Encrypted network traffic interception and inspection

US 8,578,486 B2
Filed: 06/18/2010
Issued: 11/05/2013
Est. Priority Date: 06/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computer comprising at least one processor, the method comprising:

with the at least one processor;

intercepting a request from an application to encrypt unencrypted data by an encryption component;

acquiring encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request;

providing the encrypted data to a data inspection facility; and

forwarding the unencrypted data and an identifier of the encrypted data to the data inspection facility, wherein the data inspection facility establishes a correspondence between the encrypted data and the unencrypted data using the identifier of the encrypted data, wherein the data inspection facility determines whether to allow transmission of the provided encrypted data over a network based on an inspection of the corresponding unencrypted data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.

238 Citations

30 Claims

1. A method of operating a computer comprising at least one processor, the method comprising:
- with the at least one processor;
  
  intercepting a request from an application to encrypt unencrypted data by an encryption component;
  
  acquiring encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request;
  
  providing the encrypted data to a data inspection facility; and
  
  forwarding the unencrypted data and an identifier of the encrypted data to the data inspection facility, wherein the data inspection facility establishes a correspondence between the encrypted data and the unencrypted data using the identifier of the encrypted data, wherein the data inspection facility determines whether to allow transmission of the provided encrypted data over a network based on an inspection of the corresponding unencrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the encryption component is a Secure Socket Layer (SSL) component.
  - 3. The method of claim 1, further comprising providing the encrypted data to the data inspection facility.
  - 4. The method of claim 1, wherein providing the encrypted data to the data inspection facility comprises:
    - forwarding the encrypted data from the application to a service provider interface that forwards the encrypted data to a networking manager; and
      
      forwarding the encrypted data from the networking manager to the data inspection facility.
  - 5. The method of claim 4, wherein the service provider interface comprises WinSock.
  - 6. The method of claim 4, wherein the networking manager forwards the encrypted data to the data inspection facility via a driver.
  - 7. The method of claim 1, wherein forwarding the unencrypted data and the identifier of the encrypted data to the data inspection facility comprises forwarding the unencrypted data and the identifier of the encrypted data to the data inspection facility via a remote procedure call.
  - 8. The method of claim 1, wherein the data inspection facility establishes a correspondence between the encrypted data and the unencrypted data using the identifier.
  - 9. The method of claim 1, wherein the request comprises an application programming interface (“
    - API”
      
      ) call to the encryption component of an operating system.
  - 10. The method of claim 1, wherein intercepting the request from the application is performed using an application programming interface (“
    - API”
      
      ) hooking programming technique.

11. A computer system for controlling transmission of data over a network, the system comprising:
- at least one application, executed by at least one processor, that attempts to send data over the network; and
  
  an interception component that;
  
  intercepts a request from the at least one application to an encryption component to encrypt unencrypted data;
  
  acquires encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request; and
  
  forwards the unencrypted data and an identifier of the encrypted data to a data inspection facility;
  
  wherein the encrypted data is provided to the data inspection facility by;
  
  providing, by the at least one application, the encrypted data to a service provide interface;
  
  providing, by the service provide interface, the encrypted data to a networking manager; and
  
  providing, by the networking manager;
  
  the encrypted data to the data inspection facility, wherein the data inspection facility determines that the encrypted data is an encrypted form of the unencrypted data using the identifier of the encrypted data, wherein the data inspection facility further inspects the unencrypted data to determine whether to allow sending the encrypted data over the network.
- View Dependent Claims (12)
- - 12. The computer system of claim 11, wherein the identifier of the encrypted data comprises a prefix of the encrypted data.

13. A computer readable storage memory comprising computer-executable instructions, that when executed by a processor, perform a method comprising:
- intercepting a request comprising a call to an encryption component of an operating system to encrypt unencrypted data;
  
  acquiring encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request;
  
  providing the encrypted data to a data inspection facility; and
  
  providing the unencrypted data and an identifier of the encrypted data to a data inspection facility that determines whether to allow transmission of the encrypted data over a network, wherein the data inspection facility;
  
  establishes a correspondence between the unencrypted data and the encrypted data using the identifier of the encrypted data; and
  
  determines whether to allow transmission of the encrypted data over a network based on an inspection of the corresponding unencrypted data.
- View Dependent Claims (14, 15)
- - 14. The computer readable storage memory of claim 13, wherein the identifier of the encrypted data comprises a prefix of the encrypted data.
  - 15. The computer readable storage memory of claim 13, wherein the encryption component is a Secure Socket Layer (SSL) component.

16. A method of operating a data inspection facility comprising at least one processor, the method comprising:
- receiving an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
  
  establishing a correspondence between the encrypted data and the unencrypted data based on the received identifier;
  
  accessing an inspection result of the corresponding unencrypted data; and
  
  determining whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the inspection result of the corresponding unencrypted data is based on a policy.
  - 18. The method of claim 17, wherein the policy defines a type of information that is not to be transmitted.
  - 19. The method of claim 16, wherein the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises malicious data.
  - 20. The method of claim 16, the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises confidential information.

21. A computer system for controlling transmission of data, the system comprising:
- a data inspection facility that;
  
  receives an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
  
  establishes a correspondence between the encrypted data and the unencrypted data based on the received identifier;
  
  accesses an inspection result of the corresponding unencrypted data; and
  
  determines whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data,wherein the data inspection facility comprises at least one processor.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer system of claim 21, wherein the inspection result of the corresponding unencrypted data is based on a policy.
  - 23. The computer system of claim 22, wherein the policy defines a type of information that is not to be transmitted.
  - 24. The computer system of claim 21, wherein the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises malicious data.
  - 25. The computer system of claim 21, the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises confidential information.

26. A computer readable storage memory comprising computer-executable instructions, that when executed by a processor, perform a method comprising:
- receiving an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
  
  establishing a correspondence between the encrypted data and the unencrypted data based on the received identifier;
  
  accessing an inspection result of the corresponding unencrypted data; and
  
  determining whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The computer readable storage memory of claim 26, wherein the inspection result of the corresponding unencrypted data is based on a policy.
  - 28. The computer readable storage memory of claim 27, wherein the policy defines a type of information that is not to be transmitted.
  - 29. The computer readable storage memory of claim 26, wherein the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises malicious data.
  - 30. The computer readable storage memory of claim 26, the inspection result of the corresponding unencrypted data indicates that the unencrypted data comprises confidential information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lifliand, Vladimir, Ben-Menahem, Avraham Michael
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US12/818,605
Publication Number

US 20110314270A1
Time in Patent Office

1,236 Days
Field of Search

727/22, 726/22
US Class Current

726/22
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/30   for supporting lawful inter...

Encrypted network traffic interception and inspection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

238 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypted network traffic interception and inspection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

238 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links