WO2016209756A1 - Dns snooping to create ip address-based trust database used to select deep packet inspection and storage of ip packets - Google Patents
- Publication number: WO2016209756A1 (PCT/US2016/038319)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- domain name
- address
- destination
- trust
- processor
Classifications
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00 network security > H04L63/02 separating internal from external traffic, e.g. firewalls > H04L63/0227 filtering policies)
- G06F16/21: Design, administration or maintenance of databases (G06F16/00 information retrieval; database structures > G06F16/20 structured data, e.g. relational data)
- G06F16/84: Mapping; conversion (G06F16/00 information retrieval; database structures > G06F16/80 semi-structured data, e.g. SGML, XML or HTML)
- H04L61/4511: Network directories; name-to-address mapping using standardised directory access protocols, using the domain name system [DNS] (H04L61/00 addressing or naming > H04L61/45 network directories > H04L61/4505 standardised directories)
- H04L61/5007: Internet protocol [IP] addresses (H04L61/00 addressing or naming > H04L61/50 address allocation)
- H04L63/0245: Filtering by information in the payload (H04L63/00 network security > H04L63/02 firewalls > H04L63/0227 filtering policies)
- H04L69/22: Parsing or analysis of headers (H04L69/00 arrangements independent of the application payload)
- H04L69/329: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7] (H04L69/30 layered protocol stacks > H04L69/32 OSI 7-layer type stacks > H04L69/322 intralayer protocols / PDU definitions)
Definitions
- The present disclosure relates to selection of deep packet inspection (DPI) of data packets and storage thereof for security purposes.
- A network device that performs security functions is commonly used to protect networks, servers, and clients.
- A security function performed by a firewall on a flow of data packets passing through the firewall is Deep Packet Inspection (DPI).
- DPI occurs at the application layer, i.e., layer 7, of the Open System Interconnection (OSI) model.
- Layer 7 DPI is generally resource-intensive because all of the data packets associated with a particular data packet flow need to be parsed down to layer 7 in real-time.
- Experience shows that some reputable websites such as google.com and yahoo.com can be trusted, and thus a security-motivated layer 7 DPI on data packet flows from such websites may not be necessary. In such cases, performing layer 7 DPI wastes resources.
- The network device may also gather data packets or portions thereof and store the gathered information to repositories for subsequent access by security-related analytics, reporting, forensics, and so on.
- In a packet data flow, to determine which data packets include information that should be stored to the repositories, e.g., to discover which packets include information deemed suspicious or that poses a security risk, the network security device generally performs DPI on all of the data packets, even though many may originate from reputable or trustworthy sources. Performing DPI on all of the data packets, including those from reputable sources, wastes resources.
- FIG. 1 is a block diagram of a network environment in which techniques presented herein may be implemented, according to an example embodiment.
- FIG. 2 is a block diagram of a network device configured to implement the techniques presented herein, according to an example embodiment.
- FIG. 3 is a block diagram of an arrangement of various devices from the network environment of FIG. 1 interconnected by various flows indicative of operations performed to create an Internet Protocol (IP) address-based reputation/category or "trust" database, according to an example embodiment.
- FIG. 4 is a flowchart of operations used to create the IP address-based trust database, according to an example embodiment.
- FIG. 5 is an illustration of an example of a domain name-based reputation/category or "trust" database, according to an example embodiment.
- FIG. 6 is an illustration of an example of the IP address-based trust database created using the operations of FIG. 4, according to an example embodiment.
- FIG. 7 is a block diagram of an arrangement of various devices shown in the network environment of FIG. 1 interconnected by flows indicative of operations performed to implement call processing based on the IP address-based trust database, according to an example embodiment.
- FIGs. 8A and 8B illustrate a flowchart of operations used to perform call processing based on the IP address-based trust database, according to an example embodiment.
- FIG. 9 is a flowchart of a generalized method that combines operations from FIGs. 4, 8A, and 8B, according to an example embodiment.
- Client devices communicate with a network through a network device.
- An Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address is created at the network device.
- An IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name is intercepted.
- The domain name trust metric mapped to the destination IP address is retrieved from the IP address-based trust database.
- IP packets received from the destination IP address are processed based on the retrieved domain name trust metric and a predetermined trust metric criterion.
- Network environment 100 includes a network device 102, such as a network switch, a network router, or a network security device or appliance (e.g., a firewall), or a combination thereof, connected to a local network 104, such as a local area network (LAN), and a communication network 106 that may include one or more wide area networks (WANs), such as the Internet, and one or more local area networks (LANs).
- Local network 104 includes client devices client1-clientN (also referred to as "clients" client1-clientN), which may include computer devices and/or applications hosted on computer devices that communicate with communication network 106 through network device 102.
- Network device 102 also communicates with one or more local storage collectors or repositories 108 to store information provided by the network device.
- Collectors 108 include large memory stores and may be part of local network 104 or separately connected to network device 102.
- Network environment 100 also includes various resources connected with communication network 106 and thus accessible to network device 102 and clients client1-clientN through the network device, including: a Domain Name System (DNS) server 110 that stores network domain name-based databases that map various network domain names to corresponding Internet Protocol (IP) addresses for accessing resources (e.g., sources of content, such as content servers) associated with the domain names; a reputation server 112 that stores databases that map domain name reputations and/or domain name categories to corresponding domain names; various content servers CS1, CS2 that represent network-accessible resources (e.g., sources of content) associated with corresponding domain names (e.g., domain name1 and domain name2, respectively) and that are accessible using the IP addresses associated with the domain names; and a management or central server 120 to provide control information to network device 102 that is used in embodiments described herein.
- Clients client1-clientN establish connections with content servers (e.g., content servers CS1, CS2) through network device 102 and then exchange IP packets with the content servers through the network device.
- Network device 102 may perform resource-intensive layer 7 DPI on some of the IP packets flowing from content servers; however, much of the content hosted by reputable content sources, e.g., websites, can be trusted because the sources are associated with a trusted domain name, thus layer 7 DPI on IP packets from such sources can be avoided. Accordingly, embodiments presented herein determine in an efficient manner whether to avoid layer 7 DPI on IP packets originated from content servers associated with domain names having corresponding domain name reputations.
- Network device 102 may store to collectors 108 security-relevant portions of IP packets "of interest" originated from content servers (e.g., content servers CS1, CS2).
- An IP packet "of interest" is one that originates from a known threat source (e.g., a threat server) or contains information of interest from a network security perspective. Such information of interest is often found at layer 7 of the IP packet.
- Network device 102 may perform layer 7 DPI on all IP packets regardless of where they originated to determine which of the IP packets contain information of interest and thus should be stored to collectors 108. This wastes resources because many content sources are known to be trustworthy and layer 7 DPI on IP packets from such sources can be avoided. Accordingly, further embodiments herein determine whether the IP packets are of interest and thus should be stored to collectors 108, without performing layer 7 DPI on all of the IP packets.
- Network device 102 initially creates an IP address-based reputation/category or "trust" database 122 having entries that map IP addresses associated with domain names to respective reputations and categories of the domain names.
- Network device 102 (i) downloads information from reputation server 112 into a domain name-based reputation/category or "trust" database 126 that maps domain names to respective reputations and categories, which are "trust metrics" indicative of domain name trustworthiness from a network security perspective, (ii) intercepts or "snoops" DNS transactions that clients client1-clientN use to resolve domain names to IP addresses associated with the domain names, and (iii) combines the reputations and categories (corresponding to the snooped domain names) with snooped IP addresses associated with the domain names to create entries in IP address-based trust database 122.
- IP address-based trust database 122 indicates different levels of trust for different IP addresses (associated with different domain names) based on reputations and/or categories associated with the IP addresses.
- Once network device 102 creates IP address-based trust database 122, the network device uses that database to determine whether IP packets flowing from a source (e.g., a content server) associated with a domain name should be subjected to layer 7 DPI and/or stored to collectors 108, based on the IP address of the source indicated in IP packets originated at the source and the reputation and/or category stored in the entries of database 122.
- Network device 102 includes a network interface unit 205 configured to enable network communications so as to send messages to and receive messages from communication network 106, local network 104, and collectors 108.
- Processors 210 are provided that execute software stored in memory 220.
- Processor(s) 210 include, for example, one or more microprocessors and/or microcontrollers.
- Memory 220 stores instructions for software that are executed by processor(s) 210 to perform the methods described herein.
- Memory 220 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices.
- Memory 220 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions; when the software is executed (by the processor(s) 210), it is operable to perform the operations described herein.
- Memory 220 may store control logic 235 (also referred to as "snooping logic") to implement methods described herein.
- FIG. 3 is a block diagram of an arrangement 300 of network device 102, DNS server 110, and client1 interconnected by various enumerated flows to indicate message transactions and operations (collectively referred to as "operations") that are correspondingly enumerated in FIG. 4. A given flow in FIG.
- FIG. 4 is a flowchart of operations 400 (individually enumerated in FIG. 3) used to create IP address-based trust database 122.
- Network device 102 executes control logic 235 to perform various ones of the operations 400.
- The description of operations 400 references actions initiated and performed with respect to client1 and content server CS1 by way of example only; the description applies generally to any client and content server or other source of content.
- Network device 102 periodically downloads information from reputation server 112 into domain name-based trust database (DB) 126.
- Database 126 includes entries that each map a domain name to a respective domain name reputation and a respective domain name category, which are examples of domain name trust metrics.
- The "category" associated with a domain name may be based on the types of functions performed or services provided by the network-accessible resources (such as content servers) associated with the domain name.
- Database 126 is configured as a table.
- The rows of database 126 each correspond to a different domain name.
- Database 126 includes columns for domain name, reputation score (also referred to herein simply as "reputation"), and domain name category.
- The reputation of a given domain name may be any number in a range from 0 to 10, where 0 is the lowest reputation, indicative of a least trustworthy domain name, and 10 is the highest reputation, indicative of a most trustworthy domain name.
- The category of a given domain name includes a numerical value, but may also include a text description. For example, in the first row of database 126, the domain name www.google.com is assigned a reputation of 10 and a category of 1020 (search engine and portal).
- Before client1 can request content from content server CS1 associated with domain name1, the client initiates a DNS transaction to resolve domain name1 into an IP address through which the content server can be accessed.
- Client1 sends a DNS query indicating domain name1 to either a local DNS database (e.g., database 255) or, if the local database is unable to satisfy the DNS query, DNS server 110.
- A DNS reply including domain name1 taken from the DNS query and a resolved IP address associated with domain name1 is sent from DNS server 110 (or from local DNS database 255, e.g., via an application programming interface (API) associated with the local database) toward client1.
- Network device 102 intercepts and reviews or "snoops" the DNS reply.
- Network device 102 parses the "snooped" DNS reply packet to extract the domain name (e.g., domain name1) and the IP address therein (e.g., the IP address of content server CS1) associated with the domain name.
- Network device 102 uses the extracted or snooped domain name (e.g., domain name1) as an index into domain name-based trust database 126 to access the reputation and category for the domain name from the database.
- Network device 102 combines the IP address associated with the domain name, the domain name reputation, and the domain name category into an entry of IP address-based trust database 122 that maps the IP address to the domain name reputation and category and, in this way, creates the entry in the database.
- Network device 102 sends the DNS reply to client1 so that client1 can make subsequent content requests to content server CS1.
- FIG. 6 is an illustration of an example of IP address-based trust database 122.
- The rows or entries of database 122 each correspond to a different IP address associated with (i.e., used to access resources of) a respective domain name.
- Database 122 includes columns for: a snooped IP address associated with a given domain name; domain name reputation; domain name category; a creation/modification time recording the time and date when a given entry/row was created in the database; a querying client unique IP list, listing the IP addresses of querying clients (e.g., IP addresses for clients among client1-clientN that initiated DNS transactions for a given domain name); and, optionally, the domain name associated with the IP address.
- IP address-based trust database 122 is similar to domain name-based trust database 126, except that the IP address-based trust database replaces the domain name in the domain name field of the domain name-based trust database with the IP address associated with that domain name.
- More than one querying/client IP address may be associated with the same domain name (e.g., www.google.com) because many of clients client1-clientN may wish to connect with a content server of a given domain name.
- Network device 102 creates or updates an entry in IP address-based trust database 122 each time the network device snoops a new DNS transaction (DNS query/response). Once created, an entry in IP address-based trust database 122 may not be deleted even if the particular client that initiated the DNS query leading to that entry finishes its network activities (e.g., accessing the corresponding content server).
- Consequently, an entry in IP address-based trust database 122 for a particular content server may already exist before a next client initiates another DNS query to the domain name corresponding to that existing entry.
- The creation/modification time field in IP address-based trust database 122 may be used to purge older entries when the database grows too large. For example, entries whose times and dates indicate that they have been in IP address-based trust database 122 for over a predetermined age-out time may be deleted.
- DNS change malware protection of IP address-based trust database 122 may be implemented based on the client unique IP list field in the database. To implement this protection, each entry of the database is enabled only when a predetermined minimum number, e.g., 5, of queries from different clients for that entry are indicated in the client unique IP list field for that entry. This prevents a few, e.g., 5, clients among client1-clientN infected with DNS change malware from poisoning IP address-based trust database 122.
- Once network device 102 has created IP address-based trust database 122, the network device uses the database to assist with processing or handling flows between clients client1-clientN and various content servers (e.g., content servers CS1, CS2).
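The database-building steps above (snooping a DNS reply, parsing out the name and A-record address, indexing domain name-based database 126, writing an entry to IP address-based database 122 with its creation/modification time and querying-client list, the minimum-unique-clients enabling rule, and the age-out purge), as an added Python example. This is not code from the patent or its applicant: the DNS reply bytes are constructed in `build_reply`, the domain trust values, the `IpTrustDb` and `parse_dns_reply` names, the minimum of 5 clients and the age-out window are all assumptions made for the example.

```python
# Added example, not from the patent: build IP address-based trust database 122
# by snooping DNS replies and joining them with domain name-based database 126.
import struct
import time

# Constructed stand-in for database 126: domain -> (reputation 0..10, category).
# Values are illustrative, not the reputation server's real data.
DOMAIN_TRUST_DB = {
    "www.google.com": (10, 1020),   # search engine and portal
    "bad.example": (1, 2050),       # constructed low-reputation domain
}


def _read_name(msg, off):
    """Decode the DNS name at msg[off:], following compression pointers.
    Returns (dotted name, offset just past the name as written at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # name occupies 2 bytes here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns_reply(msg):
    """Return (question name, IPv4 strings from the A records) of a DNS reply."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question DNS response")
    qname, off = _read_name(msg, 12)
    off += 4                                            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, addrs


class IpTrustDb:
    """Database 122: snooped IP -> reputation, category, domain, modification
    time and the set of querying client IPs (the "client unique IP list")."""

    MIN_UNIQUE_CLIENTS = 5   # entry enabled only after this many distinct clients (constructed)

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so the age-out purge is testable
        self.entries = {}

    def snoop(self, reply_bytes, querying_client_ip):
        """Parse a snooped reply and create/update entries; returns the IPs learned."""
        domain, addrs = parse_dns_reply(reply_bytes)
        if domain not in DOMAIN_TRUST_DB:
            return []                                   # no trust metric for this domain
        reputation, category = DOMAIN_TRUST_DB[domain]
        for ip in addrs:
            entry = self.entries.setdefault(ip, {"domain": domain, "clients": set()})
            entry.update(reputation=reputation, category=category, modified=self.now())
            entry["clients"].add(querying_client_ip)
        return addrs

    def lookup(self, ip):
        """Return (reputation, category, domain), or None if unknown or not yet enabled."""
        entry = self.entries.get(ip)
        if entry is None or len(entry["clients"]) < self.MIN_UNIQUE_CLIENTS:
            return None
        return entry["reputation"], entry["category"], entry["domain"]

    def purge(self, max_age_seconds):
        """Delete entries whose modification time is older than the age-out window."""
        cutoff = self.now() - max_age_seconds
        stale = [ip for ip, e in self.entries.items() if e["modified"] < cutoff]
        for ip in stale:
            del self.entries[ip]
        return len(stale)


def build_reply(domain, ipv4):
    """Constructed DNS reply with one A record (not captured traffic), for the demo."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in domain.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = qname + struct.pack("!HH", 1, 1)                # A, IN
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata   # pointer to offset 12
    return header + question + answer


if __name__ == "__main__":
    db = IpTrustDb()
    reply = build_reply("www.google.com", "203.0.113.10")
    for i in range(1, 6):                               # five distinct querying clients
        db.snoop(reply, f"10.0.0.{i}")
    print(db.lookup("203.0.113.10"))                    # (10, 1020, 'www.google.com')
```

The entry keeps only the metric fields the patent names; `lookup` returns None until the client unique IP list reaches the minimum, which is what keeps a handful of DNS-changer-infected clients from enabling a poisoned entry, and `purge` applies the age-out rule to the creation/modification time.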
- With reference to FIGs. 7 and 8, the process by which network device 102 uses IP address-based trust database 122 to determine whether (e.g., layer 7) DPI should be performed on IP packets in a call flow and/or whether the IP packets (or portions thereof) should be stored in collectors 108 is now described.
- FIG. 7 is a block diagram of an example arrangement 700 of network device 102, DNS server 110, and client1 interconnected by various enumerated flows to indicate message transactions and operations (collectively "operations") that are correspondingly enumerated in FIGs. 8A and 8B.
- A given flow in FIG. 7 may coincide with reference numerals indicating multiple operations associated with that flow.
- FIGs. 8A and 8B are a flowchart of operations 800 (individually enumerated in FIG. 7) used to determine whether (e.g., layer 7) DPI should be performed on IP packets in a call flow and/or whether the IP packets (or portions thereof) should be stored in collectors 108.
- The description of operations 800 references actions initiated and performed with respect to client1 and content server CS1 by way of example only; the description applies generally to any client and content server or other source of content.
- The operations of FIGs. 8A and 8B are performed after those of FIG. 4. Therefore, prior to the operations of FIGs. 8A and 8B, client1 has already resolved a domain name of interest (e.g., domain name1) to an IP address of a source of content (e.g., content server CS1) for that domain name. Operations 800 continue from that point in time.
- Predetermined configuration information 712, including a predetermined reputation threshold for performing DPI and a predetermined category range, is configured on network device 102 through management server 120 using a command line interface or a user interface, for example.
- Client1 sends an initial IP packet (e.g., a Transmission Control Protocol (TCP) SYN packet) to connect to content server CS1.
- Network device 102 intercepts the initial IP packet from client1 and creates a flow data structure 725 (also referred to more simply as a "flow structure" 725) to maintain stateful information for an anticipated connection between client1 and content server CS1.
- Flow structure 725 is keyed with the 5-tuple: source IP address (e.g., the address of requesting client1), destination IP address (e.g., the IP address of content source CS1), source and destination ports of network device 102, and the communication protocol to be used over the connection.
- Network device 102 may also store in flow structure 725 certain security information that may be forwarded to collectors 108.
- Such security information may include the domain name, the reputation, and the category (e.g., of the domain name associated with content server CS1).
- Network device 102 uses the destination IP address (e.g., of content server CS1) in the intercepted IP packet to retrieve the reputation, the category, and the domain name (if available) for that IP address from IP address-based trust database 122.
- Even further security information may include information that maps between a content source IP (e.g., the destination IP for content server CS1), a source user name, and a source user group, which may be ascertained through user authentication or access to an external database such as an Authentication, Authorization, and Accounting (AAA) server (not shown in the Figures).
- Network device 102 accesses predetermined configuration information 712, including the predetermined reputation threshold and the predetermined category range.
- Network device 102 retrieves from IP address-based trust database 122 the reputation corresponding to the destination IP address (e.g., the reputation of content server CS1).
- Network device 102 determines whether to perform DPI on IP packets subsequently received from the destination IP address based on the retrieved reputation and the predetermined reputation threshold. For example, network device 102 compares the retrieved reputation to the predetermined reputation threshold.
- If the retrieved reputation is greater than the predetermined reputation threshold, network device 102 declares that DPI should not be performed and sets a "DPI needed" flag in flow structure 725 to "No." If the retrieved reputation is less than or equal to the predetermined reputation threshold, network device 102 declares that DPI should be performed and sets the "DPI needed" flag in flow structure 725 to "Yes."
- Network device 102 retrieves from IP address-based trust database 122 the category corresponding to the destination IP address (e.g., the category of content server CS1).
- Network device 102 determines whether to store to collectors 108 records that include the above-mentioned security information and portions of IP packets (e.g., IP packet header information) subsequently received from the destination IP address, based on the retrieved category and/or the retrieved reputation.
- Network device 102 may determine whether to store the records using the following example rules:
  - a. Store the records only if the reputation falls into a predetermined reputation range, e.g., between 0 and 4, inclusive.
  - b. Store the records only if the category belongs to one or more predetermined categories, e.g., adult or hacking.
  - c. Store the records only for a certain source user name or source user group.
  - d. Store the records to different collectors among collectors 108 based on reputation and category. For example, store records associated with a reputation below 5 to a first one of collectors 108 and store records associated with a reputation of 5 or above to a second one of the collectors.
  - e. Store the records based on various combinations of rules (a)-(d).
- The initial IP packet is sent to content server CS1, which replies, and a client-server connection between client1 and content server CS1 is established.
- Client1 issues a content request, such as a Hypertext Transfer Protocol (HTTP) GET, for example, which is received at network device 102.
- Network device 102 forwards the content request to content server CS1 without inspection.
- Content server CS1 sends a reply (e.g., sends an IP packet that indicates "200 OK" for the HTTP GET).
- Network device 102 receives the reply from content server CS1. To process the reply, the network device accesses information in flow structure 725 based on the 5-tuple indicated as IP header information in the reply. If the "DPI needed" flag in flow structure 725 is set to "No," network device 102 does not perform DPI on the reply. If the "DPI needed" flag is set to "Yes," network device 102 performs DPI. Subsequent IP packets flowing from content server CS1 to client1 are handled similarly.
- Network device 102 passes the reply to client1.
- If it is determined that network device 102 should send a record for the reply to collectors 108 based on one or more of the rules (a)-(d) mentioned above, the network device sends the record to the collectors. Otherwise, network device 102 does not send the record to collectors 108. Subsequent IP packets flowing from content server CS1 to client1 are handled similarly.
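The call-processing procedure of FIGs. 7, 8A and 8B (flow structure 725 keyed by the 5-tuple, the "DPI needed" decision against the reputation threshold, the storage rules (a)-(d) and the per-packet handling of server replies), as an added Python example rather than code from the patent or its applicant. The trust database contents, configuration 712 values, category codes, the `FlowTable` and `FlowStructure` names, and the choice to inspect unknown destinations and to combine rules (a)-(c) with OR are all assumptions made for this example.

```python
# Added example, not from the patent: call processing of FIGs. 7, 8A and 8B.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for IP address-based trust database 122.
IP_TRUST_DB = {
    "203.0.113.10": {"reputation": 10, "category": 1020, "domain": "www.google.com"},
    "198.51.100.7": {"reputation": 2, "category": 2050, "domain": "bad.example"},
}

# Constructed configuration information 712 (values chosen for this example).
CONFIG = {
    "dpi_reputation_threshold": 5,         # DPI is skipped only when reputation > threshold
    "store_reputation_range": (0, 4),      # rule (a), inclusive
    "store_categories": {2050},            # rule (b): constructed "hacking" category code
    "store_user_groups": {"contractors"},  # rule (c)
    "collector_split": 5,                  # rule (d): reputation < 5 -> collector 0, else 1
}


@dataclass
class FlowStructure:
    """Flow structure 725: state kept per anticipated client-server connection."""
    key: tuple                 # (src_ip, dst_ip, src_port, dst_port, proto)
    dpi_needed: bool
    store_records: bool
    collector: Optional[int]
    security_info: dict


class FlowTable:
    def __init__(self, trust_db, config):
        self.trust_db, self.config, self.flows = trust_db, config, {}

    def on_client_syn(self, src_ip, dst_ip, src_port, dst_port, proto,
                      user=None, group=None):
        """Client->server initial packet: create the flow structure and set its flags."""
        key = (src_ip, dst_ip, src_port, dst_port, proto)
        entry = self.trust_db.get(dst_ip)
        reputation = entry["reputation"] if entry else None
        category = entry["category"] if entry else None
        # An unknown destination has no trust metric, so it is inspected (example's choice).
        dpi_needed = reputation is None or reputation <= self.config["dpi_reputation_threshold"]
        store, collector = self._storage_decision(reputation, category, group)
        info = {"domain": entry["domain"] if entry else None, "reputation": reputation,
                "category": category, "user": user, "group": group}
        flow = FlowStructure(key, dpi_needed, store, collector, info)
        self.flows[key] = flow
        return flow

    def _storage_decision(self, reputation, category, group):
        """Rules (a)-(c) decide whether to store; rule (d) picks the collector.
        OR-ing (a)-(c) is the rule (e) combination chosen for this example."""
        if reputation is None:
            return False, None
        lo, hi = self.config["store_reputation_range"]
        rule_a = lo <= reputation <= hi
        rule_b = category in self.config["store_categories"]
        rule_c = group in self.config["store_user_groups"]
        store = rule_a or rule_b or rule_c
        collector = (0 if reputation < self.config["collector_split"] else 1) if store else None
        return store, collector

    def on_server_packet(self, src_ip, dst_ip, src_port, dst_port, proto, header_summary):
        """Server->client packet: find the flow by the reversed 5-tuple and apply its
        flags, so only layer 3/4 header fields are needed for the decision."""
        flow = self.flows.get((dst_ip, src_ip, dst_port, src_port, proto))
        if flow is None:
            return {"action": "inspect", "record": None}   # no state: fall back to DPI
        record = None
        if flow.store_records:
            record = {"collector": flow.collector, "header": header_summary, **flow.security_info}
        return {"action": "inspect" if flow.dpi_needed else "pass", "record": record}


if __name__ == "__main__":
    table = FlowTable(IP_TRUST_DB, CONFIG)
    table.on_client_syn("10.0.0.5", "203.0.113.10", 51000, 443, "tcp")
    table.on_client_syn("10.0.0.6", "198.51.100.7", 51001, 80, "tcp")
    print(table.on_server_packet("203.0.113.10", "10.0.0.5", 443, 51000, "tcp", "200 OK"))
    print(table.on_server_packet("198.51.100.7", "10.0.0.6", 80, 51001, "tcp", "200 OK"))
```

The reply from the high-reputation server is passed without DPI and produces no collector record; the reply from the low-reputation server is inspected and a record carrying the flow's security information goes to the first collector under rule (d). A destination with no entry in the database is inspected, which is the conservative default for a missing metric.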
- FIG. 9 is a flowchart of an example generalized method 900 of creating and using IP address-based trust database 122.
- Domain name reputation and category are considered examples of domain name trustworthiness metrics (more simply referred to as "trust metrics").
- The operations of method 900 include various operations described above in connection with FIGs. 4, 8A, and 8B.
- Network device 102 creates IP address-based trust database 122 that maps IP addresses each to a respective trust metric (e.g., reputation and/or category) for a domain name associated with the IP address.
- Network device 102 intercepts an IP packet sent from a client device (e.g., from one of clients client1-clientN) to network 106 and that indicates a destination IP address for a network-accessible resource (e.g., a content server that sources content) associated with a domain name.
- Network device 102 uses the destination IP address in the intercepted IP packet to retrieve from IP address-based trust database 122 the trust metric (reputation/category) mapped to the destination IP address.
- Network device 102 also retrieves predetermined configuration information 712 (e.g., the predetermined reputation threshold and/or the predetermined category range).
- Predetermined configuration information 712 is also referred to as predetermined trust metric criteria or constraints, e.g., the reputation threshold is a first predetermined trust metric criterion and the category range is a second predetermined trust metric criterion.
- Network device 102 processes IP packets received from the destination IP address based on the retrieved trust metric (e.g., domain name reputation and/or category) and predetermined configuration information 712 (e.g., the predetermined reputation threshold and/or the predetermined category range). For example, network device 102 determines whether to perform DPI on the IP packets and/or whether to store IP packets and related security information to collectors 108.
- DNS snooping is used to learn the mapping between a domain name and its IP address.
- the mapping helps a firewall build an IP address-based trust database (e.g., IP address-based reputation/category database), which is consulted to determine the reputation for the flow packets from a content server. If the reputation is larger than a configured threshold value, server packet inspection can be safely skipped. Since the IP address-based trust database is keyed/indexed by the server IP address, the server packets only need to be parsed up to layer 3 (the IP layer) to obtain a reputation. This greatly improves firewall performance in making a real-time decision on whether an inspection is required. Conventional techniques require the IP packets to be parsed up to layer 7 to decide whether an inspection is needed.
- the DNS snooping may also be used to build the IP address-based trust database so that its content can be used for deciding whether to store received IP packet related records. This approach avoids the need for performing DPI on packets in a flow of data packets to determine whether the packets or information related thereto is to be stored to collectors.
- the generation and sending of the records to a collector can be further filtered based on security information for the flow of packets.
- a method comprising: at a network device through which client devices communicate with a network: creating an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercepting an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieving from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and processing IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
- in another form, an apparatus includes a network interface unit configured to communicate with client devices over a network; and a processor coupled to the network interface unit and configured to: create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
- a non-transitory processor readable medium stores instructions that, when executed by a processor, cause the processor to: create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
Abstract
At a network device through which client devices communicate with a network, a database is created that maps Internet Protocol (IP) addresses each to a respective trust metric for a domain name associated with the IP address. An IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name is intercepted. Using the destination IP address in the intercepted IP packet, the domain name trust metric mapped to the destination IP address is retrieved from the database. IP packets received from the destination IP address are processed based on the retrieved domain name trust metric and a predetermined trust metric criterion.
Description
DNS SNOOPING TO CREATE IP ADDRESS-BASED TRUST DATABASE USED TO SELECT DEEP PACKET INSPECTION AND STORAGE OF IP PACKETS
TECHNICAL FIELD
[001] The present disclosure relates to selection of deep packet inspection (DPI) of data packets and storage thereof for security purposes.
BACKGROUND
[002] A network device that performs security functions, such as a firewall, is commonly used to protect networks, servers, and clients. A security function performed by a firewall on a flow of data packets passing through the firewall is Deep Packet Inspection (DPI). Often, DPI occurs at the application layer, i.e., layer 7, of the Open System Interconnection (OSI) model. Layer 7 DPI is generally resource-intensive because all of the data packets associated with a particular data packet flow need to be parsed down to layer 7 in real-time. On the other hand, experience shows that some reputable websites such as google.com and yahoo.com can be trusted, and thus a security -motivated layer 7 DPI on data packet flows from such websites may not be necessary. In such cases, performing layer 7 DPI wastes resources.
[003] The network device may also gather data packets or portions thereof and store the gathered information to repositories for subsequent access by security-related analytics, reporting, forensics, and so on. In a packet data flow, to determine which data packets include information that should be stored to the repositories, e.g., to discover which packets include information deemed suspicious or that poses a security risk, the network security device generally performs DPI on all of the data packets, even though many may originate from reputable or trustworthy sources. Performing DPI on all of the data packets, including those from reputable sources, wastes resources.
BRIEF DESCRIPTION OF THE DRAWINGS
[004] FIG. 1 is a block diagram of a network environment in which techniques presented herein may be implemented, according to an example embodiment.
[005] FIG. 2 is a block diagram of a network device configured to implement the techniques presented herein, according to an example embodiment.
[006] FIG. 3 is a block diagram of an arrangement of various devices from the network environment of FIG. 1 interconnected by various flows indicative of operations performed to create an Internet Protocol (IP) address-based reputation/category or "trust" database, according to an example embodiment.
[007] FIG. 4 is a flowchart of operations used to create the IP address-based trust database, according to an example embodiment.
[008] FIG. 5 is an illustration of an example of a domain name-based reputation/category or "trust" database, according to an example embodiment.
[009] FIG. 6 is an illustration of an example of the IP address-based trust database created using the operations of FIG. 4, according to an example embodiment.
[010] FIG. 7 is a block diagram of an arrangement of various devices shown in the network environment of FIG. 1 interconnected by flows indicative of operations performed to implement call processing based on the IP address-based trust database, according to an example embodiment.
[011] FIGs. 8A and 8B illustrate a flowchart of operations used to perform call processing based on the IP address-based trust database, according to an example embodiment.
[012] FIG. 9 is a flowchart of a generalized method that combines operations from FIGs. 4, 8A, and 8B, according to an example embodiment.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
[013] Client devices communicate with a network through a network device. An Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address is created at the network device. An IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name is intercepted. Using the destination IP address in the intercepted IP packet, the domain name trust metric mapped to the destination IP address is retrieved from the IP address-based trust database. IP packets received from the destination IP address are processed based on the retrieved domain name trust metric and a predetermined trust metric criterion.
Example Embodiments
[014] Referring first to FIG. 1, there is shown a block diagram of an example network environment 100 in which embodiments presented herein may be implemented. Network environment 100 includes a network device 102, such as a network switch, a network router, or a network security device or appliance (e.g., a firewall), or a combination thereof, connected to a local network 104, such as a local area network (LAN), and a communication network 106 that may include one or more wide area networks (WANs), such as the Internet, and one or more local area networks (LANs). Local network 104 includes client devices client1-clientN (also referred to as "clients" client1-clientN), which may include computer devices and/or applications hosted on computer devices that communicate with communication network 106 through network device 102. Network device 102 also communicates with one or more local storage collectors or repositories 108 to store information provided by the network device. Collectors 108 include large memory stores and may be part of local network 104 or separately connected to network device 102.
[015] Network environment 100 also includes various resources connected with communication network 106 and thus accessible to network device 102 and clients client1-clientN through the network device, including: a Domain Name System (DNS) server 110 that stores network domain name-based databases that map various network domain names to corresponding Internet Protocol (IP) addresses for accessing resources (e.g., sources of content, such as content servers) associated with the domain names; a reputation server 112 that stores databases that map domain name reputations and/or domain name categories to corresponding domain names; various content servers CS1, CS2 that represent network-accessible resources (e.g., sources of content) associated with corresponding domain names (e.g., domain name1 and domain name2, respectively) and that are accessible using the IP addresses associated with the domain names; and a management or central server 120 to provide control information to network device 102 that is used in embodiments described herein. For convenience, only two content servers are shown in FIG. 1; however, there will typically be a large number of content servers connected with communication network 106.
[016] Clients client1-clientN establish connections with content servers (e.g., content servers CS1, CS2) through network device 102 and then exchange IP packets with the content servers through the network device. In support of network security operations, network device 102 may perform resource-intensive layer 7 DPI on some of the IP packets flowing from content servers; however, much of the content hosted by reputable content sources, e.g., websites, can be trusted because the sources are associated with a trusted domain name, so layer 7 DPI on IP packets from such sources can be avoided. Accordingly, embodiments presented herein determine in an efficient manner whether to avoid layer 7 DPI on IP packets originated from content servers associated with domain names having corresponding domain name reputations.
[017] In further support of network security operations, network device 102 may store to collectors 108 security-relevant portions of IP packets "of interest" originated from content servers (e.g., content servers CS1, CS2). An IP packet "of interest" is one that originates from a known threat source (e.g., threat server) or contains information of interest from a network security perspective. Such information of interest is often found at layer 7 of the IP packet. In one approach, network device 102 may perform layer 7 DPI on all IP packets regardless of where they originated to determine which of the IP packets contain information of interest and thus should be stored to collectors 108. This wastes resources because many content sources are known to be trustworthy and layer 7 DPI on IP packets from such sources can be avoided. Accordingly, further embodiments herein determine whether the IP packets are of interest and thus should be stored to collectors 108, without performing layer 7 DPI on all of the IP packets.
[018] At a high level, network device 102 initially creates an IP address-based reputation/category or "trust" database 122 having entries that map IP addresses associated with domain names to respective reputations and categories of the domain names. To create IP address-based trust database 122, network device 102 (i) downloads information from reputation server 112 into a domain name-based reputation/category or "trust" database 126 that maps domain names to respective reputations and categories, which are "trust metrics" indicative of domain name trustworthiness from a network security perspective, (ii) intercepts or "snoops" DNS transactions that clients client1-clientN use to resolve domain names to IP addresses associated with the domain names, and (iii) combines the reputations and categories (corresponding to the snooped domain names) with snooped IP addresses associated with the domain names to create entries in IP address-based trust database 122. Thus, IP address-based trust database 122 indicates different levels of trust for different IP addresses (associated with different domain names) based on reputations and/or categories associated with the IP addresses. Once network device 102 creates IP address-based trust database 122, the network device uses that database to determine whether IP packets flowing from a source (e.g., a content server) associated with a domain name should be subjected to layer 7 DPI and/or stored to collectors 108, based on the IP address of the source indicated in IP packets originated at the source and the reputation and/or category stored in the entries of database 122.
[019] With reference to FIG. 2, there is a block diagram of network device 102 configured to implement the embodiments described herein, according to an example embodiment. Network device 102 includes a network interface unit 205 configured to enable network communications so as to send messages to and receive messages from communication network 106, local network 104, and collectors 108. One or more processors 210 are provided that execute software stored in memory 220. Processor(s) 210 include, for example, one or more microprocessors and/or microcontrollers. To this end, the memory 220 stores instructions for software stored in the memory that are executed by processor(s) 210 to perform the methods described herein.
[020] Memory 220 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory 220 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions and when the software is executed (by the processor(s) 210) it is operable to perform the operations described herein. Memory 220 may store control logic 235 (also referred to as "snooping logic") to implement methods described herein.
[021] In addition, memory 220 stores data 250 used and generated by the processor 210 when executing logic 235 described above. Data 250 may include IP address-based trust database 122, domain name-based trust database 126, and a DNS database 255 that stores local DNS records downloaded from DNS server 110.
[022] With reference to FIGs. 3 and 4 together, the process by which network device 102 creates IP address-based trust database 122 is now described. FIG. 3 is a block diagram of an arrangement 300 of network device 102, DNS server 110, and client1 interconnected by various enumerated flows to indicate message transactions and operations (collectively referred to as "operations") that are correspondingly enumerated in FIG. 4. A given flow in FIG. 3 may coincide with multiple reference numerals indicating multiple operations associated with that flow. FIG. 4 is a flowchart of operations 400 (individually enumerated in FIG. 3) used to create IP address-based trust database 122. Network device 102 executes control logic 235 to perform various ones of the operations 400. The description of operations 400 references actions initiated and performed with respect to client1 and content server CS1 by way of example only; the description applies generally to any client and content server or other source of content.
[023] At 310, network device 102 periodically downloads information from reputation server 112 into domain name-based trust database (DB) 126. Database 126 includes entries each to map a domain name to a respective domain name reputation and a respective domain name category, which are examples of domain name trust metrics. The "category" associated with a domain name may be based on the types of functions performed or services provided by the network-accessible resources (such as content servers) associated with the domain name.
[024] With reference to FIG. 5, there is an illustration of an example of domain name-based trust database 126 configured as a table. The rows of database 126 each correspond to a different domain name. Moving left-to-right, database 126 includes columns for domain name, reputation score (also referred to herein simply as "reputation"), and domain name category. In the example of FIG. 5, the reputation of a given domain name may be any number in a range from 0 to 10, where 0 is a lowest reputation indicative of a least trustworthy domain name and 10 is a highest reputation indicative of a most trustworthy domain name. The category of a given domain name includes a numerical value, but may also include a text description. For example, in the first row of database 126, the domain name www.google.com is assigned a reputation 10 and a category 1020 (search engine and portal).
[025] Returning to method 400, at 320, before client1 can request content from content server CS1 associated with domain name1, the client initiates a DNS transaction to resolve domain name1 into an IP address through which the content server can be accessed. To initiate the DNS transaction, client1 sends a DNS query indicating domain name1 to either a local DNS database (e.g., database 255) or, if the local database is unable to satisfy the DNS query, DNS server 110.
[026] At 330, a DNS reply including domain name1 taken from the DNS query and a resolved IP address associated with domain name1 is sent from DNS server 110 (or from local DNS database 255, e.g., via an application programming interface (API) associated with the local database) toward client1.
[027] At 340, network device 102 intercepts and reviews or "snoops" the DNS reply. Network device 102 parses the "snooped" DNS reply packet to extract the domain name (e.g., domain name1) and the IP address therein (e.g., the IP address of content server CS1) associated with the domain name. Network device 102 uses the extracted or snooped domain name (e.g., domain name1) as an index into domain name-based trust database 126 to access the reputation and category for the domain name from the database. As a result, network device 102 has the domain name, the IP address associated with the domain name, the domain name reputation, and the domain name category.
[028] At 350, network device 102 combines the IP address associated with the domain name, the domain name reputation, and the domain name category into an entry of IP address-based trust database 122 that maps the IP address to the domain name reputation and category and, in this way, creates the entry in the database. Although only one DNS transaction is snooped in this example, over time, network device 102 snoops many DNS transactions across clients client1-clientN to create many entries in database 122, where each entry maps an IP address associated with a domain name to a respective reputation and a respective category of the domain name.
[029] At 360, network device 102 sends the DNS reply to client1 so that client1 can make subsequent content requests to content server1.
[030] With reference to FIG. 6, there is an illustration of an example of IP address-based trust database 122. The rows or entries of database 122 each correspond to a different IP address associated with (i.e., used to access resources of) a respective domain name. Moving left-to-right, database 122 includes columns for a snooped IP address associated with a given domain name, domain name reputation, domain name category, a creation/modification time giving the time and date when a given entry/row was created in the database, a querying client unique IP list listing the IP addresses of querying clients (e.g., IP addresses for clients among client1-clientN that initiated DNS transactions for a given domain name), and a domain name associated with the IP address (this column is optional). IP address-based trust database 122 is similar to domain name-based trust database 126, except that the IP address-based trust database replaces the domain name in the domain name field of the domain name-based trust database with the IP address associated with that domain name.
[031] More than one querying/client IP address may be associated with the same domain name (e.g., www.google.com) because many of clients client1-clientN may wish to connect with a content server of a given domain name. As mentioned above, network device 102 creates or updates an entry in IP address-based trust database 122 each time the network device snoops a new DNS transaction (DNS query/response). Once created, an entry in IP address-based trust database 122 may not be deleted even if the particular client that initiated the DNS query leading to that entry finishes its network activities (e.g., accessing the corresponding content server). Therefore, it is likely that an entry in IP address-based trust database 122 for a particular content server may already exist before a next client initiates another DNS query to the domain name corresponding to that existing entry. The creation/modification time field in IP address-based trust database 122 may be used to purge older entries therein when the database grows too large. For example, entries having times and dates that indicate the entries have been in IP address-based trust database 122 for over a predetermined age-out time may be deleted.
[032] DNS change malware protection of IP address-based trust database 122 may be implemented based on the client unique IP list field in the database. To implement this protection, each entry of the database is enabled only when a predetermined minimum number, e.g., 5, of queries from different clients for that entry are indicated in the client unique IP list field for that entry. This prevents a few, e.g., fewer than 5, clients among client1-clientN infected with DNS change malware from poisoning IP address-based trust database 122.
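Operations 340 and 350 together with the unique-client guard of [032], as an added Python example that is not code from the patent: a DNS reply is parsed for its question name and A records, the name is looked up in a domain name-based trust table, and an IP-keyed entry is created or refreshed, enabled only after a minimum number of distinct querying clients and aged out by its modification time. The reply bytes, the trust table, the constants MIN_UNIQUE_CLIENTS and AGE_OUT_SECONDS, and every function and class name are this example's own constructions.

```python
import struct
import time

# Constructed domain name-based trust database (FIG. 5 style):
# domain name -> (reputation 0..10, category code)
DOMAIN_TRUST_DB = {
    "www.google.com": (10, 1020),
    "www.bad-example.test": (1, 1500),   # constructed low-reputation domain
}

MIN_UNIQUE_CLIENTS = 5        # entry enabled only after this many distinct querying clients
AGE_OUT_SECONDS = 24 * 3600   # entries older than this are purged (constructed value)


def _read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_dns_reply(pkt):
    """Return (question name, [IPv4 addresses]) from a DNS response; only A records are collected."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off, qname, addrs = 12, None, []
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        qname = qname or name
        off += 4                                        # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return qname, addrs


class IPTrustDB:
    """IP address-based trust database (FIG. 6 style), keyed by the resolved server IP."""

    def __init__(self):
        self.entries = {}   # ip -> {"reputation", "category", "domain", "modified", "clients"}

    def snoop(self, pkt, client_ip, now=None):
        """Operations 340/350: snoop one DNS reply sent toward client_ip and create or refresh entries."""
        now = time.time() if now is None else now
        name, addrs = parse_dns_reply(pkt)
        if name not in DOMAIN_TRUST_DB:
            return []                                   # no trust metrics known for this domain
        rep, cat = DOMAIN_TRUST_DB[name]
        for ip in addrs:
            e = self.entries.setdefault(ip, {"domain": name, "clients": set()})
            e.update(reputation=rep, category=cat, modified=now)
            e["clients"].add(client_ip)                 # querying client unique IP list
        return addrs

    def lookup(self, ip):
        """Return (reputation, category, domain) for an enabled entry, else None."""
        e = self.entries.get(ip)
        if e is None or len(e["clients"]) < MIN_UNIQUE_CLIENTS:
            return None   # too few distinct clients: entry stays disabled (DNS change malware guard)
        return e["reputation"], e["category"], e["domain"]

    def purge(self, now=None):
        """Delete entries older than AGE_OUT_SECONDS; return how many were removed."""
        now = time.time() if now is None else now
        stale = [ip for ip, e in self.entries.items() if now - e["modified"] > AGE_OUT_SECONDS]
        for ip in stale:
            del self.entries[ip]
        return len(stale)


def build_dns_reply(name, addrs, txid=0x1234):
    """Construct a minimal DNS response (one A record per address) for offline testing."""
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = question + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    for a in addrs:
        body += b"\xc0\x0c"                             # name: pointer to the question at offset 12
        body += struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + body
```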
[033] Once network device 102 creates IP address-based trust database 122 in accordance with method 400, the network device uses the database to assist with processing or handling flows between clients client1-clientN and various content servers (e.g., content servers CS1, CS2). With reference to FIGs. 7 and 8, the process by which network device 102 uses IP address-based trust database 122 to determine whether (e.g., layer 7) DPI should be performed on IP packets in a call flow and/or whether the IP packets (or portions thereof) should be stored in collectors 108 is now described.
[034] FIG. 7 is a block diagram of an example arrangement 700 of network device 102, DNS server 110, and client1 interconnected by various enumerated flows to indicate message transactions and operations (collectively "operations") that are correspondingly enumerated in FIGs. 8A and 8B. A given flow in FIG. 7 may coincide with reference numerals indicating multiple operations associated with that flow. FIGs. 8A and 8B are a flowchart of operations 800 (individually enumerated in FIG. 7) used to determine whether (e.g., layer 7) DPI should be performed on IP packets in a call flow and/or whether the IP packets (or portions thereof) should be stored in collectors 108. The description of operations 800 references actions initiated and performed with respect to client1 and content server CS1 by way of example only; the description applies generally to any client and content server or other source of content.
[035] It is assumed that the operations of FIGs. 8A and 8B are performed after those of FIG. 4 are performed. Therefore, prior to the operations of FIGs. 8A and 8B, client1 has already resolved a domain name of interest (e.g., domain name1) to an IP address of a source of content (e.g., content server CS1) for that domain name. Operations 800 continue from that point in time.
[036] At 710, predetermined configuration information 712, including a predetermined reputation threshold for performing DPI and a predetermined category range, is configured on network device 102 through management server 120 using a command line interface or a user interface, for example.
[037] At 720, client1 sends an initial IP packet (e.g., a Transmission Control Protocol (TCP) SYN packet) to connect to content server CS1.
[038] At 730, network device 102 intercepts the initial IP packet from client1 and creates a flow data structure 725 (also referred to more simply as a "flow structure" 725) to maintain stateful information for an anticipated connection between client1 and content server CS1. Flow structure 725 is keyed with a 5-tuple: source IP address (e.g., the address of requesting client1), destination IP address (e.g., the IP address of content source CS1), source and destination ports of network device 102, and a communication protocol to be used over the connection.
[039] In addition, network device 102 may also store in flow structure 725 certain security information that may be forwarded to collectors 108. Such security information may include the domain name, the reputation, and the category (e.g., of the domain name associated with content server CS1). To access this security information, network device 102 uses the destination IP address (e.g., of content server CS1) in the intercepted IP packet to retrieve the reputation, the category, and the domain name (if available) for that IP address from IP address-based trust database 122. Even further security information may include information that maps between a content source IP (e.g., destination IP for content server CS1), a source user name, and a source user group, which may be ascertained through user authentication or access to an external database such as an Authentication, Authorization, and Accounting (AAA) server (not shown in the Figures).
[040] At 740, network device 102 accesses predetermined configuration information 712, including the predetermined reputation threshold and the predetermined category range.
[041] At 750, based on the destination IP address (of content server CS1) in the intercepted initial IP packet, network device 102 retrieves from IP address-based trust database 122 the reputation corresponding to the destination IP address (e.g., the reputation of content server CS1). Network device 102 determines whether to perform DPI on IP packets subsequently received from the destination IP address based on the retrieved reputation and the predetermined reputation threshold. For example, network device 102 compares the retrieved reputation to the predetermined reputation threshold. If the retrieved reputation is greater than the retrieved threshold, network device 102 declares that DPI should not be performed and sets a "DPI needed" flag in flow structure 725 to "No." If the retrieved reputation is less than or equal to the retrieved threshold, network device 102 declares that DPI should be performed and sets the "DPI needed" flag in flow structure 725 to "Yes."
[042] Also at 750, based on the destination IP address (e.g., of content server CS1) in the intercepted initial IP packet, network device 102 retrieves from IP address-based trust database 122 the category corresponding to the destination IP address (e.g., the category of content server CS1). Network device 102 determines whether to store to collectors 108 records that include the above-mentioned security information and portions of IP packets (e.g., IP packet header information) subsequently received from the destination IP address based on the retrieved category and/or the retrieved reputation. Network device 102 may determine whether to store the records using the following example rules:
a. Store the records only if the reputation falls into a predetermined reputation range, e.g., between 0 and 4, inclusive.
b. Store the records only if the category belongs to one or more predetermined categories, e.g., adult or hacking.
c. Store the records only for a certain source user name or source user group.
d. Store the records to different collectors among collectors 108 based on reputation and category. For example, store records associated with a reputation below 5 to a first one of collectors 108 and store records associated with a reputation above or equal to 5 to a second one of the collectors.
e. Store the records based on various combinations of rules (a)-(d).
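Operations 730 through 786 as an added Python example that is not code from the patent: a flow structure keyed by the 5-tuple is created on the initial packet, the "DPI needed" flag is set from the reputation threshold, and the storage rules (a) through (d) decide whether a record is sent and to which collector. The trust entries, threshold, category codes, user groups and collector names are constructed; rule (e) is realised here as "store when any of (a) to (c) matches", which is this example's own reading of "various combinations".

```python
from dataclasses import dataclass
from typing import Optional

# Constructed IP address-based trust entries: server IP -> (reputation, category, domain)
IP_TRUST_DB = {
    "203.0.113.10": (10, 1020, "www.google.com"),
    "203.0.113.66": (2, 1500, "www.bad-example.test"),
}

# Constructed predetermined configuration information 712
REPUTATION_THRESHOLD = 7             # DPI is skipped only when reputation > threshold
STORE_REPUTATION_RANGE = (0, 4)      # rule (a): inclusive reputation range that triggers storage
STORE_CATEGORIES = {1500, 1600}      # rule (b): constructed category codes (e.g. hacking, adult)
STORE_USER_GROUPS = {"contractors"}  # rule (c): source user groups that always trigger storage
LOW_REPUTATION_COLLECTOR = "collector-1"   # rule (d): reputation below 5
HIGH_REPUTATION_COLLECTOR = "collector-2"  # rule (d): reputation 5 or above


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass
class FlowStructure:
    """Flow structure 725: connection key, the DPI flag and the security information kept for collectors."""
    key: FiveTuple
    dpi_needed: bool
    reputation: Optional[int]
    category: Optional[int]
    domain: Optional[str]
    user_group: Optional[str] = None


def lookup_trust(ip):
    """Stand-in for a lookup in IP address-based trust database 122 (hypothetical helper)."""
    return IP_TRUST_DB.get(ip)


def create_flow(key, user_group=None):
    """Operations 730/750: build the flow structure for an initial packet and set the DPI needed flag."""
    entry = lookup_trust(key.dst_ip)
    if entry is None:
        # Destination not in the trust database: no metric to compare, so this example inspects
        # by default (an assumption; the text only describes destinations with an entry).
        return FlowStructure(key, True, None, None, None, user_group)
    rep, cat, domain = entry
    dpi_needed = not rep > REPUTATION_THRESHOLD       # "No" only when reputation exceeds threshold
    return FlowStructure(key, dpi_needed, rep, cat, domain, user_group)


def should_store(flow):
    """Rules (a)-(e): return the collector to send a record to, or None when no record is stored."""
    rep, cat = flow.reputation, flow.category
    matched = (
        (rep is not None and STORE_REPUTATION_RANGE[0] <= rep <= STORE_REPUTATION_RANGE[1])  # (a)
        or cat in STORE_CATEGORIES                                                            # (b)
        or flow.user_group in STORE_USER_GROUPS                                               # (c)
    )
    if not matched:
        return None
    if rep is None or rep < 5:                         # (d): split collectors by reputation
        return LOW_REPUTATION_COLLECTOR
    return HIGH_REPUTATION_COLLECTOR


class FlowTable:
    """Flow structures indexed by the client-to-server 5-tuple."""

    def __init__(self):
        self.flows = {}

    def add(self, flow):
        self.flows[flow.key] = flow

    def handle_server_packet(self, reply_key):
        """Operations 782/786: match a server-to-client packet by the reversed 5-tuple and
        report whether DPI applies and where (if anywhere) a record goes."""
        key = FiveTuple(reply_key.dst_ip, reply_key.src_ip,
                        reply_key.dst_port, reply_key.src_port, reply_key.proto)
        flow = self.flows.get(key)
        if flow is None:
            return None                                # no flow structure: not a tracked connection
        return {"dpi": flow.dpi_needed, "collector": should_store(flow)}
```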
[043] At 760, the initial IP packet is sent to content server CS1, which replies, and a client-server connection between clientl and content server CS1 is established.
[044] At 770, after the client-server connection is established, clientl issues a content request such as Hypertext Transfer Protocol (HTTP) GET, for example, which is received at network device 102.
[045] At 780, network device 102 forwards the content request to content server CS1 without inspection. Content server CS1 sends a reply (e.g., sends an IP packet that indicates "200 OK" for HTTP GET).
[046] At 782, network device 102 receives the reply from content server CS1. To process the reply, network device 102 accesses information in flow structure 725 based on the 5-tuple indicated as IP header information in the reply. If the "DPI needed" flag in flow structure 725 is set to "No," network device 102 does not perform DPI on the reply. If the "DPI needed" flag is set to "Yes," network device 102 performs DPI. Subsequent IP packets flowing from content server CS1 to client1 are handled similarly.
[047] At 784, network device 102 passes the reply to client1.
[048] At 786, if it is determined that network device 102 should send a record for the reply to collectors 108 based on one or more of the rules (a)-(d) mentioned above, the network device sends the record to the collectors. Otherwise, network device 102 does not
send the record to collectors 108. Subsequent IP packets flowing from content server CS1 to clientl are handled similarly.
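The per-flow processing of steps 760-786 together with the record-storage rules (a)-(e), as an added Python example; this is not code from the patent or from any product it describes. It assumes a prebuilt IP address-based trust database (a constructed dict keyed by destination IP), a 0-10 reputation scale with an assumed threshold of 5, and constructed category names, user names and collector names. The `FlowEntry` and `NetworkDevice` classes are hypothetical stand-ins for flow structure 725 and network device 102; the rules are combined so that any of (a), (b) or (c) selects a record and (d) picks the collector, which is one of the combinations rule (e) allows.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed IP address-based trust database as this example assumes it:
# destination IP -> (reputation on a 0-10 scale, higher is more trusted; category name).
TRUST_DB: Dict[str, Tuple[int, str]] = {
    "203.0.113.10": (9, "news"),
    "203.0.113.20": (2, "hacking"),
    "198.51.100.5": (5, "adult"),
}

# Predetermined configuration information (values assumed for the example).
REPUTATION_THRESHOLD = 5                   # skip DPI only when reputation is above this
STORE_REPUTATION_RANGE = (0, 4)            # rule (a): reputation range that triggers a record
STORE_CATEGORIES = {"adult", "hacking"}    # rule (b): categories that trigger a record
STORE_USERS = {"contractor"}               # rule (c): source user names that trigger a record
COLLECTOR_LOW, COLLECTOR_HIGH = "collector-1", "collector-2"   # rule (d): split at reputation 5

FiveTuple = Tuple[str, int, str, int, int]   # (src_ip, src_port, dst_ip, dst_port, protocol)


@dataclass
class FlowEntry:
    """One entry of the flow structure: the DPI decision is made once, on the first client packet."""
    dpi_needed: bool
    reputation: Optional[int]
    category: Optional[str]
    user: str


@dataclass
class NetworkDevice:
    trust_db: Dict[str, Tuple[int, str]]
    flows: Dict[FiveTuple, FlowEntry] = field(default_factory=dict)
    collected: Dict[str, List[dict]] = field(default_factory=dict)
    dpi_count: int = 0   # server packets that went through (simulated) layer-7 inspection

    def on_client_packet(self, tup: FiveTuple, user: str) -> FlowEntry:
        """Initial client->server packet: key the trust database by destination IP and cache the decision."""
        metric = self.trust_db.get(tup[2])
        if metric is None:
            # Unknown destination: no trust metric, so inspection stays on (a conservative assumption).
            entry = FlowEntry(dpi_needed=True, reputation=None, category=None, user=user)
        else:
            rep, cat = metric
            # Inspect unless the reputation is strictly above the configured threshold.
            entry = FlowEntry(dpi_needed=rep <= REPUTATION_THRESHOLD, reputation=rep, category=cat, user=user)
        self.flows[tup] = entry
        return entry

    def on_server_packet(self, tup: FiveTuple, payload: bytes) -> Optional[str]:
        """Server->client reply: find the flow via the reversed 5-tuple, inspect only if flagged,
        then apply the record-storage rules. Returns the collector that received a record, if any."""
        src_ip, src_port, dst_ip, dst_port, proto = tup
        entry = self.flows.get((dst_ip, dst_port, src_ip, src_port, proto))
        if entry is None:
            raise KeyError("reply does not belong to a tracked flow")
        if entry.dpi_needed:
            self.dpi_count += 1   # stand-in for layer-7 inspection of the payload
        return self._maybe_store_record(entry, tup, len(payload))

    def _maybe_store_record(self, entry: FlowEntry, tup: FiveTuple, size: int) -> Optional[str]:
        """Rules (a)-(d) combined: any of (a), (b), (c) selects the record; (d) picks the collector.
        Flows without a trust metric produce no record (an assumption of this example)."""
        if entry.reputation is None:
            return None
        lo, hi = STORE_REPUTATION_RANGE
        selected = (lo <= entry.reputation <= hi
                    or entry.category in STORE_CATEGORIES
                    or entry.user in STORE_USERS)
        if not selected:
            return None
        collector = COLLECTOR_LOW if entry.reputation < 5 else COLLECTOR_HIGH
        self.collected.setdefault(collector, []).append(
            {"flow": tup, "bytes": size, "reputation": entry.reputation, "category": entry.category})
        return collector
```

The reply lookup reverses the 5-tuple of the client packet, so the device never re-evaluates the trust database for server packets; the decision cached at flow creation drives both the inspection and the collector choice for every subsequent packet in that flow.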
[049] The operations described above in connection with FIGs. 4, 8A and 8B that create IP address-based trust database 122 to map IP addresses to domain name reputations, and then use the database during flow processing to determine whether to perform DPI on IP packets, may be performed separately and independently of the operations that create IP address-based trust database 122 to map IP addresses to domain name categories and/or reputations, and then use the trust database to determine whether to store records associated with IP packets to collectors 108.
[050] With reference to FIG. 9, there is a flowchart of an example generalized method 900 of creating and using IP address-based trust database 122. In the ensuing description, domain name reputation and category are considered examples of domain name trustworthiness metrics (more simply referred to as "trust metrics"). The operations of method 900 include various operations described above in connection with FIGs. 4, 8A, and 8B.
[051] At 905, network device 102 creates IP address-based trust database 122 that maps IP addresses each to a respective trust metric (e.g., reputation and/or category) for a domain name associated with the IP address.
[052] At 910, network device 102 intercepts an IP packet sent from a client device (e.g., from one of clients client1-clientN) to network 106 that indicates a destination IP address for a network-accessible resource (e.g., a content server that sources content) associated with a domain name.
[053] At 915, network device 102 uses the destination IP address in the intercepted IP packet to retrieve from IP address-based trust database 122 the trust metric (reputation/category) mapped to the destination IP address. Network device 102 also retrieves predetermined configuration information 712 (e.g., the predetermined reputation threshold and/or the predetermined category range). Predetermined configuration information 712 is also referred to as predetermined trust metric criteria or constraints; e.g., the reputation threshold is a first predetermined trust metric criterion and the category range is a second predetermined trust metric criterion.
[054] At 920, network device 102 processes IP packets received from the destination IP address based on the retrieved trust metric (e.g., domain name reputation and/or category) and predetermined configuration information 712 (e.g., the predetermined reputation threshold and/or the predetermined category range). For example, network device 102 determines whether to perform DPI on the IP packets and/or whether to store IP packets and related security information to collectors 108.
[055] In summary, in one embodiment, DNS snooping is used to learn the mapping between a domain name and its IP address. The mapping helps a firewall build an IP address-based trust database (e.g., an IP address-based reputation/category database), which is consulted to determine the reputation for the flow packets from a content server. If the reputation is larger than a configured threshold value, server packet inspection can be safely skipped. Since the IP address-based trust database is keyed/indexed by the server IP address, the server packets only need to be parsed up to layer 3 (the IP layer) to obtain a reputation. This greatly improves firewall performance in making a real-time decision on whether an inspection is required. Conventional techniques require the IP packets to be parsed up to layer 7 to decide whether an inspection is needed.
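Steps 905 to 920 of method 900, including the DNS-snooping creation of the database and the layer-3-only lookup the summary describes, as an added Python example; this is not the patent's own code. The DNS reply, the domain name-based trust database (a reputation plus a numeric category, the representation claim 7 uses) and the IPv4 header are constructed sample inputs, and `build_dns_reply`, `parse_dns_reply`, `snoop_dns_reply`, `server_ip_from_ipv4_header` and `dpi_needed` are hypothetical names. Only A records in the answer section are mapped; other record types, and names absent from the domain database, add nothing. The parser follows the name-compression pointers of RFC 1035 so that it handles the form real resolvers emit, which is more general than the single-answer case the text walks through.

```python
import struct
from typing import Dict, List, Tuple

# Constructed domain name-based trust database: domain -> (reputation 0-10, category number).
DOMAIN_TRUST_DB: Dict[str, Tuple[int, int]] = {
    "news.example": (9, 1),
    "evil.example": (2, 7),
}

IpTrustDb = Dict[str, Tuple[str, int, int]]   # IP -> (domain, reputation, category)


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_reply(txid: int, qname: str, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed DNS response used as sample input: one A question and one A answer per IP.
    Answer owner names are compression pointers (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + _ip_bytes(ip) for ip in ips)
    return header + question + answers


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name starting at `off`; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2  # the name occupies only 2 bytes here
            off, hops = ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_reply(data: bytes) -> Tuple[str, List[str]]:
    """Return (question name, IPv4 addresses from A records in the answer section)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off, qname = 12, ""
    for _ in range(qd):
        name, off = _read_name(data, off)
        off += 4                                       # skip QTYPE and QCLASS
        qname = qname or name
    ips: List[str] = []
    for _ in range(an):
        _owner, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def snoop_dns_reply(reply: bytes, domain_db: Dict[str, Tuple[int, int]], ip_db: IpTrustDb) -> List[str]:
    """Step 905: copy the queried domain's trust metric onto every IP the reply resolves it to.
    Returns the IPs added or refreshed; domains absent from the domain database add nothing."""
    qname, ips = parse_dns_reply(reply)
    metric = domain_db.get(qname)
    if metric is None:
        return []
    for ip in ips:
        ip_db[ip] = (qname, metric[0], metric[1])
    return ips


def build_ipv4_header(src_ip: str, dst_ip: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options, checksum zero) standing in for a server packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))


def server_ip_from_ipv4_header(packet: bytes) -> str:
    """Layer-3-only parse: the source address is bytes 12-15 of the IPv4 header, so the trust
    database can be keyed without touching the transport or application layers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ".".join(str(b) for b in packet[12:16])


def dpi_needed(ip_db: IpTrustDb, server_packet: bytes, reputation_threshold: int) -> bool:
    """Steps 915/920 for the DPI decision: inspect unless the mapped reputation is strictly above
    the threshold. Addresses with no entry are inspected, an assumption of this example."""
    entry = ip_db.get(server_ip_from_ipv4_header(server_packet))
    return entry is None or entry[1] <= reputation_threshold
```

Because the database is populated from DNS replies the clients actually received, a server contacted without a preceding snooped resolution (a hard-coded IP, or a resolution that bypassed the device) has no entry; the example keeps inspection on for that case rather than treating the absence of a metric as trust.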
[056] The DNS snooping may also be used to build the IP address-based trust database so that its content can be used to decide whether to store records related to received IP packets. This approach avoids the need to perform DPI on packets in a flow of data packets to determine whether the packets, or information related to them, are to be stored to collectors. The generation and sending of the records to a collector can be further filtered based on security information for the flow of packets.
[057] In summary, in one form, a method is provided comprising: at a network device through which client devices communicate with a network: creating an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercepting an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieving from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and processing IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
[058] In another form, an apparatus is provided that includes a network interface unit configured to communicate with client devices over a network; and a processor coupled to the network interface unit and configured to: create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
[059] In yet another form, a non-transitory processor readable medium is provided. The processor readable medium stores instructions that, when executed by a processor, cause the processor to: create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address; intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name; using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
[060] The above description is intended by way of example only. Various modifications and structural changes may be made therein without departing from the scope of the concepts described herein and within the scope and range of equivalents of the claims.
Claims
1. A method comprising:
at a network device through which client devices communicate with a network: creating an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address;
intercepting an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
using the destination IP address in the intercepted IP packet, retrieving from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and
processing IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
2. The method of claim 1, wherein:
the creating includes creating the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
the retrieving includes retrieving from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
the processing includes:
determining, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
upon determining that deep packet inspection should not be performed, passing the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
3. The method of claim 2, wherein the processing further comprises:
upon determining that deep packet inspection should be performed, performing deep packet inspection on the IP packets received from the destination IP address.
4. The method of claim 2, wherein the deep packet inspection includes Open System Interconnection (OSI) layer 7 inspection.
5. The method of claim 2, wherein the determining includes:
comparing the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
if the comparing indicates that the domain name reputation is equal to or below the domain name reputation threshold, declaring that deep packet inspection should be performed; and
if the comparing indicates that the domain name reputation is above the domain name reputation threshold, declaring that deep packet inspection should not be performed.
6. The method of claim 1, wherein:
the creating includes creating the IP address-based trust database to map IP addresses each to a respective domain name category that represents the respective trust metric for the domain name;
the retrieving includes retrieving from the IP address-based trust database the domain name category mapped to the destination IP address; and
the processing includes:
determining, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to a data store;
upon determining to send the header information in each of the IP packets to the data store, sending the header information in each of the IP packets to the data store; and
upon determining not to send the header information in each of the IP packets to the data store, not sending the header information in each of the IP packets to the data store.
7. The method of claim 6, wherein:
each domain name category is represented as a number; and
the determining includes:
comparing the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category falls within the predetermined number range;
if the comparing indicates that the domain name category falls within the number range, declaring that the header information should be sent to the data store; and
if the comparing indicates that the domain name category does not fall within the number range, declaring that the header information should not be sent to the data store.
8. The method of claim 1, wherein the creating comprises:
intercepting domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
accessing, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
generating, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.
9. The method of claim 8, wherein:
each DNS transaction includes a DNS query from each client device to the DNS database to resolve a domain name in the DNS query to an IP address, and a DNS reply to the client device that includes the resolved IP address from the DNS database; and
intercepting DNS transactions includes intercepting each DNS reply.
10. An apparatus comprising:
a network interface unit configured to communicate with client devices over a network; and
a processor coupled to the network interface unit and configured to:
create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address;
intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and
process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
11. The apparatus of claim 10, wherein:
the processor is configured to create by creating the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
the processor is configured to retrieve by retrieving from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
the processor is configured to process by:
determining, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
upon determining that deep packet inspection should not be performed, passing the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
12. The apparatus of claim 11, wherein the processor is further configured to process by:
upon determining that deep packet inspection should be performed, performing deep packet inspection on the IP packets received from the destination IP address.
13. The apparatus of claim 11, wherein the processor is configured to perform the determining by:
comparing the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
if the comparing indicates that the domain name reputation is equal to or below the domain name reputation threshold, declaring that deep packet inspection should be performed; and
if the comparing indicates that the domain name reputation is above the domain name reputation threshold, declaring that deep packet inspection should not be performed.
14. The apparatus of claim 10, wherein:
the processor is configured to create by creating the IP address-based trust database to map IP addresses each to a respective domain name category that represents the respective trust metric for the domain name;
the processor is configured to retrieve by retrieving from the IP address-based trust database the domain name category mapped to the destination IP address; and
the processor is configured to process by:
determining, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to a data store;
upon determining to send the header information in each of the IP packets to the data store, sending the header information in each of the IP packets to the data store; and
upon determining not to send the header information in each of the IP packets to the data store, not sending the header information in each of the IP packets to the data store.
15. The apparatus of claim 14, wherein each domain name category is represented as a number, and the processor is configured to perform the determining by:
comparing the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category falls within the predetermined number range;
if the comparing indicates that the domain name category falls within the number range, declaring that the header information should be sent to the data store; and
if the comparing indicates that the domain name category does not fall within the number range, declaring that the header information should not be sent to the data store.
16. The apparatus of claim 10, wherein the processor is configured to create by:
intercepting domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
accessing, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
generating, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.
17. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a network device through which client devices communicate with a network, cause the processor to:
create an Internet Protocol (IP) address-based trust database that maps IP addresses each to a respective trust metric for a domain name associated with the IP address;
intercept an IP packet sent from a client device to the network and that indicates a destination IP address for a network-accessible resource associated with a domain name;
using the destination IP address in the intercepted IP packet, retrieve from the IP address-based trust database the domain name trust metric mapped to the destination IP address; and
process IP packets received from the destination IP address based on the retrieved domain name trust metric and a predetermined trust metric criterion.
18. The computer readable storage media of claim 17, wherein:
the instructions to cause the processor to create include instructions to cause the processor to create the IP address-based trust database to map IP addresses each to a respective domain name reputation that represents the respective trust metric for the domain name;
the instructions to cause the processor to retrieve include instructions to cause the processor to retrieve from the IP address-based trust database the domain name reputation mapped to the destination IP address; and
the instructions to cause the processor to process include instructions to cause the processor to:
determine, based on the retrieved domain name reputation and a predetermined domain name reputation threshold representative of the predetermined trust metric criterion, whether deep packet inspection should be performed on IP packets received from the destination IP address; and
upon determining that deep packet inspection should not be performed, pass the IP packets received from the destination IP address to the client device without performing deep packet inspection on the IP packets.
19. The computer readable storage media of claim 18, wherein the instructions to cause the processor to process include further instructions to cause the processor to:
upon determining that deep packet inspection should be performed, perform deep packet inspection on the IP packets received from the destination IP address.
20. The computer readable storage media of claim 18, wherein the instructions to cause the processor to determine include instructions to cause the processor to:
compare the retrieved domain name reputation to the predetermined domain name reputation threshold to determine whether the retrieved domain name reputation is above the domain name reputation threshold;
if the compare indicates that the domain name reputation is equal to or below the domain name reputation threshold, declare that deep packet inspection should be performed; and
if the compare indicates that the domain name reputation is above the domain name reputation threshold, declare that deep packet inspection should not be performed.
21. The computer readable storage media of claim 17, wherein:
the instructions to cause the processor to create include instructions to cause the processor to create the IP address-based trust database to map IP addresses each to a respective domain name category that represents the respective trust metric for the domain name;
the instructions to cause the processor to retrieve include instructions to cause the processor to retrieve from the IP address-based trust database the domain name category mapped to the destination IP address; and
the instructions to cause the processor to process include instructions to cause the processor to:
determine, based on the retrieved domain name category and the predetermined domain name trust metric criterion, whether to send header information in each of the IP packets received from the destination IP address to a data store;
upon determining to send the header information in each of the IP packets to the data store, send the header information in each of the IP packets to the data store; and
upon determining not to send the header information in each of the IP packets to the data store, not send the header information in each of the IP packets to the data store.
22. The computer readable storage media of claim 21, wherein:
each domain name category is represented as a number; and
the instructions to cause the processor to determine include instructions to cause the processor to:
compare the retrieved domain name category to a predetermined number range representative of the predetermined trust metric criterion to determine whether the retrieved domain name category falls within the predetermined number range;
if the compare indicates that the domain name category falls within the number range, declare that the header information should be sent to the data store; and
if the compare indicates that the domain name category does not fall within the number range, declare that the header information should not be sent to the data store.
23. The computer readable storage media of claim 17, wherein the instructions to cause the processor to create include instructions to cause the processor to:
intercept domain name system (DNS) transactions between the client devices and a DNS database used to resolve domain names to respective IP addresses;
access, in a predetermined domain name-based trust database, respective trust metrics for domain names; and
generate, based on the intercepting and the accessing, entries in the IP address-based trust database each to map a respective one of the IP addresses to a respective domain name trust metric.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/746,155 US9628442B2 (en) | 2015-06-22 | 2015-06-22 | DNS snooping to create IP address-based trust database used to select deep packet inspection and storage of IP packets |
US14/746,155 | 2015-06-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016209756A1 true WO2016209756A1 (en) | 2016-12-29 |
Family
ID=56551525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2016/038319 WO2016209756A1 (en) | 2015-06-22 | 2016-06-20 | Dns snooping to create ip address-based trust database used to select deep packet inspection and storage of ip packets |
Country Status (2)
Country | Link |
---|---|
US (1) | US9628442B2 (en) |
WO (1) | WO2016209756A1 (en) |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI513239B (en) * | 2014-09-03 | 2015-12-11 | Hon Hai Prec Ind Co Ltd | Network device and method for routing |
EP3332517B1 (en) * | 2015-08-05 | 2024-05-15 | Qualcomm Incorporated | Deep packet inspection indication for a mobile cdn |
US10848514B2 (en) * | 2015-12-15 | 2020-11-24 | Flying Cloud Technologies, Inc. | Data surveillance for privileged assets on a computer network |
US10542026B2 (en) * | 2015-12-15 | 2020-01-21 | Flying Cloud Technologies, Inc. | Data surveillance system with contextual information |
US10516689B2 (en) * | 2015-12-15 | 2019-12-24 | Flying Cloud Technologies, Inc. | Distributed data surveillance in a community capture environment |
US9979740B2 (en) * | 2015-12-15 | 2018-05-22 | Flying Cloud Technologies, Inc. | Data surveillance system |
US10887330B2 (en) * | 2015-12-15 | 2021-01-05 | Flying Cloud Technologies, Inc. | Data surveillance for privileged assets based on threat streams |
US10523698B2 (en) * | 2015-12-15 | 2019-12-31 | Flying Cloud Technologies, Inc. | Data surveillance system with patterns of centroid drift |
US10547636B2 (en) * | 2016-12-28 | 2020-01-28 | Verisign, Inc. | Method and system for detecting and mitigating denial-of-service attacks |
ES2963965T3 (en) * | 2017-04-28 | 2024-04-03 | Opanga Networks Inc | Domain name tracking system and procedure for network management |
US10609081B1 (en) | 2017-06-20 | 2020-03-31 | Cisco Technology, Inc. | Applying computer network security policy using domain name to security group tag mapping |
US11677713B2 (en) * | 2018-10-05 | 2023-06-13 | Vmware, Inc. | Domain-name-based network-connection attestation |
US11445340B2 (en) | 2021-01-21 | 2022-09-13 | Flying Cloud Technologies, Inc. | Anomalous subject and device identification based on rolling baseline |
CN115150314B (en) * | 2021-03-31 | 2023-08-25 | 腾讯科技(深圳)有限公司 | Method and device for transmitting data packets across network domains, storage medium and electronic equipment |
EP4246891A1 (en) * | 2022-03-19 | 2023-09-20 | Sandvine Corporation | System and method for detecting fraudulent network traffic |
US11470100B1 (en) | 2022-03-21 | 2022-10-11 | Flying Cloud Technologies, Inc. | Data surveillance in a zero-trust network |
CN114650271B (en) * | 2022-03-23 | 2023-12-05 | 杭州迪普科技股份有限公司 | Global load DNS neighbor site learning method and device |
CN114844722B (en) * | 2022-06-08 | 2023-03-24 | 郑州龙名网络科技有限公司 | Network security detection method based on domain name |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100188975A1 (en) * | 2009-01-28 | 2010-07-29 | Gregory G. Raleigh | Verifiable device assisted service policy implementation |
US20140259140A1 (en) * | 2013-03-11 | 2014-09-11 | Sakthikumar Subramanian | Using learned flow reputation as a heuristic to control deep packet inspection under load |
WO2015084327A1 (en) * | 2013-12-03 | 2015-06-11 | Hewlett-Packard Development Company, L.P. | Security action of network packet based on signature and reputation |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6400996B1 (en) | 1999-02-01 | 2002-06-04 | Steven M. Hoffberg | Adaptive pattern recognition based control system and method |
US6473406B1 (en) | 1997-07-31 | 2002-10-29 | Cisco Technology, Inc. | Method and apparatus for transparently proxying a connection |
US6006268A (en) | 1997-07-31 | 1999-12-21 | Cisco Technology, Inc. | Method and apparatus for reducing overhead on a proxied connection |
US6324647B1 (en) | 1999-08-31 | 2001-11-27 | Michel K. Bowman-Amuah | System, method and article of manufacture for security management in a development architecture framework |
ATE374493T1 (en) | 2002-03-29 | 2007-10-15 | Global Dataguard Inc | ADAPTIVE BEHAVIORAL INTRUSION DETECTION |
US7681235B2 (en) | 2003-05-19 | 2010-03-16 | Radware Ltd. | Dynamic network protection |
US7506371B1 (en) | 2004-01-22 | 2009-03-17 | Guardium, Inc. | System and methods for adaptive behavior based access control |
US7610375B2 (en) | 2004-10-28 | 2009-10-27 | Cisco Technology, Inc. | Intrusion detection in a data center environment |
US7735116B1 (en) | 2006-03-24 | 2010-06-08 | Symantec Corporation | System and method for unified threat management with a relational rules methodology |
US7849502B1 (en) | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for monitoring network traffic |
US20080082662A1 (en) | 2006-05-19 | 2008-04-03 | Richard Dandliker | Method and apparatus for controlling access to network resources based on reputation |
US8589503B2 (en) * | 2008-04-04 | 2013-11-19 | Mcafee, Inc. | Prioritizing network traffic |
US10084806B2 (en) * | 2012-08-31 | 2018-09-25 | Damballa, Inc. | Traffic simulation to identify malicious activity |
Timeline
- 2015-06-22: US application US14/746,155 (patent US9628442B2), status Active
- 2016-06-20: WO application PCT/US2016/038319 (publication WO2016209756A1), status Application Filing
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4167524A1 (en) * | 2021-10-13 | 2023-04-19 | Cujo LLC | Local network device connection control |
US11700235B2 (en) | 2021-10-13 | 2023-07-11 | Cujo LLC | Local network device connection control |
US11979374B2 (en) | 2021-10-13 | 2024-05-07 | Cujo LLC | Local network device connection control |
Also Published As
Publication number | Publication date |
---|---|
US9628442B2 (en) | 2017-04-18 |
US20160373409A1 (en) | 2016-12-22 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16744939; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16744939; Country of ref document: EP; Kind code of ref document: A1