公开(公告)号：US09930055B2

公开(公告)日：2018-03-27

申请号：US15228297

申请日：2016-08-04

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: H04L29/06 ,  H04L29/12 ,  G06F21/55

CPC classification number: H04L63/1416 ,  G06F21/556 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/1425 ,  H04L63/1441

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

公开(公告)号：US11849023B2

公开(公告)日：2023-12-19

申请号：US17308370

申请日：2021-05-05

Applicant: Palantir Technologies Inc.

Inventor： Ryan Castellucci ,  Philip Martin

IPC: H04L9/06 ,  H04L9/32 ,  G06F16/17 ,  G06F11/34 ,  G06F21/55 ,  G06F21/64

CPC classification number: H04L9/0643 ,  G06F11/3476 ,  G06F16/1734 ,  G06F21/552 ,  G06F21/64 ,  H04L9/3247 ,  H04L9/3265 ,  H04L9/3297 ,  G06F2221/2151

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

公开(公告)号：US20230370483A1

公开(公告)日：2023-11-16

申请号：US18360713

申请日：2023-07-27

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: H04L9/40 ,  H04L61/5007 ,  G06F21/55

CPC classification number: H04L63/1416 ,  H04L61/5007 ,  H04L63/0272 ,  H04L63/029 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/145 ,  H04L63/20 ,  G06F21/556

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

公开(公告)号：US20180302216A1

公开(公告)日：2018-10-18

申请号：US16009094

申请日：2018-06-14

Applicant: Palantir Technologies Inc.

Inventor： Ryan Castellucci ,  Philip Martin

IPC: H04L9/06 ,  G06F17/30 ,  G06F11/34 ,  H04L9/32 ,  G06F21/64 ,  G06F21/55

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

公开(公告)号：US20160344756A1

公开(公告)日：2016-11-24

申请号：US15228297

申请日：2016-08-04

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1416 ,  G06F21/556 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/1425 ,  H04L63/1441

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

公开(公告)号：US20160254906A1

公开(公告)日：2016-09-01

申请号：US15149499

申请日：2016-05-09

Applicant: Palantir Technologies Inc.

Inventor： Ryan Castellucci ,  Philip Martin

IPC: H04L9/06 ,  H04L9/32 ,  G06F17/30

CPC classification number: H04L9/0643 ,  G06F11/3476 ,  G06F17/30144 ,  G06F21/552 ,  G06F21/64 ,  G06F2221/2151 ,  H04L9/3247 ,  H04L9/3265 ,  H04L9/3297

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

公开(公告)号：US20160050224A1

公开(公告)日：2016-02-18

申请号：US14823935

申请日：2015-08-11

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1416 ,  G06F21/556 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/1425 ,  H04L63/1441

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

Abstract translation: 提供了检测恶意网络隧道的各种系统和方法。 例如，可以访问VPN日志和数据连接日志。 VPN日志可以列出已经与企业网络建立VPN连接的客户端IP地址。 数据连接日志可能列出已请求企业网络外部连接的客户端IP地址以及请求连接的远程IP地址。 可以解析VPN日志和数据连接日志，以将VPN日志中存在的IP地址识别为客户端IP地址，并将数据连接日志标识为远程IP地址。 如果IP地址如此存在，则可以检索与IP地址相关联的用户数据和流量数据以产生风险分数。 如果风险分数超过阈值，则生成要在GUI中显示的警报。

公开(公告)号：US20180159874A1

公开(公告)日：2018-06-07

申请号：US15891873

申请日：2018-02-08

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: H04L29/06 ,  H04L29/12 ,  G06F21/55

CPC classification number: H04L63/1416 ,  G06F21/556 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/1425 ,  H04L63/1441

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

公开(公告)号：US09419992B2

公开(公告)日：2016-08-16

申请号：US14823935

申请日：2015-08-11

Applicant: Palantir Technologies Inc.

Inventor： Juan Ricafort ,  Harkirat Singh ,  Philip Martin

IPC: G06F12/14 ,  H04L29/06 ,  H04L29/12 ,  G06F21/55

CPC classification number: H04L63/1416 ,  G06F21/556 ,  H04L61/2007 ,  H04L63/0272 ,  H04L63/1425 ,  H04L63/1441

Abstract: Various systems and methods are provided that detect malicious network tunneling. For example, VPN logs and data connection logs may be accessed. The VPN logs may list client IP addresses that have established a VPN connection with an enterprise network. The data connection logs may list client IP addresses that have requested connections external to the enterprise network and remote IP addresses to which connections are requested. The VPN logs and the data connection logs may be parsed to identify IP addresses that are present in the VPN logs as a client IP address and in the data connection logs as a remote IP address. If an IP address is so present, user data and traffic data associated with the IP address may be retrieved to generate a risk score. If the risk score exceeds a threshold, an alert to be displayed in a GUI is generated.

Abstract translation: 提供了检测恶意网络隧道的各种系统和方法。 例如，可以访问VPN日志和数据连接日志。 VPN日志可以列出已经与企业网络建立VPN连接的客户端IP地址。 数据连接日志可能列出已请求企业网络外部连接的客户端IP地址以及请求连接的远程IP地址。 可以解析VPN日志和数据连接日志，以将VPN日志中存在的IP地址识别为客户端IP地址，并将数据连接日志标识为远程IP地址。 如果IP地址如此存在，则可以检索与IP地址相关联的用户数据和流量数据以产生风险分数。 如果风险分数超过阈值，则生成要在GUI中显示的警报。

公开(公告)号：US20150188715A1

公开(公告)日：2015-07-02

申请号：US14223918

申请日：2014-03-24

Applicant: Palantir Technologies, Inc.

Inventor： Ryan Castellucci ,  Philip Martin

IPC: H04L9/32

CPC classification number: H04L9/0643 ,  G06F11/3476 ,  G06F17/30144 ,  G06F21/552 ,  G06F21/64 ,  G06F2221/2151 ,  H04L9/3247 ,  H04L9/3265 ,  H04L9/3297

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

Abstract translation: 在一些实施例中，可验证的可修改日志，其在每个条目中可以包含多个哈希值，以便将日志的机密性确认为可验证性。 可以使用重新计算散列和验证可信数字签名来验证日志。 在一些实施例中，日志可以被划分成段，每个段由时间服务器签名或使用临时密钥系统进行自签名。 在一些实施例中，关于特定对象或事件的日志消息可以嵌套在日志内以防止报告省略。 日志记录系统可能会收到进入日志的事件或消息。