Methods for internet communication security
First Claim
1. A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device of the plurality of networked computing devices to perform communication management operations, the communication management operations comprising:
- i) forming a configured communication pathway by configuring a pre-established communication pathway to exclusively communicate application data between a first user-application on the first computing device and a second user-application on a second computing device of the plurality of networked computing devices, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising:
a) sending a first configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet;
b) receiving a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet;
c) confirming, in a kernel space of the first computing device, that the second computing device is authorized to communicate with the first user-application, comprising:
matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device;
d) further sending a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is exclusive to the first user-application and the second user-application;
e) further receiving a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and
f) further confirming, in the kernel space of the first computing device, that the second user-application is authorized to receive outgoing application data from the first user-application via the configured communication pathway, comprising:
further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is exclusive to the second user-application and the first user-application;
ii) preventing any transport layer ports used by the configured communication pathway from being used by any other communication pathway;
iii) verifying that incoming application data received via the configured communication pathway conforms to a plurality of content requirements, the plurality of content requirements comprising:
a) a data type;
b) a data range; and
c) a command type authorized to be present in the incoming application data; and
iv) passing the verified incoming application data to the first user-application;
wherein the nonpublic first user-application identifier is unique to the first user-application, the first user, and the plurality of content requirements;
wherein the preconfigured nonpublic second user-application code is unique to the second user-application, the second user, and the plurality of content requirements; and
wherein files containing values for the nonpublic first device identifier, the preconfigured nonpublic second device code, the nonpublic first user-application identifier, and the preconfigured nonpublic second user-application code are sent to the first computing device and to the second computing device from a provisioning server prior to performing the communication management operations.
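The following is an added illustration, not code from the patent or its assignee: an in-process simulation of the claim's four-packet configuration exchange (device identifiers, then user-application identifiers, each matched by the receiving side against a provisioned code) followed by the content checks on incoming application data. All identifier values, the provisioned codes and the content requirements are constructed; a real implementation would carry the identifiers in application-layer packets and do the matching in kernel space as the claim states.

```python
"""Simulation of the claim-1 pathway configuration and content verification.
Identifier values and 'provisioned' codes below are constructed examples."""
import hmac
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    device_id: str            # nonpublic device identifier this node sends
    app_id: str               # nonpublic user-application identifier it sends
    peer_device_code: str     # preconfigured code expected from the peer device
    peer_app_code: str        # preconfigured code expected from the peer app
    # content requirements for incoming data: type, inclusive range, commands
    data_type: type = int
    data_range: tuple = (0, 100)
    allowed_commands: frozenset = frozenset({"SET", "GET"})

    def matches(self, received: str, expected: str) -> bool:
        # Constant-time comparison so a mismatch leaks nothing about the code;
        # the claim places this check in the receiving node's kernel space.
        return hmac.compare_digest(received.encode(), expected.encode())


def configure_pathway(a: Node, b: Node) -> bool:
    """Packets 1/2 carry device identifiers, packets 3/4 carry application
    identifiers. Each side confirms the peer at each stage; any mismatch
    aborts before the pathway is used for application data."""
    if not a.matches(b.device_id, a.peer_device_code):   # a receives packet 2
        return False
    if not b.matches(a.device_id, b.peer_device_code):   # b receives packet 1
        return False
    if not a.matches(b.app_id, a.peer_app_code):         # a receives packet 4
        return False
    if not b.matches(a.app_id, b.peer_app_code):         # b receives packet 3
        return False
    return True


def verify_incoming(node: Node, command: str, value) -> bool:
    """Claim step iii: incoming data must match the configured data type,
    fall within the data range, and carry an authorized command type."""
    if command not in node.allowed_commands:
        return False
    if type(value) is not node.data_type:   # exact type; rejects bool for int
        return False
    lo, hi = node.data_range
    return lo <= value <= hi
```

Only data that passes `verify_incoming` would be handed to the user-application (claim step iv); everything else is dropped at the node boundary.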
Abstract
The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.
165 Citations
29 Claims
Specification