SYSTEM AND METHOD FOR SELECTIVE INSPECTION OF ENCRYPTED TRAFFIC

US 20120290829A1
Filed: 04/13/2012
Published: 11/15/2012
Est. Priority Date: 04/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

analyzing data relating to users of a communication network, which carries multiple data connections conveying encrypted data, so as to establish one or more selection rules;

selecting a subset of the multiple data connections based on the selection rules; and

configuring an inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Inspection of encrypted network traffic where multiple network connections are monitored that carry encrypted data, but only a subset of the network connections are decrypted and inspected. Typically, only network connections that are associated with designated target users whose encrypted data is to be inspected are decrypted. A Network Monitor Center (NMC) dynamically establishes a list of rules for selection of encrypted data connections. The rules are provided to a Secure data Inspection Appliance (SIA) that accepts some or all of the network user encrypted traffic and checks it against a rule table. When detecting an encrypted connection that matches the rule table, the SIA decrypts the connection and provides a copy of the connection plain data to the NMC. The NMC then inspects the plain data for security threats. Once a security threat is found in a connection, the NMC applies predefined consequent actions to this connection.

Citations

20 Claims

1. A method, comprising:
- analyzing data relating to users of a communication network, which carries multiple data connections conveying encrypted data, so as to establish one or more selection rules;
  
  selecting a subset of the multiple data connections based on the selection rules; and
  
  configuring an inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein analyzing the data comprises identifying one or more target users of the communication network, and defining the selection rules to select the data connections associated with the target users.
  - 3. The method according to claim 1, wherein analyzing the data comprises obtaining respective identifiers of one or more target users by communicating with an authentication node of the communication network, and wherein selecting the subset comprises choosing the data connections associated with the obtained identifiers.
  - 4. The method according to claim 3, wherein the authentication node comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 5. The method according to claim 3, wherein the identifiers comprise temporary Internet Protocol (IP) addresses that are assigned to the target users.
  - 6. The method according to claim 1, wherein analyzing the data comprises defining the selection rules so as to identify one or more of the data connections that carry malicious content.
  - 7. The method according to claim 1, wherein selecting the subset comprises configuring a network switch to forward only the selected subset of the network connections to the inspection device.
  - 8. The method according to claim 7, wherein configuring the network switch comprises causing the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion.
  - 9. The method according to claim 1, wherein the encrypted data has been encrypted in accordance with a Secure Socket Layer (SSL) protocol.
  - 10. The method according to claim 1, wherein the encrypted data has been encrypted in accordance with a Transport Layer Security (TLS) protocol.

11. Apparatus, comprising:
- one or more network interfaces, which are configured to communicate with a communication network that carries multiple data connections conveying encrypted data; and
  
  a processor, which is configured to analyze data relating to users of the communication network so as to establish one or more selection rules, to select a subset of the multiple data connections based on the selection rules, and to configure an inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The apparatus according to claim 11, wherein the processor is configured to identify one or more target users of the communication network by analyzing the data, and to define the selection rules to select the data connections associated with the target users.
  - 13. The apparatus according to claim 11, wherein the processor is configured to obtain respective identifiers of one or more target users by communicating with an authentication node of the communication network, and to selecting the subset by choosing the data connections associated with the obtained identifiers.
  - 14. The apparatus according to claim 13, wherein the authentication node comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 15. The apparatus according to claim 13, wherein the identifiers comprise temporary Internet Protocol (IP) addresses that are assigned to the target users.
  - 16. The apparatus according to claim 11, wherein the processor is configured to define the selection rules so as to identify one or more of the data connections that carry malicious content.
  - 17. The apparatus according to claim 11, wherein the processor is configured to configure a network switch to forward only the selected subset of the network connections to the inspection device.
  - 18. The apparatus according to claim 17, wherein the processor is configured to cause the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion.
  - 19. The apparatus according to claim 11, wherein the encrypted data has been encrypted in accordance with one of a Secure Socket Layer (SSL) protocol and a Transport Layer Security (TLS) protocol.

20. Apparatus, comprising:
- a monitoring unit, which is configured to analyze data relating to users of a communication network, which carries multiple data connections conveying encrypted data, so as to establish one or more selection rules, to select a subset of the multiple data connections based on the selection rules, and to output an indication of the selected subset; and
  
  an inspection device, which is configured to receive the indication of the selected subset from the monitoring unit, to decrypt the encrypted data conveyed by the data connections in the selected subset, and to output the decrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Altman, Yuval

Granted Patent

US 8,959,329 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

H04L 63/30   for supporting lawful inter...

SYSTEM AND METHOD FOR SELECTIVE INSPECTION OF ENCRYPTED TRAFFIC

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SELECTIVE INSPECTION OF ENCRYPTED TRAFFIC

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links