Extracting data from encrypted packet flows

US 10,594,664 B2
Filed: 03/13/2017
Issued: 03/17/2020
Est. Priority Date: 03/13/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting, by a processor, a data packet that belongs to an encrypted data flow traversing a network;

determining, by the processor, whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;

forwarding, by the processor, the data packet to a first server pool that will truncate the data packet, only when the encrypted data flow is the existing encrypted data flow; and

forwarding, by the processor, the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, only when the encrypted data flow is the new encrypted data flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, the present disclosure describes a device, computer-readable medium, and method for extracting data from encrypted packet flows. For instance, in one example, a method includes detecting a data packet that belongs to an encrypted data flow traversing a network, determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake, forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow, and forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

45 Citations

View as Search Results

20 Claims

1. A method, comprising:
- detecting, by a processor, a data packet that belongs to an encrypted data flow traversing a network;
  
  determining, by the processor, whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;
  
  forwarding, by the processor, the data packet to a first server pool that will truncate the data packet, only when the encrypted data flow is the existing encrypted data flow; and
  
  forwarding, by the processor, the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, only when the encrypted data flow is the new encrypted data flow.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the detecting comprises:
    - scanning a header of the data packet for a value that indicates that the data packet belongs to the encrypted data flow.
  - 3. The method of claim 2, wherein the value comprises a port number in a port number field of the header, and the port number indicates a port used for communications using secure sockets layer protocol.
  - 4. The method of claim 3, wherein the port number is 443.
  - 5. The method of claim 1, wherein the data packet is a replica of an original data packet.

6. A device, comprising:
- a processor; and
  
  a non-transitory computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  detecting a data packet that belongs to an encrypted data flow traversing a network;
  
  determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;
  
  forwarding the data packet to a first server pool that will truncate the data packet, only when the encrypted data flow is the existing encrypted data flow; and
  
  forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, only when the encrypted data flow is the new encrypted data flow.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The device of claim 6, wherein the detecting comprises:
    - scanning a header of the data packet for a value that indicates that the data packet belongs to the encrypted data flow.
  - 8. The device of claim 7, wherein the value comprises a port number in a port number field of the header, and the port number indicates a port used for communications using secure sockets layer protocol.
  - 9. The device of claim 8, wherein the port number is 443.
  - 10. The device of claim 6, wherein the data packet is a replica of an original data packet.
  - 11. The device of claim 6, wherein the operations further comprise:
    - receiving the data packet from a traffic analysis point.
  - 12. The device of claim 11, wherein the traffic analysis point is an optical traffic analysis point that mirrors the data packet from an original data packet of the encrypted data flow traversing the network.
  - 13. The device of claim 6, wherein the first server pool will truncate the data packet by discarding the payload from the data packet.
  - 14. The device of claim 6, wherein the processor comprises a multiplexer.
  - 15. The device of claim 6, wherein the second server pool will inspect the payload of the data packet for the secure sockets layer certificate until a threshold number of packets are inspected for the new encrypted data flow.

16. A non-transitory computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
- detecting a data packet that belongs to an encrypted data flow traversing a network;
  
  determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;
  
  forwarding the data packet to a first server pool that will truncate the data packet, only when the encrypted data flow is the existing encrypted data flow; and
  
  forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, only when the encrypted data flow is the new encrypted data flow.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the detecting comprises:
    - scanning a header of the data packet for a value that indicates that the data packet belongs to the encrypted data flow.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the value comprises a port number in a port number field of the header, and the port number indicates a port used for communications using secure sockets layer protocol.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the port number is 443.
  - 20. The non-transitory computer-readable medium of claim 16, wherein the data packet is a replica of an original data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Zaifman, Arthur L., Mocenigo, John M.
Primary Examiner(s)
Tsang, Henry

Application Number

US15/457,306
Publication Number

US 20180262487A1
Time in Patent Office

1,100 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

H04L 63/30   for supporting lawful inter...

Extracting data from encrypted packet flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Extracting data from encrypted packet flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links