-
Publication No.: US11128606B2
Publication Date: 2021-09-21
Application No.: US16708211
Filing Date: 2019-12-09
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, Jeffery S. Atkinson, Joshua Atkins
Abstract: Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than IP addresses. A unique client fingerprint can be based on data found in the client's SSL client hello packet. The SSL version, cipher suites, and other fields of the packet can be used, preferably taking the individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be built from the client fingerprints so formed.
-
Publication No.: US10536439B2
Publication Date: 2020-01-14
Application No.: US15589220
Filing Date: 2017-05-08
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, Jeffrey S. Atkinson, Joshua Atkins
Abstract: Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than IP addresses. A unique client fingerprint can be based on data found in the client's SSL client hello packet. The SSL version, cipher suites, and other fields of the packet can be used, preferably taking the individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be built from the client fingerprints so formed.
-
Publication No.: US10135847B2
Publication Date: 2018-11-20
Application No.: US15158367
Filing Date: 2016-05-18
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, William Roger Salusky, Jeffrey S. Atkinson
Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network and an exterior or "foreign" network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.
-
Publication No.: US11411997B2
Publication Date: 2022-08-09
Application No.: US17125283
Filing Date: 2020-12-17
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, Andrew Smart, Randy Nunnally, Jr., Michael Brady, Caleb Yu
Abstract: Methods, systems, and devices supporting active fingerprinting for transport layer security (TLS) servers are described. In some systems, a client device may transmit the same set of client hello messages to each TLS server. The client device may receive a set of server hello messages in response to the standard set of client hello messages, based on the contents of each client hello message. For example, a server hello message may indicate a selected cipher suite, TLS protocol version, and set of extensions in response to the specific information included in a client hello message. The client device may generate a hash value (e.g., a fuzzy hash) based on the set of server hello messages received from a TLS server. By comparing the hash values generated for different TLS servers, the client device may determine whether the TLS configurations of the different TLS servers are the same or different.
-
Publication No.: US20220368724A1
Publication Date: 2022-11-17
Application No.: US17815727
Filing Date: 2022-07-28
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, Andrew Smart, Randy Nunnally, Jr., Michael Brady, Caleb Yu
Abstract: Methods, systems, and devices supporting active fingerprinting for transport layer security (TLS) servers are described. In some systems, a client device may transmit the same set of client hello messages to each TLS server. The client device may receive a set of server hello messages in response to the standard set of client hello messages, based on the contents of each client hello message. For example, a server hello message may indicate a selected cipher suite, TLS protocol version, and set of extensions in response to the specific information included in a client hello message. The client device may generate a hash value (e.g., a fuzzy hash) based on the set of server hello messages received from a TLS server. By comparing the hash values generated for different TLS servers, the client device may determine whether the TLS configurations of the different TLS servers are the same or different.
-
Publication No.: US20170339166A1
Publication Date: 2017-11-23
Application No.: US15158367
Filing Date: 2016-05-18
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, William Roger Salusky, Jeffrey S. Atkinson
CPC classification number: H04L63/1416, H04L1/12, H04L63/0236, H04L67/42
Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network and an exterior or "foreign" network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.