Context sharing between endpoint device and network security device using in-band communications
First Claim
1. A method comprising:
- at a network security device connected between a network and an endpoint device that is configured to host a client application, the client application configured to communicate with the network through the network security device using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application;
- receiving from the client application a request that is destined for the network and that seeks a response from the network, the request having a context header added thereto including context information about the client application;
- removing the context header from the request;
- determining whether the client application or a file accessed by the client application has a suspicious nature based on the context information;
- if the suspicious nature is determined:
  - blocking the request from the network;
  - sending to the client application a response indicating the blocking and having added thereto a context header including a query for further information useable to confirm the suspicious nature, and a request identifier associated with the query;
  - receiving from the endpoint device a second request destined for the network and having added thereto a context header that includes the further information and the request identifier to associate the context header in the second request with the query in the response; and
  - confirming the suspicious nature based on the further information; and
- if the suspicious nature is not determined, forwarding the request without the context header to the network.
Abstract
A network security device (NSD) is connected between a network and an endpoint device configured to host a client application. The client application communicates with the network through the network security device using a request-response protocol. The NSD receives from the client application a request destined for the network and that seeks a response from the network. The request has a context header including context information about the client application. The NSD determines whether the client application or a file accessed thereby has a suspicious nature based on the context information. If it is determined that the client application or the file accessed thereby has a suspicious nature, the NSD blocks the request from the network, and sends to the client application a response indicating the block.
22 Claims
1. A method comprising: (claim 1 is reproduced in full under First Claim above; claims 2 to 7 depend on it.)
8. An apparatus comprising:
- a network interface unit including network ports to connect with a network and an endpoint device that is configured to host a client application, the client application configured to communicate with the network through the apparatus using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application; and
- a processor coupled to the network interface and configured to:
  - receive from the client application a request that is destined for the network and that seeks a response from the network, the request having a context header added thereto including context information about the client application;
  - remove the context header from the request;
  - determine whether the client application or a file accessed by the client application has a suspicious nature based on the context information; and
  - if the suspicious nature is determined:
    - block the request from the network;
    - send to the client application a response indicating the blocking and having added thereto a context header including a query for further information useable to confirm the suspicious nature, and a request identifier associated with the query;
    - receive from the endpoint device a second request destined for the network and having added thereto a context header that includes the further information and the request identifier to associate the context header in the second request with the query in the response; and
    - confirm the suspicious nature based on the further information; and
  - if the suspicious nature is not determined, forward the request without the context header to the network.

Claims 9 to 13 depend on claim 8.
14. A method comprising:
- at a context agent hosted on an endpoint device that is connected with a network security device, the network security device connected with a network, the endpoint device configured to host a client application configured to communicate with the network through the endpoint context agent and the network security device, using an in-band request-response protocol to which the network security device and the endpoint device add context headers including context information about the client application;
- receiving from the client application a request destined for the network that seeks a response from the network;
- collecting context information about the client application;
- adding to the request a context header that includes the collected context information;
- sending to the network security device the request with the context header;
- receiving from the network security device a response indicating whether the request has been blocked from the network, wherein the response includes a context header added thereto by the network security device, the context header in the response including a query for further context information about the client application that is useable to confirm a suspicious nature thereof, and a request identifier associated with the query, and responsive to the query:
  - collecting the further context information about the client application;
  - adding to the second request a context header including the further context information and the request identifier to associate the context header in the second request with the query in the response; and
  - sending to the network security device the second request with the context header; and
- removing the context header from the response and sending the response without the context header to the client application.

Claims 15 to 22 depend on claim 14.
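The exchange that claims 1, 8 and 14 describe, simulated end to end as an added example (this is not code from the patent or from any product the patent covers): an endpoint context agent adds a context header to the client application's request, the network security device (NSD) strips that header before anything reaches the network, decides whether the application or file looks suspicious, and if so blocks the request and answers with a query plus a request identifier; the agent then collects the further information and sends a second request carrying the same identifier, which the NSD uses to match it to the query and confirm or clear the suspicion. The header names (`X-Context`, `X-Context-Query`, `X-Context-Request-Id`), the JSON encoding of the context, the policy rules and all endpoint facts are assumptions constructed for the example.

```python
import json
import uuid

# Header names are assumptions for this example; the patent does not name them.
CTX_HDR = "X-Context"
QUERY_HDR = "X-Context-Query"
REQID_HDR = "X-Context-Request-Id"


def upstream_network(request):
    """Stand-in for the network: it must never see a context header."""
    if CTX_HDR in request["headers"] or REQID_HDR in request["headers"]:
        raise AssertionError("context header leaked to the network")
    return {"status": 200, "headers": {}, "body": "OK " + request["url"]}


class NetworkSecurityDevice:
    """Sits between the endpoint and the network (claims 1 and 8)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.pending = {}     # request_id -> context from the blocked first request
        self.confirmed = []   # audit log of confirmed detections

    @staticmethod
    def is_suspicious(ctx):
        # Constructed policy: an unsigned process or an untrusted-tagged file is suspicious.
        return not ctx.get("process_signed", True) or ctx.get("file_tag") == "untrusted"

    @staticmethod
    def confirm(first_ctx, further_ctx):
        # Constructed confirmation rule: the block stands if the file was never scanned
        # or the process was launched by something other than a known launcher.
        return (further_ctx.get("file_scanned") is False
                or further_ctx.get("parent_process") not in ("explorer.exe", "launchd"))

    def handle(self, request):
        headers = dict(request["headers"])
        ctx = json.loads(headers.pop(CTX_HDR, "{}"))   # remove the header, keep its content
        req_id = headers.pop(REQID_HDR, None)
        stripped = {"url": request["url"], "headers": headers}

        if req_id in self.pending:
            # Second request: further information answering an earlier query.
            first_ctx = self.pending.pop(req_id)
            if self.confirm(first_ctx, ctx):
                self.confirmed.append({"request_id": req_id, "ctx": first_ctx, "further": ctx})
                return {"status": 403, "headers": {}, "body": "blocked (confirmed)"}
            return self.upstream(stripped)   # suspicion not confirmed: let it through

        if self.is_suspicious(ctx):
            new_id = str(uuid.uuid4())
            self.pending[new_id] = ctx
            query = json.dumps(["file_scanned", "parent_process"])
            return {"status": 403,
                    "headers": {QUERY_HDR: query, REQID_HDR: new_id},
                    "body": "blocked pending further context"}

        return self.upstream(stripped)   # not suspicious: forward without the context header


class EndpointContextAgent:
    """Hosted on the endpoint, between the client application and the NSD (claim 14)."""

    def __init__(self, nsd, facts):
        self.nsd = nsd
        self.facts = facts   # constructed view of the local process and file state

    def collect(self, keys):
        return {k: self.facts[k] for k in keys if k in self.facts}

    def send(self, url):
        # First request: add the initial context header.
        initial = json.dumps(self.collect(["process_signed", "file_tag"]))
        resp = self.nsd.handle({"url": url, "headers": {CTX_HDR: initial}})
        if QUERY_HDR in resp["headers"]:
            # The NSD asked for more: answer in a second request carrying the same request id.
            wanted = json.loads(resp["headers"][QUERY_HDR])
            second = {"url": url, "headers": {CTX_HDR: json.dumps(self.collect(wanted)),
                                             REQID_HDR: resp["headers"][REQID_HDR]}}
            resp = self.nsd.handle(second)
        # Strip context headers before handing the response to the client application.
        clean = {k: v for k, v in resp["headers"].items() if k not in (QUERY_HDR, REQID_HDR)}
        return {"status": resp["status"], "headers": clean, "body": resp["body"]}


def run_scenarios():
    """Three constructed endpoints: benign, suspicious-and-confirmed, suspicious-but-cleared."""
    nsd = NetworkSecurityDevice(upstream_network)
    benign = EndpointContextAgent(nsd, {"process_signed": True, "file_tag": "trusted"})
    confirmed = EndpointContextAgent(nsd, {"process_signed": False, "file_tag": "untrusted",
                                           "file_scanned": False, "parent_process": "cmd.exe"})
    cleared = EndpointContextAgent(nsd, {"process_signed": False, "file_tag": "trusted",
                                         "file_scanned": True, "parent_process": "explorer.exe"})
    return {
        "benign": benign.send("http://example.test/a")["status"],       # 200, forwarded directly
        "confirmed": confirmed.send("http://example.test/b")["status"],  # 403 after the query
        "cleared": cleared.send("http://example.test/c")["status"],     # 200 after the query
        "audit": len(nsd.confirmed),
        "pending_left": len(nsd.pending),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Two points the claims leave implicit are made explicit here: the request identifier is the only link between the query and the second request, so the NSD keeps the first request's context keyed by that identifier and drops the entry once answered, and the `upstream_network` stub raises if a context header ever reaches it, which is the check a deployment of this scheme should have in its tests.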