Detecting secure or encrypted tunneling in a computer network

US 8,782,794 B2
Filed: 11/17/2011
Issued: 07/15/2014
Est. Priority Date: 04/16/2010
Status: Active Grant

First Claim

Patent Images

1. A computer assisted method for detecting encrypted tunneling comprising:

electronically receiving information from a proxy server;

extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;

determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;

attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;

for each of the at least one destination,determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority;

determining whether the destination is hosting an encrypted tunneling application, wherein the determining whether the destination is hosting an encrypted tunneling application includes;

identifying a plurality of characteristics of the SSL certificate;

comparing the plurality of characteristics of the SSL certificate with a list of authentic characteristics to determine whether the SSL certificate is authentic;

wherein identifying the plurality of characteristics includes determining at least a name of at least one of;

to whom the SSL certificate was issued and who issued the SSL certificate; and

identifying, based on the identified plurality of characteristics of the SSL certificate, a type of encrypted tunneling application associated with the at least one destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer assisted method for detecting encrypted tunneling or proxy avoidance is presented. The method may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining may be based on characteristics of an Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection.

Citations

19 Claims

1. A computer assisted method for detecting encrypted tunneling comprising:
- electronically receiving information from a proxy server;
  
  extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
  
  determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
  
  attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;
  
  for each of the at least one destination,determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority;
  
  determining whether the destination is hosting an encrypted tunneling application, wherein the determining whether the destination is hosting an encrypted tunneling application includes;
  
  identifying a plurality of characteristics of the SSL certificate;
  
  comparing the plurality of characteristics of the SSL certificate with a list of authentic characteristics to determine whether the SSL certificate is authentic;
  
  wherein identifying the plurality of characteristics includes determining at least a name of at least one of;
  
  to whom the SSL certificate was issued and who issued the SSL certificate; and
  
  identifying, based on the identified plurality of characteristics of the SSL certificate, a type of encrypted tunneling application associated with the at least one destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the at least one destination is at least one IP address or at least one IP address in combination with at least one port number.
  - 3. The method according to claim 1, further comprising:
    - determining if a destination, of the at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds, is a destination that has been previously identified by the method as a destination hosting an encrypted tunneling or proxy avoidance application by comparing the destination with a database of previously identified destinations.
  - 4. The method according to claim 1, further comprising:
    - for each destination of the at least one destination,comparing the destination with a database of previously identified destinations identified as hosting an encrypted tunneling application; and
      
      determining if the destination, is a previously identified destination.
  - 5. The method according to claim 4, further comprising:
    - upon determining the destination is hosting an encrypted tunneling application, recording the destination in a database of previously identified destinations identified as hosting an encrypted tunneling application.
  - 6. The method according to claim 1, further comprising:
    - upon determining the destination is hosting an encrypted tunneling application, generating a security alert.
  - 7. The method according to claim 1, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining whether the SSL certificate is self signed.
  - 8. The method according to claim 1, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining whether at least the name of at least one of:
    - to whom the SSL certificate was issued and who issued the SSL certificate, contains a string of random characters that is unintelligible.
  - 9. The method according to claim 1, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining a service being operated at the destination.
  - 10. The method according to claim 1, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining at least one of:
    - a port or channel hopping patterns of a service being operated at the destination, a length of traffic of a service being operated at the destination.
  - 11. The method according to claim 1, wherein the extracting information regarding a CONNECT function of HTTP from the electronically received information and the determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds occur immediately upon the electronically received information from the proxy server being received.

12. An encrypted tunneling detecting apparatus comprising:
- at least one processor; and
  
  at least one memory storing computer executable instructions that cause the at least one processor to perform a method for detecting encrypted tunneling comprising;
  
  electronically receiving information from a proxy server;
  
  extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
  
  determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
  
  attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;
  
  for each of the at least one destination,determining if a Secure Socket Layer (SSL) certificate associated with the destination has been issued by a trusted certificate authority; and
  
  determining whether the destination is hosting an encrypted tunneling application, wherein the determining whether the destination is hosting an encrypted tunneling application includes;
  
  identifying a plurality of characteristics of the SSL certificate;
  
  comparing the plurality of characteristics of the SSL certificate with a list of authentic characteristics to determine whether the SSL certificate is authentic;
  
  wherein identifying the plurality of characteristics includes determining at least a name of at least one of;
  
  to whom the SSL certificate was issued and who issued the SSL certificate; and
  
  identifying, based on the identified plurality of characteristics of the SSL certificate, a type of encrypted tunneling application associated with the at least one destination.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus according to claim 12, further comprising:
    - determining if a destination, of the at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds, is a destination that has been previously identified by the method as a destination hosting an encrypted tunneling or proxy avoidance application by comparing the destination with a database of previously identified destinations.
  - 14. The apparatus according to claim 12, further comprising:
    - for each destination of the at least one destination,comparing the destination with a database of previously identified destinations identified as hosting an encrypted tunneling application; and
      
      determining if the destination, is a previously identified destination.
  - 15. The apparatus according to claim 14, further comprising:
    - upon determining the destination is hosting an encrypted tunneling application, recording the destination in a database of previously identified destinations identified as hosting an encrypted tunneling application.
  - 16. The apparatus according to claim 12, further comprising:
    - upon determining the destination is hosting an encrypted tunneling application, generating a security alert.
  - 17. The apparatus according to claim 12, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining whether the SSL certificate is self signed.
  - 18. The apparatus according to claim 12, wherein the determining whether the destination is hosting an encrypted tunneling application includes determining a service being operated at the destination.

19. A computer assisted method for detecting encrypted tunneling or proxy avoidance comprising:
- electronically receiving information from a proxy server;
  
  extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information;
  
  determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds;
  
  attempting to negotiate a standard Hyper Text Transport Protocol Secure (HTTPS) session with each of the at least one destination;
  
  for each of the at least one destination,determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining includes;
  
  identifying a plurality of characteristics of a Secure Socket Layer (SSL) certificate associated with the at least one destination, wherein identifying the plurality of characteristics includes determining at least a name of at least one of;
  
  to whom the SSL certificate was issued and who issued the SSL certificate;
  
  comparing the plurality of characteristics of the SSL certificate with a list of authentic characteristics to determine whether the SSL certificate is authentic; and
  
  identifying, based on the identified plurality of characteristics of the SSL certificate, a type of encrypted tunneling application associated with the at least one destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Ramcharran, Ronald
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US13/298,597
Publication Number

US 20120060211A1
Time in Patent Office

971 Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/556   involving covert channels, ...

H04L 12/4633   Interconnection of networks...

H04L 61/2592   using tunnelling or encapsu...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

Detecting secure or encrypted tunneling in a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting secure or encrypted tunneling in a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links