
WO2016085412A1 - Systems and methods for intercepting, filtering and blocking content from internet in real-time - Google Patents


Info

Publication number
WO2016085412A1
Authority
WO
WIPO (PCT)
Prior art keywords
content
filtering
internet
filtered
blocking
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/SG2015/050473
Other languages
French (fr)
Inventor
Moo Tang FOO
Chang Kok Liang FRANKIE
Osillada Gonzales II EDGARDO
Kao-Chih CHEN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Pte Ltd Expert Team
Original Assignee
Pte Ltd Expert Team

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/21 Monitoring or handling of messages
    • H04L 51/212 Monitoring or handling of messages using filtering or selective blocking

Abstract

A system for intercepting, filtering and blocking content from the Internet in near real time includes a filtering device mounted at the Network Service Provider (NSP) or Internet Service Provider (ISP), which obtains Internet traffic from a network tap, searches and filters for targeted web content, and generates output containing the intended filtered content; and a collection, management and visualization device for receiving the targeted filtered content for further near real-time decoding, reconstruction, classification and automatic or manual content blocking, with full visibility, manageable by the Authority.

Description

Title of Invention:
Systems and Methods for Intercepting, Filtering and Blocking Content from Internet in Real-Time
Technical Field
Embodiments of the present invention generally relate to computer and digital processing systems for Internet content monitoring and more particularly to systems and methods for intercepting, filtering and blocking content (illegal content) from the Internet in near real-time.
Background Art
It is common for legal regulatory authorities and government organizations of various countries to monitor large volumes of Internet communication activity with a view to fighting illegal or terrorist activities, which have escalated in the cyber world over the past few years.
Nowadays, the Internet provides a platform for a plethora of illegal activities, ranging from credit card fraud and identity phishing to money laundering and many others. Among these illegal activities, the threat posed by illegal websites is highly detrimental, and hence blocking such illegal websites is of extremely high importance. Examples of such illegal websites vary between jurisdictions depending on local laws and regulations. For example, online gambling websites are classified as illegal in Singapore, while child pornography websites are classified as illegal in the UK, and so on.
One possible way to block such illegal websites is to block them at the intermediary level, that is, at the Internet Service Providers (ISPs) or Network Service Providers (NSPs). Such blocking usually requires regulatory backing, and consequently the action varies for each jurisdiction. Moreover, the infrastructure of a large Network Service Provider typically comprises a constantly growing network of heterogeneous routers interconnecting millions of subscribers or customer premises devices. This network enables the subscribers to communicate and exchange data of various formats through access to a rich set of applications and services.
Technical Problem
In recent years it has been observed that we are all in the vicinity of electronic threats (eThreats), mainly from the Internet. For example, eThreats comprise a variety of attacks which can be classified into three main categories: worm-related, non-worm-related (e.g., virus, Trojan), and probes (e.g., spyware, adware, identity theft, and phishing).
Furthermore, Network Service Providers (NSPs) are vulnerable to eThreats propagated across networks. Generally, information pertaining to illegal websites may be collected and analyzed by obtaining multiple network packets and determining whether such packets contain information and data pertaining to illegal websites.
Subsequently, if the analyzed packets include harmful information, the illegal websites from which the corresponding packets are transmitted may be categorized, and such information can be stored in a database for further action. However, such categorization technologies are mostly based on signatures and databases, and consequently the corresponding analysis requires a lot of time, which may be hours, days or weeks, or even longer in some cases, as it requires a manual human process and intervention. Therefore, such delays prevent real-time monitoring, analysis and categorization of illegal websites. Bloom filters are based on the signature-based approach and are used to build a system that scans Internet traffic. Packets enter the system and are processed by Internet Protocol (IP) wrappers. The data in the packet goes to the input buffer and then flows through the content pipeline. As the packet passes through the pipeline, multiple Bloom engines scan different window lengths for signatures of different lengths. Subsequently, data leaves the content pipeline, flows to the output buffer, streams through the wrappers, and the packets are re-injected into the network. If a Bloom engine detects a match, a hash table is queried to determine whether an exact match occurred. If the queried signature is an exact match, the malicious content can be blocked and an alert message is generated within a User Datagram Protocol (UDP) packet, informing a network administrator, an end user or an automated process that a matching signature has been detected. Even though Bloom filters provide a solution focused on throughput performance criteria, they can only deal with certain kinds of known eThreats that can be identified by their hash or regular-expression signature.
Solution to Problem
As may be seen, the solutions described above only provide a partial solution to a very small part of a particular problem. Moreover, they do not analyze, categorize and block the content online in real time. Accordingly, there exists a need in the art for systems and methods for intercepting, filtering, accurately categorizing and blocking illegal content from the Internet in near real time.
Summary of the Invention
According to an aspect of the present invention, a system for intercepting, filtering, reconstructing and blocking content from the Internet in near real time includes a filtering device mounted at a Network Service Provider for searching and filtering web content and generating the intended output with targeted filtered content. In use, the filtering device is capable of processing the targeted filtered content for decoding and reconstruction, which allows visualization of the filtered content and thereby confirms the accuracy of the filtered content in web content categorization. In addition, the system further includes a collection, management and visualization device to allow the Authority (such as Law Enforcement Agencies) to visualize and enforce the blocking of illegal content.
According to another aspect of the present invention, a method for intercepting, filtering and blocking content from the Internet in near real-time includes the steps of: retrieving the web content, including multiple network packets, from a source (usually a network tap mounted at the Network Service Provider); stripping the network packet headers and abstracting information such as MAC addresses, IP addresses and the like from the network packets by a dissector; grouping the network packets belonging to the same flow together by a flow manager; determining the protocol used by each group of packets by a protocol checker; abstracting application layer (layer 7) data by a protocol decoder and grouping the application layer data into multiple layer 7 applications; and sending the application layer data for further processing.
Advantageous Effects of Invention
The combination of layer 7 DPI filtering and the additional decoding and reconstruction in near real-time allows the system to accurately analyze and categorize the websites and to block content automatically in near real-time.
Brief Description of Drawings
In the drawings, like reference characters generally refer to the same part throughout the different views. The drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the invention. In the following description, various embodiments are described with reference to the following drawings, in which:
Fig. 1 illustrates overview deployment of a system for intercepting, filtering and blocking content from Internet in real time, according to an embodiment of the present invention;
Fig. 2 illustrates system architecture of a system for intercepting, filtering and blocking content from internet in real time, according to another embodiment of the present invention; and
Fig. 3 illustrates the system architecture of a filter of the system for intercepting, filtering and blocking content from the Internet in real time, according to an embodiment of the present invention.
Detailed Description
Various embodiments of the present invention relate to systems and methods for intercepting, filtering and blocking content from the Internet in near real time. More specifically, a network tap is placed in the ISP infrastructure network (usually at the Exchange Router/Gateway Router/Border Router) before the Internet traffic leaves the National Internet Gateway. Consequently, the network tap taps and sends the traffic to the filtering device for processing in near real-time. Fig. 1 illustrates the overview deployment of a system 120 for intercepting, filtering and blocking content from the Internet in real time. In one embodiment, the system 120 may be employed between the Authority (such as the Law Enforcement Agency 115) and one or more Internet service providers (ISPs) 1251, 1252, 1253, and the like. As may be seen, the Internet 105 is accessed via a national gateway 110, which makes possible the use of lawful interception solutions as provided by various embodiments of the present invention.
Fig. 2 illustrates system architecture of a system 200 for intercepting, filtering and blocking content from internet in real time. In accordance with an embodiment of the present invention, the system 200 for intercepting, filtering and blocking content from the Internet in near real time, includes: a filtering device 205 mounted at a Network Service Provider for retrieving and filtering web content in near real-time to generate targeted filtered content. In use, the filtering device is capable of transmitting the filtered content for further decoding and reconstruction.
In accordance with an embodiment of the present invention, the system 200 further includes a collection, management and visualization device 210 for receiving the targeted filtered content for further decoding, reconstruction, classification and content blocking.
In accordance with an embodiment of the present invention, the filtering device 205 includes a fabric switch 212 for distributing tapped Internet traffic, and multiple filters 215 for receiving the Internet traffic from the fabric switch 212, filtering the Internet web content based on multiple pre-configured rules and parameters to generate the target filtered content, and forwarding the filtered content to the collection, management and visualization device 210. In use, traffic from multiple 10Gbps/40Gbps/100Gbps links can be tapped and spanned to the fabric switch 212, which can then distribute the traffic over 10Gbps ports to the multiple filters 215. Generally, the multiple filters 215 are configured to handle up to 160Gbps of line-rate traffic throughput. In addition, the multiple filters 215 are designed for layer 7 deep packet inspection (DPI), searching and filtering on both header and payload packet content. In accordance with an embodiment of the present invention, the multiple rules and parameters used to generate the filtered content include a pre-configured combination of REGEX text string patterns, keywords, IP addresses, URLs and the like. In use, for example, multiple pre-configured keywords for online betting, such as online betting, football betting, horse racing betting, football odds, betting odds, bookmakers, Asian handicaps, and the like, may be pre-configured or profiled into one or more filters. Subsequently, when any traffic meets the pre-defined condition, the specific traffic (the entire traffic session or flow) is filtered out and sent for further real-time decoding and reconstruction, allowing further verification of the targeted traffic for accuracy with categorized visualization. Those of ordinary skill in the art will appreciate that REGEX text string patterns, keywords, IP addresses, URLs and the like can be added from time to time to improve the capability of the multiple filters 215.
For example, third-party signatures and custom-made signatures can also be added from time to time to enhance the filter capability for better categorization, visibility and accuracy.
In accordance with an embodiment of the present invention, the collection, management and visualization device 210 includes a classification unit 225 for decoding and classifying multiple network packets from the target filtered traffic in accordance with L7 protocols and a reconstruction unit 230 for decoding, reconstructing and retaining the filtered network packets utilizing the real-time packet reconstruction (RTPR) engine.
In accordance with an embodiment of the present invention, the collection, management and visualization device 210 further includes one or more application programming interfaces (API) 235 for allowing further action to be taken automatically or manually. In use the API includes content filtering and content blocking 245, management and visualization 240 and the like.
In accordance with an embodiment of the present invention, the system 200 further includes a mediation device 220 for passing the target filtered traffic to the collection, management and visualization device 21 0 in standard format that also allows reading by any third party analyzer tools.
Fig. 3 illustrates the system architecture of the filter 215 of the system 200 for intercepting, filtering and blocking content from the Internet in near real time, according to an embodiment of the present invention. In accordance with an embodiment of the present invention, each filter 215 includes a High Throughput Network Processor Unit (NPU) for data processing. In use, traffic from multiple 10Gbps links may be spanned to the input ports of each filter. The traffic then travels through the fabric switch, which distributes it and sends it to the NPU for processing. The NPU then performs the packet content searching and filtering according to pre-configured REGEX text string patterns, keywords and the like, as explained above. In accordance with an embodiment of the present invention, the system further includes a dissector for stripping the network packet headers and abstracting information such as MAC addresses, IP addresses and the like. In use, the whole list of website details, such as timestamp, source and destination IP addresses, source and destination MAC addresses, source and destination ports, URL links and also the full content of the websites, is made viewable to the Authority. The Authority can then also decide which URLs or IP addresses to block manually, through the API integration with the ISP's other network security equipment, such as the web content filtering and blocking appliance, firewall and router.
In accordance with an embodiment of the present invention, the system further includes a flow manager for grouping the multiple packets carrying the web content into the flow to which they belong. In accordance with an embodiment of the present invention, the system further includes a protocol checker for determining the protocol used by each group of network packets. In use, the protocols recognised by the protocol checker include HTTP, POP3, SMTP, IMAP, FTP, VOIP, P2P and the like. In accordance with an embodiment of the present invention, the system further includes a protocol decoder for abstracting application layer data and grouping the application layer data into multiple layer 7 applications. In accordance with an embodiment of the present invention, the system further includes at least one database module for storing the target filtered and reconstructed traffic content.
In accordance with an embodiment of the present invention, the system further includes a graphical user interface (GUI) using web management for accessing the management and database module. In accordance with an embodiment of the present invention, a method for intercepting, filtering and blocking content from the Internet in near real time includes the steps of: retrieving web content from the multiple network packets from a source; stripping headers and abstracting information such as MAC addresses, IP addresses and the like from the network packets by a dissector; grouping packets belonging to the same flow together by a flow manager; determining the protocol used by each group of packets by a protocol checker; abstracting application layer data by a protocol decoder and grouping the application layer data into multiple layer 7 applications; and sending the application layer data for further processing.
In accordance with an embodiment of the present invention, the method further includes the step of further decoding and reconstruction for further verification and to ensure accurate categorization. In accordance with an embodiment of the present invention, the method further includes the step of saving the target filtered and reconstructed data in at least one database module. In accordance with an embodiment of the present invention, a method for intercepting, filtering and blocking content from the Internet in real time includes the step of spanning the tapped traffic through multiple 10Gbps ports to the filter. If it is determined that the traffic is encrypted, the filter sends the traffic to the RTPR engine, which decodes the traffic, crawls the encrypted content from the Internet and checks whether it matches the pre-configured REGEX text string patterns, keywords and the like, in order to determine the types and categorization of the websites.
However, if the traffic is not encrypted, the filter processes the traffic using the L7 DPI filtering capability to filter out the traffic of interest based on REGEX text string patterns, keywords and the like, as explained above. Therefore, as may be seen, various embodiments of the present invention provide significant advantages, such as, for example but not limited to, near real-time decoding and reconstruction for further verification and accuracy, which allows the illegitimate website objects to be identified (displayed). The system can then block the content automatically in near real-time, or allow the Authority to decide manually to block the content, making use of the GUI web management and API integration.
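The unencrypted path described above (dissector, flow manager, protocol checker, protocol decoder, then REGEX matching), as an added illustrative example in Python; it is not part of the patent and does not represent the applicant's NPU implementation. It assumes fixed-size Ethernet/IPv4/TCP headers with no options, recognises only HTTP in the protocol checker, reassembles segments in arrival order rather than by sequence number, and does not model the RTPR path for encrypted traffic; the frames, MAC and IP addresses and patterns are constructed sample data.

```python
import re
import struct
ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20   # fixed header sizes: the samples carry no IP/TCP options

def dissect(frame):
    """Dissector: strip Ethernet/IPv4/TCP headers, keep MACs, IPs, ports and the payload."""
    dst_mac, src_mac, _ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])   # IPv4 assumed
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    src_ip, dst_ip = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    tcp = frame[ETH_LEN + (ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "src_ip": src_ip, "dst_ip": dst_ip,
            "proto": ip[9], "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}

def check_protocol(data):   # protocol checker: one HTTP request-line signature, anything else UNKNOWN
    return "HTTP" if re.match(rb"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", data) else "UNKNOWN"

def decode_http(data):
    """Protocol decoder: rebuild the requested URL from the request line and Host header."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")), b"")
    return "http://" + host.decode() + lines[0].split(b" ")[1].decode(), body.decode(errors="replace")

def run_pipeline(frames, patterns):
    """One record per flow: 5-tuple, protocol, reconstructed URL and which REGEX patterns matched."""
    compiled = [re.compile(p, re.I) for p in patterns]
    flows = {}                                   # flow manager: group packets by 5-tuple, in arrival order
    for r in map(dissect, frames):
        flows.setdefault((r["src_ip"], r["sport"], r["dst_ip"], r["dport"], r["proto"]), []).append(r)
    out = []
    for key, pkts in flows.items():
        data = b"".join(p["payload"] for p in pkts)           # in-order reassembly of the flow's segments
        rec = {"flow": key, "protocol": check_protocol(data), "src_mac": pkts[0]["src_mac"], "url": None, "hits": []}
        if rec["protocol"] == "HTTP":
            rec["url"], body = decode_http(data)
            rec["hits"] = [c.pattern for c in compiled if c.search(rec["url"]) or c.search(body)]
        out.append(rec)
    return out

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample input: a minimal Ethernet/IPv4/TCP frame (checksums left zero, not validated)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

A, B = "aabbccddeeff", "001122334455"          # constructed MAC addresses
SAMPLE_FRAMES = [                               # constructed traffic: one HTTP request split in two segments, one TLS flow
    build_frame(A, B, "10.0.0.5", "198.51.100.7", 40001, 80, b"GET /watch?v=listed HTTP/1.1\r\nHost: example.com\r\n"),
    build_frame(A, B, "10.0.0.5", "198.51.100.7", 40001, 80, b"Accept: */*\r\n\r\n"),
    build_frame(A, B, "10.0.0.5", "198.51.100.7", 40002, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]
PATTERNS = [r"example\.com/watch\?v=listed", r"other-keyword"]
```

Calling `run_pipeline(SAMPLE_FRAMES, PATTERNS)` yields one record per flow; the port 443 flow comes out as UNKNOWN with no URL, which is the case the description hands off to the RTPR engine instead of the L7 DPI filter.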

Claims

[Claim 1] A system for intercepting, filtering and blocking content from Internet in near real time, said system comprising:
• A filtering device mounted at a Network Service Provider for retrieving and filtering web content in near real-time to generate target filtered traffic content, said filtering device being capable of transmitting said filtered traffic content for decoding and reconstruction; and,
• A collection, management and visualization device for receiving said filtered content for further decoding, reconstruction, classification and content blocking visible and manageable by the Authority.
[Claim 2] The system as claimed in Claim 1, wherein said filtering device comprises:
• A fabric switch for distributing tapped Internet traffic; and,
• A plurality of filters for receiving said Internet traffic from said fabric switch, filtering said web content based on a plurality of rules and parameters to generate said target filtered content and forwarding said filtered content to said collection, management and visualization device.
[Claim 3] The system as claimed in Claim 2, wherein said plurality of filters are capable of layer 7 deep packet inspection (DPI) on both header and payload packet content searching and filtering.
[Claim 4] The system as claimed in Claim 2, wherein said plurality of rules and parameters comprise REGEX text string patterns, keywords, IP addresses, URLs and the like.
[Claim 5] The system as claimed in Claim 1, wherein said collection, management and visualization device comprises:
• A classification unit for decoding and classifying multiple network packets from the target filtered traffic in accordance with L7 protocols; and
• A reconstruction unit for decoding, reconstructing and retaining the filtered network packets utilizing the real time packet reconstruction (RTPR) engine.
[Claim 6] The system as claimed in Claim 5, wherein said collection, management and visualization device further comprises at least one application programming interface (API) for allowing further action such as content blocking to be taken automatically or manually.
[Claim 7] The system as claimed in Claim 6, wherein at least one API comprises the content filtering and content blocking, management and visualization and the like.
[Claim 8] The system as claimed in Claim 2, wherein each filter of said plurality of filters comprises a High Throughput Network Processor Unit (NPU) for data processing that includes searching and filtering.
[Claim 9] The system as claimed in Claim 1, wherein said system further comprises a dissector for stripping packet headers and abstracting information such as MAC addresses, IP addresses and the like from said web content.
[Claim 10] The system as claimed in Claim 1, wherein said system further comprises a flow manager for grouping said web content into a plurality of packets belonging to same flow.
[Claim 11] The system as claimed in Claim 1, wherein said system further comprises a protocol checker for determining a protocol to be used for each group of said plurality of packets.
[Claim 12] The system as claimed in Claim 11, wherein said protocol checker comprises HTTP, POP3, SMTP, IMAP, FTP, VOIP, P2P and the like.
[Claim 13] The system as claimed in Claim 1, wherein said system further comprises a protocol decoder for abstracting application layer data and grouping said application layer data into a plurality of layer 7 applications.
[Claim 14] The system as claimed in Claim 1, wherein said system further comprises at least one database module for storing the target filtered and reconstructed traffic content.
[Claim 15] The system as claimed in Claim 1, wherein said system further comprises a web management GUI for visualization and accessing the management and database module.
[Claim 16] A method for intercepting, filtering and blocking content from Internet in near real time, said method comprising the steps of: retrieving the web content including multiple network packets from a source (usually from a network tap mounted on the Network Service Provider), stripping headers and abstracting information such as MAC addresses, IP addresses and the like from said plurality of network packets by a dissector; grouping said plurality of packets belonging to same flow together by a flow manager; determining a protocol to be used for each group of said plurality of network packets by a protocol checker; abstracting application layer data by a protocol decoder and grouping said application layer data into a plurality of layer 7 applications; and sending said application layer data for further processing.
[Claim 17] The system as claimed in Claim 16, wherein said method further comprises the step of decoding and reconstructing the filtered traffic content from the filter in near real-time.
[Claim 18] The system as claimed in Claim 16, wherein said method further comprises the step of saving and storing the data in the database module.
PCT/SG2015/050473 2014-11-28 2015-11-26 Systems and methods for intercepting, filtering and blocking content from internet in real-time Ceased WO2016085412A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SG10201407948Y 2014-11-28
MY2014703577 2014-11-28

Publications (1)

Publication Number Publication Date
WO2016085412A1 true WO2016085412A1 (en) 2016-06-02


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15862307; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15862307; Country of ref document: EP; Kind code of ref document: A1)