Detection of Remote Fraudulent Activity in a Client-Server-System

Abstract

Detecting unauthorized access to a device is detected in embodiments of the disclosed technology. After downloading a webpage, code is executed in a browser to scan network ports and determine which ports are open. Further webpage content sent from a web server is determined and/or modified in embodiments of the disclosed technology based on which ports are open. In some embodiments, when a particular port or ports are already in use it is determined that a malfeasant actor has access to the end user device and as such, sensitive data or secure data which is intended for a specific user is no longer sent to the end user device.

Claims

1. A method for a fraud management system to identity fraudulent behavior including instructions sent by a server, said server distributing content via a packet-switched data network which has been encrypted to a client receiving device at a separate network node on said network, said content including code to be executed by said client receiving device which is used to detect fraudulent behavior on said client receiving device and transmits results of said detection to said server via said packet-switched network based on detecting the presence of one of a remote access trojan (RAT) or automated software (BOT).

2. A method of port scanning to prevent data theft, comprising the steps of: receiving, via a wireless or wired communication channel, a request for secure data delivered via a first software port; sending at least some secure data via said channel, said secure data including code which is executed upon receipt thereof, wherein said code attempts to open a network connection via at least a second software port; receiving data sufficient to determine that said at least said second software port is in use; modifying further delivery of data via said communication channel as a result of said step of receiving data.

3. The method of claim 2, wherein said at least said second software port is a plurality of second software ports and said code, when executed, attempts to open a network connection on each of said plurality of second software ports and said modifying further delivery of data is carried out based on a determination that any one of said plurality of second software ports is in use.

4. The method of claim 3, comprising additional steps of: authenticating identity of a user carrying out said request for said secure data; receiving additional requests from said user for further secure data; sending at least some additional said secure data via said channel to said user wherein each additional request comprises code which upon execution by a device used by said user attempts to open a network connection on a plurality of additional software ports.

5. The method of claim 4, wherein said additional software ports are ports previously untried for said particular user and/or within a particular authenticated session.

6. The method of claim 5, wherein said second software port and said additional software ports are ports known to be used by remote access trojans (RAT) and/or malfeasant automated programs (BOT).

7. The method of claim 3, wherein said code is adapted to scan additional software ports and report availability of said additional software ports after a request for additional said secure data is made.

8. The method of claim 3, wherein said code is adapted to scan additional software ports and report availability of said additional software ports after a pre-defined period of time has passed without a request for additional said secure data.

9. A method of delivering webpages comprising the steps of: delivering a webpage with a request for user authentication; authenticating said user and embedding code in a second webpage causing a browser to determine behavioral characteristics of said user and as a result of certain behavioral characteristics, scan a plurality of software ports; receiving data sufficient to determine that a software port of said plurality of software ports is in use; modifying content sent in further webpages based on a determination that said software port is in use.

10. The method of claim 9, wherein a version of said code is executed upon or after download of content from each of a plurality of unique uniform resource locators.

11. The method of claim 10, wherein each time said code is executed different ports of said plurality of software ports are scanned.

12. The method of claim 11, wherein said scan takes place only after said content is fully rendered.

13. The method of claim 11, wherein said modifying is based on a determination that said software port in said use is a port used by a malfeasant.

14. The method of claim 11, wherein a quantity and/or rate of said plurality of software ports being scanned is based on available network bandwidth of a network node and and/or processor usage where said software ports are being scanned.

15. A method, comprising the steps of: delivering a combination of: a) data sufficient for a remote device to render content designed for human viewing thereof; and b) code designed for execution by a remote device on a network, wherein said code scans network ports of said device where said content has been rendered; receiving from said device an indication that a specific port of said network ports is already in use; and denying access to authenticated data due to said receiving of said indication.

16. The method of claim 15, wherein said step of delivering is carried out multiple times to said device and each time said code is executed different said network ports are scanned than a previous time.

17. The method of claim 16, wherein said code determines that said content has been rendered before said code scans network ports.

18. The method of claim 15, wherein said code designed for execution by said remote device on said network scans network ports at a rate based on one of available network bandwidth of said remote device and processor usage.

19. A computer program product comprising an algorithm to execute the method of claim 2.

20. A computer system comprising at least one server and at least one client executing the method of claim 15.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] FIG. 1 shows a high level diagram of devices used to carry out embodiments of the disclosed technology.

[0022] FIG. 2 shows a high level chart of steps carried out in an embodiment of the disclosed technology.

[0023] FIG. 3 shows a high level chart expounding on additional sub-routines and steps which are carried out in some methods of the disclosed technology.

[0024] FIG. 4 shows a high level block diagram of devices used to carry out embodiments of the disclosed technology.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE DISCLOSED TECHNOLOGY

[0025] After downloading a webpage, code is executed in a browser to determine behavioral characteristics of a user of the browser and to scan network ports and determine which ports are open. Further webpage content sent from a web server is determined and/or modified in embodiments of the disclosed technology based on the behavioral characteristics and/or which ports are open. In some embodiments, when the behavioral characteristics discloses the use of a RAT or BOT software, the set of ports to scan is determined from prior knowledge of the specific type of RAT or BOT. In some embodiments, when a particular port or ports are already in use it is determined that a malfeasant actor has access to the end user device and as such, sensitive data or secure data which is intended for a specific user is no longer sent to the end user device. In some embodiments, the RAT or BOT behavioral characteristics are logged and stored by the behavioral module (to allow faster identification of such in future uses in some embodiments).

[0026] Embodiments of the disclosed technology will become more clear in view of the following description of the figures.

[0027] FIG. 1 shows a high level diagram of devices used to carry out embodiments of the disclosed technology. Here, the server 110 sends content over a network 99 by way of a network node 98. The end user device 120 receives this content via a different network node 98 and stores content or retrieves previously stored content using a storage device 125. A malfeasant 130 is another computer device or device carrying out instructions of a malfeasant actor to at least partially gain control or data from the end user device 120. Each of these devices has the elements shown with reference to FIG. 4 and connects via a packet switched data network to at least one other of the devices. When the server 110 delivers content to the end user device 120, this can be secure content intended only for an authenticated user of the end user device 120. The end user device 120 carries out instructions that when executed, collects and characterizes the behavior of the authenticated user of the end user device 120. Such instructions are included in the content delivered by server 110 and represent methods that perform continuous authentication of the user during the session. The behavioral characteristics are defined as statistical measures of at least one or a plurality of key press times, key flight times, mouse movement, device description, user agent (meaning operating system, browser type, model, and version), screen refresh rate, pressure sensor readings and more. The devices 110 and 120 communicate via a particular software port (e.g. port 81 or 443). Via the communication, the behavioral characteristics are transferred from device 120 to server 110, in which the behavioral characteristics are matched to possible prior usage of the user's known behavior and checked for presence of known RAT and BOT signatures. Commonly, behavioral characterization is complex and a less than perfect match to a user behavioral profile or, in the case of malfeasance, a RAT or BOT profile, is achieved. In addition, the end user device 120 carries out further instructions received from the server 110 to scan ports other than the one or more already used for communicating to the server 110. Only one port can be used by one application at a time in a TCP/IP (transport control protocol internet protocol) stack. As such, if a port is currently in use, an attempt by the web browser to open or use the port will be denied. Based on the check for RAT/BOT signatures, the further instructions to scan other ports are comprised such that the port numbers to scan are chosen in an order that most relevantly represents the signatures of the detected RAT or BOT profiles, making for a much more effective selection of ports. Should the web browser receive a denial of opening a port other than the one used by the web browser or other application which receives content from the server 110 the server 110 then has the possibility to change what content is delivered. For example, should port 1111 be unavailable on the end user device 120, the end user device 120 reports this to the server 110 which then stops delivering secure data to the end user device 120 because this can be indicative of data being illicitly sent to a RAT/BOT 130 via the network 99.

[0028] FIG. 2 shows a high level chart of steps carried out in an embodiment of the disclosed technology. The steps carried out by the server 110 are shown in the box on the left. The steps carried out by the end user device 120 are shown in the box on the right. In step 210 the server receives a request for data from the end user device 120. Data, in this embodiment, is sent to authenticate the user in step 220. This can be a request for a username and password, a request for biometric data (fingerprint or iris scan), etc. In step 230 viewable content and code to be executed are sent from the server 110 to the end user device 120. Viewable content is data which is rendered or sent with the intention that it be rendered into text and images by the end user device which is designed to be viewed by a human. Code to be executed is defined as data which is sent with the intention that instructions there-within be carried out by end user device to, at least, attempt to collect behavioral biometrics data and open a network port on the end user device.

[0029] At this point, the end user device 120 carries out steps in embodiments of the disclosed technology, namely, rendering the viewable content in step 240 and executing code in step 250. The code causes the end user device 120 to collect behavioral characteristics of the user of end user device 120, and in step 260, scan software ports and determine which ports are open. The behavioral characteristics are sent to the server 110, which performs an analysis of the behavioral characteristics and based on this updates the code to be executed in step 230 again. The determination 270 of which ports are open can be based on being denied access to a port and while this step is shown as being carried out by the end user device 120, the actual determination or action which is based on the information gleaned by scanning the software ports can be carried out by the server. Referring still to FIG. 2, if a port is unavailable to be opened, as determined in step 270, then this information is sent to the server in step 280. The server will then device in step 299 if further content sent to the end user device 120 should be modified accordingly. This modification of further content sent can be in a manner which restricts access or further access to sensitive or private data about an individual or organization such as personal identifying information, bank account numbers, bank balances, and transaction history.

[0030] During the course of an authenticated session (a series of data exchanges between the server and end user device where a first authentication scheme, such as received username and password, is used to access secure data for a particular user determined to be operating the end user device) a plurality of webpages and other data may be sent in step 290. This continues or can continue with back and forth data requests and responses thereto in step 290 and then again in step 230. Content is only modified or restricted in step 299, in embodiments of the technology, when it is determined that a RAT or BOT is communicating or may be communicating with the end user device 120 due to either a RAT/BOT behavior signature being detected or a specific port being unavailable which is associated or used by a known RAT or BOT.

[0031] Referring again to FIG. 2, through multiple website views the code to be executed is sent in step 230 either one time per webpage download or one time while a webpage is dynamically updated. At each download of the webpage, each update of the webpage, or simply after a predefined passage of time (e.g. 1, 5, or 10 seconds) additional ports can be scanned in step 260. The ports scanned can be ports which have not previously been scanned in the authenticated session or for this end user 120, as known to the server 110. More detail about determining when and which ports to scan is described below with reference to FIG. 3.

[0032] FIG. 3 shows a high level chart expounding on additional sub-routines and steps which are carried out in some methods of the disclosed technology. Here, step 260 of FIG. 2 which refers to the scanning of software ports and determining open ports is elucidated in more detail with variations which take place in some embodiments of the disclosed technology. These steps are carried out by the end user device 120 in embodiments of the disclosed technology. In step 310 the code received from the server 110 along with a webpage with viewable content causes the end user computing device 120 to scan software ports. This can take place along with one or multiple of the pathways leading from box 310 which serve to vary how the scans are conducted. Since port scans are associated with a computational cost and network delay, it is unfeasible to do an exhaustive search and scan all ports in one go.

[0033] In step 320, the CPU (central processing unit) usage is determined for the end user device 120. In order to avoid degradation to the user experience and/or system performance of the end user computing device, in step 320 it is determined that if CPU usage is above a threshold that port scanning speed or quantity is throttled or reduced in step 335 due to a determination, in step 330, of limited CPU usage available. Likewise, if the available bandwidth in step 325 is determined to be limited in step 330, then the speed or quantity of ports scanned is throttled. In this case, bandwidth can refer to the maximum transfer speed between the server 110 and end user device 120, ping time, latency, or information known about the network on which the IP address of the end user device is situated. A cellular or satellite data connection, for example, may be given less ports to scan or ports per minute to scan than a wired fiber optic data connection to the end user.

[0034] In step 340 it is determined if ports have been previously scanned for the particular end user computing device 120 or scanned during a particular authenticated session. It might be decided, and programmed into the code which has instructions carried out by the end user device 120, to scan all 65535 ports in sequence, randomly, or based on most likely ports used by a RAT or BOT especially in view of a present known threat, as determined by the behavioral analysis, and common RAT or BOT used at the time. RATs commonly use port 80, 443, 8000, or 8080 which while typically also used for a web server, are ports that an end user computing device typically does not use. A Windows, Macintosh, or Linux machine used by an end user to access his/her bank, for example, probably is not running a web server. Therefore, if these ports are found to be unavailable than it may be indicative of a RAT or BOT running and action might be taken to restrict sending of sensitive data to such a machine. In step 50, prior ports scanned might be excluded from a future scan and/or new ports are selected to be scanned.

[0035] In any of the above cases, after it is determined which ports to scan and a speed at which to scan the ports, then the ports are scanned in a version of carrying out the coded instructions for same in step 390. The data about which ports are open for use or unavailable is then sent to the server in step 280 for processing and possibly restricting access to sensitive data, as described with reference to FIG. 2.

[0036] Describing the process of port scanning at a lower level, this can be carried out by a web browser by way of JavaScript in embodiments of the disclosed technology. This uses existing software. Some ways to implement port scanning mechanisms inside a browser are by injecting image elements into the DOM (document object model), by leveraging the XMLHttpRequest object or by leveraging WebSockets. The injection of new DOM elements works, because some DOM elements are triggering the browser to open connections and trying to download additional information. This will work for example for HTML <img> elements. The src attribute with some local address including some particular port of interest can be used for testing (i.e. https://127.0.0.1:8080). By JavaScript it is possible to hook into some event handling mechanisms for these particular elements. Listening to the events will reveal if the port is open or not. An example of code to carry out same follows.

TABLE-US-00001 function PortScannerImg( ) { this.timeout = 1000; this.run = function (ip, scan_list) { var self = this; scan_list.forEach(function (item, index) { var img = new Image( ); var handler = function (e) { if (!img) return; img = undefined; item.state = open; }; img.src = http:// + ip + : + item.port + / + Math.floor(Math.random( ) * 1000000) + .png; img.onerror = handler; img.onload = handler; setTimeout(function ( ) { if (!img) return; img = undefined; item.state = closed; }, self.timeout); }); } } {port: 21}, {port: 22}, {port: 25}, {port: 110}, {port: 8080}, {port: 8081}, {port: 8443}, {port: 3306}, {port: 3389} ]; var scannerImg = new PortScannerImg( ); scannerImg.run(127.0.0.1, scan_list);

[0037] Leveraging XMLHttpRequest is another way to carry out port scanning. In this case an AJAX Request is issued to the localhost IP address with some specific port of interest. Here again the different events can be handled with the aid of JavaScript to make the decision if a port is open or not.

TABLE-US-00002 function PortScannerXMLHttp( ) { this.run = function (ip, scan_list) { scan_list.forEach(function (item, index) { var xhttp= new XMLHttpRequest( ); xhttp.onreadystatechange = function( ) { if (xhttp.readyState == 4) { if (!item.state) item.state = open; } }; xhttp.open(GET, http:// + ip + : + item.port, true); xhttp.send( ); setTimeout(function ( ) { if (!item.state) item.state = closed; }, 1000); }); } } var scan_list2 = [ {port: 21},{port: 22},{port: 25},{port: 110}, {port: 8080},{port: 8081},{port: 8443}, {port: 3306},{port: 3389} ]; var scannerXMLHttp = new PortScannerXMLHttp( ); scannerXMLHttp.run(127.0.0.1, scan_list2);

[0038] A third method to detect open ports is by way of WebSockets. In this case it is possible to track how much time is needed to change the readyState property. Depending on how long it takes to change the state one can conclude if a port is open or closed.

[0039] FIG. 4 shows a high level block diagram of devices used to carry out embodiments of the disclosed technology. Device 500 comprises a processor 550 that controls the overall operation of the computer by executing the device's program instructions which define such operation. The device's program instructions may be stored in a storage device 520 (e.g., magnetic disk, database) and loaded into memory 530 when execution of the console's program instructions is desired. Thus, the device's operation will be defined by the device's program instructions stored in memory 530 and/or storage 520, and the console will be controlled by processor 550 executing the console's program instructions. A device 500 also includes one or a plurality of input network interfaces for communicating with other devices via a network (e.g., the internet). The device 500 further includes an electrical input interface. A device 500 also includes one or more output network interfaces 510 for communicating with other devices. Device 500 also includes input/output 540 representing devices which allow for user interaction with a computer (e.g., display, keyboard, mouse, speakers, buttons, etc.). One skilled in the art will recognize that an implementation of an actual device will contain other components as well, and that FIG. 4 is a high level representation of some of the components of such a device for illustrative purposes. It should also be understood by one skilled in the art that the method and devices depicted in FIGS. 1 through 3 may be implemented on a device such as is shown in FIG. 4.

[0040] While the disclosed technology has been taught with specific reference to the above embodiments, a person having ordinary skill in the art will recognize that changes can be made in form and detail without departing from the spirit and the scope of the disclosed technology. The described embodiments are to be considered in all respects only as illustrative and not restrictive. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope. Combinations of any of the methods, systems, and devices described herein-above are also contemplated and within the scope of the disclosed technology.