delivery process. As a result, the report can be assigned to the corresponding component within the acceptance system.
- the acceptance system compares the information received from the sensor with stored information, in particular with the information that the acceptance system has received from the integration system.
- the acceptance system matches an identifier of the delivery process received from the sensor with stored identifiers delivered by the integration unit.
- the acceptance system interprets missing information or a missing report from a sensor as a modification or removal of the sensor.
- Missing information is preferably recognized on the basis of the stored time information. If the acceptance system detects a lack of information from a sensor and thus a modification, it preferably sends a message to a downstream evaluation system and / or to the server system.
- the acceptance system interprets a missing report as a modification of the sensor, and preferably sends a corresponding message.
- the system according to the invention comprises an evaluation system which evaluates the modifications detected by the sensor.
- the system is designed such that the evaluation system completely receives modified or added elements of the component.
- the evaluation system can also obtain the complete component. According to the invention, the evaluation system can thereby perform a detailed analysis of the modifications.
- the evaluation system preferably receives the information about the identified modifications and in particular the modified elements or the modified component from the acceptance system.
- the acceptance system generates a new evaluation task in the event that a report from the sensor reports a modification, and sends it to the evaluation system.
- the type of evaluation of the modifications is initially not restricted. Preferably, the evaluation is carried out in several stages.
- The evaluation is carried out at least also by static analysis methods, preferably by a plurality of different static analysis methods.
- A comparison of the identified modifications with a blacklist and / or a whitelist, i.e. lists of already known, harmful or harmless modifications, can take place here.
- An identification of unknown components, which are found neither on the blacklist nor on the whitelist, can also take place.
- the analysis can be based on that in the component
- the comparison with the blacklist can be done in a possible embodiment as a direct comparison, and / or as a comparison after a normalization, and / or as a similarity comparison.
- Dynamic analysis methods may also be used, in particular a simulation of the processing and / or execution of the component (sandboxing). Furthermore, evaluation by machine learning methods is possible.
- static analysis methods are preferred because they can be carried out much faster and require less effort than dynamic or machine learning methods.
- the evaluation system calculates a risk value of the modified component.
- This calculation of the risk value preferably takes place on the basis of an analysis and / or classification of the identified modifications.
- The identified modifications are analyzed and / or classified, whereby each modification is assigned a hazard value. From the hazard values of the individual identified modifications, the risk value of the modified component as a whole can be calculated. This results in an assessment of the danger emanating from a modified component that is especially easy to implement.
- the evaluation system sends to the server system information on the risk of the modified component and in particular a risk value.
- Preferably, an identifier of the delivery process is sent together with the information on the risk or the risk value, so that a corresponding assignment can be made on the part of the server system.
- the server system is designed such that it initiates countermeasures on the basis of the information of the evaluation system.
- the countermeasures preferably do not involve stopping the processing and / or execution of the modified component itself.
- it is conceivable to suppress downstream processes such as an actual money transfer, a delivery of products or the like and / or to contact the customer.
- The decision about countermeasures within the server system is made based on the information of the evaluation system and preferably on further information, in particular on the user behavior.
- Other factors, such as a deviation of the detected behavior from conventional user behavior, can also be included in the decision whether and, if so, which countermeasures are taken.
- The decision on countermeasures can be made both automatically and by a human decision maker to whom the corresponding information is made available by the server system.
- the component is a web page.
- the client system is a web browser.
- the system according to the invention is therefore preferably used for securing a web page which is processed and / or executed by a web browser.
- The integration of the sensor into the website according to the invention ensures that manipulations taking place after the delivery of the website by the server system are detected.
- the sensor is preferably a script which is integrated into the website. Integration into the website can also be done by integrating one or more references to external targets, which then contain the script.
- the component delivered by the server system can provide one of the following services: a webmailer, a payment service, an online shop, and / or access to a social network.
- sensitive data is exchanged, which is secured by the sensor according to the invention and its integration into the component against manipulation and tapping.
- The present invention initially relates to the system just described for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, which comprises at least the sensor according to the invention and an integration system according to the invention, and preferably also an acceptance system and / or an evaluation system according to the present invention.
- The present invention also relates to the individual components of the system according to the invention, and thus in particular to the sensor according to the invention, the integration system according to the invention, the acceptance system according to the invention and the evaluation system according to the invention.
- The present invention thus encompasses, in particular, a sensor for a system as described above, wherein the sensor can be integrated into a component delivered by a server system to a client system and processable and / or executable on the client system, and is configured such that it is executed during the processing and / or execution of the component and detects modifications of the component.
- The sensor is preferably configured as has already been described in more detail above with regard to the system.
- The sensor can send a report and / or detected modifications to another system during its execution.
- the sensor preferably transmits modified or added elements of the component completely to the further system, and / or, in the case of a modification, sends the complete component to the further system.
- the report comprises an identifier of the delivery process.
- The sensor may contain information about the delivered state of the component, and compare it with the current state of the component. In particular, this is structural information. Furthermore, it can be provided that the sensor recognizes the modifications on the basis of a document object model of the component and / or that the sensor comprises a copy of the delivered document object model of the component.
- The sensor is configurable so that the review can be limited to portions of the delivered component.
- the sensor may comprise a filter function to exclude certain modifications, in particular in the form of a whitelist.
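
The sensor-side check described above (delivered structural information compared with the current state, restricted to a subregion, with a whitelist filter) can be sketched as follows. This is an added example, not code from the patent: plain objects stand in for DOM elements so it runs outside a browser, and the path format, the function names, the `data-pwmgr` attribute and the sample pages are constructed assumptions.

```javascript
// Added example: structural comparison with scope restriction and whitelist.

// Fingerprint of one element: tag, sorted attributes, own text.
function describe(node) {
  const attrs = Object.keys(node.attrs || {}).sort()
    .map((k) => `${k}=${node.attrs[k]}`).join(";");
  return `${node.tag}[${attrs}]${node.text || ""}`;
}

// Flatten a tree into a Map of positional path -> fingerprint.
function snapshot(node, path = node.tag, out = new Map()) {
  out.set(path, describe(node));
  (node.children || []).forEach((child, i) => {
    snapshot(child, `${path}/${child.tag}:${i}`, out);
  });
  return out;
}

// Compare delivered and current snapshots inside the configured scope,
// then drop modifications matched by the whitelist.
function detectModifications(delivered, current, options = {}) {
  const scope = options.scope || [""];       // path prefixes to check
  const whitelist = options.whitelist || []; // regexes over "<kind> <fingerprint>"
  const inScope = (p) =>
    scope.some((s) => s === "" || p === s || p.startsWith(s + "/"));
  const allowed = (m) => whitelist.some((re) => re.test(`${m.kind} ${m.element}`));
  const found = [];
  for (const [path, fp] of current) {
    if (!inScope(path)) continue;
    if (!delivered.has(path)) found.push({ kind: "added", path, element: fp });
    else if (delivered.get(path) !== fp) found.push({ kind: "changed", path, element: fp });
  }
  for (const [path, fp] of delivered) {
    if (inScope(path) && !current.has(path)) found.push({ kind: "removed", path, element: fp });
  }
  return found.filter((m) => !allowed(m));
}

// The report is built whether or not anything was found and always
// carries the identifier of the delivery process.
function buildReport(deliveryId, deliveredSnapshot, currentTree, options) {
  const modifications = detectModifications(deliveredSnapshot, snapshot(currentTree), options);
  return { deliveryId, modified: modifications.length > 0, modifications };
}

// Constructed sample: the page as delivered ...
const DELIVERED_PAGE = {
  tag: "body", children: [
    { tag: "div", attrs: { id: "banner" }, text: "Welcome" },
    { tag: "form", attrs: { id: "pay", action: "/transfer" }, children: [
      { tag: "input", attrs: { name: "iban" } },
      { tag: "input", attrs: { name: "amount" } },
    ] },
  ],
};

// ... and the page as found later: a plug-in touched the banner and added a
// marker element, while the form target changed and a field appeared.
const CURRENT_PAGE = {
  tag: "body", children: [
    { tag: "div", attrs: { id: "banner" }, text: "Welcome", children: [
      { tag: "span", text: "translated by plug-in" },
    ] },
    { tag: "form", attrs: { id: "pay", action: "https://collector.example/" }, children: [
      { tag: "input", attrs: { name: "iban" } },
      { tag: "input", attrs: { name: "amount" } },
      { tag: "input", attrs: { name: "tan", type: "hidden" } },
      { tag: "span", attrs: { "data-pwmgr": "icon" } },
    ] },
  ],
};

// Check only the payment form; tolerate the hypothetical plug-in marker.
const SENSOR_OPTIONS = {
  scope: ["body/form:1"],
  whitelist: [/^added span\[data-pwmgr=/],
};
```

Positional paths keep the sketch short; inserting an element ahead of its siblings shifts their indices, so a production sensor would key elements more robustly.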
- the present invention further comprises an integration system for a system, as described in more detail above, wherein the integration system is configured such that it integrates a sensor into a component delivered by a server system to a client system and processable and / or executable on the client system.
- the integration system is preferably configured as has already been described in more detail above with regard to the overall system.
- the integration system equips the sensor with information about the delivered state of the component and / or an identifier of the delivery process.
- the integration system can integrate the sensor in the component so that the sensor can not be removed by subsequent manipulations.
- The integration system obfuscates the sensor during the integration or after the integration.
- the integration system dynamically modifies the sensor for the integration.
- the integration system preferably changes variable names and / or function names and / or the position of the sensor in the component and / or the size of the sensor.
- The change is different and / or random for several, and preferably for each, integration process.
- the integration system alters both the sensor and one or more components of the delivered component for the purpose of obfuscation.
- the change takes place differently and / or randomly in the case of several and preferably each integration process.
- The integration system may encrypt the sensor and / or one or more components of the delivered component, and preferably the entire program code of the delivered component, as part of the integration of the sensor.
- The encrypted components preferably regain their original meaning only during the processing and / or execution of the component.
- the integration system sends a message to an acceptance system for each integration, the message preferably comprising an identifier of the delivery process.
- The integration system comprises a reference proxy which, prior to delivery of the component to the client system, alters references of the sensor and / or the delivered component to external destinations and / or re-addresses them to itself.
- the change and / or addressing takes place differently and / or randomly in the case of several and preferably each delivered component.
- the reference proxy forwards the call to the original references when the changed and / or addressed references are called.
- the reference proxy can store an association between the changed and / or self-addressed and the original references together with an identifier for the respective delivery process.
- the present invention further includes an acceptance system for a system as set forth above, wherein the acceptance system is configured to receive, store and / or forward information from the integration system and / or the sensor.
- the acceptance system is preferably designed as already explained above with regard to the overall system.
- The acceptance system can recognize from the information whether the integration of the sensor has taken place and / or whether the sensor has been executed on the client system.
- the acceptance system preferably stores the information received from the integration system and in particular an identifier for each delivery process.
- the acceptance system preferably stores the information obtained from the integration system together with time information, and / or the information obtained from the integration system already contains time information which is stored.
- The acceptance system preferably compares the information obtained from the sensor with stored information.
- The acceptance system matches an identifier of the delivery process received from the sensor with stored identifiers delivered by the integration unit.
- the acceptance system interprets missing information from a sensor as a modification of the sensor. Missing information is preferably detected based on the stored time information.
- the acceptance system preferably sends an evaluation job to an evaluation system.
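
The acceptance-system bookkeeping described above (one message per integration stored with time information, reports matched by delivery identifier, a missing report interpreted as a modification of the sensor, a modification report turned into an evaluation job) can be sketched as follows. This is an added example, not code from the patent; the class and method names, the 30-second deadline, the handling of unknown identifiers and the timeline are constructed assumptions.

```javascript
// Added example: acceptance system bookkeeping (names and timings are assumptions).
class AcceptanceSystem {
  constructor(reportDeadlineMs) {
    this.reportDeadlineMs = reportDeadlineMs; // how long a sensor may stay silent
    this.deliveries = new Map();              // deliveryId -> { deliveredAt, reportedAt, flagged }
    this.evaluationTasks = [];                // jobs for the evaluation system
    this.alerts = [];                         // messages for evaluation and / or server system
  }

  // One message per integration, stored together with time information.
  recordIntegration(deliveryId, deliveredAt) {
    this.deliveries.set(deliveryId, { deliveredAt, reportedAt: null, flagged: false });
  }

  // Sensor report; it arrives whether or not a modification was detected.
  receiveReport(report, receivedAt) {
    const entry = this.deliveries.get(report.deliveryId);
    if (!entry) {
      // Identifier matches no stored delivery (this handling is an assumption).
      this.alerts.push({ type: "unknown-delivery", deliveryId: report.deliveryId });
      return "unknown-delivery";
    }
    entry.reportedAt = receivedAt;
    if (report.modified) {
      this.evaluationTasks.push({
        deliveryId: report.deliveryId,
        modifications: report.modifications,
      });
      return "evaluation-task";
    }
    return "clean";
  }

  // Periodic sweep: a delivery with no report past the deadline is treated
  // as a modification or removal of the sensor. Each delivery is flagged once.
  findSilentSensors(now) {
    const silent = [];
    for (const [deliveryId, entry] of this.deliveries) {
      const overdue = now - entry.deliveredAt > this.reportDeadlineMs;
      if (entry.reportedAt === null && overdue && !entry.flagged) {
        entry.flagged = true;
        this.alerts.push({ type: "sensor-silent", deliveryId });
        silent.push(deliveryId);
      }
    }
    return silent;
  }
}

// Constructed timeline (milliseconds): three deliveries, three reports.
function runAcceptanceDemo() {
  const acceptance = new AcceptanceSystem(30000);
  acceptance.recordIntegration("d-0001", 0);
  acceptance.recordIntegration("d-0002", 1000);
  acceptance.recordIntegration("d-0003", 2000); // its sensor never reports
  const outcomes = [
    acceptance.receiveReport({ deliveryId: "d-0001", modified: false, modifications: [] }, 3000),
    acceptance.receiveReport({ deliveryId: "d-0002", modified: true,
      modifications: ['<input type="hidden" name="tan">'] }, 4000),
    acceptance.receiveReport({ deliveryId: "d-9999", modified: false, modifications: [] }, 5000),
  ];
  const silent = acceptance.findSilentSensors(40000);
  const secondSweep = acceptance.findSilentSensors(50000);
  return { outcomes, silent, secondSweep,
           tasks: acceptance.evaluationTasks, alerts: acceptance.alerts };
}
```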
- the present invention further comprises an evaluation system for a system, as described in more detail above, wherein the evaluation system is designed such that it evaluates the modifications detected by the sensor.
- the evaluation system is preferably designed as already explained above with regard to the overall system.
- The evaluation system completely receives and evaluates modified or added elements of the component, and / or in the case of a modification receives and / or evaluates the complete component.
- the evaluation can be done in several stages.
- the evaluation can be carried out in particular by static analysis methods, in particular by comparison with a blacklist and / or a whitelist and / or an identification of unknown components and / or by means of references and / or signatures and / or word lists.
- the comparison with the blacklist may be performed as a direct comparison and / or as a comparison after normalization and / or as a similarity comparison.
- it can be checked whether there are new or changed references to a destination outside of a predefined area, in particular outside the server system.
- the evaluation can also be carried out by dynamic analysis methods, in particular by the simulation of the processing and / or execution of the component, and / or by machine learning methods.
- the evaluation system preferably calculates a risk value of the modified component. In particular, this is done based on an analysis and / or classification of the detected modifications. In particular, it can be provided that the detected modifications are analyzed and / or classified and each modification is assigned a hazard value, from which the risk value of the modified component is then calculated in its entirety. Furthermore, it can be provided that the evaluation system sends to the server system information on the risk of the modified component and in particular a risk value.
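
The staged static evaluation described above (whitelist, blacklist by direct comparison, after normalization and by similarity, the check for references outside a predefined area, and a risk value computed from per-modification hazard values) can be sketched as follows. This is an added example, not code from the patent; the list contents, host names, hazard values, the trigram similarity measure, the 0.8 threshold and the combination formula are constructed assumptions, since the description does not fix any of them.

```javascript
// Added example: staged static evaluation and risk value (all values constructed).
const WHITELIST = ['<span data-pwmgr="icon"></span>'];
const BLACKLIST = ['<script src="https://collector.example/grab.js"></script>'];
const ALLOWED_HOSTS = ["shop.example"]; // the predefined area for references

// Hazard value per class; the numbers are assumptions for illustration.
const HAZARD = {
  whitelisted: 0, blacklistDirect: 1.0, blacklistNormalized: 0.9,
  blacklistSimilar: 0.7, unknownExternalRef: 0.5, unknown: 0.2,
};

// Normalization: case-fold and drop all whitespace.
function normalize(s) {
  return s.toLowerCase().replace(/\s+/g, "");
}

function trigrams(s) {
  const set = new Set();
  for (let i = 0; i + 3 <= s.length; i++) set.add(s.slice(i, i + 3));
  return set;
}

// Jaccard similarity over character trigrams of the normalized strings.
function similarity(a, b) {
  const ta = trigrams(normalize(a));
  const tb = trigrams(normalize(b));
  let shared = 0;
  for (const t of ta) if (tb.has(t)) shared++;
  const union = ta.size + tb.size - shared;
  return union === 0 ? 1 : shared / union;
}

// Hosts referenced by the element that lie outside the predefined area.
function externalHosts(s) {
  const hosts = [];
  for (const m of s.matchAll(/https?:\/\/([^\/"'\s>]+)/gi)) {
    const host = m[1].toLowerCase();
    if (!ALLOWED_HOSTS.includes(host)) hosts.push(host);
  }
  return hosts;
}

// Stages run from cheapest to most expensive; the first match decides.
function classify(element, threshold = 0.8) {
  const n = normalize(element);
  if (WHITELIST.some((w) => normalize(w) === n)) return "whitelisted";
  if (BLACKLIST.includes(element)) return "blacklistDirect";
  if (BLACKLIST.some((b) => normalize(b) === n)) return "blacklistNormalized";
  if (BLACKLIST.some((b) => similarity(b, element) >= threshold)) return "blacklistSimilar";
  return externalHosts(element).length > 0 ? "unknownExternalRef" : "unknown";
}

// Risk value of the component: 1 - product(1 - hazard_i), so one certain
// hit yields 1 and several moderate findings accumulate (an assumption).
function evaluate(task) {
  const findings = task.modifications.map((element) => {
    const cls = classify(element);
    return { element, class: cls, hazard: HAZARD[cls] };
  });
  const riskValue = 1 - findings.reduce((p, f) => p * (1 - f.hazard), 1);
  return { deliveryId: task.deliveryId, riskValue, findings };
}

// Constructed evaluation job: modified or added elements as markup strings.
const SAMPLE_TASK = {
  deliveryId: "d-0002",
  modifications: [
    '<span data-pwmgr="icon"></span>',
    '<SCRIPT  src="https://collector.example/grab.js"> </SCRIPT>',
    '<script src="https://collector.example/grab2.js"></script>',
    '<img src="https://cdn.elsewhere.example/p.gif">',
    "<p>hello</p>",
  ],
};
```

The result object carries the delivery identifier next to the risk value, which is what lets the server system assign it to the affected session.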
- The acceptance system according to the invention and the evaluation system according to the invention are each, independently of one another, the subject of the present invention. Furthermore, the combination of an acceptance system according to the invention and an evaluation system according to the invention is the subject of the present invention.
- All components of the system according to the invention preferably operate automatically and thus implement the system according to the invention or carry out the method according to the invention automatically.
- the individual components are provided by software and / or hardware.
- the present invention further comprises a corresponding method.
- the present invention encompasses a method for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system.
- the sensor is integrated into the component delivered by the server system to the client system, wherein the sensor is executed during the processing and / or execution of the component and detects modifications of the component.
- the process according to the invention preferably takes place in the same way as has already been described in more detail above with regard to the system according to the invention.
- the method according to the invention can be carried out using a system according to the invention and / or using one of the components of such a system described above.
- Fig. 1 shows a first embodiment of a system according to the invention and of a method according to the invention, and Fig. 2 shows a second embodiment of a system according to the invention and of a method according to the invention.
- FIGS. 1 and 2 show two embodiments of a system according to the invention. The embodiments represent at the same time embodiments of the components of the system according to the invention, as well as of the method according to the invention.
- Both exemplary embodiments each show a system for monitoring the integrity of a component 50 delivered by a server system 10 to a client system 20 and processable and / or executable on the client system 20, wherein the component in the exemplary embodiment is a web page which is transmitted by the server system 10, operating as a web server, to a browser operating as the client system 20.
- the communication between the web server 10 and the browser 20 takes place via the Internet, which is shown schematically as a cloud 30.
- Both the exemplary embodiment of the system according to the invention shown in FIG. 1 and that shown in FIG. 2 initially comprise the following components:
- An integration system 40 which integrates a sensor 60 into an existing web page 50 transmitted from the web server 10 to the browser 20.
- the integration can be done by the web server 10, or by an intermediary proxy, or on the client side.
- a sensor 60 which can be integrated into the web page 50 and there identify modifications in the execution of the website.
- the sensor can be implemented via JavaScript, for example.
- An acceptance system 70, referred to in the exemplary embodiment as "report acceptance", to which the sensor component 60 reports the web page changes it has determined, the acceptance system 70 accepting and storing the reports.
- An evaluation system 80 which examines and classifies the data stored by the acceptance system 70 according to attack patterns.
- the service operator can take appropriate measures. For example, the operator of a web shop can stop the delivery of ordered goods if the customer's account has possibly been stolen. Affected customers can be contacted and, if appropriate, the customer's account can be temporarily blocked.
- FIG. 2 differs from the embodiment shown in FIG. 1 by a further, additional component:
- a reference proxy 90 which modifies references in the original elements of the web page 50 delivered by the web server 10 and in the elements of the sensor 60 and specifies the reference proxy as a new destination. When invoking such a reference, the reference proxy 90 forwards the call to the original destination. Preferably, the new references will be given randomly.
- the purpose of the reference proxy is to obscure references to prevent identification of references from the sensor, particularly references to the acceptance system 70 of the sensor.
- the reference proxy 90 represents an additional component added to the exemplary embodiment shown in FIG. 1. Otherwise, the exemplary embodiment shown in FIG. 2 corresponds to the exemplary embodiment shown in FIG.
- the communication between the individual components takes place in the first exemplary embodiment in FIG. 1 as follows:
- the customer 20 requests the website of the service provider 10.
- the web server 10 of the service provider delivers the requested web page.
- the sensor 60 is integrated into the website 50 in the integration system 40.
- the original web page 50 including the integrated sensor 60 is transmitted to the customer.
- the sensor 60 determines modifications to the web page, and transmits a report with recognized web page modifications to the acceptance system 70.
- the acceptance system 70 notifies the evaluation system 80 that a new analysis job is ready.
- the customer 20 requests the website of the service provider 10.
- the web server 10 of the service provider delivers the requested web page 50.
- the integration system 40 integrates the sensor 60 into the web page 50. Upon successful integration of the sensor, this is signaled to the acceptance system 70.
- the reference proxy 90 obfuscates the references in the original web page 50, including the integrated sensor 60, and delivers the web page to the customer 20 with obfuscated references.
- the sensor 60 executes upon execution of the web page 50 and determines web page modifications which are transmitted via the reference proxy 90 to the acceptance system 70.
- the acceptance system 70 notifies the evaluation system 80 that a new analysis job is ready.
- the integration system 40 integrates the sensor into the web page 50 delivered by the server system 10.
- the sensor is implemented in the exemplary embodiment as software.
- the sensor is dynamically modified during or after the integration for obfuscation purposes.
- the integration system 40 obscures the sensor's code by replacing all variable names and function names with new random values on a regular basis or for each version delivered.
- the position of the sensor within the website can be changed regularly or even with each integration.
- the order of references within the web page containing the sensor can be randomized to make it difficult to distinguish references to the original web page code and sensor code.
- An alternative or additional way to obscure is to dynamically modify both the sensor and the rest of the website. For example, all the elements of the website including the sensor or the elements of the sensor can be given the same or randomly distributed lengths by adding padding. Alternatively or additionally, the web page or code contained therein can be encrypted, so that the web page or the code is then restored to its original meaning at runtime.
- the concealment of the sensor or the entire component including the sensor serves to protect against static analysis methods, as they can no longer identify the sensor due to the obfuscation, so that removal of the sensor is impossible.
- the script elements that comprise the sensor can be provided with attributes within the web page, which protect them from subsequent modifications.
- the attributes can be specified in the so-called Document Object Model (DOM).
- the integration connects the sensor to the website in such a way that it cannot be removed afterwards. This is partly because a distinction between the sensor and the original components of the website is no longer possible in retrospect. Removing the sensor by randomly switching off individual elements of the web page is also hardly possible, since randomly switching off elements would, with high certainty, also delete originally delivered scripts that are essential for the running of the website. The sensor is so closely entangled with the original scripts that the website runs reliably only together with the sensor.
- the integration system 40 sends a heartbeat to the acceptance system 70.
- the heartbeat includes an identifier for the delivery process. This identifier is also integrated into the sensor so that it can use the identifier for the assignment of reports. Furthermore, the sensor is equipped with information on the structure of the delivered web page, for example, with a copy of the Document Object Model.
Sensor
- the sensor 60 is implemented as software that integrates with the delivered web page 50 and also executes upon execution of the web page on the client system 20.
- the sensor can be implemented, for example, via JavaScript.
- the sensor consists of one or more scripts, which are executed when the website is executed. The scripts can either be integrated directly into the website or via references.
- the sensor 60, when executed, checks the web page for modifications.
- the current Document Object Model is checked for modifications, in particular by comparing a stored copy of the unmodified Document Object Model with the current Document Object Model.
- when executed, the sensor sends a report to the acceptance system 70.
- the report contains on the one hand the identifier of the delivery process, and on the other hand a message about whether modifications have been found or not. If modifications have been found, either the modified or added elements of the web page are sent completely to the acceptance system 70, or the entire modified web page. A closer analysis of the modifications by the sensor 60 is therefore not necessary and can be done in the evaluation system 80.
- the sensor 60 is configurable so that web page review can be limited to portions of the web page. This avoids that areas that are not critical and that often undergo modifications are also checked and therefore lead to superfluous messages of modifications.
- the sensor may include a filter function to exclude frequently occurring modifications, for example as a result of a whitelist. This also avoids unnecessary notifications of modifications that are known to be unproblematic.
- during its execution on the client system 20, the sensor 60 performs actions after which it can no longer be removed by subsequent modifications. In particular, corresponding attributes in the Document Object Model are specified in such a way that a subsequent modification is no longer possible.
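The sensor's check described above (comparing a stored copy of the delivered Document Object Model with the current one, limited to configured portions of the page and filtered by a whitelist) is shown here as an added example; it is not code from the patent. The DOM is modelled as plain objects so that the example runs outside a browser, and all function names, the report fields and the sample page are assumptions.

```javascript
// Added example: the sensor's comparison step, with the DOM modelled as plain
// objects so it runs outside a browser. All names here are assumptions.
const el = (tag, attrs = {}, children = [], text = '') => ({ tag, attrs, children, text });

// Serialize one element without its children, so changes are reported per element.
function fingerprint(node) {
  const attrs = Object.keys(node.attrs).sort()
    .map((k) => `${k}=${JSON.stringify(node.attrs[k])}`).join(' ');
  return `<${node.tag}${attrs ? ' ' + attrs : ''}>${node.text}`;
}

// Flatten a tree into path -> fingerprint. Children are indexed per tag name
// (form[1], input[3]) so an inserted <script> does not shift its siblings' paths.
function flatten(node, path = node.tag, out = new Map()) {
  out.set(path, fingerprint(node));
  const seen = {};
  for (const child of node.children) {
    seen[child.tag] = (seen[child.tag] || 0) + 1;
    flatten(child, `${path}/${child.tag}[${seen[child.tag]}]`, out);
  }
  return out;
}

// Compare the stored copy with the current tree and build the report.
// config.scope: path prefixes to monitor; config.whitelist: RegExps matching
// elements whose changes are known to be harmless.
function buildReport(deliveryId, baseline, current, config = {}) {
  const scope = config.scope || [''];
  const whitelist = config.whitelist || [];
  const inScope = (path) => scope.some((prefix) => path.startsWith(prefix));
  const harmless = (fp) => whitelist.some((re) => re.test(fp));
  const before = flatten(baseline);
  const after = flatten(current);
  const modifications = [];
  for (const [path, fp] of after) {
    if (!inScope(path) || harmless(fp)) continue;
    if (!before.has(path)) modifications.push({ type: 'added', path, element: fp });
    else if (before.get(path) !== fp) modifications.push({ type: 'modified', path, element: fp });
  }
  // Removed elements are reported too (an addition beyond the patent text).
  for (const [path, fp] of before) {
    if (inScope(path) && !after.has(path)) modifications.push({ type: 'removed', path, element: fp });
  }
  return { deliveryId, modified: modifications.length > 0, modifications };
}

// Constructed sample: the delivered login page and the page as seen at runtime.
const baseline = el('html', {}, [el('body', {}, [
  el('form', { id: 'login', action: '/login' }, [
    el('input', { name: 'user' }), el('input', { name: 'pass', type: 'password' })]),
  el('div', { class: 'ad-slot' }, [], 'Offer A'),
])]);
const current = el('html', {}, [el('body', {}, [
  el('form', { id: 'login', action: '/login' }, [
    el('input', { name: 'user' }), el('input', { name: 'pass', type: 'password' }),
    el('input', { name: 'tan' })]),
  el('div', { class: 'ad-slot' }, [], 'Offer B'),
  el('script', { src: 'https://cdn.example.net/x.js' }),
])]);

const report = buildReport('delivery-0001', baseline, current,
  { whitelist: [/^<div class="ad-slot">/] });
console.log(JSON.stringify(report, null, 2));
```

The report carries the delivery identifier and the complete added or modified elements, so the classification itself can stay in the evaluation system.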
- the reference proxy 90 serves to obscure the references to external targets contained in the original web page as well as in the sensor in order to make it difficult to distinguish between the elements of the web page and the sensor.
- the reference proxy 90 is arranged between the integration system 40 and the client system 20.
- the web page with the integrated sensor is delivered by the integration system 40 to the reference proxy 90, which replaces all the original references contained therein with new references targeting the reference proxy 90.
- the new references will be given randomly.
- calls to these references are then passed by the reference proxy 90 to the original destination. If they are references from the original website, they are forwarded to the original destination in the server system 10. If, on the other hand, they are references from the sensor, their original destination is usually the acceptance system 70, to which they are forwarded.
- the references are in particular URLs to external code, in particular to JavaScript.
- the references of the original code and the sensor code are no longer distinguishable.
- the integration system 40 sends a heartbeat to the acceptance system 70, which is stored by the acceptance system 70.
- the stored information contains on the one hand an identifier of the delivery process, and on the other hand time information.
- the sensor 60, when executed, transmits a report to the acceptance system 70, which can be assigned to the heartbeats of the integration via the identifier.
- the acceptance system 70 can therefore detect whether the integration of the sensor was performed by the integration system, and whether the sensor was executed on the client system 20. In particular, the acceptance system 70 checks at regular intervals whether all the sensors that were delivered according to the heartbeats sent by the integration system 40 have actually been executed. A missing report for a delivery whose integration heartbeat was received is interpreted by the acceptance system 70 as meaning that the processing / execution of the sensor was prevented by modifications of the web page. A missing report is therefore regarded as a modification of the website and treated accordingly.
- the acceptance system 70 accepts the information contained in the report of the sensor 60 and stores it. Furthermore, the corresponding information is transferred to the evaluation system 80 in the form of an analysis job.
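The heartbeat and report correlation described above, as an added example that is not code from the patent: heartbeats are stored with identifier and time, reports are matched by identifier, and a periodic sweep treats a delivery without a report as a modification. The class and field names, the 60-second grace period, the rule that only reports with modifications create analysis jobs, and the handling of reports with an unknown identifier are assumptions.

```javascript
// Added example: bookkeeping of the acceptance system. Names, the grace period
// and the handling of unknown identifiers are assumptions, not patent text.
class AcceptanceSystem {
  constructor(graceMs = 60000) {
    this.graceMs = graceMs;
    this.deliveries = new Map(); // deliveryId -> { sentMs, state }
    this.jobs = [];              // analysis jobs for the evaluation system
  }

  // Called by the integration system once the sensor has been integrated.
  heartbeat(deliveryId, sentMs) {
    this.deliveries.set(deliveryId, { sentMs, state: 'pending' });
  }

  // Called when a sensor report arrives; the identifier links it to a heartbeat.
  report(deliveryId, modifications) {
    const delivery = this.deliveries.get(deliveryId);
    if (!delivery) {
      // Assumption: a report without a stored heartbeat is itself suspicious.
      this.jobs.push({ deliveryId, kind: 'unknown-delivery', modifications });
      return 'unknown-delivery';
    }
    delivery.state = 'reported';
    if (modifications.length === 0) return 'clean';
    this.jobs.push({ deliveryId, kind: 'modified', modifications });
    return 'modified';
  }

  // Run at regular intervals: a heartbeat that is older than the grace period
  // and still has no report means the sensor did not run, which is treated as
  // a modification of the page. Each delivery is flagged only once.
  sweep(nowMs) {
    const silent = [];
    for (const [deliveryId, delivery] of this.deliveries) {
      if (delivery.state === 'pending' && nowMs - delivery.sentMs >= this.graceMs) {
        delivery.state = 'missing';
        this.jobs.push({ deliveryId, kind: 'sensor-silent', modifications: [] });
        silent.push(deliveryId);
      }
    }
    return silent;
  }
}

// Constructed timeline: three deliveries, the third sensor never reports.
const acceptance = new AcceptanceSystem();
acceptance.heartbeat('delivery-0001', 0);
acceptance.heartbeat('delivery-0002', 1000);
acceptance.heartbeat('delivery-0003', 2000);
acceptance.report('delivery-0001', []);
acceptance.report('delivery-0002', [{ type: 'added', element: '<input name="tan">' }]);
console.log(acceptance.sweep(62000)); // deliveries whose sensor stayed silent
console.log(acceptance.jobs.map((job) => `${job.deliveryId}: ${job.kind}`));
```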
Evaluation system (classification)
- the modification data stored by the acceptance system 70 is examined by the evaluation system 80 for attack patterns. Furthermore, the modifications are classified. For each identified modification, the result of the analysis may be as follows:
- the individual modifications may be analyzed and / or classified by one or more of the following static evaluation methods:
i) blacklist
- a comparison of the detected modifications with known, harmful modifications can be made.
- the comparison can be performed as a direct comparison, as a comparison after normalization or as a similarity comparison.
- references contained in the modified component can be analyzed.
- a dynamic evaluation of the modified component can take place by simulating the processing or execution (sandboxing).
- the evaluation system 80 calculates a risk value of the modified web page, i.e., a value that quantifies the overall risk posed by the modified web page.
- the individual modifications are preferably analyzed, classified and then assigned a single hazard value for each individual modification. Based on the individual hazard values, the risk value of the modified website is then determined in its entirety.
- the risk value is reported by the evaluation system 80 to the server system 10, together with the identifier of the delivery process.
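The static evaluation described here and in the earlier summary of the evaluation system (blacklist comparison directly, after normalization and by similarity, the check for references outside the server system, and per-modification hazard values combined into one risk value) is shown as an added example; it is not code from the patent. The hazard values, the trigram similarity measure with its threshold, the combination formula and all sample entries are assumptions, since the patent leaves them open.

```javascript
// Added example: static classification of reported modifications.
// Hazard values, threshold and the combination formula are assumptions.
const normalize = (s) => s.toLowerCase().replace(/['"]/g, '')
  .replace(/\s*=\s*/g, '=').replace(/\s+/g, ' ').trim();

function trigrams(s) {
  const set = new Set();
  for (let i = 0; i + 3 <= s.length; i++) set.add(s.slice(i, i + 3));
  return set;
}

// Jaccard similarity of the character trigrams of the normalized strings.
function similarity(a, b) {
  const ta = trigrams(normalize(a));
  const tb = trigrams(normalize(b));
  if (ta.size === 0 || tb.size === 0) return 0;
  let common = 0;
  for (const t of ta) if (tb.has(t)) common++;
  return common / (ta.size + tb.size - common);
}

// References (src, href, action) whose host lies outside the allowed area.
function externalReferences(element, allowedHosts, base) {
  const refs = [];
  const re = /\b(?:src|href|action)\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(element)) !== null) {
    let host = null;
    try { host = new URL(m[1], base).hostname; } catch (e) { /* unparsable reference */ }
    if (host === null || !allowedHosts.includes(host)) refs.push(m[1]);
  }
  return refs;
}

// Classify one modification and assign its hazard value (0..1).
function classify(element, cfg) {
  if (cfg.whitelist.includes(element)) return { label: 'whitelisted', hazard: 0 };
  if (cfg.blacklist.includes(element)) return { label: 'blacklist-direct', hazard: 1.0 };
  const n = normalize(element);
  if (cfg.blacklist.some((b) => normalize(b) === n)) return { label: 'blacklist-normalized', hazard: 0.9 };
  if (cfg.blacklist.some((b) => similarity(b, element) >= cfg.threshold)) {
    return { label: 'blacklist-similar', hazard: 0.7 };
  }
  if (externalReferences(element, cfg.allowedHosts, cfg.base).length > 0) {
    return { label: 'external-reference', hazard: 0.6 };
  }
  return { label: 'unknown', hazard: 0.2 };
}

// Combine the hazard values into the risk value of the whole page:
// risk = 1 - product(1 - hazard), so one certain hit already yields 1.
function riskValue(elements, cfg) {
  const findings = elements.map((element) => ({ element, ...classify(element, cfg) }));
  const risk = 1 - findings.reduce((p, f) => p * (1 - f.hazard), 1);
  return { risk, findings };
}

// Constructed sample configuration and modifications.
const sampleConfig = {
  blacklist: ['<input name="tan">', '<script src="https://collector.example/inject.js">'],
  whitelist: ['<div class="ad-slot">Offer B'],
  allowedHosts: ['shop.example'],
  base: 'https://shop.example/',
  threshold: 0.6,
};
const result = riskValue(
  ['<img src="https://tracker.example/p.gif">', '<a href="/help">'], sampleConfig);
console.log(result.risk.toFixed(2), result.findings.map((f) => f.label));
```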
- the service operator can then take appropriate measures. This can either be automated or done by hand.
- the measures are preferably not only made dependent on the risk value created by the evaluation system 80, but also on further data, for example on the usual user behavior.
- the inventive system can be used to increase security in a variety of applications, particularly webmailers, payment services, online shops and social networks.
- the present invention thereby provides a protection technology which is performed on the client and can recognize the modifications made in this area, but which can be delivered by the service operator without the customer having to take action themselves.
- the integration of the sensor takes place on the server side or by an intermediate proxy, and is not recognizable for the customer (and possible attackers).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102015005071.0A DE102015005071A1 (en) | 2015-04-21 | 2015-04-21 | A system and method for monitoring the integrity of a component delivered by a server system to a client system |
PCT/EP2016/000630 WO2016169646A1 (en) | 2015-04-21 | 2016-04-18 | System and method for monitoring the integrity of a component delivered by a server system to a client system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3286683A1 (en) | 2018-02-28 |
Family
ID=55948779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16721076.4A Pending EP3286683A1 (en) | 2015-04-21 | 2016-04-18 | System and method for monitoring the integrity of a component delivered by a server system to a client system |
Country Status (4)
Country | Link |
---|---|
US (1) | US10831887B2 (en) |
EP (1) | EP3286683A1 (en) |
DE (1) | DE102015005071A1 (en) |
WO (1) | WO2016169646A1 (en) |
2015
- 2015-04-21 DE DE102015005071.0A patent/DE102015005071A1/en active Pending
2016
- 2016-04-18 US US15/568,389 patent/US10831887B2/en active Active
- 2016-04-18 WO PCT/EP2016/000630 patent/WO2016169646A1/en active Application Filing
- 2016-04-18 EP EP16721076.4A patent/EP3286683A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
WO2016169646A1 (en) | 2016-10-27 |
US10831887B2 (en) | 2020-11-10 |
US20180157830A1 (en) | 2018-06-07 |
DE102015005071A1 (en) | 2016-10-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
| 17P | Request for examination filed | Effective date: 20170907 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| AX | Request for extension of the european patent | Extension state: BA ME |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| 17Q | First examination report despatched | Effective date: 20200213 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| RIC1 | Information provided on ipc code assigned before grant | Ipc: H04L 9/40 20220101ALI20240117BHEP Ipc: G06F 21/53 20130101ALI20240117BHEP Ipc: G06F 21/54 20130101AFI20240117BHEP |