1. (WO2017112535) RULE-BASED NETWORK-THREAT DETECTION FOR ENCRYPTED COMMUNICATIONS
Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

What is claimed is:

A method comprising:

receiving, by a packet-filtering system configured to filter packets in accordance with a plurality of packet-filtering rules, data indicating a plurality of network-threat indicators; and

configuring, by the packet-filtering system, the plurality of packet-filtering rules to cause the packet-filtering system to:

identify packets comprising unencrypted data;

identify packets comprising encrypted data; and

determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

2. The method of claim 1, wherein:

the one or more network-threat indicators comprise a domain name;

the packets comprising unencrypted data comprise one or more packets comprising at least one of a domain name system (DNS) query or a reply to the DNS query; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to determine that the at least one of the DNS query or the reply to the DNS query comprises the domain name.

3. The method of claim 2, wherein:

the portion of the unencrypted data comprises one or more network addresses included in the at least one of the DNS query or the reply to the DNS query; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to determine that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.

4. The method of claim 2, wherein:

the portion of the unencrypted data comprises one or more network addresses included in one or more headers of the one or more packets comprising the at least one of the DNS query or the reply to the DNS query; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to determine that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.

5. The method of claim 4, wherein:

the one or more network addresses comprise a network address of a web proxy that generated the DNS query in response to a request received from a host; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to identify one or more packets comprising the request.
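The DNS-keyed correlation of claims 2 through 4 (learn the addresses an indicator domain resolves to from the unencrypted DNS reply, then attribute later encrypted packets to that indicator by IP header alone) can be shown with a small self-contained engine. This is an added example written for this page, not code from the patent or its assignee; the `EncryptedFlowCorrelator` class, the wire-format helpers and the sample reply for `malicious.example` resolving to `203.0.113.10` are all constructed here, and the parser handles only IPv4 A records and the compression pointers a real resolver emits.

```python
import struct
import ipaddress

# Constructed indicator list for the example; a deployment loads these
# from its threat-intelligence feed.
THREAT_DOMAINS = {"malicious.example"}


def encode_name(name):
    """Encode a dotted domain name in DNS wire (label) format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(txn_id, qname, addrs):
    """Construct a minimal DNS A-record reply; used only to make sample input."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, offset, max_hops=8):
    """Decode a possibly compressed DNS name; returns (name, offset after name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2                        # name ends after the pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("DNS name pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_dns_reply(msg):
    """Return (queried names, [(owner name, IPv4 address), ...]) from a reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                                     # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return questions, answers


class EncryptedFlowCorrelator:
    """Derive per-address rules from DNS replies and apply them to later packets."""

    def __init__(self, threat_domains):
        self.threat_domains = {d.lower().rstrip(".") for d in threat_domains}
        self.tainted_addrs = {}          # resolved address -> matching indicator

    def observe_dns_reply(self, msg):
        """Record addresses resolved for an indicator domain; returns the new hits."""
        _, answers = parse_dns_reply(msg)
        hits = []
        for name, ip in answers:
            if name.lower() in self.threat_domains:
                self.tainted_addrs[ip] = name.lower()
                hits.append(ip)
        return hits

    def classify_packet(self, src, dst):
        """Return the indicator a packet corresponds to, or None.

        Only the IP header is consulted, so the payload may be opaque ciphertext."""
        for addr in (src, dst):
            if addr in self.tainted_addrs:
                return self.tainted_addrs[addr]
        return None


if __name__ == "__main__":
    correlator = EncryptedFlowCorrelator(THREAT_DOMAINS)
    # Constructed sample: the resolver answers the indicator domain with 203.0.113.10
    reply = build_dns_reply(0x1234, "malicious.example", ["203.0.113.10"])
    print("tainted addresses:", correlator.observe_dns_reply(reply))
    # A later TLS packet toward that address is attributed to the indicator
    print(correlator.classify_packet("192.0.2.5", "203.0.113.10"))
```

The rule set is dynamic: nothing about `203.0.113.10` is known until the reply is seen, which is why the claims tie the encrypted-packet rule to the unencrypted DNS traffic rather than to a static address list. In practice the learned entries should expire with the record TTL and be keyed on the client that received the reply, since the same address may legitimately serve other names.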

6. The method of claim 1, wherein:

one or more packets of the packets comprising unencrypted data comprise data configured to establish an encrypted communication session between a first host and a second host; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to route the one or more of the packets to a proxy system.

7. The method of claim 6, wherein:

the one or more network-threat indicators comprise a domain name; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to route the one or more of the packets to the proxy system based on a determination that at least one of the first host or the second host corresponds to the domain name.

8. The method of claim 6, wherein:

the plurality of packet-filtering rules indicate:

one or more network addresses for which encrypted communications should be established via the proxy system, and

one or more network addresses for which encrypted communications should not be established via the proxy system; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to route the one or more of the packets to the proxy system based on a determination that at least one of the first host or the second host corresponds to the one or more network addresses for which encrypted communications should be established via the proxy system.

9. The method of claim 6, wherein:

the packet-filtering system comprises:

one or more interfaces interfacing the packet-filtering system with one or more communication links interfacing the first host and the second host, and one or more interfaces interfacing the packet-filtering system with the proxy system; and

the configuring the packet-filtering system to route the one or more of the packets to the proxy system comprises configuring the packet-filtering system to redirect packets received via the one or more interfaces interfacing the packet-filtering system with the one or more communication links interfacing the first host and the second host to the one or more interfaces interfacing the packet-filtering system with the proxy system.

10. The method of claim 6, wherein:

the packet-filtering system comprises:

one or more interfaces interfacing the packet-filtering system with one or more communication links interfacing the first host and the second host, and one or more interfaces interfacing the packet-filtering system with the proxy system; and

the configuring the packet-filtering system to route the one or more of the packets to the proxy system comprises configuring the packet-filtering system to forward copies of packets received via the one or more interfaces interfacing the packet-filtering system with the one or more communication links interfacing the first host and the second host to the one or more interfaces interfacing the packet-filtering system with the proxy system.

11. The method of claim 6, wherein the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to:

identify, via a communication link interfacing the first host and the proxy system, the packets comprising encrypted data; and

identify, via an internal communication link of the proxy system, packets corresponding to the packets comprising encrypted data.

12. The method of claim 11, wherein the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to identify, via a communication link interfacing the proxy system and the second host, packets generated by the proxy system based on the packets corresponding to the packets comprising encrypted data.

13. The method of claim 6, wherein the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to, responsive to determining that one or more packets generated by the proxy system based on one or more of the packets comprising encrypted data correspond to one or more criteria specified by the plurality of packet-filtering rules, at least one of:

drop the one or more packets generated by the proxy system;

log the one or more packets generated by the proxy system;

drop one or more other packets generated by the proxy system;

log one or more other packets generated by the proxy system;

drop one or more other packets of the packets comprising encrypted data; or

log one or more other packets of the packets comprising encrypted data.

14. The method of claim 13, wherein the determining comprises determining that the one or more packets generated by the proxy system comprise at least one of a uniform resource identifier (URI) specified by the plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules.

15. The method of claim 13, wherein the determining comprises determining that the one or more packets generated by the proxy system comprise a uniform resource identifier (URI) meeting a threshold size specified by the plurality of packet-filtering rules.

16. The method of claim 6, wherein the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to identify, via a communication link interfacing the proxy system and an Internet content adaptation protocol (ICAP) server, one or more packets comprising at least one of an ICAP request, a response generated by the ICAP server, or a modified request generated by the ICAP server.

17. The method of claim 1, wherein the packets comprising encrypted data comprise packets received from a first host and destined for a second host, the method comprising configuring the plurality of packet-filtering rules to cause the packet-filtering system to at least one of drop or log packets other than the packets comprising encrypted data based on a determination that the packets other than the packets comprising encrypted data were at least one of received from the second host or destined for the first host.

18. The method of claim 1, wherein:

the one or more network-threat indicators comprise a domain name;

the packets comprising unencrypted data comprise one or more packets comprising one or more handshake messages configured to establish an encrypted communication session between a client and a server; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to determine that the one or more handshake messages comprise the domain name.

19. The method of claim 18, wherein the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to, responsive to determining that the one or more handshake messages comprise the domain name, at least one of drop or log the packets comprising encrypted data.

20. The method of claim 18, wherein:

the one or more handshake messages comprise at least one of a hello message generated by the client or a certificate message generated by the server; and

the configuring the packet-filtering system to determine that the one or more handshake messages comprise the domain name comprises configuring the packet-filtering system to determine the at least one of the hello message generated by the client or the certificate message generated by the server comprises the domain name.

21. The method of claim 18, wherein:

the portion of the unencrypted data comprises one or more network addresses included in one or more headers of the one or more packets comprising the one or more handshake messages; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to determine that the packets comprising encrypted data comprise one or more packet headers comprising at least one of the one or more network addresses.

22. The method of claim 21, wherein:

the one or more network addresses comprise a network address of the server and a network address of a web proxy; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to:

identify one or more packets comprising one or more packet headers comprising the network address of the web proxy and a network address of the client; and

determine that the packets comprising encrypted data comprise one or more packet headers comprising the network address of the server and the network address of the client.

23. The method of claim 1, wherein:

the packets comprising unencrypted data comprise a certificate message for an encrypted communication session; and

the configuring the plurality of packet-filtering rules comprises configuring the packet-filtering system to at least one of drop or log one or more of the packets comprising encrypted data based on a determination that the certificate message comprises data indicating at least one of a serial number indicated by the plurality of packet-filtering rules, an issuer indicated by the plurality of packet-filtering rules, a validity time-range indicated by the plurality of packet-filtering rules, a key indicated by the plurality of packet-filtering rules, or a signing authority indicated by the plurality of packet-filtering rules.

24. A packet-filtering system comprising:

at least one processor; and

a memory storing instructions that when executed by the at least one processor cause the packet-filtering system to:

receive data indicating a plurality of network-threat indicators;

configure a plurality of packet-filtering rules, in accordance with which the packet-filtering system is configured to filter packets, to cause the packet-filtering system to:

identify packets comprising unencrypted data;

identify packets comprising encrypted data; and

determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

25. One or more non-transitory computer-readable media comprising instructions that when executed by at least one processor of a packet-filtering system cause the packet-filtering system to:

receive data indicating a plurality of network-threat indicators;

configure a plurality of packet-filtering rules, in accordance with which the packet-filtering system is configured to filter packets, to cause the packet-filtering system to:

identify packets comprising unencrypted data;

identify packets comprising encrypted data; and

determine, based on a portion of the unencrypted data corresponding to one or more network-threat indicators of the plurality of network-threat indicators, that the packets comprising encrypted data correspond to the one or more network-threat indicators.