Detecting secure or encrypted tunneling in a computer network
First Claim
1. A computer assisted method for detecting encrypted tunneling comprising:
  electronically receiving information from a proxy server;
  extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
  determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
  attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination; and
  for each of the at least one destination,
    determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority;
    determining whether the destination is hosting an encrypted tunneling application, wherein the determining is based on characteristics of the SSL certificate;
    in response to a determination that it is unable to be determined whether the destination is hosting an encrypted tunneling application based on characteristics of the SSL certificate, determining whether the destination is hosting an encrypted tunneling application based on characteristics of a response received from the destination over a transmission control protocol/Internet protocol (TCP/IP) connection; and
    generating a security alert in response to a determination that the destination is hosting an encrypted tunneling application.
Abstract
Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance. The method may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds, and attempting to negotiate a standard HTTPS session with each of the at least one destination. The method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determination may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or of a response received from the destination over a TCP/IP connection.
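The detection flow that the abstract and claim 1 describe (proxy log in, CONNECT destinations out, certificate check first, raw TCP response as the fallback, alert on a positive determination), as an added Python example that is not part of the patent or its assignee's code. The live HTTPS negotiation is replaced by a dict of pre-recorded probe results so the block runs offline; the log lines, hostnames, certificate fields and the specific certificate and banner heuristics are assumptions chosen for illustration, since the patent text names no particular certificate or response characteristics.

```python
"""Added example: the CONNECT-log-to-alert pipeline described above.

Not the patent's or its assignee's code. The proxy log lines, hostnames,
certificate fields and the heuristics below are constructed assumptions;
the live HTTPS negotiation is replaced by a dict of pre-recorded probe results.
"""
import re

# Constructed Squid-style access-log excerpt; only CONNECT requests matter here.
SAMPLE_PROXY_LOG = """\
1718000001.123    120 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1718000002.456     80 10.0.0.7 TCP_TUNNEL/200 98765 CONNECT tunnel.example.net:443 - HIER_DIRECT/203.0.113.9 -
1718000003.789     60 10.0.0.9 TCP_TUNNEL/200 3300 CONNECT 198.51.100.20:8443 - HIER_DIRECT/198.51.100.20 -
1718000004.000     10 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

CONNECT_RE = re.compile(r"\bCONNECT\s+(?P<host>[^\s:/]+):(?P<port>\d{1,5})\b")


def extract_connect_destinations(log_lines):
    """Steps 1-3 of claim 1: parse proxy records and collect (host, port) per CONNECT."""
    destinations = set()
    for line in log_lines:
        match = CONNECT_RE.search(line)
        if match:
            destinations.add((match.group("host"), int(match.group("port"))))
    return destinations


def classify_certificate(host, cert):
    """Certificate-based determination. Returns (verdict, reason) with verdict in
    {"tunnel", "benign", "undetermined"}. Both rules are illustrative assumptions,
    not characteristics named by the patent."""
    if cert is None:
        return "undetermined", "destination presented no certificate"
    self_signed = cert["issuer"] == cert["subject"]
    names = set(cert.get("san", [])) | {cert["subject"].get("CN", "")}
    if cert["trusted_issuer"] and host in names:
        return "benign", "trusted CA certificate covering the requested host"
    if not cert["trusted_issuer"] and self_signed and host not in names:
        return "tunnel", "self-signed certificate whose names do not cover the requested host"
    return "undetermined", "certificate characteristics inconclusive"


def classify_tcp_response(response):
    """Fallback determination from the raw bytes returned over TCP after our ClientHello.
    Byte patterns: RFC 4253 SSH identification string 'SSH-'; TLS record header
    0x16 (handshake) 0x03 (SSLv3/TLS major version). Treating any other plaintext
    as a tunnel is an assumed heuristic and should be tuned per environment."""
    if response.startswith(b"SSH-"):
        return "tunnel", "SSH banner on a CONNECT destination port"
    if len(response) >= 2 and response[0] == 0x16 and response[1] == 0x03:
        return "undetermined", "TLS record seen, nothing further learned"
    if response:
        return "tunnel", "non-TLS plaintext answer to a TLS ClientHello"
    return "undetermined", "no response"


def assess_destination(host, probe):
    """Claim 1 ordering: certificate first, TCP response only if the cert is inconclusive."""
    verdict, reason = classify_certificate(host, probe.get("cert"))
    if verdict == "undetermined":
        verdict, reason = classify_tcp_response(probe.get("tcp_response", b""))
    return verdict, reason


def detect_tunnels(log_lines, probe_results):
    """Return one alert dict per destination judged to host an encrypted tunneling app."""
    alerts = []
    for host, port in sorted(extract_connect_destinations(log_lines)):
        verdict, reason = assess_destination(host, probe_results.get((host, port), {}))
        if verdict == "tunnel":
            alerts.append({"destination": f"{host}:{port}", "reason": reason})
    return alerts


# Constructed stand-ins for what "attempting to negotiate a standard HTTPS session"
# would have returned. A real run would gather these with ssl.get_server_certificate
# or a raw socket; that collection step is out of scope for this example.
def _cert(subject, issuer, san, trusted):
    return {"subject": subject, "issuer": issuer, "san": san, "trusted_issuer": trusted}


SAMPLE_PROBES = {
    ("www.example.com", 443): {
        "cert": _cert({"CN": "www.example.com"}, {"CN": "Example Public CA"},
                      ["www.example.com", "example.com"], True),
        "tcp_response": b"\x16\x03\x03",
    },
    ("tunnel.example.net", 443): {
        "cert": _cert({"CN": "localhost"}, {"CN": "localhost"}, [], False),
        "tcp_response": b"\x16\x03\x03",
    },
    ("198.51.100.20", 8443): {
        "cert": None,  # handshake failed: the destination is not a TLS server
        "tcp_response": b"SSH-2.0-OpenSSH_9.6\r\n",
    },
}

if __name__ == "__main__":
    for alert in detect_tunnels(SAMPLE_PROXY_LOG.splitlines(), SAMPLE_PROBES):
        print(f"ALERT {alert['destination']}: {alert['reason']}")
```

On the constructed input this alerts on tunnel.example.net:443 (self-signed certificate not covering the requested name) and 198.51.100.20:8443 (SSH banner where a TLS server was expected), and stays quiet on www.example.com:443. The certificate check runs before the TCP fallback because a valid certificate from a trusted CA for the requested host is cheap to verify and resolves most destinations without a second probe; the plaintext-means-tunnel rule is the one most likely to need tuning against misconfigured but legitimate servers.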
17 Claims
1. Independent method claim, reproduced in full above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. An encrypted tunneling detecting apparatus comprising:
  at least one processor; and
  at least one memory storing computer executable instructions that cause the at least one processor to perform a method for detecting encrypted tunneling comprising:
    electronically receiving information from a proxy server;
    extracting information regarding a CONNECT function of Hypertext Transfer Protocol (HTTP) from the electronically received information;
    determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
    attempting to negotiate a standard Hypertext Transfer Protocol Secure (HTTPS) session with each of the at least one destination; and
    for each of the at least one destination,
      determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority,
      determining whether the destination is hosting an encrypted tunneling application, wherein the determining is based on characteristics of the SSL certificate or a response received from the destination over a Transmission Control Protocol/Internet Protocol (TCP/IP) connection;
      in response to a determination that it is unable to be determined whether the destination is hosting an encrypted tunneling application based on characteristics of the SSL certificate, determining whether the destination is hosting an encrypted tunneling application based on characteristics of a response received from the destination over a TCP/IP connection; and
      generating a security alert in response to a determination that the destination is hosting an encrypted tunneling application.
Dependent claims: 13, 14, 15, 16, 17.