Encrypted peer-to-peer detection

US 9,838,356 B2
Filed: 01/31/2017
Issued: 12/05/2017
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and

generate a network traffic emulating peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein generating the network traffic emulating the peer-to-peer network traffic comprises;

send, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a non-existent peer; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted peer-to-peer detection is provided. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and generating network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting unknown network traffic sent from the first client to the second client. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic.

8 Citations

24 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generate a network traffic emulating peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein generating the network traffic emulating the peer-to-peer network traffic comprises;
  
  send, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a non-existent peer; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The system recited in claim 1, wherein the monitored network traffic is unencrypted, wherein the first client is determined to be executing the peer-to-peer application using a protocol based signature, and wherein the peer-to-peer application matches a firewall policy.
  - 3. The system recited in claim 1, wherein the unknown network traffic is encrypted network traffic.
  - 4. The system recited in claim 1, wherein the peer-to-peer application is used for file sharing and communicates data using encrypted communications.
  - 5. The system recited in claim 1, wherein the peer-to-peer application is used for voice over Internet protocol (VOIP) calls and communicates data using encrypted communications.
  - 6. The system recited in claim 1, wherein the generated network traffic is sent from a security appliance including a firewall function, wherein the first client is located within a network perimeter protected by the security appliance, wherein the peer-to-peer application violates a firewall policy stored on the security appliance, and wherein the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the second client to poison traffic associated with the peer-to-peer application executing on the first client.
  - 7. The system recited in claim 1, wherein a monitored session between the first client and the second client is classified as being associated with the peer-to-peer application, and wherein the processor is further configured to:
    - cache in a peer-to-peer mapping store a determination that the monitored session between the first client and the second client is associated with the peer-to-peer application.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic emulating the peer-to-peer network traffic.
  - 9. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic emulating the peer-to-peer network traffic; and
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic emulating the peer-to-peer network traffic;
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classify a monitored session between the first client and the second client as associated with the peer-to-peer application.
  - 11. The system recited in claim 1, wherein the processor is further configured to:
    - monitor responses from the second client to the generated network traffic emulating the peer-to-peer network traffic;
      
      determine whether the second client is executing the peer-to-peer application based on the monitored responses from the second client; and
      
      classify a monitored session between the first client and the second client as associated with the peer-to-peer application, wherein the monitored session is identified using a 3-tuple, including an identifier of the first client, a protocol type, and a port number.
  - 12. The system recited in claim 1, wherein the processor is further configured to:
    - report that the first client was determined to be executing the peer-to-peer application, wherein the report includes associated session information, including an identifier for the first client, a protocol type, and a port number.
  - 13. The system recited in claim 1, wherein the processor is further configured to:
    - notify a security cloud service that the second client was determined to be executing the peer-to-peer application.
  - 14. The system recited in claim 1, wherein the processor is further configured to:
    - notify a security cloud service that the first client was determined to be executing the peer-to-peer application.
  - 15. The system recited in claim 1, wherein the processor is further configured to:
    - notify a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application.
  - 16. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application.
  - 17. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to terminate, quarantine, or monitor a process associated with the port number.
  - 18. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the notification message includes a port number associated with a current session determined to be associated with the peer-to-peer application, and wherein the host-based security function is configured to throttle network traffic usage for a process associated with the port number.
  - 19. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a host-based security function executing on the first client that the first client was determined to be executing the peer-to-peer application, wherein the host-based security function is configured to generate a warning notification to a user of the first client.
  - 20. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a user of the first client, wherein the notification message includes information regarding a policy related to using the peer-to-peer application.
  - 21. The system recited in claim 1, wherein the processor is further configured to:
    - send a notification message to a network administrator or a security administrator that the first client was determined to be executing the peer-to-peer application.
  - 22. The system recited in claim 1, wherein the processor is further configured to:
    - determine whether the first client is executing the peer-to-peer application; and
      
      block traffic sent from the peer-to-peer application.

23. A method, comprising:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic, using a processor, emulating peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein generating the network traffic emulating the peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a non-existent peer.

24. A computer program being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- monitoring a network traffic sent from a first client to determine whether the first client is executing a peer-to-peer application; and
  
  generating a network traffic emulating peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting an unknown network traffic sent from the first client to the second client, wherein generating the network traffic emulating the peer-to-peer network traffic comprises;
  
  sending, to the second client, the emulated peer-to-peer network traffic identifying non-existent peers or spoofed peers, wherein the emulated peer-to-peer network traffic identifying the non-existent peers or the spoofed peers indicates that the emulated peer-to-peer network traffic originated from a non-existent peer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Rostami-Hesarsorkh, Shadi, Xie, Huagang
Primary Examiner(s)
Lai, Andrew
Assistant Examiner(s)
Ganguly, Sumitra

Application Number

US15/421,013
Publication Number

US 20170208034A1
Time in Patent Office

308 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/1491   using deception as counterm...

H04L 67/104   Peer-to-peer [P2P] networks

Encrypted peer-to-peer detection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypted peer-to-peer detection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links