Methods and systems for identifying data sessions at a VPN gateway

US 10,313,494 B2
Filed: 06/05/2017
Issued: 06/04/2019
Est. Priority Date: 03/27/2014
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting data packets from a host to a destination via a virtual private network (VPN) connection at a first VPN gateway, the method comprising:

A) receiving encapsulated packets via the VPN connection, wherein the encapsulated packets encapsulate the data packets originated from the host;

B) decapsulating the encapsulated packets to retrieve the data packets;

C) determining whether the data packets originated from an IoT device based on a control message received from a second VPN gateway;

D) when the host is the IoT device;

i) performing deep packet inspection (DPI) on the data packets;

ii) determining whether the data packets are allowed to be transmitted to the destination;

iii) transmitting the data packets when the data packets are allowed to be transmitted to the destination;

iv) storing the data packets for further processing when the data packets are not allowed to be transmitted to the destination;

E) when the host is not an IoT device;

i) performing deep packet inspection (DPI) on the data packets for collecting information on the data packets to update a DPI database; and

ii) transmitting the data packets to the destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for transmitting data packets from a host to a destination via a virtual private network (VPN) connection at a VPN gateway. VPN gateway receives encapsulated packets via the VPN connection. The encapsulated packets encapsulate the data packets originated from the host. VPN gateway decapsulates the encapsulated packets to retrieve the data packets. VPN gateway determines whether the data packets originated from an IoT device based on IP address of the host. When the host is the IoT device, VPN gateway performs deep packet inspection (DPI) on the data packets. VPN gateway determines whether the data packets are allowed to be transmitted to the destination. When the data packets are allowed to be transmitted to the destination, VPN gateway transmits the data packets to the destination.

Citations

20 Claims

1. A method for transmitting data packets from a host to a destination via a virtual private network (VPN) connection at a first VPN gateway, the method comprising:
- A) receiving encapsulated packets via the VPN connection, wherein the encapsulated packets encapsulate the data packets originated from the host;
  
  B) decapsulating the encapsulated packets to retrieve the data packets;
  
  C) determining whether the data packets originated from an IoT device based on a control message received from a second VPN gateway;
  
  D) when the host is the IoT device;
  
  i) performing deep packet inspection (DPI) on the data packets;
  
  ii) determining whether the data packets are allowed to be transmitted to the destination;
  
  iii) transmitting the data packets when the data packets are allowed to be transmitted to the destination;
  
  iv) storing the data packets for further processing when the data packets are not allowed to be transmitted to the destination;
  
  E) when the host is not an IoT device;
  
  i) performing deep packet inspection (DPI) on the data packets for collecting information on the data packets to update a DPI database; and
  
  ii) transmitting the data packets to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10)
- - 2. The method according to claim 1, wherein the host is the IoT device and further comprising:
    - determining whether an address of the destination is on a whitelist;
      
      and when the address of the destination is on the whitelist;
      
      performing step D)i).
  - 3. The method according to claim 1, wherein the first VPN gateway is a VPN hub, wherein the VPN hub establishes one or more VPN connections with one or more other VPN gateways respectively, wherein the one or more other VPN gateways include the second VPN gateway.
  - 4. The method according to claim 1, further comprising:
    - after step D)i);
      
      identifying one or more data sessions the data packets belong to;
      
      updating a DPI database based on the one or more data sessions;
      
      displaying information corresponding to the one or more data sessions at a user interface, wherein the information comprises one or more of the following;
      
      correlation between IP addresses, protocols of encapsulating packets, host identity, VPN gateway identity, applications name, websites identity, and statistical information related to data sessions, wherein the information is retrieved from the DPI database; and
      
      performing step D)ii).
  - 5. The method according to claim 4, wherein the step of updating includes adding a new record in the DPI database if one or more data sessions are identified the first time.
  - 6. The method according to claim 5, wherein the information is categorized according to a plurality of categories.
  - 7. The method according to claim 6, wherein the information includes correlation among items in the plurality of categories.
  - 8. The method according to claim 7, wherein the user interface is shown on a display, wherein the display is not coupled to the VPN gateway.
  - 10. The method according to claim 2 or claim 9, wherein the whitelist is stored in one of, the VPN gateway or a remote server.

9. A method for transmitting data packets from a host to a destination via a virtual private network (VPN) connection at a first VPN gateway, the method comprising:
- E) receiving encapsulated packets via the VPN connection, wherein the encapsulated packets encapsulate the data packets originated from the host;
  
  F) decapsulating the encapsulated packets to retrieve the data packets;
  
  G) determining whether the data packets originated from an IoT device based on a control message received from a second VPN gateway;
  
  H) wherein when the host is the IoT device;
  
  i) determining whether an address of the destination is on a whitelist;
  
  ii) transmitting the data packets when the address of the destination is on the whitelist;
  
  iii) storing the data packets for further processing when the address of the destination is not on the whitelist; and
  
  I) when the host is not an IoT device;
  
  i) transmitting the data packets to the destination.

11. A first VPN gateway for transmitting data packets transmitted from a host to a destination via a VPN connection, comprising:
- at least one network interface;
  
  at least one processing unit;
  
  at least one main memory; and
  
  at least one computer readable storage medium comprising program instructions executable by the at least one processing unit for;
  
  A) receiving encapsulated packets via the VPN connection, wherein the encapsulated packets encapsulate the data packets originated from the host;
  
  B) decapsulating the encapsulated packets to retrieve the data packets;
  
  C) determining whether the data packets originated from an IoT device based on a control message received from a second VPN gateway;
  
  D) when the host is the IoT device;
  
  i) performing deep packet inspection (DPI) on the data packets;
  
  ii) determining whether the data packets are allowed to be transmitted to the destination;
  
  iii) transmitting the data packets when the data packets are allowed to be transmitted to the destination;
  
  iv) storing the data packets for further processing when the data packets are not allowed to be transmitted to the destination;
  
  E) when the host is not an IoT device;
  
  i) performing deep packet inspection (DPI) on the data packets for collecting information on the data packets to update a DPI database; and
  
  ii) transmitting the data packets to the destination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 20)
- - 12. The first VPN gateway of claim 11, wherein the at least one computer readable storage medium further comprises program instructions executable by the at least one processing unit to perform the operation of, when the host is the IoT device, determining whether an address of the destination is on a whitelist and when the address of the destination is on the whitelist:
    - performing step D)i).
  - 13. The first VPN gateway of claim 11, wherein the first VPN gateway is a VPN hub, wherein the VPN hub establishes one or more VPN connections with one or more other VPN gateways respectively, wherein the one or more other VPN gateways includes the second VPN gateways.
  - 14. The first VPN gateway of claim 11, wherein the at least one computer readable storage medium further comprises program instructions executable by the at least one processing unit to perform, after step D)i), the operation of:
    - identifying one or more data sessions the data packets belong to;
      
      updating a DPI database based on the one or more data sessions;
      
      displaying information corresponding to the one or more data sessions at a user interface, wherein the information comprises one or more of the following;
      
      correlation between IP addresses, protocols of encapsulating packets, host identity, VPN gateway identity, applications name, websites identity, and statistical information related to data sessions, wherein the information is retrieved from the DPI database; and
      
      performing step D)ii).
  - 15. The first VPN gateway of claim 14, wherein the step of updating includes adding a new record in the DPI database if one or more data sessions are identified for the first time.
  - 16. The first VPN gateway of claim 15, wherein the information is categorized according to a plurality of categories.
  - 17. The first VPN gateway of claim 16, wherein the information includes correlation among items in the plurality of categories.
  - 18. The first VPN gateway of claim 17, wherein the user interface is shown on a display, wherein the display is not coupled to the first VPN gateway.
  - 20. The first VPN gateway of claim 12 or claim 19, wherein the whitelist is stored in one of, the first VPN gateway or a remote server.

19. A first VPN gateway for transmitting data packets transmitted from a host to a destination via a VPN connection, comprising:
- at least one network interface;
  
  at least one processing unit;
  
  at least one main memory; and
  
  at least one computer readable storage medium comprising program instructions executable by the at least one processing unit for;
  
  E) receiving encapsulated packets via the VPN connection, wherein the encapsulated packets encapsulate the data packets originated from the host;
  
  F) decapsulating the encapsulated packets to retrieve the data packets;
  
  G) determining whether the data packets originated from an IoT device based on a control message received from a second VPN gateway;
  
  H) wherein when the host is the IoT device;
  
  i) determining whether an address of the destination is on a whitelist;
  
  ii) transmitting the data packets when the address of the destination is on the whitelist;
  
  iii) storing the data packets for further processing when the address of the destination is not on the whitelist, andI) when the host is not an IoT device;
  
  i) transmitting the data packets to the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pismo Labs Technology Limited
Original Assignee
Pismo Labs Technology Limited
Inventors
Kwan, Ying, Lam, Ho Cheung, Leung, Wan Chun, Chau, Kit Wai
Primary Examiner(s)
Patel, Ajit

Application Number

US15/613,412
Publication Number

US 20170272554A1
Time in Patent Office

729 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 12/413   with random access, e.g. ca...

H04L 12/417   with deterministic access, ...

H04L 12/4625   Single bridge functionality...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/64   Hybrid switching systems

H04L 12/6418   Hybrid transport

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/106   using time related informat...

H04L 43/18   Protocol analysers

H04L 47/2483   involving identification of...

H04L 61/2514   between local and global IP...

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 69/22   Parsing or analysis of headers

Methods and systems for identifying data sessions at a VPN gateway

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for identifying data sessions at a VPN gateway

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links