Detecting network proxies through observation of symmetric relationships

US 7,475,420 B1
Filed: 01/31/2005
Issued: 01/06/2009
Est. Priority Date: 01/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting proxies, comprising:

analyzing network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and

for each symmetric relationship found, performing further analysis to determine if the second node is configured to serve as a proxy;

wherein the further analysis comprises determining whether a third network data transmission is or was sent from the third node to the second node in response to the second network data transmission and, if so, determining whether a fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting network proxies through the observation of symmetric relationships is disclosed. Network transmission data is analyzed to detect symmetric relationships between network data transmissions. A symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission. For each symmetric relationship found, further analysis is performed to determine if the second node is configured to serve as a proxy.

33 Citations

View as Search Results

27 Claims

1. A method for detecting proxies, comprising:
- analyzing network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and
  
  for each symmetric relationship found, performing further analysis to determine if the second node is configured to serve as a proxy;
  
  wherein the further analysis comprises determining whether a third network data transmission is or was sent from the third node to the second node in response to the second network data transmission and, if so, determining whether a fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as recited in claim 1, wherein a symmetric relationship is detected only if the second network data transmission is sent by the second node within a first interval after the sending of the first network data transmission.
  - 3. The method as recited in claim 1, wherein the prescribed first criterion is based at least in part on the size of the first network data transmission.
  - 4. The method as recited in claim 1, wherein the prescribed first criterion is satisfied if the size of second network data transmission is within a prescribed range based at least in part on the size of the first network data transmission.
  - 5. The method as recited in claim 1, wherein the prescribed first criterion comprises one of a set of one or more criteria, all of which must be satisfied by the second network data transmission in order for a symmetric relationship to be found.
  - 6. The method as recited in claim 1, wherein the further analysis further comprises:
    - determining whether said third network data transmission was sent to said from the third node to the second node within a second interval after the sending of the second network data transmission.
  - 7. The method as recited in claim 1, wherein the further analysis further comprises:
    - determining whether said third network data transmission is or was sent from the third node to the second node using a first source port that is the same as a first destination port to which the second network data transmission was sent and addressed to a second destination port that is the same as a second source port from which the second network data transmission was sent.
  - 8. The method as recited in claim 1, wherein the further analysis further comprises:
    - determining whether said third network data transmission is or was sent from the third node to the second node using a first source port that is the same as a first destination port to which the second network data transmission was sent and addressed to a second destination port that is the same as a second source port from which the second network data transmission was sent.
  - 9. The method as recited in claim 8, wherein the further analysis further comprises:
    - determining whether said fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node using a third source port that is the same as a third destination port to which the first network data transmission was sent and addressed to a fourth destination port that is the same as a fourth source port from which the first network data transmission was sent.
  - 10. The method as recited in claim 1, wherein the further analysis further comprises:
    - determining whether the first node resides in a first network zone, the second node resides in a second network zone, and a third node resides in a third network zone;
      
      wherein the first node in the first network zone is permitted to directly communicate with the second node in the second network zone but is forbidden to directly communicate with the third node in the third network zone and the second node in the second network zone is permitted to directly communicate with both the first node in the first network zone and the third node in the third network zone.
  - 11. The method as recited in claim 1, wherein the further analysis further comprises performing further processing with respect to the pair comprising the first and second network data transmissions only if the first node resides in a first network zone and the second node resides in a second network zone.
  - 12. The method as recited in claim 1, wherein the further analysis further comprises performing further processing with respect to the pair comprising the first and second network data transmissions only if the first node resides in a first network zone and the second node resides in a second network zone and the second data transmission was sent under a communications protocol which the first node is forbidden to use to directly communicate with hosts outside the first network zone.
  - 13. The method as recited in claim 1, wherein the further analysis further comprises manually inspecting a host associated with the second node.
  - 14. The method as recited in claim 1, further comprising receiving the network transmission data in real time as the associated network data transmissions are sent.
  - 15. The method as recited in claim 1, further comprising receiving the network transmission data in the form of data recorded at a previous time when the associated network data transmissions were sent.

16. A method for detecting proxies, comprising:
- analyzing network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and
  
  for each symmetric relationship found, performing further analysis to determine if the second node is configured to serve as a proxy, including by determining whether the first network data transmission was sent from the first node to the second node using a first destination port that is different from a second destination port to which the second node sends the second network data transmission.
- View Dependent Claims (17)
- - 17. The method as recited in claim 16, wherein the further analysis further comprises:
    - filtering the second network data transmission out from any further proxy detection processing with respect to the transmission pair comprising the first and second network data transmissions if it is determined that the first network data transmission was not sent from the first node to the second node using a first destination port that is different from a second destination port to which the second node sends the second network data transmission.

18. A system configured for detecting proxies, comprising:
- a communication interface configured to receive network transmission data; and
  
  a processor configured to;
  
  analyze network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and
  
  for each symmetric relationship found, perform further analysis to determine if the second node is configured to serve as a proxy;
  
  wherein the further analysis comprises determining whether a third network data transmission is or was sent from the third node to the second node in response to the second network data transmission and, if so, determining whether a fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system as recited in claim 18, wherein a symmetric relationship is detected only if the second network data transmission is sent by the second node within a first interval after the sending of the first network data transmission.
  - 20. The system as recited in claim 18, wherein the prescribed first criterion is based at least in part on the size of the first network data transmission.
  - 21. The system as recited in claim 18, wherein the processor is further configured to determine whether said third network data transmission is or was sent from the third node to the second node using a first source port that is the same as a first destination port to which the second network data transmission was sent and addressed to a second destination port that is the same as a second source port from which the second network data transmission was sent.
  - 22. The system as recited in claim 18, wherein the processor is further configured to determine whether the first network data transmission was sent from the first node to the second node using a first destination port that is different from a second destination port to which the second node sends the second network data transmission, and, if not, filter the second network data transmission out from any further proxy detection processing with respect to the transmission pair comprising the first and second network data transmissions.
  - 23. The system as recited in claim 18, wherein the processor is further configured to perform further processing with respect to the pair comprising the first and second network data transmissions only if the first node resides in a first network zone and the second node resides in a second network zone.

24. A system configured for detecting proxies, comprising:
- a communication interface configured to receive network transmission data; and
  
  a processor configured to;
  
  analyze network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and
  
  for each symmetric relationship found, perform further analysis to determine if the second node is configured to serve as a proxy;
  
  wherein the processor is further configured to determine whether within a second interval after the sending of the second network data transmission a third network data transmission is or was sent from the third node to the second node and, if so, determine whether a fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node.

25. A computer program product for detecting proxies, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- analyzing network transmission data to detect symmetric relationships between network data transmissions, wherein a symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission; and
  
  for each symmetric relationship found, performing further analysis to determine if the second node is configured to serve as a proxy;
  
  wherein the further analysis comprises determining whether a third network data transmission is or was sent from the third node to the second node in response to the second network data transmission and, if so, determining whether a fourth network data transmission having a symmetric relationship with the third network data transmission is or was sent by the second node to the first node.
- View Dependent Claims (26, 27)
- - 26. The computer program product as recited in claim 25, wherein a symmetric relationship is detected only if the second network data transmission is sent by the second node within a first interval after the sending of the first network data transmission.
  - 27. The computer program product as recited in claim 25, wherein the prescribed first criterion is based at least in part on the size of the first network data transmission.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Hernacki, Brian
Primary Examiner(s)
Song; Hosuk

Application Number

US11/047,471
Time in Patent Office

1,436 Days
Field of Search

726 2- 4, 726 11- 12, 726 14- 15, 726 22- 25, 713/150, 713/153
US Class Current

726/2
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/1425 Traffic logging, e.g. anoma...

Detecting network proxies through observation of symmetric relationships

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting network proxies through observation of symmetric relationships

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links