Application signature authorization

US 10,382,398 B2
Filed: 06/30/2014
Issued: 08/13/2019
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a connection, the method comprising:

establishing a connection between a user client device and a server, the user client device having a plurality of applications, wherein the connection is established by the server and the user client device communicating over a computer network;

receiving data from the user client device via the established connection, the received data including authentication information for authenticating a user of the user client device;

classifying the user client device based on an identified device type of the user client device and an identified user type of the authenticated user, wherein the user client device classification is associated with an application control policy that allows application access to specified application data;

receiving application information derived from a requested application of the plurality of applications from the user client device in accordance with the application control policy associated with the user client device classification, wherein the application information derived from the requested application includes a signature generated at the user client device, and the signature is generated from an application certificate corresponding to the requested application; and

comparing the signature included in the application information to authorization information stored at the server, wherein the requested application is approved or denied based on the comparison.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The applications may be analyzed to determine whether the application is good or bad, as what security configurations, approvals and denials are associated with the application.

Citations

36 Claims

1. A method for establishing a connection, the method comprising:
- establishing a connection between a user client device and a server, the user client device having a plurality of applications, wherein the connection is established by the server and the user client device communicating over a computer network;
  
  receiving data from the user client device via the established connection, the received data including authentication information for authenticating a user of the user client device;
  
  classifying the user client device based on an identified device type of the user client device and an identified user type of the authenticated user, wherein the user client device classification is associated with an application control policy that allows application access to specified application data;
  
  receiving application information derived from a requested application of the plurality of applications from the user client device in accordance with the application control policy associated with the user client device classification, wherein the application information derived from the requested application includes a signature generated at the user client device, and the signature is generated from an application certificate corresponding to the requested application; and
  
  comparing the signature included in the application information to authorization information stored at the server, wherein the requested application is approved or denied based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the signature includes a hash of at least the application certificate.
  - 3. The method of claim 2, wherein a failed request to access a corporate network is detected from a trusted user and client device pair.
  - 4. The method of claim 3, wherein the hash of the at least application certificate is added to the application information for the failed request, and subsequent requests having the added hash of the at least application certificate or including information that is listed in a list of failed requests corresponding to the application will be denied.
  - 5. The method of claim 2, wherein the hash is also created from the application information.
  - 6. The method of claim 5, wherein the hash changes based on changes to the application information.
  - 7. The method of claim 1, further comprising:
    - comparing the signature to a table of application signatures and corresponding application classifications; and
      
      processing traffic for the application based on the application classification.
  - 8. The method of claim 7, further comprising identifying that the application is classified as a bad application, and blocking the application traffic based on identifying that the application is classified as the bad application.
  - 9. The method of claim 7, further comprising identifying that the application is classified as a good application, and allowing the application traffic based on identifying that the application is classified as the good application.
  - 10. The method of claim 1, further comprising collecting application level information;
    - and comparing the application level information to an application policy to identify compliance of the application.
  - 11. The method of claim 10, further comprising adding a code signature for a trusted application to a list of code signatures that are acceptable for the trusted application.
  - 12. The method of claim 1, further comprising identifying that the application information does not satisfy a policy rule;
    - and processing traffic for the requested application based on the application information corresponding to a trusted application.

13. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for establishing a connection, the method comprising:
- establishing a connection between a user client device and a server, the user client device having a plurality of applications;
  
  receiving data from the user client device via the established connection, the received data including authentication information for authenticating a user of the user client device;
  
  classifying the user client device based on an identified device type of the user client device and an identified user type of the authenticated user, wherein the user client device classification is associated with an application control policy that allows application access to specified application data;
  
  receiving application information derived from a requested application of the plurality of applications from the user client device in accordance with the application control policy associated with the user client device classification, wherein the application information derived from the requested application includes a signature generated at the user client device, and the signature is generated from an application certificate corresponding to the requested application; and
  
  comparing the signature included in the application information to authorization information stored at the server, wherein the requested application is approved or denied based on the comparison.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the signature includes a hash of at least the application certificate.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein a failed request to access a corporate network is detected from a trusted user and client device pair.
  - 16. The non-transitory computer readable medium of claim 15, wherein the hash of the at least application certificate is added to the application information for the failed request, and subsequent requests having the added hash of the at least application certificate or including information that is listed in a list of failed requests corresponding to the application will be denied.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein the hash is also created from the application information.
  - 18. The non-transitory computer readable medium of claim 17, wherein the hash changes based on changes to the application information.
  - 19. The non-transitory computer readable storage medium of claim 13, the program further executable to:
    - compare the hash to a table of application hashes and corresponding application classifications; and
      
      process traffic for the application based on the application classification.
  - 20. The non-transitory computer readable storage medium of claim 19, the program further executable to identify that the application is classified as a bad application, wherein the application traffic corresponding to the bad application is blocked after the application is identified as being classified as the bad application.
  - 21. The non-transitory computer readable storage medium of claim 19, the program further executable to identify that the application is classified as a good application, wherein the application traffic corresponding to the good application is blocked after the application is identified as being classified as the good application.
  - 22. The non-transitory computer readable storage medium of claim 13, the program further executable to:
    - collect application level information; and
      
      compare the application level information to an application policy tocompliance of the application.
  - 23. The non-transitory computer readable storage medium of claim 13, the program further executable to:
    - identify that the application information does not satisfy a policy rule; and
      
      process traffic for the requested application of based on the application information corresponding to a trusted application.
  - 24. The non-transitory computer readable storage medium of claim 23, the program further executable to add a code signature for the trusted application to a list of code signatures that are acceptable for the trusted application.

25. A system for establishing a connection, the system including:
- a server in communication with a user client device, the server including a processor, memory, and one or more applications stored in memory at the server and executable to establish a connection between a user client device and the server, the user client device having a plurality of applications, wherein the server;
  
  receives data from the user client device via the established connection, the received data including authentication information for authenticating a user of the user client device;
  
  classifies the user client device based on an identified device type of the user client device and an identified user type of the authenticated user, wherein the user client device classification is associated with an application control policy that allows application access to specified application data;
  
  receives application information derived from a requested application of the plurality of applications from the user client device in accordance with the application control policy associated with the user client device classification, the application information derived from the requested application includes a signature generated at the user client device, and the signature is generated from an application certificate corresponding to the requested application, andcompares the signature included in the application information to authorization information stored at the server, wherein the requested application is approved or denied based on the comparison.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The system of claim 25, wherein the signature includes a hash of at least the application certificate.
  - 27. The system of claim 26, wherein a failed request to access a corporate network is detected from a trusted user and client device pair.
  - 28. The system of claim 27, wherein the hash of the at least application certificate is added to the application information for the failed request, and subsequent requests having the added hash of the at least application certificate or including information that is listed in a list of failed requests corresponding to the application will be denied.
  - 29. The system of claim 26, wherein the hash is also created from the application information.
  - 30. The system of claim 29, wherein the hash changes based on changes to the application information.
  - 31. The system of claim 25, wherein the server:
    - compares the signature to a table of application signatures and corresponding application classifications; and
      
      process traffic for the application based on the application classification.
  - 32. The system of claim 31, wherein the server is further executable to block the application traffic when the application is classified as a bad application.
  - 33. The system of claim 25, wherein the server is further executable to allow the application traffic when the application is classified as a good application.
  - 34. The system of claim 25, wherein the server is further executable to:
    - collect application level information; and
      
      compare the application level information to an application policy to identify compliance of the application.
  - 35. The system of claim 25, wherein the server is further executable to identify that the application information does not satisfy a policy rule and to process traffic for the requested application based on the application information corresponding to a trusted application.
  - 36. The system of claim 25, wherein the server is further executable to add a code signature for a trusted application to a list of code signatures that are acceptable for the trusted application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SonicWALL US Holdings, Inc. (SonicWall Holdings Ltd.)
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Medappa, Chemira, Peterson, Christopher D., Telehowski, David
Primary Examiner(s)
Goodchild, William J.

Application Number

US14/319,145
Publication Number

US 20150281282A1
Time in Patent Office

1,870 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Application signature authorization

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Application signature authorization

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links