Title of invention: Encrypted network traffic interception and inspection
Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.
Publication number: US9118700(B2) Publication date: 2015.08.25
Application number: US201314043273 Filing date: 2013.10.01
Applicant: Microsoft Technology Licensing, LLC Inventors: Lifliand Vladimir;Ben-Menahem Avraham Michael
Classification: G06F11/00;G06F12/14;G06F12/16;G08B23/00;H04L29/06 Main classification: G06F11/00
Agency: Agent: Gabryjelski Henry;Drakos Kate;Minhas Micky
Main claim: 1. A method of operating a computer comprising at least one processor, the method comprising: with the at least one processor: receiving at least one request from an application at a first component, wherein the application directed the request to a second component configured to encrypt unencrypted data, and wherein the application is unaware of the receipt by the first component; receiving encrypted data generated by the second component upon the second component encrypting the unencrypted data in response to the request of the application; sending the encrypted data to a data inspection facility; and sending the unencrypted data to the data inspection facility, wherein the data inspection facility determines whether portions of the encrypted data correspond with portions of the unencrypted data, and wherein the data inspection facility determines whether to allow through-pass of the received encrypted data over a network based on, at least in part, a result of the determination of correspondence.
Address: Redmond WA US