Encrypted peer-to-peer detection

US 9,596,155 B2
Filed: 10/13/2014
Issued: 03/14/2017
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising a processor, the system further comprising:

an application signature check engine executed on the processor for monitoring a network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and

a peer-to-peer traffic generator executed on the processor for generating a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client,wherein the peer-to-peer traffic generator for the generating of the network traffic that emulates peer-to-peer network traffic further comprises;

sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and

in the event that one of the non-existent peers or the spoofed peers is being contacted, emulating a peer-to-peer traffic response including dummy data.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted peer-to-peer detection is provided. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and generating network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting unknown network traffic sent from the first client to the second client. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic.

Citations

36 Claims

1. A system comprising a processor, the system further comprising:
- an application signature check engine executed on the processor for monitoring a network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  a peer-to-peer traffic generator executed on the processor for generating a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client,wherein the peer-to-peer traffic generator for the generating of the network traffic that emulates peer-to-peer network traffic further comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers or the spoofed peers is being contacted, emulating a peer-to-peer traffic response including dummy data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The system recited in claim 1, wherein the monitored network traffic is unencrypted, wherein the first client is determined to be executing the peer-to-peer application using a protocol based signature, and wherein the peer-to-peer application matches a firewall policy.
  - 3. The system recited in claim 1, wherein the unknown network traffic is encrypted network traffic.
  - 4. The system recited in claim 1, wherein the peer-to-peer application is used for file sharing that communicates data using encrypted communications.
  - 5. The system recited in claim 1, wherein the peer-to-peer application is used for voice over Internet protocol (VOIP) calls that communicate data using encrypted communications.
  - 6. The system recited in claim 1, wherein the generated network traffic is sent from a security appliance that includes a firewall function, wherein the first client is located within a network perimeter protected by the security appliance, wherein the peer-to-peer application violates a firewall policy stored on the security appliance, and wherein the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the first client to poison traffic associated with the peer-to-peer application executing on the first client.
  - 7. The system recited in claim 1, wherein a monitored session between the first client and the second client is classified as being associated with the peer-to-peer application, and wherein the system further comprises:
    - a peer-to-peer mapping store for caching a determination that the monitored session between the first client and the second client is associated with the peer-to-peer application.
  - 8. The system recited in claim 1, wherein the application signature check engine further comprises:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic.
  - 9. The system recited in claim 1, wherein the application signature check engine further comprises:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic; and
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client.
  - 10. The system recited in claim 1, wherein the application signature check engine further comprises:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic;
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classifying a monitored session between the first client and the second client as associated with the peer-to-peer application.
  - 11. The system recited in claim 1, wherein the application signature check engine further comprises:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic;
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classifying a monitored session between the first client and the second client as associated with the peer-to-peer application, wherein the monitored session is identified using a 3-tuple, including an identifier of the first client, a protocol type, and a port number.
  - 12. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for reporting to a network or a security administrator, a trusted network device or a trusted security device, and/or a security cloud service that the first client was determined to be executing the peer-to-peer application, wherein the report includes associated session information, including an identifier for the first client, a protocol type, and a port number.
  - 13. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for notifying a security function that the first client is executing the peer-to-peer application.
  - 14. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for notifying a security cloud service that the second client was determined to be executing the peer-to-peer application.
  - 15. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for notifying a security cloud service that the first client was determined to be executing the peer-to-peer application.
  - 16. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for notifying a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application.
  - 17. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application.
  - 18. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to terminate, quarantine, or monitor a process associated with the port number.
  - 19. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to throttle network traffic usage for a process associated with the port number.
  - 20. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the host-based security function is configured to generate a warning notification to a user of the first client.
  - 21. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a user of the first client, wherein the notification message includes information regarding a policy related to using the peer-to-peer application.
  - 22. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for sending a notification message to a network or a security administrator that the first client was determined to be executing the peer-to-peer application.
  - 23. The system recited in claim 1, wherein the system further comprises:
    - a report and policy enforce engine executed on the processor for blocking traffic sent from the peer-to-peer application in the event that the monitoring to the network traffic determines that the first client is executing the peer-to-peer application.

24. A method, comprising:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic, using a processor, that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein the generating of the network traffic that emulates the peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers or the spoofed peers is being contacted, emulating a peer-to-peer traffic response including dummy data.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 25. The method of claim 24, wherein the monitored network traffic is unencrypted, wherein the first client is determined to be executing the peer-to-peer application using a protocol based signature, and wherein the peer-to-peer application matches a firewall policy.
  - 26. The method of claim 24, wherein the unknown network traffic is encrypted network traffic.
  - 27. The method of claim 24, wherein the peer-to-peer application is used for file sharing that communicates data using encrypted communications.
  - 28. The method of claim 24, wherein the peer-to-peer application is used for voice over Internet protocol (VOIP) calls that communicate data using encrypted communications.
  - 29. The method of claim 24, wherein the generated network traffic is sent from a security appliance that includes a firewall function, wherein the first client is located within a network perimeter protected by the security appliance, wherein the peer-to-peer application violates a firewall policy stored on the security appliance, and wherein the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the first client to poison traffic associated with the peer-to-peer application executing on the first client.
  - 30. The method of claim 24, wherein a monitored session between the first client and the second client is classified as being associated with the peer-to-peer application, and further comprising:
    - caching a determination that the monitored session between the first client and the second client is associated with the peer-to-peer application in a peer-to-peer mapping store.
  - 31. The method of claim 24, further comprising:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic.
  - 32. The method of claim 24, further comprising:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic; and
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client.
  - 33. The method of claim 24, further comprising:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic;
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classifying a monitored session between the first client and the second client as associated with the peer-to-peer application.
  - 34. The method of claim 24, further comprising:
    - monitoring responses from the second client to the generated network traffic that emulates the peer-to-peer network traffic;
      
      determining whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classifying a monitored session between the first client and the second client as associated with the peer-to-peer application, wherein the monitored session is identified using a 3-tuple, including an identifier of the first client, a protocol type, and a port number.
  - 35. The method of claim 24, further comprising:
    - blocking traffic sent from the peer-to-peer application in the event that the monitoring to the network traffic determines that the first client is executing the peer-to-peer application.

36. A computer program being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein the generating of the network traffic that emulates the peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a peer that does not exist; and
  
  in the event that one of the non-existent peers or the spoofed peers is being contacted, emulating a peer-to-peer traffic response including dummy data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Rostami-Hesarsorkh, Shadi, Xie, Huagang
Primary Examiner(s)
Lai, Andrew
Assistant Examiner(s)
Ganguly, Sumitra

Application Number

US14/513,055
Publication Number

US 20150101013A1
Time in Patent Office

883 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1491   using deception as counterm...

H04L 67/104   Peer-to-peer [P2P] networks

Encrypted peer-to-peer detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypted peer-to-peer detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links