Method and system for network access control based on traffic monitoring and vulnerability detection using process related information

US 10,630,698 B2
Filed: 12/18/2015
Issued: 04/21/2020
Est. Priority Date: 12/18/2014
Status: Active Grant

First Claim

Patent Images

1. A system for network access control based on traffic monitoring and vulnerability detection using process related information, the system comprising:

computer executable code embodied in a non-transitory computer readable medium that, when executing one or more processors provide a plurality of process intercepting units, a pattern matching unit, and an intrusion prevention unit,a plurality of devices for receiving at least one connection request from a process running on a host, each of the plurality of devices comprising a process intercepting unit of the plurality of process intercepting units configured for extracting the process related information and forwarding information including one or more of process related information, connection information, and network packet information,the pattern matching unit configured for receiving the information from the process intercepting unit and forwarding the information; and

the intrusion prevention unit configured for receiving the information from the pattern matching unit, the intrusion prevention unit including a processing unit and a database, the database including a plurality of signatures defining a set of rules to detect attacks or intrusive activities on a network that can occur through the process, the plurality of signatures prepared based on information relating to the process, the intrusion prevention unit further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities, establish a verification report based on the known vulnerability, and send the verification report to the pattern matching unit,wherein the pattern matching unit is further configured to receive the verification report from the intrusion prevention unit, verify whether the verification report is applicable to the process associated with network packet by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database, and send an authorization decision to the process intercepting unit regarding allowing continuing or blocking of the connection request from the process running on the host.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments of method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may analyze the vulnerability as a process malfunctioning where preventive action focuses on process blocking as opposed to host blocking, which can lead to improved performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be matched against a plurality of signatures to identify and detect a known vulnerability in network activities. On the basis of a match, a verification report may be established. Techniques may further check whether a verification report is applicable to a process associated with a network packet and allow or block the process running on the host based in the report.

112 Citations

17 Claims

1. A system for network access control based on traffic monitoring and vulnerability detection using process related information, the system comprising:
- computer executable code embodied in a non-transitory computer readable medium that, when executing one or more processors provide a plurality of process intercepting units, a pattern matching unit, and an intrusion prevention unit,a plurality of devices for receiving at least one connection request from a process running on a host, each of the plurality of devices comprising a process intercepting unit of the plurality of process intercepting units configured for extracting the process related information and forwarding information including one or more of process related information, connection information, and network packet information,the pattern matching unit configured for receiving the information from the process intercepting unit and forwarding the information; and
  
  the intrusion prevention unit configured for receiving the information from the pattern matching unit, the intrusion prevention unit including a processing unit and a database, the database including a plurality of signatures defining a set of rules to detect attacks or intrusive activities on a network that can occur through the process, the plurality of signatures prepared based on information relating to the process, the intrusion prevention unit further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities, establish a verification report based on the known vulnerability, and send the verification report to the pattern matching unit,wherein the pattern matching unit is further configured to receive the verification report from the intrusion prevention unit, verify whether the verification report is applicable to the process associated with network packet by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database, and send an authorization decision to the process intercepting unit regarding allowing continuing or blocking of the connection request from the process running on the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the process related information includes a process name and a process version.
  - 3. The system of claim 1 wherein each of the plurality of signatures includes a unique signature identification code.
  - 4. The system of claim 1 wherein the first signature identification code in the verification report includes a unique signature identification code.
  - 5. The system of claim 4 wherein the application process information database stores a unique signature identification code, a signature name, an applicable process name, and an applicable process version for each of a plurality of application processes.
  - 6. The system of claim 1 wherein the process intercepting unit of one of the plurality of devices is further configured for disallowing only the process and not the host for communication if the authorization decision indicates a matching of the first signature identification code mentioned in the verification report with the second signature identification code stored in an application process information database.
  - 7. The system of claim 1 wherein the pattern matching unit is deployed in an inline mode.
  - 8. The system of claim 1 wherein the pattern matching unit is deployed in an out of band mode.

9. A method for network access control based on traffic monitoring and vulnerability detection using process related information, the method comprising:
- receiving, by a device, at least one connection request from a process running on a host;
  
  extracting, by a process intercepting unit of the device, process related information;
  
  forwarding, by the process intercepting unit to a pattern matching unit, information including one or more of process related information, connection information, and network packet information;
  
  receiving, by the pattern matching unit, the information from the process intercepting unit and forwarding the information to an intrusion prevention unit;
  
  receiving, by the intrusion prevention unit, the information from the pattern matching unit;
  
  verifying, by the intrusion prevention unit, the information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in network activity;
  
  establishing, by the intrusion prevention unit, a verification report based on verification of the information against the plurality of signatures;
  
  sending, by the intrusion prevention unit, the verification report to the pattern matching unit;
  
  receiving, by the pattern matching unit, the verification report from the intrusion prevention unit;
  
  verifying, by the pattern matching unit, whether the verification report is applicable to the process associated with a network packet by matching a first signature identification code in the verification report with a second signature identification code stored in an application process information database; and
  
  sending, by the pattern matching unit, an authorization decision to the process intercepting unit regarding continuing or blocking of the connection request from the process running on the host.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9 wherein the process related information includes a process name and a process version.
  - 11. The method of claim 9 wherein the one of the plurality of signatures defines a set of rules to detect attacks or intrusive activities on a network that can occur through the process, and wherein the one of the plurality of signatures is prepared based on information relating to the process.
  - 12. The method of claim 11 wherein each of the plurality of signatures includes a unique signature identification code.
  - 13. The method of claim 12 wherein the first signature identification code in the verification report includes a unique signature identification code.
  - 14. The method of claim 12 wherein the application process information database contains a unique signature identification code, a signature name, an applicable process name, and an applicable process version for each of a plurality of application processes.
  - 15. The method of claim 14 further comprising disallowance, by the process intercepting unit, of the process and not the host for communication, if an authorization decision indicates matching of the first signature identification code mentioned in the verification report with the second signature identification code stored in the application process information database.
  - 16. The method of claim 9 wherein the pattern matching unit is deployed in an inline mode.
  - 17. The method of claim 9 wherein the pattern matching unit is deployed in an out of band mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Mahadevia, Jimit Hareshkumar, Dave, Shalvi D., Trivedi, Bhushan H.
Primary Examiner(s)
Steinle, Andrew J

Application Number

US15/527,783
Publication Number

US 20170339172A1
Time in Patent Office

1,586 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method and system for network access control based on traffic monitoring and vulnerability detection using process related information

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for network access control based on traffic monitoring and vulnerability detection using process related information

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links