System and method for selective inspection of encrypted traffic

US 8,959,329 B2
Filed: 04/13/2012
Issued: 02/17/2015
Est. Priority Date: 04/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data;

determining or identifying plain data from the intercepted data, wherein the plain data comprises unencrypted data;

analyzing the plain data, by an apparatus with a hardware module comprising a processor, to establish one or more selection rules by;

detecting predefined criteria,searching the plain data for an IP address allocated to at least one of the data connections,searching the plain data for an association between the predefined criteria and the IP address,upon discovering the searched association, adding the discovered IP address to a selection rule table;

selecting a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein selecting the subset further comprises configuring a network switch to forward only the selected subset of the network connections to an inspection device, and wherein configuring the network switch further comprises causing the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and

configuring the inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Inspection of encrypted network traffic where multiple network connections are monitored that carry encrypted data, but only a subset of the network connections are decrypted and inspected. Typically, only network connections that are associated with designated target users whose encrypted data is to be inspected are decrypted. A Network Monitor Center (NMC) dynamically establishes a list of rules for selection of encrypted data connections. The rules are provided to a Secure data Inspection Appliance (SIA) that accepts some or all of the network user encrypted traffic and checks it against a rule table. When detecting an encrypted connection that matches the rule table, the SIA decrypts the connection and provides a copy of the connection plain data to the NMC. The NMC then inspects the plain data for security threats. Once a security threat is found in a connection, the NMC applies predefined consequent actions to this connection.

36 Citations

View as Search Results

16 Claims

1. A method comprising:
- intercepting data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data;
  
  determining or identifying plain data from the intercepted data, wherein the plain data comprises unencrypted data;
  
  analyzing the plain data, by an apparatus with a hardware module comprising a processor, to establish one or more selection rules by;
  
  detecting predefined criteria,searching the plain data for an IP address allocated to at least one of the data connections,searching the plain data for an association between the predefined criteria and the IP address,upon discovering the searched association, adding the discovered IP address to a selection rule table;
  
  selecting a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein selecting the subset further comprises configuring a network switch to forward only the selected subset of the network connections to an inspection device, and wherein configuring the network switch further comprises causing the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and
  
  configuring the inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein analyzing the plain data comprises identifying one or more target users of the communication network, and defining the selection rules so that one or more data connections associated with the target users are included in the selected subset.
  - 3. The method according to claim 1, wherein analyzing the plain data comprises obtaining respective identifiers of one or more target users by communicating with an authentication node of the communication network, and wherein selecting the subset comprises choosing the data connections associated with the obtained identifiers.
  - 4. The method according to claim 3, wherein the authentication node comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 5. The method according to claim 3, wherein the identifiers comprise temporary Internet Protocol (IP) addresses that are assigned to the target users.
  - 6. The method according to claim 1, wherein analyzing the plain data comprises defining the selection rules so as to identify one or more of the data connections that carry malicious content.
  - 7. The method according to claim 1, wherein the encrypted data has been encrypted in accordance with a Secure Socket Layer (SSL) protocol.
  - 8. The method according to claim 1, wherein the encrypted data has been encrypted in accordance with a Transport Layer Security (TLS) protocol.

9. An apparatus comprising:
- a network interface that intercepts data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data; and
  
  a hardware module comprising a processor that;
  
  determines or identifies plain data from the intercepted data, wherein the plain data comprises unencrypted data;
  
  analyses the plain data to establish one or more selection rules by detecting predefined criteria,searching the plain data for an IP address allocated to at least one of the data connections,searching the plain data for an association between the predefined criteria and the IP address, andupon discovering the searched association, adding the discovered IP address to a selection rule table;
  
  selects a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein the processor configures a network switch to forward only the selected subset of the network connections to an inspection device, and further wherein the processor causes the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and
  
  configures the inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus according to claim 9, wherein the processor identifies one or more target users of the communication network by analyzing the plain data and defining the selection rules to include the data connections associated with the target users.
  - 11. The apparatus according to claim 9, wherein the processor obtains respective identifiers of one or more target users by communicating with an authentication node of the communication network, and selects the subset by choosing the data connections associated with the obtained identifiers.
  - 12. The apparatus according to claim 11, wherein the authentication node comprises a Remote Authentication Dial-In User Service (RADIUS) server.
  - 13. The apparatus according to claim 11, wherein the identifiers comprise temporary Internet Protocol (IP) addresses that are assigned to the target users.
  - 14. The apparatus according to claim 9, wherein the processor defines the selection rules so as to identify one or more of the data connections that carry malicious content.
  - 15. The apparatus according to claim 9, wherein the encrypted data has been encrypted in accordance with one of a Secure Socket Layer (SSL) protocol and a Transport Layer Security (TLS) protocol.

16. An apparatus comprising a processor coupled to a memory:
- a monitoring unit thatintercepts data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data,determines or identifies plain data from the intercepted data, wherein the plain data comprises unencrypted data,analyzes the plain data to establish one or more selection rules by detecting predefined criteria,searching the plain data for an IP address allocated to at least one of the data connections,searching the plain data for an association between the predefined criteria and the IP address, andupon discoverying the searched association, adding the IP address to a selection rule table,selects a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein the monitoring unit configures a network switch to forward only the selected subset of the network connections to an inspection device, and further wherein the monitoring unit causes the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion, andoutputs an indication of the selected subset; and
  
  the inspection device thatreceives the indication of the selected subset from the monitoring unit;
  
  decrypts the encrypted data conveyed by the data connections in the selected subset, and outputs the decrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Altman, Yuval
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/446,338
Publication Number

US 20120290829A1
Time in Patent Office

1,040 Days
Field of Search

713/150, 713153-154, 709225-226, 709/229
US Class Current

713/150
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

H04L 63/30   for supporting lawful inter...

System and method for selective inspection of encrypted traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for selective inspection of encrypted traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links