DNS snooping to create IP address-based trust database used to select deep packet inspection and storage of IP packets

US 9,628,442 B2
Filed: 06/22/2015
Issued: 04/18/2017
Est. Priority Date: 06/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network device through which client devices communicate with a network;

creating an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with each said IP address wherein the respective trust metric for the domain name includes a respective domain name category represented as a number;

intercepting an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;

using the destination IP address in the intercepted IP packet, retrieving from the IP address-based trust database the domain name trust metric, including the respective domain name category, mapped to the destination IP address; and

processing IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion, the processing including;

comparing the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category is in the predetermined number range and, based on results of the comparing;

depending on whether the retrieved domain name category is in the predetermined number range or is not in the predetermined number range, respectively sending or not sending header information in each of the IP packets to a data store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At a network device through which client devices communicate with a network, a database is created that maps Internet Protocol (IP) addresses each to a respective trust metric for a domain name associated with the IP address. An IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name is intercepted. Using the destination IP address in the intercepted IP packet, the domain name trust metric mapped to the destination IP address is retrieved from the database. IP packets received from the destination IP address are processed based on the retrieved domain name trust metric and a predetermined trust metric criterion.

18 Citations

View as Search Results

20 Claims

1. A method comprising:
- at a network device through which client devices communicate with a network;
  
  creating an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with each said IP address wherein the respective trust metric for the domain name includes a respective domain name category represented as a number;
  
  intercepting an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
  
  using the destination IP address in the intercepted IP packet, retrieving from the IP address-based trust database the domain name trust metric, including the respective domain name category, mapped to the destination IP address; and
  
  processing IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion, the processing including;
  
  comparing the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category is in the predetermined number range and, based on results of the comparing;
  
  depending on whether the retrieved domain name category is in the predetermined number range or is not in the predetermined number range, respectively sending or not sending header information in each of the IP packets to a data store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - the creating includes creating the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
      
      the retrieving includes retrieving from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
      
      the processing includes;
      
      determining, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
      
      upon determining that deep packet inspection should not be performed, passing the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
  - 3. The method of claim 2, wherein the processing further comprises:
    - upon determining that deep packet inspection should be performed, performing deep packet inspection on the IP packets received from the destination IP address.
  - 4. The method of claim 2, wherein the deep packet inspection includes Open System Interconnection (OSI) layer 7 inspection.
  - 5. The method of claim 2, wherein the determining includes:
    - comparing the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
      
      if the comparing indicates that the domain name reputation is equal to or below the domain name reputation threshold, declaring that deep packet inspection should be performed; and
      
      if the comparing indicating that the domain name reputation is above the domain name reputation threshold, declaring that deep packet inspection should not be performed.
  - 6. The method of claim 1, whereinthe processing further includes:
    - determining, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to the data store;
      
      upon determining to send the header information in each of the IP packets to the data store, sending the header information in each of the IP packets to the data store; and
      
      upon determining not to send the header information in each of the IP packets to the data store, not sending the header information in each of the IP packets to the data store.
  - 7. The method of claim 1, wherein the creating comprises:
    - intercepting domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
      
      accessing, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
      
      generating, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.
  - 8. The method of claim 7, wherein:
    - each DNS transaction includes a DNS query from each client device to the DNS IP address-based trust database to resolve a domain name in the DNS query to an IP address, and a DNS reply to the client device and that includes the resolved IP address from the DNS database; and
      
      intercepting DNS transactions includes intercepting each DNS reply.

9. An apparatus comprising:
- a network interface unit configured to communicate with client devices over a network; and
  
  a processor coupled to the network interface unit and configured to;
  
  create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the each said IP address, wherein the respective trust metric for the domain name includes a respective domain name category represented as a number;
  
  intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
  
  using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric, including the respective domain name category, mapped to the destination IP address; and
  
  process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion, wherein the processor is further configured to;
  
  compare the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category is in the predetermined number range and, based on results of the compare;
  
  depending on whether the retrieved domain name category is in the predetermined number range or is not in the predetermined number range, respectively send or not send header information in each of the IP packets to a data store.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, wherein:
    - the processor is configured to create by creating the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
      
      the processor is configured to retrieve by retrieving includes retrieving from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
      
      the processor is configured to process by;
      
      determining, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
      
      upon determining that deep packet inspection should not be performed, passing the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
  - 11. The apparatus of claim 10, wherein the processor is further configured to process by:
    - upon determining that deep packet inspection should be performed, performing deep packet inspection on the IP packets received from the destination IP address.
  - 12. The apparatus of claim 10, wherein the processor is configured to perform the determining by:
    - comparing the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
      
      if the comparing indicates that the domain name reputation is equal to or below the domain name reputation threshold, declaring that deep packet inspection should be performed; and
      
      if the comparing indicating that the domain name reputation is above the domain name reputation threshold, declaring that deep packet inspection should not be performed.
  - 13. The apparatus of claim 9, whereinthe processor is configured to process by:
    - determining, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to the data store;
      
      upon determining to send the header information in each of the IP packets to the data store, sending the header information in each of the IP packets to the data store; and
      
      upon determining not to send the header information in each of the IP packets to the data store, not sending the header information in each of the IP packets to the data store.
  - 14. The apparatus of claim 9, wherein the processor is configured to create by:
    - intercepting domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
      
      accessing, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
      
      generating, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.

15. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a network device through which client devices communicate with a network, cause the processor to:
- create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the each said IP address, wherein the respective trust metric for the domain name includes a respective domain name category represented as a number;
  
  intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
  
  using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric, including the respective domain name category, mapped to the destination IP address; and
  
  process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion, wherein the instructions to cause the processor to process include instructions to cause the processor to;
  
  compare the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category is in the predetermined number range and, based on results of the compare;
  
  depending on whether the retrieved domain name category is in the predetermined number range or is not in the predetermined number range, respectively send or not sending header information in each of the IP packets to a data store.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage media of claim 15, wherein:
    - the instructions to cause the processor to create include instructions to cause the processor to create the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
      
      the instructions to cause the processor to retrieve include instructions to cause the processor to retrieve from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
      
      the instructions to cause the processor to process include instructions to cause the processor to;
      
      determine, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
      
      upon determining that deep packet inspection should not be performed, pass the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
  - 17. The computer readable storage media of claim 16, wherein the instructions to cause the processor to process include further instructions to cause the processor to:
    - upon determining that deep packet inspection should be performed, perform deep packet inspection on the IP packets received from the destination IP address.
  - 18. The computer readable storage media of claim 16, wherein the instructions to cause the processor to determine include instructions to cause the processor to:
    - compare the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
      
      if the compare indicates that the domain name reputation is equal to or below the domain name reputation threshold, declare that deep packet inspection should be performed; and
      
      if the compare indicates that the domain name reputation is above the domain name reputation threshold, declare that deep packet inspection should not be performed.
  - 19. The computer readable storage media of claim 15, wherein:
    - the instructions to cause the processor to process include instructions to cause the processor to;
      
      determine, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to the data store;
      
      upon determining to send the header information in each of the IP packets to the data store, send the header information in each of the IP packets to the data store; and
      
      upon determining not to send the header information in each of the IP packets to the data store, not send the header information in each of the IP packets to the data store.
  - 20. The computer readable storage media of claim 15, wherein the instructions to cause the processor to create include instructions to cause the processor to:
    - intercept domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
      
      access, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
      
      generate, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zhu, Peter, Thirunarayanan, Ashok
Primary Examiner(s)
Zee, Edward

Application Number

US14/746,155
Publication Number

US 20160373409A1
Time in Patent Office

666 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/21   Design, administration or m...

G06F 16/84   Mapping; Conversion

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 69/22   Parsing or analysis of headers

H04L 69/329   in the application layer [O...

DNS snooping to create IP address-based trust database used to select deep packet inspection and storage of IP packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DNS snooping to create IP address-based trust database used to select deep packet inspection and storage of IP packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links