• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    LEGIBLE STORAGE MEANS BY NON-TRANSITIONAL COMPUTER WITH INSTRUCTIONS FOR EXECUTION ON A HOSTED COMPUTER, SECURITY PROVISION METHOD ON A HOSTED COMPUTER, NETWORK SECURITY DEVICE, AND COMPUTER PROGRAM PRODUCT. A computer-readable storage medium with instructions executable on a host computer. The instructions record a relationship between a partner site and the host computer, replace a reference to the partner site with a nickname of the partner site referenced to the host computer, deliver the nickname of the partner site to a customer, replace the nickname of the partner site with reference to the partner site in response to receiving the alias from the customer's partner site and augment the customer's address with an alias address. The address alias is sent to the partner site. The partner action and the alias address are received from the partner site. The address is exchanged for the address alias. The partner's action is delivered to the customer using the address. These operations are monitored to identify customer activity, which constitutes a security threat on the host computer or on the partner website
    公开号:BR112012022088B1
    申请号:R112012022088-8
    申请日:2011-03-01
    公开日:2020-12-08
    发明作者:Andreas Wittenstein;Mike Eynon;Laura Mather;Jim Lloyd;Matt Frantz
    申请人:EMC IP Holding Company LLC;
    IPC主号:
    专利说明:

    Cross-reference on related request
    This application claims priority to US Provisional Patent Application 61,339,248, filed on March 1, 2010, the content of which is incorporated herein by reference. Field of invention
    The present invention relates to computer network systems and methods for detecting and defending website attacks, including attacks through third party websites. Fundamentals of the invention
    There are many different entities - financial, business, government, charity, educational, individual, etc. - who can choose to have online presences implemented by computer systems coupled to a network or computer program code running on systems of other entities that are connected to the network. Since these online systems can be used to provide information, accept and forward information, facilitate transactions, and / or allow access to online resources, these entities have an interest in ensuring these systems so that authorized activities are carried out. permitted while unauthorized activities are prevented. Internet and other online utilities are commonly used for financial, commercial, private and other transactions, preferably kept safe.
    In a simple example, a bank may choose to offer its customers online access to bank details and a facility to initiate transactions, such as funds transfers. It is to be expected that some illegitimate actions by unauthorized persons or computer systems may want to be performed, such as improperly accessing bank details, initiating unauthorized transactions, or modifying online resources for their own purposes, rather than those of the resource operator, how to deface an online presence, theft of money, goods or information; sabotage, or perform other illegal actions. Other illegitimate actions may be unexpected.
    As explained here, a common approach to providing that online presence is through a "website". While users may consider a website a "place", it is often a logical place only, as it is referenced by a URI, while its actual physical location is unimportant and can in fact be distributed across multiple data centers or even virtual data centers in computational clouds. More precisely, a website is generally the user interface aspects of a network entity presence.
    For example, a retailer can set up a server that has software on it that can take requests from a network and respond to those requests, returning content, accepting input, and / or performing some actions in response to requests. Some of that returned content may be in the form of web pages that can be viewed through client devices in response to requests for web pages from those client devices. Client devices can include computers, phones, smart portable devices, other computing devices, etc. These customer devices can be used by the retailer's customers, potential customers, visitors, suppliers or partners.
    Some web pages are static and pre-generated before a request, like a page explaining a company's history, while others are dynamic and generated in real time, like a web page that shows the contents of a user's purchase card or a page generated for a product that the user just requested. Thus, the server can have access to data systems usable for the generation of web pages and other content (music, video, etc.). The server can comprise several machines at different locations on the network, possibly serving different sets of pages or not. Thus, the term "site" can refer to the client-side view of a collection of servers, content, operations and the like, while end users can view a website as a collection of pages operated by an entity with an approach consistent that can be seen in several aspects. As used here, "website" can refer to content, servers, server operators, and / or interaction with client devices, etc., depending on the context.
    Just as website developers have created defensive methods to detect and neutralize attacks, attackers have in turn developed forms around these defenses, in a co-evolution cycle of increasing sophistication.
    Many methods have been developed to steal identities of legitimate users of website abuse. A common method is called "phishing", in which an email sent in the guise of a trustworthy entity elicits personal information from unsuspecting recipients, usually attracting potential victims to a fraudulent website that requests personally identifiable information, such as names users, passwords, account numbers, ATM PINs, etc. This stolen information is then used by imposters, manually or robotically, to log into victims' accounts on the original websites, in order to steal money, send fake emails, or perpetrate other illegal activities.
    To combat such impostors, many web operators have developed more sophisticated access control methods that require secondary authentication information that simple phishing schemes cannot easily obtain. For example, when a website suspects that an account is being used by a third party, the website can verify that the user is actually the owner of the account, requiring additional randomly chosen access credentials, such as birthplace, mother’s maiden name, or the answer to one of a set of questions pre-selected by the legitimate account owner.
    In response to the implementation of secondary authentication techniques, fraudsters have developed what is called a "man-in-the-middle", in which a phisher lures the victim to a counterfeit website imitating the look and behavior of the target website on the one hand, intercepting the victim's entry and relaying it to the real website, while on the other hand intercepting the exit from the real website and relaying back to the user via the fake website. Thus, man-in-the-middle allows fraudsters to gain entry into privileged locations by deceiving authorized website users to respond to all challenges posed by the authorization of privileged locations, thereby evading all direct authorization protocols. Despite the name "man-in-the-middle", the entire process, including any illegal activity perpetrated within the mugged account, can be carried out completely automatically, without the need for human intervention.
    To combat man-in-the-middle attacks, many websites are programmed to look for structurally identifying information, such as addresses of Internet Protocol users and inferred geographic locations, "cookies" (tokens generated from the website passed back and forth) between website and client), user agent identifiers, and request time stamp - information about which fraudsters normally do not have direct control over. This auxiliary information allows a website to detect suspicious users who, despite fulfilling all explicit authorization challenges, are evidently not using the same browsers on the same computers in the same locations as they usually do, indicating that they may be victims of attacks of man-in-the-middle.
    Now that websites are examining structural session information to distinguish imposters from legitimate users, fraudsters have developed a more sophisticated method of assault, called a "man-in-the-browser attack", using malicious software clandestinely installed on computers. potential victims themselves. Various mechanisms have been put in place to remove installed malware, including attachments to phishing emails, downloads from phishing websites and self-propagating viruses and worms; any of which can be disguised within Trojan horses that apparently or actually perform desirable functions, or can be transferred, later, through a rear door via a boot mechanism.
    This malware, usually in the form of a plug-in (hence the name), lurks in the background until it recognizes that the potential victim has successfully signed on to a target website, thus evading all direct authorization protocols. It then uses the victim's own browser on the victim's own computer, according to the user's own programming to perpetrate fraud while the victim is also interacting with the website, thus also eluding all structural authentication clues. Again, although some implementations provide real-time human intervention, however, the entire process, including any illegal activity perpetrated from the hacked account, can be performed fully automatically, despite the name "man" in the browser . Malware can evade detection by the user by performing their transactions invisibly, for example, in an off-screen window, or, as in a man-in-the-middle attack, intercepting communications between the real user and the website, and manipulating the view presented to the user.
    Since man-in-the-browser attacks, such as man-in-the-middle attacks and other phishing attacks, do substantial damage to websites and to users of legitimate websites through direct material and financial theft, as well as through sabotage, defamation, and other forms of harm, it is crucial for websites to have an effective means of detecting such attacks in order to take corrective measures against them.
    At the moment, however, there are no methods for websites to detect ata-quesman-in-the-browser.
    Many websites outsource some of their services to third-party websites specializing in such services, such as advertising, news, maps, search, indexing, rating, coding, rating, reviews, email, chat, social networks, forums, games social, collaborative editing, questionnaires, polls, media hosting, special offers and promotions, shopping, bill payment, banking, bank transfers, and identity verification. Although these third-party services can be adapted, personalized and integrated so as to appear to be offered directly by the main website, customers who use the services are diverted to the corresponding partner websites, bypassing the main website's web servers. As a result, the host website loses the entire range of customers while they are dealing with third parties, leaving them susceptible to attack through a partner website or a combination of partner websites and host website. The main website, therefore, has to rely on partner websites to monitor its customers instead. However, the monitoring information provided by third party services, usually in the form of daily, weekly or monthly reports or summaries, is generally inadequate and inopportune. Online criminals have been quick to take advantage of this weakness, so many websites now incur their biggest losses indirectly, through third party services, and urgently need an effective means for tracking users across all third party websites, in addition to their own websites. Summary of the invention
    A computer-readable storage medium with instructions executable on a host computer. The instructions record a relationship between a partner website and the host computer, replace a reference to the partner website with a pseudonym of the partner website referencing the host computer, deliver the pseudonym of the partner website to a customer, replace the pseudonym of the partner website for the reference to the partner website in response to receiving the partner website alias from the customer and augmenting the customer's address with an alias address. The address pseudonym is sent to the partner website. The action of the partners and the pseudonym of address are received from the partner website. The address is changed to the address alias. The partners' action is delivered to the customer, using the address. These operations are monitored to identify customer activity, which constitutes a security threat on the host computer or the partner website.
    The following detailed description, together with the accompanying drawings, will provide a better understanding of the nature and advantages of the present invention. Brief description of the drawings
    Fig. 1 is a top level flow information diagram of a network service rear detection system according to aspects of the present invention. Fig. 2 is a top level flow information diagram of a network service rear detection system according to aspects of the present invention. Fig. 3 is a top level diagram of flow information from the network service threat detector in figure 1 or Fig. 2. Fig. 4 is a flow diagram of information from the website analyzer in fig. 3. Fig. 5 is an information flow diagram of the session reconstructor in fig. 3. Fig. 6 is a service information flow diagram and server time modeler in figure 5. Fig. 7 is an information flow diagram of the service data comparator in fig. 6. Fig. 8 is a flow diagram of the server synchronizer in fig. 5. Fig. 9 is an information flow diagram of the session separator in fig. 5. Fig. 10 is an information flow diagram of the agent modeler in fig. 5. Fig. 11 is an information flow diagram of the customer timing modeler for Fig. 5. Fig. 12 is an information flow diagram of the service data comparator for fig. 11. Fig. 13 is an information flow diagram of the client synchronizer in fig. 5. Fig. 14 is an information flow diagram of the click data estimator in fig. 13. Fig. 15 is an information flow diagram of the load data estimator in fig. 13. Fig. 16 is an information flow diagram of the session analyzer in fig. 3. Fig. 17 is an information flow diagram of an event modeler for fig. 3. Fig. 18 is an information flow diagram of an independent session event comparator for fig. 3. Fig. 19 is an information flow diagram of the privilege threat analyzer in figure 18. Fig. 20 is an information flow diagram of the event comparator in fig. 18. Fig. 21 is an information flow diagram of an atomic event frequency predictor for fig. 20. Fig. 22 is an information flow diagram of a polarized event frequency predictor TxAB for fig. 20. Fig. 23 is an information flow diagram of a BxTA polarized event frequency predictor for fig. 20. Fig. 24 is an information flow diagram of an AxTB polarized event frequency predictor for fig. 20. Fig. 25 is an information flow diagram of a combined event frequency predictor for Fig. 20. Fig. 26 is an information flow diagram of the prediction combiner in fig. 20. Fig. 27 is an information flow diagram of the event frequency scorer in figure 20. Fig. 28 is an information flow diagram of the event duration marker in figure 20. Fig. 29 is a block diagram of the server traffic processor in fig. 2. Fig. 30 is an information flow diagram of the partner plumber in fig. 29.
    Individual elements of the modalities are numbered consistently in all of these figures. Detailed description of the invention
    This description presents a system and method for determining when there is a man-in-the-browser attack on a website, among other things. In an example of a modality of the invention, man-in-the-browser attacks on a website are detected by comparing the current user's session with the average user's session.
    The system of the invention operates on an incoming flow of input data generated by actions on a website. Example actions on a website typically correspond to hyperlink clicks by the website user. These clicks can be performed by a human being or by an automated computer program. Automated computer programs can work by simulating clicks from the website or by working through the website's application programming interface.
    Examples of actions taken on a website include entering data into forms on the website and clicks to go to other pages on the website. Examples of entering data into forms on a website include entering a user name and password on a website to enter the website, filling out an email form to send email to another website user, and entering personal information to register for an account on the website.
    As described in more detail below, each website action can comprise several parameters as defined by the information corresponding to the action on the website that can be viewed by processors and computers connected to a server, firewall, or other device that processes website traffic. and additional information provided by the website or third parties. Examples of parameters associated with website actions include IP addresses, including those of proxies used in the process of sending traffic to the website, browser header information, operating system information, information about other programs installed on the user's machine, information about the clock and other settings on the user's machine, cookies, referring URLs, user names, parameters associated with a post on the website, and other information associated with the user's action on the website.
    Various aspects of the current user session are compared to the average user session to detect man-in-the-browser attacks using a set of pre-stored data that represent the average parameter values of all user sessions during the data collect. This is compared to the average time between clicks for an average session. Then, the order in which the website pages are viewed in the current session is compared to the order in which the website pages are viewed in an average session for each page that is accessed. Finally, the time between clicks for each page in the user's session is compared to the average time between clicks for the average user session for that page. Additional tests can be used instead of, or as well as, the above.
    The above comparisons are combined to generate a score that indicates the probability that the current session is a man-in-the-browser attack. The score is used to determine whether or not an alert should be generated to notify the appropriate parties, including the website administrator, the website's alert processing system, and other associated website parts.
    The top-level information flow diagram of Fig. 1 illustrates a way that the invention disclosed here can be integrated with the data center or data centers 1030 employed by a 1015 network service: as a threat threat detection system rear 1000.
    A 1030 service data center, the system that operates a website or other network service, can be configured in several different ways, depending largely on the size of the business: for example, as a single virtual server shared with other services, a dedicated physical server, all or part of a server farm, or a virtual server farm in a computing cloud. A service data center receives actions from client 1020 from client 1010 of the service, which in turn receives 1040 service actions, such as web pages, web page updates, e-mail messages, text messages, phone calls , or other information back from the service data centers. Typical 1020 customer actions correspond to hyperlink clicks or other interactions with a website, such as entering form data or uploading images or other resources by 1010 website customers, which can be human or computer automated. Automated computer programs can work by simulating clicks from the website, using the application programming service interface, if any, or using some other protocol.
    For each customer action and service action, the response service data center 1030 relays a raw transaction record 1050 to the threat detector 1060. A transaction record describes the parameters of the transaction between the client and the server, which contains the corresponding 1020 client action parameters and 1040 server response required for threat detection. In their rawest form, these transaction logs can be simply copies of low-level packets or datagrams for all network traffic between exposed data centers and website customers, whose network service threat detector independently goes back complete transaction records.
    The 1060 network service threat detector and other components can also be located on-site, off-site, or in a cloud computing center.
    In the preferred embodiment, the entire network service threat detection system 1000 is placed with the service data center 1030 to facilitate security and real-time response. Very large Internet companies employ multiple 1030 geographically dispersed data centers, in which case a single 1000 threat detection system can serve one or more data centers.
    The 1060 network service threat detector analyzes 1050 logged transactions for suspicious behavior characteristic of man-in-the-browser ("MIB") attacks and other types of attacks, and issues 1070 threat notifications according to service threat processors 1080, including the service administrator, the service alert processing system, and other associated service parts, as appropriate. If the service is not configured to provide all the information needed for the transaction by the detector in the 1050 raw transaction log stream pushed to the detector, then the detector can issue 1100 requests to pull additional 1120 information as needed from the data centers client-facing data centers 1030 or 1110 internal service data centers, which are installed in some services where they are protected from the Internet for security or efficiency reasons. In addition, for services that can make other use of the information produced by the detector, the detector can send 1140 information to the 1030 or 1110 service data centers, either unsolicited or in response to 1130 requests from the 1060 detector. network service 1060 is described in more detail in Fig. 3.
    1080 threat processors examine 1070 threat notifications, possibly in conjunction with additional information provided by other tools (not shown), and issue corresponding 1090 repair actions to 1030 customer data centers.
    1090 repair actions can also be returned to the 1060 threat detector, allowing the detector to respond on its own to subsequent cor- respond threats without incurring the delay caused by burdening threat processors. 1090 threat repairs include immediately frustrating hijacked customers from accessing the service as a whole or sensitive parts of it, blocking it, slowing it down, diverting it to harmless pages, or falsifying sensitive information; alerting victims that their systems have been infected, either through independent channels, such as telephone or regular mail, or through changes in account information that go unnoticed by hijackers, but compel victims to contact the company through other channels, such as by phone; reverse or block fraudulent transactions; monitor and track compromised accounts, and forward incriminating evidence to the appropriate authorities for further investigation and prosecution, or other actions.
    If a website incorporates third party website services into its own services, then some of its 1040 service actions contain references to 1150 partner websites. When a customer acts on a referral, such as clicking on a hyperlink in an iframe from a website partner, then customer action 1160 is normally diverted (dashed arrow) directly to the partner website, and the response from partner website 1170 is sent directly to the customer (dashed arrow), ignoring the main website. The host website is therefore unable to monitor transactions between the customer and the partner websites, and is therefore unable to detect fraud or other illegal activities perpetrated through the partner websites.
    The invention allows the main website to monitor customer-partner traffic, including a new partner plumber that intercepts traffic between the main website and its customers, and edits outbound 1040 service actions to include customer-partner traffic through the partner channeler, replacing partner references with partner aliases referring back to the host website. When a customer acts on an edited reference, the action of the corresponding customer 1020, instead of being diverted to the partner, goes back to the main website, where the partner's plumber intercepts it, replaces the customer's address with a pseudonym on the host website to include the traffic from the partner customer back to the plumber, replace the alias partner with the original partner reference, and pass the action from the included customer 1180 to the partner website 1150. When the partner website responds to the action of the included customer, the action the corresponding included partner 1190 also goes back to the main website, where the plumber intercepts it, replaces the customer's pseudonym with the original customer's address, and again replaces the partner's references with the partner's pseudonym referring back to the host website, finally sends the action from the included partner to the customer, under the guise of an ordinary 1040 service action.
    In a rear-end threat detector deployment, the plumber is installed in the data center of the host website (s). In the preferred mode, the plumber is installed in the exposed data center (s) 1030, where it can intercept all traffic between the host, partners, and customers, with minimal disturbance to the existing website architecture, and without overloading the data centers. 1110 internal data with partner traffic. The partner's plumber is discussed in fig. 29 and fig. 30.
    In the preferred embodiment, the rear network service threat detector system 1000 is capable of detecting and correcting attacks on a service in substantially real time.
    The top-level information flow diagram in Fig. 2 illustrates an alternative way to integrate with a service data center (s): as a leading edge 2000 network service threat detection system.
    In this configuration, the service traffic processor 2010 is introduced as a proxy to intercept actions of the client 1020, in order to issue transaction logs 1050 to the threat detector 1060; and intercept normal website actions 2030 issued by website data centers 1030 in order to replace repair actions 1090 provided by threat detector 1060 or website threat processors 1080, as appropriate. As with the other components, the website's traffic processor can be on-site, off-site, or in a cloud computing center. For the generation of transaction records, website traffic processor 2010 has direct access to all information in the HTTP request headers from the actions of the 1020 client and in the HTTP response headers from the actions of the website 2030 or 1090. It it also has access, through its own clock, to the exact moment when the customer's actions were received and the actions of the 1040 website were transmitted, which is inserted in the transaction logs, thus eliminating the need for server synchronization during the reconstruction of session (see Fig. 5) different from reconciling with information exchanged internally with website data centers 1030 and 1110 through service responses 1120 for requests from detector 1100 and responses from detector 1140 for service requests 1130.
    In the preferred modality of the cutting edge threat detection system, to avoid superfluous generation of actions from normal 2030 websites replaced by repair actions 1090, exposed data centers 1030 receive the actions of the client 1020 only as actions of 2020 filtered clients coming from the processor of website traffic 2010, which either holds remedied customer shares from the website's data centers, or flags them as remedied before passing them on to data centers to register without responding.
    In an alternative modality, for example, if the website needs to record all customer actions accurately, but it is not defined to refrain from responding to remedied customer actions, the 1020 customer actions are either passed through the traffic processor of the website 2010 unfiltered, or copied directly (dashed arrow) to the website data centers, to be filtered by the website's traffic processor only at exit 2030.
    In another alternative modality, if it is more convenient for certain actions or other information to be communicated internally, especially if the cutting edge threat detector is placed with the data centers, the 1060 threat detector can request 1100 1120 information directly from the data centers isolated 1110 or exposed 1030, or provide 1130 information directly to data centers.
    In an avant-garde deployment, in the preferred mode, the partner channel is incorporated into the 2010 server traffic processor, where it can intercept all traffic between the host, customers and partners, without overloading the host's data centers with traffic of the partner.
    A state-of-the-art 2000 threat detection setting is preferable for websites that are not designed to issue the 1050 real-time parameter transaction records required by the threat detector, which are not designed to implement the desired 1090 repair actions to address with threats in real time, or who prefer to have the threat detection and repair dealt with were on the site before the offending client's actions had a chance to reach the website. Cutting-edge threat detection also offers the advantages of more accurate and more accurate time stamps and closer links in customer response time estimates, as explained in Fig. 6.
    In the preferred modality, the threat detection system 2000 is capable of detecting and correcting attacks on a website in substantially real time.
    As shown in the top-level information flow diagram of Fig. 3, network service threat detector 1060 inserts records of raw transaction parameters 1050 in continuous flow into the website data center (s), applies a series processing steps and issues 1070 threat notification alerts to website threat processors.
    In the first detection step, if the transaction records entered 1050 do not contain all the transaction information required by the threat detector, as is the case with the back detection systems 1000 (See Fig. 1.), then record enhancer 3010 obtains as much missing information as possible 1120 by querying 1100 to the data center (s), issuing increased records of 3020 transactions.
    Then, the increased transaction records 3020 are analyzed by the session builder 3030 to separate them into individual sessions of 3040 clients, as described in Figure 5. The session reconstructor can be assisted in its analysis through the use of a generated 3110 website map maintained by the 3100 website analyzer, as described under Fig. 4.
    The 3050 session analyzer then analyzes client sessions for characteristics of MiB attacks or similar website attacks, and for each session entered it can issue a record of 3060 session threat parameters, as described in Figure 11. The session analyzer you can also make use of information from the website map.
    The 3070 session comparator then compares each record of current session parameters 3060 with a set of session templates 3130 derived from session modeler 3120 from the record of current session parameters from previous aggregate, and for each client session current 3080 threat score record is issued. The session modeler can use the website map in his analysis. The session comparator is described below in connection with fig. 18, and the session modeler in connection with fig. 17.
    Finally, for each client session, the 3090 threat repairer analyzes the 3080 threat score record and, as a guarantee, issues 1070 threat notification for further analysis and Repair by the 1080 website threat processors (See fig. 1). If directed to do so, the threat repairer can also issue 1090 repair actions to the client's website data center (see Fig. 1.) or to the 2010 website's traffic processor (see fig. two).
    As described in the information flow diagram in Fig. 4, the website analyzer 3100 for use in the network service threat detector 1060 (See Fig. 3) analyzes the logical structure of the website and issues the website map 3110 detailing the 4100 intrinsic links between web pages, as well as the 4140 intrinsic access level, 4120 intrinsic privilege level, and the 4080 intrinsic security level for each region of the website. The 4010 web network assembles a complete list of all 4030 pages and other services on the website and all 4040 internal hyperlinks between the pages and other media on the website, by examining intrinsic hyperlinks on several pages, and following each link that leads to a new destination, thus building lists of services and links, and so on.
    Similar to prior art website web networks, website 4010 web network is launched at the root of the website and traverses the website through the issue of 4020 customer shares - through simulated website clicks or, if available, the web interface. website application programming - for 1030 client-side website, and analyzes 1040 website action responses for all trackable links. In the event that the website contains disjoint regions or regions not directly accessible by the external spidering, the web network is also launched on unlisted services appearing in the Request URLs and Referral URLs in 3040 client sessions. In addition, non-trackable links by external spidering, such as deliberately disguised POST CGI methods, 4010 website web traces in parallel internally through 1050 transaction logs. Whenever possible, the 4010 web network also traverses the website when accessing services and links directly through 1100 database queries to the 1110 or 1030 website data center.
    To distinguish uniform resource locators (URLs) from genetically new services from URLs only synonymous with known services, the URL resolver (not shown), employed by the 4010 web and 4050 change detector web network is increased to resolve not only the URLs provided and received by external spidering from customer 4020 actions and website 1040 actions, respectively, but also the URLs and equivalent identifiers provided by website data centers in response 1120 to bank queries data 1100 and transaction records 1050 in 3040 client session records. To resolve URL pseudonyms, web 4010 not only compares service content with that of prior art web networks, but first correlates displayed URLs for the first time externally on 1040 website actions with internal URIs given in 1060 transaction logs, synchronizing the two, for example, including a sequence number in the User-Agent field of your requests.
    The 4050 change detector monitors 3040 client sessions for the appearance of new services not on the 4030 website's list of services, as well as periodically checking for changes in the services already listed, and issues 4060 update orders to the website's web network. in accordance.
    Security Classifier 4070 examines each 4030 web service, and issues security level 4080 by classifying the service according to whether its content is always transmitted as plain text, or always transmitted in encrypted form via a secure protocol, such as TLS or SSL, as recognized by the secure protocol name "https: //" in the URLs of services, as opposed to "http: //", or by the HTTP Update header.
    4090 link mapper lists the 4030 services and 4040 links on a 4100 coherent map of the intrinsic link structure of the website.
    The 4110 privilege classifier examines 4040 website links for verification points that require passwords or higher levels of authentication, and uses this information to split the 4100 link map into regions according to the 4120 privilege step required to access the 4030 services within each region.
    The 4130 access classifier examines each web service and assigns it a 4140 access level, ranging from an innocuous static "wall" providing no access to personal or proprietary information; through an insecure "window" allowing inherently risky transactions that a malicious agent can exploit to indirectly harm the client's or website owner's interests, such as displaying personal or proprietary information and using it at another time or elsewhere; to a dangerous "door" allowing inherently dangerous transactions that a malicious agent could exploit to directly harm the interests of the customer or the website owner, such as the removal or transfer of goods or money; creating, deleting or changing information such as account ownership or shipping addresses, and, in general, making changes on the server or elsewhere outside the customer's browser. Windows are usually indicated by HTTP GET and HEAD methods, while ports are usually indicated by HTTP POST, PUT and DELETE methods.
    The 4150 website mapper compiles 4100 website link map, 4140 access level data, 4120 privilege level data, and 4080 security level data into a single graphic map directed to the 3110 integrated website for use by the session builder 3030 and session modeler 3120 (See Fig. 3) to determine whether an observed transition coincides with an intrinsic website link; by the 3070 session comparator (Fig. 3) to weight session threat scores according to the intrinsic threat values of the services and transitions involved, and by website threat processors 1080 and others or personal websites to view and explore the terrain of threat to your website, and website developers to improve the intrinsic security of your website.
    The website map includes a service index and a link index for quick random access by the service and link.
    Site map 3110 is also intended to be used by other operations personnel, for example, to determine whether all current regions on the website are properly connected and whether abandoned or experimental regions are properly disconnected, for development research, for example, to determine whether certain common routes should be replaced with the most efficient one, and whether certain unusual routes should be removed, and for marketing research, for example, to explore how various services can be accessed or promoted.
    4160 Conflict Analyzer uses 3110 website map to analyze the structural integrity of the website, and issues 4170 conflict warnings for all structural security breaches on the website, classified by priority, to prevent certain types of threats from which website security is presumably not yet aware and that fraudsters may already be exploiting. In particular, private information should never be sent in the clear, and risky actions should never be accessible to customers without the necessary authorization, so services that contain windows and especially doors must be especially privileged and secure. The conflict analyzer can also issue 4170 notices for broken links, as well as for orphaned regions of the website, whose unmaintained status may pose security risks.
    As described in the information flow diagram in Fig. 5, the 3030 session reconstructor, for use in the 1060 network service threat detector (See Fig. 3), compiles the increased 3020 transaction records from the data center of the website (s) in 3040 synchronized individual customer sessions by synchronizing and classifying records and segregating them into sessions.
    The transaction synchronization phases, comprising service timing and 5010 server timing modeling, 5040 server synchronization, 5110 agent timing modeling, 5130 client timing modeling, and 5150 client synchronization, serve to connect so as accurate as possible the customer's response delay: the interval between the moment the customer received and was able to respond to the 1040 website action (See Fig. 1.), until the instant the customer responded by issuing the customer's action customer 1020. Only by knowing the precise customer response delay can anomalous customer response delays be accurately detected.
    Transaction logs typically provide two sets of timestamps: server timestamps and client timestamps, which for HTTP services are, respectively, provided in the HTTP response data headers of website actions 1040 and in the headers of HTTP Request data from 1020 client actions. These timestamps by themselves, even if both the request timestamps and the response timestamps were reliably present and accurate, are fundamentally unsuitable for fixing the response interval of the customer, because neither the response nor the request is instantaneous in its production, transmission, reception and interpretation. Although security-conscious websites may assume that they provide some kind of response time marks, the date and time of the customer's request are only optionally present. In addition, many websites do not correctly synchronize clocks between their servers, the response phase marked by the server's response time stamp is undefined, and some offer a time stamp indicating when the transaction was logged in place of the server's response time. server.
    Customer watches are also often inaccurate, and are in fact intentionally maladjusted by users to help disguise their locations, including by some benign users for privacy, and request time marks, when present, can be deliberately forged by MiB malware and other attackers to help prevent detection. Thus, it is useful to have an accurate estimate of the customer's response time from statistical information and models on the timing characteristics of servers, services, clients and agents.
    In a cutting edge deployment, the service traffic processor 2010 (see Fig. 2.) records the times when it starts and ends by relaying each service request from and each client to the website servers and the times when it starts and ends it ends by retransmitting each corresponding response from the server back to the client, and can thus accurately estimate the client's response interval for each transaction from operation-specific timing information. In a rear deployment, however, the session reconstructor estimates the client's response interval from more general statistics.
    For website operators willing to modify their websites or have their websites modified, a client-side timing mechanism can be incorporated into website services, which explicitly measure the time interval between receiving the service and the user's response and reporting that time interval back directly to the website. For HTML pages, for example, the timer can be implemented as a Javascript Data () object created on load and set the load date, and then, when a hyperlink on the page is clicked, either the load time or the elapsed time since the load is appended to the destination URL or to the HTTP request payload.
    In a vanguard deployment, with permission, the service traffic processor incorporates this mechanism into the website's services in real time. Otherwise, having website developers add this engine to a normal development cycle can take many months. In any case, since client-side timing information can be falsified by a MiB attacker and other attackers, the session reconstructor must still confirm it with information independently derived from the server side.
    In the first stage of session reconstruction, the 5040 color-rig server synchronizer differing clock settings between active servers on the website during the data collection period and compensates for the indeterminacy of the service phase represented by date time stamps of the servers recorded in the incoming transaction records 3020, in order to accurately estimate the server receipt dates, send date, and send date for each incoming transaction record, increasing the transaction record with those dates to issue transaction record from corresponding 5050 server synchronized output. The server synchronizer bases the server clock correction and phase compensation on 5020 service-specific timing models and 5030 service-specific timing models generated and maintained by the service timing modeler and server timer 5010 for each service and each server, respectively, appearing in the logs inbound transaction. The server modeler is described in more detail under Fig. 6, and the server synchronizer in figure 8.
    Then, the 5060 transaction picker chooses all 5050 synchronized transaction records from the data collection period in chronological order, either by synchronized receipt date, send date, or send date, issuing classified 5070 transaction records. In the preferred mode, transaction records are classified by the synchronized receipt date, which tends to have the minimum variation in these three date estimates.
    5080 session separator tilts out chosen 5070 transaction records for records belonging to individual customers, based on such identification features, such as account number, cookie, authentication, URL session identification, email address, and IP address, issuing from each individual customer's set of transaction records classified as an individual 5100 customer session. The Session Separator is discussed in depth under figure 9.
    Finally, the 5150 client synchronizer corrects errant clock settings among all active customers who use the website during the data collection period, compensates for the indeterminacy of the request phase represented by time stamps of the user agents registered in the transaction logs input time, adjusts transmission time between each client and server in each direction, and adjusts user agents' service load time in order to accurately estimate the client's load date and click date, increasing records transactions in 5100 client sessions with these dates to issue corresponding synchronized client outbound transaction records in 3040 synchronized client sessions. The client synchronizer bases client clock correction, phase compensation, transmission delays, and time load on 5140 customer-specific customer timing models generated and maintained by the timing modeler the 5130 client model, by agent agent specific timing models and maintained by the 5110 agent timing modeler, as well as in 5030 server models and 5020 service models. The agent modeler is further described in Figure 10. The modeler of customer is detailed in fig. 11.
    On many websites, the accuracy of time stamps is not reliable, because each transaction can be received and transmitted by a different server, and the servers cannot be properly synchronized, so that their clocks and, consequently, their time stamps disagree significantly and progressively move away. This problem can be particularly pronounced when different transactions within the same customer session can even be served by data centers that are geographically distant from each other.
    An additional error, usually constant on all specific servers for a website, is due to the indeterminacy of the server phase indicated by a server time stamp: many web services have a considerable time interval to assemble and transmit, and the brand of time could refer to any time during that interval. In fact, the precise meaning of the Data header in the server's response is still officially undefined - although the HTTP specification recommends that the data represent the moment just before the entity is generated, it allows the date to be generated at any time during the source of the message.
    Therefore, depending on the website, the timestamp can denote when the server received and queued the HTTP request, when it unfolded the request and started serving the service, when it finished serving the service, when it registered the received or fulfilled request at a bank data, or any of those.
    As described in the information flow diagram in Fig. 6, the 5010 service timing and server timing modeler, for use in the 3030 session reconstructor (See Fig. 5), estimates and monitors the 5020 service timing characteristics for each 6020 service provided by the website during the data collection period, and the 5030 server timing characteristics for each 6140 client-side server in use on the website during the data collection period, using the service delay modeler and 6030 server to measure and model server 6040 server delay statistics and 6050 server delay statistics for each service provided by the server during the data collection period, using 6060 echo modeler to measure and model static echo delay 6070 server; using the 6080 service delay comparator to compare the delayed and service delay echo models, and use the 6090 server delay comparator to compare the server delay and delay echo models.
    The 5010 service and server modeler inserts 3020 transaction log during the data collection period and extracts the 6010 server identifier to obtain a list of all active servers exposed during the data collection period, which it provides to the modeler server and service 6030 and eco modeler 6060, and extracts the service identifier 6020 to obtain a list of all services provided by each server, during the data collection period, which it provides the service modeler and server. For current Internet addressing systems, the server identifier consists of the server's IPv6 or IPv4 addresses and port number in the header per TCP or UDP packet, the port number being required for website servers on a private network behind of a proxy, and the service identifier consists of the service URL.
    During the data collection period, the 6030 service and server timing modeler uses the 6120 service and server timer to measure the timing characteristics of each active server 6140 identified by the server identifier 6010 for each of the active services of that server 6020, and uses the 6200 service and server date comparator to model the statistical distribution of server and service timing characteristics.
    Specifically, in a rear deployment, for each active server and each of the server's active services, the server and service timer sends a statistically significant number of 6130 requests for that service to the server, and issues the time stamp. date 6160 specified by the server in the service response 6150 - Server Response Date header for HTTP operations. The moment the service timer sends a service request, it issues the time stamp sent by the 6170 service request, the moment it starts receiving response from the corresponding 6150 service, it issues the date time stamp received by the service response 6180, and the moment it just receives the service response, it issues the service response date time stamp 6190; each of these times being given by the 6100 master clock as the respective current time 6110. In a cutting edge deployment, instead of issuing a statistically significant number of instances of each service request, the server timer can simply pass the filtered client actions for servers, and receive the corresponding 2030 normal service actions, thereby providing an exact correction for each actual customer transaction without the need for additional samples.
    The 6200 service date and server comparator models the distribution of the difference between the 6190 service receipt date and the 6170 service delivery date for each 6020 service, issuing the models as 6040 service delay models. The comparator service date also models the distribution of the difference between the nominal response date 6160 and each of the service submission date 6170, and the service receipt date 6180, and the service receipt date 6190 for each 6010 server as a 6020 service function, issuing the models as 6050 server delay models. The service date comparator is detailed in figure 7.
    Also during the data collection period, echo timing model 6060 uses echo timer 6210 to measure the zero service timing characteristics of each active server 6140, and uses echo date comparator 6260 to model the statistical distribution of characteristics service time delay. Specifically, the 6210 echo timer issues a statistically significant number of 6220 echo requests, also known as ping requests, to each active 6140 website server, emitting the 6240 echo send date time stamp at the time it sends the request. echo, and issues the 6250 echo receipt date time stamp the moment it received the 6230 echo response back from the server, each time stamp being given the respective current time 6110, as specified by the 6100 master clock.
    For each timed echo, the 6260 echo date comparator calculates the difference between the 6250 echo receiving time and the corresponding 6240 echo sending time, and remits a model of the result distribution as the 6070 echo delay model. simplest modality, the server-specific echo delay model for each direction comprises half the average round-trip echo time. The preferred mode also takes into account any known asymmetries in speed and bandwidth in the transmission rate of the Internet connection at each end, dividing the round-trip echo time into two portions inversely proportional to the transmission capacity in that direction.
    Finally, for each active service 6020, the delay comparator 6080 compares the service return delay 6040 with the return delay echo 6070, emitting the difference between the models as the duration of the intrinsic service in the service model. 5020 service.
    In an alternative embodiment, server timing is modeled in terms of service fulfillment in bytes, rather than in terms of intrinsic service duration.
    For each 6140 active exposed website server, the 6080 server delay comparator also compares the 6050 server service delay distribution with the 6070 server echo delay distribution, emitting the difference between models as a server timing model 5030. In the simplest modality, the server timing model comprises three functions related to the intrinsic service duration, each with an additive bias parameter and a multiplicative rate parameter. Specifically, the receive server function, used by the 5040 server synchronizer to estimate when the server received a service request, is calculated as the difference between the service request delay function and the echo request delay function, the server send function, used to estimate when the server started sending a response, is calculated as the difference between the service send function and the echo send function, and the server send function, used to estimate when the server has finished sending a response, it is calculated as the difference between the service sending function and the echo sending function.
    In an alternative embodiment, instead of creating the 6040 server independent service delay models separate from the 6050 server delay models, the 6200 server service date comparator generates a server delay model for each active service for each active server, providing that service. The simpler combined service delay and server model then gives service request, service response, and service response delays as constant functions specific to both service and server, calculated as the average observed in each respective difference. In this case, the 6080 service delay comparator and the 6090 server delay comparator are also similarly combined in a single server and service delay comparator that correspondingly issues a separate timing model for each active service for each active server , providing that service.
    If either the 6120 service timer or the 6210 echo timer finds that a server does not respond or finishes responding to a request within a reasonable period of time, usually within a few seconds or a small multiple of the average response time for that one server or that service request which it then excludes from measuring the statistics and issues a 6310 warning to website administrators that the server is not responding as quickly as expected.
    5020 service timing models and 5030 server timing models are updated by the 6080 service delay comparator and 6090 server delay comparator periodically, with sufficient frequency to control the deviation between the server clocks, as well as after the lack of power, light-saving time clock offsets, and other exceptional events that can affect server clock settings or change proxy port numbers for individual servers. In the preferred mode, the server timer updates the server timing models frequently enough to accurately control server congestion. In an alternative modality, the 6050 service delay models and the 6070 echo delay models, and thus the 5030 server models, explicitly take website congestion into account, as related functions limited to the server load.
    In one embodiment, service models 5020 and server models 5030 and underlying service delay models 6040, server delay models 6050, and echo delay models 6070 are computed in independent batches, for example, for successive intervals data collection, such as once an hour for the previous hour. In the preferred mode, these models are continuously updated with a sliding window of shorter overlapping increments, even at the limit, as each new transaction record is collected and according to each of the old transaction periods beyond the time window.
    In addition to their use for website threat detection, the 5020 service timing models can be analyzed by the 6270 service analyzer and presented as 6280 service summaries for operations research, for example, to determine if the resources intended to specific services or types of services should be tailored, for development research, for example, to determine whether certain services should be replaced by more efficient ones, and for marketing research, for example, to determine how various services are being used.
    Likewise, in addition to their use for website threat detection, 5030 server timing models are analyzed by the 6290 server analyzer and presented as 6300 server syntheses for operations research, for example, for load balancing , or to determine whether certain servers or types of servers are meeting expectations.
    As described in the information flow diagram of Fig. 7, the server service date comparator 6200, used by the service modeler and server 5010 (See Fig. 6) models service delay 6040 using the service delay modeler 7010, and models the server delay 6050 using the server delay modeler 7020.
    For each scheduled service transaction, the server service delay modeler calculates the 7030 difference between the service receipt Dara 6010 and the corresponding service delivery date 6170, issuing the result as a 7040 service return delay. The 7050 roundtrip delay model calculates a server model independent of the distribution of this difference for each 6020 service, issuing the result as a 6040 service delay model. In the simplest modality, the service delay model comprises a specific constant function of service, calculated as the average round trip time on all active servers, which is the best fit least square. In the preferred modality, the model for each service is cached in consideration for the decomposition of round-trip data for cached versus non-cached distributions, where the cache is determined by requesting the same service from the same server, in quick succession.
    Likewise, for each timed service transaction, the server delay modeler 7020 uses differentiator 7060 to calculate the service request delay 7070 as the difference between the nominal response date 6160 and the corresponding service request submission date 6170; uses differentiator 7080 to calculate the 7090 service response delay as the difference between each 6190 service receipt date and the corresponding nominal response date, and uses the 7100 differentiator to calculate the 7110 service response delay as the difference between each service receipt date 6190 and the corresponding nominal response date. Service model finder 7120, then, fetches the 7130 service duration parameters for the service identified by a 6020 service identifier from 5020 service models.
    In the simplest modality, the service duration parameters used by the server delay modeler comprise the average service time. Finally, request delay model 7140 models the request delay for each 6010 server as a function of service duration, which it issues as the 7150 request delay and model; the 7160 response delay modeler similarly models the response delay for each server as a function of service duration, which it issues as the 7170 response delay model, and the 7180 response delay modeler similarly models the response delay for each server as a function of service duration, which it issues as a 7190 response delay model; these three models comprising the server delay model 6050. In the simplest modality, the server delay modeler models the service request, service response, and service response delays as related server-specific functions for the duration of the intrinsic service, calculated by the best fit of least squares, each function specified by an additive bias parameter and a multiplicative rate parameter. In the preferred mode, the model for each of the three service delay components also takes into account the cache, by decomposing the data observed for each of the two separate related functions, one for when the service is in cache, the other for when no cache is stored.
    In the preferred modality, the server delay modeler and service delay modeler considers for the purpose of encryption - such as TLS or SSL - in service delay implicitly, considering the encrypted versions against encrypted as separate services, separately. This usually happens automatically as a result of the convention of providing encrypted security services from different URLs, such as "https: ..." versus "http: ...".
    Note that since the bandwidth of the connection between the server timing modeler and the servers for a website is typically at least as large as that of any customer, its effect on serving time is relatively insignificant.
    As illustrated in fig. 8, the 5040 server synchronizer, for use on the 3030 session builder (See Fig. 5), sets the 6160 response date time stamp on each 3020 inbound website transaction record for inaccuracies in the clock settings of the 6010 server and for the indetermination of the service phase, using 8050 receipt date estimator, 8080 shipping date estimator, and the 8110 shipping date estimator to accurately estimate the 8060 server receipt date, shipping date 8090, and shipping date 8120, respectively, for that transaction, and issuing these estimates in outgoing transaction record synchronized by the corresponding augmented server 5050. The server synchronizer bases these adjustments on the 5020 timing model for the server timing model and 5030 service for the server.
    To detect man-in-the-browser attacks, man-in-the-middle attacks, repetitive robotic attacks and similar types of website attacks, which are characterized by abnormally ordered transactions and abnormally fast transactions, server time stamps accurate are critical. By giving the transaction the 5050 classifier (See Fig. 5) for precise and exact dates by which it chooses the transaction records, it can determine whether the order of transactions in a session appears anomalous. By giving 18020 event comparator (See fig. 18) accurate and precise event duration estimates, you can determine whether an event is abnormally fast.
    Although for non-streaming data, websites usually communicate with clients via TCP / IP, which guarantees the order of the packet, however, a separate TCP making session is created for each page, so if a client opens a plurality of pages at the same time, these requests can travel along different routes and be received by the website out of order, and they can be processed by servers of different speeds and answered out of order, and responses can also travel through different routes and reach the customer out of order. Note, however, that within a single processing sequence, for example, within a single browser window or tab, the customer's actions and website actions are necessary and strictly ordered, in the direction that the customer has to receive each website action before being able to respond, while the website must also receive every action from the customer before being able to respond.
    For each 3020 inbound transaction record, the 5010 service and server modeler extracts the 6020 service identifier and passes it to the 8030 service model finder, extracts the 6010 server identifier and passes it to the 8030 server model search engine , and extracts the server response date time stamp 6160, which passes directly to each of the server date estimators: receipt date estimator 8050, send date estimator 8080, and send date estimator 8110.
    The 8010 service model finder uses the 6020 service identifier to search for the appropriate 5020 service timing model, which it issues to the 8050 receiving date estimator, 8080 sending date estimator, and shipping 8110. In the simplest mode, shown here, the service timing model comprises an average service duration 8020.
    The server model finder 8030 uses server identifier 6010 to search for the appropriate server timing model 5030, which also issues to the server date estimators. In the simplest form, shown here, for each of the three server date estimators, 8050 receiving date estimator, 8080 sending date estimator, and 8110 sending date estimator, the server timing model comprises a function related to the duration of service, each function related to it being specified by a multiplicative rate parameter (receiving rate 8040, sending rate 8070, and sending rate 8100) and an additive polarization parameter (receiving polarization 8160, polarization of sending 8220, and sending polarization 8280), respectively.
    8050 Receipt Date Estimator estimates the 8060 server's receipt date - the instant the server received the service request, adjusting the 6160 server's response date time stamp by the 8160 server's receiving bias and the product from receiving rate from the 8040 server and the duration of the 8020 service.
    In detail, the 8140 multiplier multiplies the service duration estimate by the server receipt rate estimate, issues the result as the estimated receiving duration 8150. Adder 8170 then adds the estimated receiving duration when receiving the bias estimate, issuing the sum as a total receipt delay estimate 8180. Finally, subtractor 8190 subtracts the receipt delay estimate from the recorded response date, issuing the difference as an adjusted 8060 receipt date estimate.
    Likewise, the sending date estimator 8080 estimates the sending date of the 8090 server - the instant the server started sending the service response by adjusting the time stamp of the 6160 server response date by the sending polarization of the server. server 8190 and the product of the server shipping rate 8070 and the service duration 8020. In detail, the multiplier 8200 multiplies the service duration estimate by the server's shipping rate estimate, outputting the result as the estimated shipping duration 8210. The 8230 adder then adds the shipping loss estimate to the shipping bias estimate, issuing the sum as the total shipping delay estimate 8240. Finally, subtractor 8250 subtracts the recorded response date from the shipping delay estimate. receipt, issuing the difference as estimated 8090 adjusted shipping date.
    Likewise, send date estimator 8110 estimates the send date of the 8120 server - the instant the server finishes sending the service response - by adjusting the time stamp of the 6160 server response date by the bias sent from the server 8280 and the 8100 server send rate product and the 8020 service duration. In detail, the 8260 multiplier multiplies the service duration estimate by the server send rate estimate, outputting the result as an 8270 send duration estimate. The 8290 adder then adds the estimated duration sent to the bias estimate sent, issuing the sum as the total sent delay estimate 8300. Finally, subtractor 8310 subtracts the recorded response date from the receiving delay estimate, emitting the difference as adjusted date sent estimate 8120.
    Finally, transaction record editor 8130 augments incoming transaction record 3020 to include server estimate of 8060 server receive date, estimate of 8090 server send date, and estimate of date sent from 8130 server by issuing the record of transaction increased as 5050 synchronized transaction record.
    Often, the response to a service request is assembled from a number of service components that may differ in their service timing characteristics, as long as a number of servers may differ in their server timing characteristics. For example, a web page can include static text, dynamic client-specific text, images and other materials, and can even include other web services, for example, in separate HTML frames. In these cases, in the preferred mode, the receiving date estimator 8050, sending date estimator 8080, and sending date estimator 8110 accumulate the receiving delays 8180, sending delays 8240, and sending delay 8300, respectively, before to subtract the reply date by issuing a single 8060 receipt date estimate, a single 8090 sending date estimate, and a single 8120 single send date estimate, respectively, for the entire transaction.
    It should be noted that the relative (and possibly absolute) timing of events can be done as described here or by conventional methods, if available.
    Fig. 9 describes 5080 session separator, for use in 3030 session reconstructor (See Fig. 5). To aggregate individual transactions into individual customer sessions and segregate them from other customer sessions, the 5080 session separator identifies customers, primarily based on five specific types of information provided in 5070 classified transaction records from the HTTP header and information IP header: client and proxy IP addresses, the authorization login ID; customer's email address, session cookie, session query ID, and current and referral URLs. Unfortunately, all five of these sources of information are unreliable, ambiguous, degenerate, or unreliable. In fact, except for IP addresses, which are trusted, and cookies, which are unambiguous in legitimate sessions, all of these sources of identifying information suffer from all four of these deficiencies. On some websites, particularly for rear deployments, an internal account ID may also be available, which, while related to these other types of information, may be distinct from theirs.
    The source IP address and the destination IP address are required in all HTTP requests and responses, as part of the IP packet header, making the IP address, the only one among the five specific types of identifying information, so present in all transaction records. However, the value of the IP address is an inadequate discriminant of client sessions, because in the legitimate use of the relationship between IP addresses and clients it is ambiguous (one-to-many) and degenerate (many-to-one). On the one hand, a single IP address is shared by multiple clients, for example, when clients share a router on a local area network, or when they share a proxy or a firewall. Although in such cases the clients are differentiated by the port number in the extended IP address, the mapping between the client and the port is ephemeral. In such cases, clients can also be distinguished by HTTP transmitted to the field in the request header, but that field is optional. On the other hand, a single client can use multiple IP addresses in a single session, for example, when a mobile client is automatically switched between cell towers during the trip, when a client automatically connects or intentionally switched between wireless routers due interference in a congested wireless environment, or when using a multihoming system with multiple public IP addresses. In addition, the IP address and the Forwarded to field in a client request header are unreliable in that they can be spoofed by an attacker, for example, in order to disguise customer response times and the order of transactions .
    In order to receive responses from the website, an attacker must, of course, have control over fake IP addresses, for example through legitimate possession, hijacking the IP address through malware installed on the client's system at that IP address, or stealing the IP address by poisoning the network address translator on any router along the route to redirect traffic to the attacker's system, or poisoning address resolution caches within a local area network to direct traffic to the system from the attacker invader. For certain types of attacks, however, such as denial of service attacks on websites flooding websites with requests, denial of service attacks on customers inundating customers with responses, or attacks defaming or blacklisting customers, by assigning or offensive or hostile actions to them, attackers have no need to receive responses from the website. In man-in-the-browser attacks, the attacker automatically shares the client's IP address.
    The login ID specified in the HTTP Authorization request header field, unlike the IP address, is unreliably present, because many websites do not use it, instead of communicating authorization information in the cookie field or in a query string in the URL and because most websites allow customers to visit certain areas and perform certain types of actions without logging in. Many visitors to a website that do not have an account on the website to sign up for, and those customers with valid accounts on a website, often avoid signing in due to laziness or privacy concerns. However, for websites that use HTTP authorization to restrict access to privileged regions, the login ID is, when properly implemented by the website, reliably present in HTTP requests for services within those regions. Like IP addresses, login IDs are legitimately ambiguous and degenerate customer identifiers. On the one hand, several customers generally share the same login ID, for example, in situations where one or more users are helping others with their accounts, one or more users are supervising the others, or when several people in a company or a family use the same login ID. On the other hand, a single customer can use multiple login IDs, for example, when a customer has multiple independent accounts, or is serving a number of customers with independent accounts on the website. Login IDs are also unreliable, as they are often spoofed by attackers, for example, attacks by guessing passwords in brute force, in man-in-the-middle attacks, and for stolen accounts. In man-in-the-browser attacks, the attacker automatically shares the login ID.
    The email address specified in HTTP from the bidding header field is very unreliable, because, to protect users' privacy and to prevent spam, it is not implemented by most modern browsers, and is usually provided only by scrupulous webs and robots. From the e-mail address it is also legitimately ambiguous and degenerate, as on the one hand, several users often share an e-mail account, for example, in a family or small business, where a person is Internet- savvy or imperious, while, on the other hand, a single user can often have multiple e-mail accounts, for example, for home and office. If the available email address is more or less as untrustworthy as the IP address, where it is easily spoofed, but in order to receive any responses sent to that email address, the attacker must have access to the email account.
    The cookie specified in the HTTP cookie request header field is uncertainly present, because customers can refuse to accept cookies from the website and therefore do not return cookies to the website, and modern browsers make it easier for users in refusing cookies. On the other hand, websites may refuse to serve users who refuse cookies, and many security conscious websites do so. In addition, when present and properly implemented by the website to include a unique identification session, a cookie is the most specific client identifier that HTTP provides, because the relationship between clients and session cookies may be one to many, but not legitimately , many to one: A single customer can have multiple cookiessimultaneous sessions with a website using multiple applications to access the website, for example, when using more than one browser to connect to the website because of website-browser incompatibilities, or when using automation applications to perform routine functions on the website. In contrast, a cookie can only be shared if it is deliberately stolen, for example, by copying the cookie using malware installed on the intended recipient's system, intercepting it through a counterfeit website, taking the cookie with a packet sniffer, or forwarding the cookie via the cross-site script, or if the cookie is deliberately planted or "fixed", for example, by obtaining the victim's browser to store the cookie via cross-site cookie or cross-sub scripting.
    On some websites, a query string specifying the session ID is appended to the current URL.
    The query string session IDs are susceptible to harvesting on a website referenced from the URL query string in the HTTP Referrer field, and for session fixing by emailing the victim a hyperlink specifying a session ID in a URL query string, where the Session ID can be generated by the attacker or the target website.
    Referral URLs, specified in the HTTP Referrer field, are unreliably present, because, to help protect users' privacy, some services, browsers and browser extensions allow referrals to be disabled.
    Timestamps, in addition to being used to sort transactions in chronological order, are also used to help separate sessions based on overlapping transactions. Note, however, that a single customer may legitimately have overlap transactions, for example, by opening or operating several browser windows open simultaneously for the same website.
    In addition to timestamps and these five specific types of information, the session separator can also use generic types of information specified in HTTP Request headers, including Accept (acceptable content types), Accept-Charset (acceptable character sets), Accept-Encoding (acceptable encodings), Accept-Language (acceptable languages), Accept-Ranges (acceptable size ranges), UserAgent (name and details of web application), and Via (proxies through which the request was sent). All of these HTTP request headers are optional and therefore unreliable. In addition, they are all unreliable and are easily falsified. Some browsers and freeware plug-in browsers still exist to allow ordinary users to conveniently change some of these headers during a session. However, falsifying non-specific information during a session does not affect any of the specific session identifiers. Changes to any of these types of generic information during a session can be marked as potentially indicating that the session has been hijacked.
    The Session Separator thus separates 9010 transaction records classified 5070 according to the cookie ID, if available, as primary key, into 9020 primary strings and segregates 9030 primary strings according to account ID, login ID , Consultation session ID, or email address, as available, keys as children, in 9040 children strings; and segregates secondary strings by IP address 9050 as the tertiary key in 5100 client sessions.
    As described in the information flow diagram of Fig. 10, agent modeler 5110, for use in the 3030 session reconstructor (See Fig. 5), analyzes the timing characteristics of individual agents using agent request timing modeler 10020 and load modeler 10030 and issues 5120 agent timing models. Agent modeling is done offline in a lab testing environment, running precisely timed scripts over the hardware, operating system and application combinations used by customers to use the website services, as recorded, in the case of HTML web pages, by the user agent field 10010 in the HTTP request headers of the 3020 transaction logs received by the website. Assuming the bandwidth from the 1030 website data center to the 10060 agent test systems is willing to be at least as large as the website data center for any real customer.
    The 5110 agent modeler inserts transaction records 3020 and extracts agent identifier 10010 to obtain a list of user agents used to visit the website, and extracts service identifier 6020 to obtain a list of services provided by the website, and provides both these identifiers for the 10020 agent request timing modeler.
    For each available active user agent 10010, the agent modeler uses 10020 agent request time modeler to model agent request delay 10130, and uses agent load modeler 10030 to model agent load delay 10190 .
    The request timer modeler 10020 uses request timer 10040 to measure the timing characteristics of each available agent 10060 identified by agent identifier 10010, for each service used by the agent, identified by service identifier 6020, or to a number statistically significant and the variety of such services, and uses 10110 agent request date comparator to model the statistical distribution of the timing request agent characteristics.
    Specifically, for each available active user agent and each service requested by the agent to be tested and with that agent, the agent request timer runs a 10050 script in which agent 10060 to issue a statistically significant number of requests 6130 for that service from the 1030 website. The script reports back to the request timer the time the moment a simulated click on a hyperlink requesting the service through the agent or otherwise naturally caused the agent to issue a request to the service, which dates the request timer records as click date 10070. The script then monitors the agent system and reports back to the request timer the time the agent started transmitting the request, that the request timer records such as the date of sending request 10080, and the time at the time the agent finished working Allow the request, that the timer records as the sent request date 10090. The request timer also records the request size 10120. The click date, send request date and send request date will each be given by the current time 6110 according to master clock 6100, for which all agents to be timed are synchronized. The script also reports back the nominal request date recorded in the service request by the agent - in the Date field of the HTTP request header, in the case of HTML pages - than the request timer as the service request date 10100.
    The service request date is not always available for service requests, for HTTP requests, for example, the Date field in the HTTP Request header is optional, and some browsers and other web applications provide user interface control for block the request date from leaving.
    For customers providing a service request date 10100 through their agent, agent request date comparator 10110 models the distribution of the difference between the 10070 click date and the nominal request date, between the 10080 request submission date and the nominal request date, and between the sent request date 10090 and the nominal request date. For customers who block the service request date, the request date comparator also models the distribution of the difference between the request submission date and the click date, and between the submission request date and the click date. The agent request date comparator models each of these five models as a function of the request, and issues the functions such as request delay model 10130, as part of agent timing agent 5120 to the agent identified by the agent identifier 10010. In the simplest modality, the comparator and agent request date models each of these delays as a specific agent-related function of the 10120 request size, calculated by the best fit of least squares, each function specified by an additive bias parameter and a multiplicative rate parameter.
    Agent Request Timing Modeler 0030 uses agent load timer 10140 to measure the timing characteristics of each available agent 10060 identified by agent identifier 10010, for each service tested by Agent Request Timing Modeler 10020, and uses load date comparator 10180 to model the statistical distribution of agent load timing characteristics.
    Specifically, for each service request issued by the 10020 agent request timing modeler, 10050 agent timing script monitors the agent system and reports back to the agent load timer 10140 the time at the time the system agent starts receiving the service, which the charge timer records as the 10150 response receipt date, and reports back to the charge timer the instant the agent finishes loading the service, or, more accurately , the instant the customer can respond to the service, for example, by clicking on hyperlinks, in the case of an HTML web page, that the charge timer records as the loaded service date 10160. The charge timer also records the size of the 10170 service. .
    In the preferred mode, if a single 6130 service request receives multiple responses from 6150 services, the load script and load timer track each of these services separately for greater accuracy. Response receipt dates and loaded service dates are given by the respective current 6110 times specified by the 6100 master clock.
    The load date comparator 10180 models the difference distribution between the loaded service date 10160 and the response receipt date 10150 as a function of the service, and issues the function as a load delay model 10190, as part of the agent 5120.
    In the simplest modality, the load date comparator models the distribution as a specific affine function of the 10170 service size agent, calculated by the best fit of least squares, specified by an additive polarization parameter and a multiplicative rate parameter. In the preferred embodiment, the load reload model specifies separate related parameters for plain text against unencrypted services, and for service elements of diverging load speeds, such as HTML, images that use different compression formats, and timed messages that the customer must answer before proceeding. In the preferred embodiment, the load delay model also involves separating the load delay models for the cache vs. non-cache services.
    If the request timer or load timer does not receive a response from the script within a reasonable period of time, typically a few seconds - then it issues a 10220 notification to test administrators alerting that the agent is taking longer than the and specifying the agent and service that caused the problem.
    In addition to issuing 5120 agent timing models for use by the 5130 client modeler and 5150 client synchronizer (See Fig. 5), the agent model 5110 also uses agent analyzer 10200 to issue agent summary 10210 summarizing the 10010 agents used to visit the website, along with their frequency of use. For those agents available for testing, the agent summary also summarizes their load times for different types of services, while those available are marked for possible requests for future testing. The agent summary is also useful for website development research, for example, to determine which website agents should optimize because of their popularity, or to determine whether alternative forms of certain services should be provided for agents who take a long time , and for marketing research, for example, to determine customer preferences.
    For greater efficiency, agent timing modeling can be integrated with the website's standard quality control tests.
    As described in the information flow diagram of Fig. 11, 5130 client timing modeler, for use in the 3030 session reconstructor (See Fig. 5), estimates and tracks the 5140 timing characteristics (See fig. 5) to each website customer accessing the website during the data collection period, using customer service delay modeler 11030 to measure and model customer service delay statistics 11090, using echo timing modeler 11040 to measure and model the client echo delay statistics 11180, or, if the echo fails, use trace timer modeler 11050 to measure and model client trace delay statistics 11260, or, if the trace also fails, apply the delay modeler echo or echo delay modeler to the nearest response proxy to the customer located by Proxy Finder Near 11020, and compare the service delay estimate with the null service echo delay or trace.
    Many Internet service providers block ping requests and routes to prevent their network from being mapped by malicious customers, and some individual customers also block ping requests to reduce the visibility of their systems and thereby reduce the number of network attacks on your systems.
    The 5130 client timing modeler inserts 5090 client transaction records and extracts the client identifier 11010 to obtain a list of all active clients during the data collection period, which it provides the 11030 client service timing modeler, client echo timing modeler 11040, client trace timing modeler 11060, and proxy proxy finder 11020. For each customer transaction, the client timing modeler uses the service timing modeler to estimate service delay with based on service request date 10100 (if available), user agent identifier 10010, request size 10120, and service identifier 6020, which are obtained from the transaction record. The client identifier consists of the IPv6 or IPv4 address and port number in the TCP or UDP packet header, the port number being required for clients on a private network behind a router, firewall, proxy or other. In the case of HTML web pages, the service request date is originally from the Date field in the HTTP request header, and the user agent is from the User-Agent field. The request size is obtained from the sum of the HTTP header lengths and the value of the Content-Length field, or from the TCP or UDP length fields.
    During the data collection period, customer service timing model 11030 uses customer service timer 11060 to measure the timing characteristics of each active customer identified by customer identifier 11010, and uses customer service date comparator 11080 to model the statistical distribution of the 11090 customer service delay characteristics. Specifically, at the moment when each 1020 customer action (See Fig. 1.) is received by the website 2010 traffic processor (see Fig. 2.) , customer service timer 11060 issues 11070 service receipt date time stamp from current moment 6110 given by master clock 6100.
    For each service transaction, the customer service date comparator 11080 calculates the customer service request delay, from the service request date time stamp 10100 (if available), the user agent identifier 10010 , the size of request 10120, the service receipt date time stamp of the server traffic processor 11070, and a 5120 user agent model identified by the customer identifier and issues a distribution model as a delay model customer service number 11090. The customer service date comparator is detailed under figure 12.
    During the same measurement period, the client echo timing modeler uses an echo timer 11100 to measure the null agent timing characteristics of each active client 11010, and uses the echo date comparator 11170 to model the statistical distribution of null agent timing features. Specifically, for an active customer, the echo timer issues a statistically significant number of echo requests 11110 of various sizes to the customer or a close substitute 11120, emitting echo date time stamp 11140 the moment it sends the request echo, and emitting the 11150 echo receipt date time stamp when it received the 11130 echo response back from the client, each time stamp given by the respective current time 6110 given by the 6100 master clock. echo also records the size of the 11160 echo request.
    When the 11130 echo response is delayed by more than a reasonable limit - usually no more than a few seconds, depending on the distance to the customer and current network conditions - then 11040 echo timing modeler aborts the ping attempt, under the assumption that the client is blocking ping requests, and the 5130 client timing modeler attempts to trace timing instead.
    For each active customer, the 11170 echo date comparator calculates the difference between each 11150 echo receiving time and corresponding 11140 echo sending time for a statistically significant sample of echo requests of various sizes 11160, and issues a model of the result distribution as echo delay 11180.
    In the simplest modality, the customer-specific echo delay model comprises half the average echo time for each direction and half the variation of the echo time for each direction, each as a function related to the size of the echo request, calculated by the best fit of the least squares, where the function is specified by an additive polarization parameter and a multiplicative rate parameter.
    The preferred mode also takes into account the known asymmetries in speed and bandwidth in the transmission rate of the Internet connection at each end, as determined for some clients from client IP address 11010, dividing the round-trip echo time into two parts inversely proportional to the yield in that direction, and also proportionally dimension the variance for each direction.
    Trace timing modeler 11050 has trace route timer 11190 issues trace route requests 11200 to the same client 11010 or nearby proxy, increasing the lifetime values step by step until the destination node is reached or 11210 trace route response is delayed by more than a reasonable limit - again, typically no more than a few seconds, depending on the distance to the client and the current network conditions. If the last response occurs within a reasonable range, considering the distance and network conditions, then the trace timer emits the 11220 echo send date time stamp corresponding to the time when it sent the last route request. of successful trace, and issues the trace receipt date time stamp 11230 corresponding to the time when it received the last successful trace route response back from the client, each time stamp being given by the respective current time 6110 according to master clock 6100. The trace timer also records the size of the 11240 trace request.
    Analogously to the echo date comparator, the 11250 trace date comparator calculates the difference between each final trace receiving time 11230 and corresponding trace sending time 11220 for a statistically significant sample of trace requests of various sizes 11240, and issues a model of the distribution of the result as trace delay 11260.
    In the simplest modality, the customer-specific trace delay model comprises half the average trace time for each direction and half the variation of the trace time for each direction, each as a function related to the size of the request for dash, calculated by the best fit of the least squares, where the function is specified by an additive bias parameter and a multiplicative rate parameter. Again, the preferred embodiment also takes into account the known asymmetries of speed and bandwidth in the transmission rate of the Internet connection at each end, as determined for some clients from client IP address 11010.
    If neither the 11040 echo timing modeler nor the 11060 dash timing modeler can set the roundtrip delay for the actual client 11010, then the client timing modeler uses nearby proxy finder 11020 to find the IP address 11310 from a nearby ping proxy. The nearby proxy finder first uses the address finder 11280 to search for the location of the actual client's 11290 node from the client's 11010 IP address. Then, the proxy finder 11300 finds the ping proxy closest to the node location, issuing its IP address as destination address 11310. The 5130 client timing modeler then replaces the ping proxy server's IP address for use with the 11040 echo timing modeler and trace timing modeler 11060. In the case of the ping proxy selected also fails, the client timing modeler uses the nearby proxy locator iteratively to find another ping proxy until it succeeds.
    Finally, for each active customer (or at least some customers), the 11270 customer delay comparator compares the distribution of customer service request delay 11090 with the distribution of customer echo delay 11180 or trace route delay 11260 , issuing a model of the distribution of the result as a 5140 client timing model. In the simplest modality, the client timing model comprises echo request delay or trace request delay, as well as a pair of related size functions request 10120, one for the transmission direction and one for the receiving direction, each function specifying the average behavior with an additive bias parameter and a multiplicative rate parameter, as well as the variation in the transmission direction, and, if the request dates are provided by the customer, the difference between the customer service request delay and the echo request delay or request delay trace action, giving the average customer clock polarization and its variance. For websites with more than one data center, the client timer generates a separate model for each geographically separate data center.
    In addition to issuing 5140 client timing templates for use by the 5150 client synchronizer (See Fig. 5), 5130 client timing modeler also uses 11280 client analyzer to issue 11290 client summary summarizing 11010 clients visiting the website, along with its IP addresses, geographic location and timing characteristics, including whether it provides request dates and responds to ping requests. The customer summary is also useful for website development research, for example, to determine whether it provides more luxurious services for customers with large connection bandwidths and short connection delays, or more scarce services for customers with high bandwidths. small connection and long connection delays; and for market research, to determine where customers are located and what kind of connections they have.
    The information flow diagram of Fig. 12 describes the customer service date comparator 11080 (See figure 11), which uses agent delay estimator 12030 to estimate agent delay 12100; differentiator 12010 to measure gross service delay; differentiator 12110 to compare these two estimates, and service delay modeler 12130 to model service delay 11090.
    For each service transaction, the agent delay estimator 12030 uses agent model searcher 12040 to search for the agent model identified by agent identifier 10010 from agent models 5120. If the transaction record does not specify the agent, the agent delay estimator uses the standard agent model, whose parameters are defined for the modal values of known active agents during the data collection period.
    In the simplest modality shown here, the agent request timing model comprises agent specific request bias parameter 12050 and agent specific request rate parameter 12060. Multiplier 12070 then multiplies the agent request rate by request size 10120, issuing the product as agent request interval 12080. Adder 12090 then adds the agent request bias to the agent request interval, issuing the sum as 12100 total agent delay.
    Likewise, for each service transaction, differentiator 12010 calculates the difference between service receipt date time stamp 11070 date time stamp and service request service 10100, issuing the difference as gross service delay 12020. Differentiator 12110 then calculates the difference between gross service delay and agent delay 12100 issued by agent delay estimator 12030 for the same request, issuing the difference as service delay model 12120.
    Finally, for each customer, as identified by customer identifier 11010, service delay modeler 12130 models the service distribution, and issues a model of the distribution of that difference as the service delay model 11090. In the simplest modality, the service model service delay gives the service request delay, as the average service delay for that customer, which is the best fit least squares model.
    As described in the information flow diagram in Fig. 13, the 5090 client synchronizer, for use in the 3030 session reconstructor (See Fig. 5), inserts one 5090 client transaction record at a time, and uses the variance 13080, click date estimator 13010 and load date estimator 13030, and transaction log editor 13050 to synchronize the transaction with the load date and click date estimates by issuing the corresponding synchronized customer transaction record 5160.
    Click Date Estimator 13010, using information from the 5090 incoming customer transaction record, the 5140 customer model identified by the customer identifier in the incoming transaction record, and the 5120 agent model identified by the agent identifier in the incoming transactions, issues an estimated click date, precisely estimating the moment when the customer requested the destination service from the website, such as clicking on a link in the originating service, according to the threat detector master clock network service. The click date estimator is detailed in figure 14.
    Likewise, the load date estimator 13030, using information from the 5140 client model, the 5030 server model, the 5020 service model, and the 5120 agent model, as identified by the client identifier, the server identifier, the service identifier, and the agent identifier, respectively, in the incoming transaction record, in addition to the click date 13020 issued by the click date estimator 13010 for the same transaction record, issues the estimate from the 13040 loading date, precisely estimate the instant when the customer agent finished loading the originating service to the point where the customer was able to act on it, for example, by clicking on a hyperlink, according to the clock network service threat detector master. The load date estimator is detailed in figure 15.
    The click date estimator 13010 can estimate the click date based on either the request date timestamp recorded by the client, when available, or the receipt date of the server request registered by the server synchronizer. The client-based click time estimate is usually more accurate because it depends only on the normally constant client clock bias and short agent click delay, while the server-based estimate depends on the highly variable transmission time from client and server, which cannot be estimated as accurate. Likewise, the 13030 charge date estimator can estimate the charge date based on either the charge date time stamp recorded by the customer using a built-in charge timer, when available, or the shipping date time stamp. service record recorded by the server synchronizer. Again, the client-based load time estimate is usually much more accurate because it depends only on the normally constant client clock and brief agent click delay, while the server-based estimate depends on the highly variable transmission time from server to the client, and at highly variable load times by the client, none of which can be calculated with the greatest precision. On the other hand, the date time stamps issued by the client are both unreliably present, being optional, for example, in the specification of the HTTP Request header, and untrustworthy, in which fraudsters can deal with them directly.
    The variance comparator 13080 first checks whether the customer request date 10100 and the customer load date are available in the 5090 incoming customer transaction log. If either is available, the variance comparator compares the variance in customer 13090 transmission polarization with variance in customer clock polarization 13100, as determined by customer model 5140 identified by the customer identifier in the incoming transaction record. If the difference between the clock polarization variance and the transmission polarization variance is greater than the 13110 variance limit, then the customer's watch is considered unreliable, otherwise it is considered trustworthy, where the limit of variance is typically set to between zero and a few centiseconds.
    If the customer's request date is available and the customer's clock is considered reliable, then the variance comparator sets the 13060 click data estimator switch to use the request based click date estimator; otherwise it defines how to use the receipt-based click date estimator. Likewise, if the customer's load date and the customer's request date are available and the customer's clock is considered reliable, then the variance estimator sets the 13070 charge date estimator switch to use the date estimator. load based on request; otherwise it defines how to use the load date estimator.
    As described in the information flow diagram of Fig. 14, for each incoming customer transaction record, the click date estimator 13010, for use in the 5090 customer synchronizer (See Fig. 13.), or uses receipt-based click date estimator 14010 to issue click-based estimated date 14020, or uses request-based click date estimator 14030 to issue request-based click date estimate 14040, depending on the amount of the switching of click date estimator 13060.
    For receipt based click date estimator 14010, agent model searcher 12040 searches for agent model 5110 identified by agent identifier 10010 in transaction record 5090, issuing agent request rate 12060 and agent request bias 12050 , modeling the delay between the moment the customer requests a service, for example, clicking on a hyperlink in the originating service, and the moment when the customer starts transmitting the request. Likewise, client model finder 14070 looks for client model 5130 identified by client identifier 11010 in the transaction record, issuing client transmission rate 14080 and client transmission polarization 14090, modeling the delay between the instant in the client starts transmitting a request and the instant the server receives it.
    The multiplier 14050 multiplies the agent request rate 12060 by the size of the 10120 request, obtained from transaction record 5090, issuing the product as an estimated 14060 request duration. The multiplier 14100 multiplies the client transmission rate by the size of the request. request 10120, issuing the product as an estimate of transmission duration 14110. Maximum operator 14120, then calculates the maximum of these two values, issuing the result as an estimate of total request duration 14130. Adder 14140 then adds agent request bias 12050 and client transmission bias 14090, issuing the sum as the total request bias estimate 14150. The adder 14160 then adds the request duration to the request bias, issuing the sum as the request delay estimate 14170. Finally, subtractor 14180 subtracts request delay from request receipt date rvidor 8060 obtained from the customer's transaction record, issuing the difference as estimated click date based on receipt 14020.
    For request-based click date estimator 14030, agent model searcher 12040 looks for agent model 5110 identified by agent identifier 10010 in transaction record 5090, issuing agent click rate 14190 and click polarization of agent 14200, modeling the delay between the moment the customer requests a service, for example, by clicking on a hyperlink in the originating service, and the date of request 10100 registered by the agent in the customer transaction record with a synchronized clock. Client model searcher 14070 looks for client model 5130 identified by client identifier 11010 in the transaction record, emitting client watch polarization 14250, modeling the difference between the client watch configuration and the master detector clock. network service threat.
    The 14210 multiplier multiplies the agent click rate 14190 by the size of the 10120 request, issuing the product as an estimated 14220 agent click duration. The 14230 adder then adds the click duration to the agent click bias 14200, emitting the sum as agent click delay estimate 14240. Adder 12460 then adds the agent click delay to client clock bias 14250, issuing the sum as total click delay estimate 14270. Finally, adder 14280 adds click delay the request date 10100, issuing the result as the estimated click date based on request 14040.
    As described in the information flow diagram in Fig. 15, for each customer input transaction record, load date estimator 13030, for use in the 5090 customer synchronizer (See Fig. 13.), or use on load date estimator 15010 and load bias estimator 15020 to issue shipment-based load date estimate 15030, or issue request-based load date estimate 15040, depending on the switching date estimation value charge 13070.
    The service model finder 7020 looks at the service model 5030 identified by the service identifier 6020 in the customer transaction record 5090, issuing the service duration 7030 to the server's outbound duration estimator, the multiplier 15090 and issuing the service size 10170 for customer receipt duration estimator, multiplier 15100 and agent load duration estimator, multiplier 15120.
    The server model finder 7040 searches for the server model 5020 identified by the server identifier 6010 in the client 5090 transaction record, issuing the service sent rate of the 7110 server and service bias sent from the 7290 server, modeling the delay between the instant the server starts sending a service to the instant it finishes sending it. Likewise, customer model finder 14070 looks for customer model 5130 identified by customer identifier 11010 in the transaction record, issuing customer service receipt rate 15050 and customer service receipt polarization 15060, modeling the transmission delay between the server the instant it starts sending a service and the instant the client finishes receiving. Likewise, agent model finder 12040 looks for agent model 5110 identified by agent identifier 10010 in the transaction record, issuing agent service charge rate 15070 and agent service charge bias 15080, modeling the delay between the moment when the agent begins to receive the service and the moment when the agent finishes loading the service, insofar as the customer can act on it.
    The 15010 load duration estimator uses the 15090 multiplier to multiply the 7110 server's send rate by the 7030 service duration, issuing the product as a 7280 send duration estimate; uses the multiplier 15100 to multiply customer receipt rate 15050 by service size 10170, issuing the product as an estimate of receiving duration 15110 and uses multiplier 15120 to multiply charge rate 15070 by service size 10170, issuing the product as load duration 15130. The load duration estimator then uses maximum operator 15140 to calculate the maximum value between shipment duration, receipt duration and load duration, issuing the maximum as estimated load duration 15150.
    The load bias estimator 15020 uses the adder 15160 to add server send bias 7290, client receive bias 15060, and agent load bias 15080, outputting the result as total load bias 15170.
    The load date estimator 13030 then adds load duration 15150 to load bias 15170, issuing the sum as the total load delay estimate 15190. Finally, adder 15200 adds the load delay to the 7100 server shipping date on customer transaction record 5090, issuing the result as estimated shipping date based on shipping 15030.
    Differentiator 15210 subtracts request date 10100 specified in customer transaction record 5090 from click date 13020 issued by request-based click date estimator 14030 (See fig. 14), emitting the difference as click delay 14270. As Alternatively, the click date estimator could pass the click delay directly to the load date estimator. Adder 15230 then adds the click delay to the load date 15220 obtained from the customer transaction record, issuing the sum as the estimated load date based on request 15040.
    The information flow diagram in Fig. 16 depicts 16000 timed transition event analyzer, a particularly simple exemplary type of 3050 session analyzer for use in 1060 network service threat detector (See Fig. 3) that analyzes transaction sessions of 3040 clients in atomic session events or elementary session events, comprising timed transitions, and repackages them as 16240 client event sessions for efficient processing by 3120 session modeler and 3070 session comparator in figure 3. In one embodiment more complex, the session analyzer analyzes client sessions in overlapping trigrams or larger chunks when there are enough statistics, and includes other distinct client information.
    16080 source names and 16030 destination names can be either URLs from HTTP transaction logs, or internal service names provided by the website of a rear deployment. In the modality shown, service names are tokenized for efficiency on the 16000 session analyzer. In an alternative modality, they are tokenized before, on the 3030 session reconstructor or even on both the 3100 website analyzer and the 3010 record auger (see Fig. 3).
    Source encoder 16010 tokenizes source name 16080 to issue source identifier 16020, where the source name is the name of the accumulated 6020 service 16070 from the previous session transaction record. Likewise, destination encoder 16030 tokenizes destination name 6020 to issue destination destination identifier 16040. The source encoder and destination encoder encode a service name, searching for the name in a dictionary and returning the corresponding token, usually a hash of the name, inserting the name into the dictionary and thus generating a token for it if the service name has not yet entered the dictionary. The token has the precision of a standard binary word on the machines that incorporate the threat detector, for efficient search, comparison and other manipulations.
    The duration encoder 16050 encodes the transition duration 16120 to output the transition time interval identifier 16060, where the transition duration is calculated as the difference 16110 between the click date 13020 (the estimated time when the customer requested the destination service) and the source load date 16100, the accumulated load date 12020 16090 of the previous session transaction record (the estimated time when the customer was first able to request the service). In one embodiment, the duration encoder simply outputs the quantitative transition time to the accuracy of a standard binary word. In an alternative modality, the duration encoder roughly quantifies the transition time on an exponential scale, and tokenizes quantized intervals for effective access in a sparse matrix. An exponential sample scale is [0..1 / 16), [1 / 16..1 / 8), [1 / 8..1 / 4), [1 / 4..1 / 2), [1 /2..1), [1..2), [2..4), [4..8), [8 .. ~) seconds. A quantitative representation is preferable for atomic session analysis, where each individual event in each session is considered separately for accuracy. A tokenized representation is preferable for elementary session analysis, in which all events of a type within a session are grouped and treated as a group.
    Transition encoder 16150 encodes the ordered pair comprising source identifier 16020 and destination identifier 16040 (as shown), or, equivalently, comprising source name 11040 and destination name 11060, to output a source identifier. unique 16160 transition that identifies the transition from source to destination.
    Time source 16170 encodes the combination of originator 16020 and time slot identifier 16060 (as shown), or, equivalently, the combination of origin name 16080 and transition time 16020, to output time source identifier 16180. Likewise, timed destination encoder 16130 encodes the combination of destination identifier 16040 and time slot identifier 16060 (as shown), or, equivalently, the combination of destination name 6020 and transition time 16020 , to issue the 16180 timed destination identifier.
    The optional link encoder 16190 searches for originator 16020 and destination identifier 16040 (as shown), or, equivalently, origin name, 16080 and destination name 6020, in the website map 3110 to determine the type of connection, and codes for the link type as link identifier 16200.
    Extrinsic transitions within a session can indicate a hijacking attack. However, certain extrinsic links are provided by web browsers and similar applications, usually accessed via buttons or menu items in the application's user interface, including a "back" feature to return to the previous service in the session, a history function to return to other services recently visited by the customer, and a dialing function to return to services previously marked by the customer. In the simplest modality, the link encoder classifies links into one of three categories: intrinsic, lap step, and extrinsic. In a more complex modality, the link encoder also recognizes jumping back to previous services within the current session as a fourth category. Extrinsic calls can also be provided by external sources, such as websites and emails, and the call encoder recognizes such incoming calls by the referrer 16250, when present in the customer action record, and classifies it as another type of call.
    For elementary session analysis, the 16000 session analyzer uses event type counter 16210 to first check whether an existing session event 16240 has match identifiers - in this case match source identifier 16020, match destination identifier 16040, duration identifier 16060 and, if available, match link identifier 16200 - and, if so, just increase the event type counter 16220 for that type of event, instead of encoding the derived identifiers and packaging an event separate session.
    Session event recorder 16230 assembles source identifier 16020, destination identifier 16040, transition duration identifier 16060, time source identifier 16180, transition identifier 16160, and time target identifier 16140, in the event record session 16240. If available, the session event packer also registers link type identifier 16200 in the session event log. For elementary session events, the session event packer also stores the case count of event type 16220 in the session event record.
    Issuing 16240 client session event can be either an atomic session event, listing each individual event as a separate record, or an elementary session event synthesis, grouping equivalent events into a single record. For atomic session analysis, the 16230 session event packer simply appends each 16240 session event record to the current real-time customer atomic session event. For elementary session analysis, the event type counter merges 16210 equivalent event records within one session, maintaining an exemplary count, in the event record for each type of event.
    In the exemplary modality shown, the compound assigns service transition 16160, time source 16180, and time destination 16140 are encoded in session analyzer 16000, saving later time in session modeler 3120 and session comparator 3070, but at the expense of the space required for store additional identifiers in session event logs. In an alternative modality, the composite attributes are coded on the fly, whenever necessary, saving space, at the expense of time.
    The information flow diagram in Fig. 17 describes timed transition event modeler 17000, a particularly simple type of session modeler 3120 for use in a 1060 network service threat detector (See Fig. 3) whose session models 3130 include event models 17010 modeling not entire sessions, but only the atomic or elementary transition events of which the sessions are composed, and modeling only the global statistics of the most rudimentary characteristics of those events: the identities of the services that make up a transition and the duration transition - along with common combinations of these characteristics.
    In particular, event modeler 17000 models global statistics during the data collection period for a transition source, transition duration, and destination, as well as source and destination pairs together, destination pairs and transition duration together, and pairs of transition and origin duration together. When link information from a website map is available, the event modeler also models global link type statistics during the data collection period. In detail, for each session event record or session type record 16240, source model update 17020 updates source frequency 17030 corresponding to source identifier 16020, the transition duration model updater 17040 updates the transition duration frequency 17050 corresponding to the transition duration identifier 16060, the target model updater 17060 updates the target frequency 17070 corresponding to the target identifier 16040, timed target model updater 17080 updates the timed destination frequency corresponding to timed destination identifier 16140, transition model updater 17100 updates transition frequency 17110 corresponding to service transition identifier 16160, timed source model updater 17120 updates timed source frequency 17130, and model updater connector 17140 optionally updates the fr connection type equation 17150 corresponding to connection type identifier 16200, where the origin identifier, duration identifier, destination identifier, timed destination identifier, transition identifier, timed origin identifier and connection type identifier are obtained from the session event record 16240, and the corresponding models are updated in the 17010 event model database. In addition, the 17160 event frequency updater updates the 17170 event frequency in the event model database .
    17030 source frequencies are modeled separately from 17070 target frequencies because the distribution of source frequencies is generally not identical to the distribution of target probabilities, since, for example, a landing page is relatively unlikely to be a destination, and a logout page is unlikely to be a source, since client sessions often start with a login page and end with a logout page.
    The 17000 event modeler is designed to operate either on session event type records, or on elementary session event type records, where each event type record contains a 16220 case count, in addition to identifiers. When operating on atomic session event records, the event modeler updates source frequency 17030, duration frequency 17050, target frequency 17070, timed target frequency 17090, transition frequency 17110, timed source frequency 17130, frequency of link 17150, and event frequency 17170 simply by incrementing each frequency by one, the default increment value 17200. When operating on elementary session event records, the event modeler updates these frequencies increased each by the 16220 session count, entered as increment 17,200.
    In addition, the event modeler is designed to operate both in batch mode, for example, for processing the working entire set of website transactions during a data collection period, such as an hour, or in continuous mode, from incremental way to update models in real time with a sliding window, for example, adding each transaction or the value of each minute of transactions as it occurs, and removing each transaction or incrementing transactions with the time beyond the collection period data, for example, one hour. When operating in continuous mode, switch 17190 changes the increment of a negative to remove an atomic event record, and changes the increment to the negative of the case count 16220 to remove an event record of the type from the execution frequencies, as specified by removing the 17180 flag.
    In an alternative embodiment, the keys together - transition identifier 16160, timed origin identifier 16180, and timed destination identifier 16140 - are not directly stored in session event 16240, but are constructed from the elementary key identifier - identifier of time. origin 16020, duration 16060, and destination identifier 16040, as the case may be, on the fly by the transition model search engine 22010, time source model search engine 23010, and time target model search engine 24010, respectively. This alternative is preferable when the space available to store keys in session event logs is more critical than the time required to generate common keys.
    The information flow diagram in Fig. 18 represents an event 18000 independent session comparator, a particularly simple type of 3070 session comparator for use in the 1060 network service threat detector (See Fig. 3), which scores each event in a 16240 client session event independently, using the 18010 session event processor and 18020 event comparator, and uses 18030 session pointer to match the event scores in the 3080 session threat count. session comparator also optionally uses 18040 privilege threat analyzer to weight each event score according to the client's privilege level for the event, and also optionally uses 18050 intrinsic threat analyzer to weight each event score according to the intrinsic threat level of the event.
    The 18010 session event processor acts through the elementary event type records or chronologically ordered atomic event records chosen in the 16240 client session, issuing them one at a time, as 16240 session events to the 18020 event comparator .
    18020 event comparator compares each type of event or event with the 17010 model for that type of event, issuing anomaly 18060 event scores for that event. For elementary events, the event comparator also issues the number of 16220 instances of that type of event from the event type record. The event comparator is discussed later in Fig. 20.
    For atomic events, session score 18030 uses score accumulator 18070 to accumulate scores for individual 18060 anomaly events, issuing 3080 threat scores for the session as a whole. In the preferred mode, event anomaly scores are additive, rather than multiplicative (See Fig. 27.), to facilitate the accumulation of scores for the many events in a long session without overflowing. In the simplest modality, the session score simply adds all the scores from the anomaly event to issue the session threat score. For elementary events, the session scorer uses multiplier 18080 to multiply the anomaly score for each type of event by the number of cases 16220 of that type of event, issuing the result as event score 18090, in this case the score accumulator 18070 adds the events instead of event anomaly scores to calculate the session threat score.
    In the preferred modality, to assess session hijacking threats such as man-in-the-browser threats and man-in-the-middle threats, where, to avoid detection, to complete your privileged fraudulent transactions before the customer closes the session, and to maximize the number of hijacked sessions under human supervision - attackers are motivated to hijack a session as quickly and as soon as possible after the client has successfully obtained privileged access to a website, the 18000 session comparator uses privilege threat analyzer 18040 to calculate an 18100 buffered time weight according to how soon after logging in the corresponding anomalous event occurred, based on session event records 16240, and, in some modalities, event index 18110 issues by the event processor of session 18010, and, for elementary events, the instance event count 16220. For websites that offer multiple privilege levels, the analyzer of privilege threat also weighs the event score according to the privilege level. 18040 privilege threat analyzer is discussed in figure 19.
    When using the 18040 privilege threat analyzer, session score 18030 uses multiplier 18170 to multiply the score 18090 for each type of event or event by the corresponding privilege weighting 18100, outputting the result as a weighted event score 18180, in which case the session scorer adds weighted event scores, rather than 18090 unweighted event scores, to issue session threat score 3080.
    If the 3.110 website map containing information on intrinsic threat levels is available (see fig. 4), then the session comparator also considers intrinsic threat levels, using 18050 intrinsic threat analyzer to determine the intrinsic threat weight 18120 for each event or type of event, in order to weigh different levels of intrinsic threat according to the preferences of website security officers.
    In detail, the 18050 intrinsic threat analyzer uses the 18130 intrinsic threat finder to search for the intrinsic threat level associated with session event 16240 on the 3110 website map, issuing the result as an 18140 intrinsic threat level. intrinsic threat 18150 then look for the intrinsic threat score corresponding to the intrinsic threat level in the intrinsic threat score table 18160, issuing the result as intrinsic weight 18120.
    When using the 18050 intrinsic threat analyzer, the 18030 session scorer uses the multiplier 18170 to multiply the 18090 score for each type of event or event by the corresponding intrinsic threat weight 18100, outputting the result as 18180 weighted event score. both the intrinsic threat analyzer and the 18040 privilege threat analyzer, the session scorer first uses the 18190 multiplier to multiply the intrinsic threat weight by the 18100 privilege weight, outputting the result as 18200 event weighting. Then, it multiplies the event weighting by the event score to output the weighted event score. In both cases, the session pointer then summarizes the weighted event scores, rather than the unweighted event scores, to issue the 3080 session threat score.
    As described in the information flow diagram in Fig. 19, the 18040 privilege threat analyzer analyzes the privilege-related threat for each inbound session event or 16240 session event type, using 19010 privilege analyzer, 19020 privilege, 19030 time privilege resizer, and 19040 privilege scorer, and 18100 issue privilege weighting.
    Specifically, for atomic session 16240 events, privilege threat analyzer uses 19010 privilege analyzer to monitor chronologically chosen input events for privilege change events such as login and logout events, secondary authentication events, and events HTTP update, issuing the current 19050 privilege level, at the time of each event and the 19060 privilege duration - the duration since the last client acquired that privilege level within the session.
    In the preferred mode, the privilege duration for a special privilege level is the total customer's response delay, calculated by adding the 16060 transition durations, in each session case since the acquisition of that privilege level, thus discounting the phases. when the customer would normally wait, rather than act, including transmission time, service time, and charge time. In an alternative modality, the privilege duration is the time elapsed from the moment of acquisition of that privilege level, calculated as the difference between the time and the current event and the time of the privilege acquisition event. In another alternative modality, the duration of privilege is the number of customer transactions once that privilege level has been acquired, calculated as the difference in the event index 18110 issued by the session event processor 18010 (See fig. 18) once the privilege has been acquired.
    The 19020 privilege agent converts the 19060 privilege duration to an amortized time weight, issuing it as an aged privilege 19070, where the damping is governed by the 19080 weighting decline. Specifically, when the privilege duration is measured as the elapsed time, the privilege agent uses the 19090 multiplier to multiply the privilege duration by the weighting decline, issuing the product as a weighted agent 19100, and then uses exponentiator 19110 to take the exponential value from the weighted agent, issuing the result as an aged privilege 19070, where during the time measured in seconds, the weighting decline is typically around the natural logarithm of two, so the weighting falls from 1 at the time of the privilege acquisition to 1/2 of one second later, to 1/4 at the end of 2 seconds. When the duration of privilege is measured in terms of the number of transition events, the privilege agent can, alternatively, be recursively calculated, starting at 1, in the case of a privilege acquisition event, and multiplying the result by weighting decline in each subsequent event.
    For elementary session events, although neither the date nor the chronological event index is known for individual events, however, if session analyzer 16000 (See Fig. 16) includes the privilege level in its event classification, then types of repeated events within a session can be effectively aged by the minimum duration implied in the number of 16220 instances of that type of event in the session. Thus, for elementary session events, the pseudo-agent of privilege 19025 effectively ages each type of event repeated by the number of cases that must have preceded, in the simplest modality, multiplying the 19080 weighting decline by itself as often as the event instance counting, and adding partial products, issuing the sum as pseudo-agent of privilege 19070. The preferred modality applies the formula in a closed way to the geometric series, (dn + 1-d) / (d-1) , using incrementer 19120 to add 1 to the event instance count n 16220 13220, issuing the result as exponent p = n + 1 19130; using the 19140 power operator to increase the 19080 weighting decline for that exponent, issuing the result as 19150 power; using subtractor 19160 to subtract the power weight decline, issuing the result as a numerator 19170; and using a Separator 19200 to divide the numerator by the Separator 19190, where the Separator is calculated using a decrementor 19180 to subtract one from the weighting decline, the final result being issued as a 19070 pseudo-privilege agent.
    19030 Resizer resizes the cushioned series of aged privilege weightings to a minimum specified by the 19210 weighting minimum, using 19220 complementers to subtract the minimum weighting, issuing the difference as a minimum 19230 complement, using 19240 multiplier to multiply the minimum complement by the 19070 privilege agent , issuing the result as a 19250 scaled privilege and using an 19260 adder to add the scaled privilege to the minimum weight, issuing the result as a declined weight 19270. A positive minimum weight ensures that hijackers will continue to be detected even if they change their behavior to postpone your fraudulent transactions later in a session.
    The 19040 privilege scorer searches for 19280 privilege scores corresponding to the 19050 privilege level in the 19290 privilege score table for different privilege levels according to the preferences of website security officers. Typical privilege score values for a website using logins for both password and secondary authorization are 0.1 for non-logged in, 0.9 for logged in with a password, and 1.0 for secondarily authorized, but other values for punctuation can be used.
    Finally, multiplier 19300 multiplies the privilege score 19280 by the declining weight 19270, issuing the result as privilege weighting 18100.
    In an alternative embodiment, the 19050 privilege level is determined in advance by the 16000 session analyzer and stored in 16240 session event records (See Fig. 16.).
    As described in the information flow diagram of Fig. 20, event comparator 18020 compares a session event 16240, which is either an atomic session event or a type of elementary session event, with event models 17010 for that event type, and issues 18060 corresponding event anomaly score. In MiB, MiM, and similar types of hijacking attacks, a fraudster uses a website account simultaneously with a legitimate account customer. The actions of the website hijacker are thus interspersed with actions of the legitimate client.
    In order to maximize the chance of completing fraudulent transactions and to minimize the chance of being discovered, the fraudster's actions need to be performed quickly and at the beginning of the login session. Therefore, the hijacker has no time available to insert actions at appropriate times in the legitimate client's flow. As a result, the combined flow of customer and fraudster actions right after login is likely to present transitions that are anomalous, often not intrinsic to the website, and abnormally fast for normal sessions, in general, and especially for sessions normal victim. Furthermore, the flow of the fraudster's actions alone is likely to present transitions that are anomalies, non-intrinsic, and abnormally fast for normal sessions in general, and especially for the victim's normal sessions, because the hijacker is likely to use an aerodynamic flow skipping normal but strictly unnecessary intermediate steps, and that flow is likely to automate.
    Thus, the 18020 event comparator examines both the relative frequency and the relative duration of the event, comparing the observed frequency 20020 of the event type with the expected frequency 20130 of the event type, as well as the comparison between the observed duration 20040 of the event or type of event with the expected duration 20140 of the type of event.
    In detail, event frequency estimator 20010 estimates the relative frequency of the type of event event 16240 from event models 17010, emitting the observed event frequency 20020.
    The 20030 event duration estimator estimates the event duration by emitting the observed event duration 20040. When the 16240 session event is provided by the atomic session processor 8200 (See Fig. 18), the 20030 duration estimator only extracts the event duration, as adjusted by the 5140 transaction synchronizer (See Fig. 6), from the session event record. When, on the other hand, the fact that the session is provided by the session event type processor 24010 (See Fig. 16.) and the duration of the individual events in the session is not known, but the event type 24010 is specific to a roughly quantified time interval, then the event duration estimator estimates the event duration, as the average duration of the event type, or, if that information is not available, the event duration is estimated as the average interval duration of quantized time, both of which is retrieved from 17010 event models.
    The event comparator uses one or more 20050 event frequency predictors to predict the event frequency from the marginal event frequencies retrieved from 17010 event models, each event frequency predictor issuing a corresponding 20060 event frequency prediction. Exemplary individual event frequency predictors are described in Fig. 21 to Fig. 24, and a combined event frequency predictor factoring the common operations between these four exemplary individual predictors is described in fig. 25.
    Corresponding to each event frequency predictor 20050 is a 20070 event duration predictor in which the event duration or event type 16240 is predicted from 17010 event models corresponding to those used in the event frequency predictors, each event predictor event duration by issuing a corresponding event duration prediction 20080.
    The optional anomalous event duration detector 20090 compares each individual event duration prediction 20080 with the observed event duration 20040, emitting predictor switching signal 20100 to turn off individual event frequency predictors 20050 for computational efficiency when the event duration observed is determined not to be abnormally brief by a prediction of the duration of a particular event.
    The anomalous event duration detector determines an event to be abnormally fast, if the observed duration is less than the predicted duration minus a 20110 duration limit or by another test. In the preferred mode, the duration limit is zero, in order to postpone threat decisions until the anomaly of the entire session can be compared with the anomaly of all other sessions. Alternatively, if the number of detected attacks is expected to be substantially greater than the threat, 1080 processors (See Fig. 1) can cope, then the duration limit can be adjusted upwards to speed up less threatening events. The anomalous event duration detector is used as an efficiency optimization in ways in which it reduces computing time or other resource demands.
    The 20120 prediction combiner combines the frequency predictions of individual events 20060 and corresponding event duration predictions 20080 into a single predicted event frequency 20130 and a single corresponding predicted event duration 20140. The prediction combiner is detailed in Fig. 26 .
    The event frequency scorer 20150 compares predicted event frequency 20130 with observed event frequency 20020, considering the frequency cap 20170, and outputs anomalous frequency score 20160. In one embodiment, the event frequency scorer is turned off if the score anomalous duration 20190 is below the 20110 duration limit, for computational efficiency. The event frequency scorer is discussed in more detail in Fig. 27.
    The event duration scorer 20180 compares predicted event duration 20140 with observed event duration 20040, considering the duration limit 20110, and outputs anomalous duration score 20190. In one mode, the event duration scorer is turned off if the anomalous frequency is below the 20170 frequency limit, for computational efficiency. The event duration scorer is discussed in more detail in Fig. 28.
    Anomalous event scorer 20200 inserts anomalous frequency score 20160 and anomalous duration score 20190, and issues anomalous event score 18060. If any anomalous frequency score or anomalous duration score is non-positive, the anomalous event scorer issues an anomalous event of zero. In the preferred mode, the event anomaly scorer combines the frequency anomaly score and anomaly score duration by multiplying them together, in which the resulting product can be interpreted as the point-to-point mutual information between the terms of the event, weighted for the anomalous brevity of the event.
    Fig. 21 through Fig. 25 represent exemplary frequency predictors of events for a simple timed transition event, that is, an event composed of three variables: a first web service of origin seen by a customer, a second near destination seen by the customer, and the transition time between services, where the transition time is ideally measured as the interval between the reception of the originating customer and the request of the destination customer. The frequency and duration of a timed transition can be predicted from the marginal frequencies independent of the origin, the transition time, and the destination, as in the atomic predictor 21000 in fig. 21, or from a partial indicator in which any dependence between two of the three variables is considered: from the submarginal joint frequency of the source-destination transition and the marginal frequency of the transition, as in the polarized frequency predictor TxAB 22000 in fig. 22, from the submarginal joint frequency of the time source and the marginal frequency of the destination, as in the time source predictor 23000 in fig. 23, or from the marginal frequency of the origin and the submarginal frequency together of the timed destination, as a timed destination predictor 24000 in fig. 24. For those predictors that do not refer to the frequency of the specific transition, the predictors AxTxB, BxTA, and AxTB can optionally be refined by the frequency of the link type, if that information is available. Fig. 25 combines all four of these predictors for computational efficiency when all four indicators are run by the same processor. It should be noted that some modalities include less than all four indicators.
    As illustrated in fig. 21, the atomic timed transition predictor 21000 uses source model finder 21010 to search for source frequency 17030 corresponding to source identifier 16020, processor for transition duration model 21020 to search for frequency of transition duration 17050 corresponding to identifier transition duration 16060, target model finder 21030 to search for target frequency 17070 corresponding to target identifier 16040, optional link model finder 21040 to search frequency of link type 17150 corresponding to link identifier 16200, frequency finder of 21070 standard to search for 17170 event frequency standard, where the source identifier, duration identifier, destination identifier, and link type identifier are introduced from session event 16240, and the corresponding models and frequency standard are retrieved from the 17010 event models. Multiplier 2 1050 multiplies together the source frequency, the duration frequency, the destination frequency, and, optionally, the connection frequency 17150, giving the product as an absolute frequency Ax-TxB 21060. The power operator 21080 multiplies the frequency standard to the fourth power, outputting the result as quadruplicate standard 21090. Finally, the normalizer 21100 divides the absolute AxTxB frequency by the quadruplicate standard, emitting the relative frequency as the independent frequency prediction AxTxB 21110. If the connection frequency is not included in the frequency calculation combined, then the power operator only raises and raises to the third power.
    In atomic timed transition predictor 21000, duration model processor 21020 also searches for duration 21120 corresponding to duration identifier 16060 in session event record 16240, which it issues as duration 21120. Multiplier 21130 multiplies duration by frequency of duration 17050 , issuing the product as total duration 21140. Separator 21150 divides the total duration by the absolute atomic frequency 21060, issuing the quotient as a prediction and independent duration 21160.
    As illustrated in Fig. 22, the TxAB 22000 polarized frequency predictor uses a transition duration model processor 21020 to search for the transition duration frequency 17050 corresponding to the transition duration identifier 16060, the transition model processor 22010 to search for the transition frequency 17110 corresponding to the transition identifier 16160, and frequency norm finder 21070 to search for the event frequency norm 17170, where the duration identifier and the transition identifier are the input of the 16240 session event, and the corresponding models and the frequency standard are retrieved from event models 17010. The multiplier 22020 then multiplies together the duration frequency and the transition frequency, emitting the product as absolute TxAB frequency 22030. The power operator 22040 squares the frequency standard , issuing the result as a double standard 22050. Finally, the normalizer 22060 divides the frequency the absolute TxAB by the double standard, emitting the relative frequency as the polarized frequency prediction TxAB 22070.
    In TxAB 22000 polarized predictor, 21020 duration model processor also looks for duration 21120 corresponding to duration identifier 16060 in session event record 16240, which it issues as duration 21120. Multiplier 21130 multiplies duration by frequency of duration 17050 , issuing the product as total duration 21140. Separator 21150 divides the total duration by the absolute frequency TxAB 22030, emitting the quotient as a polarized duration prediction TxAB 22080.
    As illustrated in fig. 23, BxTA 23000 polarized frequency predictor uses target model finder 21030 to search for target frequency 17070 corresponding to target identifier 16040, time source model search 23010 to search for timed source frequency 17130 corresponding to time source identifier 16180, optional link model finder 21040 to search for link type frequency 17150 corresponding to link identifier 16200, and frequency norm finder 21070 to search for event frequency norm 17170, where the target identifier, time source identifier and identifier link type are inserted from session event 16240, and the corresponding models and frequency norm are retrieved from event models 17010. Multiplier 23020 then multiplies together the target frequency, the timed source frequency, and, optionally, the connection frequency 17150, outputs the product as an absolute BxTA frequency 23030. The 23040 power operator multiplies the frequency norm for the third power, outputting the result as a triple norm 23050. Finally, the 23060 normalizer divides the absolute BxTA frequency by the triple norm, emitting the relative frequency such as the BxTA 23070 polarized frequency prediction. If the link frequency is not included in the combined frequency calculation, then the power operator only increases the norm for the second power.
    In the polarized predictor BxTA 23000, time source model searcher 23010 also looks for duration 21120 corresponding to time source identifier 16180 in session event record 16240, which it emits as duration 21120. Multiplier 21130 multiplies the duration by the time source frequency 17130, issuing the product as total duration 21140. Separator 21150 divides the total duration by the absolute frequency BxTA 23030, emitting the quotient as a polarized duration prediction BxTA 23080.
    Likewise, as shown in fig. 24, AxTB 24000 polarized frequency predictor uses 21010 source model finder to search for 17030 source frequency corresponding to 16020 source identifier, 24010 timed destination model search engine to search for 17090 timed destination frequency corresponding to 16140 timed destination identifier, the optional link model finder 21040 to search for the link type frequency 17150 corresponding to the link identifier 16200, frequency norm searcher 21070 to search for the 17170 event frequency norm, where the source identifier, timed destination identifier and link type identifiers are inserted from session event 16240, and the corresponding models and frequency standard are retrieved from event models 17010. Multiplier 23020 multiplies together the source frequency, the timed destination frequency and, optionally , the connection frequency 17150, emitting the product as the absolute frequency AxTB 24020. As in the frequency predictor AxTB 23000 (See Fig. 23), the 23040 power operator multiplies the frequency norm for the third power, outputting the result as a 23040 triple norm. Finally, the 23060 normalizer divides the absolute AxTB frequency by the triple standard, emitting the relative frequency as the polarized frequency prediction AxTB 24030. If the link frequency is not included in the combined frequency calculation, then the power operator only increases the standard for the second power.
    In the AxTB 24000 polarized predictor, the timed destination model finder 24010 also looks for duration 21120 corresponding to timed destination identifier 16140 in session event record 16240, which it issues as duration 21120. Multiplier 21130 multiplies the duration by the target frequency time delay 17090, outputting the product as total duration 21140. Separator 21150 divides the total duration by the absolute AxTB frequency 24020, emitting the quotient as a polarized duration prediction AxTB 24040.
    As illustrated in fig. 25, combined timed transition predictor 25000 uses the source model searcher 21010 to search for the source frequency 17030 corresponding to the source identifier 16020, the model of transition duration model 21020 to search for the frequency duration 17050 corresponding to the source identifier transition duration 16060, target model finder 21030 to search for target frequency 17070 corresponding to target identifier 16040, time target model finder 24010 to search for the timed target frequency corresponding to timed target identifier 16140, the processor transition model 22010 to search for transition frequency 17110 corresponding to transition identifier 16160, time source model search 23010 to search for timed source frequency 17130 corresponding to time source identifier 16180, optional link model search engine 2104 0 to search for link type frequency 17150 corresponding to link identifier 16200, and frequency norm searcher 21070 to search for event frequency norm 17170, where the origin identifier, duration transition identifier, identifier target, the timed destination identifier, the transition identifier, timed, the origin identifier and the connection type identifier are inserted from the 16240 session event and the corresponding models and frequency norm are retrieved from the 17010 events.
    The 25050 multiplier scans the frequency standard 17170, emitting the result as a double standard 20050; the multiplier 25060 multiplies the double standard again by the standard, issuing the result as a triple standard 23050 and the multiplier 25070 multiplies the triple standard again by the standard, issuing the result as a quadruple standard 21090.
    As in the independent AxTxB frequency predictor 21000, the AxTxB 25010 atomic frequency predictor multiplies together the source frequency 17030, the duration frequency 17050, the target frequency 17070, and, optionally, the link frequency 17150, dividing the frequency Resulting absolute AxTxB 21060 by quadruple standard 21090 and emitting the resulting relative frequency as the independent frequency prediction Ax-TxB 21110. As in the polarized frequency predictor AxTB 24000, polarized frequency predictor AxTB 25020 multiplies together the source frequency, the frequency of timed destination and, optionally, the link frequency, dividing the resulting absolute AxTB frequency by the triple standard 23050, and outputting the resulting relative frequency as a polarized frequency prediction AxTB 24030. As in the polarized frequency predictor TxAB 22000, the polarized frequency predictor TxAB 25030 multiplies together the duration frequency and the transition frequency dividing the resulting absolute TxAB frequency by the double standard 20050, and emitting the relative resultant frequency as a polarized frequency prediction TxAB 22070. And, as in the polarized frequency predictor BxTA 23000, the polarized frequency predictor BxTA 25040 multiplies together the target frequency, the timed source frequency, and optionally the link frequency, dividing the resulting absolute BxTA frequency by the triple standard 23050, and outputting the relative frequency as a result of the resulting polarized frequency prediction BxTA 23070. If the link frequency does not is included in the combined frequency calculations, so the AxTxB 25010 predictor uses the triple standard instead of the quadruple standard, and the AxTB 25020 predictor and BxTA 25040 predictor use the double standard instead of the triple standard.
    The combined predictor 25000 also issues the respective duration predictions as in Fig. 21 to Fig. 24.
    In an alternative embodiment, the keys together - transition identifier 16160, timed origin identifier 16180, and timed destination identifier 16140 - are not directly stored in the 16240 session event, but are built from the elementary keys - origin identifier 16020 , transition duration 16060, and destination identifier 16040, as the case may be, on the fly by the transition model processor 22010, time source model search engine 23010, and time target model search engine 24010, respectively. This alternative is preferable when the space available to store keys in session event logs is more critical than the time required to regenerate the keys together.
    In an alternative modality, dual frequency standard 20050, triple frequency standard 23050, quadruple frequency standard 21090 are pre-computed and stored in 17010 event models, instead of being computed in the event predictor. This alternative is preferable when accessing memory is faster than multiplication.
    In an alternative modality, the marginal frequencies (source frequency 17030, duration frequency 17050, and destination frequency 17070) and sub frequencies (transition frequency 17110, source frequency timed 17130, and frequency destination 17090) do not. are pre-computed and stored in the 17010 event model database, but are instead calculated on the fly from atomic events or elementary frequencies by marginal frequency processors (source frequency processor 21010, frequency processor from duration 21020, and target frequency processor 21030) and intermediate frequency processors (transition frequency processor 22010, timed source frequency processor 23010, and timed target frequency processor 24010), respectively. This alternative mode is preferable when the storage space available for event models is more critical than the time available to calculate the marginal and submarginal frequencies on the fly.
    The marginal frequencies (source frequency 17030, duration frequency 17050, and target frequency 17070) and sub-marginal frequencies (transition frequency 17110, source frequency timed 17130, and target frequency timed 17090) as stored in the model database event 17010 and issued by the respective frequency processors can be either absolute, in which case they can be represented exactly as integers, or relative, in which case they must be represented as approximate fractions or as rational numbers of inefficient space.
    However, while the atomic prediction 21110 is a product of three marginal frequencies, submarginal predictions (transition prediction 22070, prediction of timed origin 23070, and prediction of timed destination 24030) are products of only two frequencies, so these products are calculated from absolute frequencies, so to make the atomic frequency compatible with the submarginal frequencies, either the submarginal frequencies must be multiplied by the standard, allowing the products to continue to be represented exactly as integers, or the atomic prediction must be divided by the standard, in which case the product must be approximated as a fraction or kept as a rational number. This ratio can be implemented at any stage between the end of 20050 frequency event predictors and the start of the 20120 prediction combiner. Note that, at least, for the estimation of relative simple frequencies, all atomic, marginal and Submargins have the same norm, which is the total timed transition frequency, obtained from the event model database.
    In some embodiments, the 17010 event models are stored in a sparse array such as a heap, rather than as a complete array or complete tree, to save memory. For a large website, the number of types of transitions observed would otherwise require an impractically large complete matrix.
    As described in the information flow diagram in Fig. 26, the predictor combiner 15130 inserts the individual event frequency predictions 20060 and the individual event duration predictions 20080, combining them to output the predicted event frequency 20130 and duration of expected event 20140, respectively.
    In a preferred embodiment, the prediction combiner uses the maximum selector 26010 to select the maximum event frequency prediction to emit as the predicted event frequency, and, via the 26020 prediction switch, uses the 26030 selector to select the prediction duration of corresponding event to emit as the expected event duration. Using the maximum here implies that an event should not be considered unusual if any one of a set of credible predictors shows that it is not unusual. In an alternative modality (not shown), a prediction combiner calculates the Bayesian mean of the input frequency predictions and duration predictions, and outputs the averages such as the expected event frequency and expected event duration, respectively.
    As illustrated in fig. 27, the event frequency scorer 20150 inserts the observed event frequency 20020 and the predicted event frequency 20130, compares them using the event frequency comparator 27010, normalizes the result, and outputs the anomaly frequency score 20160.
    The 27010 event frequency comparator uses the 27020 differentiator to compare observed event frequency 20020 to the predicted event frequency 20130, emitting the difference as over frequency 27030. Then, the adder 27040 adds frequency cap 20170 to the over frequency , emitting the adjusted excess frequency 27050. Frequency tracker 27060 then tests if the adjusted excess frequency is greater than zero, indicating that the event is not anomalous, in which case it emits a zero 27070 as the anomalous frequency score 20160. For computational efficiency, the tracker can also optionally enter anomalous duration score 20190. If the anomalous duration score is below the 20110 duration limit, then the event is equally determined to be non-abnormal, and in the same way the tracker issues a frequency anomaly score of zero.
    In a preferred embodiment, the frequency cap is omitted or set to zero in order to postpone threat decisions until the anomaly of the entire session can be compared with the anomaly of all sessions. Alternatively, if the number of detected attacks is expected to be substantially greater than the 1080 threat processors (See Fig. 1) can handle, then the frequency cap can be adjusted upwards to speed up less threatening events.
    If, on the other hand, the frequency tracker 27060 determines the event to be abnormal, then it passes the observed event frequency 20020 through the tracked event frequency 27080.
    The event frequency normalizer then divides 27090 the tracked event frequency by the predicted event frequency 20130, outputting the result as frequency ratio 27100. Emitting the frequency ratio, instead of the observed absolute frequency, ensures that the observed frequency of each event is evaluated only in relation to the expected frequency of that event, and regardless of the absolute frequencies of unrelated events.
    Since the observed event frequency 20020 is a simple frequency, whereas the expected event frequency 20130 is a frequency product, if the frequencies are represented as absolute frequencies, then, in order to make the observed event frequency proportional at the expected frequency, or the observed event frequency is multiplied by the standard, or the expected event frequency is divided by the standard. This ratio can be implemented at any stage between the end of the event frequency estimator 20010 or event frequency predictor 20050 and before the comparison in the event frequency comparator or normalization in the event frequency normalizer 27090. Defer this proportion until the end of the 20120 prediction combiner can reduce the amount of computation.
    Finally, log 27110 calculates the logarithm of the frequency ratio 27100, outputting the result as anomalous frequency score 20160. Using the logarithm instead of the ratio itself as per the event score allows the 3070 session comparator (See Fig. 3. ) add the anomalies of events, instead of multiplying them, thus avoiding overflowing.
    Like logarithms of the frequency ratio relative to the product of the relative marginal frequencies, the frequency anomaly score 20160 can be interpreted as the measurement of mutual information point by point between the marginal dimensions. In the preferred embodiment, 27110 calculates the base 2 logarithm, so that the score is measured in bits. In particular, in the case of timed transitions, the independent frequency predictor AxTxB 21000 measures the point-to-point information between origin, transition time, and destination; polarized frequency predictor TxAB 21050 measures point to point mutual information between transition time and service transition; the BxTA 23000 polarized frequency predictor measures mutual point-to-point information between the destination and the timed source; and the polarized frequency predictor 24000 measures point to point mutual information between the source and the timed destination. Although peer-to-peer information may be non-positive, the anomalous event scorer 20200 ensures that only positive scores are issued; that is, the session anomaly is determined only by anomalous events, so that no number of normal events can compensate for the anomalies. This is in line with the fact that man-in-the-browser, man-in-the-middle, and similar attacks characteristically include some brief events, usually near the start of a session, regardless of how long it lasts. the session.
    As illustrated in Fig. 28, the event duration scorer 20180 inserts predicted event duration 20140 and observed event duration 20040, compares them using the event duration comparator 28010, normalizes the result, and issues anomaly score of duration 20190.
    Event duration comparator 28010 uses the differentiator 28020 to compare observed event duration 20040 to predicted event duration 20140, emitting the difference as duration deficit 28030. Then adder 28040 adds duration limit 20110 to the duration deficit, emitting deficit adjusted duration 28050. The 28060 duration tracker then tests whether the adjusted duration deficit is greater than zero, indicating that the event is not anomalous, in which case it issues a zero 28070 as the anomalous duration score 20190. For computational efficiency, the tracker can also optionally enter anomalous frequency score 20160, if the anomalous frequency score is less than the 20170 frequency limit, the event is equally determined not to be anomalous, and the tracker likewise issues a score of anomalous duration of zero. In the preferred mode, the duration limit is omitted or set to zero, in order to postpone threat decisions until the anomaly of the entire session can be compared with the anomaly of all sessions. Alternatively, if the number of detected attacks is expected to be substantially greater than the 1080 threat processors (See Fig. 1.) can handle, then the duration limit can be adjusted upwards to speed up less threatening events. If, on the other hand, the event duration comparator determines that the event is normal, then it passes the adjusted duration deficit as trailed duration deficit 28080.
    The event duration normalizer 28090 then divides the trailed duration deficit 28080 by the expected event duration 20140 to provide anomalous duration score 20190, ranging from zero, if the event duration is not anomalous in all, to one, if the event duration is as abnormally brief as possible.
    As already explained, a network security system can include the detection of man-in-the-browser attacks and other attacks, using a variety of tools and approaches. Other modalities can be imagined by a person skilled in the art after reading this description. In other embodiments, the combinations and subcombination of the invention described above can be advantageously made. Exemplary component arrangements are presented for purposes of illustration and it is to be understood that combinations, additions, redispositions, and the like are contemplated in alternative embodiments of the present invention. Thus, although the invention has been described in relation to exemplary embodiments, those skilled in the art will recognize that numerous modifications are possible.
    For example, the processes described here can be implemented using hardware components, software components, and / or any combination thereof. The specification and drawings should therefore be considered in an illustrative and not restrictive sense. It will, however, be evident that various modifications and changes can be made to this, without departing from the spirit and the broader scope of the invention, as defined in the claims, and that the invention is intended to cover all modifications and equivalents within the scope of the following claims.
    As depicted in the block diagram of Fig. 29, exemplary server traffic processor 2010 (see Fig. 2.) uses plumber 29050 to include host-instigated traffic between clients 1010 and third party services 1150, so that it can be logged , along with traffic between clients and the primary network service 1015, by the 29150 for analysis by the 1060 threat detector, reviewed by the 1080 threat processors, and, when necessary, remedied by the 29160 repairman. example of a way in which the plumber can be integrated with other processes normally found in a traffic processor in the network service, such as firewalls 29010 and 29090, authenticators 29020, and encrypters 29120 decrypters 29030, compressors 29110 and decompressors 29040, link translators 29080, reformers 29100, and load balancers 29105.
    Traffic from clients 1010 and destined for host 1015, includes traffic from clients and destines to partners 1150, and includes traffic from partners destined for all clients enters the service traffic 2010 processor through a 29010 front firewall, which protects the host location of the external network using low-level security features, such as IP + port blocking and plain text packet filtering. Host traffic destined for customers, including traffic from customers destined for partners, and including partner traffic destined for customers likewise all leave the service's traffic processor through the front firewall.
    29020 Authenticator is responsible for negotiating cryptographic protocols such as SSL and TSL with 1010 clients and 1150 partners, and for low level verification of the identity of clients and partners and confirmation of the host's identity, such as their proxy, for example through SSL certificates.
    The 29030 decryptor securely converts encrypted inbound actions from 1010 clients and 1150 partners containing personal or proprietary information into plain text so that they can be viewed by the 29050 plumber and 29090 rear firewall, and acted on by the 1015 host. The encryptor 29120 encrypts plain text outbound actions from the host and re-encrypts outbound actions relayed between customers and partners to protect sensitive information en route over the network to customers and partners.
    Likewise, the 29040 decompressor decompresses incoming actions from clients 1010 and partners 1150 in plain text so that they can be examined by plumber 29050 and rear firewall 29090, and put into practice by host 1015. Compressor 29110 compresses outbound actions such as HTML content from the host and recompress actions relayed between customers and partners for faster transmission over the network.
    Plumber 29050 uses plumber router 29060 to separate incoming traffic from clients 1010 destined for host 1015, which it routes through host plumber 29070, from the included bidirectional traffic between clients and partners 1150, which it routes through partner 29140 plumbers, causing a short circuit of the host. Host plumber 29070 edits outbound host traffic to include customer responses back through partner plumbers. Likewise, partner 29140 plumbers edit outbound partner customer traffic to include customer responses back through partner plumbers. The plumber is discussed in more detail in fig. 30.
    Link translator 29080 remaps externally visible URL pseudonyms in customer requests back to the corresponding actual internal URLs, allowing the public structure of the host site to appear simple, constant, and user friendly, while protecting the structure of the actual website of potential wrongdoers.
    The 29090 rear firewall remedies threats in unencrypted un-compressed client inbound actions, using high-level features like application-attack detection and malware detection. The rear firewall also remedies threats in outbound host actions, such as the disclosure of sensitive information and policy violations.
    The load balancer 29100 distributes client actions among the host website servers or data centers on the 1015 network service, and routes the corresponding host actions back. A larger installation will often have load balancers at different times in the service traffic processor, each feeding multiple instances of its downstream components in order to effectively handle upper network traffic. For example, authentication 29020, decryption 29030, encryption 29120, decompression 29040, compression 29110, channeling 29050, and reformatting 29105 are all computationally intensive processes, so a busy location may have one or more load balancers between the firewall front and multiple authenticators and decryptors, a load balancer between the rear firewall and multiple reformers, and so on.
    Reformer 29105 reformats outbound host actions for customer-specific devices, such as cell phones, which have different restrictions, such as bandwidth, processing power, spatial and temporal screen resolution, and interactivity.
    Throttler 29130 buffers host shares and outbound partner shares as needed and feeds them out at a controlled rate to match customer transmission bandwidth and other rate constraints.
    Logger 29150 records each transaction, possibly from each service traffic processor 2010, including not only all client-host and host-client actions as on a common website, but also all transactions related to the client-host client-partner for analysis by the 1060 network service threat detector using a single master clock for precise timing. In the preferred mode, transaction times are recorded as close to the customer as possible - preferably on the front firewall in the configuration shown - in order to limit customer action delay as firmly as possible, for accurate threat analysis. The logger can also obtain additional transaction information from host location 1015, as available and useful. On the other hand, the network service can also augment its own logs with information from the 29150 logger, or it can even supplant its own logs with the loggers from the service traffic processor.
    As explained in most of this disclosure, threat detector 1060 analyzes the transaction logs issued by logger 29150 and network service 1015 for different types of network service threats, issuing alerts and reports to 1080 threat processors.
    Threat 1080 processors, in turn, issue corrective action rules for repairer 29160, who implements repair actions through the appropriate components in the 2010 service traffic processor, via force 29170.
    In the preferred embodiment, each service traffic processor 2010 phase requiring significant processing power, including 29105 reformatters, 29080 link translators, 29070 host channelers, 29140 partner channelers, 291110 decompressors and 29040 compressors and 29030 decryptors, encryptors 29120, uses a cache for efficient service, issuing a cached copy of a processed resource if the raw resources match.
    The deployment of 29050 plumber for 2010 service traffic processor may present new software bugs and incompatibilities, new risks of incorrect link mapping, new resource strains and new opportunities for attack. Thus, the preferred mode also includes 29190 monitors, showing in real time, diagnostic information, such as current and comparative rates of host plumber traffic and partner plumber traffic for each partner, as well as related errors and Repair actions , for monitoring by 1080 threat processors - or the same threat processors as for the 1060 threat detector or independent threat processors.
    The addition of client-server and client-server traffic can substantially increase the load on an established service traffic processor. In such cases, in the preferred mode, router 29060 is located in front of the offload partner plumber 29140 in a service traffic processor separate from host plumber 29070, with its own front-end components, such as front firewall 29010, authenticator 29020 , decryptor 29030 and encrypter 29120, and decompressor 29040, compressor 29110, throttler 29110, and cache 29180. In an alternative embodiment, the separate service traffic processor is located elsewhere on the external network, perhaps together with a 1060 threat detector, 1080 threat processors, and 29160 repairman, with host plumber logs relayed to the partner plumber's location via a dedicated line or encrypted network traffic, and the host plumber's logger synchronized to the partner plumber's logger for accuracy.
    Depending on the characteristics of network service traffic, costs, existing infrastructure, availability, experience and other considerations, the various components of the 2010 service traffic processor can be incorporated as software modules on one or more physical or virtual servers, hardware components, a server network, a cloud computing center, or any combination of these and other possibilities.
    Those skilled in the art will recognize that these and other front-end components could be employed in many alternative configurations, including employing multiple instances of various components, employing them in a different order, or omitting some of the components or adding others.
    As described in the information flow diagram of Fig. 30, plumber 29050 (See fig. 29) includes related host traffic between clients 1010 and third party services 1150 through partner plumbers 29140, where traffic - which, otherwise it passes invisibly and inaccessibly between customer and partner services - it is logged by logger 29150 to be monitored by monitors 29190 (See Fig. 29), analyzed by threat detector 1060, corrected by repairman 29160 and, optionally, accessed by host website 1015. The plumber includes client-host traffic presented to host by interposing host plumber 29070 as reverse host proxy * 30010 for clients and as direct to client proxy * 30030 for host servers, where paraproxy from partner 30020 processes the content of host-client actions 1040, finds all references to intended partner services, and replaces them with ps reversibly mapped eudonyms referring to the partner's plumber.
    Likewise, a 29140 partner channeler, who acts as a client * 30040 client mediator for clients, includes responsive client-partner traffic, acting as a 30060 client * mediate proxy for 1150 partners, and includes client-client traffic. partner driven by the subsequent partner using partner paraproxy 30050 to find all target partner references in the content of the 1190 partner-client actions and reliably nickname them for the partner plumber.
    In detail, the network is configured so that client requests 1020 destined for primary network service 1015 are intercepted by host * reverse proxy 30010 on host plumber 29070. Host * proxy uses client mapper 30070 to reversibly replace client return addresses in client-host * proxy actions with client * local alias for host plumber, issuing modified requests as client * proxy - host * proxy actions 30080 so that responses from host 30110 will be forwarded back to the host plumber instead of going directly to the customer. The client mapper can optionally also attach client public address 11010 to the edited action, if required by partner paraproxy 30020 or the primary network service.
    Forward client * proxy 30030 to host plumber 29070 uses host * remapper 30090 to replace nicknames * host in client actions * proxy - host * proxy 30080 with the addresses of actual hosts, issuing the modified requests as client actions * proxy - host 30100. Note that client translation for host transactions may not be necessary if the host plumber communicates with a host and single server via a dedicated connection or as a co-resident module and not over a network.
    When intercepting host - client * proxy responses 30110, client * direct proxy 30030 on host plumber 29070 uses host mapper 30120 to reversibly substitute host return addresses in host actions with their host plumber aliases, issuing the responses modified as host * proxy - client * proxy 30130 actions.
    Host service actions 30110 often contain references to other services available on the main website, and may also contain references to third party services 1150 on partner websites. Partner paraproxy 30020 on host plumber 29070 uses partner inclusor 30140 to find partner references in outbound host service actions that match the targets in the basic partner reference translation rule 30150, and replace them with local pseudonyms for the specified partner channel 29140, issuing the results included as host * proxy - client * action proxy * proxies 30160, so that all client actions on these referrals are routed through the channel of the specified partner instead of going directly for partner 1150 websites.
    In an HTML web page, the host and partner are specified as URI hyperlinks embedded in the HTML page description, corresponding to clickable controls by users in the graphical representation of the web page. In the simplest modality, partner inclusor 30140 uses a general purpose string substitute to replace all occurrences of target URI patterns according to the basic partner translation rule 30150. In a more sophisticated modality, the partner analyzes the HTML description, determines the appropriate character encoding, and searches for the appropriate target strings, for example, only in the 'href' fields of anchor tags ('a'). More generally, the partner address translator is not only applied to HTML services, but, using techniques similar to those skilled in the art, for services of other types of MIME listed in the basic partner translation rules.
    A URI can be specified in many different ways. For example, the sequences are all equivalent: http://www.google.com/ http://google.com/ (omitting the optional "www" subdomain) http://www.google.com (omitting the indicator directory directory "/") http://www.google.com// (adding a superfluous directory indicator "/") http://www.google.com/# (adding an empty "#" anchor indicator ) http://www.google.com/ (adding an empty query indicator " ") http://www.google.com/ .. (adding a parent directory indicator ".." empty) http://www.google.com/index.html ( adding the default page name "in-dex.html" optional) http://www.google.com:80/ (adding the optional World Wide Web HTTP port "80") HTTP://wWw.Google.cOm/ (optionally capitalizing letters) http: //w%77w.67oogle.c.%6fm/ (optionally percent encoding characters) http: //garbage@www.google.com/ (adding ignored authorization code) http://74.125.19.106/ (using the 4-octet decimal IP address) http: // 1249710954 / (using the decimal IP address) http: //0112.0175.0023.0152/ (using the octal 4-octet IP address) http : //0112.0175.0023.0000152/ (added superfluous leading zeros) http: //0x4a.0x7d.0x13.0x6a/ (using the 4-octet hexadecimal IP address)
    In addition to the variants exemplified here, a URI can be specified in relation to that of the page or iframe on which it occurs, or it can be a URN (uniform resource name), a PURL (persistent uniform resource locator), or even some other type variant still defined. In the preferred mode, to facilitate fraud detection through the use of non-standard URIs, to reduce the size of basic rules, and to facilitate the caching of host actions, partner paraproxy basic rule 30150 includes rules to first resolve each a canonical URI, using well-known algorithms and services, before comparing the canonical URI with the targets in the partner conversion table.
    Some websites have additional synonymous conventions, such as, optionally, naming a service through a query string instead of a directory path; arrange subdirectories in an array, rather than in a tree; accept optional abbreviations or misspellings for domain names, directory names or service names, or assign synonymous serial numbers to services. In the preferred mode, again to facilitate the detection of fraud using non-standard URIs, to simplify the rule base, and to facilitate caching, partner translation rule base 30150 is augmented with custom algorithms and rules for reducing such site-specific synonyms to canonical form, before comparing the canonical URI with the targets in the partner conversion table.
    In many cases, all URIs within the partner's domain, a subdomain of the partner, or a respective path, must be included. In the preferred embodiment, partner inclusor 30140 allows target URIs and their nicknames to be specified with generic patterns in the 30150 rule base, for example, using standard regular expression syntax for sequence and substitution pattern matching, or using variable names for the different components of a URI.
    By default URIs, partners * aliases for inclusion can take different forms. For example, the partner URL https://www.partner.com/percurso/page.html#âncora consulta can be mapped directly to a query parameter, a dynamically assigned port, a directory, a local subdomain for the host, or a different domain: https://www.hospedeiro.com/ service=parceiro%2fpercurso%2fpage.html%23âncora%3fconsulta Https://www.hospedeiro.com:12345/percurso/p Página.html#âncora consulta https : //www.hospedeiro.com/parceiro/percurso/p Página.html#âncora consultation https://parceiro.hospedeiro.com/percurso/p Página.html#âncora consulta https://www.hospedeiroparceiro.com/percurso /page.html#âncora consulta
    In the preferred embodiment, the partner inclusor 30140 supports all of these methods on a 30150 rule basis, allowing the host website to choose the most appropriate one. In the preferred embodiment, URLs are mapped using algorithms, as in the examples, so that no detailed address translation table is required. In the preferred mode, URLs are mapped directly to preserve their human readability, as in the examples, instead of, for example, being replaced by serial numbers or cluttered.
    Host * reverse proxy 30010 on host plumber 29070 uses remainder * client 30170 to replace nicknames * client on host * proxy - client * action proxy * inclusion proxy 30160 with addresses of actual clients, issuing modified responses as host * proxy - client action * proxies 1040, and forwards them towards the respective clients 1010.
    When a 1010 client acts on a partner * pseudonym on a host * proxy - action client * inclusion proxy 1040 (or on a partner * proxy - action client * inclusion proxy 30280), instead of being diverted directly to the partner website , said client-partner action * proxy action 30180 is channeled through a channeler from partner 29140, which can be located on main website 1015, a registration website, a monitoring website, a threat detection website, in a cloud computing, or elsewhere. Analogously to client mapper 30070 on host * reverse proxy 30010, proxy * mediate partner 30040 uses client mapper 30190 to reversibly replace client return addresses in client - partner * proxy inbound actions with client * local alias for the plumber partner, issuing the modified requests as client * proxy - partner * proxy 30200 actions, so that partner 1190 responses will be routed back to the partner channeler, instead of going directly to the client. The customer mapper can optionally also attach customer public address 11010 to the edited action, if required by partner paraproxy 30050 or partner service 1150.
    The partner channeler then uses partner * remapper 30210 on client * proxy mediated 30,060 to remap local partner nicknames to the actual addresses of the partner service, and sends the client * proxy - partner 1180 actions towards the specified partner websites 1150 .
    When a partner service 1150 responds to an action of the referred customer including 1180, its dragged response 1190, instead of going directly back to the customer, is channeled back through partner plumber 29140. There, client * proxy mediated 30060 uses partner mapper 30220 to reversibly replace partner return addresses in partnership actions with their partner-channeler aliases, issuing the modified responses as partner * proxy - client * proxy 30230 actions. Note that the translation of client addresses it may be unnecessary for referral partner transactions, if the partner channeler has a dedicated connection to the partner websites in question.
    Similarly to partner paraproxy 30020 on host plumber 29070, partner paraproxy 30050 on partner plumber 29140 uses partner inclusor 30240 to find partner references in outbound services partner actions corresponding to targets in the reference translation rule base of partner 30250, and replace them with a local nickname for the channel of the specified partner, issuing the inclusion results as partner * proxy - client * action proxy * proxy 30260, so that all client actions on these referrals are routed through the channel of the desired partner instead of going directly to the respective partner website 1150.
    Finally, partner * proxy mediated 30040 on host plumber 29140 then uses remapper * client 30270 to replace client * aliases on partner * proxy - client * action proxy * inclusion proxies 30260 with actual client addresses, issuing the modified responses as * proxy partner - action client * proxies 30280, and forwards them to the respective 1010 clients.
    In the preferred embodiment, partner paraproxies 30020 and 30050 are accelerated with caches 30310 and 30320, respectively. For static resources containing partner references that require mapping, caches store a copy of the resource with the references already mapped, along with information to determine whether the source has changed, such as a date and checksum for the unmapped resource. For static resources that do not require remapping, caches only store the decisive change, the absence of content that indicates that the source can be passed as unchanged. Each cache, or relevant items included in it, is also cleared when the respective partner translation rule bases 30150 or 30250 change.
    Partner address translation rule base 30150 and 30250 are maintained by repairman 29160 (See fig. 29) through repair actions 1090. In principle, the two rule bases may differ: Host service 1015 and partner 1150 issue different sets of responses 30110 and 1190 with different content, usually containing different sets of references to partner websites, which can be useful for routing traffic differently, even for partner references, in the event that an attack is directed directly to a partner site than to the host site. However, if the rule bases differ, or if host channel 29070 and partner channel 29140 are not co-residents, it is important to keep the rule base synchronized, both to avoid accidental collisions where different partner services are undesirably mapped. to the same address, and avoid referring an action to a plumber unprepared to remap your destination.
    In the preferred embodiment, substitutions in the 30150 and 30250 address translation rule bases can be conditioned by the customer, so that customers suspected of abuse through partner services 1150 can be prevented from visiting partners or diverting to others services on those sites, on the host site, on the threat detection site, or elsewhere for monitoring or other Remediation, or by changing the partner service addresses in the partner * proxy - client * proxy 30230 actions after visiting a partner site , changing the partner addresses in the client * proxy - partner * proxy 30200 actions before visiting a partner site, or changing the partner addresses in the host * proxy - client * proxy 30130 actions before the client can even attempt to visit a partner website. Conditional client partner translation is also useful for testing the inclusion of a partner service or a repair, limiting a replacement for the test personnel IP addresses, and for elimination, limiting it to an experimental group of clients.
    When host address substitutions, optionally customer-specific, for rule bases 30150 and 30250, the partner translator can also be used to change host service addresses in incoming customer actions or be incorporated into inbound service actions. exit in order to correct abuse involving a combination of partner and host services, or host services alone, either in general or by specific customers.
    More generally, since any partner service can refer to partner services not referred by the host or a previous partner, rule base 30250 on partner channel 29140 can target additional services not targeted on rule base 30150 on channel host number 29070. Thus, the plumber can be used to include communication not only with fixed partners, but with partner partners, and beyond.
    Host plumber 29070 and partner plumber 29140 issue records of their actions to logger 29150 (See Fig. 29) as host plumber record 30290 and partner plumber record 30300, respectively, using current time 6110 given by the clock master 6100 (see fig. 6), to allow the 1060 threat detector to detect threats involving partner websites, and for security personnel to directly monitor the operation of 29050 plumber for suspicious events and trends using a 2900v0 monitor (See fig. 29). Partner plumber logs also help the threat detector to improve time statistics for host client transactions, considering excursions to partner websites.
    One embodiment of the present invention relates to a computer storage product with a computer-readable storage medium having a computer code on it for performing various computer-implemented operations. The means of communication and computer code can be those specially designed and built for the purposes of the present invention, or they can be of the well-known type and available to those skilled in the areas of computer software. Examples of computer-readable media include, but are not limited to: magnetic media, such as hard drives, floppy disks and magnetic tapes; optical media such as DVDs, CD-ROMs and holographic devices; magneto-optical media, and hardware devices that are specially configured to store and execute a program code, such as application-specific integrated circuits ("ASIC"), programmable logic devices ("PLD") and ROM and RAM devices. Examples of computer code include machine code, such as that produced by a compiler, and files containing a high level of code that are executed by a computer through an interpreter. For example, a modality of the present invention can be implemented using Java ®, C ++, or another object-oriented programming language and development tools. Another embodiment of the invention can be implemented in wired circuits instead of, or in combination with, machine executable software instructions.
    The foregoing description, for the purpose of explanation, used specific nomenclature to provide a thorough understanding of the invention. However, it will be apparent to those skilled in the art the specific details that are not necessary for the practice of the invention. Thus, the foregoing descriptions of specific embodiments of the invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, obviously, many modifications and variations are possible in light of the previous teachings. The modalities have been chosen and described in order to better explain the principles of the invention and their practical applications, they thus allow others skilled in the art to better use the invention and various modalities with various modifications as they are appropriate for use. particularly contemplated. The following claims and their equivalents are intended to define the scope of the invention.
    权利要求:
    Claims (9)
    [0001]
    1. Computer-readable non-transient storage medium with instructions to run on a host computer, CHARACTERIZED for understanding instructions for: (i) recording a relationship between a partner site and the host computer; (ii) replace a reference to the partner site with a pseudonym of the partner site referencing the host computer; (iii) deliver the alias of the partner site to a customer; (iv) replace the alias of the partner site for the reference to the partner site in response to receiving the alias of the partner site from the client; (v) augmenting a customer's address with an address alias; (vi) send the alias address to the partner site; (vii) receiving an action from the partner and the alias of the address from the partner website; (viii) changing the address for the address pseudonym; (ix) deliver the partner's action to the customer using the address; (x) monitor from (ii) to (ix) to identify customer activity that constitutes a security threat on the host computer or on the partner website; and (xi) implement corrective action in response to the security threat, where corrective action is selected from blocking the customer, delaying the customer, diverting the customer to a harmless web page and providing the customer with false information.
    [0002]
    2. Computer-readable storage medium, according to claim 3, CHARACTERIZED by additionally comprising executable instructions for: analyzing a logical structure of the partner site; prepare a partner site map detailing intrinsic links between web pages, intrinsic access levels, intrinsic privilege levels and intrinsic security levels; evaluate security flaws in the logical structure of the partner site; determine whether an observed transition is consistent with the logical structure of the partner site; produce a session threat score based on the monitoring and logical structure of the partner site; issue a warning to the partner site in response to an identification of a structural security breach in the logical structure of the partner site; detect the appearance of a new service that is inconsistent with a pre-existing list of partner website services; rebuild a plurality of partner site sessions to identify the security threat; encrypt communications between the host computer and one between the partner site and the client; access security information from customer-facing data centers or internal service data centers.
    [0003]
    3. Computer-readable storage medium, according to claim 4, CHARACTERIZED for additionally comprising executable instructions for analyzing intercepted communications between the client and the partner site to assess the logical structure of the partner site.
    [0004]
    4. Computer-readable storage medium according to claim 1, CHARACTERIZED that the host computer is configured as a dedicated physical server, a virtual server shared with other services, a part of a server farm or a virtual server farm in a cloud computing.
    [0005]
    5. Computer-readable storage medium according to claim 1, CHARACTERIZED for additionally comprising executable instructions to alert a victim of the security threat using an independent communication channel.
    [0006]
    6. Computer-readable storage medium according to claim 1, CHARACTERIZED by the fact that the host computer is controlled by a first entity; and where the instructions for replacing the reference to the partner site with the alias of the partner site include instructions for: receiving, from third parties controlling the partner site, web content including (i) third party material for presentation to a customer user and (ii) a third party hyperlink that identifies the partner site, the third parties being different from the first entity controlling the host computer; generate, on the host computer, a web page containing modified web content, the modified web content including (i) third party material for presentation to the customer's user and (ii) a host computer hyperlink in place of the third party hyperlink, the hyperlink host computer identifying the host computer; provide the web page with the modified web content for the client; and perform network address translation to allow the customer and the partner site to exchange information across different networks.
    [0007]
    7. Computer-readable storage medium, according to claim 6, CHARACTERIZED by each one of the client, the host computer and the partner site to reside on a public network; and where the instructions for providing the web page having the modified web content to the client include instructions for sending, from the host computer, a web page that includes the host computer hyperlink identifying the host computer, a host computer IP address to identify a web page network source, and a client IP address to identify a web page network destination.
    [0008]
    8. Method for providing security on a host computer controlled by a first entity, CHARACTERIZED by understanding: receiving, from third parties controlling a partner site, web content including (i) third party material for presentation to a user of a client device and (ii) a third party hyperlink that identifies the partner site, the third party being different from the first entity controlling the host computer; generate, on the host computer, a web page containing modified web content, the modified web content including (i) third party material for presentation to the user of the client device and (ii) a host computer hyperlink in place of the third party hyperlink , the host computer hyperlink identifying the host computer; provide the web page with the modified web content for the client device; receiving a client message from the client device, the client message including (i) a request to access a resource on the partner site and (ii) a client address identifying the client device; generate a proxy message based on the client's message, the proxy message including (i) the request to access a resource on the partner site and (ii) a proxy address identifying the host computer; provide the proxy message to the partner site; receive a partner action message from the partner site in response to the proxy message, the partner action message including (i) a partner action response and (ii) a partner site address identifying the partner site; generate a proxy action message based on the partner action message, the proxy action message, the partner action message including (i) a partner action response and (ii) a proxy address identifying the computer host; provide the proxy device message to the client device; monitor communications between the client device and the partner site through the host computer to identify security threats resulting from communications; and implement corrective action in response to an identified security threat, the corrective action being selected from blocking the client device, delaying the client device, diverting the client device to a harmless web page and providing the client device with false information.
    [0009]
    9. Network security device, FEATURED for understanding: a communication interface; memory; and processing circuits coupled to the communication interface and memory, the memory storing instructions that, when executed by the processing circuits, make the processing circuits: receive, from third parties controlling a partner site, web content including (i) material of third parties for presentation to a user of a client device and (ii) a third party hyperlink that identifies the partner site, the third parties being different from the first entity controlling the host computer, generating, by the host computer, a web page with modified web content , the modified web content including (i) third party material for presentation to the user of the client device and (ii) a host computer hyperlink in place of the third party hyperlink, the host computer hyperlink identifying the host computer; provide the web page having the web content modified for the client device, receive a client message from the client device, the client message including (i) a request to access a partner website resource and (ii) a client address identifying the client device, generating a proxy message based on the client message, the proxy message including (i) the request to access a resource from the partner site and (ii) a proxy address identifying the host computer, providing the proxy to the partner site, receive a partner action message from the partner site in response to the proxy message, the partner action message including (i) a partner action response and (ii) a partner site address identifying the partner site, generate a proxy action message based on the partner action message, the proxy action message, the partner action message including (i) the partner action response and (ii) an address proxy link identifying the host computer, providing the proxy device message to the client device, monitoring communications between the client device and the partner site through the host computer to identify security threats resulting from communications, and implement corrective action in response to an identified security threat, the corrective action being selected from blocking the client device, delaying the client device, diverting the client device to a harmless web page and providing the client device with false information.
    类似技术:
    公开号 | 公开日 | 专利标题
    BR112012022088B1|2020-12-08|computer-readable non-transient storage medium with instructions for running on a host computer, method for providing security on a host computer, and network security device
    US8756684B2|2014-06-17|System and method for network security including detection of attacks through partner websites
    US9021583B2|2015-04-28|System and method for network security including detection of man-in-the-browser attacks
    US20200344246A1|2020-10-29|Apparatus, system and method for identifying and mitigating malicious network threats
    US20200287925A1|2020-09-10|Entity Group Behavior Profiling
    US10469514B2|2019-11-05|Collaborative and adaptive threat intelligence for computer security
    US10116677B2|2018-10-30|Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers
    Biryukov et al.2013|Trawling for tor hidden services: Detection, measurement, deanonymization
    US20120180120A1|2012-07-12|System for data leak prevention from networks using context sensitive firewall
    US20200267168A1|2020-08-20|Network attack tainting and tracking
    Steinebach et al.2019|Detection and analysis of Tor onion services
    Anderson et al.2020|Accurate TLS Fingerprinting using Destination Context and Knowledge Bases
    Di Martino et al.2020|Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic
    Shbair2017|Service-level monitoring of https traffic
    BR112012018643B1|2021-12-07|METHOD FOR DETECTION OF UNAUTHORIZED ACCESS TO SECURE ONLINE RESOURCES, NETWORK SECURITY SYSTEM TO DETECT UNAUTHORIZED ACCESS TO SECURE ONLINE RESOURCES AND COMPUTER READable STORAGE MEDIA
    Mohammed2021|Network-Based Detection and Prevention System Against DNS-Based Attacks
    Kondracki et al.2021|Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
    Pearce2018|Methods and Systems for Understanding Large-Scale Internet Threats
    Hageman2021|Network Measurements and Security: Untangling the Web of Domain Names, Certificates, and Mobile Apps
    Torbjørnsen2018|A Study of Applied Passive TLS Analysis
    Mani2019|Privacy-Preserving Systems for Measuring Anonymity Networks
    Tandra et al.2014|Security for cloud based services
    Sy2019|Enhanced Performance and Privacy for Core Internet Protocols
    Kont2014|Event Management and active defense framework for small companies
    Forte2006|The state of the art in digital forensics
    同族专利:
    公开号 | 公开日
    US20110214187A1|2011-09-01|
    AU2011223767B2|2015-11-19|
    CA2791566A1|2011-09-09|
    EP2542971A4|2016-12-07|
    EP2542971B1|2019-01-30|
    CA2791566C|2018-09-18|
    US8627479B2|2014-01-07|
    SG183332A1|2012-09-27|
    AU2011223767A1|2012-09-13|
    WO2011109420A1|2011-09-09|
    EP2542971A1|2013-01-09|
    BR112012022088A2|2016-06-14|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    CA2048306A1|1990-10-02|1992-04-03|Steven P. Miller|Distributed configuration profile for computing system|
    US5632011A|1995-05-22|1997-05-20|Sterling Commerce, Inc.|Electronic mail management system for operation on a host computer system|
    US5826014A|1996-02-06|1998-10-20|Network Engineering Software|Firewall system for protecting network elements connected to a public network|
    US6571290B2|1997-06-19|2003-05-27|Mymail, Inc.|Method and apparatus for providing fungible intercourse over a network|
    EP1269286B1|2000-03-03|2008-11-19|International Business Machines Corporation|System for determining web application vulnerabilities|
    US7308709B1|2000-04-21|2007-12-11|Microsoft Corporation|System and method for managing and authenticating services via service principal names|
    US20010051981A1|2000-06-05|2001-12-13|Microsoft Corporation|Methods and systems for discovering object-exchange resources on a network|
    US7103651B2|2000-11-30|2006-09-05|Nortel Networks Limited|Method and apparatus for discovering client proximity network sites|
    US20030026230A1|2001-08-02|2003-02-06|Juan-Antonio Ibanez|Proxy duplicate address detection for dynamic address allocation|
    US8281129B1|2001-08-29|2012-10-02|Nader Asghari-Kamrani|Direct authentication system and method via trusted authenticators|
    WO2003067405A2|2002-02-07|2003-08-14|Empirix Inc.|Automated security threat testing of web pages|
    US7657540B1|2003-02-04|2010-02-02|Seisint, Inc.|Method and system for linking and delinking data records|
    US7895648B1|2004-03-01|2011-02-22|Cisco Technology, Inc.|Reliably continuing a secure connection when the address of a machine at one end of the connection changes|
    US20060037077A1|2004-08-16|2006-02-16|Cisco Technology, Inc.|Network intrusion detection system having application inspection and anomaly detection characteristics|
    US8281401B2|2005-01-25|2012-10-02|Whitehat Security, Inc.|System for detecting vulnerabilities in web applications using client-side application interfaces|
    US7730142B2|2005-07-01|2010-06-01|0733660 B.C. Ltd.|Electronic mail system with functionality to include both private and public messages in a communication|
    US8464334B1|2007-04-18|2013-06-11|Tara Chand Singhal|Systems and methods for computer network defense II|
    US8554946B2|2008-10-13|2013-10-08|Telefonaktiebolaget L M Ericsson |NAT traversal method and apparatus|
    WO2011041465A1|2009-09-30|2011-04-07|Tracking.Net|Enhanced website tracking system and method|US8127986B1|2007-12-14|2012-03-06|Consumerinfo.Com, Inc.|Card registry systems and methods|
    US9990674B1|2007-12-14|2018-06-05|Consumerinfo.Com, Inc.|Card registry systems and methods|
    US8312033B1|2008-06-26|2012-11-13|Experian Marketing Solutions, Inc.|Systems and methods for providing an integrated identifier|
    US8060424B2|2008-11-05|2011-11-15|Consumerinfo.Com, Inc.|On-line method and system for monitoring and reporting unused available credit|
    US8850584B2|2010-02-08|2014-09-30|Mcafee, Inc.|Systems and methods for malware detection|
    US9058323B2|2010-12-30|2015-06-16|Ss8 Networks, Inc.|System for accessing a set of communication and transaction data associated with a user of interest sourced from multiple different network carriers and for enabling multiple analysts to independently and confidentially access the set of communication and transaction data|
    US8938534B2|2010-12-30|2015-01-20|Ss8 Networks, Inc.|Automatic provisioning of new users of interest for capture on a communication network|
    JP5329589B2|2011-03-17|2013-10-30|株式会社三菱東京Ufj銀行|Transaction processing system and operation method of transaction processing system|
    US8972612B2|2011-04-05|2015-03-03|SSB Networks, Inc.|Collecting asymmetric data and proxy data on a communication network|
    EP2715599B1|2011-05-31|2019-07-03|EntIT Software LLC|Application security testing|
    US9501650B2|2011-05-31|2016-11-22|Hewlett Packard Enterprise Development Lp|Application security testing|
    US9607336B1|2011-06-16|2017-03-28|Consumerinfo.Com, Inc.|Providing credit inquiry alerts|
    US9483606B1|2011-07-08|2016-11-01|Consumerinfo.Com, Inc.|Lifescore|
    US9106691B1|2011-09-16|2015-08-11|Consumerinfo.Com, Inc.|Systems and methods of identity protection and management|
    US8935750B2|2011-10-03|2015-01-13|Kaspersky Lab Zao|System and method for restricting pathways to harmful hosts in computer networks|
    US8738516B1|2011-10-13|2014-05-27|Consumerinfo.Com, Inc.|Debt services candidate locator|
    EP2587397A1|2011-10-28|2013-05-01|Telefonaktiebolaget LM Ericsson |Browser device access proxy|
    US20130132508A1|2011-11-21|2013-05-23|Google Inc.|Low latency referrer free requests|
    WO2013130867A1|2012-02-29|2013-09-06|Sourcefire, Inc.|Method and apparatus for retroactively detecting malicious or otherwise undesirable software|
    US10445721B2|2012-06-25|2019-10-15|Visa International Service Association|Method and system for data security utilizing user behavior and device identification|
    US9092782B1|2012-06-29|2015-07-28|Emc Corporation|Methods and apparatus for risk evaluation of compromised credentials|
    US9348936B2|2012-07-25|2016-05-24|Oracle International Corporation|Heuristic caching to personalize applications|
    US9350762B2|2012-09-25|2016-05-24|Ss8 Networks, Inc.|Intelligent feedback loop to iteratively reduce incoming network data for analysis|
    US9313213B2|2012-10-18|2016-04-12|White Ops, Inc.|System and method for detecting classes of automated browser agents|
    WO2014065801A1|2012-10-25|2014-05-01|Empire Technology Development Llc|Secure system time reporting|
    US9853995B2|2012-11-08|2017-12-26|AO Kaspersky Lab|System and method for restricting pathways to harmful hosts in computer networks|
    US9654541B1|2012-11-12|2017-05-16|Consumerinfo.Com, Inc.|Aggregating user web browsing data|
    US9916621B1|2012-11-30|2018-03-13|Consumerinfo.Com, Inc.|Presentation of credit score factors|
    US10255598B1|2012-12-06|2019-04-09|Consumerinfo.Com, Inc.|Credit card account data extraction|
    WO2014111863A1|2013-01-16|2014-07-24|Light Cyber Ltd.|Automated forensics of computer systems using behavioral intelligence|
    US9870589B1|2013-03-14|2018-01-16|Consumerinfo.Com, Inc.|Credit utilization tracking and reporting|
    US9406085B1|2013-03-14|2016-08-02|Consumerinfo.Com, Inc.|System and methods for credit dispute processing, resolution, and reporting|
    US10102570B1|2013-03-14|2018-10-16|Consumerinfo.Com, Inc.|Account vulnerability alerts|
    US10685398B1|2013-04-23|2020-06-16|Consumerinfo.Com, Inc.|Presenting credit score information|
    US10325314B1|2013-11-15|2019-06-18|Consumerinfo.Com, Inc.|Payment reporting systems|
    US9544293B2|2013-09-20|2017-01-10|Oracle International Corporation|Global unified session identifier across multiple data centers|
    US10694029B1|2013-11-07|2020-06-23|Rightquestion, Llc|Validating automatic number identification data|
    EP3069494B1|2013-11-11|2020-08-05|Microsoft Technology Licensing, LLC|Cloud service security broker and proxy|
    US9477737B1|2013-11-20|2016-10-25|Consumerinfo.Com, Inc.|Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules|
    WO2015084344A1|2013-12-04|2015-06-11|Empire Technolgy Development, Llc|Detection of side channel attacks between virtual machines|
    US9270647B2|2013-12-06|2016-02-23|Shape Security, Inc.|Client/server security by an intermediary rendering modified in-memory objects|
    CN104125209B|2014-01-03|2015-09-09|腾讯科技(深圳)有限公司|Malice website prompt method and router|
    US8954583B1|2014-01-20|2015-02-10|Shape Security, Inc.|Intercepting and supervising calls to transformed operations and objects|
    US9544329B2|2014-03-18|2017-01-10|Shape Security, Inc.|Client/server security by an intermediary executing instructions received from a server and rendering client application instructions|
    RU2571721C2|2014-03-20|2015-12-20|Закрытое акционерное общество "Лаборатория Касперского"|System and method of detecting fraudulent online transactions|
    US9892457B1|2014-04-16|2018-02-13|Consumerinfo.Com, Inc.|Providing credit data in search results|
    US9830593B2|2014-04-26|2017-11-28|Ss8 Networks, Inc.|Cryptographic currency user directory data and enhanced peer-verification ledger synthesis through multi-modal cryptographic key-address mapping|
    US9210171B1|2014-05-29|2015-12-08|Shape Security, Inc.|Selectively protecting valid links to pages of a web site|
    US9083739B1|2014-05-29|2015-07-14|Shape Security, Inc.|Client/server authentication using dynamic credentials|
    US9225738B1|2014-06-30|2015-12-29|Emc Corporation|Markov behavior scoring|
    US9680855B2|2014-06-30|2017-06-13|Neo Prime, LLC|Probabilistic model for cyber risk forecasting|
    US9003511B1|2014-07-22|2015-04-07|Shape Security, Inc.|Polymorphic security policy action|
    US9438625B1|2014-09-09|2016-09-06|Shape Security, Inc.|Mitigating scripted attacks using dynamic polymorphism|
    US9954893B1|2014-09-23|2018-04-24|Shape Security, Inc.|Techniques for combating man-in-the-browser attacks|
    US9800602B2|2014-09-30|2017-10-24|Shape Security, Inc.|Automated hardening of web page content|
    US20160182561A1|2014-12-18|2016-06-23|Level 3 Communications, Llc|Route monitoring system for a communication network|
    US11023117B2|2015-01-07|2021-06-01|Byron Burpulis|System and method for monitoring variations in a target web page|
    US9565205B1|2015-03-24|2017-02-07|EMC IP Holding Company LLC|Detecting fraudulent activity from compromised devices|
    US9608975B2|2015-03-30|2017-03-28|Shape Security, Inc.|Challenge-dynamic credential pairs for client/server request validation|
    US9984154B2|2015-05-01|2018-05-29|Morpho Detection, Llc|Systems and methods for analyzing time series data based on event transitions|
    US10075461B2|2015-05-31|2018-09-11|Palo Alto NetworksLtd.|Detection of anomalous administrative actions|
    US9984230B2|2015-06-26|2018-05-29|Mcafee, Llc|Profiling event based exploit detection|
    US9769147B2|2015-06-29|2017-09-19|Oracle International Corporation|Session activity tracking for session adoption across multiple data centers|
    WO2017007705A1|2015-07-06|2017-01-12|Shape Security, Inc.|Asymmetrical challenges for web security|
    EP3125147B1|2015-07-27|2020-06-03|Swisscom AG|System and method for identifying a phishing website|
    US10693859B2|2015-07-30|2020-06-23|Oracle International Corporation|Restricting access for a single sign-onsession|
    US9747434B1|2015-09-17|2017-08-29|EMC IP Holding Company LLC|Authenticating with an external device by providing a message having message fields arranged in a particular message field order|
    US9781158B1|2015-09-30|2017-10-03|EMC IP Holding Company LLC|Integrated paronymous network address detection|
    US10581826B2|2015-10-22|2020-03-03|Oracle International Corporation|Run-time trust management system for access impersonation|
    US10454936B2|2015-10-23|2019-10-22|Oracle International Corporation|Access manager session management strategy|
    US10212130B1|2015-11-16|2019-02-19|Shape Security, Inc.|Browser extension firewall|
    US10033764B1|2015-11-16|2018-07-24|Symantec Corporation|Systems and methods for providing supply-chain trust networks|
    CN107203567A|2016-03-18|2017-09-26|伊姆西公司|Method and apparatus for searching for word string|
    US10115108B1|2016-03-29|2018-10-30|EMC IP Holding Company LLC|Rendering transaction data to identify fraud detection rule strength|
    CN107645517B|2016-07-20|2021-04-16|腾讯科技(深圳)有限公司|Data pushing method and device|
    US20180077227A1|2016-08-24|2018-03-15|Oleg Yeshaya RYABOY|High Volume Traffic Handling for Ordering High Demand Products|
    US10686829B2|2016-09-05|2020-06-16|Palo Alto NetworksLtd.|Identifying changes in use of user credentials|
    US10623501B2|2016-09-15|2020-04-14|Oracle International Corporation|Techniques for configuring sessions across clients|
    US10880322B1|2016-09-26|2020-12-29|Agari Data, Inc.|Automated tracking of interaction with a resource of a message|
    US9847973B1|2016-09-26|2017-12-19|Agari Data, Inc.|Mitigating communication risk by detecting similarity to a trusted message contact|
    US11044267B2|2016-11-30|2021-06-22|Agari Data, Inc.|Using a measure of influence of sender in determining a security risk associated with an electronic message|
    US10375098B2|2017-01-31|2019-08-06|Splunk Inc.|Anomaly detection based on relationships between multiple time series|
    US10243992B2|2017-02-06|2019-03-26|Facebook, Inc.|Secure content delivery over a domain portal|
    US11019076B1|2017-04-26|2021-05-25|Agari Data, Inc.|Message security assessment using sender identity profiles|
    US10805314B2|2017-05-19|2020-10-13|Agari Data, Inc.|Using message context to evaluate security of requested data|
    US10454672B2|2017-05-25|2019-10-22|Facebook, Inc.|Systems and methods for preventing session fixation over a domain portal|
    US11102244B1|2017-06-07|2021-08-24|Agari Data, Inc.|Automated intelligence gathering|
    US10554678B2|2017-07-26|2020-02-04|Cisco Technology, Inc.|Malicious content detection with retrospective reporting|
    US11050730B2|2017-09-27|2021-06-29|Oracle International Corporation|Maintaining session stickiness across authentication and authorization channels for access management|
    US10157275B1|2017-10-12|2018-12-18|Oracle International Corporation|Techniques for access management based on multi-factor authentication including knowledge-based authentication|
    US10609068B2|2017-10-18|2020-03-31|International Business Machines Corporation|Identification of attack flows in a multi-tier network topology|
    CN107947984B|2017-11-24|2021-08-03|浙江网新电气技术有限公司|Fault prediction processing method and system for railway passenger service|
    US10999304B2|2018-04-11|2021-05-04|Palo Alto NetworksLtd.|Bind shell attack detection|
    US10305479B1|2018-06-12|2019-05-28|Nxp B.V.|Fault attack protection against synchronized fault injections|
    US10880313B2|2018-09-05|2020-12-29|Consumerinfo.Com, Inc.|Database platform for realtime updating of user data from third party sources|
    US11184377B2|2019-01-30|2021-11-23|Palo Alto NetworksLtd.|Malicious port scan detection using source profiles|
    US11070569B2|2019-01-30|2021-07-20|Palo Alto NetworksLtd.|Detecting outlier pairs of scanned ports|
    US11184378B2|2019-01-30|2021-11-23|Palo Alto NetworksLtd.|Scanner probe detection|
    US11184376B2|2019-01-30|2021-11-23|Palo Alto NetworksLtd.|Port scan detection using destination profiles|
    US11238656B1|2019-02-22|2022-02-01|Consumerinfo.Com, Inc.|System and method for an augmented reality experience via an artificial intelligence bot|
    US11134078B2|2019-07-10|2021-09-28|Oracle International Corporation|User-specific session timeouts|
    US11012492B1|2019-12-26|2021-05-18|Palo Alto NetworksLtd.|Human activity detection in computing device transmissions|
    CN111711598A|2020-04-23|2020-09-25|中国电子科技网络信息安全有限公司|Sensitive data detection system for large-scale SSL/TLS encrypted session stream|
    CN111832024B|2020-07-27|2021-09-24|东方财富信息股份有限公司|Big data security protection method and system|
    法律状态:
    2019-01-08| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|
    2019-04-30| B25A| Requested transfer of rights approved|Owner name: EMC IP HOLDING COMPANY LLC (US) |
    2019-09-17| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
    2020-05-26| B06A| Patent application procedure suspended [chapter 6.1 patent gazette]|
    2020-09-01| B09A| Decision: intention to grant [chapter 9.1 patent gazette]|
    2020-12-08| B16A| Patent or certificate of addition of invention granted [chapter 16.1 patent gazette]|Free format text: PRAZO DE VALIDADE: 20 (VINTE) ANOS CONTADOS A PARTIR DE 01/03/2011, OBSERVADAS AS CONDICOES LEGAIS. |
    优先权:
    申请号 | 申请日 | 专利标题
    US33924810P| true| 2010-03-01|2010-03-01|
    US61/339,248|2010-03-01|
    PCT/US2011/026720|WO2011109420A1|2010-03-01|2011-03-01|System and method for network security including detection of attacks through partner websites|
    [返回顶部]