Encrypted network traffic interception and inspection
Abstract
A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.
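The hook-and-correlate flow described in the abstract, as an added Python simulation that is not code from the patent: the interception component wraps the encryption component's encrypt call, forwards the plaintext together with a digest of the ciphertext as its identifier, and the networking manager hands the ciphertext to the inspection facility, which recomputes the digest to establish the correspondence. The XOR keystream cipher stands in for SSL/TLS, the CONFIDENTIAL marker check stands in for real malware or DLP inspection, and treating ciphertext with no matching record as not allowed is an assumption of this example.

```python
import hashlib

# Stand-in for the OS encryption component (not TLS): XOR with a SHA-256 keystream.
def os_encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def identifier_of(ciphertext: bytes) -> str:
    # Identifier of the encrypted data: a digest the inspection facility can
    # recompute from the ciphertext it later receives from the networking manager.
    return hashlib.sha256(ciphertext).hexdigest()

class DataInspectionFacility:
    def __init__(self, blocked_markers):
        self.blocked_markers = blocked_markers
        self.results = {}   # identifier -> inspection result of the unencrypted data

    def receive_unencrypted(self, plaintext: bytes, identifier: str) -> None:
        # Inspection runs on the plaintext; only the verdict is kept per identifier.
        self.results[identifier] = not any(m in plaintext for m in self.blocked_markers)

    def allow_transmission(self, ciphertext: bytes) -> bool:
        # Establish the correspondence via the identifier. Ciphertext with no record
        # (it never passed through the hook) is not allowed: an assumption here.
        return self.results.pop(identifier_of(ciphertext), False)

class InterceptionComponent:
    """Stands in for an API hook on the encryption component's encrypt call."""
    def __init__(self, key: bytes, facility: DataInspectionFacility):
        self.key, self.facility = key, facility

    def encrypt(self, plaintext: bytes) -> bytes:
        ciphertext = os_encrypt(self.key, plaintext)   # the real encryption still runs
        self.facility.receive_unencrypted(plaintext, identifier_of(ciphertext))
        return ciphertext                              # the application sees a normal result

def send_over_network(facility: DataInspectionFacility, ciphertext: bytes) -> str:
    # Networking manager hands the ciphertext to the facility before it leaves the host.
    return "sent" if facility.allow_transmission(ciphertext) else "blocked"

def demo():
    facility = DataInspectionFacility(blocked_markers=[b"CONFIDENTIAL"])
    hook = InterceptionComponent(b"constructed-session-key", facility)
    ok = send_over_network(facility, hook.encrypt(b"GET /public HTTP/1.1"))
    leak = send_over_network(facility, hook.encrypt(b"POST /upload CONFIDENTIAL plan"))
    unseen = send_over_network(facility, b"ciphertext that bypassed the hook")
    return ok, leak, unseen   # ('sent', 'blocked', 'blocked')

if __name__ == "__main__":
    print(demo())
```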
30 Claims
1. A method of operating a computer comprising at least one processor, the method comprising, with the at least one processor:
- intercepting a request from an application to encrypt unencrypted data by an encryption component;
- acquiring encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request;
- providing the encrypted data to a data inspection facility; and
- forwarding the unencrypted data and an identifier of the encrypted data to the data inspection facility, wherein the data inspection facility establishes a correspondence between the encrypted data and the unencrypted data using the identifier of the encrypted data, wherein the data inspection facility determines whether to allow transmission of the provided encrypted data over a network based on an inspection of the corresponding unencrypted data.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A computer system for controlling transmission of data over a network, the system comprising:
- at least one application, executed by at least one processor, that attempts to send data over the network; and
- an interception component that:
  - intercepts a request from the at least one application to an encryption component to encrypt unencrypted data;
  - acquires encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request; and
  - forwards the unencrypted data and an identifier of the encrypted data to a data inspection facility;
- wherein the encrypted data is provided to the data inspection facility by:
  - providing, by the at least one application, the encrypted data to a service provider interface;
  - providing, by the service provider interface, the encrypted data to a networking manager; and
  - providing, by the networking manager, the encrypted data to the data inspection facility,
- wherein the data inspection facility determines that the encrypted data is an encrypted form of the unencrypted data using the identifier of the encrypted data, wherein the data inspection facility further inspects the unencrypted data to determine whether to allow sending the encrypted data over the network.

Dependent claims: 12.

13. A computer readable storage memory comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
- intercepting a request comprising a call to an encryption component of an operating system to encrypt unencrypted data;
- acquiring encrypted data generated by the encryption component by encrypting the unencrypted data in response to the request;
- providing the encrypted data to a data inspection facility; and
- providing the unencrypted data and an identifier of the encrypted data to a data inspection facility that determines whether to allow transmission of the encrypted data over a network, wherein the data inspection facility:
  - establishes a correspondence between the unencrypted data and the encrypted data using the identifier of the encrypted data; and
  - determines whether to allow transmission of the encrypted data over a network based on an inspection of the corresponding unencrypted data.

Dependent claims: 14, 15.

16. A method of operating a data inspection facility comprising at least one processor, the method comprising:
- receiving an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
- establishing a correspondence between the encrypted data and the unencrypted data based on the received identifier;
- accessing an inspection result of the corresponding unencrypted data; and
- determining whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data.

Dependent claims: 17, 18, 19, 20.

21. A computer system for controlling transmission of data, the system comprising a data inspection facility that:
- receives an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
- establishes a correspondence between the encrypted data and the unencrypted data based on the received identifier;
- accesses an inspection result of the corresponding unencrypted data; and
- determines whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data,
wherein the data inspection facility comprises at least one processor.

Dependent claims: 22, 23, 24, 25.

26. A computer readable storage memory comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
- receiving an identifier associated with encrypted data, wherein the encrypted data is an encrypted form of unencrypted data;
- establishing a correspondence between the encrypted data and the unencrypted data based on the received identifier;
- accessing an inspection result of the corresponding unencrypted data; and
- determining whether to allow transmission of the encrypted data based on the inspection result of the corresponding unencrypted data.

Dependent claims: 27, 28, 29, 30.