Context sharing between endpoint device and network security device using in-band communications

US 10,027,627 B2
Filed: 10/07/2015
Issued: 07/17/2018
Est. Priority Date: 10/07/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network security device connected between a network and an endpoint device that is configured to host a client application, the client application configured to communicate with the network through the network security device using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application;

receiving from the client application a request that is destined for the network and that seeks a response from the network, the request having a context header added thereto including context information about the client application;

removing the context header from the request;

determining whether the client application or a file accessed by the client application has a suspicious nature based on the context information;

if the suspicious nature is determined;

blocking the request from the network;

sending to the client application a response indicating the blocking and having added thereto a context header including a query for further information useable to confirm the suspicious nature, and a request identifier associated with the query;

receiving from the endpoint device a second request destined for the network and having added thereto a context header that includes the further information and the request identifier to associate the context header in the second request with the query in the response; and

confirming the suspicious nature based on the further information; and

if the suspicious nature is not determined, forwarding the request without the context header to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security device (NSD) is connected between a network and an endpoint device configured to host a client application. The client application communicates with the network through the network security device using a request-response protocol. The NSD receives from the client application a request destined for the network and that seeks a response from the network. The request has a context header including context information about the client application. The NSD determines whether the client application or a file accessed thereby has a suspicious nature based on the context information. If it is determined that the client application or the file accessed thereby has a suspicious nature, the NSD blocks the request from the network, and sends to the client application a response indicating the block.

Citations

22 Claims

1. A method comprising:
- at a network security device connected between a network and an endpoint device that is configured to host a client application, the client application configured to communicate with the network through the network security device using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application;
  
  receiving from the client application a request that is destined for the network and that seeks a response from the network, the request having a context header added thereto including context information about the client application;
  
  removing the context header from the request;
  
  determining whether the client application or a file accessed by the client application has a suspicious nature based on the context information;
  
  if the suspicious nature is determined;
  
  blocking the request from the network;
  
  sending to the client application a response indicating the blocking and having added thereto a context header including a query for further information useable to confirm the suspicious nature, and a request identifier associated with the query;
  
  receiving from the endpoint device a second request destined for the network and having added thereto a context header that includes the further information and the request identifier to associate the context header in the second request with the query in the response; and
  
  confirming the suspicious nature based on the further information; and
  
  if the suspicious nature is not determined, forwarding the request without the context header to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the query for further information includes a query for further information about the client application or the file accessed by the client application that is useable to confirm the suspicious nature of the client application or the file accessed by the client application.
  - 3. The method of claim 2, wherein:
    - the receiving from the endpoint device the second request includes receiving from the endpoint device the second request destined for the network from either the client application or a different client application;
      
      the confirming the suspicious nature includes confirming the suspicious nature of the client application or the file accessed thereby based on the further information; and
      
      the method further comprises, at the network security device, upon confirming the suspicious nature, sending to the endpoint device a second response having a context header that includes a request to perform remediation with respect to the client application or the file accessed by the client application.
  - 4. The method of claim 3, wherein:
    - the context information in the context header of the request includes a hash value of the client application or the file accessed by the client application, and the determining includes determining the suspicious nature based on the hash value;
      
      the query in the context header of the response includes a query for operating system registry information of the client application; and
      
      the further information in the context header of the second request includes the operating system registry information, and the confirming includes confirming the suspicious nature based on the operating system registry information.
  - 5. The method of claim 3, wherein the context header in the request and the context header in the response each includes a same request identifier.
  - 6. The method of claim 3, wherein:
    - the request-response protocol includes the Hypertext Transfer Protocol (HTTP);
      
      the request and the second request include HTTP requests; and
      
      the response and the second response include HTTP responses.
  - 7. The method of claim 1, wherein the request-response protocol includes the Hypertext Transfer Protocol (HTTP).

8. An apparatus comprising:
- a network interface unit including network ports to connect with a network and an endpoint device that is configured to host a client application, the client application configured to communicate with the network through the apparatus using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application; and
  
  a processor coupled to the network interface and configured to;
  
  receive from the client application a request that is destined for the network and that seeks a response from the network, the request having a context header added thereto including context information about the client application;
  
  remove the context header from the request;
  
  determine whether the client application or a file accessed by the client application has a suspicious nature based on the context information; and
  
  if the suspicious nature is determined;
  
  block the request from the network;
  
  send to the client application a response indicating the blocking and having added thereto a context header including a query for further information useable to confirm the suspicious nature, and a request identifier associated with the query;
  
  receive from the endpoint device a second request destined for the network and having added thereto a context header that includes the further information and the request identifier to associate the context header in the second request with the query in the response; and
  
  confirm the suspicious nature based on the further information; and
  
  if the suspicious nature is not determined, forward the request without the context header to the network.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the query for further information includes a query for further information about the client application or the file accessed by the client application that is useable to confirm the suspicious nature of the client application or the file accessed by the client application.
  - 10. The apparatus of claim 9, wherein:
    - the processor is configured to receive from the endpoint device the second request by receiving from the endpoint device the second request destined for the network from either the client application or a different client application;
      
      the processor is configured to confirm the suspicious nature by confirming the suspicious nature of the client application or the file accessed thereby based on the further information; and
      
      the processor is further configured to, upon confirming the suspicious nature, send to the endpoint device a second response having a context header that includes a request to perform remediation with respect to the client application or the file accessed by the client application.
  - 11. The apparatus of claim 10, wherein:
    - the context information in the context header of the request includes a hash value of the client application or the file accessed by the client application, and the processor is configured to determine by determining the suspicious nature based on the hash value;
      
      the query in the context header of the response includes a query for operating system registry information of the client application; and
      
      the further information in the context header of the second request includes the operating system registry information, and the processor is configured to confirm by confirming the suspicious nature based on the operating system registry information.
  - 12. The apparatus of claim 10, wherein:
    - the context header in the request and the context header in the response each includes a same request identifier.
  - 13. The apparatus of claim 8, wherein the request-response protocol includes the Hypertext Transfer Protocol (HTTP).

14. A method comprising:
- at a context agent hosted on an endpoint device that is connected with a network security device, the network security device connected with a network, the endpoint point device configured to host a client application configured to communicate with the network through the endpoint context agent and the network security device, using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application;
  
  receiving from the client application a request destined for the network that seeks a response from the network;
  
  collecting context information about the client application;
  
  adding to the request a context header that includes the collected context information;
  
  sending to the network security device the request with the context header;
  
  receiving from the network security device a response indicating whether the request has been blocked from the network, wherein the response includes a context header added thereto by the network security device, the context header in the response including a query for further context information about the client application that is useable to confirm a suspicious nature thereof, and a request identifier associated with the query, and responsive to the query;
  
  collecting the further context information about the client application;
  
  adding to the second request a context header including the further context information and the request identifier to associate the context header in the second request with the query in the response; and
  
  sending to the network security device the second request with the context header; and
  
  removing the context header from the response and sending the response without the context header to the client application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, further comprising, at the context agent:
    - receiving from the network security device a second response that is responsive to the second request.
  - 16. The method of claim 15, wherein the second response from the network security device includes a context header having a command to initiate remediation on the endpoint device with respect to the client application, the method further comprising:
    - responsive to the command to initiate remediation, initiating the remediation on the endpoint device with respect to the client application.
  - 17. The method of claim 15, wherein:
    - the request-response protocol includes the Hypertext Transfer Protocol (HTTP);
      
      the request and the second request include HTTP requests; and
      
      the response and the second response include HTTP responses.
  - 18. The method of claim 15, wherein:
    - the context header including the query in the response from the network security device and the context header including the further context information from the context agent each includes a same request identifier to associate the further context information with the query.
  - 19. The method of claim 15, wherein;
    - the collecting the context information includes collecting a hash value of the client application or a file accessed thereby, and the adding includes adding the collected hash value to the context header of the request; and
      
      the collecting the further context information includes collecting operating system registry information related to the client application, and the adding the further context information includes adding the operating system registry information to the context header of the second request.
  - 20. The method of claim 15, further comprising, at the context agent:
    - receiving the second request from the client application without any context header therein,wherein the adding the further context information includes adding the further context information to the second request received from the client application.
  - 21. The method of claim 15, further comprising, at the context agent:
    - originating the second request as a mock request that does not originate at the client application,wherein the adding includes adding the collected further context information to the context header of the mock request originated at the context agent.
  - 22. The method of claim 14, wherein the request-response protocol includes the Hypertext Transfer Protocol (HTTP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Parla, Vincent E., Shankar, Hari, Kleopa, Constantinos, Gautam, Venkatesh N., Selvam, Gerald N. A.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/877,116
Publication Number

US 20170104722A1
Time in Patent Office

1,014 Days
Field of Search

726 12
US Class Current
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/1425   Traffic logging, e.g. anoma...

Context sharing between endpoint device and network security device using in-band communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Context sharing between endpoint device and network security device using in-band communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links