Automatic detection of reverse tunnels

US 8,151,348 B1
Filed: 06/30/2004
Issued: 04/03/2012
Est. Priority Date: 06/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a covert communications channel in a network, comprising:

monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;

classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said classifying comprises using one or more tests; and

for each of said packets classified into said first category, probing said packet in real-time, wherein said probing comprises re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel,wherein said re-classifying comprises using one or more additional tests;

wherein said covert communications channel is a reverse tunnel; and

wherein said classifying comprises randomly selecting according to a frequency distribution a subset of the one or more tests to apply to each said respective packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Presently disclosed are methods and apparatus for analyzing packets and packet flows to detect covert communications channels (including reverse tunnels) in real time. These systems actively probe a suspicious connection in ways that are not possible in prior art log-based techniques and may initiate countermeasures against discovered covert channels. The present system may be implemented in a network device, such as an intrusion detection system, content engine, or other intermediary device employing a web cache. Embodiments automatically detect suspicious activity at particular source addresses by using relatively simple tests to detect suspect packets that should receive more extensive scrutiny. After more rigorous secondary testing (optionally including active probing techniques), suspect packets are either returned to the occasionally-checked state or flagged for further action, such as raising an alert or taking automatic countermeasures against the covert channel or its originators.

38 Citations

View as Search Results

52 Claims

1. A method of detecting a covert communications channel in a network, comprising:
- monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
  
  classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said classifying comprises using one or more tests; and
  
  for each of said packets classified into said first category, probing said packet in real-time, wherein said probing comprises re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel,wherein said re-classifying comprises using one or more additional tests;
  
  wherein said covert communications channel is a reverse tunnel; and
  
  wherein said classifying comprises randomly selecting according to a frequency distribution a subset of the one or more tests to apply to each said respective packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 45, 49, 50, 51, 52)
- - 2. The method of claim 1, wherein said classifying employs said flow identifier.
  - 3. The method of claim 1, wherein said classifying further comprises using said classifying of prior packets in said packet flow to classify each said packet into said first category.
  - 4. The method of claim 1, wherein said probing employs said flow identifier.
  - 5. The method of claim 1, wherein said re-classifying employs said flow identifier.
  - 6. The method of claim 1, wherein at least one of said tests comprises determining whether the packet represents a connection open longer that a predetermined amount of time.
  - 7. The method of claim 1, wherein at least one of said tests comprises determining whether the packet represents a connection that has uploaded more bits by an amount that is greater than a predetermined threshold from a client to a server than from said server to said client.
  - 8. The method of claim 1, wherein at least one of said tests comprises determining if the packet represents a connection that was opened with data that includes predetermined data signatures.
  - 9. The method of claim 1, wherein at least one of said tests comprises determining whether the packet represents a connection related to previous connections from a client that were opened at regular intervals.
  - 10. The method of claim 1, wherein said probing comprises modifying the timing of said packets in said packet flow using one or more probe vectors.
  - 11. The method of claim 1, further comprising, for each of said packets classified into said third category, performing countermeasures against the covert communications channel.
  - 45. The method of claim 1, wherein said probing comprises:
    - sending a probing packet to a source of said packet flow for each said packet in a first category;
      
      receiving a responsive packet from said source, wherein said responsive packet is sent in response to said probing packet; and
      
      categorizing said responsive packet into said third category if said responsive packet meets said second criterion indicative of said covert communications channel, wherein said categorizing said responsive packet comprises using one or more additional tests.
  - 49. The method of claim 1, wherein for each said packet classified into said first category, said probing is performed after said classifying.
  - 50. The method of claim 1, wherein said classifying utilizes less overhead than said probing.
  - 51. The method of claim 1, wherein said probing each said packet includes tracing said packet flow of said packet.
  - 52. The method of claim 1, wherein said probing each said packet includes delivering a fake password file and determining if an attempted login using data from the fake password file follows.

12. An apparatus for monitoring a network, comprising:
- a first classifier configured to monitor a plurality of packets from said network, each packet belonging to a packet flow having a flow identifier; and
  
  a first data store operably connected to said first classifier, said first data store comprising one or more first classification criteria,wherein said first classifier compares each packet in said plurality of packets to at least one of said first classification criteria to determine a first classification for each said corresponding packet, said first classification determining one or more selected packets;
  
  a second classifier configured to receive said selected packets from said first classifier; and
  
  a second data store operably connected to said second classifier, said second data store comprising one or more second classification criteria,wherein said second classifier compares each said selected packet to at least one of said second classification criteria to determine a revised classification for each said selected packet, said revised classification determining one or more marked packets;
  
  a probing subsystem configured to receive said selected packets from said first classifier; and
  
  a third data store operably connected to said probing subsystem, said third data store comprising one or more predetermined probe vectors,wherein said probing subsystem injects packets into said network in response to each said selected packet from said first classifier and waits for a response from said network, and wherein said response or lack thereof is also used by said second classifier to determine said revised classification; and
  
  wherein said covert communications channel is a reverse tunnel; and
  
  wherein said first classifier, when comparing each packet in said plurality of packets to the at least one of said first classification criteria to determine the first classification for each said corresponding packet, is configured to randomly select, according to a frequency distribution, a subset of said first classification criteria to apply to each said respective packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 46)
- - 13. The apparatus of claim 12, wherein said first classification criteria employs said flow identifier.
  - 14. The apparatus of claim 12, wherein said first classifier employs said first classification of prior packets in said packet flow to determine said first classification for each said corresponding packet.
  - 15. The apparatus of claim 12, wherein said probing subsystem employs said flow identifier.
  - 16. The apparatus of claim 12, wherein said second classification criteria employs said flow identifier.
  - 17. The apparatus of claim 12, wherein said first criteria comprises whether the packet represents a connection open longer that a predetermined amount of time.
  - 18. The apparatus of claim 12, wherein said first criteria comprises whether the packet represents a connection that has uploaded more bits by an amount that is greater than a predetermined threshold from a client to a server than from said server to said client.
  - 19. The apparatus of claim 12, wherein said first criteria comprises whether the packet represents a connection that was opened with data that includes predetermined data signatures.
  - 20. The apparatus of claim 12, wherein said first criteria comprises whether the packet represents a connection related to previous connections from a client that were opened at regular intervals.
  - 21. The apparatus of claim 12, wherein said probing subsystem comprises means for modifying the timing of said packets in said packet flow using said one or more probe vectors.
  - 22. The apparatus of claim 12, further comprising a countermeasures subsystem configured to receive said marked packets from said second classifier and to perform countermeasures against said covert communications channel.
  - 46. The apparatus of claim 12, wherein said probing comprises:
    - sending a probing packet to a source of said packet flow for each said packet in a first category;
      
      receiving a responsive packet from said source, wherein said responsive packet is sent in response to said probing packet; and
      
      categorizing said responsive packet into said third category if said responsive packet meets said second criterion indicative of said covert communications channel, wherein said categorizing said responsive packet comprises using one or more additional tests.

23. An apparatus for detecting a covert communications channel in a network, comprising:
- means for monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
  
  means for classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said means for classifying comprises means for using one or more tests; and
  
  means for probing each of said packets classified into said first category in real-time, wherein said means for probing comprises means for re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel,wherein said means for re-classifying comprises means for using one or more additional tests; and
  
  wherein said covert communications channel is a reverse tunnel; and
  
  wherein said means for using one or more tests comprises means for randomly selecting, according to a frequency distribution, a subset of the one or more tests to apply to each said respective packet.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 47)
- - 24. The apparatus of claim 23, wherein said means for classifying employs said flow identifier.
  - 25. The apparatus of claim 23, wherein said means for classifying further comprises means for using said classifying of prior packets in said packet flow to classify each said packet into said first category.
  - 26. The apparatus of claim 23, wherein said means for probing employs said flow identifier.
  - 27. The apparatus of claim 23, wherein said means for re-classifying employs said flow identifier.
  - 28. The apparatus of claim 23, wherein at least one of said tests comprises determining whether the packet represents a connection open longer that a predetermined amount of time.
  - 29. The apparatus of claim 23, wherein at least one of said tests comprises determining whether the packet represents a connection that has uploaded more bits by an amount that is greater than a predetermined threshold from a client to a server than from said server to said client.
  - 30. The apparatus of claim 23, wherein at least one of said tests comprises determining if the packet represents a connection that was opened with data that includes predetermined data signatures.
  - 31. The apparatus of claim 23, wherein at least one of said tests comprises determining whether the packet represents a connection related to previous connections from a client that were opened at regular intervals.
  - 32. The apparatus of claim 23, wherein said means for probing comprises modifying the timing of said packets in said packet flow using one or more probe vectors.
  - 33. The apparatus of claim 23, further comprising means for performing countermeasures for each of said packets classified into said third category against the covert communications channel.
  - 47. The apparatus of claim 23, wherein said means for probing comprises:
    - means for sending a probing packet to a source of said packet flow for each said packet in a first category;
      
      means for receiving a responsive packet from said source, wherein said responsive packet is sent in response to said probing packet; and
      
      means for categorizing said responsive packet into said third category if said responsive packet meets said second criterion indicative of said covert communications channel, wherein said means for categorizing said responsive packet comprises means for using one or more additional tests.

34. A non-transitory computer-readable medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions, which, when carried out by a server computer of the plurality of server computers, cause the server computer to perform the operations of:
- monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
  
  classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said classifying comprises using one or more tests; and
  
  for each of said packets classified into said first category, probing said packet in real-time, wherein said probing comprises re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel,wherein said re-classifying comprises using one or more additional tests; and
  
  wherein said covert communications channel is a reverse tunnel; and
  
  wherein said classifying comprises randomly selecting according to a frequency distribution a subset of the one or more tests to apply to each said respective packet.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 48)
- - 35. The computer-readable medium of claim 34, wherein said computer instructions for classifying employ said flow identifier.
  - 36. The computer-readable medium of claim 34, wherein said computer instructions for classifying further comprise computer instructions for using said classifying of prior packets in said packet flow to classify each said packet into said first category.
  - 37. The computer-readable medium of claim 34, wherein said computer instructions for probing employ said flow identifier.
  - 38. The computer-readable medium of claim 34, wherein said computer instructions for re-classifying employ said flow identifier.
  - 39. The computer-readable medium of claim 34, wherein at least one of said tests comprises determining whether the packet represents a connection open longer that a predetermined amount of time.
  - 40. The computer-readable medium of claim 34, wherein at least one of said tests comprises determining whether the packet represents a connection that has uploaded more bits by an amount that is greater than a predetermined threshold from a client to a server than from said server to said client.
  - 41. The computer-readable medium of claim 34, wherein at least one of said tests comprises determining if the packet represents a connection that was opened with data that includes predetermined data signatures.
  - 42. The computer-readable medium of claim 34, wherein at least one of said tests comprises determining whether the packet represents a connection related to previous connections from a client that were opened at regular intervals.
  - 43. The computer-readable medium of claim 34, wherein said computer instructions for probing comprise computer instructions for modifying the timing of said packets in said packet flow using one or more probe vectors.
  - 44. The computer-readable medium of claim 34, further comprising, for each of said packets classified into said third category, computer instructions for performing countermeasures against the covert communications channel.
  - 48. The computer-readable medium of claim 34, wherein said computer instructions for probing comprises:
    - computer instructions for sending a probing packet to a source of said packet flow for each said packet in a first category;
      
      computer instructions for receiving a responsive packet from said source, wherein said responsive packet is sent in response to said probing packet; and
      
      computer instructions for categorizing said responsive packet into said third category if said responsive packet meets said second criterion indicative of said covert communications channel, wherein said computer instructions for categorizing said responsive packet comprises computer instructions for using one or more additional tests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Day, Mark Stuart
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/881,613
Time in Patent Office

2,834 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

Automatic detection of reverse tunnels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic detection of reverse tunnels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links