Title: Unwanted tunneling alert system
Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and the remote IP addresses to which those connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If such an IP address is found, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.
Publication number: US9419992 (B2) Publication date: 2016.08.16
Application number: US201514823935 Filing date: 2015.08.11
Applicant: Palantir Technologies Inc. Inventors: Ricafort Juan; Singh Harkirat; Martin Philip
Classification: G06F12/14; H04L29/06; H04L29/12; G06F21/55 Main classification: G06F12/14
Agency: Knobbe, Martens, Olson & Bear, LLP Agent: Knobbe, Martens, Olson & Bear, LLP
Independent claim: 1. A computing system configured to detect and handle malicious network tunneling, the computing system comprising: a computer processor; and a non-transitory computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to: access a virtual private network (VPN) log including a listing of one or more first client IP addresses assigned to a corresponding one or more remote users granted access to the network via VPN connections; access a data connection log including a listing of one or more second client IP addresses that requested outbound data connections from the network and a listing of one or more remote IP addresses identified by the outbound data connections; identify a first IP address included in the VPN log as a first client IP address and in the data connection log as a remote IP address; determine user data associated with the first IP address, the user data including one or more of a user identity, a user role, a user geographic location, or a user access level; determine traffic data associated with the first IP address, the traffic data including information regarding any connections from the network initiated by the first IP address; generate a risk score based on at least the determined user data and the determined traffic data, the risk score at least partly indicative of a likelihood that the traffic data includes one or more malicious tunneling connections; and generate an alert if the risk score exceeds a threshold value.
Address: Palo Alto CA US
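The detection pipeline described in the abstract and in claim 1 (parse the VPN log, parse the outbound data connection log, intersect VPN client IPs with remote IPs, pull user and traffic data for each hit, score it, alert above a threshold) can be sketched as a small detector. The following is an added worked example and is not code from the patent or from Palantir Technologies. The log formats, the regular expressions, the user directory, the scoring weights, the expected-location list, the common-port list and the threshold are all assumptions made for the example; the log lines are constructed.

```python
"""Cross-reference VPN logs with outbound connection logs to flag a VPN client
address that an internal host has connected *out to*, which is the pattern the
abstract and claim 1 above describe.  Added example; log formats, field names,
user directory, weights and threshold are assumptions, not the patent's."""
import re

# Constructed VPN log: each line records the client IP assigned to a remote
# user when the VPN connection was established (format is an assumption).
VPN_LOG = """\
2015-08-11T08:01:02Z vpn connect user=alice client_ip=10.8.0.12
2015-08-11T08:05:44Z vpn connect user=bob client_ip=10.8.0.37
2015-08-11T09:12:10Z vpn connect user=carol client_ip=10.8.0.51
"""

# Constructed outbound data connection log (firewall/proxy style): each line
# records a client on the enterprise network requesting a remote IP.
CONN_LOG = """\
2015-08-11T08:20:00Z conn src=192.168.5.20 dst=93.184.216.34 dport=443 bytes=8123
2015-08-11T08:22:15Z conn src=192.168.5.20 dst=10.8.0.37 dport=4444 bytes=650000
2015-08-11T08:30:01Z conn src=10.8.0.37 dst=198.51.100.7 dport=22 bytes=120000
2015-08-11T08:31:09Z conn src=10.8.0.37 dst=198.51.100.8 dport=8080 bytes=90000
2015-08-11T08:40:00Z conn src=10.8.0.12 dst=93.184.216.34 dport=443 bytes=2048
"""

# Constructed user directory standing in for the claim's "user data"
# (identity, role, geographic location, access level).
USER_DIRECTORY = {
    "alice": {"role": "engineer", "location": "US", "access_level": "standard"},
    "bob": {"role": "contractor", "location": "DE", "access_level": "admin"},
    "carol": {"role": "analyst", "location": "US", "access_level": "standard"},
}

# Assumed tuning knobs for the risk score.
ALERT_THRESHOLD = 60
EXPECTED_LOCATIONS = {"US", "CA"}
COMMON_PORTS = {80, 443}

VPN_RE = re.compile(r"user=(?P<user>\S+) client_ip=(?P<ip>\S+)")
CONN_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def parse_vpn_log(text):
    """Return {client_ip: user} for every VPN connection in the log."""
    clients = {}
    for line in text.splitlines():
        m = VPN_RE.search(line)
        if m:
            clients[m["ip"]] = m["user"]
    return clients


def parse_conn_log(text):
    """Return a list of (src, dst, dport, bytes) tuples for outbound requests."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append((m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    return conns


def find_tunnel_candidates(vpn_clients, conns):
    """IPs listed as a VPN client IP *and* as the remote IP of an outbound request.

    A VPN client merely initiating its own outbound traffic is not a hit; the
    suspicious case is an internal host reaching out to the client's address."""
    remote_ips = {dst for _, dst, _, _ in conns}
    return sorted(ip for ip in vpn_clients if ip in remote_ips)


def risk_score(ip, vpn_clients, conns):
    """Score a candidate from its user data and the traffic it initiated.

    Weights are illustrative assumptions chosen for this example."""
    user = vpn_clients[ip]
    info = USER_DIRECTORY.get(user, {})
    score = 40  # base: an internal host requested a connection to this VPN client IP
    if info.get("access_level") == "admin":
        score += 20
    if info.get("location") not in EXPECTED_LOCATIONS:
        score += 15
    # Traffic data per the claim: connections from the network initiated by the IP.
    initiated = [c for c in conns if c[0] == ip]
    score += 5 * len({c[1] for c in initiated})  # distinct destinations reached
    if any(c[2] not in COMMON_PORTS for c in initiated):
        score += 10
    return score, {"user": user, **info, "connections_initiated": len(initiated)}


def detect(vpn_log, conn_log, threshold=ALERT_THRESHOLD):
    """Run the whole pipeline and return one alert dict per candidate over threshold."""
    vpn_clients = parse_vpn_log(vpn_log)
    conns = parse_conn_log(conn_log)
    alerts = []
    for ip in find_tunnel_candidates(vpn_clients, conns):
        score, details = risk_score(ip, vpn_clients, conns)
        if score > threshold:
            alerts.append({"ip": ip, "risk_score": score, **details})
    return alerts


if __name__ == "__main__":
    for a in detect(VPN_LOG, CONN_LOG):
        print(f"ALERT ip={a['ip']} user={a['user']} score={a['risk_score']}")
```

On the constructed input only 10.8.0.37 is flagged: an internal host connected out to it on port 4444, and the same address then initiated connections to two external hosts on non-web ports under an admin account from outside the expected locations. The address 10.8.0.12 appears in both logs but only as a source, so it is correctly left alone. In a real deployment the threshold and weights would be tuned against the enterprise's own baseline, and the alert payload is what would feed the GUI the abstract mentions.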