Patent · US Active

Automatic detection of reverse tunnels

US8151348B1 · kind B1 · utility

Cited by: 19
References: 13
Claims: 52
Family size: 0

Assignee

Inventor

Key dates

Filing date: Jun 30, 2004
Grant date: Apr 3, 2012
Priority date:
Expiry date: Feb 1, 2030

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/144
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Presently disclosed are methods and apparatus for analyzing packets and packet flows to detect covert communications channels (including reverse tunnels) in real time. These systems actively probe a suspicious connection in ways that are not possible in prior-art, log-based techniques and may initiate countermeasures against discovered covert channels. The present system may be implemented in a network device, such as an intrusion detection system, content engine, or other intermediary device employing a web cache. Embodiments automatically detect suspicious activity at particular source addresses by using relatively simple tests to identify suspect packets that should receive more extensive scrutiny. After more rigorous secondary testing (optionally including active probing techniques), suspect packets are either returned to the occasionally-checked state or flagged for further action, such as raising an alert or taking automatic countermeasures against the covert channel or its originators.
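The abstract describes a two-tier pipeline: cheap tests on every flow, expensive secondary tests only on flows that trip a cheap test, and a final decision that either returns the flow to the occasionally-checked state or flags it. The Python below is an added illustration of that control flow and is not code or a method from the patent. Every concrete heuristic in it is an assumption chosen for the demonstration (treating ports 80/443/8080 as "client speaks first", a 600 s long-lived threshold, a 5:1 outbound byte ratio, inter-packet timing regularity, Shannon entropy above 7 bits/byte on port 80, and the absence of an HTTP request line from the initiator); the flows it runs on are constructed, not captured.

```python
"""Two-stage screening of packet flows for reverse-tunnel-like behaviour.

Stage 1 runs cheap tests on every flow; flows that trip one go to stage 2,
whose costlier checks decide whether the flow returns to the
occasionally-checked state or is flagged. All thresholds and heuristics
are illustrative assumptions, not the patent's own.
"""
import math
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from statistics import mean, pstdev


class State(Enum):
    OCCASIONAL = "occasionally-checked"
    FLAGGED = "flagged for alert / countermeasures"


@dataclass
class Packet:
    t: float              # seconds since the flow started
    from_internal: bool   # True if sent by the internal (initiating) host
    payload: bytes        # application payload only


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float
    packets: list = field(default_factory=list)


WEB_PORTS = {80, 443, 8080}   # assumed "client speaks first" ports
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; plaintext HTTP is well under 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def cheap_screen(flow: Flow) -> list:
    """Stage 1: simple summary-level tests. Empty list means 'nothing to see'."""
    reasons = []
    if flow.dport not in WEB_PORTS:
        return reasons
    if flow.duration_s > 600:
        reasons.append("long-lived session on a web port")
    first = next((p for p in flow.packets if p.payload), None)
    if first is not None and not first.from_internal:
        reasons.append("remote side sent the first payload on a client-speaks-first port")
    out = sum(len(p.payload) for p in flow.packets if p.from_internal)
    inn = sum(len(p.payload) for p in flow.packets if not p.from_internal)
    if inn and out / inn > 5:
        reasons.append("internal host pushes far more data than it receives")
    return reasons


def secondary_tests(flow: Flow) -> list:
    """Stage 2: more rigorous tests over the packet sample of a suspect flow."""
    reasons = []
    gaps = [b.t - a.t for a, b in zip(flow.packets, flow.packets[1:])]
    if len(gaps) >= 4 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
        reasons.append("metronomic inter-packet timing (keep-alive beacon pattern)")
    if flow.dport == 80:  # plaintext port, so readable HTTP is expected
        blob = b"".join(p.payload for p in flow.packets)
        if len(blob) >= 64 and shannon_entropy(blob) > 7.0:
            reasons.append("high-entropy payload on a plaintext port")
        first_out = next((p.payload for p in flow.packets if p.from_internal and p.payload), b"")
        if first_out.split(b" ", 1)[0] not in HTTP_METHODS:
            reasons.append("initiator never issued an HTTP request line")
    return reasons


def classify(flow: Flow):
    """Run both stages; return (State, {'stage1': [...], 'stage2': [...]})."""
    stage1 = cheap_screen(flow)
    if not stage1:
        return State.OCCASIONAL, {"stage1": [], "stage2": []}
    stage2 = secondary_tests(flow)
    return (State.FLAGGED if stage2 else State.OCCASIONAL), {"stage1": stage1, "stage2": stage2}


# Constructed sample flows (not real captures); _NOISE stands in for ciphertext.
_NOISE = bytes(range(256))
BENIGN = Flow("10.0.0.5", "203.0.113.10", 80, 2.0, [
    Packet(0.00, True, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(0.05, False, b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nHello, world!"),
])
LONG_KEEPALIVE = Flow("10.0.0.9", "203.0.113.10", 80, 900.0, [  # trips stage 1 only
    Packet(t, i % 2 == 0, b"GET /x HTTP/1.1\r\nHost: example.test\r\n\r\n" if i % 2 == 0
           else b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    for i, t in enumerate([0.0, 0.1, 300.0, 300.4, 700.0, 700.2])
])
SUSPECT = Flow("10.0.0.7", "198.51.100.20", 80, 3600.0, [
    Packet(0.0, True, b""),             # bare ACK after the handshake, no payload
    Packet(30.0, False, _NOISE[:64]),   # remote side speaks first
    Packet(60.0, True, _NOISE * 2),     # internal host answers with bulk data
    Packet(90.0, False, _NOISE[:64]),
    Packet(120.0, True, _NOISE * 2),
])

if __name__ == "__main__":
    for name, f in [("benign", BENIGN), ("long keep-alive", LONG_KEEPALIVE), ("suspect", SUSPECT)]:
        print(name, *classify(f))
```

The middle sample matters most: a long-lived but ordinary keep-alive session trips the cheap stage and is then returned to the occasionally-checked state, which is the "returned" branch of the abstract, while the constructed tunnel-like flow is flagged with reasons from both stages that an analyst can read before any alert or countermeasure is acted on.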

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.