This invention relates to the field of computer systems. More particularly, a method and apparatus are provided for detecting various types of cyber threats.
Cyber threats are a given in today's computing environments. Although some types of threats, such as viruses, worms and denial of service attacks seem to receive the most publicity, many other types of threats exist, having a wide range of severity and ease of detection.
For example, several threats involve the use of cookies stolen from a victim's computing device or intercepted in transit. Traditional cookies are textual name-value pairs that a browser stores on a user's computing device when the browser visits a web site that uses cookies. These types of cookies are sometimes called browser cookies or HTTP (Hyper Text Transport Protocol) cookies, and a site may store virtually any number of them on a user's computing device.
Browser cookies are typically used to provide information regarding a user or computing device across multiple visits to the web sites that originated the cookies. Thus, a browser cookie may be stored on the computing device the first time a user visits a particular web site, and may contain a session identifier, a username, an IP (Internet Protocol) address of the computing device, a random string or any other value. When the user returns to the web site in a later browser session, the browser automatically sends the cookie to the site. The cookie's content may be used to identify the user, personalize the web page it presents based on the user's preferences, load a shopping cart with items previously selected by the user, etc.
Other information stored by a browser may be used in a manner similar to a traditional browser cookie. For example, a browser's history keeps track of web sites (e.g., by URL (Uniform Resource Locator)) the browser visits. A given site can then query or probe a user's browser to learn whether the browser has visited a target web site.
Not all sites in the browser's history may actually have been viewed by the user, because a given web page or other collection of program code (such as HTML (Hyper Text Markup Language)) presented by the browser may have ordered the browser to open a site in a frame that a user does not actually see (e.g., an HTML IFrame). This allows the source web site to plant information of its choice in the browser history. Because the browser history can provide tracking information similar to a browser cookie, an entry in a browser history could be termed a “history cookie”.
Similarly, a browser typically caches various objects (e.g., icons, logos, other images, links) for possible reuse, to avoid having to download them multiple times. A page sent to a browser from a web site may include any number of cacheable objects. By observing which objects the browser does not download in order to present that page, the web site can determine which objects the browser already has in its cache. Some of those objects may be “web bugs”—invisible or tiny (e.g., 1 pixel by 1 pixel) objects that a user may not realize are being displayed by her browser.
Because a given object may be very specific, meaning that it is only downloaded from one source or a limited number of sources, the web site can determine that the browser likely has or has not visited a source. Therefore, a particular object in a browser cache (or even the lack of the particular object) may be considered a “cache cookie” and be used to track or determine a user's browsing activity.
Each of these types of cookies—a traditional cookie, a history cookie and a cache cookie—may be generated in two or more forms, which may reflect the manner in which the source or associated web site or object is identified. For example, a domain-based cookie identifies the source or associated web site by a URL (e.g., www.example.com). An IP-based cookie identifies the site by an IP address (e.g., 192.168.1.1).
Several types of cyber threats involve the theft or interception of cookies, which may then be used to allow a malicious actor to masquerade as the victim. A cookie thief may be able to pose as a valid user to a target web site and obtain data or access to information that he or she would not otherwise have been able to access.
For example, after a valid user logs into a network-based electronic mail service (e.g., with username and password), that site may store on the user's computing device a cookie that uniquely identifies the user. When the user later returns to the site, the user's browser automatically sends the cookie and, if it matches what the site stored, the site may give the user immediate access to her mail without logging in again.
However, if an attacker is able to appropriate the cookie after it is stored, and stores it in his browser, he could then visit the site and get immediate access to the victim's electronic mail. He could then read her private correspondence, maybe learn a password that was sent to the user from a social networking page or other site, masquerade as the user by sending a message requesting sensitive information, etc.
A basic cookie theft may involve pilfering one or more of a user's traditional cookies (domain- and/or IP-based) from her browser, possibly via malware implanted on her computing device, by interception with a packet sniffer program, through cross-site scripting, via physical access to the device, and/or other methods.
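The cookie theft described above succeeds because a traditional cookie is a bearer value: whoever presents it is treated as the user. The following added example (not part of the patent text, and not a method the patent claims) shows one common server-side countermeasure: each issued session cookie is signed with an HMAC so that forged values are rejected cheaply, and the server records the client context (IP address and User-Agent) it was issued to, so that the same cookie replayed from a different context is flagged rather than silently honoured. The key, session identifiers and client values are constructed for the demonstration; the `SessionStore` class and its method names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session table that binds each issued cookie to the client
    context seen at login, so that a copied cookie presented from elsewhere
    can be detected instead of granting immediate access."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # sid -> {"user": ..., "ip": ..., "ua": ...}

    def _sign(self, sid: str) -> str:
        # Keyed MAC over the session id; a thief who can only copy the cookie
        # still cannot mint new ids without the server key.
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self, username: str, client_ip: str, user_agent: str) -> str:
        """Create a session for a freshly authenticated user and return the
        cookie value in the form '<sid>.<mac>'."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": username, "ip": client_ip, "ua": user_agent}
        return f"{sid}.{self._sign(sid)}"

    def check(self, cookie: str, client_ip: str, user_agent: str):
        """Validate a presented cookie against the stored context.
        Returns (status, username); status is one of 'ok', 'bad_signature',
        'unknown_session' or 'context_mismatch'."""
        sid, sep, mac = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(mac, self._sign(sid)):
            return ("bad_signature", None)
        sess = self._sessions.get(sid)
        if sess is None:
            return ("unknown_session", None)
        if sess["ip"] != client_ip or sess["ua"] != user_agent:
            # A valid cookie arriving from a different client is the classic
            # symptom of a stolen or intercepted cookie: log it and re-authenticate.
            return ("context_mismatch", sess["user"])
        return ("ok", sess["user"])

    def revoke(self, cookie: str) -> bool:
        """Invalidate a session, e.g. after a context mismatch is confirmed."""
        sid = cookie.rpartition(".")[0]
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(value: str) -> str:
    """Set-Cookie header with the attributes that limit theft in transit and
    via script: Secure (TLS only), HttpOnly (no document.cookie access),
    SameSite=Strict (not sent on cross-site requests)."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    # Constructed demo values (RFC 5737 documentation addresses, not real hosts).
    store = SessionStore(b"constructed-demo-key-do-not-reuse")
    cookie = store.issue("alice", "203.0.113.5", "Mozilla/5.0 (demo)")
    print(set_cookie_header(cookie))
    print(store.check(cookie, "203.0.113.5", "Mozilla/5.0 (demo)"))   # ('ok', 'alice')
    print(store.check(cookie, "198.51.100.7", "Mozilla/5.0 (demo)"))  # ('context_mismatch', 'alice')
```

Context binding of this kind trades some false positives (users behind carrier NAT or roaming between networks change IP address legitimately) for the ability to notice a replayed cookie; a practical deployment treats a mismatch as a signal to require re-authentication rather than as proof of theft.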
A different type of attack on a user's browser is termed “DNS Poisoning,” and involves corrupting DNS (Domain Name Service) information to cause a user's browser to visit a site or web page other than one it is trying to visit. This may allow the attacker to obtain one or more of the user's domain-based cookies.
More particularly, when a browser is directed to a given site by URL (e.g., www.example.com), which identifies the site's domain (i.e., example.com), a DNS lookup is performed to find the actual address (e.g., IP address) that corresponds to the URL. This lookup may be executed at multiple locations before finding an answer—such as within the user's browser, within a wireless access point via which the user's computing device accesses the internet, in one or more servers at the user's ISP (Internet Service Provider), etc. If a malicious actor changes the DNS data at one of these locations, or manages to return a response to the DNS lookup in place of the normal mechanism, the response may identify the IP address of a malicious site instead of the desired web site.
When the user's browser receives the incorrect IP address, it cannot know that it is invalid, and will therefore navigate in a normal manner to the specified address. Because the browser believes the site to be genuine, it will automatically transmit to the malicious site any traditional domain-based cookies it has for that site.
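The DNS poisoning scenario above turns on the fact that a domain-based cookie is matched on the hostname the browser was asked for, not on the address it actually connected to. The following added example (not part of the patent text) simulates that behaviour with a small cookie jar and two resolver tables, one honest and one poisoned, and shows the two client-side properties that limit the damage: the Secure attribute keeps a cookie off plaintext connections, and peer authentication on an HTTPS connection aborts the request when the address the resolver returned cannot prove it is the requested host. The addresses, resolver tables and the `CERT_NAMES` table standing in for certificate validation are all constructed for the demonstration; `browser_request` and `matching_cookies` are names assumed by this example.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # domain-based cookie: matched on the requested hostname only
    secure: bool = False   # Secure attribute: released only over an HTTPS connection


# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
GOOD_IP = "192.0.2.10"
ROGUE_IP = "198.51.100.66"
HONEST_DNS = {"www.example.com": GOOD_IP}
POISONED_DNS = {"www.example.com": ROGUE_IP}

# Constructed stand-in for certificate validation: the hostname each peer can
# prove with a certificate the browser would accept. The rogue address cannot
# prove it is www.example.com.
CERT_NAMES = {GOOD_IP: "www.example.com", ROGUE_IP: "attacker.invalid"}

# Constructed cookie jar: a Secure session cookie and a non-Secure preference cookie.
JAR = [
    Cookie("session", "constructed-session-value", "example.com", secure=True),
    Cookie("prefs", "lang=en", "example.com"),
]


def matching_cookies(jar, host):
    """Domain match as a browser performs it: the cookie's domain equals the
    host or is a parent domain of it. The resolved address plays no part."""
    return [c for c in jar if host == c.domain or host.endswith("." + c.domain)]


def browser_request(host, scheme, dns, jar, verify_peer=True):
    """Resolve the host and decide which cookies would leave the browser.
    Returns (ip_contacted, cookie_names_sent, status)."""
    ip = dns[host]
    candidates = matching_cookies(jar, host)
    if scheme == "https":
        if verify_peer and CERT_NAMES.get(ip) != host:
            # Peer authentication failed: the connection is torn down before
            # any request, and therefore any cookie, is sent.
            return ip, [], "aborted: peer cannot prove it is " + host
        sent = candidates
    else:
        # Plain HTTP: Secure cookies are withheld, but everything else still
        # goes to whatever address the resolver returned.
        sent = [c for c in candidates if not c.secure]
    return ip, [c.name for c in sent], "sent"


if __name__ == "__main__":
    print(browser_request("www.example.com", "https", HONEST_DNS, JAR))
    # Poisoned resolver, client that skips peer verification: both cookies go to the rogue address.
    print(browser_request("www.example.com", "https", POISONED_DNS, JAR, verify_peer=False))
    # Poisoned resolver, verifying client: request aborted, nothing sent.
    print(browser_request("www.example.com", "https", POISONED_DNS, JAR))
    # Poisoned resolver over plaintext HTTP: only the non-Secure cookie leaks.
    print(browser_request("www.example.com", "http", POISONED_DNS, JAR))
```

The simulation makes the practitioner's point concrete: DNS gives no authentication of its own, so the defences that actually decide whether a cookie reaches a poisoned address are the Secure attribute on the cookie and certificate validation on the connection (together with HSTS, which forces the HTTPS branch). An IP-based cookie of the kind the text mentions would behave differently here, since it would not match the rogue address at all.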
Yet another cyber threat, termed “machine cloning,” allows an attacker to obtain all of a user's browser information, including all domain-based and IP-based traditional cookies, history cookies and cache cookies, as well as private and public cryptographic keys and other data. Machine cloning involves cloning or copying all of a victim's computing device, or at least all relevant data.
Because the attacker now has a virtual twin of the victim's device, his browser can produce traditional cookies and respond appropriately to any probes or queries regarding history cookies and cache cookies.
In light of the number and types of cyber threats, there is a need for a method and apparatus for reliably distinguishing between legitimate and nefarious user activity, configurations and connection requests.