公开(公告)号：US20170339166A1

公开(公告)日：2017-11-23

申请号：US15158367

申请日：2016-05-18

Applicant: salesforce.com, inc.

Inventor： John Brooke Althouse ,  William Roger Salusky ,  Jeffrey S. Atkinson

IPC: H04L29/06 ,  H04L1/12

CPC classification number: H04L63/1416 ,  H04L1/12 ,  H04L63/0236 ,  H04L67/42

Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.

公开(公告)号：US10536439B2

公开(公告)日：2020-01-14

申请号：US15589220

申请日：2017-05-08

Applicant: salesforce.com, inc.

Inventor： John Brooke Althouse ,  Jeffrey S. Atkinson ,  Joshua Atkins

IPC: G06F21/00 ,  H04L29/06 ,  H04L12/26

Abstract: Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than using IP addresses. A unique client fingerprint can be based on data found in the client's SSL client hello packet. SSL version, cipher suites, and other fields of the packet can be utilized, preferably utilizing individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be formed using client fingerprints so formed.

公开(公告)号：US10135847B2

公开(公告)日：2018-11-20

申请号：US15158367

申请日：2016-05-18

Applicant: salesforce.com, inc.

Inventor： John Brooke Althouse ,  William Roger Salusky ,  Jeffrey S. Atkinson

IPC: H04L29/06 ,  H04L1/12

Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.