Examination of connection handshake to enhance classification of encrypted network traffic
First Claim
1. A method facilitating classification of data flows traversing a computer network, comprising:
- detecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified in the exchange of messages;
- examining, using the network device, the messages corresponding to the handshake relative to at least one handshake attribute and examining the digital certificate to identify one or more digital certificate attributes, wherein the one or more digital certificate attributes are contained in the digital certificate; and
- further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one digital certificate attribute of the one or more digital certificate attributes.
12 Assignments
0 Petitions
Accused Products
Abstract
Methods, apparatuses and systems directed to the classification of encrypted network traffic. In one implementation, the present invention facilitates the classification of network traffic that has been encrypted according to a dynamically-created encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols. In one implementation, the present invention observes and analyzes attributes of the handshake between two nodes to enhance the classification of network traffic. In one embodiment, the enhanced classification mechanisms described herein operate seamlessly with other Layer 7 traffic classification mechanisms that operate on attributes of the packets themselves. Implementations of the present invention can be incorporated into a variety of network devices, such as traffic monitoring devices, packet capture devices, firewalls, and bandwidth management devices.
Citations
20 Claims
1. A method facilitating classification of data flows traversing a computer network, comprising:
- detecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified in the exchange of messages;
- examining, using the network device, the messages corresponding to the handshake relative to at least one handshake attribute and examining the digital certificate to identify one or more digital certificate attributes, wherein the one or more digital certificate attributes are contained in the digital certificate; and
- further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one digital certificate attribute of the one or more digital certificate attributes.
Dependent claims: 2, 3, 4
5. A method facilitating classification of data flows traversing a computer network, comprising:
- detecting, at a network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages that establishes an encrypted connection between the first node and the second node, wherein one or more of the messages includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified during the handshake;
- examining, using the network device, the digital certificate to identify one or more handshake attributes, wherein at least one handshake attribute of the one or more handshake attributes is an attribute of the digital certificate, wherein the one or more digital certificate attributes are contained in the digital certificate; and
- further classifying, using the network device, the data flow into a network-application-specific traffic classification based at least in part on at least one handshake attribute in the monitoring step.
Dependent claims: 6
7. An apparatus comprising:
- a packet processor operative to: detect data flows in network traffic traversing a communications path, the data flows each comprising at least one packet; and parse at least one packet associated with a data flow into a flow specification;
- a traffic classification engine operative to: classify the data flow based on an encrypted connection protocol identified during a handshake between a first host and a second host; identify handshake packets of the data flow, wherein one or more of the handshake packets includes a digital certificate; examine the digital certificate for one or more handshake attributes, wherein at least one handshake attribute is an attribute contained in the digital certificate; further classify the data flow by matching the data flow against a plurality of traffic classes, at least one of the traffic classes defined by the attribute of the digital certificate; and, having found a matching traffic class, associate the flow specification corresponding to the data flow with a traffic class from the plurality of traffic classes.
Dependent claims: 8, 9, 10, 11, 12, 13, 14
15. A method facilitating classification of data flows, comprising:
- detecting, at a network device, a data flow in network traffic traversing a communications path, the data flows each comprising at least one packet;
- parsing, using the network device, explicit attributes of at least one packet associated with the data flow into a flow specification;
- detecting, at the network device, a handshake in a data flow between a first node and a second node, wherein the handshake comprises an exchange of messages including information useful to establish an encrypted connection between the first node and the second node, wherein the information includes a digital certificate;
- classifying, using the network device, the data flow based on an encrypted connection protocol identified during the handshake;
- examining, using the network device, the messages corresponding to the handshake to identify the digital certificate;
- examining, using the network device, the digital certificate to identify one or more handshake attributes;
- further classifying, using the network device, the data flow by matching the flow specification against a first plurality of traffic classes, wherein at least one of the first plurality of traffic classes is defined in part by a handshake attribute that is an attribute contained in the digital certificate; and
- having found a matching traffic class, associating the flow specification corresponding to the data flow with a traffic class from the first plurality of traffic classes.
Dependent claims: 16, 17, 18, 19, 20
Specification