System and method for protocol fingerprinting and reputation correlation
First Claim
Patent Images
1. A method, comprising:
- determining data packets received over a network connection at a firewall use an unrecognized protocol;
extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets include entropy of the contents of the data packets;
generating, by a hardware processor, a fingerprint based on the properties extracted from the data packets received over the network connection;
requesting a reputation value based on the fingerprint; and
taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity.
10 Assignments
0 Petitions
Accused Products
Abstract
A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection.
-
Citations
31 Claims
-
1. A method, comprising:
-
determining data packets received over a network connection at a firewall use an unrecognized protocol; extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets include entropy of the contents of the data packets; generating, by a hardware processor, a fingerprint based on the properties extracted from the data packets received over the network connection; requesting a reputation value based on the fingerprint; and taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 30)
-
-
11. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
-
determining data packets received over a network connection at a firewall use an unrecognized protocol; extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties are to include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets are to include entropy of the contents of the data packets; generating a fingerprint based on the properties extracted from the data packets received over the network connection; requesting a reputation value based on the fingerprint; and taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 31)
-
-
20. An apparatus, comprising:
-
a fingerprinting engine; and one or more hardware processors operable to execute instructions associated with the fingerprinting engine, the one or more hardware processors being operable to perform operations comprising; determining data packets received over a network connection by the apparatus use an unrecognized protocol; extracting properties of the data packets that indicate the unrecognized protocol, wherein the properties are to include one or more properties associated with behaviors of the data packets and one or more properties associated with contents of the data packets, wherein the one or more properties associated with the contents of the data packets are to include entropy of the contents of the data packets; generating a fingerprint based on the properties extracted from the data packets received over the network connection; requesting a reputation value based on the fingerprint; and taking a policy action on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
-
Specification