Filtering network data transfers

US 10,505,898 B2
Filed: 06/21/2019
Issued: 12/10/2019
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A packet security gateway comprising:

at least one processor; and

memory comprising instructions that, when executed by the at least one processor, cause the packet security gateway to;

(a) identify a header of at least one application packet within one or more outbound IP packets filtered by the at least one processor;

(b) identify a field indicating an HTTP method value within the identified header of the at least one application packet, wherein the at least one application packet is associated with an HTTP method;

(c) determine if the identified field indicates a network exfiltration method that when executed would cause data stored within a protected network to be sent outside of the protected network; and

(d) change a forwarding of the one or more outbound IP packets when the identified field indicates the network exfiltration method that when executed would cause data stored within the protected network to be sent outside of the protected network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

263 Citations

21 Claims

1. A packet security gateway comprising:
- at least one processor; and
  
  memory comprising instructions that, when executed by the at least one processor, cause the packet security gateway to;
  
  (a) identify a header of at least one application packet within one or more outbound IP packets filtered by the at least one processor;
  
  (b) identify a field indicating an HTTP method value within the identified header of the at least one application packet, wherein the at least one application packet is associated with an HTTP method;
  
  (c) determine if the identified field indicates a network exfiltration method that when executed would cause data stored within a protected network to be sent outside of the protected network; and
  
  (d) change a forwarding of the one or more outbound IP packets when the identified field indicates the network exfiltration method that when executed would cause data stored within the protected network to be sent outside of the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The packet security gateway of claim 1, wherein the network exfiltration method comprises a PUT method.
  - 3. The packet security gateway of claim 1, wherein the network exfiltration method comprises a POST method.
  - 4. The packet security gateway of claim 1, wherein the network exfiltration method comprises a GET method.
  - 5. The packet security gateway of claim 1, wherein the network exfiltration method comprises a CONNECT method.
  - 6. The packet security gateway of claim 1, wherein the at least one processor is configured to change the forwarding by sending the one or more outbound IP packets to an infinite sink within the protected network.
  - 7. The packet security gateway of claim 6, wherein the infinite sink within the protected network comprises a /dev/null device file.

8. A method of detecting a potential network exfiltration comprising:
- filtering one or more outbound IP packets departing from within a protected network that have a destination outside of the protected network;
  
  identifying at least one application packet contained in the one or more outbound IP packets;
  
  determining that the identified at least one application packet is associated with an HTTP or HTTPS protocol;
  
  identifying an HTTP method field within a header region of the identified at least one application packet;
  
  determining whether a value of the identified HTTP method field indicates one or more network exfiltration methods; and
  
  performing an operation on the one or more outbound IP packets when the HTTP method field indicates at least one of the network exfiltration methods.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the determining whether a value of the HTTP method field indicates one or more network exfiltration methods comprises determining whether a value of the HTTP method field indicates a POST method.
  - 10. The method of claim 8, wherein the determining whether a value of the HTTP method field indicates one or more network exfiltration methods comprises determining whether a value of the HTTP method field indicates a PUT method.
  - 11. The method of claim 8, wherein the determining whether a value of the HTTP method field indicates one or more network exfiltration methods comprises determining whether a value of the HTTP method field indicates a GET method.
  - 12. The method of claim 8, wherein the determining whether a value of the HTTP method field indicates one or more network exfiltration methods comprises determining whether a value of the HTTP method field indicates a CONNECT method.
  - 13. The method of claim 8, wherein the performing the operation on the one or more outbound IP packets comprises performing a drop operation on the one or more outbound IP packets.
  - 14. The method of claim 8, wherein the filtering the one or more outbound IP packets comprises capturing the one or more outbound IP packets.

15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a packet security gateway, cause the packet security gateway to:
- filter one or more outbound IP packets departing from within a protected network that have a destination outside of the protected network;
  
  identify at least one application packet contained in the one or more outbound IP packets;
  
  determine that the identified at least one application packet is associated with an HTTP or HTTPS protocol;
  
  identify an HTTP method field within a header region of the identified at least one application packet;
  
  determine whether a value of the identified HTTP method field indicates one or more network exfiltration methods; and
  
  perform an operation on the one or more outbound IP packets when the HTTP method field indicates at least one of the network exfiltration methods.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to determine whether a value of the HTTP method field indicates one or more network exfiltration methods by causing the packet security gateway to determine whether a value of the HTTP method field indicates a POST method.
  - 17. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to determine whether a value of the HTTP method field indicates one or more network exfiltration methods by causing the packet security gateway to determine whether a value of the HTTP method field indicates a PUT method.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to determine whether a value of the HTTP method field indicates one or more network exfiltration methods by causing the packet security gateway to determine whether a value of the HTTP method field indicates a GET method.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to determine whether a value of the HTTP method field indicates one or more network exfiltration methods by causing the packet security gateway to determine whether a value of the HTTP method field indicates a CONNECT method.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to perform the operation on the one or more IP packets by causing the packet security gateway to perform a drop operation on the one or more IP packets.
  - 21. The one or more non-transitory computer-readable media of claim 15, wherein the instructions cause the packet security gateway to filter the one or more outbound IP packets by causing the packet security gateway to capture the one or more outbound IP packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean
Primary Examiner(s)
Nguyen, Anh Ngoc M

Application Number

US16/448,997
Publication Number

US 20190312845A1
Time in Patent Office

172 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Filtering network data transfers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

263 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Filtering network data transfers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

263 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others