Methods for internet communication security

US 10,367,811 B2
Filed: 04/10/2018
Issued: 07/30/2019
Est. Priority Date: 10/06/2017
Status: Active Grant

First Claim

Patent Images

1. A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device of the plurality of network computing devices to perform communication management operations, the communication management operations comprising:

i) forming a configured communication pathway by configuring a pre-established communication pathway to exclusively communicate application data between a first user-application on the first computing device and a second user-application on a second computing device of the plurality of network computing devices, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising;

a) sending a first configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet;

b) receiving a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet;

c) confirming, in a kernel space of the first computing device, that the second computing device is authorized to communicate with the first user-application, comprising;

matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device;

d) further sending a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is exclusive to the first user-application and the second user-application;

e) further receiving a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and

<

f) further confirming, in the kernel space of the first computing device, that the second user-application is authorized to receive the application data from the first user-application, comprising;

further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is exclusive to the second user-application and the first user-application; and

ii) preventing any transport layer ports used by the configured communication pathway from being used by any other communication pathway.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

175 Citations

30 Claims

1. A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device of the plurality of network computing devices to perform communication management operations, the communication management operations comprising:
- i) forming a configured communication pathway by configuring a pre-established communication pathway to exclusively communicate application data between a first user-application on the first computing device and a second user-application on a second computing device of the plurality of network computing devices, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising;
  
  a) sending a first configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet;
  
  b) receiving a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet;
  
  c) confirming, in a kernel space of the first computing device, that the second computing device is authorized to communicate with the first user-application, comprising;
  
  matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device;
  
  d) further sending a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is exclusive to the first user-application and the second user-application;
  
  e) further receiving a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and
  
  <
  
  f) further confirming, in the kernel space of the first computing device, that the second user-application is authorized to receive the application data from the first user-application, comprising;
  
  further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is exclusive to the second user-application and the first user-application; and
  
  ii) preventing any transport layer ports used by the configured communication pathway from being used by any other communication pathway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The product of claim 1, wherein the communication management operations further comprise:
    - i) interrupting, on the first computing device, a connection request from the first user-application that requests a connection with a transport layer destination port that is assigned to the second user-application, the connection request comprising a destination port number for the destination port;
      
      ii) decrypting an encrypted read-only file and identifying a data record in the file that contains the destination port number in a destination port number field of the identified data record in the file, the file stored locally on the first computing device; and
      
      iii) verifying, in the kernel space of the first computing device, that the nonpublic first user-application identifier is present in a local user-application identification field of the identified data record and that the received nonpublic second user-application identifier is present in a remote user-application identification field of the identified data record.
  - 3. The product of claim 2, wherein the identified data record is the only data record in the file that contains the destination port number in the destination port number field.
  - 4. The product of claim 2, wherein the communication management operations prevent all user-applications from directly connecting to remote computing devices.
  - 5. The product of claim 2, wherein the communication management operations redirect all requests from user-applications to connect to remote computing devices to a loopback interface.
  - 6. The product of claim 2, wherein the communication management operations executed on the first computing device further comprise:
    - i) receiving a series of further network packets, the series of further network packets comprising (a) the application data, and (b) encrypted parameters in application layer portions of the further network packets;
      
      ii) decrypting, in the kernel space of the first computing device, the encrypted parameters using decryption keys to obtain decrypted parameters; and
      
      iii) confirming that the decrypted parameters match the nonpublic second user-application code prior to passing the application data to the first user-application.
  - 7. The product of claim 2, wherein the communication management operations executed on the first computing device further comprise:
    - i) receiving a series of further network packets, the series of further network packets comprising (a) at least portions of the application data, and (b) encrypted parameters in application layer portions of the further network packets;
      
      ii) decrypting, in the kernel space of the first computing device, the encrypted parameters using decryption keys to obtain decrypted parameters; and
      
      iii) confirming that the decrypted parameters match the nonpublic second user-application code prior to passing the at least portions of the application data to the first user-application.
  - 8. The product of claim 7, wherein the series of further network packets comprise all communications of user space data via the configured communication pathway.
  - 9. The product of claim 7, wherein the nonpublic first user-application identifier is further exclusive to one or more content requirements for the application data.
  - 10. The product of claim 7, wherein the communication management operations performed in the kernel space of the first computing device further comprise:
    - confirming that the at least portions of the application data conform to the one or more content requirements.
  - 11. The product of claim 7, wherein the one or more content requirements comprise a data range.
  - 12. The product of claim 7, wherein the one or more content requirements comprise a command type authorized to be present in the application data.
  - 13. The product of claim 7, wherein the one or more content requirements comprise a command type that is prohibited from being present in the application data.
  - 14. The product of claim 7, wherein the decryption keys are not applied to the application data.
  - 15. The product of claim 7, wherein the decryption keys are a series of different single-use decryption keys.
  - 16. The product of claim 2, wherein the pre-established communication pathway is configured to form the configured communication pathway prior to sending any data to the destination port.
  - 17. The product of claim 2, wherein the identified data record further comprises a flag in a flag field of the data record, the flag specifying whether the configured communication pathway is authorized for unidirectional or bidirectional data flow between the first user-application and the second user-application.
  - 18. The product of claim 2, wherein the communication management operations executed on the first computing device further comprise:
    - i) receiving a further network packet, the further network packet comprising (a) at least a portion of the application data, and (b) an encrypted parameter in an application layer portion of the further network packet;
      
      ii) decrypting, in the kernel space of the first computing device, the encrypted parameter using a decryption key to obtain a decrypted parameter; and
      
      iii) confirming that the decrypted parameter matches the nonpublic second user-application code prior to passing the at least a portion of the application data to the first user-application.
  - 19. The product of claim 1, wherein the pre-established communication pathway is a TCP connection.
  - 20. The product of claim 1, wherein the nonpublic first device identifier has a size of at least 2048 bits, wherein at least 90% of the nonpublic first device identifier is a randomly generated number.
  - 21. The product of claim 1, wherein the nonpublic first user-application identifier comprises an application identifier for the first user-application, a process owner identifier for the first user, and a randomly generated number.
  - 22. The product of claim 1, wherein the configuring comprises:
    - verifying that an authorized functional counterpart of the computer-readable program code is running on the second computing device.
  - 23. The product of claim 22, wherein the configured communication pathway uses a dedicated transport layer port for a process that performs at least a portion of the communication management operations in the kernel space of the first computing device.
  - 24. The product of claim 23, wherein the configured communication pathway uses a dedicated transport layer for a functional counterpart of the computer-readable program code on the second computing device.
  - 25. The product of claim 1, wherein the computer-readable program code comprises at least one kernel loadable module.
  - 26. The product of claim 1, wherein the first user-application is industrial control software.
  - 27. The product of claim 1, wherein the first user-application is a healthcare app.
  - 28. The product of claim 1, wherein the first computing device is a mobile device.
  - 29. The product of claim 1, wherein a portion of the communication management operations are configured for execution in an application space of the first computing device.
  - 30. The product of claim 1, wherein the nonpublic first device identifier, the nonpublic first user-application identifier, the nonpublic second device code, and the nonpublic second user-application code are shared secrets between the first computing device and the second computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
StealthPath, Inc.
Original Assignee
StealthPath, Inc.
Inventors
Clark, Mike, Gordon, Andrew, Clark, Matt
Primary Examiner(s)
Goodchild, William J.

Application Number

US15/949,749
Publication Number

US 20190109848A1
Time in Patent Office

476 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6263   during internet communicati...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0428   wherein the data content is...

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

H04L 67/12   specially adapted for propr...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3228   One-time or temporary data,...

H04W 4/70   Services for machine-to-mac...

Methods for internet communication security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

175 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Methods for internet communication security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others