Managing session secrets for continuous packet capture systems
First Claim
1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:
- continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
- employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
- obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
- providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
- storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
- providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets stored in the data store and their associated key information in the secure communication session based on the correlation information;
- providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
- choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
6 Assignments
0 Petitions
Abstract
Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session, including a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. The key information and the correlation information may then be stored in a key escrow, where the key information is indexed using the correlation information.
134 Citations
30 Claims
1. Independent claim 1 is reproduced above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A system for monitoring communication over a network between one or more computers comprising:
one or more network monitoring computers (NMCs), comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules; employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite; obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session; providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session; storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information; providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters; and the one or more computers, comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: providing the plurality of network packets.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules; employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite; employing the one or more NMCs to identify a secure communication session established between two of the one or more computers; obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by a key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session; providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session; storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information; providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
Dependent claims: 18, 19, 20, 21, 22, 23

24. A network monitoring computer (NMC) for monitoring communication over a network between one or more computers, comprising:
a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules; employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite; obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session; providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session; storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information; providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
Dependent claims: 25, 26, 27, 28, 29, 30
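The escrow, correlation and selective-decryption steps that the abstract and the independent claims describe, as an added illustration written for this page (not code from the patent or its assignee): session keys are indexed by a canonicalised 5-tuple, a query over the data store excludes unencrypted packets, and a policy decides which of the remaining packets are decrypted. The HMAC-SHA256 counter-mode keystream, the `Packet` record and all sample traffic are assumptions constructed here; a real deployment would use the negotiated cipher suite.

```python
import hmac
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "flow seq payload encrypted")  # as stored by the NMC (constructed)

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonicalise the 5-tuple so both directions of a session index one escrow entry."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], proto)

class KeyEscrow:
    """Session keys indexed by correlation (tuple) information, as the claims describe."""
    def __init__(self):
        self._keys = {}
    def store(self, flow, session_key):
        self._keys[flow_key(*flow)] = session_key
    def lookup(self, flow):
        return self._keys.get(flow_key(*flow))

def keystream(key, seq, n):
    # Assumption: HMAC-SHA256 in counter mode stands in for the real cipher suite's keystream.
    blocks = (hmac.new(key, seq.to_bytes(8, "big") + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def query_encrypted(data_store, flow):
    """Query over the data store that excludes unencrypted packets from the result."""
    return [p for p in data_store if p.encrypted and flow_key(*p.flow) == flow_key(*flow)]

def selective_decrypt(packets, escrow, policy):
    """Decrypt only packets the policy allows and for which the escrow holds a key."""
    out = []
    for p in packets:
        key = escrow.lookup(p.flow)
        plain = xor(p.payload, keystream(key, p.seq, len(p.payload))) if key is not None and policy(p) else None
        out.append((p.seq, plain))  # None means the packet is left encrypted
    return out

def demo():
    # Constructed sample: one session key, a data store with mixed traffic, an HTTPS-only policy.
    key, flow = b"constructed-session-key", ("10.0.0.5", 51234, "10.0.0.9", 443, "tcp")
    escrow = KeyEscrow()
    escrow.store(flow, key)
    store = [Packet(flow, 0, b"ClientHello...", False),  # handshake records are not encrypted
             Packet(flow, 1, xor(b"GET /", keystream(key, 1, 5)), True),
             Packet(flow[2:4] + flow[0:2] + flow[4:], 2, xor(b"200 OK", keystream(key, 2, 6)), True),
             Packet(("10.0.0.5", 40000, "10.0.0.7", 53, "udp"), 0, b"dns query", False)]
    return selective_decrypt(query_encrypted(store, flow), escrow, lambda p: 443 in (p.flow[1], p.flow[3]))
```

Because the escrow is keyed on the canonical tuple, the reverse-direction server record resolves to the same session key as the client record, while the plaintext handshake and the unrelated DNS packet never reach the decryptor.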
Specification