Detecting secure or encrypted tunneling in a computer network
First Claim
1. A computer assisted method for detecting encrypted tunneling comprising:
- electronically receiving information from a proxy server;
- extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
- determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
- attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination; and
- for each of the at least one destination, determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority;
- determining whether the destination is hosting an encrypted tunneling application, wherein the determining is based on characteristics of the SSL certificate; and
- in response to a determination that it is unable to be determined whether the destination is hosting an encrypted tunneling application based on characteristics of the SSL certificate, determining whether the destination is hosting an encrypted tunneling application based on characteristics of a response received from the destination over a Transmission Control Protocol/Internet Protocol (TCP/IP) connection.
Abstract
A computer assisted method for detecting encrypted tunneling or proxy avoidance is provided. The method may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds, and attempting to negotiate a standard HTTPS session with each of the at least one destination. The computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection.
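An added sketch of the pipeline the abstract describes (not code from the patent): it pulls CONNECT destinations out of proxy log lines and applies the certificate-first, response-as-fallback decision. The Squid-style log layout, the constructed sample lines, and the hypothetical `Probe` record with its precomputed verdicts are assumptions; the page does not say which certificate or response characteristics are examined.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in Squid's native access.log layout (an assumed proxy log format).
SAMPLE_LOG = """\
1700000000.101    210 10.0.0.5 TCP_TUNNEL/200 4512 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.10 -
1700000001.245     98 10.0.0.7 TCP_MISS/200 10240 GET http://intranet.example.com/ - HIER_DIRECT/192.0.2.20 text/html
1700000002.377  90412 10.0.0.9 TCP_TUNNEL/200 88123 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1700000003.002  60233 10.0.0.9 TCP_TUNNEL/200 70311 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1700000004.500    150 10.0.0.4 TCP_TUNNEL/200 2048 CONNECT [2001:db8::5]:8443 - HIER_DIRECT/2001:db8::5 -
"""

# host:port or [ipv6]:port following the CONNECT method token
CONNECT_RE = re.compile(r"\sCONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})\s")

def connect_destinations(log_text):
    """Unique (host, port) targets of CONNECT requests, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and 0 < int(m.group(2)) <= 65535:
            seen.setdefault((m.group(1).strip("[]").lower(), int(m.group(2))))
    return list(seen)

@dataclass
class Probe:
    """Observations from the follow-up HTTPS attempt (hypothetical record, filled by a prober)."""
    cert_trusted: Optional[bool]      # issued by a trusted CA; None = no certificate obtained
    cert_verdict: Optional[bool]      # tunnel? judged from the certificate; None = undetermined
    response_verdict: Optional[bool]  # tunnel? judged from the TCP/IP response; None = undetermined

def classify(probe):
    """Certificate-based verdict first; the TCP/IP response is consulted only as a fallback."""
    for basis, verdict in (("certificate", probe.cert_verdict), ("response", probe.response_verdict)):
        if verdict is not None:
            return {"result": "tunnel" if verdict else "not-tunnel", "basis": basis,
                    "cert_trusted": probe.cert_trusted}
    return {"result": "undetermined", "basis": None, "cert_trusted": probe.cert_trusted}

def triage(log_text, probes):
    """Map each CONNECT destination to a finding; unprobed destinations stay undetermined."""
    blank = Probe(None, None, None)
    return {dest: classify(probes.get(dest, blank)) for dest in connect_destinations(log_text)}
```

Destinations that appear in many CONNECT lines are probed once, and the `basis` field records which stage produced each verdict so an analyst can weigh it.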
18 Claims
12. An encrypted tunneling detecting apparatus comprising:
- at least one processor; and
- at least one memory storing computer executable instructions that cause the at least one processor to perform a method for detecting encrypted tunneling comprising:
- electronically receiving information from a proxy server;
- extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
- determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
- attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;
- for each of the at least one destination, determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority;
- determining whether the destination is hosting an encrypted tunneling application, wherein the determining is based on characteristics of the SSL certificate; and
- in response to a determination that it is unable to be determined whether the destination is hosting an encrypted tunneling application based on characteristics of the SSL certificate, determining whether the destination is hosting an encrypted tunneling application based on characteristics of a response received from the destination over a Transmission Control Protocol/Internet Protocol (TCP/IP) connection.
18. One or more non-transitory computer-readable media having computer-executable instructions stored thereon that, when executed, cause at least one computing device to:
- electronically receive information from a proxy server;
- extract information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
- determine at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
- attempt to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;
- for each of the at least one destination, determine whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining is based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a Transmission Control Protocol/Internet Protocol (TCP/IP) connection; and
- in response to a determination that it is unable to be determined whether the destination is hosting an encrypted tunneling application based on characteristics of the SSL certificate, determine whether the destination is hosting an encrypted tunneling application based on characteristics of a response received from the destination over the TCP/IP connection.
Specification