Filtering outbound network traffic

US 10,523,635 B2
Filed: 06/17/2016
Issued: 12/31/2019
Est. Priority Date: 06/17/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

responsive to a client authenticating to a computer system of an internal network, the client being outside the internal network and the authenticating providing the client access to the computer system of the internal network, and further responsive to activity, by the client on the computer system after authenticating to the computer system, causing generation of new outbound network traffic that originates on the computer system and is to be sent by the computer system to another component of the internal network, obtaining, in association with the generating, user account information of a user account on behalf of which the computer system generated the outbound network traffic, the user account being an account that the client uses to properly authenticate to the computer system, wherein the outbound network traffic comprises network packets generated by the computer system, wherein each network packet of the generated network packets has individual metadata associated therewith by the computer system as part of the generating, and the individual metadata comprises the user account information of that user account on behalf of which the network packet was generated, wherein the activity causing the generation of the outbound network traffic comprises interaction by the client with a user space application installed on the computer system, the user space application generating the outbound network traffic, and wherein the obtaining the user account information comprises calling one or more system application programming interfaces to identify the user account information and associate it with a network packet of the network packets;

installing a hook into a networking stack of the computer system via a system-level application programming interface; and

performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, wherein the filtering is further based on one or more rules, and the filtering comprises blocking or allowing sending of the outbound network traffic from the computer system to the another component of the internal network, the blocking or allowing sending of the outbound network traffic comprising, for each network packet of the generated network packets, blocking or allowing sending of the network packet from the computer system to the another component based at least in part on the user account information of the metadata associated with the network packet, wherein a determination whether to block or allow sending of the network packet is made by comparing the identified user account information to the one or more rules, wherein the filtering is implemented by a driver added to a kernel of an operating system of the computer system, wherein the driver is built on top of the system-level application programming interface of the computer system, and wherein the driver comprises a hook procedure for handling the hook installed into the networking stack of the computer system via the system level application programming interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Obtaining, in association with origination of outbound network traffic to be sent by a system, user account information of a user account on behalf of which the outbound network traffic is generated, and performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, where the filtering is further based on one or more rules, and the filtering includes determining whether to block or allow sending of the outbound network traffic from the system.

Citations

18 Claims

1. A method comprising:
- responsive to a client authenticating to a computer system of an internal network, the client being outside the internal network and the authenticating providing the client access to the computer system of the internal network, and further responsive to activity, by the client on the computer system after authenticating to the computer system, causing generation of new outbound network traffic that originates on the computer system and is to be sent by the computer system to another component of the internal network, obtaining, in association with the generating, user account information of a user account on behalf of which the computer system generated the outbound network traffic, the user account being an account that the client uses to properly authenticate to the computer system, wherein the outbound network traffic comprises network packets generated by the computer system, wherein each network packet of the generated network packets has individual metadata associated therewith by the computer system as part of the generating, and the individual metadata comprises the user account information of that user account on behalf of which the network packet was generated, wherein the activity causing the generation of the outbound network traffic comprises interaction by the client with a user space application installed on the computer system, the user space application generating the outbound network traffic, and wherein the obtaining the user account information comprises calling one or more system application programming interfaces to identify the user account information and associate it with a network packet of the network packets;
  
  installing a hook into a networking stack of the computer system via a system-level application programming interface; and
  
  performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, wherein the filtering is further based on one or more rules, and the filtering comprises blocking or allowing sending of the outbound network traffic from the computer system to the another component of the internal network, the blocking or allowing sending of the outbound network traffic comprising, for each network packet of the generated network packets, blocking or allowing sending of the network packet from the computer system to the another component based at least in part on the user account information of the metadata associated with the network packet, wherein a determination whether to block or allow sending of the network packet is made by comparing the identified user account information to the one or more rules, wherein the filtering is implemented by a driver added to a kernel of an operating system of the computer system, wherein the driver is built on top of the system-level application programming interface of the computer system, and wherein the driver comprises a hook procedure for handling the hook installed into the networking stack of the computer system via the system level application programming interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the obtained user account information indicates the user account, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user account and indicating whether sending of network traffic generated on behalf of the user account is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user account by the metadata associated with each respective network packet.
  - 3. The method of claim 1, wherein the user is included in a user group for authenticating to an operating system of the computer system, wherein the obtained user account information indicates the user group, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user group and indicating whether sending of network traffic generated on behalf of users included in the user group is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user group by the metadata associated with each respective network packet.
  - 4. The method of claim 1, wherein the user authenticates to the computer system by logging onto an operating system (OS) environment authentication domain, wherein the obtained user account information indicates the authentication domain, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the authentication domain and indicating whether sending of network traffic generated on behalf of users authenticating to the computer system by logging onto the authentication domain is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the authentication domain by the metadata associated with each respective network packet.
  - 5. The method of claim 1, wherein a client system external to the internal network authenticates to the computer system using the user account, wherein the outbound network traffic comprises an attempted access of the another system, and wherein the filtering prevents the attempted access the another system.
  - 6. The method of claim 1, wherein the application programming interface that-abstracts an operating system-provided transport layer to facilitate communicating configuration requests between userspace and the driver in kernel space to configure the filtering.
  - 7. The method of claim 1, wherein the filtering comprises inspecting the network packets to identify one or more network traffic types, wherein the filtering of the outbound network traffic based on the obtained user account information applies to the one or more network traffic types, wherein network packets of a network traffic type other than the one or more networking traffic types are not subject to the filtering.
  - 8. The method of claim 7, wherein the one or more network traffic types comprises Transmission Control Protocol (TCP) packets or User Datagram Protocol (UDP) packets.
  - 9. The method of claim 1, wherein a firewall of an operating system of the computer system indicates to a callout component the metadata associated with a network packet of the network packets.
  - 10. The method of claim 1, wherein the network packets comprise TCP/IP packets, and wherein the user account is an operating system-level user account with which the client properly authenticates to an operating system of the computer system using credentials of the operating system-level user account.

11. A computer program product comprising:
- a non-transitory computer-readable storage medium comprising program instructions for execution to perform a method comprising;
  
  responsive to a client authenticating to a computer system of an internal network, the client being outside the internal network and the authenticating providing the client access to the computer system of the internal network, and further responsive to activity, by the client on the computer system after authenticating to the computer system, causing generation of new outbound network traffic that originates on the computer system and is to be sent by the computer system to another component of the internal network, obtaining, in association with the generating, user account information of a user account on behalf of which the computer system generated the outbound network traffic, the user account being an account that the client uses to properly authenticate to the computer system, wherein the outbound network traffic comprises network packets generated by the computer system, wherein each network packet of the generated network packets has individual metadata associated therewith by the computer system as part of the generating and the individual metadata comprises the user account information of that user account on behalf of which the network packet was generated, wherein the activity causing the generation of the outbound network traffic comprises interaction by the client with a user space application installed on the computer system, the user space application generating the outbound network traffic, and wherein the obtaining the user account information comprises calling one or more system application programming interfaces to identify the user account information and associate it with a network packet of the network packets; and
  
  installing a hook into a networking stack of the computer system via a system-level application programming interface; and
  
  performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, wherein the filtering is further based on one or more rules, and the filtering comprises blocking or allowing sending of the outbound network traffic from the computer system to the another component of the internal network, the blocking or allowing sending of the outbound network traffic comprising, for each network packet of the generated network packets, blocking or allowing sending of the network packet from the computer system to the another component based at least in part on the user account information of the metadata associated with the network packet, wherein a determination whether to block or allow sending of the network packet is made by comparing the identified user account information to the one or more rules, wherein the filtering is implemented by a driver added to a kernel of an operating system of the computer system, wherein the driver is built on top of the system-level application programming interface of the computer system, and wherein the driver comprises a hook procedure for handling the hook installed into the networking stack of the computer system via the system level application programming interface.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product of claim 11, wherein the obtained user account information indicates the user account, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user account and indicating whether sending of network traffic generated on behalf of the user account is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user account by the metadata associated with each respective network packet.
  - 13. The computer program product of claim 11, wherein the user is included in a user group for authenticating to an operating system of the computer system, wherein the obtained user account information indicates the user group, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user group and indicating whether sending of network traffic generated on behalf of users included in the user group is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user group by the metadata associated with each respective network packet.
  - 14. The computer program product of claim 11, wherein the user authenticates to the computer system by logging onto an operating system (OS) environment authentication domain, wherein the obtained user account information indicates the authentication domain, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the authentication domain and indicating whether sending of network traffic generated on behalf of users authenticating to the computer system by logging onto the authentication domain is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the authentication domain by the metadata associated with each respective network packet.

15. A computer system comprising:
- a memory; and
  
  a processing circuit in communication with the memory, wherein the computer system is configured to perform a method comprising;
  
  responsive to a client authenticating to a computer system of an internal network, the client being outside the internal network and the authenticating providing the client access to the computer system of the internal network, and further responsive to activity, by the client on the computer system after authenticating to the computer system, causing generation of new outbound network traffic that originates on the computer system and is to be sent by the computer system to another component of the internal network, obtaining, in association with the generating, user account information of a user account on behalf of which the computer system generated the outbound network traffic, the user account being an account that the client uses to properly authenticate to the computer system, wherein the outbound network traffic comprises network packets generated by the computer system, wherein each network packet of the generated network packets has individual metadata associated therewith by the computer system as part of the generating and the individual metadata comprises the user account information of that user account on behalf of which the network packet was generated, wherein the activity causing the generation of the outbound network traffic comprises interaction by the client with a user space application installed on the computer system, the user space application generating the outbound network traffic, and wherein the obtaining the user account information comprises calling one or more system application programming interfaces to identify the user account information and associate it with a network packet of the network packets;
  
  installing a hook into a networking stack of the computer system via a system-level application programming interface; and
  
  performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, wherein the filtering is further based on one or more rules, and the filtering comprises blocking or allowing sending of the outbound network traffic from the computer system to the another component of the internal network, the blocking or allowing sending of the outbound network traffic comprising, for each network packet of the generated network packets, blocking or allowing sending of the network packet from the computer system to the another component based at least in part on the user account information of the metadata associated with the network packet, wherein a determination whether to block or allow sending of the network packet is made by comparing the identified user account information to the one or more rules, wherein the filtering is implemented by a driver added to a kernel of an operating system of the computer system, wherein the driver is built on top of the system-level application programming interface of the computer system, and wherein the driver comprises a hook procedure for handling the hook installed into the networking stack of the computer system via the system level application programming interface.
- View Dependent Claims (16, 17, 18)
- - 16. The computer system of claim 15, wherein the obtained user account information indicates the user account, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user account and indicating whether sending of network traffic generated on behalf of the user account is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user account by the metadata associated with each respective network packet.
  - 17. The computer system of claim 15, wherein the user is included in a user group for authenticating to an operating system of the computer system, wherein the obtained user account information indicates the user group, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the user group and indicating whether sending of network traffic generated on behalf of users included in the user group is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the user group by the metadata associated with each respective network packet.
  - 18. The computer system of claim 15, wherein the user authenticates to the system by logging onto an operating system (OS) environment authentication domain, wherein the obtained user account information indicates the authentication domain, and wherein the filtering comprises:
    - checking a rule of the one or more rules, the rule specifying the authentication domain and indicating whether sending of network traffic generated on behalf of users authenticating to the computer system by logging onto the authentication domain is to be blocked or is to be allowed for a particular scope applicable to the outbound network traffic; and
      
      determining, based on the checking, whether to block or allow sending of the outbound network traffic, the determining whether to block or allow sending of the outbound network traffic being on a packet-by-packet basis, based on the indication of the authentication domain by the metadata associated with each respective network packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assured Information Security, Inc.
Original Assignee
Assured Information Security, Inc.
Inventors
Wright, Jared, Torrey, Jacob
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Malinowski, Walter J

Application Number

US15/185,229
Publication Number

US 20170366505A1
Time in Patent Office

1,292 Days
Field of Search

726 13, 726 1
US Class Current
CPC Class Codes

H04L 47/196   Integration of transport la...

H04L 47/20   Traffic policing

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 67/306   User profiles

Filtering outbound network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering outbound network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links