(12) Patent Application Publication    (10) Pub. No.: US 2017/0346853 A1
(43) Pub. Date: Nov. 30, 2017

Wyatt et al.

US 20170346853A1

(54) METHODS AND SYSTEMS FOR DETECTING AND PREVENTING NETWORK CONNECTION COMPROMISE

(71) Applicant: LOOKOUT, INC., San Francisco, CA (US)

(72) Inventors: Timothy Micheal Wyatt, Toronto (CA); David Luke Richardson, San Francisco, CA (US); Kevin Patrick Mahaffey, San Francisco, CA (US); Brian James Buck, Livermore, CA (US); William Neil Robinson, Sunnyvale, CA (US); David William Cowden, San Francisco, CA (US); Nitin Shridhar Desai, Dublin, CA (US); Prasad Deshpande, Lexington, MA (US); Robert Blaine Elwell, Atlanta, GA (US); Eike Christian Falkenberg, Walnut Creek, CA (US); Meng Hu, Sunnyvale, CA (US); Alex Shoykhet, San Francisco, CA (US)

(73) Assignee: LOOKOUT, INC., San Francisco, CA (US)

(21) Appl. No.: 15/608,556

(22) Filed: May 30, 2017

Related U.S. Application Data

(60) Provisional application No. 62/343,748, filed on May 31, 2016.

Publication Classification

(51) Int. Cl.
    H04L 29/06 (2006.01)
    H04L 12/26 (2006.01)

(52) U.S. Cl.
    CPC ...... H04L 63/1466 (2013.01); H04L 63/1425 (2013.01); H04L 43/12 (2013.01); H04L 63/0884 (2013.01); H04L 67/42 (2013.01)

(57) ABSTRACT

The security of network connections on a computing device is protected by detecting and preventing compromise of the network connections, including man-in-the-middle (MITM) attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network connection, blocking the network connection, switching to a different network connection, applying a policy, and sending anomaly information to a security server.
`
[Representative figure: Computing Device 200; Cell Station 410; Network 125; Security Server 320 with Policy 318; Probe Endpoint Server 330a; Probe Endpoint Server 330b; Destination Host 340]
`
`Page 1 of 46
`
`ironSource Exhibit 1020
`ironSource Ltd. v. Digital Turbine Inc. PTAB-PGR2021-00096
`
`
`
Patent Application Publication    Nov. 30, 2017    Sheet 1 of 17    US 2017/0346853 A1

[FIG. 1: distributed computer network 100; remaining figure text not recoverable from the scan]
`
`
`
[Sheet 2 of 17, FIG. 2: Computing Device 200 with Display 205, Housing 210 and Storage 240]
`
`
`
[Sheet 3 of 17, FIG. 3: Computing Device 200; Network 125; Security Server 320; Probe Endpoint Server 330a; Probe Endpoint Server 330b; Destination Host 340]
`
`
`
`
`
`
`
`
`
[Sheet 4 of 17, FIG. 4: Computing Device 200; Cell Station 410; Wi-Fi Access Point; MITM; Network 125; Security Server 320; Probe Endpoint Server 330a; Probe Endpoint Server 330b; Destination Host 340]
`
`
`
`
`
`
`
`
`
`
`
[Sheet 5 of 17: computing device display screenshots; text not recoverable from the scan]
`
`
`
`
`
[Sheet 6 of 17: computing device display screenshots; text not recoverable from the scan]
`
`
`
[Sheet 7 of 17: computing device display screenshot; text not recoverable from the scan]
`
`
`
[Sheet 8 of 17: computing device display screenshots; text not recoverable from the scan]
`
`
`
`
[Sheet 9 of 17, FIG. 8A: computing device display screenshots; text not recoverable from the scan]
`
`
`
`
`
[Sheet 10 of 17: computing device display screenshots; text not recoverable from the scan]
`
`
`
[Sheet 11 of 17: figure text not recoverable from the scan]
`
`
`
[Sheet 12 of 17: figure text not recoverable from the scan]
`
`
`
[Sheet 13 of 17, FIG. 12: administrator display; text not recoverable from the scan]
`
`
[Sheet 14 of 17: administrator display; text not recoverable from the scan]
`
`
`
[Sheet 15 of 17, FIG. 14: administrator display; text not recoverable from the scan]
`
`
`
[Sheet 16 of 17, FIG. 15: Computing Device 200 with client app; Network 125; Security Server 320; Probe Endpoint Server 330a; Probe Endpoint Server 330b; Destination Host 340]
`
`
`
`
`
`
[Sheet 17 of 17, FIG. 16: Computing Device 200 with client app; Cell Station 410; Wi-Fi Access Point; MITM; Network 125; Security Server 320; Probe Endpoint Server 330a; Probe Endpoint Server 330b; Destination Host 340]
`
US 2017/0346853 A1
`
`Nov. 30, 2017
`
`METHODS AND SYSTEMS FOR DETECTING
`AND PREVENTING NETWORK
`CONNECTION COMPROMISE
`
`CROSS-REFERENCE TO RELATED CASES
`
[0001] The present application claims priority to U.S. Provisional Patent Application 62/343,748, entitled "METHODS AND SYSTEMS FOR DETECTING AND PREVENTING NETWORK CONNECTION COMPROMISE," filed on May 31, 2016.
`
`TECHNICAL FIELD
`
[0002] The present invention relates to the field of information technology and, more particularly, to methods and systems for detecting and preventing compromise of computing device network connections, including man-in-the-middle attacks.
`
`BACKGROUND
`
[0003] Computing devices connect to a variety of networks, are turned on most of the time, and automatically roam between various wireless networks and cell towers without user notification or interaction. This presents the potential opportunity for data to leak from these devices if the network connection from the device is compromised and encryption is not properly implemented. As more data goes mobile, attackers are finding more sophisticated ways to get access to it. Data in transit is increasingly becoming an enterprise risk, as employees tend to be careless about connecting to public Wi-Fi or installing proxies that can decrypt data. According to a recent report, 48% of organizations don't know if their mobile devices have connected to a malicious Wi-Fi, while 24% have confirmed such an exposure. Encrypted traffic mitigates many of the threats associated with connecting to the internet through untrusted access points or proxies, but does not solve all problems. This is in part because users are being trained to install configuration profiles (on iOS, for example) with root Certificate Authorities (CAs) as part of the connection process. For example, New York City is actually requiring users to do this for their new free Wi-Fi program "LinkNYC." The most common scenario described by the media is that of an attacker sitting in the same coffee shop as you, capturing or modifying your data as it is sent out over the free Wi-Fi. These methods can allow an attacker to view encrypted enterprise data, such as corporate login credentials. As attacks on the network increase in sophistication and prevalence, organizations need visibility into, and protection against, this emerging risk.
[0004] It would be desirable to be able to ensure that a computing device is configured according to a policy that prevents or reduces the threat of a Man in The Middle (MITM) attack. There is a need to be able to detect the possibility or actuality of a MITM attacker, and to respond with warnings to a computing device or user or enterprise console or administrator, or to block insecure communications. There is a need to prevent SSL downgrade attacks. There is a need to protect applications that do not properly validate certificates. There is a need to report instances of attempted MITM attacks to an enterprise console or security data store. There is a need to have policies that can protect applications that improperly validate certificates or certificate chains or related information, or policies to disallow the usage of inappropriate certificates or configuration profiles in a computing device's trusted certificate store for particular applications or destination hosts or services (DESTHOSTs). There is a need to prevent MITM attacks.
[0005] Threat Profiles
[0006] Active network man-in-the-middle attacks can take any of several forms. The following presents a summary of the problem space of threat profiles related to MITM attacks.
[0007] Hostile Network: an attacker sets up a hostile Access Point (AP) that mimics a network a user reasonably trusts, either through previous association or common known usage. When a computing device attaches to the network, the AP has in-line agency to intercept and modify traffic at will.
[0008] ARP Man-in-the-middle: an attacker uses gratuitous Address Resolution Protocol (ARP) to advertise its own hardware address in place of a gateway, proxy, or host on the victim's connection path.
[0009] SSLBump: an attacker subverts Dynamic Host Configuration Protocol (DHCP), or uses a malicious application, configuration profile, or other attack vector to introduce a proxy under attacker control into the configuration of the victim's network stack.
[0010] SSLStrip: an attacker subverts unencrypted connections made by the victim, rewriting URLs in plaintext documents that would normally be specified as HTTPS (Hyper Text Transfer Protocol Secure) to use plaintext HTTP (Hyper Text Transfer Protocol).
[0011] Host Certificate Hijacking: an attacker introduces a malicious certificate under attacker control into the trusted certificate store of the victim device, allowing the attacker to masquerade as one or more hosts that the victim intends to communicate with securely. An enterprise uses essentially the same technique to perform what is called "SSL intercept" or "SSL Interception," for the purpose of providing Data Loss Prevention (DLP) or other services. SSL intercept is a process to decipher and inspect the content of data being transmitted via Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and is possible because certificates can be created that are associated with a particular hostname, or common name, in SSL nomenclature. In Host Certificate Hijacking there is a certificate that is provisioned into the trusted certificate store of a device used by an employee of the enterprise; the malicious certificate in this instance chains up to the enterprise's certificate that is stored in that trusted certificate store.
[0012] TLS Protocol Downgrade: an attacker manipulates the negotiated connection to downgrade the protocol or negotiated cipher suites, and lower the security guarantees of the connection.
[0013] TLS Exploit: an attacker exploits a vulnerable client or server TLS implementation to compromise the security of the transport (e.g., the Heartbleed vulnerability in a TLS implementation).
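Each of the profiles above leaves a different fingerprint on a connection, and a device-side detector can test for them directly. The following is an added example, not code from the patent or from Lookout: it scores one constructed connection observation against each profile. The Observation record, the hypothetical pin table PINS, the root list SHIPPED_ROOTS, the TLS version policy and the three sample inputs are all assumptions made for this example. TLS Exploit is left out, since it is a property of the implementation in use rather than of what the connection looks like on the wire.

```python
"""Classify one observed connection against the MITM threat profiles above.

Added illustration, not code from the patent or from Lookout. The Observation
record, the pin table, the root list and the sample inputs are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Version ordering used by the downgrade check (policy value is an assumption).
_TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES-CBC", "MD5")

# Hypothetical pins: SPKI SHA-256 (hex) the device expects for each DESTHOST.
PINS = {"mail.example.com": "11" * 32}
# Hypothetical set of roots in the device's shipped (public) trust store.
SHIPPED_ROOTS = {"Example Public Root CA"}


@dataclass
class Observation:
    """What the device saw for one connection (constructed record)."""
    host: str                        # destination host the app asked for
    gateway_mac: str                 # MAC now in the ARP cache for the gateway
    expected_gateway_mac: str        # MAC learned when the device first attached
    requested_url: str               # URL the application requested
    final_url: str                   # URL after redirects or rewrites
    proxy_configured: bool           # a proxy appeared in the network config
    tls_version: Optional[str]       # None when the connection stayed plaintext
    cipher: Optional[str]
    leaf_spki_sha256: Optional[str]  # hex SPKI hash of the leaf cert presented
    root_issuer: Optional[str]       # CN of the root the presented chain ended at


def classify(o: Observation) -> List[str]:
    """Return the threat profiles whose fingerprints match this observation."""
    findings: List[str] = []

    # ARP Man-in-the-middle: the gateway's hardware address changed under us.
    if o.gateway_mac.lower() != o.expected_gateway_mac.lower():
        findings.append("ARP Man-in-the-middle")

    # SSLStrip: an HTTPS request ended up on plaintext HTTP.
    if o.requested_url.startswith("https://") and o.final_url.startswith("http://"):
        findings.append("SSLStrip")

    # SSLBump: a proxy was introduced into the network stack configuration.
    if o.proxy_configured:
        findings.append("SSLBump")

    if o.tls_version is not None:
        # TLS Protocol Downgrade: version below policy, or a weak cipher negotiated.
        weak = any(m in (o.cipher or "") for m in WEAK_CIPHER_MARKERS)
        if _TLS_RANK.get(o.tls_version, -1) < _TLS_RANK[MIN_TLS] or weak:
            findings.append("TLS Protocol Downgrade")

        # Host Certificate Hijacking: the pinned key was not presented and the
        # chain ends at a root outside the shipped store, i.e. a locally
        # provisioned CA (the "SSL intercept" case).
        pin = PINS.get(o.host)
        if pin is not None and o.leaf_spki_sha256 != pin:
            if o.root_issuer not in SHIPPED_ROOTS:
                findings.append("Host Certificate Hijacking")
            else:
                # Mismatch under a shipped root may be key rotation or a
                # mis-issued certificate; surface it for review, not as a verdict.
                findings.append("Pin mismatch under shipped root")
    return findings


# Constructed sample observations.
CLEAN = Observation(
    host="mail.example.com",
    gateway_mac="aa:bb:cc:00:00:01", expected_gateway_mac="AA:BB:CC:00:00:01",
    requested_url="https://mail.example.com/", final_url="https://mail.example.com/",
    proxy_configured=False, tls_version="TLSv1.3", cipher="TLS_AES_128_GCM_SHA256",
    leaf_spki_sha256="11" * 32, root_issuer="Example Public Root CA",
)
ATTACKED = Observation(
    host="mail.example.com",
    gateway_mac="de:ad:be:ef:00:02", expected_gateway_mac="aa:bb:cc:00:00:01",
    requested_url="https://mail.example.com/", final_url="https://mail.example.com/",
    proxy_configured=False, tls_version="TLSv1", cipher="ECDHE-RSA-RC4-SHA",
    leaf_spki_sha256="22" * 32, root_issuer="Coffee Shop Captive Portal CA",
)
STRIPPED = Observation(
    host="mail.example.com",
    gateway_mac="aa:bb:cc:00:00:01", expected_gateway_mac="aa:bb:cc:00:00:01",
    requested_url="https://mail.example.com/", final_url="http://mail.example.com/",
    proxy_configured=True, tls_version=None, cipher=None,
    leaf_spki_sha256=None, root_issuer=None,
)

if __name__ == "__main__":
    for name, obs in (("clean", CLEAN), ("attacked", ATTACKED), ("stripped", STRIPPED)):
        print(name, classify(obs))
```

The ARP check relies on a baseline MAC captured at first association, so it only fires on a change after attachment; a hostile AP that was malicious from the start would have to be caught by the certificate and downgrade checks instead.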
`
`BRIEF SUMMARY
`
[0014] The security of network connections on a computing device is protected by detecting and preventing the compromise of the network connections, including man-in-the-middle attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network connection, blocking the network connection, switching to a different network connection, applying a policy, and sending anomaly information to a security server.
`
[0015] Other objects, features, and advantages of the embodiments will become apparent upon consideration of the following detailed description and the accompanying drawings, in which like reference designations represent like features throughout the figures.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0016] The embodiments are illustrated by way of
`example and not limitation in the figures of the accompa-
`nying drawings, in which like references indicate similar
`elements, and in which:
[0017] FIG. 1 is an exemplary block diagram depicting an embodiment of the disclosure.
[0018] FIG. 2 is an exemplary block diagram depicting a computing device.
[0019] FIG. 3 shows an exemplary block diagram of an embodiment of a system for detecting and preventing network connection compromise.
[0020] FIG. 4 shows a more detailed block diagram of an embodiment of a system for detecting and preventing network connection compromise, showing first hop network points of cell stations and Wi-Fi Access Points (APs).
[0021] FIGS. 5A and 5B illustrate a computing device displaying a status message regarding a network to which the computing device is connected, according to an embodiment.
[0022] FIGS. 6A and 6B illustrate a computing device displaying a message regarding a network to which the computing device is connected, and recommendations and instructions, according to an embodiment.
[0023] FIG. 6C illustrates a computing device displaying a message regarding a network to which the computing device is connected, and recommendations and a disconnect button, according to an embodiment.
[0024] FIG. 6D illustrates a computing device displaying a message regarding a network to which the computing device is connected, and recommendations, according to an embodiment.
[0025] FIG. 7 illustrates a computing device displaying a message regarding a network to which the computing device is connected, and recommendations, according to an embodiment.
[0026] FIGS. 8A and 8B illustrate a computing device displaying a status regarding a resolved network threat, according to an embodiment.
[0027] FIGS. 9A and 9B illustrate a computing device displaying a notification that a network attack was detected, according to an embodiment.
[0028] FIG. 10 illustrates a computing device displaying a notification upon a lockscreen that a network attack was detected, according to an embodiment.
[0029] FIG. 11 illustrates a computing device displaying a notification that a network to which the computing device is connected is safe, according to an embodiment.
[0030] FIG. 12 illustrates an administrator display showing the details of a high risk application threat in the category of a Man-in-the-Middle Attack, according to an embodiment.
[0031] FIG. 13 illustrates an administrator display showing the details of a Man-in-the-Middle Attack, according to an embodiment.
[0032] FIG. 14 illustrates an administrator display on which an administrator can specify Security Policy risk levels for threats, according to an embodiment.
[0033] FIG. 15 shows an exemplary block diagram of an embodiment of another system for detecting and preventing network connection compromise.
[0034] FIG. 16 shows a more detailed block diagram of an embodiment of another system for detecting and preventing network connection compromise, showing first hop network points of cell stations and Wi-Fi Access Points (APs).
`
`DETAILED DESCRIPTION
`
[0035] 1. Architecture
[0036] FIG. 1 is a simplified block diagram of a distributed computer network 100 incorporating an embodiment of the subject matter. Computer network 100 includes a number of computing devices 110a-110f and one or more server systems 120 coupled to a communication network 125 via a plurality of communication links 130. Communication network 125 provides a mechanism for allowing the various components of distributed network 100 to communicate and exchange information with each other.
[0037] Communication network 125 itself is comprised of one or more interconnected computer systems and communication links. Communication links 130 may include hardwire links, optical links, satellite or other wireless communications links, wave propagation links, or any other mechanisms for communication of information. Various communication protocols may be used to facilitate communication between the various systems shown in FIG. 1. These communication protocols may include TCP/IP, UDP, HTTP protocols, wireless application protocol (WAP), BLUETOOTH, Zigbee, 802.11, 802.15, 6LoWPAN, LiFi, Google Weave, NFC, GSM, CDMA, other cellular data communication protocols, wireless telephony protocols, Internet telephony, IP telephony, digital voice, voice over broadband (VoBB), broadband telephony, Voice over IP (VoIP), vendor-specific protocols, customized protocols, and others. While in one embodiment, communication network 125 is the Internet, in other embodiments, communication network 125 may be any suitable communication network including a local area network (LAN), a wide area network (WAN), a wireless network, a cellular network, a personal area network, an intranet, a private network, a near field communications (NFC) network, a public network, a switched network, a peer-to-peer network, and combinations of these, and the like.
[0038] In an embodiment, the server 120 is not located near a user of a computing device, and is communicated with over a network. In a different embodiment, the server 120 is a device that a user can carry upon his person, or can keep nearby. In an embodiment, the server 120 has a large battery to power long distance communications networks such as a cell network or Wi-Fi. The server 120 communicates with the other components of the personal mobile device system via wired links or via low powered short range wireless communications such as BLUETOOTH. In an embodiment, one of the other components of the personal mobile device system plays the role of the server, e.g., the watch 110b, the head mounted device or glasses or virtual reality or augmented reality device 110d, the phone or mobile communications device 110c, the tablet 110e, the PC 110a, and/or the vehicle (e.g., an automobile, or other manned or unmanned or autonomous vehicle for land or aerial or aquatic operation) 110f. Other types of computing devices 110 include other wearable devices, devices incorporated into clothing, implantable or implanted devices, ingestible devices, or 'things' in the internet of things, which may be sensors or actuators or mobile or sessile devices, or hubs or servers controlling such 'things' or facilitating their communications.
`
[0039] Distributed computer network 100 in FIG. 1 is merely illustrative of an embodiment incorporating the embodiments and does not limit the scope of the invention as recited in the claims. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. For example, more than one server system 120 may be connected to communication network 125. As another example, a number of computing devices 110a-110f may be coupled to communication network 125 via an access provider (not shown) or via some other server system.
[0040] Computing devices 110a-110f typically request information from a server system that provides the information. Server systems by definition typically have more computing and storage capacity than these computing devices, which are often such things as portable devices, mobile communications devices, or other computing devices that play the role of a client in a client-server operation. However, a particular computing device may act as both a client and a server depending on whether the computing device is requesting or providing information. Aspects of the embodiments may be embodied using a client-server environment or a cloud computing environment.
[0041] Server 120 is responsible for receiving information requests from computing devices 110a-110f, for performing processing required to satisfy the requests, and for forwarding the results corresponding to the requests back to the requesting computing device. The processing required to satisfy the request may be performed by server system 120 or may alternatively be delegated to other servers connected to communication network 125 or to other communications networks. A server 120 may be located near the computing devices 110 or may be remote from the computing devices 110. A server 120 may be a hub controlling a local enclave of things in an internet of things scenario.
[0042] Computing devices 110a-110f enable users to access and query information or applications stored by server system 120. Some example computing devices include portable electronic devices (e.g., mobile communications devices) such as the Apple iPhone®, the Apple iPad®, the Palm Pre™, or any computing device running the Apple iOS™, Android™ OS, Google Chrome OS, Symbian OS®, Windows 10, Windows Mobile® OS, Palm OS® or Palm Web OS™, or any of various operating systems used for Internet of Things (IoT) devices or automotive or other vehicles or Real Time Operating Systems (RTOS), such as the RIOT OS, Windows 10 for IoT, WindRiver VxWorks, Google Brillo, ARM Mbed OS, Embedded Apple iOS and OS X, the Nucleus RTOS, Green Hills Integrity, or Contiki, or any of various Programmable Logic Controller (PLC) or Programmable Automation Controller (PAC) operating systems such as Microware OS-9, VxWorks, QNX Neutrino, FreeRTOS, Micrium µC/OS-II, Micrium µC/OS-III, Windows CE, TI-RTOS, RTEMS. Other operating systems may be used. In a specific embodiment, a "web browser" application executing on a computing device enables users to select, access, retrieve, or query information and/or applications stored by server system 120. Examples of web browsers include the Android browser provided by Google, the Safari® browser provided by Apple, the Opera Web browser provided by Opera Software, the BlackBerry® browser provided by Research In Motion, the Internet Explorer® and Internet Explorer Mobile browsers provided by Microsoft Corporation, the Firefox® and Firefox for Mobile browsers provided by Mozilla®, and others.
[0043] In the description that follows, the subject matter will be described with reference to acts and symbolic representations of operations that are performed by one or more devices, unless indicated otherwise. As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the device, which reconfigures or otherwise alters the operation of the device in a manner well understood by those skilled in the art. The data structures where data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the subject matter is being described in the foregoing context, it is not meant to be limiting as those of skill in the art will appreciate that various acts and operations described hereinafter may also be implemented in hardware.
[0044] FIG. 2 shows an exemplary computing device 200 of an embodiment. Computing device 200 may be any of the computing devices 110 from FIG. 1. Computing device 200 may include a display, screen, or monitor 205, housing 210, and input device 215. Housing 210 houses familiar computer components, some of which are not shown, such as a processor 220, memory 225, battery 230, speaker, transceiver, antenna 235, microphone, ports, jacks, connectors, camera, input/output (I/O) controller, display adapter, network interface, mass storage devices 240, various sensors, and the like.
`
[0045] Input device 215 may also include a touchscreen (e.g., resistive, surface acoustic wave, capacitive sensing, infrared, optical imaging, dispersive signal, or acoustic pulse recognition), keyboard (e.g., electronic keyboard or physical keyboard), buttons, switches, stylus, or combinations of these.
`
[0046] Mass storage devices 240 may include flash and other nonvolatile solid-state storage or solid-state drive (SSD), such as a flash drive, flash memory, or USB flash drive. Other examples of mass storage include mass disk drives, floppy disks, magnetic disks, optical disks, magneto-optical disks, fixed disks, hard disks, SD cards, CD-ROMs, recordable CDs, DVDs, recordable DVDs (e.g., DVD-R, DVD+R, DVD-RW, DVD+RW, HD-DVD, or Blu-ray Disc), battery-backed-up volatile memory, tape storage, reader, and other similar media, and combinations of these.
[0047] Embodiments may also be used with computer systems having different configurations, e.g., with additional or fewer subsystems. For example, a computer system could include more than one processor (i.e., a multiprocessor system, which may permit parallel processing of information) or a system may include a cache memory. The computer system shown in FIG. 2 is but an example of a computer system suitable for use with the embodiments. Other configurations of subsystems suitable for use with the embodiments will be readily apparent to one of ordinary skill in the art. For example, in a specific implementation, the computing device is a mobile communications device such as a smartphone or tablet computer. Some specific examples of smartphones include the Droid Incredible and Google Nexus One, provided by HTC Corporation, the iPhone or iPad, both provided by Apple, and many others. The computing device may be a laptop or a netbook. In another specific implementation, the computing device is a non-portable computing device such as a desktop computer or workstation.
`
[0048] A computer-implemented or computer-executable version of the program instructions useful to practice the embodiments may be embodied using, stored on, or associated with computer-readable medium. A computer-readable medium may include any medium that participates in providing instructions to one or more processors for execution, such as memory 225 or mass storage 240. Such a medium may take many forms including, but not limited to, nonvolatile, volatile, transmission, non-printed, and printed media. Nonvolatile media includes, for example, flash memory, or optical or magnetic disks. Volatile media includes static or dynamic memory, such as cache memory or RAM. Transmission media includes coaxial cables, copper wire, fiber optic lines, and wires arranged in a bus. Transmission media can also take the form of electromagnetic, radio frequency, acoustic, or light waves, such as those generated during radio wave and infrared data communications.
`
[0049] For example, a binary, machine-executable version of the software useful to practice the embodiments may be stored or reside in RAM or cache memory, or on mass storage device 240. The source code of this software may also be stored or reside on mass storage device 240 (e.g., flash drive, hard disk, magnetic disk, tape, or CD-ROM). As a further example, code useful for practicing the embodiments may be transmitted via wires, radio waves, or through a network such as the Internet. In another specific embodiment, a computer program product including a variety of software program code to implement features of the embodiment is provided.
[0050] Computer software products may be written in any of various suitable programming languages, such as C, C++, C#, Pascal, Fortran, Perl, Matlab (from MathWorks, www.mathworks.com), SAS, SPSS, JavaScript, CoffeeScript, Objective-C, Objective-J, Ruby, Python, Erlang, Lisp, Scala, Clojure, and Java. The computer software product may be an independent application with data input and data display modules. Alternatively, the computer software products may be classes that may be instantiated as distributed objects. The computer software products may also be component software such as Java Beans (from Oracle) or Enterprise Java Beans (EJB from Oracle).
[0051] An operating system for the system may be the Android operating system, iPhone OS (i.e., iOS), Symbian, BlackBerry OS, Palm web OS, Bada, MeeGo, Maemo, Limo, or Brew OS. Other examples of operating systems include one of the Microsoft Windows family of operating systems (e.g., Windows 95, 98, Me, Windows NT, Windows 2000, Windows XP, Windows XP x64 Edition, Windows Vista, Windows 10 or other Windows versions, Windows CE, Windows Mobile, Windows Phone, Windows 10 Mobile), Linux, HP-UX, UNIX, Sun OS, Solaris, Mac OS X, Alpha OS, AIX, IRIX32, or IRIX64, or any of various operating systems used for Internet of Things (IoT) devices or automotive or other vehicles or Real Time Operating Systems (RTOS), such as the RIOT OS, Windows 10 for IoT, WindRiver VxWorks, Google Brillo, ARM Mbed OS, Embedded Apple iOS and OS X, the Nucleus RTOS, Green Hills Integrity, or Contiki, or any of various Programmable Logic Controller (PLC) or Programmable Automation Controller (PAC) operating systems such as Microware OS-9, VxWorks, QNX Neutrino, FreeRTOS, Micrium µC/OS-II, Micrium µC/OS-III, Windows CE, TI-RTOS, RTEMS. Other operating systems may be used.
[0052] Furthermore, the computer may be connected to a network and may interface to other computers using this network. The network may be an intranet, internet, or the Internet, among others. The network may be a wired network (e.g., using copper), telephone network, packet network, an optical network (e.g., using optical fiber), or a wireless network, or any combination of these. For example, data and other information may be passed between the computer and components (or steps) of a system useful in practicing the embodiments using a wireless network employing a protocol such as Wi-Fi (IEEE standards 802.11, 802.11a, 802.11b, 802.11e, 802.11g, 802.11i, and 802.11n, just to name a few examples), or other protocols, such as BLUETOOTH or NFC or 802.15 or cellular, or communication protocols may include TCP/IP, UDP, HTTP protocols, wireless application protocol (WAP), BLUETOOTH, Zigbee, 802.11, 802.15, 6LoWPAN, LiFi, Google Weave, NFC, GSM, CDMA, other cellular data communication protocols, wireless telephony protocols or the like. For example, signals from a computer may be transferred, at least in part, wirelessly to components or other computers.
[0053] FIG. 3 shows an exemplary block diagram of an embodiment of a system for detecting and preventing network connection compromise. Computing device 200 contains an Active MITM Detection component (AMD 304), which may be a stand-alone application, or may be a component of another application, such as a security application or banking application, or may be a component of the operating system, or may be a component of software running on a baseband processor of a computing device, or may involve multiple components distributed in a combination of the above locations. AMD 304 needs to be somewhere in the network flow between the originating device or the originating application program and the possible location of a man in the middle. AMD 304 may even be located on security server 320 in a configuration in which AMD 304 is making a connection back through the computing device 200 and thence onwards to any of probe endpoint servers 330a-330b or a destination host 340. In such a configuration, AMD 304 on the server 320 may make a connection (a normal network connection, or an encrypted network connection, or a network connection using a different physical network such as the cellular network (as opposed to a Wi-Fi network)) from the server 320 to the computing device 200, and from the computing device to the probe endpoint server 330a-330b or the destination host 340 via the network being tested or examined. Thus, in such configurations AMD 304 on server 320 communicates with an effective forwarding agent on the computing device 200, which in turn communicates with probe endpoint server 330a-330b or the destination host 340.
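One way an AMD can use a probe endpoint server, as an added example that is not the patent's or Lookout's code: the device opens a connection to the probe endpoint over the network under test, records the leaf key its own TLS stack was shown, and asks the endpoint to report the key it is actually serving. A TLS-terminating man in the middle cannot present the server's key, and cannot rewrite the report if the report is authenticated. The JSON message format, the nonce, the HMAC over the response and the pre-shared key (assumed here to be provisioned to the device by security server 320, for instance over the cellular path mentioned above) are all assumptions made for this example; the TLS layer is modelled by two small path classes so the exchange runs offline. The same probe function would run unchanged in the forwarding-agent configuration, with the agent relaying the messages.

```python
"""Active probe exchange between a device-side AMD and a probe endpoint server.

Added example, not code from the patent or from Lookout. The message format,
the HMAC-authenticated response and the pre-shared key are assumptions; the TLS
connection is modelled (DirectPath / InterceptedPath) rather than real.
"""
import hashlib
import hmac
import json
import secrets

# Assumed: provisioned to the device by the security server out of band.
PROBE_PSK = b"constructed-key-provisioned-by-security-server"


class ProbeEndpointServer:
    """Probe endpoint server (330a/330b): reports the SPKI hash it actually
    serves, bound to the client's nonce and authenticated with the PSK."""

    def __init__(self, host: str, spki_sha256: str):
        self.host = host
        self.spki_sha256 = spki_sha256

    def handle(self, request: bytes) -> bytes:
        req = json.loads(request)
        body = {"host": self.host, "nonce": req["nonce"], "served_spki": self.spki_sha256}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(PROBE_PSK, payload, hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag}).encode()


class DirectPath:
    """Model of a TLS connection: handshake() yields the leaf SPKI hash the
    device's TLS stack was shown; send() carries the application-layer probe."""

    def __init__(self, server: ProbeEndpointServer):
        self.server = server

    def handshake(self) -> str:
        return self.server.spki_sha256

    def send(self, request: bytes) -> bytes:
        return self.server.handle(request)


class InterceptedPath(DirectPath):
    """Same connection with a TLS-terminating MITM in front of the server:
    the device is shown the attacker's key and the attacker relays the probe."""

    def __init__(self, server: ProbeEndpointServer, attacker_spki: str, tamper: bool = False):
        super().__init__(server)
        self.attacker_spki = attacker_spki
        self.tamper = tamper

    def handshake(self) -> str:
        return self.attacker_spki

    def send(self, request: bytes) -> bytes:
        response = self.server.handle(request)
        if not self.tamper:
            return response
        # The attacker rewrites the report to match its own key but cannot
        # recompute the tag without the PSK.
        msg = json.loads(response)
        msg["body"]["served_spki"] = self.attacker_spki
        return json.dumps(msg).encode()


def probe(path: DirectPath, expected_host: str) -> str:
    """Device-side AMD: run one probe over `path` and return a verdict."""
    nonce = secrets.token_hex(16)
    observed_spki = path.handshake()
    msg = json.loads(path.send(json.dumps({"nonce": nonce}).encode()))
    payload = json.dumps(msg["body"], sort_keys=True).encode()
    expected_tag = hmac.new(PROBE_PSK, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, msg["tag"]):
        return "mitm: probe response forged"
    if msg["body"]["nonce"] != nonce or msg["body"]["host"] != expected_host:
        return "mitm: probe response replayed or misdirected"
    if msg["body"]["served_spki"] != observed_spki:
        return "mitm: presented certificate differs from the one served"
    return "clean"


# Constructed fixtures.
ENDPOINT = ProbeEndpointServer("probe-a.example.net", "33" * 32)
ATTACKER_SPKI = "44" * 32

if __name__ == "__main__":
    print(probe(DirectPath(ENDPOINT), "probe-a.example.net"))
    print(probe(InterceptedPath(ENDPOINT, ATTACKER_SPKI), "probe-a.example.net"))
    print(probe(InterceptedPath(ENDPOINT, ATTACKER_SPKI, tamper=True), "probe-a.example.net"))
```

The nonce ties each report to the probe that requested it, so a relayed copy of an earlier clean report does not pass; the host field stops a report from one probe endpoint being substituted for another. A real deployment would use several probe endpoints, as the figures show, so that an attacker who whitelists one of them still trips the others.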
`
[0054] AMD 304 may perform a variety of methods to detect whether there is a MITM on a network