WO2013079113A1 - Secure cloud browsing client-server system and method of secure remote browsing using the same - Google Patents

Info

Publication number
WO2013079113A1
Authority
WO
WIPO (PCT)
Prior art keywords
browsing
server
client
instance
client device
Application number
PCT/EP2011/071507
Other languages
French (fr)
Inventor
Carlos DEL OJO ELIAS
Roberto Di Pietro
Antonio Felguera Segador
David HERNANDO DAVALILLO
Miquel MARIÑO ESPINOSA
Marta PALANQUES VILALLONGA
Marcel MALET ABULI
Original Assignee
Fundacio Privada Barcelona Digital Centre Tecnologic
Silk Aplicaciones S.L.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes, during internet communication, e.g. revealing personal data from cookies
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques

Definitions

  • the present invention relates generally to securely navigating the Internet and more specifically to a novel Secure Cloud Browsing Client-Server system, and corresponding method of securely navigating the internet using the same.
  • WWW: World Wide Web
  • Some examples of these applications are web mails, e-commerce, online banking, corporate intranets, social networks or office suites.
  • FIG. 1 depicts a standard system architecture 100 for navigating the Internet.
  • a piece of software called a browser 111, installed on a user's computing device 110, such as a personal computer (PC), is executed.
  • the browser 111 establishes a communication link 140 from the user's device 110 to a web server 120 hosted by any web application provider.
  • the link 140 is established over a network 130, which is typically the Internet, but which can also be any sort of public or private network.
  • the most common browsers used are Internet Explorer from Microsoft, Firefox from Mozilla, Chrome from Google, or Safari from Apple.
  • to retrieve a document the user enters an address, or Uniform Resource Locator (URL), into the browser, triggering a request to be sent from the PC's browser to the web server via the Hypertext Transfer Protocol (HTTP).
  • the web server 120 receives and processes the request and either retrieves the document from local storage or generates it dynamically.
  • the web server 120 then transmits the document to the user's PC 110 via link 140.
  • once the browser on the PC receives the document, it processes its contents and renders it on the user device's 110 display.
  • Another problem is that a browser' s vulnerability can be exploited locally without the user even noticing it.
  • the effects of the attack are persistently stored and affect all future browsing sessions.
  • the browser can thus be under an attacker's influence: the attacker can record user actions, access sensitive information, or modify the user's actions, while hiding these modifications from the user by editing the server's responses.
  • the user's device might lack the mechanisms to implement robust channel encryption negotiation. In such case this also becomes an added security risk that can also lead to leakage of confidential information or to modification of the communication between parties (browser and server). Furthermore, in this case, these risks can be materialized without the need for an attacker to gain control over the user's device.
  • a secure server in response to a request for browsing the internet received from a client, transmits an executable file to be run on the client device.
  • the resulting computer application permits access to a remote browser hosted in the secure server.
  • the user browses the internet in a transparent manner, however from within a highly secured browsing environment as provided by the secure server. In this manner the exposure to malicious software attacks directly at the client device is minimised.
  • the client-server solution of the invention is advantageous in that the responsibility for securing the navigating environment is assigned to a network administrator, who, given their knowledge and resources, is better suited for these tasks than the standard end user navigating the WWW.
  • This administrator can be located anywhere on the Internet, and has the flexibility to enhance the security of the browsing experience of any user, no matter its location in the World Wide Web. Hence this enhanced security can be referred to as a Cloud solution, and the server managed by the administrator a Cloud Server.
  • the administrator would therefore be enabled to maximise the protection provided to the client's browsing environment, as well as the communication channel, hence securing the navigation environment, while at the same time enabling a more pleasing browsing experience removing from the user the need to worry about security risks or administration.
  • a solution accomplishing these conditions is therefore beneficial for both parties.
  • a device at a server is provided which is configured to communicate with the end user's computing device and the web application server in order to provide a secure browsing environment for the end user.
  • the client device is provided with an application which is configured to communicate with the device at the server in order to provide a secure browsing environment for the end user.
  • Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at a secure server on the Internet.
  • Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at the client device.
  • Another embodiment of the invention provides a computer readable medium configured to store instructions, which when executed on the client device, performs a method of secure Internet browsing.
  • Another embodiment of the invention provides a computer readable medium configured to store instructions, which when executed on the device at the server, performs a method of secure Internet browsing.
  • the invention provides methods and devices that implement various aspects, embodiments, and features of the invention, and are implemented by various means. For example, these techniques may be implemented in hardware, software, firmware, or a combination thereof.
  • the processing units may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro- controllers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
  • the various means may comprise modules (e.g. procedures, functions, and so on) that perform the functions described herein.
  • the software codes may be stored in a memory unit and executed by a processor.
  • the memory unit may be implemented within the processor or external to the processor.
  • FIG. 1 is a general overview of an Internet navigation system of the prior art.
  • FIG. 2 depicts a general overview of the client-server embodiment of the Secure
  • FIG. 3 depicts a detailed view of the client-server embodiment of the Secure Client-Server architecture together with its components both on client and server side.
  • FIG. 4 depicts components of the Secure Server System at the server side.
  • FIG. 5 depicts components of the user device together with the Client Access Tool at the client side.
  • FIG. 6 depicts the different approaches to obfuscation code renewal according to one aspect of the invention.
  • FIG. 7 depicts the communication between client and server via a Tunneling
  • FIG. 8 depicts components of the Monitoring Manager according to another embodiment of the invention.
  • FIG. 9 depicts a method of assigning a secure browsing or testing environment for new sessions.
  • FIG. 10 depicts communication flows of a download and connection process according to one aspect of the invention.
  • FIG. 11 depicts communication flows of a download and connection process according to another aspect comprising user authentication.
  • FIG. 12 depicts communication flows of a download and connection process according to another aspect illustrating a transport process to a secured browsing environment.
  • FIG. 13 depicts communication flows of a download and connection process according to another aspect illustrating further details of the communication between the client and the server.
  • FIG. 14 depicts communication flows of a download and connection process according to another aspect illustrating new tab creation.
  • webpage refers to the data files hosted on diverse computing devices on the Internet and which are served to end users by transmission to their computing devices so that they can be displayed for viewing on the user device's display.
  • the term "browser” refers to the software, computer program, or application, which permits the content files received to be displayed on the user device's display.
  • the browser typically performs a number of data processing actions for converting the received data file to a format ready for display.
  • malware will be used to refer to any code, such as software code or a computer program, which is hosted by a legitimate user and which executes actions to the detriment of the host, thereby exhibiting malicious behaviour.
  • From the following description, it will be understood by the person skilled in the art that, although any one preferred aspect of the invention already provides solutions to at least some of the problems of the devices and methods of the prior art, the combination of multiple aspects herein disclosed results in additional synergistic advantageous effects over the prior art, as will be described in the following.
  • FIG. 2 depicts an embodiment of the invention wherein a client-server architecture is provided for secure web browsing.
  • a Secure Server System, SSS, 210 is provided as a highly secured remote access point to the WWW 130.
  • a Client Access Tool, CAT 220 is used with the specific function of offering a transparent access interface to the Secure Server System. A user wanting to visit a web site will access it through the proposed system in order to secure his session.
  • Both Secure Server System and Client Access Tool work together via communication link 230 providing an intermediate layer between the web application and the user's device resulting in a browsing architecture which is independent of the web site to be accessed.
  • the Secure Server System 210 can be placed in the user's internal network and managed by the network administrator, so that it is used to securely browse all accessed web applications.
  • the Secure Server System might be managed by the owner of a specific web application and act as a proxy for incoming sessions to the web application server. In this case, the platform exclusively protects sessions in the mentioned web application.
  • we will generally refer to the Secure Server System administrator simply as the administrator, independently of the location of the Secure Server System in the network.
  • FIG. 3 is another view of the system architecture of the embodiment of FIG. 2 depicting further details of the client-server components once deployed.
  • the exchange of data and control information flows to and from the user's computing device 110, the Secure Server System 310, and the web application server 120 via the internet 130, or other data communication network.
  • the user device 110 comprises the local browser 111 as well as an additional Client Access Tool 220.
  • this Client Access Tool does not originally reside on any of the computing devices 110. It is deployed by the server side and executed on each client that requires secure browsing.
  • the Secure Server System 210 comprises an Access Manager 311, a Connection Manager 312, a Monitoring Manager 313, and at least one instance of a Secure Browsing Server 320.
  • Each Secure Browsing Server comprises at least one Secure Browsing Instance 330, each instance comprising one Secure Remote Browser 335.
  • the number of Secure Browsing Servers and Instances in the system depends on the number of users accessing the Secure Server System simultaneously, as will be explained further below.
  • the Secure Browsing Server is configured to deliver a new environment to the user for every browsing session. This is done by creating a Secure Browsing Instance with its corresponding Remote Browser, which is used instead of the Local Browser to access the final web application from the user's device 110, however remotely and securely.
  • the Access Manager's 311 main function is to coordinate the establishment of the communication with the user's standard browser in a transparent manner.
  • the Connection Manager 312 is responsible for managing the plurality of Secure Browsing Servers, creating and destroying Secure Browsing Instances as needed, and coordinating communication between the Client Access Tool and the Secure Browsing Server.
  • the Monitoring Manager 313 monitors events inside every instance and the overall status of the Secure Browsing Servers, performs a risk estimation and can take actions depending on the level of the estimated risk.
  • a user that wants to access a specific webpage introduces the web page's URL in his local browser 111.
  • the request is routed to the Access Manager 311, which will in turn deliver a Client Access Tool 220, such as an executable file, to the user's device 110, the Client Access Tool 220 being customized for one specific session.
  • the Secure Browsing Server 320 hosted in the Secure Server System 210 creates one Secure Browsing Instance 330, which is assigned to the user as a browsing environment for the mentioned session and interacts with its corresponding Client Access Tool 220.
  • the Client Access Tool is executed in the user's computer, it establishes a session with its assigned Secure Browsing Instance 330 through the Connection Manager 312.
  • a Secure Remote Browser 335, executed inside the Secure Browsing Instance 330, fetches, retrieves and renders the contents of the destination web site following the usual process, as if it were hosted on the end user's computing device 110. Once rendered, the webpage contents are sent to the Client Access Tool 220 as images for display on the user's device. No HTML code, or any other type of programmable code, is sent to the client. Transmitting the webpage contents as an image reduces the processing to be performed at the user's device, since the images can be displayed almost directly, and it adds to the security of the transaction, making the webpage more tamper resistant.
  • the Client Access Tool therefore only receives ready-made images or screen directives for displaying on the user device's display.
  • the user device 110 will therefore not be involved in the parsing, compiling, rendering, or other common webpage processing steps, necessary to display an image for viewing. Instead, it either displays the received image or generates an image as a result of screen directives.
  • the Client Access Tool is configured with the capability of retrieving instructions input by the user via the device's keyboard or mouse. These instructions are simply routed from the Client Access Tool to the Secure Remote Browser where they are actually transmitted to the application server, effectively enabling the user to interact with it.
  • One of the key advantages of the present client-server architecture is that it provides additional security by segregating the high-risk components from the end-user device and isolating them at the Secure Server System. Since code never reaches the user's device, the user is protected from any infection caused by potentially malicious source code, which stays at the server. Moreover, since only images are finally transmitted to the end user instead of source code, the risk of malicious intervention on the user device is minimised, yielding a highly secure environment. At the same time, the user is able to perform all actions as if the full browsing software were hosted on his own device, in a completely transparent manner.
  • As stated before, a new Secure Browsing Instance is created upon every session establishment, so that every session is assigned one specific instance.
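The session flow described above (Access Manager hands out a per-session Client Access Tool, the Connection Manager binds it to one fresh Secure Browsing Instance, keyboard events go up, rendered bitmaps come down, and the instance is destroyed with the session), as an added simulation that is not code from the patent. The message types, the key-event encoding, the toy rasteriser and all class and function names are assumptions made for illustration; a real deployment would run this exchange over an encrypted tunnel and render with a real browser engine.

```python
import secrets
import struct
import zlib

MSG_FRAME, MSG_INPUT, MSG_CLOSE = 1, 2, 3   # assumed message types
KEY_PRESS = 0x01                             # assumed input event kind
WIDTH, HEIGHT = 64, 16                       # toy screen size in pixels


class SecureBrowsingInstance:
    """One per session; the page and its state live here and never leave."""

    def __init__(self, url):
        self.url = url
        # Constructed stand-in for the fetched page: a form with one text field.
        self.html = "<html><body><form><input name='amount'></form></body></html>"
        self.field = ""                      # text typed into the field so far

    def handle_input(self, event):
        """Apply a raw keyboard event relayed by the Client Access Tool."""
        kind, key = struct.unpack("!BB", event)
        if kind == KEY_PRESS:
            self.field += chr(key)

    def render(self):
        """Rasterise the page to an 8-bit grey bitmap: all the client gets.

        Toy renderer: every typed character lights one pixel on row 8. The
        markup in self.html is consumed here and never appears in the output.
        """
        pixels = bytearray(WIDTH * HEIGHT)
        for col in range(min(len(self.field), WIDTH)):
            pixels[8 * WIDTH + col] = 255
        return struct.pack("!HH", WIDTH, HEIGHT) + zlib.compress(bytes(pixels))


class ConnectionManager:
    """Binds one-time session tokens to instances and relays both streams."""

    def __init__(self):
        self._sessions = {}                  # token -> live instance

    def issue_client_access_tool(self, url):
        """Access Manager step: mint the token baked into the downloaded CAT."""
        token = secrets.token_bytes(16)
        self._sessions[token] = SecureBrowsingInstance(url)
        return token

    def is_live(self, token):
        """True while the token still maps to an instance (false once closed)."""
        return token in self._sessions

    def send(self, token, msg_type, payload=b""):
        """Client -> server message; returns (reply_type, reply_payload)."""
        inst = self._sessions.get(token)
        if inst is None:
            raise PermissionError("unknown or already-spent session token")
        if msg_type == MSG_INPUT:
            inst.handle_input(payload)
            return MSG_FRAME, inst.render()
        if msg_type == MSG_CLOSE:
            del self._sessions[token]        # instance destroyed, token spent
            return MSG_CLOSE, b""
        raise ValueError("unsupported message type")


def key_event(ch):
    """Encode one key press the way the Client Access Tool would send it."""
    return struct.pack("!BB", KEY_PRESS, ord(ch))


def decode_frame(frame):
    """Client side: unpack a frame into (width, height, raw pixels)."""
    width, height = struct.unpack("!HH", frame[:4])
    return width, height, zlib.decompress(frame[4:])


def lit_pixels(frame):
    """Number of lit pixels, i.e. characters visible on the rendered screen."""
    return decode_frame(frame)[2].count(255)


def client_session(cm, url, text):
    """Drive one whole session as the Client Access Tool would.

    Returns the (now spent) token and the last frame displayed.
    """
    token = cm.issue_client_access_tool(url)
    frame = None
    for ch in text:
        reply_type, frame = cm.send(token, MSG_INPUT, key_event(ch))
        if reply_type != MSG_FRAME:
            raise RuntimeError("server must only send rendered frames")
    cm.send(token, MSG_CLOSE)                # one-time browser: ends the session
    return token, frame


if __name__ == "__main__":
    manager = ConnectionManager()
    spent_token, last_frame = client_session(manager, "https://bank.example/", "42")
    print("characters on screen:", lit_pixels(last_frame))
    print("token still valid after close:", manager.is_live(spent_token))
```

Two properties worth noting in the simulation: the `html` attribute is read only inside `render()`, so nothing but pixels crosses `send()`, and `MSG_CLOSE` deletes the instance together with its token, which is what makes the downloaded tool single-use.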
  • a Secure Browsing Server is capable of serving many sessions simultaneously and of delivering a new environment for every session; each environment is isolated from the others and from the Secure Browsing Server itself, which acts as host to this plurality of Secure Browsing Instances.
  • the Secure Browsing Instance acts as a container wherein the data and processes running inside belong to one specific session and cannot be accessed from outside, and vice versa.
  • a container is an isolated environment that provides an abstraction of an operating system. In this case, each container holds one independent Secure Browsing Instance. This adds further security, as the container environment prevents an attack by a malicious user on a given browsing environment from automatically propagating throughout the server.
  • FIG. 4 shows a simplified block diagram of a Secure Browsing Server 400 architecture.
  • the Secure Browsing Server comprises at least one Secure Browsing Instance 410 depending on the number of simultaneous sessions which are active. It additionally comprises physical hardware resources 440, and a host operating system 430, which could be Linux, Windows or any other OS, and an isolation layer 420 that enables the server to create completely separate Secure Browsing Instances 330.
  • Each Secure Browsing Instance comprises isolated input/output resources 413, like network access or a file system.
  • Each environment corresponds to a specific user session and runs a Server Access Controller 412, which synchronises with the Client Access Tool, and one Remote Browser 335 that provides access to the WWW.
  • Prior art servers have been described wherein a large number of simultaneous user sessions are hosted in the same server.
  • a problem with one session typically affects other concurrent sessions.
  • general system-spread errors simultaneously affect not only one, but many of the active sessions.
  • all sessions are vulnerable to system-level anomalies.
  • Another problem is that a system-level error intentionally caused by an attacker would have a detrimental effect on a large group of users. Such an attack could target the confidentiality of user data, which could be intentionally leaked to other users.
  • the isolation layer 420 solves these problems by providing strong isolation between navigation environments, and with the host, with the use of virtualization techniques
  • the isolation layer 420 confines the processes and data of each environment therefore removing completely the possibility of interference between environments. This ensures that, even if an instance would get infected, it would only affect the current session and not any concurrent users. Moreover, virtualization also enables the possibility to effectively delete and reset the Secure Browsing Instance for every session. This means that changes in an instance (for example, a malicious modification of the Secure Remote Browser) will not affect future sessions, since they are confined in the isolated instance and erased with it.
  • the preferred virtualization technology is container-based virtualization, in which the host and the instances share the same kernel in a controlled way while each instance has an independent file system at its disposal. This mechanism offers a good isolation level together with low resource consumption and fast deployment of instances. The trade-off to keep in mind is that the shared kernel is itself part of the attack surface: a kernel vulnerability reachable from inside an instance would defeat this isolation, whereas hypervisor-based virtualization would contain it at the cost of heavier instances.
  • container-based virtualization also calls for explicit resource management. Since CPU and RAM are shared among containers, one instance could, unintentionally or deliberately, monopolise them and degrade performance for every other instance. Mechanisms to cap the CPU time and RAM an instance may consume are therefore introduced, so that no single container can exhaust or unfairly claim the shared resources.
  • the present invention comprises other measures aimed at limiting, from within any one environment, the visibility of the other instances and of their communications.
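The CPU and RAM ceilings called for above, as an added example that is not code from the patent. Container runtimes enforce such caps through cgroups; this block applies the same policy to a child process with `setrlimit` so it can be run unprivileged. It assumes Linux (`RLIMIT_AS` is not enforced on every platform), uses the current Python interpreter as a stand-in for a browsing instance, and the function names are assumptions.

```python
import resource
import subprocess
import sys


def _apply_ceiling(limit, value):
    """Lower a resource limit to `value`, never above the existing hard limit."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def run_limited(argv, max_address_space, max_cpu_seconds, timeout=60):
    """Run argv with hard ceilings on address space (bytes) and CPU time (s).

    Returns the child's exit status: 0 on success, > 0 if it failed inside the
    limit (e.g. a MemoryError), < 0 if the kernel killed it for exceeding the
    CPU ceiling (SIGXCPU or SIGKILL). The limits are set in the child just
    before exec, so they survive into the program being started.
    """
    def apply_limits():
        _apply_ceiling(resource.RLIMIT_AS, max_address_space)
        _apply_ceiling(resource.RLIMIT_CPU, max_cpu_seconds)

    proc = subprocess.run(argv, preexec_fn=apply_limits, timeout=timeout,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def run_python_snippet(code, max_address_space=512 << 20, max_cpu_seconds=2):
    """Run a Python one-liner as the limited 'instance' (assumed helper)."""
    return run_limited([sys.executable, "-c", code],
                       max_address_space, max_cpu_seconds)


if __name__ == "__main__":
    print("well-behaved instance:", run_python_snippet("bytearray(8 << 20)"))
    print("memory hog (MemoryError expected):", run_python_snippet("bytearray(4 << 30)"))
    print("CPU hog (killed by kernel):", run_python_snippet("while True: pass", max_cpu_seconds=1))
```

The hog processes fail or die while the parent, playing the role of the Secure Browsing Server, keeps running and gets a status code to feed into the Monitoring Manager's risk estimate.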
  • the file system is a non-shared resource between containers. The problem here is that replicating a complete file system for every instance can make the system non-viable due to its accumulated overall size. However since most of the file system's content is immutable, which means that some parts never (or nearly never) change in time and are identical among instances, this content can be shared among instances.
  • every Secure Browsing Server contains a master file system containing the directories to be shared.
  • each instance's file system is composed of non-shared files, or directories, and a set of hard links pointing to locations in the master file system.
  • a hard link is a directory entry that associates a name with a file on a file system. Consequently, every Secure Browsing Instance has two types of elements in its file system: real files and hard links to the master copy. Since a hard link is only a directory entry and adds no data blocks of its own, the storage footprint of every instance is considerably reduced, resulting in a scalable architecture. This highly scalable solution in turn enables a viable implementation on a large scale for many thousands or even millions of users.
  • the Secure Browsing Server confines each modification to its own environment, that is, to the Secure Browsing Instance in which the modification was caused. This is done by copying the modified file locally inside the container's file system as a non-shared file and, at the same time, erasing its hard link to the master instance. Because every hard link names the same inode as the master file, this copy must be made before the first write reaches the file: a write through an intact hard link would alter the master copy, and with it every other instance. With the copy in place, containers can share files while changes to any of them remain confined to the instance causing the change, so modifying a file in the shared file system does not affect the other sessions on the given Secure Browsing Server.
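The master-plus-hard-links layout and the copy-before-write rule from the preceding bullets, as an added example that is not code from the patent. It assumes a POSIX file system with hard-link support and plays the role of the isolation layer's write hook; the file names and contents are constructed, and a real deployment would enforce the same rule in the container runtime or with a copy-on-write file system rather than in application code.

```python
import os
import shutil
import tempfile
from pathlib import Path


def clone_instance(master, instance):
    """Replicate the master tree as directories plus hard links (no data copied)."""
    for src in master.rglob("*"):
        dst = instance / src.relative_to(master)
        if src.is_dir():
            dst.mkdir(parents=True, exist_ok=True)
        else:
            dst.parent.mkdir(parents=True, exist_ok=True)
            os.link(src, dst)                # dst names the same inode as src


def cow_write(path, data):
    """Write inside an instance without ever touching the shared master copy.

    A hard link is just another name for the master's inode, so opening it for
    writing would modify every instance at once. If the file is still shared
    (link count > 1), swap the link for a private copy first, then write.
    """
    if path.exists() and path.stat().st_nlink > 1:
        private = path.with_name(path.name + ".cow")
        shutil.copyfile(path, private)       # fresh inode, link count 1
        os.replace(private, path)            # atomically retire the hard link
    path.write_bytes(data)


def demo():
    """Master + two instances; modify one safely and one unsafely; report."""
    root = Path(tempfile.mkdtemp(prefix="sbs-"))
    master = root / "master"
    (master / "etc").mkdir(parents=True)
    (master / "usr" / "lib").mkdir(parents=True)
    conf_master = master / "etc" / "browser.conf"
    engine_master = master / "usr" / "lib" / "engine.so"
    conf_master.write_bytes(b"homepage=about:blank\n")       # constructed content
    engine_master.write_bytes(b"\x7fELF constructed stub")  # constructed content

    inst_a, inst_b = root / "inst-a", root / "inst-b"
    clone_instance(master, inst_a)
    clone_instance(master, inst_b)

    conf_a = inst_a / "etc" / "browser.conf"
    links_before = conf_a.stat().st_nlink                 # master + a + b
    cow_write(conf_a, b"homepage=evil.example\n")          # tampering confined to a

    # What the isolation layer must never allow: a plain write through the
    # link in instance b rewrites the shared inode, i.e. the master itself.
    (inst_b / "usr" / "lib" / "engine.so").write_bytes(b"TAMPERED")

    result = {
        "links_before": links_before,
        "conf_a_links_after": conf_a.stat().st_nlink,
        "conf_a": conf_a.read_bytes(),
        "conf_b": (inst_b / "etc" / "browser.conf").read_bytes(),
        "conf_master": conf_master.read_bytes(),
        "engine_master_after_unsafe_write": engine_master.read_bytes(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two writes show the point of the bullet: `cow_write` leaves the master and instance b untouched (link count drops from three to one on the private copy), while the plain write in instance b propagates straight into the master and therefore into every instance that still links to it.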
  • the Secure Browsing instance is meant to temporarily offer the tools needed to browse a web application and these tools are discarded after use.
  • the Secure Browsing Server of the present invention only requires the features specifically necessary to access a web application.
  • offering complementary features, or different configuration options would pose a new risk, since these options would be available both to legitimate and malicious users. Reducing the available features reduces the attack surface and makes it easy to control the user's actions.
  • not including these extra features generally decreases memory consumption, enabling a better scalable secure browsing architecture.
  • the Secure Browsing Server thus offers high scalability to serve a large number of users, while the provider can strictly control the actions a user can perform while interacting with its web site, since the provider itself supplies the tailored tools used to access its own web application.
  • a Client Access Tool 220 is supplied by the Secure Cloud Browser.
  • This Client Access Tool is a remote control client: it does not receive HTML, JavaScript or any other form of web source code, only rendered web contents, for instance compressed bitmaps, which it displays in its window. Malicious software that has infected the user device 110 and wants to alter session data to commit fraud would therefore first have to recover the transaction data from a bitmap and then change it, a computationally intensive process that would normally take a very long time, if it is possible at all. This raises the attacker's cost rather than removing the possibility; the firmer guarantee remains that no page code is executed on the user's device.
  • FIG. 5 shows the main components of the Client Access Tool 220 as integrated within the client device 110 it interacts with.
  • the Client Access Controller 540 communicates with the Server Access Controller 412 via communication interface 550.
  • the pair formed by the Client and Server Access Controllers offers interaction with one specific Secure Remote Browser. Any webpage contents to be displayed are received encrypted from the respective Secure Browsing Instance at the communication interface, which removes the tunnel encapsulation and decrypts them.
  • the Client Access Controller then coordinates the display of the received content on display 510 using image formats typically accepted by screen drivers, such as bitmaps.
  • the client device also has a keyboard 520 and mouse 530 to receive events and instructions from the user.
  • the Client Access Controller intercepts these events and instructions and retransmits them to the Secure Browsing Server after the communication interface has encrypted and tunnelled them. Although more details on encryption and tunnelling are given below, note that both operations are performed by the communication interface, transparently to the rest of the Client Access Tool. Once these events have been processed in the respective Secure Browsing Instance, the resulting changes are sent back to the Client Access Tool to update the displayed webpage contents.
  • the Client Access Tool is a security critical element of the client-server architecture, since it is executed in the user's environment, which cannot be assumed to be secure.
  • the Client Access Tool is exposed to many of the threats usually affecting a regular browser, which are derived from the environment's condition.
  • One of these is manipulation of the application, which is a common attack technique that consists in modifying part of the application's code, such that it will behave in a malicious way, for instance changing the content of webpage forms.
  • This type of attack is very common in electronic commerce, or banking activities, or electronic transactions, and they usually target the browser.
  • One way of overcoming this kind of threat is for the banking service provider to distribute secure hardware that in general terms contain protected software.
  • This software might be used to verify integrity of the interaction between user and local browser, might be a secure browser itself or even a full operating system.
  • this solution has a high cost for the institution, both in terms of hardware and distribution of it, and is cumbersome for the user, who is required to carry a physical device for accessing one application.
  • Another solution is to install a customized banking application on the client's device.
  • this solution requires the financial institution to cater not only for the server side of their electronic commerce activity, but also for the inadequacies of managing the client side.
  • this solution is also not usually welcomed by users, as it means installing yet another customised application on their devices.
  • where the user device has limited processing capabilities, such as a wireless mobile phone, smartphone, or tablet, this additional installation is undesirable and is not performed by users.
  • the Client Access Tool may be exposed to persistent manipulation if it is permanently stored in an infected machine.
  • the Client Access Tool is configured to be used only once per session. After the end of a session, the Client Access Tool is configured to stop operating. In this configuration the Client Access Tool is called a "one-time" browser OTB. This embodiment has the advantage of confining any attacks to a single session. Hence as sessions are destroyed, so is the malware created therein.
  • Since the Client Access Tool is expected to be downloaded by a large number of users with different platforms and operating systems, it needs to be compatible with a large variety of operating systems. Therefore, to ensure its widespread usability, it is programmed in a multiplatform language.
  • An example of a preferred multiplatform language is Java, since Java and its Java Virtual Machine (from now on JVM) are widespread in current user systems.
  • Since the Client Access Tool has to be downloaded every time the user wants to access a web application, download time is very important from a usability point of view and should be minimised. Therefore, to maximise the user's experience navigating with the Client Access Tool, in another aspect of the invention the application's functions are reduced to those necessary for, on one hand, receiving images and coordinating their display on the user device and, on the other hand, receiving user input and routing it from the client to the server side.
  • the application is not expected to perform any further functionality, as they will be offered by the Secure Cloud Browser environment with which it interacts.
  • the Client Access Tool is developed as a "thin" Client Access Tool wherein, firstly, it is designed to be part of a larger architecture where most computing load is hosted by a server.
  • a thin client only includes functionalities that have to be performed exclusively by the client, and not the server, and thus is as small as possible. This simplicity makes it especially suitable for use in hostile environments, providing the smallest attack surface, which is easier to secure.
  • responsibility of connection and configuration is mainly assigned to the Secure Server System, thus keeping management functions in the provider or administrator's control.
  • a thin client is very easy to download, thus minimizing the session establishment time.
  • Obfuscation consists in deliberately making code confusing and ambiguous, so that it is harder to understand and, as a consequence, to reverse engineer. This is achieved by applying a series of transformations to the original code, so that the control flow, the purpose of variables and functions, and constant values are hidden. Different transformations, chosen randomly, are applied to every instance; this ensures, on one hand, that the analysis of the code takes considerable time and, on the other, that the analysis of one specific instance does not simplify the analysis of any future instance. Hence, an attacker analyzing the code would not be able to write the above mentioned piece of malware, since he would not know what the next client's code would look like. Instead, he would need to analyze every Client Access Tool instance separately. Obfuscation, or code transformation techniques, are well known in the art. In the following, several aspects comprising the integration of code transformation techniques into the client-server architecture of the present invention are described.
  • a security period is assigned to the application code. After this security period the code is renewed automatically, and the obfuscated code is replaced by a new piece of obfuscated code, where different obfuscation transformations have been applied.
  • code renewal is implemented by choosing the security period based on the estimated complexity analysis of the final obfuscated Client Access Tool, such that the condition Tsec < Te is satisfied, where Tsec is the security period and Te is the estimated analysis time.
  • FIG. 6 shows different approaches to obfuscation code renewal.
  • two main parameters are taken into account: the time taken to download the new piece of code, Td, and the time period in which the Client Access Tool can be considered protected, Tp.
  • the first axis 610 represents a first aspect of code renewal. As can be seen, the user starts downloading the first instance of the Client Access Tool (CAT1) at time t1. At this same moment, the code is exposed to analysis by a malicious user either listening in on the channel or residing in the user's machine. Once the download has been completed at time t2, the first Client Access Tool is executed and used for a certain time.
  • the Secure Server System sends a new second instance of the Client Access Tool (CAT2).
  • the active session is interrupted, since none of the clients can be used. In other words, there are no active applications available for use.
  • a disadvantage with this second aspect of code renewal is that the effective security period of the second instance is decreased, since it is exposed at time t3 but not used until time t7. Hence, new clients need to be downloaded more frequently, so that they are available for use once the effective security period is over. This can lead to traffic congestion or to a situation where the Client Access Tool in use expires before the next one is available.
  • in a third aspect of code renewal, depicted in axis 630, the exact moment at which an application is first exposed can be controlled and adjusted.
  • This is implemented using encryption techniques.
  • the Access Manager 311 ciphers the Client Access Tool before delivering it in the background, which can be seen from the shaded intervals between time t3 and time t4, and between time t5 and time t6.
  • the Secure Server System delivers the deciphering key.
  • the second Client Access Tool is then deciphered by the user's device, and thus exposed for analysis only at the end of this deciphering operation, at time t8. At this same point it is also executed.
  • the exposure time can be managed by the Secure Server System, ensuring that the code is not exposed to analysis before it is needed.
  • the effective security period as defined by the time period between time t8 and time t9 is also the highest.
  • deciphering is a locally run operation which is generally faster than downloading the application.
  • the deciphering key does not need to be transmitted over any secure channel, since in this scenario it is assumed that the attacker already resides in an infected user device but would not have access to the application until it is deciphered. Therefore, in this third aspect of code renewal, a seamless transition between application instances is provided without compromising security.
  • obfuscation techniques are used which maximise the time required to hack a particular application code.
  • the security period is larger than the duration of a session. In an extreme case this security period is notably longer than the maximum session duration. In this case, there is no need to apply code renewal as just described.
  • obfuscation might be applied even to a group of clients, and not necessarily be uniquely applied to every delivered client. For instance, if the security period is estimated to be 24 hours long, the system might apply obfuscation once a day, generating a day-client that will be used for every session starting within that specific period.
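The three renewal timelines of FIG. 6 can be checked with a small scheduling model. The following Python is an added example and not part of the patent; it uses the page's Tsec, Td and Te and assumes an extra parameter Tdec (local deciphering time) for the ciphered approach.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Instance:
    """One delivered Client Access Tool instance on the FIG. 6 time axis."""
    download_start: float  # code starts crossing the channel
    exposed_at: float      # first moment an attacker can analyse the code
    active_from: float     # first moment the user can run it
    active_until: float    # exposed_at + Tsec; the instance must not be used after this

    @property
    def effective_security_period(self) -> float:
        return self.active_until - self.active_from


def renewal_is_sound(tsec: float, te: float) -> bool:
    """Condition Tsec < Te: the code is renewed before its estimated analysis time."""
    return tsec < te


def _usable(inst: Instance) -> Instance:
    # Failure mode named in the text: an instance that expires before it can be used.
    if inst.active_until <= inst.active_from:
        raise ValueError(
            f"instance downloaded at t={inst.download_start} expires before it becomes usable"
        )
    return inst


def plan_renewal(session_length: float, tsec: float, td: float,
                 approach: int, tdec: float = 0.0
                 ) -> Tuple[List[Instance], List[Tuple[float, float]]]:
    """Instances needed to cover a session, plus gaps with no usable instance.

    approach 1: foreground download, session interrupted meanwhile (axis 610)
    approach 2: plain background download, exposed as soon as it starts (axis 620)
    approach 3: ciphered background download; the key is delivered at switch-over,
                so exposure starts only when deciphering ends (axis 630)
    tdec is the assumed local deciphering time (approach 3 only).
    """
    if approach not in (1, 2, 3):
        raise ValueError("approach must be 1, 2 or 3")
    # The first instance is always downloaded in the open, so it is exposed from t=0.
    instances = [_usable(Instance(0.0, 0.0, td, tsec))]
    gaps: List[Tuple[float, float]] = []
    while instances[-1].active_until < session_length:
        prev = instances[-1]
        if approach == 1:
            start = prev.active_until
            nxt = Instance(start, start, start + td, start + tsec)
            gaps.append((prev.active_until, nxt.active_from))
        elif approach == 2:
            # download timed to finish exactly when the previous instance expires;
            # the code is exposed while it downloads, shortening its useful period
            start = prev.active_until - td
            nxt = Instance(start, start, prev.active_until, start + tsec)
        else:
            # ciphered code may be fetched early; deciphering ends at the switch-over,
            # so exposure and execution begin at the same moment
            start = prev.active_until - tdec - td
            nxt = Instance(start, prev.active_until, prev.active_until,
                           prev.active_until + tsec)
        instances.append(_usable(nxt))
    return instances, gaps
```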
  • in order to control which Client Access Tool is accessing which virtual environment, the unique Client Access Tool is bound to a specific Secure Browsing Instance at the server through two parameters: the session ID and the cipher key.
  • the session ID allows the Connection Manager to identify incoming connections and determine the Secure Browsing Instance to which it is destined. Hence it serves for routing purposes, but does not provide an effective access control mechanism for many reasons, the most important of which is the fact that the tunnel ID is known by the Connection Manager 312.
  • the cipher key on the other hand, is used to establish an end-to-end ciphered channel between the Client Access Tool and its corresponding container, and should only be known by these two players. Hence, this key could also be used as an access control token, if it was securely stored.
  • Key negotiation processes of the prior art comprise two parties using asymmetric cryptography to agree on a channel cipher symmetric key, and the standard method used is the Diffie-Hellman key exchange method.
  • the negotiation phase consists of an exchange of questions and answers (challenges and responses) that are used to determine a symmetric cipher key.
  • both parties locally store the agreed key and start ciphering their communication using a symmetric algorithm.
  • if the Client Access Tool stores the key in the user device's local memory, it is exposed to the adversary.
  • negotiation processes are aimed at two parties that never met before agreeing on a shared key, while the current scenario is quite different.
  • Both the Client Access Tool and the Secure Browsing Instance are part of a bigger unique architecture.
  • the Client Access Tool is actually issued by the Secure Server System - more specifically, by the Access Manager. Therefore, in this aspect of the invention no negotiation process is required, but it does need a mechanism that allows hiding of the key in the hostile environment.
  • a symmetric key system is preferably used, where two ends - the Client Access Tool and the container - share a pre-established key, which is embedded in the Client Access Tool before sending it to the client device.
  • the hard-coded key can be effectively hidden, even from an intruder with permissions in the user's environment.
  • since the client-server architecture of the present invention will need to handle a high number of concurrent sessions, it is desirable to design a dynamically scalable system tailored to the environment into which it will be integrated.
  • multiplication of the elements in the Secure Server System environment is needed to attend to the expected demand, such as deploying a plurality of Secure Browsing Servers, so that a higher number of Secure Browsing Instances can be offered.
  • the Connection Manager 312 is entrusted with this complex management task and its main responsibility is managing the creation of new Secure Browsing Instances upon request of the Access Manager 311.
  • when receiving the mentioned request, the Connection Manager requests from the Monitoring Manager 313 information on the Secure Browsing Servers' load. Based on this, the Connection Manager chooses one of the Secure Browsing Servers to host the new environment and instructs it to create a new Secure Browsing Instance. The new Secure Browsing Instance then establishes a communication channel with its counterpart Client Access Tool at the client side.
  • the Connection Manager also performs the function of dynamically assigning resources depending on current load usage. Therefore when acting as a load balancer, it optimises resource allocation depending on actual system capacity consumption and user needs.
  • the Connection Manager replaces the Secure Browsing Server's IP address with its own, thus effectively hiding the inner network's addressing data and preventing discovery of its internal structure.
  • the Secure Server System 210 presented herein is easily integrated into existing architectures to provide them with the advantages of the invention. Consequently, a strong compatibility with any architecture is desirable, such that no change or special configuration or adaptations, are required while integrating the Secure Server System. This is achieved due to the inherent characteristics of how the client-server architecture is deployed, which does not affect or change any existing infrastructures while being integrated. Complementarily, a particular provider or administrative architecture does not affect the Secure Server System, or its method of connecting, and deploying, and communicating.
  • a security policy commonly used in internal networks consists in limiting the protocols accepted within the network so that, for instance, HTTP and HTTPS connections are allowed, but the SSH protocol might be blocked, in order to prevent possible intruders from remotely connecting to any device.
  • traffic is encapsulated using a Tunneling Protocol.
  • Tunneling enables communication to be encapsulated inside a permitted protocol, so that the information exchanged between the Client Access Tool and the Secure Server System will not be discarded by network policies. For instance, going back to the previous example, traffic could be HTTP-encapsulated, since the HTTP protocol was permitted by the policies in place.
  • the encapsulation and de-encapsulation process is applied by the Connection Manager 312 on each connection.
  • Screen images sent from the Secure Browsing Instance 330 to the Client Access Tool 220 are encapsulated, for example, using an HTTP Tunnel, by the Connection Manager 312 before they are transmitted to the client device 110 through the public network 130.
  • incoming data is encapsulated by the Client Access Tool 220 before it is transmitted to the Secure Server System 210.
  • a session identifier ID is used to identify tunnels, so that every tunnel is linked to a Secure Browsing Instance 330.
  • This session ID is attached by the Client Access Tool 220 in the tunnel's header and checked upon arrival by the Connection Manager. Since HTTP is the most common protocol used in browsing environments, this tunneling enhances the invention's compatibility with different kinds of network configurations, which makes the invention highly compatible. This characteristic is especially critical if the system is offered as a service by the web site provider.
  • FIG. 7 is a graphic representation of the implementation of the Tunneling Protocol in the communication link between the Secure Server System 210 and the client device 110. Since Secure Browsing Servers 330 have intense resource requirements, the tunneling and de-tunneling operations are performed fully in the Connection Manager 312, which lightens the load of the Secure Browsing Servers, as each and every Server 330 is no longer responsible for performing these communication-related functions.
  • since the Connection Manager is responsible for redirecting connections to the intended Secure Browsing Instances, it also dynamically manages the growing farm of Secure Browsing Servers, without necessitating a corresponding alteration of the external network. Moreover, since all communications, including new requests for webpage download or Internet browsing, to and from client devices always go through the Connection Manager, sessions can be transparently transported from one Secure Browsing Instance to another just by replicating the Secure Remote Browser's status and updating the redirection rules in the Connection Manager. Therefore, in case a particular session needs to be transported, the Connection Manager takes charge of coordinating the change and transports the remote browsing session to another instance by triggering the creation of a new Secure Browsing Instance.
  • the manager then obtains a copy of the Secure Remote Browser status, requests the creation of one new instance including the given session data and the deletion of the former environment and changes its own records in order to redirect traffic to the new instance instead of the former. Note that, if the Connection Manager did not have this role, the Client Access Tool would have to be reconfigured to change its connection destination creating unnecessary exchange of control data and channel capacity usage.
  • the Connection Manager is configured to request the closing of the client-server secure environment. It therefore shuts down the assigned Secure Browsing Instance, allows the Client Access Tool to lapse naturally, and deletes its information from the record, so that packets including the corresponding ID are discarded. Since the records kept at the Connection Manager are linked to Secure Browsing Instances' validity, the Connection Manager is also used to establish an expiration time for sessions, so that the environment and the related records will be erased after it and incoming connections using the given ID rejected.
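To make the routing, transport and expiry behaviour concrete, here is an added Python model of the Connection Manager's record handling (not the patent's own code); the HTTP header name X-Session-ID, the addresses and the record format are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SESSION_HEADER = "X-Session-ID"  # assumed name of the tunnel header carrying the session ID


@dataclass
class Record:
    instance_addr: str  # internal address of the Secure Browsing Instance
    expires_at: float   # absolute session expiration time


class ConnectionManager:
    """Routes tunnelled traffic by session ID and hides the inner network's addresses."""

    def __init__(self, public_addr: str, clock: Callable[[], float] = time.time):
        self.public_addr = public_addr
        self.clock = clock  # injectable for testing
        self.records: Dict[str, Record] = {}

    def register(self, session_id: str, instance_addr: str, ttl: float) -> None:
        """Create the redirection rule when a new Secure Browsing Instance is created."""
        self.records[session_id] = Record(instance_addr, self.clock() + ttl)

    def transport(self, session_id: str, new_instance_addr: str) -> None:
        """Session transport: only the server-side rule changes; the client keeps its ID."""
        rec = self._live(session_id)
        if rec is None:
            raise KeyError(f"no live session {session_id!r}")
        rec.instance_addr = new_instance_addr

    def close(self, session_id: str) -> None:
        """Erase the record so packets carrying this ID are discarded from now on."""
        self.records.pop(session_id, None)

    def _live(self, session_id: str) -> Optional[Record]:
        rec = self.records.get(session_id)
        if rec is not None and rec.expires_at <= self.clock():
            del self.records[session_id]  # expired: erase the record, reject further connections
            rec = None
        return rec

    def route_inbound(self, raw_request: bytes) -> Optional[Tuple[str, bytes]]:
        """De-encapsulate one HTTP tunnel request; return (instance_addr, payload) or None to drop."""
        head, sep, body = raw_request.partition(b"\r\n\r\n")
        if not sep:
            return None  # malformed: no end of headers
        headers = {}
        for line in head.split(b"\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
        session_id = headers.get(SESSION_HEADER.lower())
        if session_id is None:
            return None  # no session ID: not a tunnel this manager owns
        rec = self._live(session_id)
        if rec is None:
            return None  # unknown or expired ID: discarded
        return rec.instance_addr, body

    def wrap_outbound(self, session_id: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        """Encapsulate a screen image for the client; the reply leaves from the manager's own address."""
        if self._live(session_id) is None:
            return None
        head = (f"HTTP/1.1 200 OK\r\n{SESSION_HEADER}: {session_id}\r\n"
                f"Content-Length: {len(frame)}\r\n\r\n").encode("ascii")
        return self.public_addr, head + frame
```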
  • FIG. 8 depicts a Monitoring System 800 according to one embodiment of the invention.
  • the Monitoring System comprises a plurality of Information Collectors 821, which log data received from the at least one Secure Browsing Server 320.
  • the Monitoring System also comprises a Monitoring Manager 313 which evaluates the logged information, analyses the data statistically, and decides to perform certain actions in consequence.
  • the Information Collectors are placed inside every Secure Browsing Instance 330 and every Secure Browsing Server in order to have constant access to the monitoring targets.
  • the Information Collectors are configured to check and record regularly information and data relating to performance and resource consumption. For example, this could be information on RAM space, CPU time, and file system usage.
  • the Monitoring Manager 313 compares the collected data with pre-established thresholds such that an alarm is triggered if these are reached. These indicators are aimed at detecting attempts to monopolize resources by a specific Secure Browsing Instance that could lead to a degradation of performance of other Secure Browsing Instances hosted inside one specific Secure Browsing Server. It is also intended to detect excessive resource usage amongst Secure Browsing Servers. Using this information, the Monitoring Manager takes decisions on how to dynamically reassign resources depending on current availability, needs, and overall system optimisation.
  • this information is used to block, ban or restrict one specific session, based on the assumption that it is malicious or, at least, dangerous.
  • the Connection Manager 312 uses this information to deploy new Secure Browsing Instances, in order to balance the load of the system, as described before.
  • security alerts are obtained through comparison between actions performed inside every instance, or Secure Browsing Server, and a model of expected behavior, following a mechanism that is similar to a white list of actions.
  • a white list usually refers to a set of entities which are given a special privilege, as opposed to a black list, wherein the privileges are revoked for those entities.
  • actions performed in the Secure Browsing Instance, or the Secure Browsing Server are under evaluation and compared to a white list. If an action is contained in the list, the system assumes it to be legitimate as a privilege, and actions not contained in the list are thus considered suspicious.
  • the white list is enhanced by adding information on the likelihood of one action to legitimately take place given context information, such as previous events.
  • the Monitoring Manager permits an overall configuration and number of Secure Browsing Instances to operate simultaneously as long as the indicators comply with the predetermined white list.
  • such monitoring mechanisms tend to raise a high number of false positive alarms, where an event is mistakenly catalogued as dangerous or unwanted, due to the large variety of possible actions and the complexity of their context.
  • the problem with trying to ameliorate such monitoring inaccuracy by an even more accurate behavioural model is that the data matching process becomes excessively cumbersome also as a consequence of the model's complexity, in addition to the inherent complexity of serving many thousands or even millions of browsing sessions.
  • Alerts generated by the Information Collectors are sent to the Monitoring Manager, which furthermore has information about the overall Server System and thus is able to correlate information, or match events, taking place in different Secure Browsing Instances. Since the attacker could hypothetically still be successful at disabling the Information Collector, modifying alerts or even eliminating them, in another aspect of this embodiment the Information Collector is configured to regularly send keep-alive messages that contain hashes that enable verification of previous alerts' integrity. This way, the Monitoring Manager can detect any modification of alarms, adding yet another obstacle to malicious attacks against the Monitoring Manager.
  • the Monitoring Manager is configured to assign a risk level to every active client-server browsing session.
  • a risk parameter is determined based on three information sources, namely an initial risk parameter, the alarms issued relating to a particular Secure Browsing Instance, and an environmental status parameter.
  • the risk parameter is set at an initial value, for example 0, and can only increase throughout the session.
  • the Monitoring Manager decides whether to apply any additional security measures and issues corresponding instructions to the Connection Manager to execute these additional security measures.
  • the initial risk parameter is obtained as a result of combining a series of parameters that are based either on objective predefined criteria or on system's learning, based on previous behaviors of users inside the system.
  • the former allow verification of currently common risk-control checks, which can be compared to prejudices that identify unusual behaviour or configurations.
  • parameters commonly used in the prior art to identify sessions with a higher risk are browser and session language; i.e., if the application is mainly used by Europeans, sessions configured with languages from countries in other continents might be considered risky. These types of verifications are currently the most widespread and can also be fed into the Monitoring System of the Secure Server System.
  • Environment information allows the Monitoring Manager to take into account risks taking place in neighbouring instances in order to build a broader system overview of risks by linking independent and separate risk events. Since many sessions coexist in the same Secure Browsing Server, events inside one Secure Browsing Instance can lead to risks in the others. Going back to the example of an attacker trying to sniff traffic, for instance, events occurring in the attacker's environment can have consequences in other environments, and thus the risk of the Secure Browsing Instances inside the same physical machine would be increased based on this specific instance's alert. Once the risk level begins to rise, the system checks a set of thresholds and can limit some specific functions of the Secure Browsing Instance in use.
  • FIG. 9 depicts a flow diagram according to another embodiment of the invention describing a method of triggering secure browsing.
  • the Secure Server System assigns either a High Security environment or a Honeypot environment depending on whether the risk level as determined by the Monitoring Manager exceeds a threshold Eth representing a high level of risk when compared to the expected behaviour of a session.
  • the objective here is to immediately assign high risk sessions to a high security browsing environment.
  • sessions exceeding Eth can be divided in two groups depending on the knowledge on the error, or attack, that is taking place.
  • the Monitoring Manager also obtains a parameter of knowledge K on the behaviour, which is compared to a second threshold Ath. Sessions with high risk and showing a known attack, or error, pattern are assigned to a High Security Browsing Server, while unknown ones are monitored in a separate environment where their security risks can be further tested as assigned to a Honeypot Secure Browsing Server.
  • in step 910 the risk level of the current session being monitored is determined.
  • in step 920 this determined risk level is compared to a predetermined threshold Eth representing a high risk level. If the determined risk level is below Eth, as in step 930, the session is allowed to stay in its current security settings. These could be the client's default settings, or self-configured security settings.
  • if the session's risk reaches, or exceeds, the threshold Eth representing high risk, it will be transported to one of those specific functions depending on the system's knowledge about the attack in course as gathered by the Monitoring Manager. Session transportation implies reproducing the status of the browser at a specific instant and redirecting incoming connections from that moment on. Hence, upon transportation, the session is replicated in a new and completely reset Secure Browsing Instance.
  • in step 940 the previous events are analysed and compared to patterns of known attacks.
  • in step 950 a test is performed to determine whether the events analysed reasonably correspond to any attack already known by the Monitoring Manager. If positive 960, these sessions are transported to the High Security Secure Browsing Server. On the other hand, risks not corresponding to known patterns are transported 970 to the Honeypot Secure Browsing Server.
  • Transporting instances into the High Security SBS results in their capabilities being strictly limited due to stronger security configurations, so as to minimize the risk of an attacker achieving intrusion into the system. Restricted functions can include downloading, uploading and printing files, and browsing any third party's web pages, while security and isolation are enforced, for instance using a more restrictive virtualization technology or deploying independent file systems instead of sharing immutable files.
  • sessions transported to the Honeypot SBS are offered a dummy environment in order to analyze and understand the new attack process. Sessions are provided a copy of the production environment where neighboring instances host fake users, such that attacks do not target real ones. Since the security test is performed recursively, as can be seen from arrow 980, if the attacker ever reaches a point where the attack matches a known pattern, it can be transported to the High Security SBS from that point on. This behavior not only enables identification of future occurrences of the attack, but is also a tool to improve the security mechanisms in place inside regular Secure Browsing Instances and Secure Browsing Servers.
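The keep-alive integrity check described above (hashes committing to earlier alerts), the monotonic risk parameter, and the FIG. 9 triage can be exercised together in the following added Python model (not the patent's own code); the hash-chain construction, the alert weights, the pattern-matching rule for K, and the values of Eth and Ath are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

E_TH = 70       # assumed Eth: risk level considered high
A_TH = 0.6      # assumed Ath: knowledge K above which the attack counts as known
WEIGHTS = {"cpu_threshold": 10, "fs_threshold": 10, "unlisted_action": 25}  # assumed risk per alert kind
GENESIS = "0" * 64  # chain head before any alert


def chain_hash(prev: str, alert: dict) -> str:
    """Hash committing to the previous chain head and the canonical alert encoding."""
    payload = prev.encode() + json.dumps(alert, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class InformationCollector:
    """Runs inside one Secure Browsing Instance; alerts are chained, keep-alives commit to them."""

    def __init__(self, instance_id: str):
        self.instance_id = instance_id
        self.head = GENESIS
        self.count = 0

    def alert(self, kind: str, detail: dict) -> dict:
        a = {"instance": self.instance_id, "seq": self.count, "kind": kind, "detail": detail}
        self.head = chain_hash(self.head, a)
        self.count += 1
        return a

    def keepalive(self) -> dict:
        return {"instance": self.instance_id, "count": self.count, "head": self.head}


@dataclass
class SessionState:
    risk: int = 0                                    # starts at the initial value, only increases
    alerts: List[dict] = field(default_factory=list)
    tampered: bool = False


class MonitoringManager:
    def __init__(self, known_patterns: Dict[str, Set[str]], initial_risk: Dict[str, int] = None):
        self.known = known_patterns        # pattern name -> alert kinds that characterise it
        self.initial = initial_risk or {}  # per-session initial risk parameter (e.g. language checks)
        self.sessions: Dict[str, SessionState] = {}

    def _state(self, instance_id: str) -> SessionState:
        if instance_id not in self.sessions:
            self.sessions[instance_id] = SessionState(risk=self.initial.get(instance_id, 0))
        return self.sessions[instance_id]

    def receive_alert(self, alert: dict) -> None:
        st = self._state(alert["instance"])
        st.alerts.append(alert)
        st.risk += WEIGHTS.get(alert["kind"], 5)

    def receive_keepalive(self, ka: dict) -> bool:
        """Rebuild the chain over the alerts actually received; a mismatch means alerts were altered or dropped."""
        st = self._state(ka["instance"])
        head = GENESIS
        for a in st.alerts:
            head = chain_hash(head, a)
        ok = head == ka["head"] and len(st.alerts) == ka["count"]
        if not ok:
            st.tampered = True
            st.risk += 100  # interference with the collector is itself a high-risk event
        return ok

    def raise_neighbours(self, cohosted: List[str], source: str, amount: int = 10) -> None:
        """Environmental status: an event in one instance raises risk in instances on the same server."""
        for other in cohosted:
            if other != source:
                self._state(other).risk += amount

    def knowledge(self, instance_id: str) -> float:
        """K: largest fraction of any known pattern's alert kinds seen in this session."""
        seen = {a["kind"] for a in self._state(instance_id).alerts}
        return max((len(seen & kinds) / len(kinds) for kinds in self.known.values()), default=0.0)

    def triage(self, instance_id: str) -> str:
        """FIG. 9: stay put below Eth; known attack -> High Security SBS; unknown -> Honeypot SBS."""
        if self._state(instance_id).risk < E_TH:
            return "current"
        return "high_security" if self.knowledge(instance_id) >= A_TH else "honeypot"
```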
  • FIG. 10 depicts a first method 1000 for providing Internet browsing capabilities according to a first embodiment of the invention.
  • This embodiment comprises all the various aspects and configurations already described so far, either in isolation or in combination, resulting in differing technical effects and advantages over the prior art as has been described.
  • the downloading process begins at step 1010 when the user introduces in his pre-installed local browser the URL of a web site (for example, http://www.example.com). If the site is secured it responds with a redirection to the Secure Server System, as in step 1020 (for example, redirect to https://securedbrowsing.example.com). In response the client device is prompted to formally request an instance of a container in a Secure Browsing Server, which creates a Secure Browsing Instance. At the same time, at step 1040, the Secure Browsing Server also prepares and serves to the client device 110 the binary code of a Client Access Tool. When the software download is completed, the device executes it.
  • Execution can be implemented in one aspect of this embodiment as starting a new process independent from the original local browser.
  • the Client Access Tool is created inside the local browser. This option depends on configuration of the platform and has some implications on the solution's look and feel: if the client is executed as an independent process, it will be shown as an independent window, while execution inside the browser shows the contents of the Secure Remote Browser as a new tab inside the local browser, which results in a more transparent implementation. These settings also have some security implications: when executed inside the browser, the Client Access Tool can be subject to attempts of manipulation from the Local Browser, since it is a process running inside this latter. On the contrary, when shown in a different window, the Client Access Tool is run as a process independent of the Local Browser. This enhances security but requires higher permissions in the user device.
  • in step 1050 the Client Access Tool proceeds to establish a connection with its respective Secure Browsing Instance, and displays the contents of the Secure Remote Browser on the client device's display.
  • another possibility would be not redirecting the user to the Secure Server System, but simply retrieving the Client Access Tool and delivering it directly to the original web site (http://www.example.com) via the Web Application Server.
  • the request 1030 for a new Secure Browsing Instance triggers the Secure Browsing Server to prepare a new instance of a container which is assigned specific for the user.
  • This process implies different configuration actions like setting the web site address, session permissions, and others.
  • the Client Access Tool is also specifically prepared for that session, and all the data required for establishing the connection between the user device and the container (session ID and encryption keys) is embedded in the binary code before signing the software.
  • FIG. 11 depicts a second method 1100 for providing Internet browsing capabilities according to a second embodiment of the invention wherein authentication procedures are performed before accessing the Secure Server System. This embodiment is based on the first embodiment of FIG. 10.
  • Authentication can be performed at the web site once the connection is established with the Secure Browsing Server. Alternatively, the authentication can be performed from the Local Browser, so that the session is transported once the user has been authenticated. This has the additional advantage of reducing the number of requests received by the Secure Server System.
  • FIG. 11 depicts this aspect of the invention, wherein the Secure Server System takes over the session once the user is authenticated.
  • the web site initially sends a login form so that the user can respond by introducing his credentials using the Local Browser in step 1120. Once the credentials are validated, the web site communicates with the platform in step 1130 to authorize the user to request a secure browsing container, which is performed in step 1020. While the first method of FIG.
  • the second method of FIG. 11 is offered to save platform resources, as only authorized users can request a Secure Browsing Instance. This could prevent, for instance, Denial of Service attacks against the Secure Server System, where a large number of requests are sent to the server so that it runs out of resources.
  • the process in FIG. 10 offers enhanced security during login, which is a security sensitive process.
  • the Access Manager is configured to include a mechanism that identifies the client device where the request has been originated and can establish limits on the number of sessions one device can open. Since the parameters that identify the device must be collected at the user's computing device and might be available or not depending on its permissions, these limits can also be made variable depending on the quality of the data collected. Once the Access Manager has verified that the device is allowed to open a new connection, it delivers the Client Access Tool.
  • FIG. 12 depicts a third method 1200 for providing Internet browsing capabilities according to a third embodiment of the invention wherein the connection to the secured platform could start at any moment during the usage of the web site, and not necessarily right after login is completed.
  • This embodiment is a modification of either the first or second embodiments of FIGs. 10 and 11.
  • in step 1130 it notifies the Secure Server System that the user is authorized to request a container instance in step 1130, which retrieves the necessary session information in steps 1240 and 1250, so that the Secure Remote Browser can replicate the status of the user's local browser.
  • the platform replies to the user request with the Client Access Tool software and when the download is completed (step 1040) the connection is established in step 1050.
  • the Secure Remote Browser would have asked the Application Server for the current state of the session (step 1240).
  • FIG. 13 depicts some examples of the messages that are exchanged between these entities.
  • the Secure Remote Browser within its corresponding Secure Browsing Instance sends 1301 a web page request to the Web Application Server, which processes it and responds 1302 with a document.
  • the Secure Remote Browser then processes the contents of the document and renders the result to deliver them to the Client Access Tool window in 1303, showing the updated contents in the user's screen.
  • Keyboard and mouse events occurring in the Client Access Tool are transmitted 1304 to the Secure Remote Browser, which processes them and updates 1305 the display if needed. Some events will cause the browser to issue 1308 a new request to the server, but others can cause the display to update without requiring interaction with the Web Application Server. This might be the case while filling in a form, where typed content is shown to the user before the form is sent to the server. As in the previous steps, a document is requested and transmitted 1309 in return, to be rendered in the Secure Remote Browser before the display of the client's device is updated 1310 with the new contents.
  • In case the Secure Remote Browser is shown as an independent window from the local browser, the former can be configured to support tab functionality in order to display as many tabs as necessary following the regular process. However, if the Secure Remote Browser is integrated into the local browser's window, tabs need to be managed independently so that every tab can be shown as a tab of the local browser.
  • FIG. 14 depicts this aspect of the invention showing the process by which a new tab is opened in the local browser, displaying a new tab in the system.
  • the user requests 1410 a new webpage, for instance by clicking on a link.
  • This request is transmitted through the thin client to the Secure Browsing Instance and is processed there, determining that a new tab needs to be opened.
  • the Secure Browsing Instance then informs 1420 the Client Access Tool 220 that a new Client Access Tool 1450 should be downloaded to be displayed in a new tab. Simultaneously the Secure Browsing Server is informed 1430 that it should accept the incoming request.
  • the Client Access Tool then requests 1030 a new Client Access Tool from the Secure Browsing Server and downloads 1040 the new thin Client Access Tool in return. Once the new Client Access Tool is downloaded and executing, the Secure Cloud Browser Server is requested 1050 to establish the connection with the Secure Browsing Instance.
  • the Secure Browsing Instance, when processing the request 1410 for a new URL, could also determine that the URL corresponds to a page that does not need to be secured. This could for instance apply if secure browsing capability is being offered as a security service by the provider of a web site "www.example.com" and the user requests access to a different site, for example "www.otherprovider.com". In this case, the system could request to open a new tab in the local browser and specify the URL to be loaded, and the user would in turn access "www.otherprovider.com" from his local browser.
  • the embodiments described herein may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof.
  • when systems and/or methods are implemented in software, firmware, middleware or microcode, the program code or code segments, or the computer program, may be stored in a machine-readable medium, such as a storage component.
  • a computer program or a code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements.
  • a code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted using any suitable means including memory sharing, message passing, token passing, network transmission, or others.
  • the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein.
  • the software codes may be stored in memory units and executed by processors.
  • the memory unit may be implemented within the processor or external to the processor, in which case it can be communicatively coupled to the processor through various means as is known in the art.
  • at least one processor may include one or more modules operable to perform the functions described herein.
  • various aspects or features described herein may be implemented, on one hand, as a method or process or function, and on the other as an apparatus, a device, a system, or an article of manufacture using standard programming and/or engineering techniques.
  • article of manufacture as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • computer-readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical disks (e.g., compact disk (CD), digital versatile disk (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.).
  • various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" can include, without being limited to, various media capable of storing, containing, and/or carrying instruction(s) and/or data.
  • a computer program product may include a computer readable medium having one or more instructions or codes operable to cause a computer to perform the functions described herein.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • a general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
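The per-device session limiting attributed to the Access Manager above (identify the requesting device, cap the sessions it may open, and scale that cap with the quality of the identification data collected) can be illustrated with the following added example. It is written for this page and is not the patent's or any product's code; the parameter names, weights, quality tiers and TTL are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import secrets
import time

# Device parameters a Client Access Tool may be able to collect, with the weight
# each contributes to an identification quality score in [0, 1].  Names and
# weights are assumptions for this example, not values from the patent.
PARAM_WEIGHTS = {
    "machine_id": 0.40,   # stable OS or hardware identifier
    "mac_address": 0.30,
    "os_version": 0.15,
    "screen": 0.10,
    "timezone": 0.05,
}


def identification_quality(params: dict) -> float:
    """Fraction of the weighted identification data the client managed to collect."""
    return round(sum(w for k, w in PARAM_WEIGHTS.items() if params.get(k)), 2)


def session_limit(quality: float) -> int:
    """Variable per-device ceiling: the weaker the identification, the fewer
    concurrent Secure Browsing Instances the device may hold (assumed tiers)."""
    if quality >= 0.70:
        return 5
    if quality >= 0.40:
        return 2
    return 1


def device_key(params: dict, client_ip: str) -> str:
    """Stable key for the device.  Falls back to the client address when nothing
    was collected, so an anonymous device is still limited rather than exempt."""
    parts = [f"{k}={params[k]}" for k in sorted(PARAM_WEIGHTS) if params.get(k)]
    if not parts:
        parts = [f"ip={client_ip}"]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


@dataclass
class AccessManager:
    session_ttl: float = 600.0  # seconds a slot is held if the instance never reports closing
    _open: dict = field(default_factory=dict)  # device_key -> {session_id: expiry}

    def _live(self, key: str, now: float) -> dict:
        """Drop expired slots so a crashed instance cannot lock a device out forever."""
        sessions = {s: exp for s, exp in self._open.get(key, {}).items() if exp > now}
        self._open[key] = sessions
        return sessions

    def request_tool(self, params: dict, client_ip: str, now: float | None = None):
        """Decide whether to deliver a Client Access Tool for a new session.
        Returns (allowed, session_id) on success or (False, reason) when denied."""
        now = time.time() if now is None else now
        key = device_key(params, client_ip)
        quality = identification_quality(params)
        limit = session_limit(quality)
        live = self._live(key, now)
        if len(live) >= limit:
            return False, f"device {key}: {len(live)}/{limit} sessions open (quality {quality})"
        session_id = secrets.token_hex(8)
        live[session_id] = now + self.session_ttl
        return True, session_id

    def close(self, params: dict, client_ip: str, session_id: str) -> None:
        """Called when the Secure Browsing Instance of a session is destroyed."""
        self._open.get(device_key(params, client_ip), {}).pop(session_id, None)
```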

Abstract

A client-server architecture is provided wherein a secure server communicates with a computer application on a client device permitting access to a remote browser hosted in the secure server. Hence the user browses the internet in a transparent manner, however from within a highly secured browsing environment as provided by the secure server. In this manner the exposure to malicious software attacks directly at the client device is minimised.

Description

FUNDACIO PRIVADA BARCELONA NOVEMBER 30, 2011 DIGITAL CENTRE TECNOLOGIC P 1410 PC00
SECURE CLOUD BROWSING CLIENT-SERVER SYSTEM AND METHOD
OF SECURE REMOTE BROWSING USING THE SAME
TECHNICAL FIELD
[001] The present invention relates generally to securely navigating the Internet and more specifically to a novel Secure Cloud Browsing Client-Server system, and corresponding method of securely navigating the internet using the same.
DESCRIPTION OF THE RELATED ART
[002] In the last twenty years, the World Wide Web (WWW) has evolved from displaying very simple and static documents to hosting complete web applications which are comparable to traditional desktop applications in terms of functionality and usability. Some examples of these applications are web mail, e-commerce, online banking, corporate intranets, social networks or office suites.
[003] Current web documents and applications are nowadays developed typically using a mixture of web languages. It is important to differentiate between those web languages that are executed on the server-side and those which run on the client-side. In the first group we have languages like the Hypertext Preprocessor PHP, Active Server Pages ASP, or Java. They are used to generate hypertext documents with dynamic information that are sent to the client. These hypertext documents are coded with languages in the second group like Hypertext Markup Language HTML and Cascading Style Sheets CSS, which define the appearance of the document in the screen, and JavaScript, which adds interaction between the user and the document.
[004] FIG. 1 depicts a standard system architecture 100 for navigating the Internet. To access the WWW a piece of software, called a browser 111, installed on a user's computing device 110, such as personal computer PC, is executed. On execution, the browser 111 establishes a communication link 140 from the user's device 110 to a web server 120 hosted by any web application provider. The link 140 is established over a network 130, which is typically the Internet, but which can also refer to any sort of public or private network. The most common browsers used are Internet Explorer from Microsoft, Firefox from Mozilla, Chrome from Google, or Safari from Apple. To retrieve a document the user introduces an address, or Universal Resource Locator URL, into the browser triggering a request to be sent from the PC's browser to the web server via the Hypertext Transfer Protocol HTTP. The web server 120 receives and processes the request and either recovers the document from a local storage or generates it dynamically. The web server 120 then transmits the document to the user's PC 110 via link 140. When the browser on the PC receives the document it processes its contents to end up rendering it in the user device's 110 display.
[005] Generally, to render a document some additional requests are needed to download images, style sheets or scripts. A bi-directional communication is therefore established between the user's computing device 110 and the web server 120. The user will then interact with the web server and will, for instance, fill in a form to send some information back to the web server. This interactive process is commonly known as web browsing.
[006] Documents that browsers receive are typically in source code and in clear text. In other words, they have neither been compiled nor are they in binary form. This is the reason why the browser must parse and compile them. However this processing step introduces serious vulnerabilities into the system. A device infected with malware could very easily modify the browser in different ways to alter either the contents that are shown to the user or the information that the user sends back to the web server (for example, the information the user fills in a form, as is typically requested during interactive browsing sessions). Because of these characteristics, such attacks are easily programmed and automated, which in turn makes it easy to affect a large number of users relatively quickly.
[007] Another problem is that a browser's vulnerability can be exploited locally without the user even noticing it. Once the browser's security has been compromised, its own behavior and also the user's web navigation actions can be modified without permission. Moreover, once the browser has been compromised, the effects of the attack are persistently stored and affect all future browsing sessions. The browser can thus be under an attacker's influence, who can register user actions, access sensitive information, or modify the user's actions, whilst these modifications are hidden from the user by editing the server's responses.
[008] Various solutions have been proposed to try to correct or minimize the possibility of attacks happening and enhancing a device's security. One such solution requires the user to periodically update its browsing software. Security is maximised by re-installing the full operating system together with every application. However this has the drawback that it is very time consuming and burdensome for the end user.
[009] Another standard solution is to use complementary security tools, like antivirus, antispyware or online scanning of the device. However even these additional security software tools are not completely effective, as new malicious software is programmed to exploit weaknesses even in the latest versions of the security software.
[0010] In this sense, it is worth noting that the average browser user is not sufficiently aware of the existing security risks whilst browsing. Many times potentially dangerous sites are browsed and programs run or downloaded from the Internet, or received by e-mail, without the user even suspecting that their device could get infected.
[0011] Furthermore, average users do not have enough computing knowledge to keep their devices protected. Even when a computing device has already all the security software installed, it is a known problem that many users do not apply the available updates for their operating systems, their web browsers, or antivirus. Even users with such knowledge do not want to be aggravated with standard security maintenance of their IT devices, and prefer that such updating and security management be performed automatically for them.
[0012] The combination of these facts together with the browser's inherent vulnerabilities poses a great risk for devices and more concretely for users' access to web applications. In case a machine gets infected it becomes a hostile environment wherein the continued execution of applications, including the browser itself, could result in irreparable harm. In such Internet navigating scenarios the browser is in fact one of the weakest security points in the whole navigating process.
[0013] However the browser at the client side is not the only security risk. Information exchanged between user and server is transmitted over a network, either private or public. Although this communication channel is usually secured through encryption, it should also be considered hostile, since it is shared by many types of users, from benign to malicious ones. For reasons similar to the ones already described, the user's device might lack the mechanisms to implement robust channel encryption negotiation. In such a case this also becomes an added security risk that can lead to leakage of confidential information or to modification of the communication between parties (browser and server). Furthermore, in this case, these risks can materialize without the need for an attacker to gain control over the user's device.
[0014] For the above explained reasons, a need exists for better protecting the environment where a browser is executed, together with the browser itself, as well as the communication channel established with the server. This would generally secure the navigation environment. However, these mechanisms should be fulfilled without affecting a user's navigation experience and without requiring specific actions from an average user with low security awareness and knowledge.
SUMMARY
[0015] It is therefore an object of the present invention to provide solutions to the above mentioned problems.
[0016] In particular, it is the object of the present invention to provide a client-server architecture wherein a secure server, in response to a request for browsing the internet received from a client, transmits an executable file to be run on the client device. The resulting computer application permits access to a remote browser hosted in the secure server. Hence the user browses the internet in a transparent manner, however from within a highly secured browsing environment as provided by the secure server. In this manner the exposure to malicious software attacks directly at the client device is minimised.
[0017] The client-server solution of the invention is advantageous in that the responsibility for securing the navigating environment is assigned to a network administrator, who is better suited for these tasks, given its knowledge and resources, than the standard end user navigating the WWW. This administrator can be located anywhere on the Internet, and has the flexibility to enhance the security of the browsing experience of any user, no matter its location in the World Wide Web. Hence this enhanced security can be referred to as a Cloud solution, and the server managed by the administrator a Cloud Server.
[0018] The administrator would therefore be enabled to maximise the protection provided to the client's browsing environment, as well as the communication channel, hence securing the navigation environment, while at the same time enabling a more pleasing browsing experience removing from the user the need to worry about security risks or administration. A solution accomplishing these conditions is therefore beneficial for both parties.
[0019] In one embodiment of the invention a device at a server is provided which is configured to communicate with the end user's computing device and the web application server in order to provide a secure browsing environment for the end user.
[0020] In another embodiment of the invention the client device is provided with an application which is configured to communicate with the device at the server in order to provide a secure browsing environment for the end user.
[0021] Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at a secure server on the Internet.
[0022] Another embodiment of the invention refers to a method of secure Internet browsing, the method being performed at the client device.
[0023] Another embodiment of the invention provides a computer readable medium configured to store instructions, which when executed on the client device, performs a method of secure Internet browsing.
[0024] Another embodiment of the invention provides a computer readable medium configured to store instructions, which when executed on the device at the server, performs a method of secure Internet browsing.
[0025] The invention provides methods and devices that implement various aspects, embodiments, and features of the invention, and are implemented by various means. For example, these techniques may be implemented in hardware, software, firmware, or a combination thereof.
[0026] For a hardware implementation, the processing units may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
[0027] For a software implementation, the various means may comprise modules (e.g. procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in a memory unit and executed by a processor. The memory unit may be implemented within the processor or external to the processor.
[0028] Various aspects, configurations and embodiments of the invention are described. In particular the invention provides methods, apparatus, systems, processors, program codes, and other apparatuses and elements that implement various aspects, configurations and features of the invention, as described below.
BRIEF DESCRIPTION OF THE DRAWING(S)
[0029] The features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings in which like reference characters identify corresponding elements in the different drawings. Corresponding elements may also be referenced using different characters.
[0030] FIG. 1 is a general overview of an Internet navigation system of the prior art.
[0031] FIG. 2 depicts a general overview of the client-server embodiment of the Secure Client-Server architecture.
[0032] FIG. 3 depicts a detailed view of the client-server embodiment of the Secure Client-Server architecture together with its components both on client and server side.
[0033] FIG. 4 depicts components of the Secure Server System at the server side.
[0034] FIG. 5 depicts components of the user device together with the Client Access Tool at the client side.
[0035] FIG. 6 depicts the different approaches to obfuscation code renewal according to one aspect of the invention.
[0036] FIG. 7 depicts the communication between client and server via a Tunneling Protocol.
[0037] FIG. 8 depicts components of the Monitoring Manager according to another embodiment of the invention.
[0038] FIG. 9 depicts a method of assigning a secure browsing or testing environment for new sessions.
[0039] FIG. 10 depicts communication flows of a download and connection process according to one aspect of the invention.
[0040] FIG. 11 depicts communication flows of a download and connection process according to another aspect comprising user authentication.
[0041] FIG. 12 depicts communication flows of a download and connection process according to another aspect illustrating a transport process to a secured browsing environment.
[0042] FIG. 13 depicts communication flows of a download and connection process according to another aspect illustrating further details of the communication between the client and the server.
[0043] FIG. 14 depicts communication flows of a download and connection process according to another aspect illustrating new tab creation.
DETAILED DESCRIPTION
[0044] In the following the words "web", "WWW", or "Internet" may be used interchangeably, as they refer to the same entity, which represents the network of inter-connected computing devices commonly known in the art.
[0045] The term "webpage" refers to the data files hosted on diverse computing devices on the Internet and which are served to end users by transmission to their computing devices so that they can be displayed for viewing on the user device's display.
[0046] The term "browser" refers to the software, computer program, or application, which permits the content files received to be displayed on the user device's display. The browser typically performs a number of data processing actions for converting the received data file to a format ready for display.
[0047] The term "malware" will be used to refer to any code, such as software code or computer program, which is hosted by a legitimate user and which executes actions in detriment of the host, thereby exhibiting malicious behaviour. From the following description, it will be understood by the person skilled in the art that although any one preferred aspect of the invention already provides solutions to at least some of the problems of the devices and methods of the prior art, the combination of multiple aspects herein disclosed results in additional synergistic advantageous effects over the prior art, as will be described in the following.
[0048] FIG. 2 depicts an embodiment of the invention wherein a client-server architecture is provided for secure web browsing. On the server side a Secure Server System, SSS, 210 is provided as a highly secured remote access point to the WWW 130. On the user side, a Client Access Tool, CAT 220 is used with the specific function of offering a transparent access interface to the Secure Server System. A user wanting to visit a web site will access it through the proposed system in order to secure his session. Both Secure Server System and Client Access Tool work together via communication link 230 providing an intermediate layer between the web application and the user's device resulting in a browsing architecture which is independent of the web site to be accessed.
[0049] The Secure Server System 210 can be placed in the user's internal network and managed by the network administrator, so that it is used to securely browse all accessed web applications. In another aspect of the invention, the Secure Server System might be managed by the owner of a specific web application and act as a proxy for incoming sessions to the web application server. In this case, the platform exclusively protects sessions in the mentioned web application. In the following, we will generally refer to the Secure Server System administrator as administrator, independently of the location of the Secure Server System in the network.
[0050] FIG. 3 is another view of the system architecture of the embodiment of FIG. 2 depicting further details of the client-server components once deployed. As can be seen from FIG. 3, the exchange of data and control information flows to and from the user's computing device 110, the Secure Server System 310, and the web application server 120 via the internet 130, or other data communication network. On the client's side, the user device 110 comprises the local browser 111 as well as an additional Client Access Tool 220. As will be explained further, this Client Access Tool does not reside originally on any of the computing devices 110. It is deployed by the server side and executed on each client which requires secure browsing. On the server side, the Secure Server System 210 comprises an Access Manager 311, a Connection Manager 312, a Monitoring Manager 313, and at least one instance of a Secure Browsing Server 320. Each Secure Browsing Server comprises at least one Secure Browsing Instance 330, each instance comprising one Secure Remote Browser 335. The number of Secure Browsing Servers and Instances in the system depends on the number of users accessing the Secure Server System simultaneously, as will be explained further below.
[0051] Although further details are given below, in general terms the Secure Browsing Server is configured to deliver a new environment to the user for every browsing session. This is done by creating a Secure Browsing Instance with its corresponding Remote Browser, which is used instead of the Local Browser to access the final web application from the user's device 110, however remotely and securely. The Access Manager's 311 main function is to coordinate establishment of the communication with the user's standard browser in a transparent manner; the Connection Manager 312 is responsible for managing the plurality of Secure Browsing Servers, creating and destroying Secure Browsing Instances as needed, and coordinating communication between the Client Access Tool and the Secure Browsing Server; whereas the Monitoring Manager 313 monitors events inside every instance and the overall status of the Secure Browsing Servers, performs a risk estimation and can take actions depending on the level of the estimated risk.
[0052] A user that wants to access a specific webpage introduces the web page's URL in his local browser 111. The request is routed to the Access Manager 311, which will in turn deliver a Client Access Tool 220, such as an executable file, to the user's device 110, the Client Access Tool 220 being customized for one specific session. At the same time, the Secure Browsing Server 320 hosted in the Secure Server System 210 creates one Secure Browsing Instance 330, which is assigned to the user as a browsing environment for the mentioned session and interacts with its corresponding Client Access Tool 220. When the Client Access Tool is executed in the user's computer, it establishes a session with its assigned Secure Browsing Instance 330 through the Connection Manager 312. A Secure Remote Browser 335, executed inside the Secure Browsing Instance 330, fetches, retrieves and renders the contents of the destination web site following the usual process, as if it were hosted in the end user's computing device 110. Once rendered, the webpage contents are sent to the Client Access Tool 220 as images, for display on the user's device display. No HTML code, or other type of programmable code, is sent to the client. The transmission of the webpage contents as an image reduces the amount of processing to be performed at the user's device, since the webpages can be displayed almost directly on the display. Furthermore, it adds to the security of the transaction, making the webpage more tamper resistant.
[0053] The Client Access Tool therefore only receives ready-made images or screen directives for displaying on the user device's display. The user device 110 will therefore not be involved in the parsing, compiling, rendering, or other common webpage processing steps, necessary to display an image for viewing. Instead, it either displays the received image or generates an image as a result of screen directives. In order to transmit webpage requests, or provide user input, the Client Access Tool is configured with the capability of retrieving instructions input by the user via the device's keyboard or mouse. These instructions are simply routed from the Client Access Tool to the Secure Remote Browser where they are actually transmitted to the application server, effectively enabling the user to interact with it.
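The thin-client contract of [0052] and [0053] (the Client Access Tool accepts only rendered images or screen directives and returns keyboard and mouse events, never interpreting page content) can be illustrated with the following added example. It is written for this page and is not the patent's or any product's wire format; the framing, the field names and the single fill_rect directive are assumptions. The display side bounds-checks and checksums every tile before touching its framebuffer and counts what it drops, and the server side allowlists the event kinds it will process.

```python
from __future__ import annotations
import json
import struct
import zlib

# Assumed message kinds (constructed for this example, not the patent's protocol).
DIRECTIVE_OPS = {"fill_rect"}
INPUT_KINDS = {"key", "pointer"}


def encode_message(kind: str, fields: dict, payload: bytes = b"") -> bytes:
    """Frame: 4-byte header length, 4-byte payload length, JSON header, payload."""
    head = json.dumps({"kind": kind, **fields}).encode()
    return struct.pack("!II", len(head), len(payload)) + head + payload


def decode_message(frame: bytes) -> tuple[dict, bytes]:
    if len(frame) < 8:
        raise ValueError("short frame")
    hl, pl = struct.unpack("!II", frame[:8])
    if len(frame) != 8 + hl + pl:
        raise ValueError("length mismatch")
    header = json.loads(frame[8:8 + hl])
    if not isinstance(header, dict):
        raise ValueError("header is not an object")
    return header, frame[8 + hl:]


def make_image_message(x: int, y: int, w: int, h: int, rgb: bytes) -> bytes:
    """Secure Remote Browser side: ship a rendered RGB tile with an integrity checksum."""
    return encode_message("image", {"x": x, "y": y, "w": w, "h": h, "crc": zlib.crc32(rgb)}, rgb)


def encode_input_event(kind: str, **fields) -> bytes:
    """Client side: a keyboard or mouse event, forwarded untouched to the remote browser."""
    return encode_message(kind, fields)


def decode_input_event(frame: bytes) -> dict | None:
    """Secure Browsing Instance side: accept only known, payload-free event kinds."""
    try:
        header, payload = decode_message(frame)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("kind") not in INPUT_KINDS or payload:
        return None
    return header


class ClientAccessTool:
    """Thin client: applies tiles and directives to a local pixel buffer and forwards
    input.  It contains no parser for HTML, CSS or script, so none can run here."""

    def __init__(self, width: int, height: int):
        self.width, self.height = width, height
        self.pixels = bytearray(width * height * 3)  # RGB framebuffer, initially black
        self.rejected = 0                             # dropped messages, worth alerting on

    def pixel_at(self, x: int, y: int) -> tuple[int, int, int]:
        i = (y * self.width + x) * 3
        return tuple(self.pixels[i:i + 3])

    def _rect(self, header: dict):
        """Return (x, y, w, h) only if the rectangle is well-typed and on screen."""
        r = [header.get(k) for k in ("x", "y", "w", "h")]
        if not all(isinstance(v, int) and not isinstance(v, bool) and v >= 0 for v in r):
            return None
        x, y, w, h = r
        if w == 0 or h == 0 or x + w > self.width or y + h > self.height:
            return None
        return x, y, w, h

    def _reject(self) -> bool:
        self.rejected += 1
        return False

    def handle(self, frame: bytes) -> bool:
        """Apply one message from the Secure Remote Browser; True if it was displayed."""
        try:
            header, payload = decode_message(frame)
        except (ValueError, UnicodeDecodeError):
            return self._reject()
        kind = header.get("kind")
        if kind == "image":
            return self._blit(header, payload)
        if kind == "directive" and header.get("op") in DIRECTIVE_OPS:
            return self._fill_rect(header)
        return self._reject()  # markup, script or unknown directives are never interpreted

    def _blit(self, header: dict, payload: bytes) -> bool:
        rect = self._rect(header)
        if rect is None:
            return self._reject()
        x, y, w, h = rect
        if len(payload) != w * h * 3 or zlib.crc32(payload) != header.get("crc"):
            return self._reject()
        for row in range(h):
            dst = ((y + row) * self.width + x) * 3
            self.pixels[dst:dst + w * 3] = payload[row * w * 3:(row + 1) * w * 3]
        return True

    def _fill_rect(self, header: dict) -> bool:
        rect = self._rect(header)
        rgb = header.get("rgb")
        if rect is None or not (isinstance(rgb, list) and len(rgb) == 3
                                and all(isinstance(c, int) and 0 <= c <= 255 for c in rgb)):
            return self._reject()
        x, y, w, h = rect
        row = bytes(rgb) * w
        for r in range(h):
            dst = ((y + r) * self.width + x) * 3
            self.pixels[dst:dst + w * 3] = row
        return True
```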
[0054] One of the key advantages of the present client-server architecture is that it provides additional security by segregating the high risk components from the end-user device and isolating them at the Secure Server System. Since code never reaches the user's device, the user is protected from any infections caused by potentially malicious source code, which stays at the server. Moreover, since only images are finally transmitted to the end user, instead of source code, the risk of malicious intervention in the user device is minimised, rendering a highly secure environment. However, at the same time, the user is capable of performing all actions as if the full browsing software were hosted on his own device, in a completely transparent manner.
[0055] As stated before, a new Secure Browsing Instance is created upon every session establishment, so that every session is assigned one specific instance. Since a Secure Browsing Server is capable of serving many sessions simultaneously, and of delivering a new environment for every session, each environment is isolated from the others and from the Secure Browsing Server itself, which acts as a host to this plurality of Secure Browsing Instances. Hence the Secure Browsing Instance acts as a container wherein the data and processes running inside belong to one specific session and cannot be accessed from outside, and vice versa. A container is an isolated environment that provides an abstraction of an operating system. In this case, each container replicates an independent Secure Browsing Instance. This adds further security, as the container environment prevents an attack by a malicious user on one browsing environment from automatically propagating throughout the server.
Secure Browsing Server
[0056] FIG. 4 shows a simplified block diagram of a Secure Browsing Server 400 architecture. The Secure Browsing Server comprises at least one Secure Browsing Instance 410 depending on the number of simultaneous sessions which are active. It additionally comprises physical hardware resources 440, and a host operating system 430, which could be Linux, Windows or any other OS, and an isolation layer 420 that enables the server to create completely separate Secure Browsing Instances 330. Each Secure Browsing Instance comprises isolated input/output resources 413, like network access or a file system. Each environment corresponds to a specific user session and runs a Server Access Controller 412, which synchronises with the Client Access Tool, and one Remote Browser 335 that provides access to the WWW.
[0057] Prior art servers have been described wherein a large number of simultaneous user sessions are hosted in the same server. In these servers a problem with one session typically affects other concurrent sessions. For example, general system-spread errors simultaneously affect not only one, but many of the active sessions. Hence all sessions are vulnerable to system-level anomalies. Another problem is that a system-level error intentionally caused by an attacker would have a detrimental effect on a large group of users. Such attack could concentrate on the confidentiality aspect of user data which could be leaked to other users intentionally.
[0058] In one aspect of the present invention, the isolation layer 420 solves these problems by providing strong isolation between navigation environments, and between them and the host, with the use of virtualization techniques.
[0059] The isolation layer 420 confines the processes and data of each environment, thereby preventing interference between environments short of a breach of the isolation layer itself. This ensures that, even if an instance were to get infected, only the current session would be affected and not any concurrent users. Moreover, virtualization also makes it possible to effectively delete and reset the Secure Browsing Instance for every session. This means that changes in an instance (for example, a malicious modification of the Secure Remote Browser) will not affect future sessions, since they are confined to the isolated instance and erased with it.
[0060] The preferred virtualization technology is container-based virtualization, since the host and the instances share the same kernel in a controlled way while each has an independent file system at its disposal. This mechanism offers a good level of isolation together with low resource consumption and fast deployment time of the instances. The trade-off is that the kernel itself is shared, so a kernel vulnerability reachable from inside one instance is reachable from every instance; the resource limits, inter-process communication restrictions and kernel security patches described below address this.
[0061] Additionally, container-based virtualization allows flexible management of resources, and this flexibility must be exercised. Since the central processing unit (CPU) and random access memory (RAM) are shared among instances, an instance could unknowingly, or intentionally, monopolize resources, thus decreasing performance for the other instances. Therefore, mechanisms to establish limits on CPU time and RAM consumption (for example, Linux control groups) are introduced to prevent a situation where a single container consumes all, or an inordinate share of, the available CPU time or RAM.
[0062] In another aspect, tools that permit inter-process communication through RAM memory are deliberately blocked from operation. For example, in the case of memory sharing, which allows inter-process communication by sharing a specific memory area among many processes, the possibility of creating shared memory segments between different environments is blocked. In some cases, in addition to these measures, kernel security patches provide extra security measures.
[0063] Another problem with such solutions is that, where the network system is shared among instances, network traffic can be seen by every instance, or a communication channel between instances could even be established. In another aspect of the invention this problem is solved by creating virtual network interfaces for each environment, where part of the interface is emulated, while routing tables, or firewalling, are centrally managed by the host.
[0064] In yet another aspect, the present invention comprises other measures with the objective of limiting what one specific environment can see of the other instances. As already stated, the file system is a non-shared resource between containers. The problem here is that replicating a complete file system for every instance can make the system non-viable due to its accumulated overall size. However, since most of the file system's content is immutable, which means that some parts never (or nearly never) change over time and are identical among instances, this content can be shared among instances.
[0065] To this end, every Secure Browsing Server contains a master file system containing the directories to be shared. Upon creation of a Secure Browsing Instance, its file system is composed of non-shared files, or directories, and a set of hard-links pointing to locations in the master file system. A hard-link is a directory entry that associates a name with a file on a file system; several hard-links to the same file refer to the same underlying inode and data blocks. Consequently, all Secure Browsing Instances have two types of elements in their file system: real files and hard-links to the master copy. Since a hard-link consumes only a directory entry rather than a second copy of the file's data, the disk space used by every instance is considerably reduced, resulting in a scalable architecture. This highly scalable solution in turn enables a viable implementation on a large scale to many thousands or even millions of users.
[0066] However it might happen that some Secure Browsing Instances attempt to modify hard-linked files, either intentionally, as part of an attack, or accidentally, or even legitimately. Since the Secure Browsing Server does not know the nature of these modifications, it should not attempt to preemptively block all of them; however, it cannot risk allowing such modifications to be done freely, because a write through a hard-link would alter the very inode that the master file system and every other instance share.
[0067] Hence in another aspect of the present invention the Secure Browsing Server confines each modification to its own environment, that is, to the Secure Browsing Instance wherein the modification was caused. This is done by copying the modified file locally inside the container's file system as a non-shared file and, at the same time, erasing its corresponding hard-link to the master file system, so that the write is applied to the private copy and never to the shared inode. In this manner, containers can share files while assuring that changes to any of these are confined to the instance causing the change. Hence if any file inside the shared file system were modified, this would not affect the other sessions on the given Secure Browsing Server.
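The following Python listing is an added illustration and is not part of the patent specification or of any implementation by the applicants. It reproduces the behaviour of paragraphs [0065] to [0067] on an ordinary file system: a master tree, per-instance trees built from hard-links, and a write path that replaces the link by a private copy before modifying anything. The directory names, file names and contents are constructed for the example; the master files are additionally made read-only so that a write that bypasses the copy step fails instead of silently altering the shared inode.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Added example, not the patent's code. The master tree and its contents are
# constructed for this demonstration.
MASTER_CONTENT = {
    "usr/lib/browser.so": b"immutable library bytes",
    "etc/browser.conf": b"default=1\n",
}


def build_master(root: Path) -> Path:
    """Create the read-only master file system shared by all instances on a server."""
    master = root / "master"
    for rel, data in MASTER_CONTENT.items():
        path = master / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        path.chmod(0o444)  # read-only: a stray write through a link fails loudly
    return master


def create_instance(root: Path, master: Path, session_id: str) -> Path:
    """Instance file system = hard-links to the master copy plus private directories."""
    inst = root / f"instance-{session_id}"
    inst.mkdir(parents=True, exist_ok=True)
    for src in master.rglob("*"):
        if src.is_file():
            dst = inst / src.relative_to(master)
            dst.parent.mkdir(parents=True, exist_ok=True)
            os.link(src, dst)  # same inode, no extra data blocks
    (inst / "home").mkdir(exist_ok=True)  # non-shared, per-session area
    return inst


def is_shared(inst: Path, master: Path, rel: str) -> bool:
    """True while the instance's name still refers to the master inode."""
    return os.path.samefile(inst / rel, master / rel)


def write_file(inst: Path, master: Path, rel: str, data: bytes) -> None:
    """Apply a modification so that it stays confined to this instance ([0067]).

    If the target is still a hard-link to the master copy, the link is replaced by a
    private copy before the write, so the shared inode is never touched."""
    target = inst / rel
    master_copy = master / rel
    if target.exists() and master_copy.exists() and os.path.samefile(target, master_copy):
        private = target.with_name(target.name + ".private")
        shutil.copyfile(target, private)  # new inode holding the same bytes
        os.chmod(private, 0o644)
        os.replace(private, target)  # atomically drops the link, keeps the name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="sbs-"))
    try:
        master = build_master(root)
        a = create_instance(root, master, "a")
        b = create_instance(root, master, "b")
        # instance "a" alters its configuration; the server does not know whether
        # this is malicious or legitimate, and confines it either way
        write_file(a, master, "etc/browser.conf", b"default=0\nmalicious=1\n")
        write_file(a, master, "home/notes.txt", b"private file")  # ordinary non-shared write
        return {
            "a_shared": is_shared(a, master, "etc/browser.conf"),
            "b_shared": is_shared(b, master, "etc/browser.conf"),
            "a_conf": (a / "etc/browser.conf").read_bytes(),
            "b_conf": (b / "etc/browser.conf").read_bytes(),
            "master_conf": (master / "etc/browser.conf").read_bytes(),
            "master_links": os.stat(master / "etc/browser.conf").st_nlink,
        }
    finally:
        shutil.rmtree(root)
```

After the demonstration, the master copy and instance "b" still share one inode (link count 2 instead of 3), while instance "a" owns a private copy carrying its modification. In production the copy step must be enforced by the host rather than trusted to the instance's own code, for example by running the instance under a user that cannot write the master files and handling the resulting write failure, or by using a union file system that performs the same copy-on-write transparently.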
[0068] The Secure Browsing Instance is meant to temporarily offer the tools needed to browse a web application, and these tools are discarded after use. In other words, the Secure Browsing Server of the present invention only requires the features specifically necessary to access a web application. Moreover, offering complementary features, or different configuration options, would pose a new risk, since these options would be available both to legitimate and to malicious users. Reducing the available features reduces the attack surface and makes it easier to control the user's actions. Furthermore, not including these extra features generally decreases memory consumption, enabling a more scalable secure browsing architecture.
[0069] Therefore the operating system and applications inside the Secure Browsing Instance are tailored to support all the functionalities needed to navigate, while not offering any other that is not required. In this way the Secure Browsing Server offers high scalability to attend a high number of users, while the provider can strictly control the actions that a user can perform while interacting with its web site, since the provider itself is supplying the tailored tools that give access to its own web application.
Client Access Tool
[0070] Prior art browsers receive clear text source code, which is susceptible to easy modification and parsing. This can lead to alteration of the user's actions or to gathering of confidential information by an attacker. This risk is minimised by not using the user device's standard local browser to access the web. Instead a Client Access Tool 220 is supplied by the Secure Cloud Browser. This Client Access Tool is a remote control client that does not receive HTML code, JavaScript code or any other form of web source code, but only receives rendered web contents, for instance compressed bitmaps, which are displayed in its window. This way, malicious software that has infected the user device 110 and wants to modify data from the session to commit fraud would first have to recognise the transaction data inside a bitmap (for instance by optical character recognition) and then re-render a consistent altered image, rather than simply parsing and rewriting a document tree. This raises the cost and complexity of the attack considerably, although it does not make screen-level manipulation impossible.
[0071] At the same time, attacks happening at the client side are similarly mitigated. Data introduced by the user using the keyboard or mouse, for instance by typing directly into a window of a web form, are immediately available for viewing by the user. Since the characters are shown on the display as soon as they are typed, malicious software would not only have to change this data in its attack, but also dynamically update the image viewed by the user on the device's screen. Otherwise, the user would notice the malicious modification in the display, even before the data is sent to the web site. Since the characters displayed in an attack would not be the same as the intended ones being typed, the user would be alerted immediately to an anomaly in the system. Even if not suspicious of an attack, this event would prompt the user to close the current session and start a new one, thereby indirectly eliminating the malicious attack.
[0072] Once the Client Access Tool executable file is received from the Secure Browsing Server it is automatically executed resulting in the establishment of a remote control session with the Secure Browsing Instance. FIG. 5 shows the main components of the Client Access Tool 220 as integrated within the client device 110 it interacts with. The Client Access Controller 540 communicates with the Server Access Controller 412 via communication interface 550. The pair formed by the Client and Server Access Controllers offers interaction with one specific Secure Remote Browser. Any webpage contents to be displayed are received ciphered from the respective Secure Browsing Instance at the communication interface, which de-tunnels and de-ciphers them. The Client Access Controller then coordinates the display of the received content on display 510 using image formats typically accepted by screen drivers, such as bitmaps.
[0073] The client device also has a keyboard 520 and mouse 530 to receive events and instructions from the user. The Client Access Controller intercepts these events and instructions and retransmits them to the Secure Browsing Server after they are ciphered and tunneled by the communication interface. Although more details will be given below on ciphering and tunneling, it is to note that both operations are performed by the communication interface, oblivious to the rest of the elements of the Client Access Tool. Once these events have been processed in the respective Secure Browsing Instance, the resulting changes are sent back to Client Access Tool for updating the contents of the webpage as displayed.
[0074] The Client Access Tool is a security critical element of the client-server architecture, since it is executed in the user's environment, which cannot be assumed to be secure. The Client Access Tool is exposed to many of the threats usually affecting a regular browser, which are derived from the environment's condition. One of these is manipulation of the application, which is a common attack technique that consists in modifying part of the application's code, such that it will behave in a malicious way, for instance changing the content of webpage forms. This type of attack is very common in electronic commerce, or banking activities, or electronic transactions, and they usually target the browser. One way of overcoming this kind of threat is for the banking service provider to distribute secure hardware that in general terms contain protected software. This software might be used to verify integrity of the interaction between user and local browser, might be a secure browser itself or even a full operating system. However, this solution has a high cost for the institution, both in terms of hardware and distribution of it, and is cumbersome for the user, who is required to carry a physical device for accessing one application. Another solution is to install a customized banking application on the client's device. However this solution requires the financial institution to cater not only for the server side of their electronic commerce activity, but also for the inadequacies of managing the client side. For the average user this solution is also not usually welcome, as it means installing yet another customized application in their devices. In case the user device is one with limited processing capabilities, such as a wireless mobile phone, smart phone, or tablet, this additional installation is undesirable and not performed by the users.
[0075] On the other hand these problems are solved by simply downloading an executable file that is run, but not installed, on the user's machine, in a transparent manner, without any user intervention. Software installation implies permanent storage of its components (binaries, shared libraries or configuration files, among others), as well as configuration of the operating system of the client device on which the software is to be executed, so that later executions rely on that previously configured environment. Execution without installation instead retrieves the components needed to run the software from an independent storage and configures the system at launch time. Hence, the application can be executed without any persistent effects on the operating system. Moreover, by untangling the software from the operating system, better integrity control over the executable file can be achieved, since there is no need to rely on libraries permanently stored in the operating system, which might have been manipulated.
[0076] Yet the Client Access Tool may be exposed to persistent manipulation if it is permanently stored in an infected machine. The risk exists that an attacker with access to the user's machine could alter the executable file's code and cause changes, and thus damage, in a similar way as when manipulating a fully-installed application. These malicious changes would be stored and therefore affect any future session established through use of that executable file. In one aspect of the invention, to eliminate the possibility of manipulation after use, the Client Access Tool is configured to be used only once per session. After the end of a session, the Client Access Tool is configured to stop operating. In this configuration the Client Access Tool is called a "one-time" browser OTB. This embodiment has the advantage of confining any attacks to a single session. Hence as sessions are destroyed, so is the malware created therein.
[0077] Since the Client Access Tool is expected to be downloaded by a large number of users with different platforms and operating systems it needs to be compatible with a large variety of operating systems. Therefore, to ensure its widespread usability, it is programmed using a multiplatform language. An example of a preferred multiplatform language is Java, since Java and its Java Virtual Machine (from now on JVM) are widespread in current user systems.
[0078] Other types of attacks on client devices exist. Another possible strategy when trying to manipulate an application's operations is to target the libraries required by the application, instead of the application itself. This type of attack is typically performed on well-known and widely deployed technologies, which tend to be better understood by attackers. The Java software used by the Client Access Tool in this aspect of the invention uses standard libraries of the JVM, hence it is also potentially open to this type of attack, wherein its libraries could be manipulated. To minimize the potential impact of such an attack, in another aspect of the present embodiment sensitive functions, or libraries, are integrated into the Client Access Tool. An example of a sensitive library is a security library. This way, the Client Access Tool does not rely on JVM standard libraries to perform sensitive operations (for instance, ciphering functions). As a consequence, those critical functions are covered by the same security mechanisms protecting the Client Access Tool, and are not delegated to software permanently placed in an untrusted environment.
[0079] Since the Client Access Tool has to be downloaded every time the user wants to access a web application, download time is very important from a usability point of view, and it would be desirable to minimise it. Therefore in order to maximise the user's positive experience navigating with the Client Access Tool, in another aspect of the invention, the application's functions are minimised to those necessary for, on one hand, receiving images and coordinating their display on the user device, and, on the other hand, receiving and routing user input from the client to the server side. The application is not expected to perform any further functionality, as they will be offered by the Secure Cloud Browser environment with which it interacts.
[0080] Therefore, the Client Access Tool is developed as a "thin" Client Access Tool which, firstly, is designed to be part of a larger architecture where most of the computing load is hosted by a server. Hence, a thin client only includes functionalities that have to be performed exclusively by the client, and not the server, and is thus as small as possible. This simplicity makes it especially suitable for use in hostile environments, providing the smallest attack surface, which is easier to secure. At the same time responsibility for connection and configuration is mainly assigned to the Secure Server System, thus keeping management functions under the provider's or administrator's control. Finally, due to its size, a thin client is very easy to download, thus minimizing the session establishment time.
[0081] As stated before, an attacker wanting to manipulate the Client Access Tool's behaviour would try to understand it in order to modify and manipulate its code. Since the Client Access Tool only resides on the user's machine during its use and is erased afterwards, any changes made to the client are not permanently stored. However, the risk still exists that an attacker might attempt to alter it dynamically, that is, during the time it is being downloaded or executed. The attack here could concentrate on writing a piece of malware that would attempt to automatically parse and modify the application's code at download. To address this eventuality, in another aspect of the invention, obfuscation techniques are used to hide the components of the Client Access Tool. Obfuscation consists in deliberately making code confusing and ambiguous, so that it is harder to understand and, as a consequence, to reverse engineer. This is achieved by applying a series of transformations to the original code, so that control flow, the purpose of variables and functions, and constant values are hidden. Different transformations, chosen randomly, are applied to every instance; this ensures, on the one hand, that the analysis of the code takes considerable time and, on the other hand, that the analysis of one specific instance does not simplify the analysis of any future instance. Hence, an attacker analyzing the code would not be able to write the above mentioned piece of malware, since he would not know what the next client's code would look like. Instead, he would need to analyze every Client Access Tool instance separately. Obfuscation, or code transformation techniques, are well known in the art. In the following, several aspects comprising the integration of code transformation techniques into the client-server architecture of the present invention are described.
[0082] However, given enough time, most secure systems become vulnerable: an attacker can eventually manage to understand an application instance's code, even by trial and error. Moreover, in the case of obfuscation, since the functionality and observable behaviour of the original code must be preserved, some restrictions apply to the possible transformations. Therefore, to enhance security over time and improve the durability of the Client Access Tool's inherent defences, in another aspect of the invention a security period is assigned to the application code. After this security period the code is renewed automatically, and the obfuscated code is replaced by a new piece of obfuscated code to which different obfuscation transformations have been applied. This time-varying nature of the code makes it extremely difficult for the attacker to modify the code, since with every new code a new analysis needs to be performed from scratch. Hence security here is maximised, as the probability of breaking this time-varying code within its period is very low. At the same time, such frequent code updating is enabled by the minimised nature of the Client Access Tool, since the thin software may be updated many times in a short interval of time without burdening the processing capacity of the user's device.
[0083] In one aspect of the invention, code renewal is implemented by choosing the security period based on the estimated analysis complexity of the final obfuscated Client Access Tool, such that the condition Tsec < Te is satisfied, where Tsec is the security period and Te is the estimated analysis time. In other words, the code must be renewed sooner than the time an attacker is estimated to need to analyse the resident code.
[0084] FIG. 6 shows different approaches to obfuscated code renewal. In the following, two main parameters are taken into account: the time taken to download the new piece of code, Td, and the time period in which the Client Access Tool can be considered protected, Tp. The first axis 610 represents a first aspect of code renewal. As can be seen, the user starts downloading the first instance of the Client Access Tool (CAT1) at time t1. At this same moment, the code is exposed to analysis by a malicious user either listening on the channel or residing in the user's machine. Once the download has been completed at time t2, the first Client Access Tool is executed and used for a certain time. But once the security period Tsec has expired, the first Client Access Tool can no longer be trusted and must be replaced by a new instance to which different obfuscation transformations have been applied. Thus, at time t3, the Secure Server System sends a second instance of the Client Access Tool (CAT2).
[0085] However, in the interval Td from t3 until t4, the active session is interrupted, since neither client can be used. In other words, there is no active application available for use. Once the second Client Access Tool is downloaded, it is executed and the session may be continued. Although, in this case, the security period is Tsec = t3 - t1, the first Client Access Tool can only be both used and trusted during the smaller period Tp = t3 - t2, namely the effective security period.
[0086] The session interruption described above is unacceptable considering current usability objectives. In another aspect of the invention, as depicted in axis 620, this problem is solved by downloading the Client Access Tools in the background during the user's navigation. This could be done by taking advantage of inactivity periods where the amount of network traffic is lower, as depicted by the background downloading of CAT2 during the security period of CAT1. Hence, in this implementation, the second instance is available for continued use as soon as the security period of the first instance ends, therefore providing a seamless transition between application instances.
[0087] A disadvantage with this second aspect of code renewal is that the effective security period of the second instance is decreased, since it is exposed at time t3 but not used until time t7. Hence, new clients need to be downloaded more frequently, so that they are available for use once the effective security period is over. This can lead to traffic congestion or to a situation where the Client Access Tool in use expires before the next one is available.
[0088] An improvement over this implementation is given in a third aspect of code renewal, as depicted in axis 630, which permits the exact moment at which an application is first exposed to be controlled and adjusted. This is implemented using encryption techniques. For instance, the Access Manager 311 ciphers the Client Access Tool before delivering it in the background, which can be seen from the shaded intervals between time t3 and time t4, and between time t5 and time t6. At time t7, right before the first instance expires, the Secure Server System delivers the deciphering key. The second Client Access Tool is then deciphered by the user's device, and is thus exposed for analysis only at the end of this deciphering operation, at time t8, at which point it is also executed. Therefore the exposure time can be managed by the Secure Server System, ensuring that the code is not exposed to analysis before it is needed. Of particular advantage is that the effective security period, defined by the time period between time t8 and time t9, is also the highest, because deciphering is a locally run operation which is generally much faster than downloading the application. Another remarkable advantage is that the deciphering key does not require a secure channel of its own: in this scenario the attacker is assumed to reside on an infected user device and will obtain the key at t7 in any case, but cannot analyse the second instance before that moment, which is exactly what the scheme controls. The key therefore governs when exposure begins, not whether it occurs. Therefore in this third aspect of code renewal a seamless transition between application instances is provided without compromising security.
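The following Python listing is an added illustration and is not part of the patent specification or of any implementation by the applicants. It models the three renewal timelines of FIG. 6 as described in paragraphs [0084] to [0088], computing for each successive instance when it becomes exposed, when it becomes usable, when it expires, and therefore its effective security period Tp, together with the intervals during which the session is interrupted. The strategy names "interrupt", "background" and "encrypted" (for axes 610, 620 and 630), the parameter names and the numeric values used in the usage note are choices of this example; the failure mode of paragraph [0087], an instance that expires before it becomes usable, is reported as an error.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not the patent's code. Time units are arbitrary and t1 = 0; the
# strategy names correspond to axes 610, 620 and 630 of FIG. 6.


@dataclass
class Instance:
    name: str
    exposed_at: float            # plaintext code first observable on the device
    usable_from: float           # user can drive the session with it from here
    expires_at: float            # exposed_at + Tsec: no longer trusted afterwards
    key_released_at: Optional[float] = None  # only for the enciphered delivery of axis 630

    @property
    def tp(self) -> float:
        """Effective security period: the instance is both trusted and usable."""
        return self.expires_at - self.usable_from


def plan(strategy: str, tsec: float, td: float, tdec: float, n: int) -> List[Instance]:
    """Schedule n successive Client Access Tool instances under one renewal strategy."""
    if strategy not in ("interrupt", "background", "encrypted"):
        raise ValueError(f"unknown strategy {strategy!r}")
    instances: List[Instance] = []
    t = 0.0  # expiry of the current instance (session start for the first one)
    for i in range(1, n + 1):
        key_time = None
        if i == 1 or strategy == "interrupt":
            # plaintext download starts at t: exposed at once, usable only after Td
            exposed, usable = t, t + td
        elif strategy == "background":
            # plaintext download timed to end at t: exposed Td before it can be used
            exposed, usable = t - td, t
        else:
            # ciphertext delivered earlier in the background; key released Tdec before t
            # so that local deciphering, and with it exposure, completes exactly at t
            key_time = t - tdec
            exposed, usable = t, t
        inst = Instance(f"CAT{i}", exposed, usable, exposed + tsec, key_time)
        if inst.tp <= 0:
            # failure mode of [0087]: the new instance expires before it becomes usable
            raise ValueError(f"{inst.name} expires at {inst.expires_at} but is usable only from {usable}")
        instances.append(inst)
        t = inst.expires_at
    return instances


def gaps(instances: List[Instance]) -> List[Tuple[float, float]]:
    """Intervals with no trusted, usable instance, i.e. the session is interrupted."""
    return [(prev.expires_at, nxt.usable_from)
            for prev, nxt in zip(instances, instances[1:]) if nxt.usable_from > prev.expires_at]
```

With Tsec = 60, Td = 10 and Tdec = 1, the "interrupt" strategy yields Tp = 50 and a gap of 10 at every renewal, the "background" strategy yields the same Tp = 50 with no gap but with every instance exposed 10 units before it is used, and the "encrypted" strategy yields Tp = 60 with no gap, since exposure and use coincide. Calling plan("background", 60, 60, 1, 2) raises the error for the failure mode: the second instance would expire at the very moment it becomes usable.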
[0089] In another aspect of the invention, obfuscation techniques are used which maximise the time required to break a particular application code. In such situations the security period is longer than the duration of a session. In an extreme case this security period is notably longer than the maximum session duration. In this case, there is no need to apply code renewal as just described. If the complexity achieved is high enough, obfuscation might be applied even to a group of clients, and not necessarily uniquely to every delivered client. For instance, if the security period is estimated to be 24 hours long, the system might apply obfuscation once a day, generating a day-client that will be used for every session starting within that specific period. In this case, all clients will be the same except for the session ID and the shared key embedded in the code, which are unique for every session. As can be seen, a trade-off exists between code obfuscation complexity and code renewal. On one hand, stronger obfuscation removes the need for code renewal, resulting in fewer processing steps and less bandwidth consumption. On the other hand, implementing some degree of code renewal permits lighter obfuscation techniques, thereby reducing overall processing resources. Hence more complex, and more resource intensive, obfuscation can be traded against code renewal.
[0090] The possibility exists that a malicious user may attempt to bypass the protections provided by obfuscation by using a regular remote control software to connect to the Secure Browsing Instance directly, instead of infecting and using a modified Client Access Tool. This would allow the attacker to gain real-time access to a Secure Browsing Instance in use, where confidential data could be spied, or traffic manipulated, among others, with the only requirement of correctly configuring the client. Hence, a mechanism is needed that will ensure that traffic entering one Secure Browsing Instance comes from the Client Access Tool that was delivered by the Access Manager for that specific session and period of time. This would ensure that the executable in use is protected by the previous mechanisms.
[0091] Therefore, in another aspect of the invention, in order to control which Client Access Tool is accessing which virtual environment, the unique Client Access Tool is bound to a specific Secure Browsing Instance at the server through two parameters: the session ID and the cipher key. The session ID, as will be further explained later, allows the Connection Manager to identify incoming connections and determine the Secure Browsing Instance to which each is destined. Hence it serves for routing purposes, but does not provide an effective access control mechanism, for many reasons, the most important of which is that the session ID, which also serves as the tunnel identifier, is known by the Connection Manager 312, an intermediary, and not only by the two endpoints. The cipher key, on the other hand, is used to establish an end-to-end ciphered channel between the Client Access Tool and its corresponding container, and should only be known by these two parties. Hence this key can also be used as an access control token, provided it is securely stored.
[0092] Key negotiation processes of the prior art comprise two parties using asymmetric cryptography to agree on a symmetric channel cipher key, the standard method being the Diffie-Hellman key exchange. Generally, the negotiation phase consists of an exchange of messages (public values, and in authenticated variants challenges and responses) from which both parties derive the same symmetric cipher key. Once this phase is completed, both parties locally store the agreed key and start ciphering their communication using a symmetric algorithm. However, once the Client Access Tool stores the key in the user device's local memory, it is exposed to the adversary. Moreover, negotiation processes are aimed at two parties that have never met before agreeing on a shared key, while the current scenario is quite different. Both the Client Access Tool and the Secure Browsing Instance are part of one larger architecture. Furthermore, the Client Access Tool is actually issued by the Secure Server System, more specifically by the Access Manager. Therefore, in this aspect of the invention no negotiation process is required, but a mechanism is needed that allows the key to be hidden in the hostile environment. Thus a symmetric key system is preferably used, where the two ends, the Client Access Tool and the container, share a pre-established key which is embedded in the Client Access Tool before it is sent to the client device. Taking advantage of the protection offered by obfuscation, as explained before, and of the Client Access Tool's code complexity, the hard-coded key can be hidden, for the duration of the security period, even from an intruder with permissions in the user's environment.
[0093] Taking into account the previous considerations on obfuscation and code renewal, and given that the Secure Browsing Instance will only accept traffic ciphered with the corresponding symmetric key, an attacker is prevented from finding out the key, inside the obfuscated Client Access Tool, in a specific period of time as long as the condition Tsec < Te is satisfied, where Tsec is the security period and Te is the analysis time necessary to find out the key. In other words, the code must be renewed sooner than the time it has been estimated a malicious attack needs to analyze the resident code.
[0094] After the time Tsec, the key is useless, since the entire Client Access Tool software is replaced and a new key is embedded in it. Since the attacker needs to retrieve the key in order to establish a connection with the Secure Browsing Instance, and this key is hidden inside the Client Access Tool's code, as long as the key is kept secret only the Client Access Tool issued for that session can drive its Secure Browsing Instance, which is what binds the executable in use to the protection mechanisms described above.
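The following Python listing is an added illustration and is not part of the patent specification or of any implementation by the applicants. It models the binding of paragraphs [0091] to [0094]: the Connection Manager routes by session ID alone and holds no key, the Secure Browsing Instance accepts only frames ciphered and authenticated with the key embedded in the client issued for that session, replayed frames are refused, and renewal at Tsec leaves the old key useless. The dictionary of keys in the Access Manager stands in for the key embedded in obfuscated code, the HMAC-derived keystream stands in for the real symmetric cipher (an authenticated cipher such as AES-GCM would be used in practice), and the session identifier "s1" and the event payloads are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not the patent's code. The key dictionary stands in for the key
# embedded in the obfuscated client; the HMAC keystream stands in for a real cipher.


def _subkeys(key: bytes):
    """Derive separate cipher and authentication keys from the embedded session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for e.g. AES-GCM."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(mac_key: bytes, session_id: str, seq: int, nonce: bytes, ct: bytes) -> bytes:
    """Encrypt-then-MAC tag over routing header, sequence number, nonce and ciphertext."""
    return hmac.new(mac_key, session_id.encode() + struct.pack(">Q", seq) + nonce + ct,
                    hashlib.sha256).digest()


class AccessManager:
    """Issues a Client Access Tool bound to one session: session ID plus embedded key."""

    def __init__(self):
        self.keys = {}

    def issue(self, session_id: str) -> dict:
        """Also used for renewal at Tsec: a fresh client carries a fresh key."""
        self.keys[session_id] = secrets.token_bytes(32)
        return {"session_id": session_id, "key": self.keys[session_id], "seq": 0}


def seal(client: dict, payload: bytes) -> dict:
    """Client side: cipher and authenticate one keyboard/mouse event frame."""
    client["seq"] += 1
    enc, mac = _subkeys(client["key"])
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(enc, nonce, payload)
    return {"session_id": client["session_id"], "seq": client["seq"], "nonce": nonce,
            "ct": ct, "tag": _tag(mac, client["session_id"], client["seq"], nonce, ct)}


class SecureBrowsingInstance:
    """Container side: accepts only frames ciphered with its own session key, in order."""

    def __init__(self, session_id: str, key: bytes):
        self.session_id, self.key, self.last_seq = session_id, key, 0

    def accept(self, frame: dict) -> bytes:
        enc, mac = _subkeys(self.key)
        expected = _tag(mac, frame["session_id"], frame["seq"], frame["nonce"], frame["ct"])
        if not hmac.compare_digest(expected, frame["tag"]):
            raise PermissionError("frame not ciphered with this session's key")
        if frame["seq"] <= self.last_seq:
            raise PermissionError("replayed or out-of-order frame")
        self.last_seq = frame["seq"]
        return _keystream_xor(enc, frame["nonce"], frame["ct"])


class ConnectionManager:
    """Single access point: routes by session ID only and never holds a cipher key."""

    def __init__(self):
        self.instances = {}

    def bind(self, instance: SecureBrowsingInstance) -> None:
        self.instances[instance.session_id] = instance

    def forward(self, frame: dict) -> str:
        instance = self.instances.get(frame["session_id"])
        if instance is None:
            return "rejected:unknown session"
        try:
            return "accepted:" + instance.accept(frame).decode()
        except PermissionError as exc:
            return "rejected:" + exc.args[0]


def demo() -> dict:
    am, cm = AccessManager(), ConnectionManager()
    client = am.issue("s1")                                # delivered to the user device
    cm.bind(SecureBrowsingInstance("s1", am.keys["s1"]))   # container holds the same key
    legit = seal(client, b"keypress:a")
    # an attacker on the device sees the session ID (needed for routing) but drives a
    # generic remote-control client with a key of its own
    rogue = seal({"session_id": "s1", "key": secrets.token_bytes(32), "seq": 0}, b"keypress:a")
    results = {"legit": cm.forward(legit), "rogue": cm.forward(rogue), "replay": cm.forward(legit)}
    renewed = am.issue("s1")                               # Tsec elapsed: new client, new key
    cm.bind(SecureBrowsingInstance("s1", am.keys["s1"]))
    results["old_client_after_renewal"] = cm.forward(seal(client, b"keypress:b"))
    results["new_client_after_renewal"] = cm.forward(seal(renewed, b"keypress:b"))
    return results
```

The sequence number is what makes the key an access control token rather than a mere routing hint: without it, an attacker who captures one valid frame could resubmit it indefinitely without ever learning the key. In this model the key's secrecy rests entirely on the obfuscation of the client and on the renewal period, as paragraph [0093] states; the cryptography only ensures that whoever holds the key, and nobody else, can drive the instance.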
Connection Manager
[0095] Since the client-server architecture of the present invention will need to attend a high number of concurrent sessions, it is desirable to design a dynamically scalable system tailored to the environment into which it will be integrated. In such a case, multiplication of the elements in the Secure Server System environment is needed to meet the expected demand, such as deploying a plurality of Secure Browsing Servers so that a higher number of Secure Browsing Instances can be offered. The Connection Manager 312 is entrusted with this complex management task, and its main responsibility is managing the creation of new Secure Browsing Instances upon request of the Access Manager 311.
[0096] In one aspect of the invention, when receiving the mentioned request, the Connection Manager requests the Monitoring Manager 313 information on the Secure Browsing Servers' load information. Based on this, the Connection Manager chooses one of the Secure Browsing Servers to host the new environment and instructs it to create a new Secure Browsing Instance. The new Secure Browsing Instance then establishes a communication channel with its counterpart Client Access Tool at the client side. Thus, in this aspect, the Connection Manager also performs the function of dynamically assigning resources depending on current load usage. Therefore when acting as a load balancer, it optimises resource allocation depending on actual system capacity consumption and user needs.
[0097] The existence of a large number of simultaneously active Secure Browsing Servers causes the Secure Server System to have many different open access points, so that a larger part of the Secure Server System is exposed to possible attacks. It is therefore desirable to have only a single open access point in order to minimise the risk of such attacks. Moreover, from a scalability and compatibility point of view, a single access point has the advantage of easier connection management. The Connection Manager 312 therefore acts as the single access point for all external communications, limiting the Secure Server System's possible attack channels. Hence the Connection Manager bridges the bi-directional communication link between the Client Access Tool and the Secure Browsing Instance while a session is active. While it acts as the single communication interface to the Secure Server System, internal elements are hidden from direct access. In one aspect of the invention, the Connection Manager replaces the Secure Browsing Server's IP address with its own, thus hiding the inner network's addressing data and preventing discovery of its internal structure.
[0098] The Secure Server System 210 presented herein is easily integrated into existing architectures to provide them with the advantages of the invention. Consequently, strong compatibility with any architecture is desirable, such that no change, special configuration or adaptation is required when integrating the Secure Server System. This is achieved by the way the client-server architecture is deployed, which does not affect or change any existing infrastructure while being integrated. Complementarily, a particular provider or administrative architecture does not affect the Secure Server System or its methods of connecting, deploying and communicating.
[0099] A security policy commonly used in internal networks consists in limiting the protocols accepted within the network so that, for instance, HTTP and HTTPS connections are allowed but SSH might be blocked, in order to prevent possible intruders from remotely connecting to any device. In order to ensure this compatibility and transparent integration, traffic is encapsulated using a Tunneling Protocol. Tunneling enables the communication to be encapsulated inside a permitted protocol, so that the information exchanged between the Client Access Tool and the Secure Server System will not be discarded by network policies. For instance, going back to the previous example, the traffic could be HTTP-encapsulated, since the HTTP protocol is permitted by the policies in place.
[00100] Since the Tunnel is only required for communications between the Secure Server System and the external network, the encapsulation and de-encapsulation process is applied by the Connection Manager 312 on each connection. Screen images sent from the Secure Browsing Instance 330 to the Client Access Tool 220 are encapsulated, for example using an HTTP Tunnel, by the Connection Manager 312 before they are transmitted to the client device 110 through the public network 130. Complementarily, incoming data is encapsulated by the Client Access Tool 220 before it is transmitted to the Secure Server System 210 and de-encapsulated by the Connection Manager on arrival. A session identifier ID is used to identify tunnels, so that every tunnel is linked to one Secure Browsing Instance 330. This session ID is attached by the Client Access Tool 220 in the tunnel's header and checked upon arrival by the Connection Manager. Since HTTP is the most common protocol used in browsing environments, this tunneling makes the invention highly compatible with different kinds of network configurations. This characteristic is especially critical if the system is offered as a service by the web site provider.
[00101] FIG. 7 is a graphic representation of the implementation of the Tunneling Protocol in the communication link between the Secure Server System 210 and the client device 110. Since the Secure Browsing Servers 320 have intense resource requirements, the tunneling and de-tunneling operations are performed entirely in the Connection Manager 312, which lightens the load of the Secure Browsing Servers, as no Server 320 is any longer responsible for performing these communication-related functions.
[00102] In this aspect of the invention, since the Connection Manager is responsible for redirecting connections to the intended Secure Browsing Instances, it also dynamically manages the growing farm of Secure Browsing Servers without requiring a corresponding alteration of the external network. Moreover, since all communications to and from client devices, including new requests for webpage download or Internet browsing, always go through the Connection Manager, sessions can be transparently transported from one Secure Browsing Instance to another just by replicating the Secure Remote Browser's status and updating the redirection rules in the Connection Manager. Therefore, in case a particular session needs to be transported, the Connection Manager coordinates the change and transports the remote browsing session to another instance by triggering the creation of a new Secure Browsing Instance: it obtains a copy of the Secure Remote Browser status, requests the creation of a new instance containing the given session data and the deletion of the former environment, and changes its own records so as to redirect traffic to the new instance instead of the former. Note that, if the Connection Manager did not have this role, the Client Access Tool would have to be reconfigured to change its connection destination, creating an unnecessary exchange of control data and use of channel capacity.
[00103] Once the browsing session is ended, the Connection Manager is configured to request the closing of the client-server secure environment. It therefore shuts down the assigned Secure Browsing Instance, allows the Client Access Tool to lapse naturally, and deletes its information from the record, so that packets including the corresponding ID are discarded. Since the records kept at the Connection Manager are linked to Secure Browsing Instances' validity, the Connection Manager is also used to establish an expiration time for sessions, so that the environment and the related records will be erased after it and incoming connections using the given ID rejected.
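The tunnel handling, the session records and the session transport described in [00100] to [00103] can be sketched as follows. This is an added example and not code from the patent or from the applicants: the HTTP envelope, the name of the header carrying the session ID, the Instance and Record objects and the counter-based session IDs are assumptions made for the illustration.

```python
"""Connection Manager sketch (added illustration, not the patent's code).

Frames travel inside minimal HTTP POST messages; the session ID rides in a
header (name assumed), the manager maps it to the Secure Browsing Instance
that owns the tunnel, discards unknown or expired IDs, and transports a
session by repointing the record at a freshly created instance.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

SESSION_HEADER = "X-SBS-Session"   # assumed name of the tunnel header carrying the ID


@dataclass
class Instance:
    server: str                                   # Secure Browsing Server hosting it
    state: dict = field(default_factory=dict)     # Secure Remote Browser status
    alive: bool = True


@dataclass
class Record:
    instance: Instance
    expires_at: float


def encapsulate(session_id: str, payload: bytes) -> bytes:
    """Client Access Tool side: wrap a payload in an HTTP request so that a
    network policy permitting only HTTP lets it through."""
    head = ("POST /tunnel HTTP/1.1\r\n"
            f"{SESSION_HEADER}: {session_id}\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload


def decapsulate(frame: bytes) -> Tuple[str, bytes]:
    """Connection Manager side: strip the envelope, return (session_id, payload).
    Raises ValueError for frames that do not carry a well-formed header."""
    head, sep, body = frame.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if len(body) != int(headers.get(b"content-length", b"-1")):
        raise ValueError("body length does not match Content-Length")
    sid = headers.get(SESSION_HEADER.lower().encode())
    if not sid:
        raise ValueError("missing session header")
    return sid.decode(), body


class ConnectionManager:
    def __init__(self, ttl: float, now: Callable[[], float] = time.time):
        self.ttl = ttl                  # session expiration time
        self.now = now
        self.records: Dict[str, Record] = {}
        self._counter = 0

    def open_session(self, server: str) -> str:
        # A real deployment uses a random, unguessable ID; a counter keeps the example deterministic.
        self._counter += 1
        sid = f"sess-{self._counter:04d}"
        self.records[sid] = Record(Instance(server), self.now() + self.ttl)
        return sid

    def route(self, frame: bytes) -> Optional[Instance]:
        """Return the instance the frame belongs to, or None if it is discarded."""
        try:
            sid, _payload = decapsulate(frame)
        except ValueError:
            return None
        rec = self.records.get(sid)
        if rec is None:
            return None
        if rec.expires_at <= self.now():
            self.close(sid)             # expired: erase environment and record
            return None
        return rec.instance

    def migrate(self, sid: str, new_server: str) -> Instance:
        """Transport a session: copy the browser status into a new instance,
        redirect the record to it and delete the former environment."""
        rec = self.records[sid]
        former = rec.instance
        rec.instance = Instance(new_server, state=dict(former.state))
        former.alive = False
        return rec.instance

    def close(self, sid: str) -> None:
        rec = self.records.pop(sid, None)
        if rec is not None:
            rec.instance.alive = False
```

Because the Client Access Tool only ever addresses the Connection Manager, `migrate` changes nothing on the client side: the same frames with the same session ID are delivered to the new instance. Frames with an unknown, expired or missing session ID are dropped before any internal element sees them.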
Monitoring System
[00104] In another embodiment of the invention, in addition to the security mechanisms deployed in the Secure Browsing Server 320, and the management functions assigned to the Connection Manager 312, an independent Monitoring System is provided to control the actions and status of the different modules of the client-server environment. The Monitoring System is configured to detect both errors and attacks to the client-server system and to prevent the malware from spreading and infecting other components of the system.
[00105] FIG. 8 depicts a Monitoring System 800 according to one embodiment of the invention. To perform this function the Monitoring System comprises a plurality of Information Collectors 821, which log data received from the at least one Secure Browsing Server 320. The Monitoring System also comprises a Monitoring Manager 313 which evaluates the logged information, analyses the data statistically, and decides to perform certain actions in consequence. In another aspect of this embodiment, the Information Collectors are placed inside every Secure Browsing Instance 330 and every Secure Browsing Server in order to have constant access to the monitoring targets.
[00106] In one aspect of this embodiment, the Information Collectors are configured to check and record regularly information and data relating to performance and resource consumption. For example, this could be information on RAM space, CPU time, and file system usage. The Monitoring Manager 313 then compares the collected data with pre-established thresholds such that an alarm is triggered if these are reached. These indicators are aimed at detecting attempts to monopolize resources by a specific Secure Browsing Instance that could lead to a degradation of performance of other Secure Browsing Instances hosted inside one specific Secure Browsing Server. It is also intended to detect excessive resource usage amongst Secure Browsing Servers. Using this information, the Monitoring Manager takes decisions on how to dynamically reassign resources depending on current availability, needs, and overall system optimisation. In another aspect of the invention, this information is used to block, ban or restrict one specific session, based on the assumption that it is malicious or, at least, dangerous. Finally, the Connection Manager 312 uses this information to deploy new Secure Browsing Instances, in order to balance the load of the system, as described before.
[00107] In another aspect of this embodiment, security alerts are obtained through comparison between actions performed inside every instance, or Secure Browsing Server, and a model of expected behavior, following a mechanism that is similar to a white list of actions. The term white list usually refers to a set of entities which are given a special privilege as opposed to a black list, wherein the privileges are revoked for those entities. In our case, actions performed in the Secure Browsing Instance, or the Secure Browsing Server, are under evaluation and compared to a white list. If an action is contained in the list, the system assumes it to be legitimate as a privilege, and actions not contained in the list are thus considered suspicious. In another aspect of the invention, the white list is enhanced by adding information on the likelihood of one action to legitimately take place given context information, such as previous events. The Monitoring Manager permits an overall configuration and number of Secure Browsing Instances to operate simultaneously as long as the indicators comply with the predetermined white list. However, when a high number of users are being served simultaneously by the client-server architecture of the invention, such monitoring mechanisms tend to raise a high number of false positive alarms, where an event is mistakenly catalogued as dangerous or unwanted, due to the large variety of possible actions and the complexity of their context. The problem with trying to ameliorate such monitoring inaccuracy by an even more accurate behavioural model is that the data matching process becomes excessively cumbersome also as a consequence of the model's complexity, in addition to the inherent complexity of serving many thousands or even millions of browsing sessions.
[00108] Therefore it is an advantageous characteristic of the present client-server architecture in that it inherently minimises these monitoring and control problems. On one hand the operating system and applications have been tailored to reduce the possible actions to be performed. Moreover, since Secure Browsing Instances have a very specific purpose, the expected behavior model can be highly concretized yielding a very stable non-changing white list, hence leading to smaller chances of false positives or negatives happening and also simplifying real-time matching of the actions.
[00109] It is another advantageous characteristic of the present Secure Browsing Server architecture in that it reduces further risks of attack or infection by removing such monitoring and evaluation tasks from within the Secure Browsing Server's environment, as it is generally not recommendable to evaluate risks inside any single Secure Browsing Instance or even in the Secure Browsing Server's host operating system. Consider an attacker that gains control over the Secure Browsing Instance and tries to perform dangerous functions inside it, like for instance changing the network permissions in order to record traffic from neighbouring Secure Browsing Instances. Once the malicious user has reached administrator permissions over the instance, he can disable the Information Collector and thus avoid detection. In such scenario, if the attacked Information Collector was to decide whether to apply extra security measures to contain the attack, it would be of no use in such a situation. These security problems are solved in the Secure Server System of the invention as these decisions are taken by a central Monitoring Manager, independent from the Secure Browsing Servers.
[00110] Alerts generated by the Information Collectors are sent to the Monitoring Manager, which furthermore has information about the overall Server System and is thus able to correlate information, or match events, taking place in different Secure Browsing Instances. Since the attacker could hypothetically still succeed in disabling the Information Collector, or in modifying or even eliminating alerts, in another aspect of this embodiment the Information Collector is configured to regularly send keep-alive messages that contain hashes enabling verification of the integrity of previous alerts. This way the Monitoring Manager can detect any modification of alarms, and a missing keep-alive reveals a disabled collector, adding yet another obstacle to attacks aimed at blinding the Monitoring Manager.
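One way to build the keep-alive check of [00110] is a hash chain over the emitted alerts. The following is an added example, not the patent's or the applicants' code: the message fields, the use of plain SHA-256 for the chain and the keep-alive interval are assumptions.

```python
"""Hash-chained alert integrity (added illustration, not the patent's code).

Each alert the Information Collector emits extends a SHA-256 chain; the
periodic keep-alive carries the alert count and the chain head.  The
Monitoring Manager recomputes the chain over the alerts it actually holds, so
a modified or deleted alert shows up as a mismatch, and a missing keep-alive
shows up as a silent collector.  Message fields and the keep-alive interval
are assumptions.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = b"\x00" * 32


def chain_link(prev: bytes, alert: dict) -> bytes:
    """Next chain head: SHA-256 over the previous head and the canonical alert."""
    canonical = json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev + canonical).digest()


class InformationCollector:
    """Runs inside a Secure Browsing Instance or Server."""

    def __init__(self, collector_id: str):
        self.collector_id = collector_id
        self.head = GENESIS
        self.count = 0

    def alert(self, body: dict) -> dict:
        self.head = chain_link(self.head, body)
        self.count += 1
        return {"type": "alert", "from": self.collector_id, "seq": self.count, "body": body}

    def keep_alive(self) -> dict:
        return {"type": "keepalive", "from": self.collector_id,
                "count": self.count, "head": self.head.hex()}


class MonitoringManager:
    """Central, outside the Secure Browsing Servers; holds the received alerts."""

    def __init__(self, keepalive_interval: float):
        self.interval = keepalive_interval
        self.alerts: Dict[str, List[dict]] = {}
        self.last_seen: Dict[str, float] = {}

    def receive(self, msg: dict, now: float) -> Optional[str]:
        """Store alerts; verify keep-alives. Returns a problem description or None."""
        src = msg["from"]
        self.last_seen[src] = now
        if msg["type"] == "alert":
            self.alerts.setdefault(src, []).append(msg)
            return None
        return self.verify(msg)

    def verify(self, keepalive: dict) -> Optional[str]:
        held = self.alerts.get(keepalive["from"], [])
        if len(held) != keepalive["count"]:
            return f"alert count mismatch: holding {len(held)}, collector reports {keepalive['count']}"
        head = GENESIS
        for m in held:
            head = chain_link(head, m["body"])
        if head.hex() != keepalive["head"]:
            return "alert contents modified"
        return None

    def silent(self, collector_id: str, now: float) -> bool:
        """True when no message arrived within the expected keep-alive interval,
        e.g. because an attacker with administrator rights disabled the collector."""
        last = self.last_seen.get(collector_id)
        return last is None or now - last > self.interval
```

The chain protects what the collector has already emitted: an alert that is altered or removed in transit or in the manager's store no longer matches the head the collector reports. A collector fully under an attacker's control can of course lie from that point on, which is exactly why the text keeps the decisions in a central Monitoring Manager rather than inside the instance.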
[00111] In another aspect of this embodiment, the Monitoring Manager is configured to assign a risk level to every active client-server browsing session. A risk parameter is determined based on three information sources, namely an initial risk parameter, the alarms issued relating to a particular Secure Browsing Instance, and an environmental status parameter. The risk parameter is set at an initial value, for example 0, and can only increase throughout the session. Depending on the resulting risk at any one moment in time, the Monitoring Manager decides whether to apply any additional security measures and issues corresponding instructions to the Connection Manager to execute these additional security measures.
[00112] The calculation of a risk level enables the stepwise application of these measures, based on the overall status of the session - including historical information on the session's evolution - instead of taking decisions based on any one concrete event. When considering suspicious actions inside any one Secure Browsing Instance, these can be evaluated depending on their criticality but also on other previous actions that might be related, hence resulting in a better overview that allows the System to identify coordinated attacks rather than single apparently unrelated actions. Complementarily, when evaluating the system's load status, many thresholds can be established to every parameter, obtaining a scale on the criticality of the situation, rather than a binary alarm. Hence risk management is globally optimised not only with respect to all the Secure Server System's different components, but also with regard to the statistical history of events.
[00113] The initial risk parameter is obtained by combining a series of parameters that are based either on objective predefined criteria or on the system's learning from previous behaviour of users inside the system. The former allow the currently common risk-control checks, which can be regarded as heuristics that flag unusual behaviour or configurations. For instance, parameters commonly used in the prior art to identify sessions with a higher risk are browser and session language: if the application is mainly used by Europeans, sessions configured with languages from countries in other continents might be considered risky. These types of verifications are currently the most widespread and can also be fed into the Monitoring System of the Secure Server System.
[00114] On the other hand, as an example of learning-based parameters, if sessions established from one specific IP address have proven, through continuous monitoring of that IP address, to lead to high-risk sessions, any new request from it is automatically assigned a high initial risk upon establishment. For sessions with a high initial risk component, the available functions are limited from the start.
[00115] Environment information allows the Monitoring Manager to take into account risks arising in neighbouring instances, in order to build a broader system overview of risks by linking independent and separate risk events. Since many sessions coexist in the same Secure Browsing Server, events inside one Secure Browsing Instance can lead to risks in the others. Going back to the example of an attacker trying to sniff traffic, events occurring in the attacker's environment can have consequences in other environments, and thus the risk of the other Secure Browsing Instances inside the same physical machine is increased based on this specific instance's alert. Once the risk level begins to rise, the system checks a set of thresholds and can limit some specific functions of the Secure Browsing Instance in use. As an example, the ability to download documents could be disabled, in order to avoid the presence of malware in a compromised environment.
[00116] FIG. 9 depicts a flow diagram according to another embodiment of the invention describing a method of triggering secure browsing. In this aspect the Secure Server System assigns either a High Security environment or a Honeypot environment depending on whether the risk level as determined by the Monitoring Manager exceeds a threshold Eth representing a high level of risk when compared to the expected behaviour of a session. The objective here is to immediately assign high-risk sessions to a high security browsing environment. Moreover, sessions exceeding Eth can be divided into two groups depending on the knowledge of the error, or attack, that is taking place. Hence the Monitoring Manager also obtains a parameter of knowledge K on the behaviour, which is compared to a second threshold Ath. Sessions with high risk and showing a known attack, or error, pattern are assigned to a High Security Browsing Server, while unknown ones are assigned to a Honeypot Secure Browsing Server, a separate environment where their security risks can be further tested.
[00117] In step 910 the risk level of the current session being monitored is determined. Next, in step 920, this risk level is compared to a predetermined threshold Eth representing a high risk level. If the risk level is below Eth, the session is allowed to stay in its current security settings, as in step 930. These could be the client's default settings or self-configured security settings. On the other hand, if the session's risk reaches or exceeds the high-risk threshold Eth, the session is transported to one of the two dedicated environments, depending on the system's knowledge about the attack in course as gathered by the Monitoring Manager. Session transportation implies reproducing the status of the browser at a specific instant and redirecting incoming connections from that moment on. Hence, upon transportation, the session is replicated in a new and completely reset Secure Browsing Instance.
[00118] In step 940 the previous events are analysed and compared to patterns of known attacks. In step 950 a test is performed to determine whether the events analysed reasonably correspond to any attack already known by the Monitoring Manager. If positive 960, the session is transported to the High Security Secure Browsing Server. On the other hand, risks not corresponding to known patterns are transported 970 to the Honeypot Secure Browsing Server.
[00119] Transporting sessions into the High Security SBS results in their capabilities being strictly limited by stronger security configurations, so as to minimise the risk of an attacker achieving intrusion in the system. Restricted functions can include downloading, uploading and printing files and browsing any third party's web pages, while security and isolation are enforced, for instance using a more restrictive virtualization technology or deploying independent file systems instead of sharing immutable files.
[00120] On the other hand, sessions transported to the Honeypot SBS are offered a dummy environment in order to analyze and understand the new attack process. Sessions are provided a copy of the production environment where neighboring instances host fake users, such that attacks do not target real ones. Since the security test is performed recursively, as can be seen from arrow 980, if the attacker ever reaches a point where the attack matches a known pattern, it can be transported to the High Security SBS from that point on. This behavior not only enables identification of future occurrences of the attack, but is also a tool to improve the security mechanisms in place inside regular Secure Browsing Instances and Secure Browsing Servers.
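The white-list evaluation of [00107], the resource thresholds of [00106], the risk parameter of [00111] to [00115] and the routing of FIG. 9 ([00116] to [00120]) fit together as in the following added example. It is not the patent's or the applicants' code: the white list, the alarm weights, the known-attack patterns, the way K is computed and the values of Eth and Ath are illustrative assumptions.

```python
"""Risk parameter and FIG. 9 routing (added illustration, not the patent's code).

Actions reported by the Information Collectors are checked against a white
list; anything else raises an alarm that adds to the session's risk and, as
the environmental component, to the risk of its neighbours on the same Secure
Browsing Server.  Resource readings above a threshold add to the risk as
well.  Risk never decreases.  Once it reaches Eth, the session is transported
to the High Security SBS if its suspicious actions match a known pattern well
enough (K >= Ath) and to the Honeypot SBS otherwise; a honeypot session is
re-evaluated on every new event.  White list, weights, patterns and
thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WHITE_LIST = {"open_url", "render", "scroll", "type", "click", "download"}
RESOURCE_LIMITS = {"cpu_pct": 90, "ram_mb": 512}
WEIGHT = {"unlisted_action": 2, "privilege_change": 5, "resource": 1, "neighbour": 1}
PRIVILEGE_ACTIONS = {"setcap", "setuid", "mount_proc"}
KNOWN_PATTERNS = {
    "sniff_neighbours": ["setcap", "iface_promisc", "tcpdump"],
    "escape_container": ["mount_proc", "write_sysfs"],
}
ETH = 6     # high-risk threshold
ATH = 0.6   # knowledge threshold


@dataclass
class Session:
    sid: str
    server: str                     # physical Secure Browsing Server
    risk: int = 0
    suspicious: List[str] = field(default_factory=list)
    environment: str = "regular"


class MonitoringManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def start(self, sid: str, server: str, initial_risk: int = 0) -> Session:
        """initial_risk comes from predefined criteria or learned reputation."""
        s = Session(sid, server, risk=initial_risk)
        self.sessions[sid] = s
        return s

    def _raise(self, s: Session, amount: int) -> None:
        s.risk += amount            # monotone: risk only increases during the session

    def observe_action(self, sid: str, action: str) -> None:
        s = self.sessions[sid]
        if action in WHITE_LIST:
            return
        s.suspicious.append(action)
        self._raise(s, WEIGHT["privilege_change"] if action in PRIVILEGE_ACTIONS
                    else WEIGHT["unlisted_action"])
        for other in self.sessions.values():      # environmental component
            if other is not s and other.server == s.server:
                self._raise(other, WEIGHT["neighbour"])

    def observe_resources(self, sid: str, **readings: int) -> None:
        s = self.sessions[sid]
        for metric, value in readings.items():
            if value > RESOURCE_LIMITS.get(metric, float("inf")):
                self._raise(s, WEIGHT["resource"])

    def knowledge(self, s: Session) -> Tuple[float, str]:
        """K: share of the best-matching known pattern already seen in the session."""
        best, name = 0.0, ""
        for pname, pattern in KNOWN_PATTERNS.items():
            k = sum(1 for a in pattern if a in s.suspicious) / len(pattern)
            if k > best:
                best, name = k, pname
        return best, name

    def decide(self, sid: str) -> str:
        """Steps 910-970 of FIG. 9: returns the environment for the session."""
        s = self.sessions[sid]
        if s.risk < ETH:
            return s.environment                      # 930: keep current settings
        k, _ = self.knowledge(s)                      # 940, 950
        s.environment = "high_security" if k >= ATH else "honeypot"   # 960 / 970
        return s.environment
```

Because `decide` is re-run after every event, a session parked in the honeypot moves to the High Security SBS as soon as its accumulated actions complete a known pattern (arrow 980), and a session that was never moved stays in its current settings however many white-listed actions it performs.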
Download and Connection Procedures
[00121] FIG. 10 depicts a first method 1000 for providing Internet browsing capabilities according to a first embodiment of the invention. This embodiment comprises all the various aspects and configurations already described so far, either in isolation or in combination, resulting in differing technical effects and advantages over the prior art as has been described.
[00122] The downloading process begins at step 1010 when the user introduces in his pre-installed local browser the URL of a web site (for example, http://www.example.com). If the site is secured, it responds with a redirection to the Secure Server System, as in step 1020 (for example, a redirect to https://securedbrowsing.example.com). In response the client device is prompted to formally request, in step 1030, an instance of a container in a Secure Browsing Server, which creates a Secure Browsing Instance. At the same time, at step 1040, the Secure Browsing Server also prepares and serves to the client device 110 the binary code of a Client Access Tool. When the software download is completed, the device executes it.
[00123] Execution can be implemented in one aspect of this embodiment as starting a new process independent from the original local browser. In another aspect of this embodiment, the Client Access Tool is created inside the local browser. This option depends on configuration of the platform and has some implications on the solution's look and feel: if the client is executed as an independent process, it will be shown as an independent window, while execution inside the browser shows the contents of the Secure Remote Browser as a new tab inside the local browser, which results in a more transparent implementation. These settings also have some security implications: when executed inside the browser, the Client Access Tool can be subject to attempts of manipulation from the Local Browser, since it is a process running inside this latter. On the contrary, when shown in a different window, the Client Access Tool is run as a process independent of the Local Browser. This enhances security but requires higher permissions in the user device.
[00124] In step 1050, the Client Access Tool proceeds to establish a connection with its respective Secure Browsing Instance, and displays the contents of the Secure Remote Browser on the client device's display. Alternatively, another possibility would be not redirecting the user to the Secure Server System, but simply retrieving the Client Access Tool and delivering it directly to the original web site (http://www.example.com) via the Web Application Server.
[00125] As mentioned, the request 1030 for a new Secure Browsing Instance triggers the Secure Browsing Server to prepare a new instance of a container which is assigned specific for the user. This process implies different configuration actions like setting the web site address, session permissions, and others. The Client Access Tool is also specifically prepared for that session, and all the data required for establishing the connection between the user device and the container (session ID and encryption keys) is embedded in the binary code before signing the software.
[00126] FIG. 11 depicts a second method 1100 for providing Internet browsing capabilities according to a second embodiment of the invention wherein authentication procedures are performed before accessing the Secure Server System. This embodiment is based on the first embodiment of FIG. 10.
[00127] Authentication can be performed at the web site once the connection is established with the Secure Browsing Server. Alternatively, the authentication can be performed from the Local Browser, so that the session is transported once the user has been authenticated. This has the additional advantage of reducing the number of requests received by the Secure Server System. FIG. 11 depicts this aspect of the invention, wherein the Secure Server System takes over the session once the user is authenticated. As can be seen, in step 1110 the web site initially sends a login form, so that the user can respond by introducing his credentials using the Local Browser in step 1120. Once the credentials are validated, the web site communicates with the platform in step 1130 to authorize the user to request a secure browsing container, which is performed in step 1020. While the first method of FIG. 10 has the advantage of protecting the user credentials, which are only entered in the secured environment, the second method of FIG. 11 saves platform resources, as only authorized users can request a Secure Browsing Instance. This could prevent, for instance, Denial of Service attacks against the Secure Server System, where a large number of requests are sent to the server so that it runs out of resources. However, the process in FIG. 10 offers enhanced security during login, which is a security-sensitive process.
[00128] In case the Secure Server System is operated according to the first method of FIG. 10, a limitation to the number of requests from any one single device is introduced in a further aspect of this embodiment. The Access Manager is configured to include a mechanism that identifies the client device where the request has been originated and can establish limits on the number of sessions one device can open. Since the parameters that identify the device must be collected at the user's computing device and might be available or not depending on its permissions, these limits can also be made variable depending on the quality of the data collected. Once the Access Manager has verified that the device is allowed to open a new connection, it delivers the Client Access Tool.
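The per-session preparation of the Client Access Tool in [00125] (session ID and key embedded before signing) and the device-dependent session limit of [00128] can be combined in one Access Manager step, shown here as an added example that is not the patent's or the applicants' code. The template layout, the identifying parameters, the limit table and the use of an HMAC-SHA256 tag in place of a signature are assumptions.

```python
"""Access Manager step (added illustration, not the patent's code).

The client reports the identifying parameters its permissions allow it to
collect; the fewer parameters, the lower the identification quality and the
fewer sessions the device may open.  A permitted request gets a Client
Access Tool built from a template with the session ID and a fresh symmetric
key embedded, then signed.  The template layout, the limit table and the use
of an HMAC-SHA256 tag as the signature are assumptions; a real deployment
signs with a private key whose public half the client verifies.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

TEMPLATE = b"CAT v1\nsession={SESSION_ID}\nkey={KEY}\n"     # placeholder layout (assumed)
IDENTIFYING = ("machine_id", "os_fingerprint", "ip")
LIMITS = {3: 5, 2: 2, 1: 1, 0: 0}     # identification quality -> sessions allowed per device


def device_id(params: Dict[str, str]) -> Tuple[str, int]:
    """Collapse whatever parameters were collected into a device key, and
    return the quality (number of identifying parameters present)."""
    present = {k: params[k] for k in IDENTIFYING if params.get(k)}
    key = hashlib.sha256(json.dumps(present, sort_keys=True).encode()).hexdigest()[:16]
    return key, len(present)


def parse_tool(binary: bytes) -> Tuple[str, bytes]:
    """Client side: recover session ID and key from the delivered binary."""
    fields = dict(line.split(b"=", 1) for line in binary.split(b"\n") if b"=" in line)
    return fields[b"session"].decode(), bytes.fromhex(fields[b"key"].decode())


class AccessManager:
    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.open: Dict[str, int] = {}

    def request_tool(self, params: Dict[str, str]) -> Optional[dict]:
        dev, quality = device_id(params)
        if self.open.get(dev, 0) >= LIMITS[quality]:
            return None                          # over the limit: no tool delivered
        self.open[dev] = self.open.get(dev, 0) + 1
        session_id = os.urandom(8).hex()
        key = os.urandom(32)                     # per-session symmetric key
        binary = (TEMPLATE.replace(b"{SESSION_ID}", session_id.encode())
                          .replace(b"{KEY}", key.hex().encode()))
        signature = hmac.new(self.signing_key, binary, hashlib.sha256).hexdigest()
        return {"session_id": session_id, "key": key, "binary": binary, "signature": signature}

    def verify_tool(self, binary: bytes, signature: str) -> bool:
        expected = hmac.new(self.signing_key, binary, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

    def release(self, params: Dict[str, str]) -> None:
        dev, _ = device_id(params)
        if self.open.get(dev, 0) > 0:
            self.open[dev] -= 1
```

A device that reports none of the identifying parameters gets a limit of zero in this table, which is the conservative choice for the unauthenticated flow of FIG. 10; the limits for partially identified devices are deliberately low because such devices are easy to spoof. The signature covers the binary with the embedded session data, so a tampered session ID or key is detected before the tool is executed.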
[00129] FIG. 12 depicts a third method 1200 for providing Internet browsing capabilities according to a third embodiment of the invention wherein the connection to the secured platform could start at any moment during the usage of the web site, and not necessarily right after login is completed. This embodiment is a modification of either the first or second embodiments of FIGs. 10 and 11.
[00130] This would allow the administrator, for instance, to redirect a session to the Secure Server System when the web application's independent risk assessment detects that the operations being performed pose a risk to either the web site or the user. In other words, in this embodiment the capability of transferring a session is provided by the Secure Server System, but the decision whether to transport it is taken by the web application. The user logs onto the web application as described before and is authenticated in step 1210. After one or many navigation actions 1220, a request or a post that is determined to need enhanced security is received in step 1230 by the Application Server; this Server determines that the session needs to be transported to a container to enhance the protection and then issues a redirection instruction to the user in step 1030. Simultaneously, it notifies the Secure Server System in step 1130 that the user is authorized to request a container instance, and the Secure Server System retrieves the necessary session information in steps 1240 and 1250, so that the Secure Remote Browser can replicate the status of the user's local browser. Similarly to the former processes, the platform replies to the user request with the Client Access Tool software and, when the download is completed (step 1040), the connection is established in step 1050. Prior to connection establishment, during the preparation of the container, the Secure Remote Browser has asked the Application Server for the current state of the session (step 1240).
Communication between Entities
[00131] During Internet navigation, the Client Access Tool communicates with the Secure Browsing Instance, and the latter with the Web Application Server. FIG. 13 depicts some examples of the messages that are exchanged between these entities. The Secure Remote Browser within its corresponding Secure Browsing Instance sends 1301 a web page request to the Web Application Server, which processes it and responds 1302 with a document. The Secure Remote Browser then processes the contents of the document, renders the result and delivers it to the Client Access Tool window in 1303, showing the updated contents on the user's screen.
[00132] Keyboard and mouse events occurring in the Client Access Tool are transmitted 1304 to the Secure Remote Browser to process them and update 1305 the display, if needed. Some events will cause the browser to issue 1308 a new request to the server but others can cause the display to update without requiring interaction with the Web Application Server. This might be the case while filling in a form, where typed content is shown to the user before the form is sent to the server. Similar as in previous steps, a document is requested and transmitted 1309 in return for it to be rendered in the Secure Remote Browser before the display of the client's device is updated 1310, however with the new contents.
[00133] In case the Secure Remote Browser is shown as an independent window from the local browser, the former can be configured to support tab functionality in order to display as many tabs as necessary following the regular process. However, if the Secure Remote Browser is integrated into the local browser's window, tabs need to be managed independently so that every tab can be shown as a tab of the local browser.
[00134] FIG. 14 depicts this aspect of the invention, showing the process by which a new tab is opened in the local browser, displaying a new tab in the system. The user requests 1410 a new webpage, for instance by clicking on a link. This request is transmitted through the thin client to the Secure Browsing Instance and is processed there, determining that a new tab needs to be opened. The Secure Browsing Instance then informs 1420 the Client Access Tool 220 that a new Client Access Tool 1450 should be downloaded to be displayed in a new tab. Simultaneously the Secure Browsing Server is informed 1430 that it should accept the incoming request. The Client Access Tool then requests 1030 a new Client Access Tool from the Secure Browsing Server and downloads 1040 the new thin Client Access Tool in return. Once the new Client Access Tool has been downloaded and is executing, it requests 1050 the Secure Cloud Browser Server to establish the connection with the Secure Browsing Instance.
[00135] In another aspect of the invention when processing the request 1410 for a new URL, the Secure Browsing Instance could also determine that the URL corresponds to a page that does not need to be secured. This could for instance apply if secure browsing capability is being offered as a security service by the provider of a web site "www.example.com" and the user requests access to a different site, for example "www.otherprovider.com". In this case, the system could request to open a new tab on the local browser and specify the URL to be loaded, and the user would in turn access "www.otherprovider.com" from his local browser.
[00136] It is to be understood by the skilled person in the art that the various embodiments, realisations, and aspects of the invention have been so drafted with the aim of disclosing the invention in a concise manner. This does not mean that the intention is of limiting the scope of the disclosure to the precise combination of embodiments, realisations, and aspects as drafted. On the other hand, the intention is that the different features of the inventive concepts described may be readily understood to be combinable as would be derived from a clear and objective reading of the disclosure by one of ordinary skill in the art.
[00137] Furthermore, the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. When the systems and/or methods are implemented in software, firmware, middleware or microcode, the program code, code segments or computer program may be stored in a machine-readable medium, such as a storage component. A computer program or a code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or to a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted using any suitable means including memory sharing, message passing, token passing, network transmission, or others.
[00138] For a software implementation, the techniques described herein may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. The software codes may be stored in memory units and executed by processors. The memory unit may be implemented within the processor or external to the processor, in which case it can be communicatively coupled to the processor through various means as is known in the art. Further, at least one processor may include one or more modules operable to perform the functions described herein.
[00139] Moreover, various aspects or features described herein may be implemented, on one hand, as a method or process or function, and on the other as an apparatus, a device, a system, or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media. For example, computer-readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips, etc.), optical disks (e.g., compact disk (CD), digital versatile disk (DVD), etc.), smart cards, and flash memory devices (e.g., EPROM, card, stick, key drive, etc.). Additionally, various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" can include, without being limited to, various media capable of storing, containing, and/or carrying instruction(s) and/or data. Additionally, a computer program product may include a computer readable medium having one or more instructions or codes operable to cause a computer to perform the functions described herein.
[00140] What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination, or permutation, of components and/or methodologies for purposes of describing the aforementioned embodiments. However one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible within the general inventive concept clearly derivable from an objective reading of the present disclosure. Accordingly, the described embodiments are intended to embrace all such alterations, modifications and variations that fall within scope of the appended claims.
[00141] The various logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
[00142] The methods or algorithms described may be embodied directly in hardware, in a software module executed by a processor, or a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
[00143] Those skilled in the art should appreciate that the foregoing discussion of one or more embodiments does not limit the present invention, nor do the accompanying figures. Rather, the present invention is limited only by the following claims.

Claims

1. A server system for providing internet browsing capabilities to a user of at least one client device, wherein the server system comprises: means for receiving a request for a webpage file;
means for creating, at the server, at least one browsing instance comprising a remote browser;
means for providing, from the server, a client access tool at the client device, the client access tool enabling data transfer between the client device and the at least one browsing instance;
means for controlling communication with the client access tool enabling a browsing session as the user of the client device browses the internet using the remote browser comprised in the at least one browsing instance.
2. The server system of claim 1, wherein the client access tool is provided as at least one executable file for execution on the client device, the at least one executable file being configured for a single browsing session.
3. The server system of claim 2, wherein the means for controlling comprises the at least one server browser instance transmitting the webpage file to the at least one client device in an image format.
4. The server system of claim 2, wherein the means for controlling is configured to control the creation and termination of, or control the number of, at least one browsing sessions for each client device, and wherein a new browsing session can be opened as a new tab within the same remote browser, or as a new remote browser.
5. The server system of claim 2, wherein the means for controlling is configured to encapsulate the data exchanged in the at least one browsing session.
6. The server system of claim 4, wherein the means for controlling is configured to detect an active non-secured browsing session and transport it to a secured environment by creating at least one browsing session.
7. The server system of claim 4, wherein the means for controlling is configured to apply code transformation to the client access tool code before transmitting it as an executable file to the client device, wherein each client access tool has a different transform applied to it.
8. The server system of claim 7, wherein the means for controlling is configured to periodically apply a different code transformation to the client access tool code after a predetermined security period, and transmitting an updated executable file to the client device.
9. The server system of claim 8, wherein the means for controlling is configured to transmit the updated executable file to the client device at the end of the security period, or during the security period.
10. The server system of claim 9, wherein the means for controlling is configured to cipher the code before transmitting the updated executable file to the client device during the security period, and to transmit to the client device a deciphering key at the end of the security period for deciphering the client access tool code.
11. The server system of claim 4, further comprising means for monitoring security and capacity indicators, wherein the means for controlling is configured to create and/or terminate the at least one browsing session based on a number of webpage file requests, system loading and security levels as determined by the means for monitoring.
12. The server system of claim 11, wherein the means for monitoring comprises a plurality of information collectors configured to collect indicators from the means for receiving, from the means for controlling, and from every browsing instance, and wherein the means for monitoring comprises a monitoring manager configured to determine a risk level representing high risk and a knowledge level representing known indicators or patterns.
13. The server system of claim 12, wherein the means for monitoring is configured to transport a current browsing session to a high security environment if the risk level is equal to or above a first threshold and the knowledge level is equal to or above a second threshold.
14. The server system of claim 12, wherein the means for monitoring is configured to transport a current browsing session to a testing environment if the risk level is equal to or above a first threshold and the knowledge level is below a second threshold.
15. The server system of claim 2, further comprising means for isolating one browsing instance from another wherein each browsing instance comprises a master file system and a set of hard-links pointing to locations in the master file system, and wherein the means for controlling is configured to copy an infected file into the master file system and erase the corresponding hard-link.
16. A client device for providing internet browsing capabilities to at least one user, the client device comprising: means for transmitting a request for a webpage file;
means for receiving a client access tool from a server, the client access tool enabling data transfer between the client device and at least one browsing instance at the server; means for communicating data with the server enabling a browsing session as the user of the client device browses the internet using the remote browser comprised in the at least one browsing instance.
17. The client device of claim 16, wherein the means for receiving is configured to receive and execute at least one executable file configured for a single browsing session.
18. The client device of claim 16, wherein the means for receiving is configured to receive the webpage file in an image format.
19. A method in a server for providing internet browsing capabilities to a user of at least one client device, the method comprising: receiving a request for a webpage file;
creating, at the server, at least one browsing instance comprising a remote browser;
providing, from the server, a client access tool at the client device, the client access tool enabling data transfer between the client device and the at least one browsing instance;
controlling communication with the client access tool enabling a browsing session as the user of the client device browses the internet using the remote browser comprised in the at least one browsing instance.
20. A method in a client device for providing internet browsing capabilities to at least one user, the method comprising: transmitting a request for a webpage file;
receiving a client access tool from a server, the client access tool enabling data transfer between the client device and at least one browsing instance at the server; communicating data with the server enabling a browsing session as the user of the client device browses the internet using the remote browser comprised in the at least one browsing instance.
21. A computer readable medium comprising instructions which, when executed on a computer, perform the steps of method claims 19 and 20.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/071507 WO2013079113A1 (en) 2011-12-01 2011-12-01 Secure cloud browsing client-server system and method of secure remote browsing using the same

Publications (1)

Publication Number Publication Date
WO2013079113A1 (en) 2013-06-06

Family

ID=45063154

Country Status (1)

Country Link
WO (1) WO2013079113A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7587669B2 (en) * 2001-04-09 2009-09-08 Aol Llc Server-based browser system
US20070174915A1 (en) * 2006-01-23 2007-07-26 University Of Washington Detection of spyware threats within virtual machine

Non-Patent Citations (1)

Title
NILS GRUSCHKA ET AL: "Browser as a Service (BaaS): Security and Performance Enhancements for the Rich Web", 17TH GI/ITG CONFERENCE ON COMMUNICATION IN DISTRIBUTED SYSTEMS (KIVS'11), 11 March 2011 (2011-03-11), XP055023357, Retrieved from the Internet <URL:http://drops.dagstuhl.de/opus/volltexte/2011/2975/pdf/22.pdf> [retrieved on 20120329], DOI: 10.4230/OASIcs.KiVS.2011.208 *

Cited By (20)

Publication number Priority date Publication date Assignee Title
US9740390B2 (en) 2013-03-11 2017-08-22 Spikes, Inc. Dynamic clip analysis
WO2015078500A1 (en) * 2013-11-28 2015-06-04 Fundació Privada Barcelona Digital Centre Tecnològic Method and system for secure execution of web applications for mobile devices
DE102014007789A1 (en) * 2014-05-23 2015-11-26 Giesecke & Devrient Gmbh Browser-based application
US10838842B2 (en) 2015-04-30 2020-11-17 Alibaba Group Holding Limited Method and system of monitoring a service object
EP3292468A4 (en) * 2015-05-06 2018-10-31 Alibaba Group Holding Limited Virtual host isolation
US11068586B2 (en) 2015-05-06 2021-07-20 Alibaba Group Holding Limited Virtual host isolation
EP3220600A1 (en) * 2016-03-14 2017-09-20 Palo Alto Research Center Incorporated System and method for proxy-based privacy protection
KR20170106912A (en) * 2016-03-14 2017-09-22 팔로 알토 리서치 센터 인코포레이티드 System and method for proxy-based privacy protection
KR102407305B1 (en) 2016-03-14 2022-06-13 팔로 알토 리서치 센터 인코포레이티드 System and method for proxy-based privacy protection
US10044679B2 (en) 2016-03-14 2018-08-07 Palo Alto Research Center Incorporated System and method for proxy-based privacy protection
EP3247084A1 (en) 2016-05-17 2017-11-22 Nolve Developments S.L. Server and method for providing secure access to web-based services
US11232167B2 (en) 2016-05-17 2022-01-25 Randed Technologies Partners S.L. Server and method for providing secure access to web-based services
WO2017198740A1 (en) * 2016-05-17 2017-11-23 Nolve Developments S.L. Server and method for providing secure access to web-based services
US11797636B2 (en) * 2016-05-17 2023-10-24 Netskope, Inc. Intermediary server for providing secure access to web-based services
US10834168B2 (en) 2016-05-19 2020-11-10 Panasonic Avionics Corporation Methods and systems for secured remote browsing from a transportation vehicle
US10554722B2 (en) 2016-05-19 2020-02-04 Panasonic Avionics Corporation Methods and systems for secured remote browsing from a transportation vehicle
CN112292669A (en) * 2018-05-04 2021-01-29 思杰***有限公司 System and method for embedded browser
CN110493329A (en) * 2019-08-08 2019-11-22 西藏宁算科技集团有限公司 A kind of concurrent Push Service method and system based on User space protocol stack
CN112799815A (en) * 2021-01-28 2021-05-14 北京钛星数安科技有限公司 System and method for realizing distributed scheduling of remote browser
CN112799815B (en) * 2021-01-28 2024-04-02 北京钛星数安科技有限公司 System and method for realizing remote browser distributed scheduling

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11788863; Country of ref document: EP; Kind code of ref document: A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11788863; Country of ref document: EP; Kind code of ref document: A1)