Automatic detection of reverse tunnels
First Claim
1. A method of detecting a covert communications channel in a network, comprising:
monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said classifying comprises using one or more tests; and
for each of said packets classified into said first category, probing said packet in real-time, wherein said probing comprises re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel, wherein said re-classifying comprises using one or more additional tests;
wherein said covert communications channel is a reverse tunnel; and
wherein said classifying comprises randomly selecting according to a frequency distribution a subset of the one or more tests to apply to each said respective packet.
1 Assignment
0 Petitions
Abstract
Presently disclosed are methods and apparatus for analyzing packets and packet flows to detect covert communications channels (including reverse tunnels) in real time. These systems actively probe a suspicious connection in ways that are not possible in prior art log-based techniques and may initiate countermeasures against discovered covert channels. The present system may be implemented in a network device, such as an intrusion detection system, content engine, or other intermediary device employing a web cache. Embodiments automatically detect suspicious activity at particular source addresses by using relatively simple tests to detect suspect packets that should receive more extensive scrutiny. After more rigorous secondary testing (optionally including active probing techniques), suspect packets are either returned to the occasionally-checked state or flagged for further action, such as raising an alert or taking automatic countermeasures against the covert channel or its originators.
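The two-stage scheme the abstract and claim 1 describe, as an added example written for this page (not code from the patent or from any product implementing it): stage one draws a random subset of cheap tests per packet according to a frequency distribution, stage two applies additional tests plus an active-probe result, and a suspect packet is either flagged or returned to the occasionally-checked state. The three stage-one tests, the banner check and the `probe` callback are constructed stand-ins; in a real device the callback would inject probe packets and await a reply.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    flow_id: str          # identifies the packet flow (a 5-tuple in practice)
    direction: str        # "out" = inside host -> network, "in" = network -> inside host
    dst_port: int
    payload_len: int
    payload_head: bytes   # first bytes of payload, only examined in stage two

Test = Callable[[Packet], bool]

# Constructed stage-one tests: cheap checks, not the patent's own criteria.
def unusual_outbound_port(p: Packet) -> bool:
    return p.direction == "out" and p.dst_port not in (80, 443)

def tiny_payload(p: Packet) -> bool:
    return p.payload_len < 32

def high_destination_port(p: Packet) -> bool:
    return p.dst_port >= 1024

# Frequency distribution over the stage-one tests (weights sum to 1).
STAGE_ONE: List[Tuple[Test, float]] = [
    (unusual_outbound_port, 0.5), (tiny_payload, 0.3), (high_destination_port, 0.2)]

def select_tests(rng: random.Random, k: int) -> List[Test]:
    """Pick at most k distinct stage-one tests, each drawn by weight (the claim's random subset)."""
    tests, weights = zip(*STAGE_ONE)
    return list(dict.fromkeys(rng.choices(tests, weights=weights, k=k)))

def stage_two(p: Packet, probe: Callable[[Packet], bool]) -> bool:
    """Costlier tests on an already-suspect packet: a constructed content check plus the probe result."""
    server_banner_from_client = p.direction == "out" and p.payload_head.startswith(b"SSH-")
    return server_banner_from_client or probe(p)

class Detector:
    """Stage one -> 'suspect' or 'normal'; stage two -> 'flagged' or back to 'normal'."""
    def __init__(self, probe: Callable[[Packet], bool], seed: int = 0, tests_per_packet: int = 2):
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.probe = probe               # stands in for injecting probe packets and awaiting a reply
        self.k = tests_per_packet
        self.flows: Dict[str, str] = {}  # flow_id -> last category assigned

    def classify(self, p: Packet) -> str:
        suspect = any(t(p) for t in select_tests(self.rng, self.k))
        cat = ("flagged" if stage_two(p, self.probe) else "normal") if suspect else "normal"
        self.flows[p.flow_id] = cat
        return cat
```

Because stage one samples tests, a packet that trips only one of the cheap tests may pass unexamined on a given observation; the sampling trades per-packet cost for detection latency, which is why the expensive checks are reserved for stage two.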
38 Citations
52 Claims
1. A method of detecting a covert communications channel in a network (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 45, 49, 50, 51, 52.

12. An apparatus for monitoring a network, comprising:
a first classifier configured to monitor a plurality of packets from said network, each packet belonging to a packet flow having a flow identifier; and
a first data store operably connected to said first classifier, said first data store comprising one or more first classification criteria, wherein said first classifier compares each packet in said plurality of packets to at least one of said first classification criteria to determine a first classification for each said corresponding packet, said first classification determining one or more selected packets;
a second classifier configured to receive said selected packets from said first classifier; and
a second data store operably connected to said second classifier, said second data store comprising one or more second classification criteria, wherein said second classifier compares each said selected packet to at least one of said second classification criteria to determine a revised classification for each said selected packet, said revised classification determining one or more marked packets;
a probing subsystem configured to receive said selected packets from said first classifier; and
a third data store operably connected to said probing subsystem, said third data store comprising one or more predetermined probe vectors, wherein said probing subsystem injects packets into said network in response to each said selected packet from said first classifier and waits for a response from said network, and wherein said response or lack thereof is also used by said second classifier to determine said revised classification; and
wherein said covert communications channel is a reverse tunnel; and
wherein said first classifier, when comparing each packet in said plurality of packets to the at least one of said first classification criteria to determine the first classification for each said corresponding packet, is configured to randomly select, according to a frequency distribution, a subset of said first classification criteria to apply to each said respective packet.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 46.

23. An apparatus for detecting a covert communications channel in a network, comprising:
means for monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
means for classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said means for classifying comprises means for using one or more tests; and
means for probing each of said packets classified into said first category in real-time, wherein said means for probing comprises means for re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel, wherein said means for re-classifying comprises means for using one or more additional tests; and
wherein said covert communications channel is a reverse tunnel; and
wherein said means for using one or more tests comprises means for randomly selecting, according to a frequency distribution, a subset of the one or more tests to apply to each said respective packet.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 47.

34. A non-transitory computer-readable medium storing a computer program executable by a plurality of server computers, the computer program comprising computer instructions, which, when carried out by a server computer of the plurality of server computers, cause the server computer to perform the operations of:
monitoring in real-time a plurality of packets in said network, each said packet belonging to a packet flow having a flow identifier;
classifying each said packet into a first category if said packet meets a first criterion indicative of the presence of said covert communications channel and into a second category otherwise, wherein said classifying comprises using one or more tests; and
for each of said packets classified into said first category, probing said packet in real-time, wherein said probing comprises re-classifying each said packet into a third category if said packet meets a second criterion indicative of said covert communications channel, wherein said re-classifying comprises using one or more additional tests; and
wherein said covert communications channel is a reverse tunnel; and
wherein said classifying comprises randomly selecting according to a frequency distribution a subset of the one or more tests to apply to each said respective packet.
Dependent claims: 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 48.