-
Publication (announcement) number: US10135847B2
Publication (announcement) date: 2018-11-20
Application number: US15158367
Application date: 2016-05-18
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, William Roger Salusky, Jeffrey S. Atkinson
Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.
-
Publication (announcement) number: US20170339166A1
Publication (announcement) date: 2017-11-23
Application number: US15158367
Application date: 2016-05-18
Applicant: salesforce.com, inc.
Inventor: John Brooke Althouse, William Roger Salusky, Jeffrey S. Atkinson
CPC classification number: H04L63/1416, H04L1/12, H04L63/0236, H04L67/42
Abstract: A client system such as a database system may be vulnerable to intrusion by an unauthorized user or system through a reverse secure shell connection that enables the intruder to execute OS-level or shell commands on the client system. A reverse shell connection may be detected by monitoring and inspecting packet data traffic between the client system or internal network, and an exterior or “foreign” network. In one example of such a process, after detecting a normal shell session originating inside the internal network, a reverse shell connection exploiting the initial shell detection is detected by analyzing the transmission directions and payload sizes of a sequence of the monitored packets relative to a predetermined traffic pattern. The specific pattern may be selected for different operating systems.
-