Rule-based network-threat detection for encrypted communications

DC CAFC

US 9,917,856 B2
Filed: 12/23/2015
Issued: 03/13/2018
Est. Priority Date: 12/23/2015
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

receiving, by a packet-filtering system comprising a hardware processor and a memory and configured to filter packets in accordance with a plurality of packet-filtering rules, data indicating a plurality of network-threat indicators, wherein at least one of the plurality of network-threat indicators comprises a domain name identified as a network threat;

identifying packets comprising unencrypted data;

identifying packets comprising encrypted data;

determining, by the packet-filtering system and based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, packets comprising encrypted data that corresponds to the one or more network-threat indicators;

filtering, by the packet-filtering system and based on at least one of a uniform resource identifier (URI) specified by the plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules;

packets comprising the portion of the unencrypted data that corresponds to one or more network-threat indicators of the plurality of network-threat indicators; and

the determined packets comprising the encrypted data that corresponds to the one or more network-threat indicators; and

routing, by the packet-filtering system, filtered packets to a proxy system based on a determination that the filtered packets comprise data that corresponds to the one or more network-threat indicators.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

3 Petitions

Accused Products

Abstract

A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

169 Citations

25 Claims

1. A method comprising:
- receiving, by a packet-filtering system comprising a hardware processor and a memory and configured to filter packets in accordance with a plurality of packet-filtering rules, data indicating a plurality of network-threat indicators, wherein at least one of the plurality of network-threat indicators comprises a domain name identified as a network threat;
  
  identifying packets comprising unencrypted data;
  
  identifying packets comprising encrypted data;
  
  determining, by the packet-filtering system and based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, packets comprising encrypted data that corresponds to the one or more network-threat indicators;
  
  filtering, by the packet-filtering system and based on at least one of a uniform resource identifier (URI) specified by the plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules;
  
  packets comprising the portion of the unencrypted data that corresponds to one or more network-threat indicators of the plurality of network-threat indicators; and
  
  the determined packets comprising the encrypted data that corresponds to the one or more network-threat indicators; and
  
  routing, by the packet-filtering system, filtered packets to a proxy system based on a determination that the filtered packets comprise data that corresponds to the one or more network-threat indicators.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein:
    - the packets comprising unencrypted data comprise one or more packets comprising at least one of a domain name system (DNS) query or a reply to the DNS query, the method further comprising;
      
      determining that the at least one of the DNS query or the reply to the DNS query comprises the domain name identified as the network threat.
  - 3. The method of claim 2, wherein the portion of the unencrypted data comprises one or more network addresses included in the at least one of the DNS query or the reply to the DNS query, the method further comprising:
    - determining that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.
  - 4. The method of claim 2, wherein the portion of the unencrypted data comprises one or more network addresses included in one or more headers of the one or more packets comprising the at least one of the DNS query or the reply to the DNS query, the method further comprising:
    - determining that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.
  - 5. The method of claim 4, wherein the one or more network addresses comprise a network address of a web proxy that generated the DNS query in response to a request received from a host, the method further comprising:
    - identifying one or more packets comprising the request.
  - 6. The method of claim 1, wherein one or more packets, of the packets comprising unencrypted data, comprise data configured to establish an encrypted communication session between a first host and a second host, the method further comprising:
    - routing the one or more packets comprising data configured to establish the encrypted communication session between the first host and the second host to the proxy system.
  - 7. The method of claim 6, the method further comprising:
    - routing the one or more packets to the proxy system based on a determination that at least one of the first host or the second host corresponds to the domain name identified as the network threat.
  - 8. The method of claim 6, wherein:
    - the plurality of packet-filtering rules indicate;
      
      one or more network addresses for which encrypted communications are to be established via the proxy system, andone or more network addresses for which encrypted communications are to not be established via the proxy system, the method further comprising;
      
      routing the one or more packets to the proxy system based on a determination that at least one of the first host or the second host corresponds to the one or more network addresses for which encrypted communications are to be established via the proxy system.
  - 9. The method of claim 6, wherein:
    - the packet-filtering system comprises;
      
      one or more interfaces interfacing the packet-filtering system with one or more communication links interfacing the first host and the second host, andone or more interfaces interfacing the packet-filtering system with the proxy system, the method further comprising;
      
      redirecting packets received via the one or more interfaces interfacing the packet-filtering system with the one or more communication links interfacing the first host and the second host to the one or more interfaces interfacing the packet-filtering system with the proxy system.
  - 10. The method of claim 6, wherein:
    - the packet-filtering system comprises;
      
      one or more interfaces interfacing the packet-filtering system with one or more communication links interfacing the first host and the second host, andone or more interfaces interfacing the packet-filtering system with the proxy system, the method further comprising;
      
      forwarding copies of packets received via the one or more interfaces interfacing the packet-filtering system with the one or more communication links interfacing the first host and the second host to the one or more interfaces interfacing the packet-filtering system with the proxy system.
  - 11. The method of claim 6, the method further comprising:
    - identifying, via a communication link interfacing the first host and the proxy system, the packets comprising encrypted data; and
      
      identifying, via an internal communication link of the proxy system, packets corresponding to the packets comprising encrypted data.
  - 12. The method of claim 11, the method further comprising:
    - identifying, via a communication link interfacing the proxy system and the second host, packets generated by the proxy system based on the packets corresponding to the packets comprising encrypted data.
  - 13. The method of claim 6, the method further comprising:
    - generating, by the proxy system, one or more packets based on the filtered packets, comprising encrypted data, routed to the proxy system by the packet-filtering system;
      
      responsive to determining that one or more packets generated by the proxy system correspond to one or more criteria specified by the plurality of packet-filtering rules, at least one of;
      
      dropping the one or more packets generated by the proxy system;
      
      logging the one or more packets generated by the proxy system;
      
      dropping one or more other packets generated by the proxy system;
      
      logging one or more other packets generated by the proxy system;
      
      dropping one or more other packets comprising encrypted data;
      
      orlogging one or more other packets comprising encrypted data.
  - 14. The method of claim 13, wherein the determining that one or more packets generated by the proxy system based on one or more of the packets comprising encrypted data correspond to one or more criteria specified by the plurality of packet-filtering rules comprises determining that the one or more packets generated by the proxy system comprise at least one of a uniform resource identifier (URI) specified by the plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules.
  - 15. The method of claim 13, wherein the determining comprises determining that the one or more packets generated by the proxy system comprise a uniform resource identifier (URI) meeting a threshold size specified by the plurality of packet-filtering rules.
  - 16. The method of claim 6, the method further comprising:
    - identifying, via a communication link interfacing the proxy system and an Internet content adaptation protocol (ICAP) server, one or more packets comprising at least one of an ICAP request, a response generated by the ICAP server, or a modified request generated by the ICAP server.
  - 17. The method of claim 1, wherein the packets comprising encrypted data comprise packets received from a first host and destined for a second host, the method further comprising at least one of dropping or logging packets other than the packets comprising encrypted data based on a determination that the packets other than the packets comprising encrypted data were at least one of received from the second host or destined for the first host.
  - 18. The method of claim 1, wherein:
    - the packets comprising unencrypted data comprise one or more packets comprising one or more handshake messages configured to establish an encrypted communication session between a client and a server, the method further comprising;
      
      determining that the one or more handshake messages comprise the domain name identified as the network threat.
  - 19. The method of claim 18, the method further comprising:
    - responsive to determining that the one or more handshake messages comprise the domain name identified as the network threat, at least one of dropping or logging the packets comprising encrypted data.
  - 20. The method of claim 18, wherein:
    - the one or more handshake messages comprise at least one of a hello message generated by the client or a certificate message generated by the server; and
      
      the determining that the one or more handshake messages comprise the domain name identified as the network threat comprises determining the at least one of the hello message generated by the client or the certificate message generated by the server comprises the domain name identified as the network threat.
  - 21. The method of claim 18, wherein the portion of the unencrypted data comprises one or more network addresses included in one or more headers of the one or more packets comprising the one or more handshake messages, the method further comprisingdetermining that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.
  - 22. The method of claim 21, wherein the one or more network addresses comprise a network address of the server and a network address of a web proxy, the method further comprising:
    - identifying one or more packets comprising one or more packet headers comprising the network address of the web proxy and a network address of the client; and
      
      determining that the packets comprising encrypted data comprise one or more packet headers comprising the network address of the server and the network address of the client.
  - 23. The method of claim 1, wherein the packets comprising unencrypted data comprise a certificate message for an encrypted communication session, the method further comprising:
    - at least one of dropping or logging one or more of the packets comprising encrypted data based on a determination that the certificate message comprises data indicating at least one of a serial number indicated by the plurality of packet-filtering rules, an issuer indicated by the plurality of packet-filtering rules, a validity time-range indicated by the plurality of packet-filtering rules, a key indicated by the plurality of packet-filtering rules, or a signing authority indicated by the plurality of packet-filtering rules.

24. A packet-filtering system comprising:
- at least one hardware processor; and
  
  memory storing instructions that when executed by the at least one hardware processor cause the packet-filtering system to;
  
  receive data indicating a plurality of network-threat indicators, wherein at least one of the plurality of network-threat indicators comprise a domain name identified as a network threat;
  
  identify packets comprising unencrypted data;
  
  identify packets comprising encrypted data;
  
  determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, packets comprising encrypted data that corresponds to the one or more network-threat indicators;
  
  filter, based on at least one of a uniform resource identifier (URI) specified by a plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules;
  
  packets comprising the portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators; and
  
  the determined packets comprising the encrypted data that corresponds to the one or more network-threat indicators; and
  
  route, by the packet-filtering system, filtered packets to a proxy system based on a determination that the filtered packets comprise data that corresponds to the one or more network-threat indicators.

25. One or more non-transitory computer-readable media comprising instructions that when executed by at least one hardware processor of a packet-filtering system cause the packet-filtering system to:
- receive data indicating a plurality of network-threat indicators, wherein at least one of the plurality of network-threat indicators comprise a domain name identified as a network threat;
  
  identify packets comprising unencrypted data;
  
  identify packets comprising encrypted data;
  
  determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, packets comprising encrypted data that corresponds to the one or more network-threat indicators;
  
  filter, by the packet-filtering system and based on at least one of a uniform resource identifier (URI) specified by a plurality of packet-filtering rules indicating one or more of the plurality of network-threat indicators, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules;
  
  packets comprising the portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators; and
  
  the determined packets comprising the encrypted data that corresponds to the one or more network-threat indicators; and
  
  route, by the packet-filtering system, filtered packets to a proxy system based on a determination that the filtered packets comprise data that corresponds to the one or more network-threat indicators.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Moore, Sean, DiSabello, Douglas M.
Primary Examiner(s)
LEE, JASON T

Application Number

US14/757,638
Publication Number

US 20170187733A1
Time in Patent Office

811 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 69/22   Parsing or analysis of headers

Rule-based network-threat detection for encrypted communications

First Claim

2 Assignments

Litigations

3 Petitions

Accused Products

Abstract

169 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Rule-based network-threat detection for encrypted communications

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

3 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links