Methods for internet communication security

US 10,374,803 B2
Filed: 10/05/2018
Issued: 08/06/2019
Est. Priority Date: 10/06/2017
Status: Active Grant

First Claim

Patent Images

1. A product for authorizing network communications in a hypervisor, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable in a hypervisor to perform communication management operations, the communication management operations comprising:

i) intercepting a first network packet in the hypervisor, the first network packet comprising a first higher-than-OSI layer three portion;

ii) decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters;

iii) authorizing the first network packet in the hypervisor, comprising;

comparing the one or more first packet parameters with one or more first expected values; and

iv) passing the authorized first network packet to a virtual device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

171 Citations

24 Claims

1. A product for authorizing network communications in a hypervisor, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable in a hypervisor to perform communication management operations, the communication management operations comprising:
- i) intercepting a first network packet in the hypervisor, the first network packet comprising a first higher-than-OSI layer three portion;
  
  ii) decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters;
  
  iii) authorizing the first network packet in the hypervisor, comprising;
  
  comparing the one or more first packet parameters with one or more first expected values; and
  
  iv) passing the authorized first network packet to a virtual device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The product of claim 1, wherein the communication management operations further comprise:
    - i) detecting negotiation of a secure communication pathway between a first remote node and the virtual device, the negotiation comprising a series of network packet communications between the first remote node and the virtual device;
      
      ii) aligning a series of cryptographic keys utilized in the hypervisor with a series of cryptographic keys utilized in the virtual device;
      
      iii) monitoring the series of network packet communications; and
      
      iv) confirming success of the negotiation prior to the passing the authorized first network packet.
  - 3. The product of claim 2, wherein the monitoring comprises:
    - a) detecting a nonpublic first identification code sent from the virtual device to a software port on the first remote node via a pre-established communication pathway;
      
      followed byb) further detecting a nonpublic second identification code sent from the remote node; and
      
      c) comparing the nonpublic second identification code with a pre-established value for the first remote node.
  - 4. The product of claim 3, wherein the communication management operations comprise:
    - determining the pre-established value for the first remote node from a software port number assigned to the software port.
  - 5. The product of claim 3, wherein the monitoring comprises:
    - a) detecting a first application identification code for a first user-application sent from the virtual device to the first remote node via the pre-established communication pathway;
      
      followed byb) detecting a second application identification code for a second user-application sent from the first remote node; and
      
      c) comparing the second application identification code with a pre-established value for the second user-application.
  - 6. The product of claim 5, wherein the communication management operations comprise:
    - determining the pre-established value for the first remote node from the software port number.
  - 7. The product of claim 1, wherein the communication management operations comprise:
    - determining the one or more first expected values from a one-to-one correspondence with an n-tuple comprising the one or more first expected values, a destination port number of the first network packet, and a destination network address of the first network packet.
  - 8. The product of claim 7, wherein the one or more first packet parameters comprise a source application identification code, the source application identification code referencing a source application program for the first network packet.
  - 9. The product of claim 8, wherein the one or more first packet parameters comprise a data model identification code.
  - 10. The product of claim 9, wherein the communication management operations comprise:
    - confirming at least a portion of a payload of the first network packet conforms to a data range, the data range determined from the data model identification code.
  - 11. The product of claim 9, wherein the communication management operations comprise:
    - confirming at least a portion of the payload of the first network packet conforms to a command type restriction, the command type restriction determined from the data model identification code.
  - 12. The product of claim 9, wherein the communication management operations comprise:
    - translating a first payload of the first network packet from a first pre-established format to a second pre-established format, the first pre-established format and the second pre-established format determined from the data model identification code and/or the destination port number.
  - 13. The product of claim 7, wherein the communication management operations comprise:
    - obtaining the one-to-one correspondence from an encrypted file loaded into memory of the hypervisor.
  - 14. The product of claim 7, wherein the communication management operations comprise:
    - obtaining the one-to-one correspondence from the virtual device via at least one encrypted communication pathway.
  - 15. The product of claim 1, wherein the communication management operations further comprise:
    - i) intercepting a second network packet in the hypervisor, the second network packet ingressed from the virtual device, the second network packet comprising a second higher-than-OSI layer three portion;
      
      ii) decrypting, with a single-use cryptographic key, at least a portion of the second higher-than-OSI layer three portion to obtain at least one packet parameter;
      
      iii) authorizing the second network packet in the hypervisor, comprising;
      
      comparing the one or more second packet parameters with one or more second expected values; and
      
      iv) passing the authorized second network packet to a remote second node.
  - 16. The product of claim 1, wherein the virtual device is a virtual machine.
  - 17. The product of claim 1, wherein the virtual device is a container.
  - 18. The product of claim 1, wherein the communication management operations comprise:
    - obtaining the at least one packet parameter from a payload of the first network packet.
  - 19. The product of claim 1, wherein the first remote node is a bare metal device.
  - 20. The product of claim 1, wherein the first remote node is a further virtual device.
  - 21. The product of claim 1, wherein the hypervisor provides at least one virtual interface to the virtual device.
  - 22. The product of claim 1, wherein the communication management operations are configured for a Type 1 hypervisor.
  - 23. The product of claim 1, wherein the communication management operations are configured for a Type 2 hypervisor.
  - 24. The product of claim 1, wherein the communication management operations are transparent to the virtual device and all computer programs running on the virtual device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
StealthPath, Inc.
Original Assignee
StealthPath, Inc.
Inventors
Clark, Mike, Gordon, Andrew, Clark, Matt
Primary Examiner(s)
Goodchild, William J.

Application Number

US16/153,409
Publication Number

US 20190109714A1
Time in Patent Office

305 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 9/45558   Hypervisor-specific managem...

H04L 45/745   Address table lookup; Addre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

H04L 63/205   involving negotiation or de...

H04L 67/565   Conversion or adaptation of...

H04L 69/08   Protocols for interworking;...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

H04L 9/3228   One-time or temporary data,...

Methods for internet communication security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

171 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for internet communication security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links