System to enable detecting attacks within encrypted traffic

US 20070169190A1
Filed: 01/04/2006
Published: 07/19/2007
Est. Priority Date: 01/04/2005
Status: Active Grant

First Claim

Patent Images

1. A system for detecting network attacks within encrypted network traffic received by a protected network comprising:

a sensor module configured to receive and analyze network traffic for attacks; and

a security module configured to decrypt encrypted network traffic, and send decrypted traffic to the sensor module.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting network attacks within encrypted network traffic received by a protected network includes a decryption module and an adaptor module. This system and method can be inserted and used with multiple types of operating systems.

Citations

20 Claims

1. A system for detecting network attacks within encrypted network traffic received by a protected network comprising:
- a sensor module configured to receive and analyze network traffic for attacks; and
  
  a security module configured to decrypt encrypted network traffic, and send decrypted traffic to the sensor module.
- View Dependent Claims (2)
- - 2. The system of claim 1, wherein the security module is configured to decrypt secure sockets layer (SSL) traffic and the sensor module is configured to receive and analyze the decrypted SSL traffic.

3. A system, for use with a sensor module, for identifying network attacks within packets received by a protected network comprising:
- a decryption module configured to received encrypted packets, decrypt the encrypted packets, and transmit the encrypted packets; and
  
  an adaptor module configured to route packets from the protected network to the sensor module, route encrypted packets from the protected network to the decryption module, receive the decrypted packets from the decryption module, and route the decrypted packets to the sensor module.
- View Dependent Claims (4)
- - 4. The system of claim 3, wherein the sensor module is further configured to generate an alert when an attack is detected.

5. A security module to provide an interface with a protected network for use with a sensor module which can analyze network traffic comprising:
- a decryption module configured to receive encrypted network traffic, decrypt the encrypted network traffic, and transmit the decrypted network traffic;
  
  a sensor module configured to analyze network traffic; and
  
  an adaptor module configured to route network traffic from the protected network to the sensor module, route encrypted network traffic from the protected network to the decryption module, receive the decrypted network traffic from the decryption module, and route decrypted network traffic to a sensor module.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The security module of claim 5, wherein the decryption module is further configured to provide identification to the decrypted traffic as preprocessed network traffic before it is sent to the sensor module.
  - 7. The security module of claim 5, wherein the adaptor module is further configured to provide identification to the decrypted traffic as preprocessed network traffic before it is sent to the sensor module.
  - 8. The security module of claim 5, wherein the adaptor module is further configured to function at the operating system level.
  - 9. The security module of claim 5, wherein the decryption module is further configured to monitor network traffic to specific web sites or addresses on the network.
  - 10. The decryption module of claim 5, configured to hold multiple connections to secure web pages in a buffer.
  - 11. The adaptor module of claim 5, configured to detect traffic which has been blocked by the sensor module and block corresponding encrypted traffic.

12. An intrusion detection system for detecting network attacks within encrypted network traffic received by a protected network, comprising:
- a physical network interface card (NIC) configured to receive network traffic from the protected network;
  
  a decryption module configured to receive encrypted network traffic, decrypt the encrypted network traffic, and transmit the decrypted network traffic;
  
  a sensor module configured to receive network traffic and analyze network traffic for potential attacks; and
  
  a virtual NIC configured to receive network traffic from the physical NIC, route encrypted network traffic from the physical NIC to the decryption module, receive the decrypted network traffic from the decryption module, and route decrypted network traffic to the sensor module.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the decryption module is configured to wrap the decrypted traffic with a Transmission Control Protocol/Internet Protocol (TCP/IP) envelope and route it to the virtual NIC.
  - 14. The system of claim 12, wherein the adaptor module is further configured to label the decrypted traffic as preprocessed network traffic before it is sent to the sensor module.

15. A enhanced intrusion detection system for detecting network attacks within encrypted network traffic received by a protected network, comprising:
- a NIC configured to receive all network traffic from the protected network;
  
  a decryption module configured to receive encrypted network traffic, decrypt the encrypted network traffic, and transmit the decrypted network traffic;
  
  a sensor module configured to receive network traffic and analyze network traffic for potential attacks; and
  
  a bonding module configured to receive network traffic from the NIC, pass encrypted traffic from the NIC to the decryption module, receive the decrypted network traffic from the decryption module, merge network traffic from the NIC and the decryption module into a single stream of traffic, bond decrypted traffic with non-encrypted traffic, and route decrypted network traffic to the sensor module.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the decryption module is configured to wrap the decrypted traffic with a envelope and route it to the bonding module.
  - 17. The system of claim 15, wherein the adaptor module is further configured to recognize traffic which has been blocked by the sensor module and block corresponding encrypted traffic.

18. A method, for use with a sensor module and security module, for identifying network attacks within encrypted packets received by a protected network comprising the steps of:
- routing encrypted packets from the protected network to the security module, decrypting the encrypted packets, receiving the decrypted packets from the security module and routing packets from the protected network to the sensor module, and routing decrypted packets to the sensor module.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the receiving step further comprises the step of emulating a network interface card (NIC).

20. A method for decrypting and processing network traffic for a sensor module, to protect a network from attacks, comprising the steps of:
- receiving network traffic, decrypting encrypted network traffic, routing decrypted network traffic to a sensor, routing non-encrypted network traffic to a sensor, and routing encrypted network traffic to a sensor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Kolton, Doron, Wexler, Asaf, Zahavi, Yoram, Stav, Adi, Frydman, Ariel

Granted Patent

US 7,895,652 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

System to enable detecting attacks within encrypted traffic

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System to enable detecting attacks within encrypted traffic

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links