System and method for protocol fingerprinting and reputation correlation

US 9,106,680 B2
Filed: 06/27/2011
Issued: 08/11/2015
Est. Priority Date: 06/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining data packets received over a network connection at a firewall use an unrecognized protocol;

extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets include entropy of the contents of the data packets;

generating, by a hardware processor, a fingerprint based on the properties extracted from the data packets received over the network connection;

requesting a reputation value based on the fingerprint; and

taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection.

Citations

31 Claims

1. A method, comprising:
- determining data packets received over a network connection at a firewall use an unrecognized protocol;
  
  extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets include entropy of the contents of the data packets;
  
  generating, by a hardware processor, a fingerprint based on the properties extracted from the data packets received over the network connection;
  
  requesting a reputation value based on the fingerprint; and
  
  taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 30)
- - 2. The method of claim 1, further comprising storing the fingerprint in an audit log.
  - 3. The method of claim 1, further comprising displaying information about a protocol based on the fingerprint.
  - 4. The method of claim 1, wherein the reputation value is further based on a network address associated with the network connection.
  - 5. The method of claim 1, wherein the reputation value is based on a protocol reputation associated with the fingerprint and on a connection reputation associated with the network connection.
  - 6. The method of claim 1, wherein the reputation value is based on a protocol reputation associated with the fingerprint and correlated with a connection reputation associated with the network connection.
  - 7. The method of claim 1, wherein the policy action comprises blocking the network connection.
  - 8. The method of claim 1, wherein the policy action comprises alerting an administrator.
  - 9. The method of claim 1, further comprising receiving an alert if the fingerprint is subsequently associated with malicious activity.
  - 10. The method of claim 1, further comprising requesting global intelligence data associated with the fingerprint and displaying the global intelligence data based on the fingerprint.
  - 30. The method of claim 1, further comprising:
    - providing for display on a user interface information associated with the unrecognized protocol, wherein the information includes one or more of (1) a geographic distribution of remote host addresses associated with the unrecognized protocol, (2) a reputation of the remote host addresses, or (3) a number of sites reporting the unrecognized protocol.

11. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- determining data packets received over a network connection at a firewall use an unrecognized protocol;
  
  extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties are to include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets are to include entropy of the contents of the data packets;
  
  generating a fingerprint based on the properties extracted from the data packets received over the network connection;
  
  requesting a reputation value based on the fingerprint; and
  
  taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 31)
- - 12. The encoded logic of claim 11, wherein the operations further comprise storing the fingerprint in an audit log.
  - 13. The encoded logic of claim 11, wherein the operations further comprise displaying information about a protocol based on the fingerprint.
  - 14. The encoded logic of claim 11, wherein the reputation value is further based on a network address associated with the network connection.
  - 15. The encoded logic of claim 11, wherein the reputation value is based on a protocol reputation associated with the fingerprint and on a connection reputation associated with the network connection.
  - 16. The encoded logic of claim 11, wherein the reputation value is based on a protocol reputation associated with the fingerprint and correlated with a connection reputation associated with the network connection.
  - 17. The encoded logic of claim 11, wherein the policy action comprises blocking the network connection.
  - 18. The encoded logic of claim 11, wherein the policy action comprises alerting an administrator.
  - 19. The encoded logic of claim 11, further comprising receiving an alert if the fingerprint is subsequently associated with malicious activity.
  - 31. The encoded logic of claim 11, wherein the code, when executed by the one or more processors is operable to perform further operations comprising:
    - providing for display on a user interface information associated with the unrecognized protocol, wherein the information includes one or more of (1) a geographic distribution of remote host addresses associated with the unrecognized protocol, (2) a reputation of the remote host addresses, or (3) a number of sites reporting the unrecognized protocol.

20. An apparatus, comprising:
- a fingerprinting engine; and
  
  one or more hardware processors operable to execute instructions associated with the fingerprinting engine, the one or more hardware processors being operable to perform operations comprising;
  
  determining data packets received over a network connection by the apparatus use an unrecognized protocol;
  
  extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties are to include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets are to include entropy of the contents of the data packets;
  
  generating a fingerprint based on the properties extracted from the data packets received over the network connection;
  
  requesting a reputation value based on the fingerprint; and
  
  taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The apparatus of claim 20, wherein the operations further comprise storing the fingerprint in an audit log.
  - 22. The apparatus of claim 20, wherein the operations further comprise displaying information about a protocol based on the fingerprint.
  - 23. The apparatus of claim 20, wherein the reputation value is further based on a network address associated with the network connection.
  - 24. The apparatus of claim 20, wherein the reputation value is based on a protocol reputation associated with the fingerprint and on a connection reputation associated with the network connection.
  - 25. The apparatus of claim 20, wherein the reputation value is based on a protocol reputation associated with the fingerprint and correlated with a connection reputation associated with the network connection.
  - 26. The apparatus of claim 20, wherein the policy action comprises blocking the network connection.
  - 27. The apparatus of claim 20, wherein the policy action comprises alerting an administrator.
  - 28. The apparatus of claim 20, further comprising receiving an alert if the fingerprint is subsequently associated with malicious activity.
  - 29. The apparatus of claim 20, the one or more hardware processors being operable to perform further operations comprising:
    - providing for display on a user interface information associated with the unrecognized protocol, wherein the information includes one or more of (1) a geographic distribution of remote host addresses associated with the unrecognized protocol, (2) a reputation of the remote host addresses, or (3) a number of sites reporting the unrecognized protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alperovitch, Dmitri, Bu, Zheng, Diehl, David Frederick, Krasser, Sven
Primary Examiner(s)
Khoshnoodi, Nadia
Assistant Examiner(s)
Nguyen, Ngoc D

Application Number

US13/170,163
Publication Number

US 20120331556A1
Time in Patent Office

1,506 Days
Field of Search

726/11, 726/13, 726/23, 726/24
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

System and method for protocol fingerprinting and reputation correlation

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protocol fingerprinting and reputation correlation

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links