Encrypted peer-to-peer detection

US 8,892,665 B1
Filed: 05/24/2011
Issued: 11/18/2014
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and

generate a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client,wherein the generating of the network traffic that emulates peer-to-peer network traffic comprises;

send, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or send, to the second client, the emulated peer-to-peer network traffic indicating that no peers have a desired file requested via the peer-to-peer application, wherein the emulated peer-to-peer network traffic identifying the non-existent peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and

in the event that one of the non-existent peers is being contacted, emulate a peer-to-peer traffic response including dummy data; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted peer-to-peer detection is provided. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and generating network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting unknown network traffic sent from the first client to the second client. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic.

Citations

26 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generate a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client,wherein the generating of the network traffic that emulates peer-to-peer network traffic comprises;
  
  send, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or send, to the second client, the emulated peer-to-peer network traffic indicating that no peers have a desired file requested via the peer-to-peer application, wherein the emulated peer-to-peer network traffic identifying the non-existent peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers is being contacted, emulate a peer-to-peer traffic response including dummy data; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The system recited in claim 1, wherein the monitored network traffic is unencrypted, wherein the first client is determined to be executing the peer-to-peer application using a protocol based signature, and wherein the peer-to-peer application matches a firewall policy.
  - 3. The system recited in claim 1, wherein the unknown network traffic is encrypted network traffic.
  - 4. The system recited in claim 1, wherein the peer-to-peer application is used for file sharing that communicates data using encrypted communications.
  - 5. The system recited in claim 1, wherein the peer-to-peer application is used for voice over Internet protocol (VoIP) calls that communicate data using encrypted communications.
  - 6. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic that emulates peer-to-peer network traffic.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic that emulates peer-to-peer network traffic; and
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic that emulates peer-to-peer network traffic;
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classify a monitored session between the first client and the second client as associated with the peer-to-peer application.
  - 9. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic that emulates peer-to-peer network traffic;
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classify a monitored session between the first client and the second client as associated with the peer-to-peer application, wherein the monitored session is identified using a 3-tuple, including an identifier of the first client, a protocol type, and a port number.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - log or report that the first client was determined to be executing the peer-to-peer application, wherein the log or report includes associated session information, including an identifier for the first client, a protocol type, and a port number.
  - 11. The system recited in claim 1, wherein the processor is further configured to:
    - notify another security function that the first client is executing the peer-to-peer application.
  - 12. The system recited in claim 1, wherein the processor is further configured to:
    - notify a security cloud service that the second client was determined to be executing the peer-to-peer application.
  - 13. The system recited in claim 1, wherein the processor is further configured to:
    - notify a security cloud service that the first client was determined to be executing the peer-to-peer application.
  - 14. The system recited in claim 1, wherein the processor is further configured to:
    - notify a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application.
  - 15. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application.
  - 16. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to terminate, quarantine, or monitor a process associated with the port number.
  - 17. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to throttle network traffic usage for a process associated with the port number.
  - 18. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the host-based security function is configured to generate a warning notification to a user of the first client.
  - 19. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a user of the first client, wherein the notification message includes information regarding a policy related to using the peer-to-peer application.
  - 20. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a network or security administrator that the first client was determined to be executing the peer-to-peer application.
  - 21. The system recited in claim 1, further comprising in the event that the monitoring to the network traffic determines that the first client is executing the peer-to-peer application, block traffic sent from the peer-to-peer application.
  - 22. The system recited in claim 1, wherein the generated network traffic is sent from a security appliance that includes a firewall function, wherein the client is located within a network perimeter protected by the security appliance, wherein the peer-to-peer application violates a firewall policy stored on the security appliance, and wherein the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the client to poison traffic associated with the peer-to-peer application executing on the client.
  - 23. The system recited in claim 1, further comprising:
    - in the event that one of the non-existent peers is being contacted, determine that the first client is executing the peer-to-peer application.

24. A method, comprising:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein the generating of the network traffic that emulates peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or sending, to the second client, the emulated peer-to-peer network traffic indicating that no peers have a desired file requested via the peer-to-peer application, wherein the emulated peer-to-peer network traffic identifying the non-existent peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers is being contacted, emulating a peer-to-peer traffic response including dummy data.

25. A computer program being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein the generating of the network traffic that emulates peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or sending, to the second client, the emulated peer-to-peer network traffic indicating that no peers have a desired file requested via the peer-to-peer application, wherein the emulated peer-to-peer network traffic identifying the non-existent peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers is being contacted, emulating a peer-to-peer traffic response including dummy data.

26. A system, comprising:
- a processor configured to;
  
  monitor a network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and
  
  generate a network traffic response to the client that emulates peer-to-peer network traffic, wherein the generating of the network traffic that emulates peer-to-peer network traffic comprises;
  
  send, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or send, to the second client, the emulated peer-to-peer network traffic indicating that no peers have a desired file requested via the peer-to-peer application, wherein the emulated peer-to-peer network traffic identifying the non-existent peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers is being contacted, emulate a peer-to-peer traffic response including dummy data; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Rostami-Hesarsorkh, Shadi, Xie, Huagang
Primary Examiner(s)
Lai, Andrew
Assistant Examiner(s)
Ganguly, Sumitra

Application Number

US13/115,025
Time in Patent Office

1,274 Days
Field of Search

709/204, 709/206, 709/207, 709/223, 709/224, 709/622, 709/231, 709/249, 726/12
US Class Current

709/206
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1491   using deception as counterm...

H04L 67/104   Peer-to-peer [P2P] networks

Encrypted peer-to-peer detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypted peer-to-peer detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links