US 11,916,887 B2
Detecting domain fronting through correlated connections
David McGrew, Poolesville, MD (US); and Blake Harrell Anderson, Chapel Hill, NC (US)
Assigned to CISCO TECHNOLOGY, INC., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Jan. 27, 2023, as Appl. No. 18/160,820.
Application 18/160,820 is a continuation of application No. 17/498,392, filed on Oct. 11, 2021, granted, now 11,582,208.
Prior Publication US 2023/0179581 A1, Jun. 8, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0428 (2013.01) [H04L 63/166 (2013.01)]
20 Claims
1. A detection system, the detection system comprising:
one or more processors; and
one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the detection system to perform operations comprising:
receiving, from a client, a first message and a second message associated with connecting the client and a first host, wherein:
the first message comprises an encrypted portion indicating the first host; and
the second message comprises a server name extension indicating a second host;
determining a first set of links, wherein the first set of links are associated with the first host and are determined based on monitoring a result of connecting the client and the first host;
determining a second set of links, wherein the second set of links are associated with the second host;
determining, based on comparing the first set of links and the second set of links, whether the first host differs from the second host; and
detecting domain fronting in response to determining that the first host differs from the second host;
wherein monitoring the result of connecting the client and the first host comprises detecting zero or more subsequent connections initiated by the client within a pre-determined time period of connecting the client and the first host.
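
The comparison recited in claim 1 can be sketched as follows; this is an added example, not code from the patent or from Cisco. The 5-second window, the Jaccard similarity test and its 0.5 threshold, the baseline table and all host names and flow records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 5.0   # assumed value for the "pre-determined time period"
MIN_SIMILARITY = 0.5   # assumed threshold; the claim fixes no comparison method

@dataclass(frozen=True)
class Flow:
    ts: float    # connection start time in seconds
    client: str  # client address
    sni: str     # host named in the server name extension

# Constructed baseline: hosts a client normally contacts after loading each SNI host
# (the "second set of links").
EXPECTED_LINKS = {
    "cdn.example.com": {"static.example.com", "fonts.example.com", "api.example.com"},
}

def observed_links(flows, anchor, window=WINDOW_SECONDS):
    """First set of links: hosts the same client connects to within the window."""
    return {f.sni for f in flows
            if f.client == anchor.client and anchor.ts < f.ts <= anchor.ts + window}

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def is_domain_fronting(flows, anchor, expected=EXPECTED_LINKS):
    """Flag the anchor connection when observed follow-ups do not match its SNI host."""
    if anchor.sni not in expected:
        return False  # no baseline for this host, so no comparison is possible
    first = observed_links(flows, anchor)  # may be empty: zero subsequent connections
    return jaccard(first, expected[anchor.sni]) < MIN_SIMILARITY

# Constructed sample traffic: one ordinary page load and one fronted connection.
BENIGN = Flow(100.0, "10.0.0.5", "cdn.example.com")
FRONTED = Flow(200.0, "10.0.0.9", "cdn.example.com")
FLOWS = [
    BENIGN,
    Flow(100.4, "10.0.0.5", "static.example.com"),
    Flow(101.0, "10.0.0.5", "fonts.example.com"),
    Flow(102.2, "10.0.0.5", "api.example.com"),
    FRONTED,
    Flow(200.5, "10.0.0.9", "media.hidden.example"),
    Flow(201.1, "10.0.0.9", "sync.hidden.example"),
    Flow(210.0, "10.0.0.9", "static.example.com"),  # outside the window, ignored
]
```

Under these assumptions a connection followed by no further connections is also scored as a mismatch when the baseline is non-empty, so a deployment would need to account for client-side caching.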