RU2757535C2 - Method for identifying potentially dangerous devices using which the user interacts with banking services, by open ports - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: invention relates to computer technology. A method for identifying a device through which a user interacts with remote services as potentially dangerous, contains steps at which: using a script executed in the browser on the user’s device, open ports on the user’s device, the IP address of the user’s device, available information about the browser on the user’s device are detected; with the help of a cloud security service, the identified data about the user’s device is analyzed, applying the rules for identifying potentially dangerous devices; with the help of a cloud security service, a potentially dangerous user device is identified in case of a positive result of applying the rules for identifying potentially dangerous devices.

EFFECT: ensuring that the device through which the user interacts with remote services is identified as potentially dangerous.

1 cl, 3 dwg

Description

Technology area

The invention relates to solutions for ensuring secure user interaction with banking services, and more specifically to systems and methods for identifying potentially dangerous devices when a user interacts with banking services.

State of the art

Currently, the banking sector has expanded significantly. The user (client of the bank) is provided with new opportunities for interacting with the bank, methods of payment and transfer of funds. The variety of payment systems, plastic card providers and banking services (bank services are often referred to as remote banking services) allows the user to perform a variety of transactions through computing devices. Online banking and mobile banking make it possible to carry out monetary transactions without the participation of a plastic card or bank account details.

In addition, there are various mechanisms to protect user funds from access to them by third parties. When a user is working with online banking, a method such as two-step authentication is often used. After entering authentication data in the browser on the bank's website (for example, a login and password that could become available to third parties), the bank sends a message to the user on his mobile phone, containing, for example, an additional verification code that must be entered in a special field.

However, it is worth noting that there are many attacks that exploit vulnerabilities when a user interacts with banking services, which are carried out by cybercriminals in order to gain access to the user's funds. These attacks are often referred to as fraudulent attacks. For example, using phishing sites, a login and password can be obtained to access online banking. Malicious software (such as remote administration tools) also allows attackers to steal user account data (and other sensitive data) and conduct verified transactions without the user's knowledge.

There are known systems and methods that use the so-called device fingerprint to protect users from fraudulent activity. The user generally uses the same devices, each device contains a certain set of software and features that are known to the bank. In the event that a set of software changes on a device, or the device itself changes, there is a high probability that fraudulent activity is observed. When committing fraudulent activity on a device, the latter is considered dangerous.

Thus, US publication 20150324802 describes a technology for authenticating user transactions. Authentication uses browser fingerprints, as well as vectors of various combinations of parameters (device characteristics, geolocation, information about the transaction itself).

However, often, no anti-fraudulent activity (such as anti-virus applications) is installed on the user's device. Also, users often interact with banking services other than through applications that may contain additional tools for detecting fraudulent activity (for example, SDK functions from antivirus application manufacturers) and provide the bank with additional information about the user's device and transactions, which makes it difficult or impossible to identify fraudulent activity.

The present invention makes it possible to detect potentially dangerous devices (devices from which fraudulent activity can be performed) when a user interacts with banking services through a browser.

The essence of the invention

The present invention is intended to identify potentially dangerous devices through which the user interacts with banking services.

The technical result of the present invention is to implement the declared purpose.

According to one of the implementation options, a method is provided for identifying a device through which a user interacts with remote services as potentially dangerous, comprising the stages at which: using a script, using communication protocols, identify data about the user's device; using a cloud-based security service, they analyze the identified data about the user's device, applying the rules for identifying potentially dangerous devices; using a cloud-based security service, they identify a potentially dangerous device of the user in case of a positive result of the application of the rule for identifying potentially dangerous devices.

According to another embodiment, a method is provided in which the device data is open port data of the device.

According to one particular implementation, a method is provided in which an open port is detected based on a comparison of the response time to a request to the port.

According to one of the private embodiments, a method is provided in which a comparison of the response time to a request to a port occurs with the response time to a request to a known closed port.

According to one particular implementation, a method is provided in which the communication protocols are real-time communication protocols.

According to one of the private embodiments, a method is provided in which the device data is the IP address of the device in the local network.

According to one particular implementation, a method is provided in which the device data is the name of the browser.

According to one particular implementation, a method is provided in which the device data is the operating system of the device.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is the presence of a RAT tool on the device.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is that the open ports on the device do not correspond to the typical ports for the operating system on the device.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is the presence of a remote administration tool on the device, which should not be present on the device.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is the presence on the device of open ports typical for use in networks intended for anonymization.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is the presence on the device of open ports characteristic of known devices used for fraudulent activity.

According to one of the private embodiments, a method is provided in which the condition of the rule for detecting potentially dangerous devices is to change the set of open ports on the device.

Brief Description of Drawings

Additional objects, features and advantages of the present invention will become apparent from a reading of the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

FIG. 1 shows the structure of the system for detecting potentially dangerous devices by open ports.

FIG. 2 shows a diagram of a method for identifying potentially dangerous devices by open ports.

FIG. 3 is an example of a general purpose computer system on which the present invention may be implemented.

Description of embodiments of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The essence recited in the description is nothing more than specific details provided to assist a person skilled in the art in a comprehensive understanding of the invention, and the present invention is defined only within the scope of the appended claims.

FIG. 1 shows the structure of the system for detecting potentially dangerous devices by open ports.

The system for detecting potentially dangerous devices by open ports consists of a browser 110 running on the user's computing device 100, a script 120 running in a browser 110, a remote server 130 that provides services to the user and with which the user interacts through the device 100, and a cloud security service 140, with which script 120 interacts.

User computing device 100 (hereinafter referred to as device 100) contains a software execution environment (eg, an operating system) in which browser 110 is executed.

Potentially dangerous device - device 100, the likelihood of fraud (fraud) from which, when online accessing the bank server (online banking) 130, is higher than a predetermined threshold value.

It is well known that device 100 may include remote administration tools. These can be both legitimate means and illegitimate ones, which are used by attackers as a result of compromise (for example, infection with malware) of device 100.

Examples of legitimate remote administration tools are:

- Remote Desktop Protocol (RDP),

- Secure Shell (SSH),

- specialized applications (for example, Team Viewer).

Examples of illegitimate remote administration tools are so-called remote administration tools (RATs), which are programs used by hackers or others to remotely connect to device 100 via the Internet or a local area network. The remote administration tool is based on client-server technology. The server side runs on a managed device 100 and receives commands from a client installed on a remote host (eg, an attacker computing device).

It should be understood that even legitimate remote administration tools can be used by cybercriminals. Especially if the mentioned tools have the functionality of silent installation of applications on the user's device 100.

These means (legitimate and illegitimate) for obtaining data for remote control of the device 100 open ports on the device 100 for incoming connections.

The present invention allows the detection of open ports on the device 100.

In general, when a user interacts through a browser 110 running on a device 100 with a remote server 130, the remote server transmits a web page to the device, which in turn contains a script file, a script 120 (eg, written in JavaScript). Hereinafter, the remote server 130 is, for the sake of clarity, the banking server 130.

The script 120 is executed when the web page received from the banking server 130 is opened in the browser 110.

In general, script 120 uses real-time communication protocols. For example, WebRTC is an open source protocol designed for organizing the transfer of streaming data between 110 browsers or other applications that support the protocol using point-to-point technology (English peer-to-peer, P2P). In turn, WebRTC uses the STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) protocols. Through STUN, a simple request is made from the browser 110 to the remote server 180, for example, to clarify the IP address of the device 100, and the server returns the IP address of the device 100 to the browser 110. This helps the browsers 110 on the various devices 100 to set up communication channels between the browsers 110 for communication. information (for example, messages) in real time. TURN is a STUN extension that allows, for example, browser 110 to transmit traffic in real time through a remote TURN 180 server. Typically, STUN is used over UDP and TURN over TCP.

The present invention does not transmit requests from browser 110 to remote server 180 using real-time communication protocols. Instead, script 120 accesses a port on computing device 100 using real-time communication protocols.

Initially, script 120 accesses a known closed port on device 100. A known closed port can be detected both statistically (for example, the port with the least likelihood of being used on devices 100) and depending on the operating system that browser 110 is running under. to a deliberately closed port, script 120 detects the response time. Next, script 120 refers to ports that are used by both legitimate and illegitimate remote administration tools. After receiving a response, the script 120 calculates the difference in response time, while comparing the response time with the response time to a request to a known closed port. If the difference in response time differs by more than the threshold value, script 120 considers the port to be open. For example, a response from a closed port is 10 milliseconds, and a response from a port accessed by script 120 is 50 milliseconds. Thus, the port accessed by the script 120 is considered open. At the same time, the differences in response time can be both up and down. The response time depends on the type of operating system, and the response time also depends on which protocol the remote administration tool uses. For example, if the protocol provides for a handshake procedure, the response time may vary (the remote administration tool can wait for a correct request for a specified time interval, and then responds with a failure to establish a connection by timeout).

It should be noted that, in addition to remote administration tools, the above method can detect ports opened by trusted software (for example, Microsoft SQL Server). Open ports of specific software can also be detected, such as ports used by devices 100 on networks intended for anonymization. In particular, the network intended for anonymization is the Tor network, 100 devices connected to it (the so-called Tor nodes, English tor-nodes) have a similar set of open ports.

In general, the information (port number and response time) detected by script 120 about open ports is a digital fingerprint of device 100. In one embodiment, the fingerprint of device 100 is information about closed ports.

Also, in one implementation, the script 120 collects available information about the browser 110. When the page is opened, the browser 110 sends the identification information to the banking server 130. This is a text string that is part of an HTTP request, starting with "User-Agent" and usually includes information such as the name of the browser 110, the version of the browser 110, the operating system of the device 100, the language of the operating system of the device 100, and so on. This information can be obtained by script 120.

In one implementation, the script 120 also further reveals the IP address of the device 100 on the local network, for example, using Javascript components, for example:

Next, the script 120 transfers the local IP address, information about the browser 110 and the detected open ports to the cloud security service 140.

The cloud security service 140 analyzes the data received from the script 120 about the browser 110 and about the open ports on the device 100. When analyzing, the cloud security service 140 also analyzes the IP address of the device 100 in the local network, as well as the IP address from which it was obtained data from script 120. In general, the cloud security service 140 applies the rules for identifying potentially dangerous devices 100. If the rule is positively applied, the cloud security service 140 identifies (identifies) the device 100 as potentially dangerous. In general, the application of the rule is considered positive if the device 100 meets the conditions of the rule.

In one implementation, the cloud security service 140 assigns its own weight to each port depending on previously collected data about open ports on devices 100 (outside the scope of the present invention). Based on the weights of open and closed ports, cloud security service 140 determines the total hazard weight, and if the total hazard weight exceeds a predetermined threshold, cloud security service 140 judges device 100 to be potentially hazardous.

In one implementation, the cloud security service 140 computes a convolution from the fingerprint of the device 100 (port numbers and response times). Further, the cloud security service 140 compares the resulting convolution with the convolutions of the fingerprints of other devices 100 from the database, and judges by the degree of similarity that the device 100 is potentially dangerous.

In one embodiment, if a potentially dangerous device is detected, the cloud-based security service 140 transmits information about a potentially dangerous device 100 to the banking server 130. The banking server 130, using the obtained information, using methods known in the art, prevents the execution of banking transactions from the potentially dangerous device 100. For example, , the banking server 130 terminates the connection, requests additional authorization from the user, informs the information security professional, shows the user an information web page, sends an email or SMS to the user.

Options for the implementation and application of the rules for identifying potentially dangerous devices 100 by the cloud security service 140 are discussed below.

Option 1: Cloud Security Service 140 has detected open ports of illegitimate remote administration tools on device 100. Since the device 100 has a RAT tool installed and active (because the port is open), it could be compromised. To prevent data leakage, cloud security service 140 identifies device 100 as potentially dangerous. In this variant, the condition of the rule for detecting potentially dangerous devices is the presence of a RAT-tool on the device 100.

Option 2. Cloud Security Service 140 revealed that browser 100 is running macOS. Also, the cloud security service 140 revealed that ports are open, which are typical for software running under the Windows operating system (for example, Microsoft SQL Server). Device 100 is likely being spoofed. Security cloud service 140 identifies device 100 as potentially dangerous. In this case, the condition of the rule for detecting potentially dangerous devices is that the open ports on the device 100 do not correspond to the typical ports for the operating system on the device 100.

Option 3. The bank in the local network on its 100 devices uses a specific legitimate remote administration tool (eg TeamViewer). Cloud security service 140 has detected that a legitimate remote administration tool (eg, AnyDesk) is installed on device 100. Also, the cloud security service 140, having analyzed the IP address from which the information from the script 120 was received, reveals that the address belongs to the bank, and also reveals that the device 100 in the bank's local network is potentially dangerous (it has another legitimate remote administration tool installed, other than bank). The cloud security service 140 transmits the local IP address of the device 100 to the banking server 130 for further analysis, incident investigation, and decision making. In this embodiment, the condition of the rule for detecting potentially dangerous devices is the presence of a remote administration tool on the device 100, which should not be present on the device 100.

Option 4. Cloud security service 140 revealed that Tor ports are open on device 100. The use of the mentioned Tor network is often associated with an attempt by the user to anonymize his actions, therefore, when accessing the bank server 130 from device 100, where the mentioned ports characteristic of the Tor network are open, it is likely that fraudulent activity occurs. Security cloud service 140 identifies device 100 as potentially dangerous in this case. In this case, the condition for the rule for detecting potentially dangerous devices is the presence of 100 open ports on the device, which are typical for use in networks intended for anonymization.

Option 5. Cloud security service 140 revealed that the digital fingerprint of device 100 (information about open ports of device 100) corresponds with a high degree of probability (for example, 95% of open ports) to the family of known digital fingerprints of devices 100 used by attackers (for example, attackers often deploy the same images of virtual machines to perform malicious actions, and after the actions are performed, the virtual machine is deleted to hide its traces). Security cloud service 140 identifies device 100 as potentially dangerous in this case. In this embodiment, the condition of the rule for detecting potentially dangerous devices is the presence on the device 100 of open ports characteristic of known devices 100 used for fraudulent activity.

Option 6. Cloud security service 140 has detected that the digital fingerprint of device 100 is constantly changing. When the browser 110 accesses the bank server 130 and the script 120 is executed, the set of open ports does not match the previous ones. Under normal conditions, there is no reason for this, the cloud security service 140 identifies in this case the device 100 is also potentially dangerous. In this embodiment, the condition of the rule for detecting potentially dangerous devices is to change the set of open ports on the device 100.

FIG. 2 shows a diagram of a method for identifying potentially dangerous devices by open ports.

At step 210, information about the device 100 is identified using a script 120 using communication protocols. In general, communication protocols are real-time communication protocols. In one embodiment, the device data are the open ports of the device 100. In order to detect an open port, the script 120 compares the response time to a request to a known closed port and the response time to a request to the detected port. In one implementation, the device 100 data is the IP address of the device 100 on the local network. In one embodiment, the data about the device 100 is the name of the browser 110. In one embodiment, the data about the device 100 is the operating system of the device 100. In general, the data is transferred to the cloud security service 140 using the script 120.

At block 220, the detected data about the user's device 100 is analyzed using the cloud security service 140, applying rules for identifying potentially dangerous devices. In one embodiment, the rule for detecting potentially dangerous devices is conditional on the presence of a RAT tool on the device 100. In one implementation, the condition of the rule for detecting potentially dangerous devices is that the open ports on the device 100 do not correspond to the typical ports for the operating system on the device 100. present on the device 100. In one embodiment, the rule for detecting potentially dangerous devices is conditional on the presence of open ports on the device 100, which are typical for use in networks intended for anonymization. In one embodiment, the rule for detecting potentially dangerous devices is conditional on the presence of open ports on the device 100, typical of known devices 100 used for fraudulent activity. In one implementation, the rule for detecting potentially dangerous devices is conditional on changing the set of open ports on the device 100.

At step 230, a potentially dangerous device 100 is detected using the cloud security service 140 if the potentially dangerous device rule is applied.

At step 240, using the cloud security service 140, if a potentially dangerous device 100 is detected, information about the potentially dangerous device 100 is transmitted to the bank server 130. The bank server 130, using the obtained information using methods known in the art, prevents the execution of bank transactions from the potentially dangerous device 100.

FIG. 3 shows an example of a general-purpose computer system, a personal computer or server 20, comprising a central processing unit 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processing unit 21. The system bus 23 is implemented as any bus structure known from the prior art, containing in turn a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interfacing with any other bus architecture. System memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains basic procedures that transfer information between the elements of the personal computer 20, for example, at the time of loading the operating room. systems using ROM 24.

The personal computer 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31, such as CD-ROM, DVD -ROM and other optical media. The hard disk 27, the magnetic disk drive 28, and the optical drive 30 are connected to the system bus 23 via the hard disk interface 32, the magnetic disk interface 33, and the optical drive interface 34, respectively. Drives and corresponding computer storage media are non-volatile storage media for computer instructions, data structures, program modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29 and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36, where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39. The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40, manipulator " mouse "42). Other input devices may be used (not shown): microphone, joystick, game console, scanner, etc. Such input devices are conventionally connected to the computer system 20 through a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, etc. ...

The personal computer 20 is capable of operating in a networked environment using a network connection with other or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the entity. the personal computer 20 shown in FIG. 3. In a computer network, there may also be other devices, such as routers, network stations, peer-to-peer devices, or other network nodes.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, personal computer 20 is connected to local network 50 via a network adapter or network interface 51. When using networks, personal computer 20 may use a modem 54 or other means of providing communication with a wide area network, such as the Internet. Modem 54, which is an internal or external device, is connected to the system bus 23 via a serial port 46. It should be noted that the network connections are only exemplary and are not required to reflect the exact configuration of the network, i. E. in fact, there are other ways of establishing a connection by technical means of communication of one computer with another.

In conclusion, it should be noted that the information given in the description are examples, which do not limit the scope of the present invention defined by the claims. One skilled in the art will appreciate that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (10)

A method for identifying a device through which a user interacts with remote services as potentially dangerous, containing stages at which: a) using a script running in a browser on the user's device, they identify: - open ports on the user's device; - IP address of the user's device; - available information about the browser on the user's device; b) using a cloud security service, they analyze the identified data about the user's device, applying the rules for identifying potentially dangerous devices, while the detection rule is at least one of: - the presence of open ports on the device, typical for use in networks intended for anonymization; - the presence on the device of open ports typical of known devices used for fraudulent activity; - change the set of open ports on the device; c) using a cloud-based security service, they identify a potentially dangerous device of the user in case of a positive result of the application of the rule for identifying potentially dangerous devices.

Images