Secure labeling of network flows

US 10,721,210 B2
Filed: 05/08/2019
Issued: 07/21/2020
Est. Priority Date: 04/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for managing network flows at an endpoint in a network, computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs operations comprising:

providing a first key to the endpoint;

receiving a data structure from a source on the endpoint, the data structure including a payload and a header;

generating, at the endpoint, a label for the data structure, the label including information about the source of the data structure on the endpoint;

using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure;

transmitting the data structure from the endpoint to a remote location through a network device for the network;

at the network device, verifying an authenticity of the cryptographic signature using a corresponding second key; and

based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Citations

20 Claims

1. A computer program product for managing network flows at an endpoint in a network, computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs operations comprising:
- providing a first key to the endpoint;
  
  receiving a data structure from a source on the endpoint, the data structure including a payload and a header;
  
  generating, at the endpoint, a label for the data structure, the label including information about the source of the data structure on the endpoint;
  
  using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure;
  
  transmitting the data structure from the endpoint to a remote location through a network device for the network;
  
  at the network device, verifying an authenticity of the cryptographic signature using a corresponding second key; and
  
  based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1, wherein the label includes an identifier for the endpoint.
  - 3. The computer program product of claim 1, wherein the label includes an identifier of a user of the source of the data structure on the endpoint.
  - 4. The computer program product of claim 1, further comprising code that performs an operation of encrypting information within the label.
  - 5. The computer program product of claim 1, wherein the label includes a health status of the endpoint.
  - 6. The computer program product of claim 1, further comprising code that performs an operation of determining a reputation of the source identified in the label, wherein applying the routing rule at the network device is further based on the reputation of the source identified in the label.

7. A method for managing network flows at an endpoint in a network, the method comprising:
- providing a first key to the endpoint;
  
  receiving a data structure from a source on the endpoint, the data structure including at least a header;
  
  generating, at the endpoint, a label for the data structure, the label including information about the source of the data structure on the endpoint;
  
  using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure;
  
  transmitting the data structure from the endpoint to a remote location through a network device for the network;
  
  at the network device, verifying an authenticity of the cryptographic signature using a corresponding second key; and
  
  based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the network.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the label includes an identifier for the endpoint.
  - 9. The method of claim 7, wherein the label includes an identifier of a user of the source of the data structure on the endpoint.
  - 10. The method of claim 7, wherein the label includes a health status of the endpoint.
  - 11. The method of claim 7, further comprising determining a reputation of the source identified in the label, wherein applying the routing rule at the network device is further based on the reputation of the source identified in the label.

12. A system comprising:
- an endpoint including a first memory, a first processor, and a network interface configured to couple the endpoint in a communicating relationship with a data network, the first processor configured to execute instructions stored in the first memory to perform operations of receiving a first key to the endpoint, receiving a data structure from a source on the endpoint, the data structure including at least a header, generating a label for the data structure, the label including information about the source of the data structure on the endpoint, using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure, and transmitting the data structure from the endpoint to a remote location through a network device for the data network; and
  
  the network device of the data network, the network device including a second memory and a second processor, the second processor configured to execute instructions stored in the second memory to perform operations of verifying an authenticity of the cryptographic signature using a corresponding second key, and, based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the data network.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the network device includes at least one of a gateway, a router, or a threat management facility.
  - 14. The system of claim 12, wherein the second processor is further configured to execute instructions stored in the second memory to perform an operation of determining a reputation of the source identified in the label, wherein applying the routing rule at the network device is further based on the reputation of the source identified in the label.
  - 15. The system of claim 12, wherein the label includes one or more of an identifier for the endpoint, a user of the source on the endpoint, or a health status of the endpoint.

16. A method for managing network flows at a network device, the method comprising:
- providing a first key to an endpoint;
  
  receiving, at the network device, a data structure from a source on the endpoint, the data structure including a label including information about the source of the data structure on the endpoint, and the label having a cryptographic signature added using the first key provided to the endpoint;
  
  processing the data structure on the network device to extract the label having the cryptographic signature;
  
  verifying an authenticity of the cryptographic signature using a corresponding second key; and
  
  based on information about the source of the data structure and the authenticity of the cryptographic signature of the label, applying a routing rule at the network device to conditionally route the data structure to a remote location accessible from the endpoint through the network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein applying the routing rule at the network device is further based on a reputation of the source identified in the label.
  - 18. The method of claim 16, further comprising receiving an indication that the source is compromised and preventing routing of additional network traffic for the source through the network device.
  - 19. The method of claim 16, further comprising detecting an absence of an expected heartbeat from the endpoint for the source and preventing routing of additional network traffic for the source through the network device until the expected heartbeat is received.
  - 20. The method of claim 16, wherein the network device includes at least one of a gateway, a firewall, a router, and a threat management facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Schiappa, Daniel Salvatore, Thomas, Andrew J., Ray, Kenneth D., Levy, Joseph H.
Primary Examiner(s)
Parsons, Theodore C

Application Number

US16/406,318
Publication Number

US 20190268303A1
Time in Patent Office

440 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Secure labeling of network flows

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure labeling of network flows

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links