Systems and methods for secure communication in cloud computing environments

US 10,491,613 B1
Filed: 01/22/2019
Issued: 11/26/2019
Est. Priority Date: 01/22/2019
Status: Active Grant

First Claim

Patent Images

1. A system for network intrusion detection comprising:

one or more memory devices storing instructions;

a first private network, and a second network wherein the first and the second networks comprise respective subsets of plurality of communication devices arranged in a cloud environment of a single vendor; and

one or more processors, the processors not part of the first or second networks, configured to execute the instructions to perform operations comprising;

receiving a request from the first network of plurality of communication devices to communicate with the second network of a plurality of communication devices, the request comprising;

a set of destination network addresses associated with the plurality of communication devices in the second network; and

data to be transmitted to the set of destination addresses in the second network;

unmarshaling the received data to be transmitted;

routing the unmarshaled data to a detection device;

analyzing the data, using the detection device, to determine signs of network intrusion; and

when the analysis does not indicate a network intrusion;

determining a set of routes to the respective destination network addresses;

marshaling the received data; and

forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and

when the analysis indicates a network intrusion;

identifying a set of compromised unmarshaled data associated with the intrusion; and

discarding the compromised data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments provide systems, methods, and computer-readable storage media for secure data communication between two devices. A disclosed system responds to a request from an originating communication device in a first network to connect with a communication device in a second network, for communication, by receiving a request from the communication device in the first network, the request including payload data and a destination network address in the second network. The system then transmits the received payload data to the destination address in the second network after analyzing the payload data for network intrusion. When the analysis does not indicate network intrusion, the system determines a route to the destination network address by looking up the destination address in a routing table and forwarding the payload data to the destination network address in the second network. If the analysis indicates network intrusion, the system discards the payload data.

Citations

17 Claims

1. A system for network intrusion detection comprising:
- one or more memory devices storing instructions;
  
  a first private network, and a second network wherein the first and the second networks comprise respective subsets of plurality of communication devices arranged in a cloud environment of a single vendor; and
  
  one or more processors, the processors not part of the first or second networks, configured to execute the instructions to perform operations comprising;
  
  receiving a request from the first network of plurality of communication devices to communicate with the second network of a plurality of communication devices, the request comprising;
  
  a set of destination network addresses associated with the plurality of communication devices in the second network; and
  
  data to be transmitted to the set of destination addresses in the second network;
  
  unmarshaling the received data to be transmitted;
  
  routing the unmarshaled data to a detection device;
  
  analyzing the data, using the detection device, to determine signs of network intrusion; and
  
  when the analysis does not indicate a network intrusion;
  
  determining a set of routes to the respective destination network addresses;
  
  marshaling the received data; and
  
  forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
  
  when the analysis indicates a network intrusion;
  
  identifying a set of compromised unmarshaled data associated with the intrusion; and
  
  discarding the compromised data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the analyzing includes detecting differing patterns of communication to determine a risk of network intrusion.
  - 3. The system of claim 2, wherein the first network and second network are partitioned into separate networks using separate IP address ranges.
  - 4. The system of claim 1, wherein each of the networks are in different regions.
  - 5. The system of claim 4, wherein the networks in different regions are in different geographical locations.
  - 6. The system of claim 1, wherein the first network is not directly connected to the second network.
  - 7. The system of claim 1, wherein the first network can only indirectly reach the respective destination addresses in the second network.
  - 8. The system of claim 2, wherein detecting differing patterns of communication to determine a risk of network intrusion further includes utilizing signature-based or anomaly-based criteria.
  - 9. The system of claim 1, wherein, when the analysis indicates a network intrusion, the one or more processors not part of the first or second networks are further configured to perform the operations comprising:
    - marshaling the received data without the discarded compromised data; and
      
      forwarding the marshaled data to the destination network addresses in the second network.
  - 10. The system of claim 1, wherein detection device further comprises a firewall or a detection monitor.

11. A method, performed by one or more processors, for detecting network intrusion, the method comprising:
- receiving a request from a first private network, of a plurality of communication devices, to communicate with a second network of a plurality of communication devices, wherein the first and the second networks comprise respective subsets of plurality of communication devices arranged in a cloud environment of a single vendor, and the processors are not part of the first and second networks of a plurality of communication devices, the request comprising;
  
  a set of destination network addresses associated with the plurality of communication devices in the second network; and
  
  data to be transmitted to the set of destination addresses in the second network;
  
  unmarshaling the received data to be transmitted;
  
  routing the unmarshaled data to a detection device;
  
  analyzing the data, using the detection device, to determine signs of network intrusion; and
  
  when the analysis does not indicate a network intrusion;
  
  determining a set of routes to the respective destination network addresses;
  
  marshaling the received data; and
  
  forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
  
  when the analysis indicates a network intrusion;
  
  identifying a set of compromised unmarshaled data associated with the intrusion; and
  
  discarding the compromised data.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein analyzing the data comprises using a software.
  - 13. The method of claim 12, wherein the software used to detect intrusion detects differing patterns of communication.
  - 14. The method of claim 11, wherein the first network is not directly connected to the second network.
  - 15. The method of claim 13, wherein detecting differing patterns of communication to determine a risk of network intrusion further includes utilizing signature-based or anomaly-based criteria.
  - 16. The method of claim 11, wherein, when the analysis indicates a network intrusion, the method further comprises:
    - marshaling the received data without the discarded compromised data; and
      
      forwarding the marshaled data to the destination network addresses in the second network.

17. A non-transitory computer-readable storage medium storing instructions that are executable by a network intrusion detection system that includes one or more processors to perform operations for network intrusion detection, the operations comprising:
- receiving a request from a first private network of a plurality of communication devices, to communicate with a second network of a plurality of communication devices, wherein the first and the second networks comprise respective subsets of plurality of communication devices arranged in a cloud environment of a single vendor, and the processors are not part of the first and second networks of a plurality of communication devices, the request comprising;
  
  a set of destination network addresses associated with the plurality of communication devices in the second network; and
  
  data to be transmitted to the set of destination addresses in the second network;
  
  unmarshaling the received data to be transmitted;
  
  analyzing the data to determine signs of network intrusion; and
  
  when the analysis does not indicate a network intrusion;
  
  determining a set of routes-to the respective destination network addresses;
  
  marshaling the received data; and
  
  forwarding the request, along with the marshaled data, to the destination network addresses in the second network; and
  
  when the analysis indicates a network intrusion;
  
  identifying a set of compromised unmarshaled data associated with the intrusion; and
  
  discarding the compromised data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Mayes, Paul Ellis
Primary Examiner(s)
Khan, Sher A

Application Number

US16/253,427
Time in Patent Office

308 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Systems and methods for secure communication in cloud computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure communication in cloud computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links