| CPC H04L 63/145 (2013.01) [H04L 63/0236 (2013.01); H04L 63/1416 (2013.01)] | 20 Claims |

1. A system, comprising:
a processor configured to:
monitor HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall;
prefilter the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service, comprising to:
determine whether the HTTP, HTTPS, and/or DNS network traffic includes a header value or a uniform resource identifier (URI) length check that falls within a predetermined range of header lengths; and
in response to a determination that the HTTP, HTTPS, and/or DNS network traffic includes the header value or the URI length check that falls within the predetermined range of header lengths:
determine whether the HTTP, HTTPS, and/or DNS network traffic is encoded in one of the following encoding techniques: base64, base64url, netbios, netbiosu, or mask; and
in response to a determination that the HTTP, HTTPS, and/or DNS network traffic is encoded in one of the following encoding techniques: base64, base64url, netbios, netbiosu, or mask, prefilter the HTTP, HTTPS, and/or DNS network traffic;
perform HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a server that generates malware traffic; and
perform an action in response to detecting that the target is the server; and
a memory coupled to the processor and configured to provide the processor with instructions.
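The prefilter elements of claim 1 (a length gate on header values and the URI, followed by a check for base64, base64url, netbios, netbiosu or mask encoding) are the part of the claim a detection engineer can exercise directly. The five names match the data transforms of Cobalt Strike's Malleable C2 profiles, which is why a firewall would look for exactly these before spending a cloud lookup. The following Python is an added illustration written for this page; it is not code from the patent or its assignee. Everything numeric is an assumption: the claim fixes no length range (16 to 4096 bytes is used here), and because the mask transform has no alphabet signature, it is reported only by a heuristic (the value looks binary and XOR-unmasking with its leading four bytes yields mostly text), which is also an assumption. One caveat the claim does not spell out: the netbios alphabet a..p is a subset of the base64 alphabet, so the more specific check must run first. The probing step that follows the prefilter in the claim is not shown.

```python
"""Added example: the prefilter stage of claim 1 (length gate, then encoding check).
Sample data and thresholds are constructed assumptions, not values from the patent."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 16, 4096                # assumed "predetermined range"
_NETBIOS = re.compile(r"[a-p]+")           # each byte -> two letters a..p
_NETBIOSU = re.compile(r"[A-P]+")          # same, upper case
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")
_TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def in_length_range(value: str, lo: int = MIN_LEN, hi: int = MAX_LEN) -> bool:
    """Length gate: only values inside the assumed range get the encoding checks."""
    return lo <= len(value) <= hi


def netbios_encode(data: bytes, upper: bool = False) -> str:
    base = ord("A") if upper else ord("a")
    return "".join(chr(base + (b >> 4)) + chr(base + (b & 0xF)) for b in data)


def netbios_decode(s: str, upper: bool = False) -> bytes:
    base = ord("A") if upper else ord("a")
    return bytes(((ord(s[i]) - base) << 4) | (ord(s[i + 1]) - base)
                 for i in range(0, len(s), 2))


def mask_encode(key: bytes, data: bytes) -> bytes:
    """mask transform: 4-byte key prepended, payload XORed with the cycling key."""
    assert len(key) == 4
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def mask_decode(data: bytes) -> bytes:
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def _text_ratio(b: bytes) -> float:
    return sum(c in _TEXT for c in b) / len(b) if b else 0.0


def _try_text(s: str) -> Optional[Tuple[str, bytes]]:
    """Alphabet checks, most specific first (a..p is inside the base64 alphabet)."""
    if len(s) % 2 == 0 and _NETBIOS.fullmatch(s):
        return "netbios", netbios_decode(s)
    if len(s) % 2 == 0 and _NETBIOSU.fullmatch(s):
        return "netbiosu", netbios_decode(s, upper=True)
    try:
        if len(s) % 4 == 0 and _B64.fullmatch(s):
            return "base64", base64.b64decode(s, validate=True)
        if _B64URL.fullmatch(s):  # base64url is commonly sent unpadded
            return "base64url", base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except binascii.Error:
        pass
    return None


def classify_chain(value: bytes, max_depth: int = 4) -> List[str]:
    """Peel encoding layers and list them in order, e.g. ['base64', 'mask'].
    mask is reported only by the assumed heuristic described in the lead-in."""
    chain, cur = [], value
    for _ in range(max_depth):
        step = None
        try:
            step = _try_text(cur.decode("ascii"))
        except UnicodeDecodeError:
            pass
        if step is None and len(cur) >= 5 and _text_ratio(cur) <= 0.6:
            unmasked = mask_decode(cur)
            if _text_ratio(unmasked) >= 0.9:
                step = ("mask", unmasked)
        if step is None:
            break
        chain.append(step[0])
        cur = step[1]
    return chain


def prefilter(uri: str, headers: dict, lo: int = MIN_LEN,
              hi: int = MAX_LEN) -> List[Tuple[str, List[str]]]:
    """(field, encoding chain) for every URI/header value passing both checks;
    a non-empty result is what would be forwarded to the cloud security service."""
    fields = [("uri", uri.lstrip("/"))] + [(f"header:{k}", v) for k, v in headers.items()]
    hits = []
    for name, val in fields:
        if not in_length_range(val, lo, hi):
            continue
        chain = classify_chain(val.encode("latin-1", "replace"))
        if chain:
            hits.append((name, chain))
    return hits


# Constructed sample request (not captured traffic): a benign header, a header too
# short for the gate, and three encoded fields built with the helpers above.
KEY = b"\xa7\x3c\x91\x5e"
BEACON_PLAINTEXT = b"GET /beacon?id=1234"
SAMPLE_URI = "/" + base64.urlsafe_b64encode(b"\xfb\xff\xbf" * 6).decode()
SAMPLE_HEADERS = {
    "Host": "beacon.example.net",
    "User-Agent": "Mozilla/5.0",
    "Cookie": base64.b64encode(mask_encode(KEY, BEACON_PLAINTEXT)).decode(),
    "X-Session": netbios_encode(b"GET /index.html"),
}

if __name__ == "__main__":
    for field, chain in prefilter(SAMPLE_URI, SAMPLE_HEADERS):
        print(f"{field}: {' -> '.join(chain)}  (forward to cloud service)")
```

Run as-is, the sample reports the URI as base64url, the Cookie as base64 over mask, and X-Session as netbios, while the Host value passes through and the short User-Agent never reaches the encoding checks. In practice the mask heuristic only fires when the masked payload is plaintext; a beacon whose body is encrypted before masking would have to be caught by the outer base64 layer and the length gate alone.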