Evaluating a questionable network communication

US 10,084,791 B2
Filed: 03/06/2018
Issued: 09/25/2018
Est. Priority Date: 08/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system for controlling communication, comprising:

a first computing system comprising;

a first processor;

a first white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties; and

a first communication evaluator module that executes on the first processor;

a second computing system comprising;

a second processor;

a second white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties; and

a second communication evaluator module that executes on the second processor;

wherein the first communication evaluator module is configured to evaluate an outbound network communication that includes a network packet, by;

determining a first communication property that is associated with the outbound network communication, the first property including a destination IP address that is stored in the network packet and that identifies the second computing system;

determining a second communication property that is one of the one or more allowable communication properties in the first white list;

determining whether the outbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the destination IP address is identified as allowable by the second communication property; and

in response to determining that the outbound network communication is allowable, transmitting the packet to the second computing system, otherwise setting an indicator that the network communication is not allowed; and

wherein the second communication evaluator module is configured to evaluate an inbound network communication, by;

determining a first communication property that is associated with the inbound network communication, the first property including a source IP address that is stored in the network packet transmitted by the first computing system, the source IP address identifying the first computing system;

determining a second communication property that is one of the one or more allowable communication properties in the second white list;

determining whether the inbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the source IP address is identified as allowable by the second communication property; and

in response to determining that the inbound network communication is allowable, forwarding the packet to a recipient program executing on the second computing system, otherwise setting an indicator that the network communication is not allowed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for evaluating a questionable network communication are disclosed. In some implementations, a network of computing systems or devices is provided. Each system includes an evaluation module that determines whether an outbound or inbound network communication is allowable based on one or more factors or properties of the communication, including one or more of an IP address, a listening port, a geographic location, time of day, or the like. The systems in the network may be configured to only communicate with other devices that are identified in a white list of trusted computing systems.

88 Citations

View as Search Results

20 Claims

1. A system for controlling communication, comprising:
- a first computing system comprising;
  
  a first processor;
  
  a first white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties; and
  
  a first communication evaluator module that executes on the first processor;
  
  a second computing system comprising;
  
  a second processor;
  
  a second white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties; and
  
  a second communication evaluator module that executes on the second processor;
  
  wherein the first communication evaluator module is configured to evaluate an outbound network communication that includes a network packet, by;
  
  determining a first communication property that is associated with the outbound network communication, the first property including a destination IP address that is stored in the network packet and that identifies the second computing system;
  
  determining a second communication property that is one of the one or more allowable communication properties in the first white list;
  
  determining whether the outbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the destination IP address is identified as allowable by the second communication property; and
  
  in response to determining that the outbound network communication is allowable, transmitting the packet to the second computing system, otherwise setting an indicator that the network communication is not allowed; and
  
  wherein the second communication evaluator module is configured to evaluate an inbound network communication, by;
  
  determining a first communication property that is associated with the inbound network communication, the first property including a source IP address that is stored in the network packet transmitted by the first computing system, the source IP address identifying the first computing system;
  
  determining a second communication property that is one of the one or more allowable communication properties in the second white list;
  
  determining whether the inbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the source IP address is identified as allowable by the second communication property; and
  
  in response to determining that the inbound network communication is allowable, forwarding the packet to a recipient program executing on the second computing system, otherwise setting an indicator that the network communication is not allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein determining whether the outbound network communication is allowable includes determining, based on an entry in the first white list, whether a destination port stored in the packet is identified as allowable by the first white list.
  - 3. The system of claim 1, wherein determining whether the outbound network communication is allowable includes:
    - determining a name or type of program that is communicating via the network communication; and
      
      determining, based on an entry in the first white list and the name or type of program, whether the program is allowed to communicate with the second computing system.
  - 4. The system of claim 1, wherein the first communication evaluator module is further configured to evaluate an inbound network communication, by:
    - determining whether or not the inbound network communication is allowable based on an entry in the first white list and a source IP address stored in a network packet received by the first computing system.
  - 5. The system of claim 1, wherein determining whether the inbound network communication is allowable is further based on whether a listening port is identified as allowable by the second white list, wherein the listening port has been opened on the second computing system.
  - 6. The system of claim 5, wherein determining whether the inbound network communication is allowable includes:
    - determining a name or type of program that is communicating via the listening port; and
      
      determining, based on an entry in the second white list and the name or type of program, whether the program is allowed to communicate via the listening port.
  - 7. The system of claim 5, further comprising:
    - determining a connection limit associated with the listening port and/or the source IP address; and
      
      determining whether a total number of current connections via the listening port is less than a maximum allowed number of connections identified in the white list.
  - 8. The system of claim 7, wherein the connection limit is further based on a geographic region associated with the source IP address.
  - 9. The system of claim 7, wherein the connection limit is expressed as one of:
    - a maximum number of current connections established via the listening port, a maximum number of connections opened via the listening port during a time interval, a maximum bandwidth utilization by connections established via the listening port.
  - 10. The system of claim 1, wherein the second communication evaluator module is further configured to:
    - determine that a denial of service attack is in progress, based on a number of connections opened during a time interval, wherein all of the connections are to a same destination address; and
      
      refuse to open additional connections to the destination address.
  - 11. The system of claim 1, wherein the first computing system is a client computing system, and wherein the second computing system is a server computing system.
  - 12. The system of claim 1, wherein the first computing system rejects all communication attempts to computing systems that are not identified in the first white list, and wherein the second computing system rejects all communication attempts from computing systems that are not identified in the second white list.

13. A method for controlling communication, comprising:
- by first communication evaluator module executing on a first computing system, evaluating an outbound network communication that includes a network packet, by;
  
  receiving a first white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
  
  determining a first communication property that is associated with the outbound network communication, the first property including a destination IP address that is stored in the network packet and that identifies a second computing system;
  
  determining a second communication property that is one of the one or more allowable communication properties in the first white list;
  
  determining whether the outbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the destination IP address is identified as allowable by the second communication property; and
  
  in response to determining that the outbound network communication is allowable, transmitting the packet to the second computing system, otherwise setting an indicator that the network communication is not allowed.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, further comprising:
    - by a second communication evaluator module executing on a second computing system, evaluating an inbound network communication by;
      
      receiving a second white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
      
      determining a first communication property that is associated with the inbound network communication, the first property including a source IP address that is stored in the network packet transmitted by the first computing system, the source IP address identifying the first computing system;
      
      determining a second communication property that is one of the one or more allowable communication properties in the second white list;
      
      determining whether the inbound network communication is allowable, based on whether the first communication property is encompassed by the second communication property, including whether the source IP address is identified as allowable by the second communication property; and
      
      in response to determining that the inbound network communication is allowable, forwarding the packet to a recipient program executing on the second computing system, otherwise setting an indicator that the network communication is not allowed.
  - 15. The method of claim 14, wherein determining whether the inbound network communication is allowable is further based on whether a listening port is identified as allowable by the second white list, wherein the listening port has been opened on the second computing system.
  - 16. The method of claim 15, wherein determining whether the inbound network communication is allowable includes:
    - determining a name or type of program that is communicating via the listening port; and
      
      determining a connection limit associated with the listening port and/or the source IP address; and
      
      determining whether a total number of current connections via the listening port is less than a maximum allowed number of connections identified in the white list; and
      
      determining, based on an entry in the second white list, the name or type of program, and the maximum allowed number of connections, whether the program is allowed to communicate via the listening port.
  - 17. The method of claim 13, wherein determining whether the outbound network communication is allowable includes determining, based on an entry in the first white list, whether a destination port stored in the packet is identified as allowable by the first white list.
  - 18. The method of claim 13, wherein determining whether the outbound network communication is allowable includes:
    - determining a name or type of program that is communicating via the network communication; and
      
      determining, based on an entry in the first white list and the name or type of program, whether the program is allowed to communicate with the second computing system.
  - 19. The method of claim 13, wherein the first communication evaluator module is further configured to evaluate an inbound network communication, by:
    - determining whether or not the inbound network communication is allowable based on an entry in the first white list and a source IP address stored in a network packet received by the first computing system.

20. A non-transitory computer readable medium, comprising executable instructions for causing a first computing system to perform a method comprising:
- by first communication evaluator module executing on the first computing system,evaluating an outbound network communication that includes a first network packet, by;
  
  receiving a first white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
  
  determining whether the outbound network communication is allowable, based on whether a destination IP address in the network packet is identified as allowable based on the white list; and
  
  in response to determining that the outbound network communication is allowable, transmitting the packet to the second computing system, otherwise setting an indicator that the network communication is not allowed; and
  
  evaluating an inbound network communication that includes a second network packet, by;
  
  determining whether the inbound network communication is allowable, based on (1) whether a source IP address in the network packet is identified as allowable based on the white list and (2) whether a listening port that is open and has received the second network packet is identified as allowable based on the white list; and
  
  in response to determining that the inbound network communication is allowable, forwarding the packet to a recipient program executing on the first computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daniel Chien
Original Assignee
Daniel Chien
Inventors
Chien, Daniel
Primary Examiner(s)
Algibhah, Hamza N

Application Number

US15/913,889
Publication Number

US 20180198796A1
Time in Patent Office

203 Days
Field of Search

709229
US Class Current
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 45/74   Address processing for routing

H04L 61/2514   between local and global IP...

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

Evaluating a questionable network communication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating a questionable network communication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links