GB2545894A - Network service abuse prevention - Google Patents

Network service abuse prevention

Info

Publication number
GB2545894A
Authority
GB
United Kingdom
Prior art keywords
network
connection attempt
related service
network connection
service
Prior art date
Legal status
Withdrawn
Application number
GB1522494.2A
Other versions
GB201522494D0
Inventor
Hentunen Daavid
Lehtio Artturi
Current Assignee
WithSecure Oyj
Original Assignee
F Secure Oyj
Priority date
Filing date
Publication date
Application filed by F Secure Oyj
Priority to GB1522494.2A
Publication of GB201522494D0
Publication of GB2545894A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

An identity portion associated with a network service (11, Fig 2) is obtained, a network connection attempt for the service is detected, and it is determined whether the credentials used for the connection attempt correspond to the said identity portion. The identity portion may be a username and password, a login identifier, or a tracking identifier such as a cookie. It may also be determined whether the network device identifier of a user device (12, Fig 2) matches an identifier required for accessing the service. The device identifier may be an internet protocol (IP) address, a media access control (MAC) address, or a device name. An application identifier may also be compared with an allowed identifier to determine whether the connection attempting to access the service is permitted. The application may be recognised based on SHA1 information, meta information, or application-unique network traffic. The identifiers may be received from a management entity (22, Fig 2) and then stored, or retrieved from a local or external source. The connection is allowed or denied based on the authentication determination. If the connection is blocked, an alert may be generated which includes a prompt to manually allow the connection.

Description

Title
Network service abuse prevention
Field
The present invention relates to network service abuse prevention. More specifically, the present invention relates to measures (including methods, apparatuses and computer program products) for realizing network service abuse prevention.
Background
In modern communication networks, security is a vital issue, and attacks on network security tend to be increasing in both number and complexity. Modern malicious software ("malware"), a threat to all computer systems, commonly needs some network-based way of exchanging information with a command and control center, known as a command and control channel.
Such a command and control channel may be used to announce server addresses, to transmit software updates for the malicious software, and even to transfer stolen data.
In order to hide such a command and control channel, common network based services (web services) have in recent times been used, since they provide a communication infrastructure in which the traffic of a command and control channel established in this way is difficult or impossible to distinguish from the harmless network traffic the network based service is originally intended for.
Examples of such common network based services (third party web services) are Facebook, OneDrive, Twitter, Google services, and so on.
Accordingly, recognizing and preventing the exploitation of these third party web services by malicious software is paramount in modern communication networks.
One possibility to prevent the exploitation of these third party web services by malicious software would be to deny all connections related to such third party web services (e.g. by policy).
Another possibility would be to detect differences between the network traffic profiles of command and control channels of malicious software and the network traffic profiles of legitimate traffic utilizing the third party web service.
However, both of these approaches have disadvantages.
Namely, for example, if all connections related to a third party web service are denied, even legitimate utilization of the third party web service is no longer possible.
Furthermore, for example, detecting differences between malicious and legitimate utilization of the third party web service may require considerable effort, e.g. for analyzing and filtering a large amount of network traffic.
Accordingly, it is evident that available approaches for preventing the exploitation of these third party web services by malicious software suffer from various drawbacks, and it is thus desirable to improve network service abuse prevention so as to overcome such drawbacks.
Summary
Various exemplifying embodiments of the present invention aim at addressing at least part of the above issues and/or problems and drawbacks.
Various aspects of exemplifying embodiments of the present invention are set out in the appended claims.
According to an example aspect of the present invention, there is provided a method, the method comprising: obtaining an identity portion associated with a first network related service, detecting a network connection attempt for a network related service, determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and handling said network connection attempt based on a result of said determining.
According to an example aspect of the present invention, there is provided an apparatus, comprising a memory configured to store computer program code, and a processor configured to read and execute computer program code stored in the memory, wherein the processor is configured to cause the apparatus to perform: obtaining an identity portion associated with a first network related service, detecting a network connection attempt for a network related service, determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and handling said network connection attempt based on a result of said determining.
According to an example aspect of the present invention, there is provided an apparatus, comprising means for obtaining an identity portion associated with a first network related service, means for detecting a network connection attempt for a network related service, means for determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and means for handling said network connection attempt based on a result of said determining.
According to further developments and/or modifications of any one of the aforementioned example aspects of the present invention, for example, one or more of the following can apply:
- the handling may comprise judging said network connection attempt as allowed if said credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service,
- the identity portion may be a username or login identifier,
- the identity portion may be a tracking identifier,
- additionally, obtaining a network device identifier associated with a second network related service may be effected, while in relation to said determining it is further determined, if said network connection attempt is for said second network related service, whether a network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service,
- the handling may comprise judging said network connection attempt as allowed if said network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service,
- the said network device identifier may be an internet protocol address or a media access control address or a network device name,
- additionally, obtaining an application identifier associated with a third network related service may be effected, while in relation to said determining it is further determined, if said network connection attempt is for said third network related service, whether an application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service,
- the handling may comprise judging said network connection attempt as allowed if said application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service,
- the application may be recognized based on SHA1 information transmitted with the network connection attempt, and/or application related meta information transmitted with the network connection attempt, and/or application unique network traffic,
- the obtaining of said identity portion may comprise receiving said identity portion associated with said first network related service, and storing said identity portion associated with said first network related service,
- the obtaining of said identity portion may comprise retrieving said identity portion associated with said first network related service,
- the obtaining of said network device identifier may comprise receiving said network device identifier associated with said second network related service, and storing said network device identifier associated with said second network related service,
- the obtaining of said network device identifier may comprise retrieving said network device identifier associated with said second network related service,
- the obtaining of said application identifier may comprise receiving said application identifier associated with said third network related service, and storing said application identifier associated with said third network related service,
- the obtaining of said application identifier may comprise retrieving said application identifier associated with said third network related service,
- additionally, allowing a connection corresponding to said connection attempt may be effected, if said network connection attempt is judged as allowed,
- additionally, denying a connection corresponding to said connection attempt may be effected, if said network connection attempt is not judged as allowed,
- additionally, generating an alert including information regarding said connection attempt may be effected, if said network connection attempt is not judged as allowed,
- the alert may include at least one of a prompt to manually allow said connection corresponding to said connection attempt, a prompt to manually allow an ascertained identity portion of said credentials utilized for said network connection attempt to be obtained as associated with said first network related service, a prompt to manually allow an ascertained network device identifier of said network device initiating said network connection attempt to be obtained as associated with said second network related service, and a prompt to manually allow an ascertained application identifier of said application initiating said network connection attempt to be obtained as associated with said third network related service.
According to an example aspect of the present invention, there is provided a computer program product, comprising computer-executable computer program code which, when the computer program code is executed on a computer, is configured to cause the computer to carry out a method according to the aforementioned method-related example aspect of the present invention, including any developments and/or modifications thereof.
The computer program product may comprise or may be embodied as a (tangible/non-transitory) computer-readable (storage) medium or the like, on which the computer-executable computer program code is stored, and/or the program may be directly loadable into an internal memory of the computer or a processor thereof.
Any one of the above aspects solves at least part of the problems and drawbacks identified in relation to the prior art. Further developments and/or modifications of the aforementioned example aspects of the present invention are set out herein with reference to the drawings and exemplifying embodiments of the present invention.
By way of exemplifying embodiments of the present invention, there is provided network service abuse prevention. More specifically, by way of exemplifying embodiments of the present invention, there are provided measures and mechanisms for realizing network service abuse prevention.
Thus, improvement is achieved by methods, apparatuses and computer program products enabling/realizing network service abuse prevention.
Brief description of the drawings
In the following, the present invention will be described in greater detail by way of non-limiting examples with reference to the accompanying drawings, in which
Figure 1 is a block diagram illustrating an example of a system configuration according to exemplifying embodiments of the present invention,
Figure 2 is a block diagram illustrating an example of a system configuration according to exemplifying embodiments of the present invention,
Figure 3 is a schematic diagram of a procedure according to exemplifying embodiments of the present invention,
Figure 4 is a schematic diagram of a procedure according to exemplifying embodiments of the present invention,
Figure 5 is a block diagram illustrating an apparatus according to exemplifying embodiments of the present invention.
Detailed description of drawings and embodiments of the present invention
The present invention is described herein with reference to particular nonlimiting examples and to what are presently considered to be conceivable embodiments of the present invention. A person skilled in the art will appreciate that the present invention is by no means limited to these examples, and may be more broadly applied.
Hereinafter, various exemplifying embodiments and implementations of the present invention and its aspects are described using several variants and/or alternatives. It is generally noted that, according to certain needs and constraints, all of the described variants and/or alternatives may be provided alone or in any conceivable combination (also including combinations of individual features of the various variants and/or alternatives). In this description, the words "comprising" and "including" should be understood as not limiting the described exemplifying embodiments and implementations to consist of only those features that have been mentioned, and such exemplifying embodiments and implementations may also contain features, structures, units, modules etc. that have not been specifically mentioned.
In the drawings, it is noted that lines/arrows interconnecting individual blocks or entities are generally meant to illustrate an operational coupling there-between, which may be a physical and/or logical coupling, which on the one hand is implementation-independent (e.g. wired or wireless) and on the other hand may also comprise an arbitrary number of intermediary functional blocks or entities not shown.
According to exemplifying embodiments of the present invention, in general terms, there are provided measures and mechanisms for (enabling/realizing) network service abuse prevention, as described in more details below.
Figure 1 shows a schematic diagram illustrating a system configuration underlying exemplifying embodiments of the present invention.
According to Figure 1, in its most basic form, a network service client 12 is network-connected to a network service provider 11. The network service provider 11 may provide a network service such as a third party web service. The network service client 12 may access (try to access) a network service such as the third party web service.
The network service client 12 may be connected to more than one network service providers 11. The network service provider 11 may provide the network service to more than one network service clients 12, and, may thus, be connected to more than one network service clients 12. Furthermore, the network service provider 11 may provide more than one network services.
The network service client 12 may be any device able to access the network service provided by the network service provider 11, and may be for example a workstation or the like (generally, any type of endpoint, including laptops, desktops, mobiles, servers, TVs e.g. in a household, printers e.g. in corporate environments, or the like).
The connection between the network service client 12 and the network service provider may be established via any kind of communication network, such as any kind of IP-based network (IP: Internet Protocol).
Figure 2 shows a schematic diagram illustrating another system configuration underlying exemplifying embodiments of the present invention.
According to Figure 2, the network service client 12 is network-connected to the network service provider 11 via a network sensor 21. The network sensor 21 may be connected to and managed by a management entity 22.
Details in particular with respect to the functioning of the network service client 12 of Figures 1 and 2 and the network sensor 21 and the management entity 22 of Figure 2 will be explained hereinbelow with reference to Figures 3 and 4.
Figure 3 is a schematic diagram of a procedure for realizing network service abuse prevention according to exemplifying embodiments of the present invention. As shown in Figure 3, a procedure for realizing network service abuse prevention according to exemplifying embodiments of the present invention comprises various operations at a network service client 12 illustrated in Figure 1 or at a network sensor 21 illustrated in Figure 2.
Specifically, in a network configuration illustrated in Figure 1, the network service client 12 (which may in particular be a laptop, a desktop, a mobile, a server, etc.) obtains (S31) an identity portion associated with a first network related service. Generally, third party web services require some form of credentials, which may for example be a combination of a username and a password. As a further option, third party web services may authenticate a user by means of tracking the user, that is, by means of a tracking identifier. Examples of such tracking identifiers are cookies of applications like web browsers, and related browser tracking techniques (e.g. Evercookie, canvas fingerprinting). In this way, a user may be authenticated even if not (actively) logged in. When obtaining an identity portion for a specific third party web service, for example a username (being a portion of the credentials, i.e., a credential portion, or in general a kind of identity portion) may be obtained. As another example, any login identifier may be obtained. As another example, a specific cookie may be obtained. In order to obtain the identity portion, in the case of the network service client 12 in the configuration of Figure 1, the identity portion may be retrieved from a local database or any other data source. It is self-evident that not only one identity portion can be obtained for each web service; instead, a plurality of identity portions can be associated with the same web service. Furthermore, more than one web service can be considered correspondingly. A specific example of obtaining the identity from a data source may be as follows: in case a user uses some kind of password management software that stores credentials for different third party web services such as Google, Facebook and Twitter, the user's respective usernames for those services may be retrieved from the password management software.
Further, the network service client 12 of Figure 1 detects (S32) a network connection attempt for a network related service. That is, the network service client 12 (e.g. any software or hardware component thereof) detects an attempt to connect to the network service provider 11 for a third party web service.
Upon such detection, the network service client 12 of Figure 1 determines whether said network connection attempt is for said first network related service (whether said network connection attempt is for a third party web service an identity portion is obtained (e.g. retrieved) for), and if said network connection attempt is for said first network related service, the network service client 12 determines (S33) whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service.
In particular, in the example above related to username-password combination, if the identity portion is a username and the web service requires a username-password combination, it is determined whether the obtained username corresponds to the username of the used username-password combination.
Further, in the example above related to cookies (i.e. a tracking identifier), such a cookie can be considered as a temporary or permanent session key, which in turn is, for the explanation of exemplifying embodiments of the present invention, considered as a kind of credentials. Such a tracking identifier (e.g. cookie) may identify a (personal) device and consequently a certain user (identity of a person) using the device. That is, in the example above related to a tracking identifier (e.g. cookie), if the web service requires a session key and the identity portion is (a portion of) such a cookie, it is determined whether the obtained cookie corresponds to the used cookie/session key.
Finally, as shown in Figure 3, the network service client 12 of Figure 1 handles (S34) said network connection attempt based on a result of said determining.
It is noted that although explained by means of the network service client 12 of Figure 1, the method shown in Figure 3 may also be performed by the network sensor 21 shown in Figure 2.
The network sensor 21 may be any network device which is able to gather network traffic between two network entities, for example network traffic between the network service client 12 and the network service provider 11. The network sensor is particularly advantageous in case the network service client 12 is not able to perform the above described procedure steps according to exemplifying embodiments of the present invention. This may be the case when the network service client is embodied e.g. by a TV, a printer, or the like.
In particular, the network sensor 21 is able to detect (S32), from the gathered network traffic, the attempt of the network service client 12 to connect to the network service provider 11 for a third party web service.
Furthermore, for the determining (S33), the network sensor is able to identify the network related service for which the network connection attempt is effected and is able to identify the credentials utilized for said network connection attempt from the gathered network traffic.
In order to obtain the identity portion (S31), in case of the network sensor in the configuration of Figure 2, the identity portion may be retrieved from a local data base or any other data source, and may alternatively be received and subsequently stored locally. In particular, the identity portion (associated with the first network related service) may be received from the management entity 22 shown in Figure 2, and the management entity 22 may then be configured to transmit the respective identity portion to the network sensor 21.
As mentioned above, the network connection attempt is handled (S34) based on a result of said determining. To this end, the network service client 12 of Figure 1 or the network sensor 21 of Figure 2 may judge the network connection attempt as allowed if said credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service.
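As an added illustration (not part of the patent text), the following Python sketch shows how a network sensor 21 of Figure 2 could perform the extraction described for S32 and S33: from a captured HTTP request it pulls the service (Host header), the identity portion (login username or tracking cookie), the network device identifier (source IP) and the application identifier (User-Agent). The host names, the cookie name `sid`, the login form field names and the captured requests are constructed for this example, not taken from the patent.

```python
"""Added example, not part of the patent: a minimal parser a network sensor
(21 in Figure 2) could use to pull the indicators compared in S32/S33 out of
a captured HTTP request: the service (Host header), the identity portion
(login username or tracking cookie), the network device identifier (source
IP) and the application identifier (User-Agent). Host names, cookie and
form-field names and the captured requests are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs

# Assumed mapping from observed host to the service name used in the
# allow-lists; a real sensor would hold many hosts per service.
SERVICE_BY_HOST: Dict[str, str] = {
    "www.example-social.test": "example-social",
    "drive.example-cloud.test": "example-cloud",
}

# Assumed login form field carrying the username for each service.
USERNAME_FIELDS: Dict[str, str] = {"example-social": "email", "example-cloud": "login"}

# Assumed name of the tracking/session cookie treated as a credential.
SESSION_COOKIE = "sid"


@dataclass
class ConnectionAttempt:
    service: Optional[str]      # None if the host is not a monitored service
    src_ip: str                 # network device identifier
    username: Optional[str]     # identity portion from a login form
    cookie: Optional[str]       # identity portion from the tracking cookie
    user_agent: Optional[str]   # application identifier


def parse_http_request(raw: bytes, src_ip: str) -> ConnectionAttempt:
    """Split a raw HTTP/1.x request into header and body and extract the
    fields the sensor compares against its lists."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:              # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "").split(":")[0].lower()
    service = SERVICE_BY_HOST.get(host)

    username = None
    ctype = headers.get("content-type", "")
    if service and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("iso-8859-1"))
        field = USERNAME_FIELDS.get(service)
        if field in form:
            username = form[field][0]

    cookie = None
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            cookie = value

    return ConnectionAttempt(service, src_ip, username, cookie, headers.get("user-agent"))


# Constructed captures: a form login and a later cookie-authenticated request.
LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/47.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"email=alice%40corp.test&pass=s3cret"
)
COOKIE_GET = (
    b"GET /feed HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: curl/7.45.0\r\n"
    b"Cookie: lang=en; sid=abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw, ip in ((LOGIN_POST, "10.0.0.5"), (COOKIE_GET, "10.0.0.7")):
        print(parse_http_request(raw, ip))
```

A sensor on the wire only sees these fields when the traffic is in cleartext; for a service reached over TLS the same extraction has to run on the endpoint itself (the network service client 12 of Figure 1) or behind a TLS-terminating proxy, otherwise only the destination host and the source address remain observable.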
It is noted that instead of the combination of an identity portion and a network related service, a combination of an identity portion, a network related service, and a device identifier may be used to judge whether the network connection attempt is allowed. In particular, in such a case, an identity portion for a web service is only allowed in case the network connection attempt comes from a certain device the identity portion is associated with.
In other words, according to exemplifying embodiments of the present invention, only the use of third party web services from a device (e.g. the network service client 12) by the credentials (parts of credentials) that are pre-configured to be allowed to access those services from the device may be allowed.
In so doing, the use of third party web services from the device (e.g. network service client 12) is monitored. Furthermore, in case an attempt from the device to access a third party web service is seen, i.e., detected, a username from a list of usernames that are allowed to use that service from this device is compared with the username actually used to log in to the service. In a strict sense, all usernames from the list of usernames that are allowed to use that service from this device are compared with the username actually used to log in to the service.
If the actually used username is not one of the allowed usernames, then this use of (this attempt to use) the service is treated as malicious. On the other hand, if the actually used username is one of the allowed usernames, then this use of the service is treated as benign.
According to further exemplifying embodiments of the present invention, the network service client 12 of Figure 1 (or the network sensor 21 of Figure 2) may obtain (S41) an application identifier associated with e.g. a third network related service. Generally, applications can be identified by several indicators derivable from the network traffic, e.g. by SHA1 information of an application transmitted with the network connection attempt, by application related meta information transmitted with the network connection attempt (for example "File description", "Product name", "Copyright", "Filename", and the like), and by application unique network traffic (for example, the value of a "User-Agent" HTTP header field or the like may be checked, exploiting that different browsers and applications using HTTP for their communication usually use distinct User-Agent values). An example of such an application is, e.g., a Chrome web browser. In order to obtain the application identifier, the application identifier may be retrieved from a local database or any other data source, and may alternatively be received and subsequently stored locally. In particular, in the case of the network sensor 21, the application identifier (associated with the third network related service) may be received from the management entity 22 shown in Figure 2, and the management entity 22 may then be configured to transmit the respective application identifier to the network sensor 21.
Step S33 of Figure 3 may be varied such that it is determined whether said network connection attempt is for said third network related service (whether said network connection attempt is for a third party web service an application identifier is obtained (e.g. retrieved) for), and, if said network connection attempt is for said third network related service, it is determined whether an application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service.
In particular, in the example above, if the application identifier is an application name, it is determined whether e.g. an intercepted "User-Agent" HTTP header field indicates an application with that application name.
As mentioned above, the network connection attempt is handled (S34) based on a result of said (modified) determining. To this end, the network connection attempt may be judged as allowed if said application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service (i.e., if the application name and the intercepted "User-Agent HTTP Header Field" of the above example correspond to each other).
Accordingly, in other words, connection attempts for a specific web service by a specific application may in principle be allowed.
It is noted that instead of the combination of an application identifier and a network related service, a combination of an identity portion, a network related service and an application identifier, or a combination of an identity portion, a network related service, a device identifier and an application identifier, may be used to judge whether the network connection attempt is allowed.
Figure 4 is a schematic diagram of a procedure for realizing network service abuse prevention according to exemplifying embodiments of the present invention and illustrates a modification of the procedure shown in Figure 3. The procedure of Figure 4 may be performed by a network sensor 21 as shown in Figure 2.
In particular, as shown in Figure 4, the network sensor 21 may obtain (S41) a network device identifier associated with a second network related service. Generally, network entities can be identified by various more or less unique identifiers. Examples of such identifiers are an IP address and a medium access control (MAC) address. The network service client 12 in Figure 2 may be identified by such a network device identifier, e.g. by an IP address. In order to obtain the network device identifier, the network device identifier may be retrieved from a local data base or any other data source, or may alternatively be received and subsequently stored locally. In particular, the network device identifier (associated with the second network related service) may be received from the management entity 22 shown in Figure 2, and the management entity 22 may then be configured to transmit the respective network device identifier to the network sensor 21.
As is further shown in Figure 4, in the modified procedure, the step S33 of Figure 3 may be varied (i.e. step S33a in Figure 4) such that the network sensor 21 determines whether said network connection attempt is for said second network related service (i.e. for a third party web service for which a network device identifier has been obtained, e.g. retrieved), and, if said network connection attempt is for said second network related service, the network sensor 21 determines whether a network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service.
In particular, in the example above, if the network device identifier is an IP address and the network device that initiates the network connection attempt is e.g. the network service client 12 (which may be a network-connected TV having a certain IP address), it is determined whether the obtained IP address corresponds to the IP address of the network service client 12 (e.g. the network-connected TV).
As mentioned above, the network connection attempt is handled (S34) based on a result of said (modified) determining (S33a). To this end, the network sensor 21 of Figure 2 may judge the network connection attempt as allowed if said network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service (i.e., if both IPs of the above example coincide).
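The determination step S33 with its device-identifier (S33a) and application-identifier variants, as an added example in Python. This is not code from the patent or from any F-Secure product: the service entries, the IP addresses, the captured HTTP requests, the list of form fields that carry a username and the User-Agent product tokens are all constructed for illustration. A real sensor would take the identifier tables from the management entity 22 and would only see the inside of HTTPS logins through the client-side hooks described further below.

```python
"""Determination step (S33 / S33a) of the network sensor: match one
connection attempt against the identity portion, network device identifier
and application identifier provisioned per third-party service.
Added example, not code from the patent; all names and sample data below
are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Entries as the management entity 22 might provision them (constructed).
SERVICE_ENTRIES = {
    "twitter.com": {                              # "second" service: the TV may use it
        "identity_portions": set(),
        "device_identifiers": {"192.168.1.50"},   # the smart TV's IP address
        "application_identifiers": set(),
    },
    "facebook.com": {                             # "first"/"third" service
        "identity_portions": {"alice@example.org"},
        "device_identifiers": set(),
        "application_identifiers": {"Chrome"},
    },
}
# Form fields that carry the identity portion of a login (assumption).
USERNAME_FIELDS = ("username", "email", "login", "session[username_or_email]")
# User-Agent product tokens used as application identifier (assumption).
APP_TOKENS = ("Firefox", "Chrome")


@dataclass
class ConnectionAttempt:
    service: str                       # from the Host header
    source_ip: str                     # network device identifier
    username: Optional[str] = None     # identity portion of the credentials
    application: Optional[str] = None  # application identifier


def parse_http_attempt(raw: bytes, source_ip: str) -> ConnectionAttempt:
    """Derive service, application and identity portion from one captured
    plaintext HTTP request. Only the username is kept, never the password."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    user_agent = headers.get("user-agent", "")
    application = next((t for t in APP_TOKENS if f"{t}/" in user_agent), None)
    form = parse_qs(body.decode("latin-1"))
    username = next((form[f][0] for f in USERNAME_FIELDS if f in form), None)
    return ConnectionAttempt(headers.get("host", "").lower(), source_ip,
                             username, application)


def determine(a: ConnectionAttempt, entries=SERVICE_ENTRIES) -> Tuple[Optional[bool], str]:
    """Return (judged_allowed, reason). None means no entry exists for the
    service, so the sensor's default policy has to decide."""
    entry = entries.get(a.service)
    if entry is None:
        return None, "no entries provisioned for this service"
    if a.username is not None:
        # Credentials were used: they must correspond to the obtained identity
        # portion. A device or application match does not rescue unknown
        # credentials; that is how malware using its own account is caught.
        if a.username in entry["identity_portions"]:
            return True, "credentials correspond to obtained identity portion"
        return False, "credentials do not correspond to any obtained identity portion"
    if a.source_ip in entry["device_identifiers"]:
        return True, "device corresponds to obtained network device identifier"
    if a.application is not None and a.application in entry["application_identifiers"]:
        return True, "application corresponds to obtained application identifier"
    return False, "neither device nor application is allowed for this service"


# Constructed sample traffic (not real captures).
TV_READ = (b"GET /home HTTP/1.1\r\nHost: twitter.com\r\n"
           b"User-Agent: SmartTV/1.0\r\n\r\n")
BROWSER_LOGIN = (b"POST /login HTTP/1.1\r\nHost: facebook.com\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                 b"(KHTML, like Gecko) Chrome/90.0 Safari/537.36\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"email=alice%40example.org&pass=hunter2")
FOREIGN_LOGIN = (b"POST /sessions HTTP/1.1\r\nHost: twitter.com\r\n"
                 b"User-Agent: curl/7.68.0\r\n\r\n"
                 b"session%5Busername_or_email%5D=dropper_acct&session%5Bpassword%5D=x")

if __name__ == "__main__":
    for raw, ip in ((TV_READ, "192.168.1.50"), (TV_READ, "192.168.1.77"),
                    (BROWSER_LOGIN, "192.168.1.77"), (FOREIGN_LOGIN, "192.168.1.50")):
        attempt = parse_http_attempt(raw, ip)
        print(attempt, "->", determine(attempt))
```

The one design decision worth noting is the order of the checks: when credentials are present they are matched against the identity portion first, and a device or application match is not consulted, so a login with an unknown username from the whitelisted TV is still judged as not allowed. That is a choice made here to cover the exfiltration case discussed later in the description; the claims themselves allow the three checks to be combined in other ways.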
In other words, according to exemplifying embodiments of the present invention, the network sensor 21 is provided with information as to which third party service related connections may use authorized credentials or may otherwise be allowed. Such provision of the information may be effected by the management entity 22, which is, as explained above, configured to do so.
In so doing, a user can choose to allow the use of specific third party services per device in cases where related connections were not authorized.
This means, for example, that the user can decide that the IP address belonging to a smart TV may in the future use e.g. Twitter, even though this service does not use any credentials.
Based on the above discussed judgment of the network connection attempt as allowed, the network service client 12 of Figure 1 and/or the network sensor 21 of Figure 2 may allow a connection corresponding to the detected connection attempt, or may deny the connection corresponding to the detected connection attempt (the latter in case the network connection is not judged as allowed).
Alternatively or in addition, in case the network connection is not judged as allowed, the network service client 12 of Figure 1 and/or the network sensor 21 of Figure 2 may generate an alert including information regarding said connection attempt.
Such an alert may include, for example, a prompt to manually allow said connection corresponding to said connection attempt, a prompt to manually allow an ascertained identity portion of said credentials utilized for said network connection attempt to be obtained as associated with said first network related service, and/or a prompt to manually allow an ascertained network device identifier of said network device initiating said network connection attempt to be obtained as associated with said second network related service.
In other words, according to exemplifying embodiments of the present invention, an attempted connection may be allowed once (upon explicit instruction/confirmation of a user). For example, access to a certain web service is needed right now (and is thus confirmed), while thereafter connections to that third party web service will again be denied regardless of the temporary allowance.
The general disallowance may, for example, also be derived from a default policy stored/provided in a cloud service or backend. For example, a particular device (e.g. a particular TV) should not use the service Twitter at all, based on behaviour analysis done on such backend. Hence, the particular device may be blocked without prompting the user. In such a case, the user may be notified about the block event and can later allow it if the policy needs to be changed locally.
Further, a new "identity portion - web service" combination (or "identity portion - web service - device identifier" combination) may be stored such that it will be automatically allowed from then on. For example, a user may be asked whether use of a new username for this certain third party web service is intended to be allowed in the future. Returning to the specific example above, according to which a password management software (data source) is utilized that stores credentials for different third party web services like e.g. Google, Facebook and Twitter, in case the username (i.e. identity portion) was not yet stored in the password management software, the newly accepted username might be stored to the password management software.
Further, a new "device identifier - web service"-combination may be stored such that it will be automatically allowed from then on. For example, a user may be asked whether it is intended that a certain device is allowed to use a certain third party web service in the future.
The device identifier related approach may be, for example, implemented by means of a whitelisting policy or a blacklisting policy, e.g. depending on a user's preference.
As discussed above, the network service client 12 of Figure 1 (and also the network sensor 21 of Figure 2) is able to identify the network related service and to identify the credentials utilized for said network connection attempt.
It is noted that some third party web services allow content uploading (e.g. exfiltration of stolen data) only if the user is logged in to the service, while content reading is allowed by the service without logging in. If e.g. a device or an application is whitelisted by means of any of the above described approaches according to exemplifying embodiments of the present invention, then malware on it might use its own credentials for uploading stolen data. Hence, in case a user does not have credentials for the service, a default policy for the service may be that use of the service with credentials is a sign of malicious activity. Hence, according to exemplifying embodiments of the present invention, it is possible to synchronize entries for identity portions and/or for network device identifiers and/or for application identifiers and corresponding policies, and to detect malicious activity based on a comparison of a network connection attempt with the synchronized entries.
According to exemplifying embodiments of the present invention, such identification of the credentials may be effected as follows: In case the use of the third party web service was initiated e.g. by a browser and HTTPS was used, a Browser Helper Object may be used in order to get visibility of the log-in username. In case a proprietary third party application (no browser supporting a Browser Helper Object) was used, application programming interface (API) hooking may be used for getting the username. Alternatively, the username may be asked from the user in order to turn off the blocking of the third party web service (e.g. a service utilized by an application ("App")).
As a further option according to exemplifying embodiments of the present invention, a policy may be enforced according to which credentials are necessary although a certain third party web service does not require any credentials. That is, in such a case, access to such a third party web service not requiring any credentials is not allowed unless credentials (which correspond to the obtained identity portion) are utilized.
In so doing, even third party services not requiring credentials are prevented from being abused e.g. by malicious software.
According to exemplifying embodiments of the present invention, the above-mentioned behaviour may be achieved by an implementation in an Advanced Threat Protection (ATP) client or a SAFE client.
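The handling step S34 and the learning behaviour described in the passages above (one-time allowance, storing a new identity-portion or device combination, whitelist or blacklist device policy, a backend default block, the credentials-required policy, and the rule that credentials used for a service the user has no account for are a sign of malicious activity), as an added example in Python. It is not code from the patent or from an F-Secure product; the policy fields, the prompt strings and the service names other than Twitter and Facebook are assumptions made for the example.

```python
"""Handling step (S34): allow, deny or alert on a judged connection attempt,
then learn from the user's answer to the alert.
Added example, not code from the patent; policy fields, prompt strings and
the non-Twitter/Facebook service names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

ALLOW, DENY, ALERT = "allow", "deny", "alert"
PROMPT_ONCE = "allow this connection once"
PROMPT_IDENTITY = "store this username as identity portion for the service"
PROMPT_DEVICE = "allow this device to use the service from now on"


@dataclass
class ServicePolicy:
    enforce_credentials: bool = False                 # demand credentials even if the service needs none
    identity_portions: Set[str] = field(default_factory=set)  # the user's usernames for the service
    device_mode: str = "whitelist"                    # "whitelist" or "blacklist" (user's preference)
    devices: Set[str] = field(default_factory=set)    # allowed (whitelist) or blocked (blacklist) IPs


@dataclass(frozen=True)
class Attempt:
    service: str
    device: str                        # network device identifier (IP address)
    username: Optional[str] = None     # identity portion of credentials, if any were used


def build_policies() -> Dict[str, ServicePolicy]:
    """Constructed policy table; a real sensor receives it from the management entity."""
    return {
        "twitter.com": ServicePolicy(devices={"192.168.1.50"}),             # smart TV may read Twitter
        "facebook.com": ServicePolicy(identity_portions={"alice@example.org"}),
        "paste.example.org": ServicePolicy(enforce_credentials=True,
                                           identity_portions={"alice_pb"}),
        "chat.example.com": ServicePolicy(device_mode="blacklist",
                                          devices={"192.168.1.50"}),       # backend says: not the TV
        "share.example.net": ServicePolicy(),                               # user has no account here
    }


class Sensor:
    def __init__(self, policies: Dict[str, ServicePolicy]):
        self.policies = policies
        self._once: Set[Attempt] = set()   # attempts confirmed for a single use

    def handle(self, a: Attempt) -> Tuple[str, Union[str, List[str]]]:
        """Return the verdict and either a reason or the prompts of the alert."""
        if a in self._once:                # temporary allowance, consumed on use
            self._once.discard(a)
            return ALLOW, "allowed once on explicit user confirmation"
        p = self.policies.get(a.service)
        if p is None:
            return ALERT, [PROMPT_ONCE, PROMPT_DEVICE]
        if p.device_mode == "blacklist" and a.device in p.devices:
            # Default policy from the backend: block without asking, only notify.
            return DENY, "device blocked by default policy (user notified)"
        if a.username is not None:
            if a.username in p.identity_portions:
                return ALLOW, "credentials correspond to obtained identity portion"
            if not p.identity_portions:
                # The user has no credentials for this service, yet credentials are
                # used: treated as a sign of malicious activity (e.g. an exfiltration upload).
                return DENY, "credentials used for a service the user has no account for"
            return ALERT, [PROMPT_ONCE, PROMPT_IDENTITY]
        if p.enforce_credentials:
            return DENY, "policy requires credentials but none were used"
        if p.device_mode == "whitelist" and a.device not in p.devices:
            return ALERT, [PROMPT_ONCE, PROMPT_DEVICE]
        return ALLOW, "device permitted to use this service without credentials"

    def confirm(self, a: Attempt, answer: str) -> None:
        """Apply the user's answer to an alert prompt."""
        if answer == PROMPT_ONCE:
            self._once.add(a)
            return
        p = self.policies.setdefault(a.service, ServicePolicy())
        if answer == PROMPT_IDENTITY and a.username is not None:
            p.identity_portions.add(a.username)   # new "identity portion - web service" combination
        elif answer == PROMPT_DEVICE:
            if p.device_mode == "whitelist":      # new "device identifier - web service" combination
                p.devices.add(a.device)
            else:
                p.devices.discard(a.device)
        else:
            raise ValueError(f"unexpected answer {answer!r}")
```

The temporary allowance is keyed on the full attempt (service, device and username) and removed the first time it is used, which is what makes the later attempt to the same service fall back to the alert. In blacklist mode the listed devices are the backend's default block and are denied without a prompt; in whitelist mode an unlisted device only triggers an alert, so the user can still extend the list.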
The above-described procedures and functions may be implemented by respective functional elements, entities, modules, units, processors, or the like, as described below.
While in the foregoing exemplifying embodiments of the present invention are described mainly with reference to methods, procedures and functions, corresponding exemplifying embodiments of the present invention also cover respective apparatuses, entities, modules, units, nodes and systems, including both software and/or hardware thereof.
Respective exemplifying embodiments of the present invention are described below referring to Figure 5, while for the sake of brevity reference is made to the detailed description of respective corresponding configurations/setups, schemes, methods and functionality, principles and operations according to Figures 1 to 4.
In Figure 5, the solid line blocks are basically configured to perform the respective methods, procedures and/or functions as described above. With respect to Figure 5, it is to be noted that the individual blocks are meant to illustrate respective functional blocks implementing a respective function, process or procedure. Such functional blocks are implementation-independent, i.e. they may be implemented by means of any kind of hardware or software or a combination thereof.
Further, in Figure 5, only those functional blocks are illustrated, which relate to any one of the above-described methods, procedures and/or functions. A skilled person will acknowledge the presence of any other conventional functional blocks required for an operation of respective structural arrangements, such as e.g. a power supply, a central processing unit, respective memories, a display, or the like. Among others, one or more memories are provided for storing programs or program instructions for controlling or enabling the individual functional entities or any combination thereof to operate as described herein in relation to exemplifying embodiments.
In general terms, respective devices/apparatuses (and/or parts thereof) may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
In view of the above, the thus illustrated devices/apparatuses are suitable for use in practicing one or more of the exemplifying embodiments of the present invention, as described herein.
Figure 5 shows a schematic diagram illustrating an example of a structure of an apparatus according to exemplifying embodiments of the present invention.
As indicated in Figure 5, an apparatus 50 according to exemplifying embodiments of the present invention may comprise at least one processor 51 and at least one memory 52 (and possibly also at least one interface 53), which may be operationally connected or coupled, for example by a bus 54 or the like, respectively.
The processor 51 of the apparatus 50 is configured to read and execute computer program code stored in the memory 52. The processor may be represented by a CPU (Central Processing Unit), an MPU (Micro Processor Unit), etc., or a combination thereof. The memory 52 of the apparatus 50 is configured to store computer program code, such as respective programs, computer/processor-executable instructions, macros or applets, etc., or parts of them. Such computer program code, when executed by the processor 51, enables the apparatus 50 to operate in accordance with exemplifying embodiments of the present invention. The memory 52 may be represented by a RAM (Random Access Memory), a ROM (Read Only Memory), a hard disk, a secondary storage device, etc., or a combination of two or more of these. The interface 53 of the apparatus 50 is configured to interface with another apparatus and/or a user of the apparatus 50. That is, the interface 53 may represent a communication interface (including e.g. a modem, an antenna, a transmitter, a receiver, a transceiver, or the like) and/or a user interface (such as a display, touch screen, keyboard, mouse, signal light, loudspeaker, or the like).
The apparatus 50 may, for example, represent (a part of) the network service client 12 in Figure 1, or may represent (a part of) the network sensor 21 in Figure 2. Additionally, the management entity 22 in Figure 2 may be embodied in a similar manner. The apparatus 50 may be configured to perform a procedure and/or exhibit a functionality as described in any one of Figures 3 and 4.
When representing the (a part of the) network service client 12 or the network sensor 21, the apparatus 50 or its processor 51 (possibly together with computer program code stored in the memory 52), in its most basic form, is configured to obtain an identity portion associated with a first network related service, to detect a network connection attempt for a network related service, to determine, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and to handle said network connection attempt based on a result of said determining.
When representing the (a part of the) management entity 22, the apparatus 50 or its processor 51 (possibly together with computer program code stored in the memory 52), in its most basic form, is configured to transmit an identity portion associated with a first network related service, and/or to transmit a network device identifier associated with a second network related service, and/or to transmit an application identifier associated with a third network related service.
Accordingly, any one of the above-described schemes, methods, procedures, principles and operations may be realized in a computer-implemented manner.
Any apparatus according to exemplifying embodiments of the present invention may be structured by comprising respective units or means for performing corresponding operations, procedures and/or functions. For example, such means may be implemented/realized on the basis of an apparatus structure, as exemplified in Figure 5 above, i.e. by one or more processors 51, one or more memories 52, one or more interfaces 53, or any combination thereof.
An apparatus according to exemplifying embodiments of the present invention, which represents the (a part of the) network service client 12 or the network sensor 21, may comprise (at least) a unit or means for obtaining an identity portion associated with a first network related service, a unit or means for detecting a network connection attempt for a network related service, a unit or means for determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and a unit or means for handling said network connection attempt based on a result of said determining.
An apparatus according to exemplifying embodiments of the present invention, which represents the (a part of the) management entity 22, may comprise (at least) a unit or means for transmitting an identity portion associated with a first network related service, and/or a unit or means for transmitting a network device identifier associated with a second network related service, and/or a unit or means for transmitting an application identifier associated with a third network related service.
For further details regarding the operability/functionality of the individual elements according to exemplifying embodiments of the present invention, reference is made to the above description in connection with any one of Figures 1 to 4, respectively.
According to exemplifying embodiments of the present invention, any one of the processor, the memory and the interface may be implemented as individual modules, chips, chipsets, circuitries or the like, or one or more of them can be implemented as a common module, chip, chipset, circuitry or the like, respectively.
According to exemplifying embodiments of the present invention, a system may comprise any conceivable combination of the thus depicted devices/apparatuses and other network elements, which are configured to cooperate as described above.
In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Such software may be software code independent and can be specified using any known or future developed programming language, such as e.g. Java, C++, C, and Assembler, as long as the functionality defined by the method steps is preserved. Such hardware may be hardware type independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components. A device/apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of a device/apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor. A device may be regarded as a device/apparatus or as an assembly of more than one device/apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
Apparatuses and/or units, means or parts thereof can be implemented as individual devices, but this does not exclude that they may be implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible or non-transitory medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof. A computer program product encompasses a computer memory encoded with executable instructions representing a computer program for operating/driving a computer connected to a network.
The present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
In view of the above, there are provided measures for network service abuse prevention. Such measures exemplarily comprise obtaining an identity portion associated with a first network related service, detecting a network connection attempt for a network related service, determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and handling said network connection attempt based on a result of said determining.
Even though the invention is described above with reference to the examples and exemplifying embodiments with reference to the accompanying drawings, it is to be understood that the present invention is not restricted thereto. Rather, it is apparent to those skilled in the art that the above description of examples and exemplifying embodiments is for illustrative purposes and is to be considered to be exemplary and nonlimiting in all respects, and the present invention can be modified in many ways without departing from the scope of the inventive idea as disclosed herein.

Claims (34)

1. A method, comprising obtaining an identity portion associated with a first network related service, detecting a network connection attempt for a network related service, determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and handling said network connection attempt based on a result of said determining.
2. The method according to claim 1, wherein in relation to said handling, said method further comprises judging said network connection attempt as allowed if said credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service.
3. The method according to claim 2, wherein said identity portion is a username or login identifier, or said identity portion is a tracking identifier.
4. The method according to any of claims 1 to 3, further comprising obtaining a network device identifier associated with a second network related service, and in relation to said determining it is further determined, if said network connection attempt is for said second network related service, whether a network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service.
5. The method according to claim 4, wherein in relation to said handling, said method further comprises judging said network connection attempt as allowed if said network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service.
6. The method according to any of claims 1 to 5, wherein said network device identifier is an internet protocol address or a media access control address or a network device name.
7. The method according to any of claims 1 to 6, further comprising obtaining an application identifier associated with a third network related service, and in relation to said determining it is further determined, if said network connection attempt is for said third network related service, whether an application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service.
8. The method according to claim 7, wherein in relation to said handling, said method further comprises judging said network connection attempt as allowed if said application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service.
9. The method according to any of claims 7 to 8, wherein said application is recognized based on SHA1 information transmitted with the network connection attempt, and/or application related meta information transmitted with the network connection attempt, and/or application unique network traffic.
10. The method according to any of claims 1 to 9, wherein in relation to said obtaining said identity portion, said method further comprises receiving said identity portion associated with said first network related service, and storing said identity portion associated with said first network related service, or in relation to said obtaining said identity portion, said method further comprises retrieving said identity portion associated with said first network related service.
11. The method according to any of claims 4 to 10, wherein in relation to said obtaining said network device identifier, said method further comprises receiving said network device identifier associated with said second network related service, and storing said network device identifier associated with said second network related service, or in relation to said obtaining said network device identifier, said method further comprises retrieving said network device identifier associated with said second network related service.
12. The method according to any of claims 7 to 11, wherein in relation to said obtaining said application identifier, said method further comprises receiving said application identifier associated with said third network related service, and storing said application identifier associated with said third network related service, or in relation to said obtaining said application identifier, said method further comprises retrieving said application identifier associated with said third network related service.
13. The method according to any of claims 2, 3, 5, 6 and 8 to 12, further comprising allowing a connection corresponding to said connection attempt, if said network connection attempt is judged as allowed.
14. The method according to claim 13, further comprising denying a connection corresponding to said connection attempt, if said network connection attempt is not judged as allowed.
15. The method according to claim 13, further comprising generating an alert including information regarding said connection attempt, if said network connection attempt is not judged as allowed.
16. The method according to claim 15, wherein said alert includes at least one of a prompt to manually allow said connection corresponding to said connection attempt, a prompt to manually allow an ascertained identity portion of said credentials utilized for said network connection attempt to be obtained as associated with said first network related service, a prompt to manually allow an ascertained network device identifier of said network device initiating said network connection attempt to be obtained as associated with said second network related service, and a prompt to manually allow an ascertained application identifier of said application initiating said network connection attempt to be obtained as associated with said third network related service.
17. An apparatus, comprising a memory configured to store computer program code, and a processor configured to read and execute computer program code stored in the memory, wherein the processor is configured to cause the apparatus to perform: obtaining an identity portion associated with a first network related service, detecting a network connection attempt for a network related service, determining, if said network connection attempt is for said first network related service, whether credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service, and handling said network connection attempt based on a result of said determining.
18. The apparatus according to claim 17, wherein in relation to said handling, said processor is configured to cause the apparatus to perform: judging said network connection attempt as allowed if said credentials utilized for said network connection attempt correspond to said obtained identity portion associated with said first network related service.
19. The apparatus according to claim 18, wherein said identity portion is a username or login identifier, or said identity portion is a tracking identifier.
20. The apparatus according to any of claims 17 to 19, wherein the processor is configured to cause the apparatus to perform: obtaining a network device identifier associated with a second network related service, and in relation to said determining it is further determined, if said network connection attempt is for said second network related service, whether a network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service.
21. The apparatus according to claim 20, wherein in relation to said handling, the processor is configured to cause the apparatus to perform: judging said network connection attempt as allowed if said network device initiating said network connection attempt corresponds to said obtained network device identifier associated with said second network related service.
22. The apparatus according to any of claims 17 to 21, wherein said network device identifier is an internet protocol address or a media access control address or a network device name.
23. The apparatus according to any of claims 17 to 22, wherein the processor is configured to cause the apparatus to perform: obtaining an application identifier associated with a third network related service, and in relation to said determining it is further determined, if said network connection attempt is for said third network related service, whether an application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service.
24. The apparatus according to claim 23, wherein in relation to said handling, the processor is configured to cause the apparatus to perform: judging said network connection attempt as allowed if said application initiating said network connection attempt corresponds to said obtained application identifier associated with said third network related service.
25. The apparatus according to any of claims 23 to 24, wherein said application is recognized based on SHA1 information transmitted with the network connection attempt, and/or application related meta information transmitted with the network connection attempt, and/or application unique network traffic.
26. The apparatus according to any of claims 17 to 25, wherein in relation to said obtaining said identity portion, the processor is configured to cause the apparatus to perform: receiving said identity portion associated with said first network related service, and storing said identity portion associated with said first network related service, or in relation to said obtaining said identity portion, the processor is configured to cause the apparatus to perform: retrieving said identity portion associated with said first network related service.
27. The apparatus according to any of claims 20 to 26, wherein in relation to said obtaining said network device identifier, the processor is configured to cause the apparatus to perform: receiving said network device identifier associated with said second network related service, and storing said network device identifier associated with said second network related service, or in relation to said obtaining said network device identifier, the processor is configured to cause the apparatus to perform: retrieving said network device identifier associated with said second network related service.
28. The apparatus according to any of claims 23 to 27, wherein in relation to said obtaining said application identifier, the processor is configured to cause the apparatus to perform: receiving said application identifier associated with said third network related service, and storing said application identifier associated with said third network related service, or in relation to said obtaining said application identifier, the processor is configured to cause the apparatus to perform: retrieving said application identifier associated with said third network related service.
29. The apparatus according to any of claims 18, 19, 21, 22 and 24 to 28, wherein the processor is configured to cause the apparatus to perform: allowing a connection corresponding to said connection attempt, if said network connection attempt is judged as allowed.
30. The apparatus according to claim 29, wherein the processor is configured to cause the apparatus to perform: denying a connection corresponding to said connection attempt, if said network connection attempt is not judged as allowed.
31. The apparatus according to claim 29, wherein the processor is configured to cause the apparatus to perform: generating an alert including information regarding said connection attempt, if said network connection attempt is not judged as allowed.
32. The apparatus according to claim 31, wherein said alert includes at least one of a prompt to manually allow said connection corresponding to said connection attempt, a prompt to manually allow an ascertained identity portion of said credentials utilized for said network connection attempt to be obtained as associated with said first network related service, a prompt to manually allow an ascertained network device identifier of said network device initiating said network connection attempt to be obtained as associated with said second network related service, and a prompt to manually allow an ascertained application identifier of said application initiating said network connection attempt to be obtained as associated with said third network related service.
33. A computer program product comprising computer-executable computer program code which, when the program is run on a computer, is configured to cause the computer to carry out the method according to any one of claims 1 to 16.
34. The computer program product according to claim 33, wherein the computer program product comprises a computer-readable medium on which the computer-executable computer program code is stored, and/or wherein the program is directly loadable into an internal memory of the processor.
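The apparatus claims above describe an enforcement point that binds each network related service to the identity portion (claims 18 and 19), network device identifier (claims 20 to 22) and application identifier (claims 23 to 25) allowed to use it, judges a connection attempt allowed only when the stored bindings match, and otherwise denies it and raises an alert carrying manual-enrollment prompts (claims 29 to 32). The following is an added illustration of that policy and is not code from the patent or from its assignee; the service name `vpn`, the user `alice`, the addresses, the stand-in client binary and the three connection attempts are all constructed for the example, and the class and function names are the example's own.

```python
"""Added example, not code from the patent or from F-Secure/WithSecure: a toy
enforcement point for the policy of claims 17 to 32.  A service is bound to
the identity, device and application allowed to use it; an attempt is judged
allowed only if every binding that exists for the service matches, otherwise
it is denied and an alert with enrollment prompts is produced.  All names,
addresses and attempts below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ConnectionAttempt:
    service: str
    identity: Optional[str] = None     # username, login id or tracking id (claim 19)
    device_ip: Optional[str] = None    # claim 22: IP address, MAC address or device name
    device_mac: Optional[str] = None
    device_name: Optional[str] = None
    app_sha1: Optional[str] = None     # claim 25: SHA1 of the initiating application
    app_meta: Optional[str] = None     # claim 25: application related meta information


@dataclass
class ServiceBinding:
    identities: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    apps: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reasons: list   # why the attempt was not judged allowed (empty when allowed)
    prompts: list   # claim 32: manual-enrollment prompts carried in the alert


class AbusePreventionPoint:
    def __init__(self, default_allow: bool = False):
        # A service with no stored binding is allowed only when default_allow
        # is set; failing closed is the safer default for an enforcement point.
        self.bindings: dict = {}
        self.default_allow = default_allow

    def enroll(self, service: str, identity: Optional[str] = None,
               device: Optional[str] = None, app: Optional[str] = None) -> None:
        """Claims 26 to 28: receive and store an identifier for a service."""
        b = self.bindings.setdefault(service, ServiceBinding())
        if identity:
            b.identities.add(identity)
        if device:
            b.devices.add(device)
        if app:
            b.apps.add(app)

    def evaluate(self, attempt: ConnectionAttempt) -> Decision:
        binding = self.bindings.get(attempt.service)
        if binding is None:
            reasons = [] if self.default_allow else ["no binding for service"]
            return Decision(self.default_allow, reasons, [])
        reasons, prompts = [], []
        if binding.identities and attempt.identity not in binding.identities:
            reasons.append(f"identity {attempt.identity!r} not bound to {attempt.service}")
            prompts.append(f"allow identity {attempt.identity!r} for {attempt.service}?")
        devices = {attempt.device_ip, attempt.device_mac, attempt.device_name} - {None}
        if binding.devices and not (devices & binding.devices):
            reasons.append(f"device {sorted(devices)} not bound to {attempt.service}")
            prompts.append(f"allow device {sorted(devices)} for {attempt.service}?")
        apps = {attempt.app_sha1, attempt.app_meta} - {None}
        if binding.apps and not (apps & binding.apps):
            reasons.append(f"application {sorted(apps)} not bound to {attempt.service}")
            prompts.append(f"allow application {sorted(apps)} for {attempt.service}?")
        return Decision(not reasons, reasons, prompts)


# Constructed stand-in for the bytes of the approved VPN client binary.
APPROVED_CLIENT = b"constructed-vpn-client-binary-v1"


def build_demo() -> AbusePreventionPoint:
    """Enroll one constructed binding: who may use 'vpn', from where, with what."""
    point = AbusePreventionPoint()
    point.enroll("vpn", identity="alice", device="10.0.0.15",
                 app=hashlib.sha1(APPROVED_CLIENT).hexdigest())
    return point


def run_demo() -> list:
    point = build_demo()
    sha1 = hashlib.sha1(APPROVED_CLIENT).hexdigest()
    attempts = [
        # legitimate use: bound identity, device and application
        ConnectionAttempt("vpn", identity="alice", device_ip="10.0.0.15", app_sha1=sha1),
        # alice's credentials replayed from an unknown host with an unknown tool
        ConnectionAttempt("vpn", identity="alice", device_ip="198.51.100.7", app_meta="curl/7.88"),
        # right device and client, wrong account
        ConnectionAttempt("vpn", identity="mallory", device_ip="10.0.0.15", app_sha1=sha1),
    ]
    return [point.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "DENY", d.reasons, d.prompts)
```

Two caveats a deployment would have to settle that the claims leave open. An IP address or device name is trivially spoofable and a MAC address is only visible on the local segment, so the device binding is only as strong as the network position of the enforcement point. Claim 25 names SHA1 for recognising the application; practical SHA-1 collisions have been public since 2017, so a current implementation would bind to a SHA-256 digest or to a code-signing identity instead.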
GB1522494.2A 2015-12-21 2015-12-21 Network service abuse prevention Withdrawn GB2545894A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1522494.2A GB2545894A (en) 2015-12-21 2015-12-21 Network service abuse prevention

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1522494.2A GB2545894A (en) 2015-12-21 2015-12-21 Network service abuse prevention

Publications (2)

Publication Number Publication Date
GB201522494D0 GB201522494D0 (en) 2016-02-03
GB2545894A true GB2545894A (en) 2017-07-05

Family

ID=55311315

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1522494.2A Withdrawn GB2545894A (en) 2015-12-21 2015-12-21 Network service abuse prevention

Country Status (1)

Country Link
GB (1) GB2545894A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030055966A1 (en) * 2001-09-14 2003-03-20 Fujitsu Limited Information processing system
US20070245148A1 (en) * 2005-12-31 2007-10-18 Broadcom Corporation System and method for securing a credential via user and server verification
US20080046989A1 (en) * 2006-08-17 2008-02-21 Mark Frederick Wahl System and method for remote authentication security management
US20080060063A1 (en) * 2006-08-31 2008-03-06 Parkinson Steven W Methods and systems for preventing information theft
US20110093939A1 (en) * 2009-10-20 2011-04-21 Microsoft Corporation Resource access based on multiple credentials
US20120102551A1 (en) * 2010-07-01 2012-04-26 Prasanna Bidare System for Two Way Authentication
WO2012098265A1 (en) * 2011-01-21 2012-07-26 Lionel Wolovitz Method and system for controlling access to networks and/or services

Also Published As

Publication number Publication date
GB201522494D0 (en) 2016-02-03

Similar Documents

Publication Publication Date Title
US11134386B2 (en) Device identification for management and policy in the cloud
US10805265B2 (en) Detection of compromised credentials as a network service
US11470070B2 (en) Time-based network authentication challenges
US11134058B1 (en) Network traffic inspection
US20200296127A1 (en) Hierarchical risk assessment and remediation of threats in mobile networking environment
US10701056B2 (en) Intercept-based multifactor authentication enrollment of clients as a network service
US20240121211A1 (en) Systems and methods for continuous fingerprinting to detect session hijacking inside zero trust private networks
EP3420677B1 (en) System and method for service assisted mobile pairing of password-less computer login
US10547600B2 (en) Multifactor authentication as a network service
US10154049B2 (en) System and method for providing an in-line sniffer mode network based identity centric firewall
US9954820B2 (en) Detecting and preventing session hijacking
WO2018063583A1 (en) Multifactor authentication as a network service
US20170237749A1 (en) System and Method for Blocking Persistent Malware
US10412078B2 (en) Advanced local-network threat response
WO2019157333A1 (en) Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
US11363022B2 (en) Use of DHCP for location information of a user device for automatic traffic forwarding
US20210112093A1 (en) Measuring address resolution protocol spoofing success
US9712556B2 (en) Preventing browser-originating attacks
GB2545894A (en) Network service abuse prevention
US10339340B1 (en) Anonymous reputation requests
GB2540375A (en) Preventing browser-originating attacks in a local area network

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)