Blocking unidentified encrypted communication sessions
First Claim

1. A method comprising:

- receiving a network packet;
- determining whether the packet represents a key exchange, identifying a key exchange for a communication session for the packet, making a record of the key exchange for the communication session after identifying the key exchange;
- using an application-layer header of the packet, determining whether the packet is associated with an identifiable network application;
- when the packet is not determined to be associated with an identifiable network application, determining whether data in the packet is encrypted by calculating a randomness value of the packet from a payload of the packet that includes the application-layer header and an application-layer payload, and determining that the packet is encrypted when the randomness value exceeds a randomness threshold; and
- when the data in the packet is determined to be encrypted, executing a programmed response, wherein executing a programmed response comprises:
  - determining whether a key exchange has been recorded for the communication session associated with the packet; and
  - when a key exchange has not been recorded, dropping the packet, and when a key exchange has been recorded, forwarding the packet.
Abstract
Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack. The encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted; when the message indicates that the packet is encrypted, the attack detection module determines that the packet is associated with a network attack.
79 Citations
17 Claims
1. A method comprising: the steps set out in full under First Claim above.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A network device comprising:

- an interface to receive a packet;
- an application identification module to attempt to identify an application associated with the packet;
- an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet; and
- an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack,
- wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that the packet is encrypted, the attack detection module determines that the packet is associated with a network attack,
- wherein the attack detection module determines whether the packet represents a key exchange, records whether a key exchange has been detected for a communication session, and, when a key exchange has not been detected for a communication session associated with the packet and the encryption detection module has determined that the packet is encrypted, drops the packet, and when a key exchange has been detected for the communication session associated with the packet and the encryption detection module has determined that the packet is encrypted, forwards the packet.

Dependent claims: 13, 14.
15. A non-transitory computer-readable medium comprising instructions that cause a programmable processor to:

- receive a network packet;
- determine whether the packet represents a key exchange, identify a key exchange for a communication session for the packet, make a record of the key exchange for the communication session after identifying the key exchange;
- determine whether the packet is associated with a network application using an application-layer header of the packet;
- determine whether data in the packet is encrypted, when the packet is not determined to be associated with an identifiable network application, by calculating a randomness value of the packet from a payload of the packet that includes the application-layer header and an application-layer payload and determining that the packet is encrypted when the randomness value exceeds a randomness threshold; and
- when the data in the packet is determined to be encrypted, execute a response, and when the data in the packet is determined not to be encrypted, forward the packet, wherein the response comprises:
  - determining, when the data in the packet is determined to be encrypted, whether a key exchange has been recorded for the communication session associated with the packet; and
  - when a key exchange has not been recorded, dropping the packet, and when a key exchange has been recorded, forwarding the packet.

Dependent claims: 16, 17.
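The three independent claims describe one decision procedure: record any key exchange seen on a session, try to identify the application from its header, and only for unidentified traffic measure payload randomness and drop packets that look encrypted on a session with no recorded key exchange. The following Python is an added illustration of that procedure written for this page; it is not code from the patent or its assignee. It assumes Shannon entropy in bits per byte as the randomness value, a TLS handshake record (content type 0x16, handshake type ClientHello or ServerHello) as the recorded key exchange, a few literal header prefixes as the application identifier, a 7.0 bits/byte threshold and a 64-byte minimum sample length; the packets, addresses and payloads are constructed for the demonstration.

```python
"""Decision logic of an 'unidentified encrypted session' filter.

Added example modelled on the claims on this page; all thresholds,
header patterns and sample packets below are assumptions/constructed.
"""
from collections import Counter
from dataclasses import dataclass
import hashlib
import math
from typing import List, Optional, Set, Tuple

RANDOMNESS_THRESHOLD = 7.0   # bits per byte; assumed, not from the claims
MIN_SAMPLE_LEN = 64          # assumed: entropy of a few bytes is meaningless

# Assumed header prefixes for the "identifiable network application" step.
APP_SIGNATURES = {
    "http": (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/"),
    "ssh": (b"SSH-",),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # application-layer header + application-layer payload


def session_id(pkt: Packet) -> Tuple:
    """Direction-independent key so a handshake seen client->server
    also covers the server->client data packets of the same session."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return tuple(ends)


def randomness_value(payload: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 .. 8.0 bits/byte."""
    if not payload:
        return 0.0
    n = len(payload)
    counts = Counter(payload)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_tls_handshake(payload: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03xx, then handshake
    type 0x01 ClientHello or 0x02 ServerHello at offset 5."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] in (0x01, 0x02))


def identify_application(payload: bytes) -> Optional[str]:
    for app, prefixes in APP_SIGNATURES.items():
        if payload.startswith(prefixes):
            return app
    return None


def process_packet(pkt: Packet, key_exchange_seen: Set[Tuple],
                   threshold: float = RANDOMNESS_THRESHOLD) -> str:
    """Return 'forward' or 'drop' following the claimed method."""
    sid = session_id(pkt)
    if is_tls_handshake(pkt.payload):          # make a record of the key exchange
        key_exchange_seen.add(sid)
    if identify_application(pkt.payload) is not None:
        return "forward"                        # identified application: no entropy test
    encrypted = (len(pkt.payload) >= MIN_SAMPLE_LEN
                 and randomness_value(pkt.payload) > threshold)
    if not encrypted:
        return "forward"                        # unidentified but not encrypted
    # programmed response: encrypted data is only allowed on a session
    # whose key exchange was observed
    return "forward" if sid in key_exchange_seen else "drop"


# --- constructed sample traffic ------------------------------------------
# Deterministic stand-in for ciphertext: 4096 bytes from a SHA-256 chain.
CIPHERTEXT_LIKE = b"".join(
    hashlib.sha256(b"constructed-seed" + i.to_bytes(4, "big")).digest()
    for i in range(128))
# Minimal TLS ClientHello-shaped record (header bytes only; constructed).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

SAMPLES: List[Tuple[str, Packet]] = [
    ("http-request", Packet("10.0.0.5", 51000, "203.0.113.10", 80,
                            b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    ("unknown-plaintext", Packet("10.0.0.5", 51001, "203.0.113.20", 7777,
                                 b"STATUS ok; load=0.42; uptime=3600\n" * 4)),
    ("opaque-no-handshake", Packet("10.0.0.5", 51002, "203.0.113.30", 8443,
                                   CIPHERTEXT_LIKE)),
    ("tls-client-hello", Packet("10.0.0.5", 51003, "203.0.113.40", 443,
                                TLS_CLIENT_HELLO)),
    # reverse direction of the session above: server -> client data
    ("opaque-after-handshake", Packet("203.0.113.40", 443, "10.0.0.5", 51003,
                                      CIPHERTEXT_LIKE)),
]


def run_demo() -> List[Tuple[str, str]]:
    """Feed the constructed packets through one shared session table."""
    seen: Set[Tuple] = set()
    return [(label, process_packet(pkt, seen)) for label, pkt in SAMPLES]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:24s} -> {decision}")
```

Two points the claims leave implicit matter in practice. The randomness test cannot tell ciphertext from compressed or already-random data (images, archives, random tokens), so an unidentified compressed transfer on a session with no observed handshake is dropped just as an encrypted one would be; that false-positive class is why the application-identification step runs first. And the session record must survive for the life of the session and cover both directions, otherwise the server's encrypted replies are dropped even though the client's handshake was seen.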