Examination of connection handshake to enhance classification of encrypted network traffic

US 7,778,194 B1
Filed: 08/13/2004
Issued: 08/17/2010
Est. Priority Date: 08/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method facilitating classification of data flows traversing a computer network, comprisingdetecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;

classifying, using the network device, the data flow based on an encrypted connection protocol identified in the exchange of messages;

examining, using the network device, the messages corresponding to the handshake relative to at least one handshake attribute and examining the digital certificate to identify one or more digital certificate attributes, wherein the one or more digital certificate attributes are contained in the digital certificate; and

further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one digital certificate attribute of the one or more digital certificate attributes.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems directed to the classification of encrypted network traffic. In one implementation, the present invention facilitates the classification of network traffic that has been encrypted according to a dynamically-created encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols. In one implementation, the present invention observes and analyzes attributes of the handshake between two nodes to enhance the classification of network traffic. In one embodiment, the enhanced classification mechanisms described herein operate seamlessly with other Layer 7 traffic classification mechanisms that operate on attributes of the packets themselves. Implementations of the present invention can be incorporated into a variety of network devices, such as traffic monitoring devices, packet capture devices, firewalls, and bandwidth management devices.

Citations

20 Claims

1. A method facilitating classification of data flows traversing a computer network, comprisingdetecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified in the exchange of messages;
  
  examining, using the network device, the messages corresponding to the handshake relative to at least one handshake attribute and examining the digital certificate to identify one or more digital certificate attributes, wherein the one or more digital certificate attributes are contained in the digital certificate; and
  
  further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one digital certificate attribute of the one or more digital certificate attributes.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the digital certificate comprises a common name;
    - and wherein the digital certificate attribute comprises the common name of the digital certificate.
  - 3. The method of claim 1 wherein the handshake is a SSL protocol handshake.
  - 4. The method of claim 1 wherein the handshake is a TLS protocol handshake.

5. A method facilitating classification of data flows traversing a computer network, comprisingdetecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages that establishes an encrypted connection between the first node and the second node, wherein one or more of the messages includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified during the handshake;
  
  examining, using the network device, the digital certificate to identify one or more handshake attributes, wherein at least one handshake attribute of the one or more handshake attributes is an attribute of the digital certificate, wherein the one or more digital certificate attributes are contained in the digital certificate; and
  
  further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one handshake attribute in the monitoring step.
- View Dependent Claims (6)
- - 6. The method of claim 5 wherein the classifying step comprisesmatching the data flow to a traffic class from a plurality of traffic classes, wherein at least one traffic class in the plurality of traffic classes is defined at least in part by a handshake attribute.

7. An apparatus comprisinga packet processor operative todetect data flows in network traffic traversing a communications path, the data flows each comprising at least one packet;
- parse at least one packet associated with a data flow into a flow specification, a traffic classification engine operative toclassify the data flow based on an encrypted connection protocol identified during a handshake between a first host and a second host;
  
  identify handshake packets of the data flow, wherein one or more of the handshake packets includes a digital certificate; and
  
  examine the digital certificate for one or more handshake attributes, wherein at least one handshake attribute is an attribute contained in the digital certificate;
  
  further classify the data flow by matching the data flow against a plurality of traffic classes, at least one of the traffic classes defined by the attribute of the digital certificate;
  
  having found a matching traffic class, associate the flow specification corresponding to the data flow with a traffic class from the plurality of traffic classes.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The apparatus of claim 7 wherein at least one of the plurality of traffic classes is defined by one or more matching attributes, wherein said matching attributes are explicitly presented in the packets associated with the data flows.
  - 9. The apparatus of claim 8 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, a digital certificate common name, and a pointer to an application-specific attribute.
  - 10. The apparatus of claim 7 wherein said flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, a digital certificate common name, and a pointer to an application-specific attribute.
  - 11. The apparatus of claim 7 further comprisinga flow control module operative to apply bandwidth utilization controls to the data flows based on the traffic class associated with the data flows.
  - 12. The apparatus of claim 7 wherein the digital certificate comprises a common name;
    - and wherein the handshake attribute comprises the common name of the digital certificate.
  - 13. The apparatus of claim 7 wherein the handshake packets are formatted according to the SSL protocol.
  - 14. The apparatus of claim 7 wherein the handshake packets are formatted according to the TLS protocol.

15. A method facilitating classification of data flows, comprisingdetecting, at a network device, a data flow in network traffic traversing a communications path, the data flows each comprising at least one packet;
- parsing, using the network device, explicit attributes at least one packet associated with the data flow into a flow specification,detecting, at the network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;
  
  classifying, using the network device, the data flow based on an encrypted connection protocol identified during the handshake;
  
  examining, using the network device, the messages corresponding to the handshake to identify the digital certificate;
  
  examining, using the network device, the digital certificate to identify one or more handshake attributes;
  
  further classifying, using the network device, the data flow by matching the flow specification against a first plurality of traffic classes, wherein at least one of the first plurality of traffic classes is defined in part by a handshake attribute that is an attribute contained in the digital certificate,having found a matching traffic class, associating the flow specification corresponding to the data flow with a traffic class from the first plurality of traffic classes.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 wherein the flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.
  - 17. The method of claim 15 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.
  - 18. The method of claim 15 wherein the digital certificate comprises a common name;
    - and wherein the handshake attribute comprises the common name of the digital certificate.
  - 19. The method of claim 15 wherein the handshake is a SSL protocol handshake.
  - 20. The method of claim 15 wherein the handshake is a TLS protocol handshake.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Yung, Weng-Chin
Primary Examiner(s)
Chou; Albert T

Application Number

US10/917,952
Time in Patent Office

2,195 Days
Field of Search

370/235, 370/252, 713/201, 709/224, 709/223
US Class Current

370/252
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0896   Bandwidth or capacity manag...

H04L 43/00   Arrangements for monitoring...

H04L 43/026   using flow identification

H04L 43/0894   Packet rate

H04L 47/10   Flow control; Congestion co...

H04L 47/2441   relying on flow classificat...

H04L 47/2475   for supporting traffic char...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

Examination of connection handshake to enhance classification of encrypted network traffic

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Examination of connection handshake to enhance classification of encrypted network traffic

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links