CPC H04L 63/1416 (2013.01) [H04L 63/02 (2013.01); H04L 63/0428 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); H04L 63/166 (2013.01)]. 20 Claims.
1. A method, comprising:
monitoring, by a monitoring agent executing on an endpoint device, a memory space of the endpoint device associated with an application or a dedicated process hosted by the endpoint device;
detecting from the memory space, by the monitoring agent, a handshake initiated between an application hosted on the endpoint device and a remote entity, the handshake initiated to establish an encrypted traffic session between the application and the remote entity;
capturing from the memory space of the endpoint device, by the monitoring agent, session key information for the encrypted traffic session between the endpoint device and the remote entity, wherein session keys are established during the handshake and are obtained after the encrypted traffic session is formed;
transmitting the session key information to a traffic inspection service hosted on an intermediary device located between the endpoint device and the remote entity over a secure connection;
using, by the traffic inspection service, the session key information to decrypt encrypted traffic from the encrypted traffic session, resulting in decrypted traffic;
applying, by the traffic inspection service and based on the decrypted traffic comprising cleartext from the encrypted traffic session, a policy to the encrypted traffic session between the endpoint device and the remote entity to determine whether the decrypted traffic is malicious or against the policy; and
performing, by the traffic inspection service, a mitigation action in response to a determination that the decrypted traffic is malicious or against the policy.
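The claim above describes the inspection-service half of the method only abstractly: receive "session key information" captured from the endpoint, use it to decrypt the session, apply a policy to the cleartext, and act on the verdict. The following is an added worked example and not code from the patent or from any product it covers. It assumes, as my own choices, that the agent ships the captured secrets in the NSS key-log (SSLKEYLOGFILE) format keyed by the ClientHello random, that the session is TLS 1.3 with AES-128-GCM-SHA256, that the cleartext is HTTP/1.1, and a deliberately small deny-listed-Host policy. The endpoint memory capture itself is out of scope; the Seal method stands in for the endpoint only so that a realistic captured record can be constructed offline. All names (SampleKeyLog, LookupSecret, Direction, ApplyPolicy) and hex values are invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed "session key information" for one session in the NSS key-log (SSLKEYLOGFILE)
// format, assumed here as the agent-to-service wire format. Both hex values are made up.
const SampleClientRandom = "1f2e3d4c5b6a79880011223344556677889900aabbccddeeff0123456789abcd"
var SampleKeyLog = "CLIENT_TRAFFIC_SECRET_0 " + SampleClientRandom + " " + strings.Repeat("5a", 32) + "\n"

// LookupSecret selects the secret for the client_random the inspector saw in the ClientHello.
func LookupSecret(keyLog, label, clientRandom string) ([]byte, error) {
	for _, line := range strings.Split(keyLog, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == label && strings.EqualFold(f[1], clientRandom) {
			return hex.DecodeString(f[2])
		}
	}
	return nil, fmt.Errorf("no %s for client_random %s", label, clientRandom)
}

// hkdfExpandLabel is HKDF-Expand-Label (RFC 8446 section 7.1), empty context, one HMAC-SHA256 block.
func hkdfExpandLabel(secret []byte, label string, length int) []byte {
	info := append(append([]byte{byte(length >> 8), byte(length), byte(6 + len(label))}, "tls13 "+label...), 0)
	m := hmac.New(sha256.New, secret)
	m.Write(append(info, 1)) // HKDF-Expand block T(1); 16-byte key and 12-byte IV both fit
	return m.Sum(nil)[:length]
}

// Direction is one side's TLS 1.3 record-protection state (RFC 8446 section 7.3).
type Direction struct {
	aead cipher.AEAD
	iv   []byte
	seq  uint64
}

func NewDirection(trafficSecret []byte) (*Direction, error) {
	if len(trafficSecret) != sha256.Size { // SHA-384 suites log 48-byte secrets and need HKDF-SHA384
		return nil, fmt.Errorf("want a %d-byte traffic secret, got %d", sha256.Size, len(trafficSecret))
	}
	block, _ := aes.NewCipher(hkdfExpandLabel(trafficSecret, "key", 16)) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                      // AES block: cannot fail
	return &Direction{aead: aead, iv: hkdfExpandLabel(trafficSecret, "iv", 12)}, nil
}

// nonce XORs the record sequence number into the IV (section 5.3) and advances it: feed records in wire order.
func (d *Direction) nonce() []byte {
	n := append([]byte{}, d.iv...)
	binary.BigEndian.PutUint64(n[4:], binary.BigEndian.Uint64(d.iv[4:])^d.seq)
	d.seq++
	return n
}

// Seal plays the endpoint; it exists only to construct realistic captured records.
func (d *Direction) Seal(plaintext []byte) []byte {
	inner := append(append([]byte{}, plaintext...), 23) // TLSInnerPlaintext: data || type application_data
	hdr := []byte{23, 3, 3, byte((len(inner) + 16) >> 8), byte(len(inner) + 16)} // +16: GCM tag
	return append(hdr, d.aead.Seal(nil, d.nonce(), inner, hdr)...) // the record header is the AAD
}

// Open plays the inspection service: authenticate, then decrypt, one captured record.
func (d *Direction) Open(record []byte) ([]byte, error) {
	if len(record) < 5 || record[0] != 23 || int(binary.BigEndian.Uint16(record[3:])) != len(record)-5 {
		return nil, fmt.Errorf("not a well-formed TLS 1.3 application_data record")
	}
	inner, err := d.aead.Open(nil, d.nonce(), record[5:], record[:5])
	if err != nil {
		return nil, fmt.Errorf("AEAD check failed: wrong secret, out-of-order record, or tampering")
	}
	if n := len(strings.TrimRight(string(inner), "\x00")); n > 0 && inner[n-1] == 23 { // strip padding
		return inner[:n-1], nil
	}
	return nil, fmt.Errorf("inner content type is not application_data")
}

// ApplyPolicy is a small constructed policy: block HTTP requests whose Host header is denied.
func ApplyPolicy(cleartext []byte, deniedHosts map[string]bool) (block bool, reason string) {
	for _, l := range strings.Split(string(cleartext), "\r\n") {
		if l = strings.ToLower(l); strings.HasPrefix(l, "host:") && deniedHosts[strings.TrimSpace(l[5:])] {
			return true, "request to denied host " + strings.TrimSpace(l[5:])
		}
	}
	return false, "no policy match"
}

func main() { // inputs are the constants above, so errors are ignored here
	secret, _ := LookupSecret(SampleKeyLog, "CLIENT_TRAFFIC_SECRET_0", SampleClientRandom)
	endpoint, _ := NewDirection(secret) // stands in for the endpoint that produced the capture
	inspector, _ := NewDirection(secret)
	pt, err := inspector.Open(endpoint.Seal([]byte("POST /up HTTP/1.1\r\nHost: exfil.example\r\n\r\n")))
	fmt.Printf("cleartext=%q err=%v\n", pt, err)
	fmt.Println(ApplyPolicy(pt, map[string]bool{"exfil.example": true}))
}
```

Two practical points the claim language glosses over are visible here. First, a single logged secret is only good for one direction and only until the next KeyUpdate, which derives a fresh application traffic secret (RFC 8446 section 7.2); a real service needs the server-side secret as well and every rotated secret the agent can capture. Second, the AEAD check is the service's only integrity signal: a failure means the wrong secret, a record consumed out of order, or tampering, and in all three cases the sensible mitigation is to stop trusting the decrypted stream rather than to keep inspecting.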