Detection of encrypted packet streams

US 7,761,705 B2
Filed: 09/17/2004
Issued: 07/20/2010
Est. Priority Date: 09/17/2004
Status: Active Grant

First Claim

Patent Images

1. A method carried out using a processor circuit, comprising:

detecting an observable parameter of an encrypted stream of packets, the parameter being observable despite encryption obscuring the contents of the encrypted stream of packets, wherein the observable parameter is observed without decrypting any portion of the stream of packets; and

estimating the type of data within the encrypted stream of packets from the observable parameter, wherein, despite the encryption, the type of data within the encrypted stream of packets may be estimated, wherein the type of data is estimated without decrypting any portion of the stream of packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and products are disclosed for detecting encrypted packet streams. One method notes an observable parameter of an encrypted stream of packets. The parameter is observable despite encryption obscuring the contents of the encrypted stream of packets. The type of data within the encrypted stream of packets is inferred from the observable parameter, wherein, despite the encryption, the type of data within the encrypted stream of packets may be inferred.

Citations

23 Claims

1. A method carried out using a processor circuit, comprising:
- detecting an observable parameter of an encrypted stream of packets, the parameter being observable despite encryption obscuring the contents of the encrypted stream of packets, wherein the observable parameter is observed without decrypting any portion of the stream of packets; and
  
  estimating the type of data within the encrypted stream of packets from the observable parameter, wherein, despite the encryption, the type of data within the encrypted stream of packets may be estimated, wherein the type of data is estimated without decrypting any portion of the stream of packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein detecting the observable parameter comprises at least one of i) measuring a size of an encrypted packet, ii) measuring a timing interval between encrypted packets, and iii) detecting a pattern of packets.
  - 3. A method according to claim 2, further comprising at least one of i) comparing to an expected packet size, ii) comparing to a minimum threshold packet size, iii) comparing to a maximum threshold packet size, and iv) comparing to a threshold range of packet sizes.
  - 4. A method according to claim 3, further comprising at least one of i) if the observable parameter equals the threshold, then estimating the type of data within the encrypted stream of packets;
    - ii) if the observable parameter exceeds the threshold, then estimating the type of data within the encrypted stream of packets; and
      
      iii) if the observable parameter is less than the threshold, then declining to estimate the type of data within the encrypted stream of packets.
  - 5. A method according to claim 2, further comprising at least one of i) comparing to an expected timing interval, ii) comparing to a minimum threshold timing interval, iii) comparing to a maximum threshold timing interval, and iv) comparing to a threshold range of timing intervals.
  - 6. A method according to claim 1, wherein detecting the observable parameter comprises at least one of i) computing an average timing interval within the encrypted stream of packets and ii) computing an average packet size within the encrypted stream of packets.
  - 7. A method according to claim 1, wherein the encrypted stream of packets comprises Voice Over Internet Protocol data, and estimating the type of data within the encrypted stream of packets comprises estimating the Voice Over Internet Protocol data from the observable parameter, wherein, despite the encryption, the Voice Over Internet Protocol data within the encrypted stream of packets may be estimated.
  - 8. A method according to claim 1 wherein the observable parameter is outside the encrypted stream of packets.

9. A system, comprising:
- a communications module stored in a memory device, and a processor communicating with the memory device;
  
  the communications module detecting an observable parameter of an encrypted stream of packets, the parameter being observable despite encryption obscuring the contents of the encrypted stream of packets, wherein the observable parameter is observed without decrypting any portion of the stream of packets, the communications module comparing the observable parameter to a threshold value, and the communications module estimating the type of data within the encrypted stream of packets from the observable parameter, wherein, despite the encryption, the type of data within the encrypted stream of packets may be estimated without decrypting any portion of the stream of packets.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A system according to claim 9, wherein the communications module performs at least one of the following steps:
    - i) measures a size of an encrypted packet, ii) measures a timing interval between encrypted packets, and iii) detects a pattern of packets.
  - 11. A system according to claim 9, wherein the communications module compares the observable parameter to a threshold value.
  - 12. A system according to claim 11, wherein the communications module performs at least one of the following:
    - i) if the observable parameter equals the threshold value, then the communications module estimates the type of data within the encrypted stream of packets;
      
      ii) if the observable parameter exceeds the threshold value, then the communications module estimates the type of data within the encrypted stream of packets; and
      
      iii) if the observable parameter is less than the threshold value, then the communications module declines to estimate the type of data within the encrypted stream of packets.
  - 13. A system according to claim 9, wherein the stream of packets comprises Internet Protocol packets.
  - 14. A system according to claim 9, wherein the communications module performs at least one of the following:
    - i) computes an average timing interval within the encrypted stream of packets;
      
      ii) computes an average packet size within the encrypted stream of packets; and
      
      iii) if the encrypted stream of packets comprises Voice Over Internet Protocol data, then the communications module estimates the Voice Over Internet Protocol data from the observable parameter, wherein, despite the encryption, the Voice Over Internet Protocol data within the encrypted stream of packets may be estimated.
  - 15. A system according to claim 9 wherein the observable parameter is outside the encrypted stream of packets.

16. A computer program product comprising a non-transitory computer readable medium including instructions for performing the steps:
- detecting an observable parameter of an encrypted stream of packets, the parameter being observable despite encryption obscuring the contents of the encrypted stream of packets, wherein the observable parameter is observed without decrypting any portion of the stream of packets; and
  
  estimating the type of data within the encrypted stream of packets from the observable parameter, wherein, despite the encryption, the type of data within the encrypted stream of packets may be estimated, wherein the type of data is estimated without decrypting any portion of the stream of packets.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. A computer program product according to claim 16, wherein the instructions also perform at least one of i) measuring a size of an encrypted packet, ii) measuring a timing interval between encrypted packets, and iii) detecting a pattern of packets.
  - 18. A computer program product according to claim 16, wherein the instructions also perform comparing the observable parameter to a threshold value.
  - 19. A computer program product according to claim 18, wherein the instructions also perform at least one of the steps:
    - i) if the observable parameter equals the threshold value, then estimating the type of data within the encrypted stream of packets;
      
      ii) if the observable parameter exceeds the threshold value, then estimating the type of data within the encrypted stream of packets; and
      
      iii) if the observable parameter is less than the threshold value, then declining to estimate the type of data within the encrypted stream of packets.
  - 20. A computer program product according to claim 16, wherein the stream of packets comprises Internet Protocol packets.
  - 21. A computer program product according to claim 16, wherein the instructions also perform at least one of:
    - i) computing an average timing interval within the encrypted stream of packets and ii) computing an average packet size within the encrypted stream of packets.
  - 22. A computer program product according to claim 16, wherein if the encrypted stream of packets comprises Voice Over Internet Protocol data, then the instructions estimate the Voice Over Internet Protocol data from the observable parameter, wherein, despite the encryption, the Voice Over Internet Protocol data within the encrypted stream of packets may be estimated.
  - 23. A computer program product according to claim 16 wherein the observable parameter is outside the encrypted stream of packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Shrum, Jr., Edgar Vaughan, Aaron, Jeffrey A.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US10/944,229
Publication Number

US 20060064579A1
Time in Patent Office

2,132 Days
Field of Search

713/150, 713/151, 713/153, 713/160, 726/12, 726/13, 380/255
US Class Current

713/160
CPC Class Codes

H04L 63/04 for providing a confidentia...

Detection of encrypted packet streams

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of encrypted packet streams

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links