Obfuscating network traffic from previously collected network traffic

US 8,996,728 B2
Filed: 10/01/2010
Issued: 03/31/2015
Est. Priority Date: 10/01/2010
Status: Active Grant

First Claim

Patent Images

1. A system for generating obfuscated network traffic, the system comprising:

a network monitor for separating a first network traffic flow into application content and network header content based on a first network model by separately extracting the application content and network header content in accordance with the first network model;

a computer-readable storage device comprising;

an application content database operative to store application content extracted from the first network traffic flow by the network monitor;

a network header content database operative to store network header content extracted from the first network traffic flow by the network monitor; and

an obfuscated network traffic database operative to store obfuscated network header content;

a masking attribute selector operative to receive an input specifying one or more network header attributes to be masked;

a data masking processor operative to;

retrieve the network header content stored in the network header content database; and

mask at least a selected portion of the network header content to generate the obfuscated network header content, wherein the data masking processor is further operative to mask the selected portion of the network header based on the input received by the masking attribute selector; and

an obfuscated network traffic request interface operative to;

receive a request for obfuscated network traffic; and

transmit the obfuscated network header content stored in the obfuscated network traffic database based upon the request for obfuscated network traffic;

where said mask is at least one of;

a bitwise operation, analyzing the IP addresses in the network header content and changing or replacing the IP addresses with a set of IP addresses, replacing one or more network priority bits of the network header content with a different but consistent set of network priority bits, replacing one or more portions of the network header content requested from the network header content database, replacing content with content stored in another database, and replacing content with randomly generated content or pseudo-randomly generated content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An obfuscated network traffic server is operative to generate obfuscated network traffic. The obfuscated network traffic server maintains the relationship between extracted application content and extracted network header content such that the obfuscated network traffic is indistinguishable from the monitored network traffic. The obfuscated network traffic server may include a network monitor operative to monitor network traffic and to extract application content and network header content from the monitored network traffic. The obfuscated network traffic server may also include a data masking processor operative to mask a portion of the separated application content and/or the separated network header content. The obfuscated network traffic server may further include a masking attribute selector operative to specify the attributes of the application content and/or the network header content that is to be masked.

232 Citations

20 Claims

1. A system for generating obfuscated network traffic, the system comprising:
- a network monitor for separating a first network traffic flow into application content and network header content based on a first network model by separately extracting the application content and network header content in accordance with the first network model;
  
  a computer-readable storage device comprising;
  
  an application content database operative to store application content extracted from the first network traffic flow by the network monitor;
  
  a network header content database operative to store network header content extracted from the first network traffic flow by the network monitor; and
  
  an obfuscated network traffic database operative to store obfuscated network header content;
  
  a masking attribute selector operative to receive an input specifying one or more network header attributes to be masked;
  
  a data masking processor operative to;
  
  retrieve the network header content stored in the network header content database; and
  
  mask at least a selected portion of the network header content to generate the obfuscated network header content, wherein the data masking processor is further operative to mask the selected portion of the network header based on the input received by the masking attribute selector; and
  
  an obfuscated network traffic request interface operative to;
  
  receive a request for obfuscated network traffic; and
  
  transmit the obfuscated network header content stored in the obfuscated network traffic database based upon the request for obfuscated network traffic;
  
  where said mask is at least one of;
  
  a bitwise operation, analyzing the IP addresses in the network header content and changing or replacing the IP addresses with a set of IP addresses, replacing one or more network priority bits of the network header content with a different but consistent set of network priority bits, replacing one or more portions of the network header content requested from the network header content database, replacing content with content stored in another database, and replacing content with randomly generated content or pseudo-randomly generated content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising a replacement application content database operative to store replacement application content, wherein:
    - at least a portion of the application content extracted by the network monitor is replaced with the replacement application content stored in the replacement application content database.
  - 3. The system of claim 1, wherein:
    - the application content is identified as being sensitive application content not intended to be viewed by a recipient other than the recipient identified in the network header content; and
      
      the application content is replaced with replacement application content having similar characteristics as the identified application content.
  - 4. The system of claim 1, wherein:
    - the first network traffic flow is a first type of network traffic flow;
      
      the application content database is further operative to store application content extracted from a second network traffic flow;
      
      the network header content database is further operative to store network header content extracted from the second network traffic flow; and
      
      the second network traffic flow is a second type of network traffic flow different from the first type of network flow, wherein the network monitor separates the second network traffic flow into application content and network header content based on a second network model.
  - 5. The system of claim 4, wherein:
    - the first type of network traffic flow comprises the File Transfer Protocol (“
      
      FTP”
      
      ); and
      
      the second type of network traffic flow comprises the Hypertext Transfer Protocol (“
      
      HTTP”
      
      ).
  - 6. The system of claim 1, wherein:
    - the first network flow is identified based on a destination port specified in the network header content.
  - 7. The system of claim 1, further comprising:
    - a network traffic flow multiplexer operative to;
      
      receive obfuscated network header content from the data masking processor;
      
      request application content from the application content database based on an application content identifier;
      
      reconstruct an obfuscated network traffic flow comprising the requested obfuscated network header content and the requested application content; and
      
      store the obfuscated network traffic flow in the obfuscated network traffic database.
  - 8. The system of claim 7, wherein the network traffic flow multiplexer is further operative to:
    - replace the requested obfuscated network traffic header content stored in the obfuscated network traffic database with the reconstructed obfuscated network traffic flow.
  - 9. The system of claim 1, wherein the obfuscated network traffic database is segmented according to an obfuscated network traffic database schema, the obfuscated network traffic database schema comprising:
    - an Internet Protocol (“
      
      IP”
      
      ) packet segment specifying IP packet attributes for the obfuscated network header content;
      
      a request and response segment specifying request and response attributes for the obfuscated network header content;
      
      a time segment specifying time attributes for the obfuscated network header content;
      
      a server segment specifying server attributes for the obfuscated network header content;
      
      a customer segment specifying customer attributes for the obfuscated network header content; and
      
      a Uniform Resource Locator (“
      
      URL”
      
      ) segment specifying URL attributes for the obfuscated network header content.

10. A method for generating masked network traffic, the method comprising:
- receiving extracted application content of a first network traffic flow and extracted network header content of the first network traffic flow;
  
  receiving, with a masking attribute selector, an input specifying one or more network header attributes to be masked;
  
  masking, with a data masking processor, at least a selected portion of the network header content to generate masked network header content, wherein the masking of the selected portion of the network header by the data masking processor is based on the input received by the masking attribute selector;
  
  combining the masked network header content with the separated application content based on a maintained relationship between the application content and the network header content; and
  
  transmitting the combined masked network header content and application content in response to a request for masked network traffic;
  
  where said masking comprises at least one of;
  
  a bitwise operation, analyzing the IP addresses in the network header content and changing or replacing the IP addresses with a set of IP addresses, replacing one or more network priority bits of the network header content with a different but consistent set of network priority bits, replacing one or more portions of the network header content requested from the network header content database, replacing content with content stored in another database, and replacing content with randomly generated content or pseudo-randomly generated content.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, further comprising:
    - storing replacement application content in a computer-readable storage device; and
      
      replacing at least a portion of the application content separated from the network header content with the replacement application content stored in the computer-readable storage device.
  - 12. The method of claim 10, further comprising:
    - identifying the application content as being sensitive application content not intended to be viewed by a recipient other than the recipient identified in the network header content; and
      
      replacing the sensitive application content with replacement application content having similar characteristics as the identified sensitive application content.
  - 13. The method of claim 10, wherein the first network traffic flow is a first type of network traffic flow, and further comprising:
    - receiving extracted application content of a second network traffic flow and extracted network header content of the second network traffic flow, wherein;
      
      the second network traffic flow is a second type of network traffic flow different from the first type of network flow.
  - 14. The method of claim 13, wherein:
    - the first type of network traffic flow comprises the File Transfer Protocol (“
      
      FTP”
      
      ); and
      
      the second type of network traffic flow comprises the Hypertext Transfer Protocol (“
      
      HTTP”
      
      ).
  - 15. The method of claim 10, wherein:
    - the first network flow is identified based on a destination port specified in the network header content.
  - 16. The method of claim 10, wherein:
    - the application content and the network header content are separated based on a network traffic type of the first network traffic flow.
  - 17. The method of claim 10, further comprising:
    - masking, with the data masking processor, the application content of the first network traffic flow based on at least one first masking attribute.
  - 18. The method of claim 17, wherein:
    - the network header content of the first network traffic flow is first network header content;
      
      the application content of the first network traffic flow is first application content;
      
      the masked application of the first network traffic flow is first masked application content; and
      
      , further comprising;
      
      receiving second network header content and second application content extracted from a second network traffic flow; and
      
      masking, with the data masking processor, the second application content based on at least one second masking attribute;
      
      wherein;
      
      the at least one first masking attribute and the at least one second masking attribute are different.
  - 19. The method of claim 10, further comprising:
    - establishing a masked network traffic database operative to store the masked network header content;
      
      segmenting the masked network traffic database according to a masked network traffic database schema, wherein maintaining the relationship between the separated application content and separated network header content is based on the masked network traffic database schema; and
      
      storing the masked network header content in the masked network traffic database according to the masked network traffic database schema.
  - 20. The method of claim 19, wherein the masked network traffic database schema comprises:
    - an Internet Protocol (“
      
      IP”
      
      ) packet segment specifying IP packet attributes for the masked network header content;
      
      a request and response segment specifying request and response attributes for the masked network header content;
      
      a time segment specifying time attributes for the masked network header content;
      
      a server segment specifying server attributes for the masked network header content;
      
      a customer segment specifying customer attributes for the masked network header content; and
      
      a Uniform Resource Locator (“
      
      URL”
      
      ) segment specifying URL masked for the obfuscated network header content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Inventors
Cochinwala, Munir, Pucci, Marc
Primary Examiner(s)
ELFERVIG, TAYLOR A

Application Number

US12/895,973
Publication Number

US 20120084464A1
Time in Patent Office

1,642 Days
Field of Search

709/246, 709/223
US Class Current

709/246
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/18   Protocol analysers

H04L 43/50   Testing arrangements

Obfuscating network traffic from previously collected network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

232 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Obfuscating network traffic from previously collected network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

232 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links