Methods for internet communication security

US 10,375,019 B2
Filed: 10/05/2018
Issued: 08/06/2019
Est. Priority Date: 10/06/2017
Status: Active Grant

First Claim

Patent Images

1. A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device to perform communication management operations, the communication management operations comprising:

i) consuming a first network packet to obtain an application layer first payload and a first port number, the first port number assigned to a transport layer first port for an end-user application program on a second computing device;

ii) decrypting an encrypted read-only first file and identifying a data record in the first file that contains the first port number in a first port number field of the identified data record in the first file, the first file stored locally on the first computing device;

iii) confirming the application layer first payload conforms to one or more formatting requirements named in the identified data record in the first file;

iv) negotiating an encrypted TCP connection with a network security software running on the second computing device, the encrypted TCP connection dedicated exclusively to routing communications that are a) directed to and/or originating from the transport layer first port, and b) formatted according to the named formatting requirements;

v) forming a second network packet, comprising;

inserting into an application layer portion of the second network packet;

a) at least a portion of the application layer first payload, b) a nonpublic identifier that is unique to the program code executable by the first computing device, c) a nonpublic user-identifier for a process owner running the program code executable by the first computing device, and d) an identifier for the one or more formatting requirements; and

vi) sending the second network packet to the network security software via the encrypted TCP connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

Citations

22 Claims

1. A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device to perform communication management operations, the communication management operations comprising:
- i) consuming a first network packet to obtain an application layer first payload and a first port number, the first port number assigned to a transport layer first port for an end-user application program on a second computing device;
  
  ii) decrypting an encrypted read-only first file and identifying a data record in the first file that contains the first port number in a first port number field of the identified data record in the first file, the first file stored locally on the first computing device;
  
  iii) confirming the application layer first payload conforms to one or more formatting requirements named in the identified data record in the first file;
  
  iv) negotiating an encrypted TCP connection with a network security software running on the second computing device, the encrypted TCP connection dedicated exclusively to routing communications that are a) directed to and/or originating from the transport layer first port, and b) formatted according to the named formatting requirements;
  
  v) forming a second network packet, comprising;
  
  inserting into an application layer portion of the second network packet;
  
  a) at least a portion of the application layer first payload, b) a nonpublic identifier that is unique to the program code executable by the first computing device, c) a nonpublic user-identifier for a process owner running the program code executable by the first computing device, and d) an identifier for the one or more formatting requirements; and
  
  vi) sending the second network packet to the network security software via the encrypted TCP connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The product of claim 1, wherein the first network packet is received from a first NIC, wherein the encrypted TCP connection is configured to not traverse the first NIC.
  - 3. The product of claim 1, wherein the at least a portion of the application layer first payload is all of the application layer first payload.
  - 4. The product of claim 1, wherein the one or more formatting requirements comprises a data type.
  - 5. The product of claim 1, wherein the one or more formatting requirements comprises a data range.
  - 6. The product of claim 1, wherein the first file is a binary file with variable data record lengths.
  - 7. The product of claim 1, wherein the nonpublic identifier that is unique to the program code executable by the first computing device, the nonpublic user-identifier for the process owner running the program code executable by the first computing device, or the identifier for the one or more formatting requirements are encrypted separately from the at least a portion of the application layer first payload inserted into the second network packet.
  - 8. The product of claim 1, further comprising:
    - i) obtaining a source port number for the first network packet; and
      
      ii) comparing the source port number to a list of port numbers authorized to provide data for communication to the end-user application and the user for the end-user application on the second computing device.
  - 9. The product of claim 1, wherein the communication management operations further comprise:
    - translating, prior to forming the second network packet, the at least a portion of the application layer first payload to a pre-established format expected by the network security software on the second computing device.
  - 10. The product of claim 9, wherein the communication management operations comprise determining the pre-established format based at least on the named formatting requirements.
  - 11. The product of claim 1, further comprising:
    - confirming the application layer first payload conforms to one or more content requirements named in the identified data record in the first file.
  - 12. The product of claim 11, wherein the one or more content requirements comprises a command type authorized to be present in the application layer first payload.
  - 13. The product of claim 11, wherein the one or more content requirements comprises a command type that is prohibited from being present in the application layer first payload.
  - 14. The product of claim 1, further comprising:
    - configuring the encrypted TCP connection for dedicated communications prior to the sending the second network packet, comprising;
      
      a) sending a nonpublic first identification code for the first computing device to the network security software via the encrypted TCP connection;
      
      b) receiving, in response to the sending the nonpublic first identification code for the first computing device, a nonpublic second identification code for the second computing device in an application layer portion of a third network packet; and
      
      c) comparing, in a kernel running on the first computing device, the nonpublic second identification code with a pre-established value for the second computing device.
  - 15. The product of claim 14, further comprising:
    - configuring the encrypted TCP connection for dedicated communications prior to the sending the second network packet, comprising;
      
      a) sending the nonpublic identifier that is unique to the program code executable by the first computing device and the nonpublic user-identifier for the process owner running the program code executable by the first computing device to the network security software via the encrypted TCP connection;
      
      b) receiving, in response to the sending the nonpublic identifier that is unique to the program code executable by the first computing device and the nonpublic user-identifier for the process owner running the program code executable by the first computing device, an identification code that is unique for the end-user application program on the second computing device and a nonpublic user-identifier of the end-user application program on the second computing device in an application layer portion of a fourth network packet; and
      
      c) comparing, in the kernel running on the first computing device, the remote application identification code with a pre-established value for the end-user application program and the nonpublic user-identifier of the end-user application program with a pre-established value for the user of the end-user application.
  - 16. The product of claim 15, further comprising:
    - configuring the encrypted TCP connection for dedicated communications prior to the sending the second network packet, comprising;
      
      a) sending the identifier for the one or more formatting requirements to the network security software via the encrypted TCP connection;
      
      b) receiving, in response to the sending the identifier for the one or more formatting requirements, the identifier for the one or more formatting requirements in the application layer portion of the fourth network packet; and
      
      c) comparing, in the kernel running on the first computing device, the received identifier for the one or more formatting requirements with a pre-established value for the identifier for the one or more formatting requirements.
  - 17. The product of claim 16, wherein the comparing the nonpublic second identification code, the comparing the remote application identification code, and the comparing the received identifier for the one or more formatting requirements are performed prior to the sending the second network packet.
  - 18. The product of claim 16, wherein the third network packet and the fourth network packet are the same network packet.
  - 19. The product of claim 16, further comprising:
    - i) decrypting an encrypted read-only second file and identifying a data record in the second file that contains the first port number in a first port number field of the identified data record in the second file, the second file stored locally on the first computing device; and
      
      ii) obtaining from the identified data record in the second file;
      
      a) the nonpublic first identification code;
      
      b) the pre-established value for the second computing device;
      
      c) the nonpublic identifier that is unique to the program code executable by the first computing device;
      
      d) the nonpublic user-identifier for the process owner running the program code executable by the first computing device;
      
      e) the pre-established value for the end-user application program;
      
      orf) the pre-established value for the user of the end-user application.
  - 20. The product of claim 19, wherein the first file and the second file are pre-loaded on the first computing device prior to the consuming the first network packet.
  - 21. The product of claim 19, wherein the identified data record in the first file is the only data record in the first file containing the first port number.
  - 22. The product of claim 19, wherein the identified data record in the second file is the only data record in the second file containing the first port number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
StealthPath, Inc.
Original Assignee
StealthPath, Inc.
Inventors
Clark, Mike, Gordon, Andrew, Clark, Matt
Primary Examiner(s)
Lipman, Jacob

Application Number

US16/153,448
Publication Number

US 20190109820A1
Time in Patent Office

305 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 47/19   at layers above the network...

H04L 47/24   Traffic characterised by sp...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0876   based on the identity of th...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/164   at the network layer

H04L 69/22   Parsing or analysis of headers

H04L 9/0861   Generation of secret inform...

H04L 9/16   the keys or algorithms bein...

H04L 9/3273   for mutual authentication n...

Methods for internet communication security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for internet communication security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links