System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network

US 20040098619A1
Filed: 08/13/2003
Published: 05/20/2004
Est. Priority Date: 11/18/2002
Status: Active Grant

First Claim

Patent Images

1. (new) A method comprising:

transforming a user identifier and a source identifier for a header of a packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and program for preventing intrusion in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources and authorized user information is stored in a database at a network portal along with access policy rules that are device and user dependent. Identification of the source node is required before the source node can construct a transformed packet header that is included with a synchronization packet before transmission to a destination node. An appliance or firewall in the communications network receives and authenticates the synchronization packet before releasing the packet to its intended destination. The authentication process includes verification of the access policy associated with the source node. Once received at the destination node, the transformed packet header is reformed by extracting a key index value. The extracted key index is subsequently used to transform the packet header in the response transmitted to the source node.

118 Citations

View as Search Results

168 Claims

1. (new) A method comprising:
- transforming a user identifier and a source identifier for a header of a packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. (new) A method as claimed in claim 1 wherein the transformed user identifier is included in an initial sequence number field of the packet.
  - 3. (new) A method as claimed in claim 1 wherein the transformed source identifier comprises a non-zero value included in an acknowledgement field of the packet.
  - 4. (new) A method as claimed in claim 1 wherein the user identifier indicates a user associated with a source node that initiates communication over a network with a destination node by transmitting the packet from the source node to the destination node.
  - 5. (new) A method as claimed in claim 4 wherein the packet indicates a source node that initiates communication over a network with a destination node by transmitting the packet from the source node to the destination node.
  - 6. (new) A method as claimed in claim 1 wherein the packet indicates a source node that initiates communication over a network with a destination node by transmitting the packet from the source node to the destination node.
  - 7. (new) A method as claimed in claim 1 wherein the packet has a transfer control protocol/Internet protocol (TCP/IP) format.
  - 8. (new) A method as claimed in claim 1 wherein at least the user identifier is transformed using a general key.
  - 9. (new) A method as claimed in claim 8 wherein the user identifier is transformed using the general key that is retrieved from a key table using a randomly-generated general key index.
  - 10. (new) A method as claimed in claim 8 further comprising:
    - appending the general key index to the transformed user identifier.
  - 11. (new) A method as claimed in claim 1 wherein at least the source identifier is transformed using a session key.
  - 12. (new) A method as claimed in claim 1 wherein the transforming of the source identifier uses a session key retrieved using a randomly-generated session key index from a session key table stored in a source node at which the transforming is performed.
  - 13. (new) A method as claimed in claim 12 further comprising:
    - appending the session key index to the transformed source identifier.
  - 14. (new) A method as claimed in claim 12 wherein the transformed source identifier and appended session key index are further transformed using a byte shuffle.
  - 15. (new) A method as claimed in claim 12 wherein the transforming further comprises inserting the transformed source identifier into an acknowledgement field of a header of the packet.
  - 16. (new) A method as claimed in claim 1 further comprising:
    - transmitting a packet including the transformed user identifier and source identifier from the source node at which the transforming is performed, to a destination node.
  - 17. (new) A method as claimed in claim 16 the method further comprising:
    - receiving an acknowledgement packet from the destination node in response to the transmitted packet; and
      
      using the session key to reform initial sequence number data and acknowledgement data from the acknowledgement packet.
  - 18. (new) A method as claimed in claim 1 wherein the packet is a synchronization (SYN) packet used to initiate communication between source and destination nodes in transfer control protocol/Internet protocol (TCP/IP).

19. (new) A method comprising:
- retrieving a first key from a table using a first key index;
  
  transforming a user identifier using the first key to form a transformed user identifier;
  
  appending the first key index to the transformed user identifier; and
  
  inserting the transformed user identifier with appended first key index in a first field of a packet header.
- View Dependent Claims (20, 21, 22)
- - 20. (new) A method as claimed in claim 19 wherein the field is an initial sequence number field of the packet header.
  - 21. (new) A method as claimed in claim 19 further comprising:
    - retrieving a second key from a table using a second key index;
      
      transforming a source identifier using the second key to form a second transformed identifier;
      
      appending the second key index to the second transformed identifier; and
      
      inserting the transformed user identifier with appended second key index in a second field of the packet header.
  - 22. (new) A method as claimed in claim 21 wherein the field is an acknowledgement field of the packet header.

23. (new) A method comprising:
- retrieving a key from a table using a key index;
  
  transforming a source identifier using the key to form a transformed source identifier;
  
  appending the key index to the transformed source identifier; and
  
  inserting the transformed source identifier with appended key index in a field of the packet header.
- View Dependent Claims (24)
- - 24. (new) A method as claimed in claim 23 wherein the field is an acknowledgement field of the packet header.

25. (new) A method comprising:
- providing at least one node with software for transforming a user identifier and source identifier to form a transformed header in a packet.
- View Dependent Claims (26, 27, 28, 29)
- - 26. (new) A method as claimed in claim 25 wherein the packet is a synchronization (SYN) packet.
  - 27. (new) A method as claimed in claim 25 wherein the transforming is performed using different keys for the user identifier and source identifier.
  - 28. (new) A method as claimed in claim 25 further comprising:
    - distributing first and second key tables having first and second sets of keys to the node for use in transforming the user identifier and source identifier, respectively.
  - 29. (new) A method as claimed in claim 25 wherein the software is further for reforming a user identifier and source identifier of a request for a network resource hosted by the one node, that is received from at least one other node, to determine whether access to the network resource hosted by the one node is permissible.

30. (new) A method comprising:
- reforming a user identifier and a source identifier of a header of a packet.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 31. (new) A method as claimed in claim 30 wherein the reforming comprises:
    - retrieving a first key index from the header of the packet;
      
      retrieving a first key corresponding to the first key index;
      
      reforming the source identifier and a second key index from the header using the first key index;
      
      retrieving a second key using the second key index; and
      
      reforming the user identifier using the second key index.
  - 32. (new) A method as claimed in claim 30 wherein the user identifier and source identifier are used to retrieve policy data indicating whether a corresponding user and source are authorized to access a network resource identified by the packet header.
  - 33. (new) A method as claimed in claim 32 wherein the policy data is defined by at least one of the user indicated by the user identifier, the source indicated by the source identifier, a destination port indicated by the packet, and an application sought to be accessed by a request indicated by the packet.
  - 34. (new) A method as claimed in claim 32 wherein the network resource includes a destination node.
  - 35. (new) A method as claimed in claim 32 wherein the network resource includes an application.
  - 36. (new) A method as claimed in claim 32 wherein the network resource includes data.
  - 37. (new) A method as claimed in claim 30 further comprising:
    - determining whether the user and source identified by the user identifier and source identifier, respectively, are authorized to communicate with a destination node;
      
      permitting the packet to pass to the destination node if the communication requested by the packet is permitted; and
      
      prohibiting the packet from passing to the destination node if the communication requested by the packet is not permitted.
  - 38. (new) A method as claimed in claim 30 wherein the packet is a synchronization (SYN) packet.
  - 39. (new) A method as claimed in claim 30 further comprising:
    - switching the packet to a network node determined by the user identifier.
  - 40. (new) A method as claimed in claim 39 wherein the switching is further performed based on the source identifier.
  - 41. (new) A method as claimed in claim 30 further comprising:
    - switching the packet to a network node determined by the source identifier.
  - 42. (new) A method as claimed in claim 30 wherein the switching is performed by using a table to determine the destination node from the destination indicated by the packet.

43. (new) A method comprising:
- providing at least one node with software for reforming a user identifier and source identifier from a packet received from at least one other node to determine whether the packet is permitted to be passed to a destination indicated by a header of the packet.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 44. (new) A method as claimed in claim 43 wherein the packet is received from a public communications network.
  - 45. (new) A method as claimed in claim 43 wherein the public communications network is the Internet.
  - 46. (new) A method as claimed in claim 43 wherein the software can further be used to transform the user identifier and source identifier to form a transformed header in the packet.
  - 47. (new) A method as claimed in claim 46 wherein the software can be used to determine whether policy data exists based on at least one of the user identifier, the source identifier, a network resource requested by the packet, and a destination of the packet.
  - 48. (new) A method as claimed in claim 46 wherein the software can further be used to determine whether the user identifier and source identifier are associated with a trusted entity.
  - 49. (new) A method as claimed in claim 46 wherein the software can further be used to determine, if the packet originated from a trusted entity, whether an access policy exists for the trusted entity.
  - 50. (new) A method as claimed in claim 49 wherein, if the access policy exists, the software can be used to apply the access policy to determine whether the trusted entity is permitted access to a network resource and destination.
  - 51. (new) A method as claimed in claim 50 wherein, if the access policy does not exist, the software permits the trusted entity access to the requested network resource and entity.
  - 52. (new) A method as claimed in claim 51 wherein, if the software determines that the packet originates from an untrusted entity, the software determines whether an exception policy exists under which the untrusted entity may be permitted access to the requested network resource and destination.
  - 53. (new) A method as claimed in claim 52 wherein, if the software determines that no exception policy exists, the software terminates the request.
  - 54. (new) A method as claimed in claim 53 wherein, if the software terminates the request, the software reports the attempt of the untrusted entity to access the network resource and destination to a network administrator.
  - 55. (new) A method as claimed in claim 54 wherein, if the software terminates the request, the software stores a record of the attempt of the untrusted entity to access the network resource and destination in an unauthorized access database.
  - 56. (new) A method as claimed in claim 52 wherein, if the software determines that an exception policy exists for the untrusted entity, the software further determines whether the exception policy permits the untrusted entity to access the network resource and destination.
  - 57. (new) A method as claimed in claim 56 wherein, if the software determines that the untrusted entity is not permitted to access the network resource and destination indicated by the request, the software terminates the request.
  - 58. (new) A method as claimed in claim 57 wherein the software further reports the request attempting to access the network resource and destination to a network administrator.
  - 59. (new) A method as claimed in claim 57 wherein the software further stores a record of the request attempting to access the network resource and destination in an unauthorized access database.
  - 60. (new) A method as claimed in claim 59 wherein, if the software determines that the user is authorized to access the requested network resource and destination, the software transforms the user identifier and source identifier and inserts same in the header of the packet, inserts a non-zero value into the acknowledgement field of the packet, stores the non-zero value in a memory location accessible to the destination node indicated by the packet, and releases the packet with transformed packet header to the destination node.
  - 61. (new) A method as claimed in claim 43 wherein the packet is a synchronization (SYN) packet.
  - 62. (new) A method as claimed in claim 43 wherein the reforming is performed using different keys for the user identifier and source identifier.
  - 63. (new) A method as claimed in claim 43 further comprising:
    - distributing first and second key tables having first and second sets of keys to the node for use in transforming the user identifier and source identifier, respectively.
  - 64. (new) A method as claimed in claim 43 wherein the software can be used to switch the packet to a destination port indicated by the packet based on at least one of the user identifier and source identifier.
  - 65. (new) A method as claimed in claim 43 wherein the software can be used to switch the packet to a destination node based on the user identifier and source identifier.

66. (new) A method comprising:
- determining whether a synchronization packet has a non-zero value in an acknowledgement field of a header of the packet.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79)
- - 67. (new) A method as claimed in claim 66 further comprising:
    - if the packet has the non-zero value in the acknowledgement field, reforming at least one of a user identifier and source identifier contained in the packet header.
  - 68. (new) A method as claimed in claim 66 further comprising:
    - if the packet does not have the zero value in the acknowledgement field, reforming a user identifier and source identifier from the packet header.
  - 69. (new) A method as claimed in claim 68 wherein the reforming is performed using different keys for the user identifier and the source identifier.
  - 70. (new) A method as claimed in claim 68 wherein at least one of the user identifier and source identifier are used to determine whether access policy data exists to define rights of at least one of the user and source to access at least one of a network resource and destination port identified by the packet.
  - 71. (new) A method as claimed in claim 70 wherein the network resource comprises an application.
  - 72. (new) A method as claimed in claim 70 wherein the network resource comprises data.
  - 73. (new) A method as claimed in claim 70 wherein the destination port is associated with a destination node.
  - 74. (new) A method as claimed in claim 66 further comprising:
    - if the determining establishes that the acknowledgement field has a zero value, terminating a request for network service requested by the packet unless an exception policy authorizes the packet to proceed to a destination node indicated by the packet.
  - 75. (new) A method as claimed in claim 74 wherein the exception policy is defined based on at least one of a user identifier included in the packet, a source identifier included in the packet, a network resource requested by the packet, and a destination port indicated by the packet.
  - 76. (new) A method as claimed in claim 66 further comprising:
    - terminating communication associated with the packet if the policy data determines that transfer of the packet to a destination port indicated by the packet header is not authorized.
  - 77. (new) A method as claimed in claim 76 further comprising:
    - permitting the packet to pass to the destination port identified by the packet if the policy data indicates that communication with the packet header is authorized.
  - 78. (new) A method as claimed in claim 76 further comprising:
    - permitting the packet to pass to the destination port identified by the packet if the policy data indicates that communication with the packet header is authorized.
  - 79. (new) A method as claimed in claim 76 further comprising:
    - determining whether the packet has a transport control protocol/Internet protocol (TCP/IP) format, the determining whether the synchronization packet has the non-zero value performed only if the packet has the TCP/IP format.

80. (new) A method comprising:
- inserting a non-zero value into an acknowledgement field of a header of a synchronization (SYN) packet.
- View Dependent Claims (81, 82)
- - 81. (new) A method as claimed in claim 80 wherein the non-zero value comprises at least one of a transformed user identifier and a transformed source identifier.
  - 82. (new) A method as claimed in claim 80 wherein the non-zero value comprises a transformed user identifier and a transformed source identifier.

83. (new) A method comprising:
- determining whether a packet originated from a trusted entity, the determining performed by establishing whether an acknowledgement field of a header of the packet has a non-zero value.
- View Dependent Claims (84, 85, 86, 87, 88, 89)
- - 84. (new) A method as claimed in claim 83 wherein the identity of the trusted entity is defined by a user identifier and source identifier included in the packet.
  - 85. (new) A method as claimed in claim 83 further comprising:
    - if the determining establishes that the packet originated from a trusted entity, determining access rights of the trusted entity to access at least one of a network resource and destination node indicated by the packet.
  - 86. (new) A method as claimed in claim 85 wherein the access rights are defined based on at least one of a user identifier, a source identifier, a network resource, and a destination port indicated by the packet.
  - 87. (new) A method as claimed in claim 85 wherein the packet is a synchronization (SYN) packet.
  - 88. (new) A method as claimed in claim 83 further comprising:
    - if the determining establishes that the packet originated from an untrusted entity, determining access rights of the untrusted entity under an exception policy applied with respect to a request for a network resource indicated by the packet.
  - 89. (new) A method as claimed in claim 85 further comprising:
    - determining whether the packet is a synchronization packet, said determining whether the packet originated from the trusted entity performed only if the packet is determined to be a synchronization packet.

90. (new) A method comprising:
- determining whether a request to access a network resource originates from a trusted entity;
  
  if the request to access the network resource originates from a trusted entity, permitting the request to access the network resource if an access policy permits the trusted entity to access to the network resource or if no policy exists relative to the trusted entity; and
  
  if the request to access the network resource does not originate from a trusted entity, prohibiting the request to access the network resource unless an exception policy permits the untrusted entity to access the network resource.
- View Dependent Claims (91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101)
- - 91. (new) A method as claimed in claim 90 further comprising:
    - if the request to access the network resource is prohibited, storing a record of the request to access the network resource in an unauthorized request database.
  - 92. (new) A method as claimed in claim 91 wherein the record comprises an identity of the entity originating the request.
  - 93. (new) A method as claimed in claim 92 wherein determination of whether the entity is trusted is made on the basis of a user identifier included in the request.
  - 94. (new) A method as claimed in claim 93 wherein the determination of whether the entity is trusted is further made on the basis of a source identifier included in the request.
  - 95. (new) A method as claimed in claim 94 wherein the determination of whether the entity is trusted is made on the basis of a source identifier included in the request.
  - 96. (new) A method as claimed in claim 90 wherein the network resource comprises an application.
  - 97. (new) A method as claimed in claim 90 wherein the network resource comprises data.
  - 98. (new) A method as claimed in claim 90 wherein the determination of whether the request originates from a trusted entity is made based on whether an acknowledgement field in a packet including the request has a non-zero value.
  - 99. (new) A method as claimed in claim 90 wherein the request is contained in a synchronization (SYN) packet.
  - 100. (new) A method as claimed in claim 90 wherein the access policy is defined based on at least one of a user identifier included in the packet, a source identifier included in the packet, a network resource requested by the packet, and a destination port indicated by the packet.
  - 101. (new) A method as claimed in claim 90 wherein the exception policy is defined based on at least one of a user identifier included in the packet, a source identifier included in the packet, a network resource requested by the packet, and a destination port indicated by the packet.

102. (new) A method comprising:
- storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in transforming user and source identifiers.
- View Dependent Claims (103, 104)
- - 103. (new) A method as claimed in claim 102 further comprising:
    - randomly selecting one of the general keys for use in transforming a user identifier for inclusion in a packet header.
  - 104. (new) A method as claimed in claim 102 further comprising:
    - randomly selecting one of the session keys for use in transforming a source identifier for inclusion in a packet header.

105. (new) A method comprising:
- storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in reforming user and source identifiers.
- View Dependent Claims (106)
- - 106. (new) A method as claimed in claim 105 further comprising:
    - extracting a session key index from a packet;
      
      retrieving a session key with the session key index;
      
      extracting a source identifier and a general key index from the packet using the session key;
      
      retrieving a general key using the general key index;
      
      extracting a user identifier from the packet using the general key.

107. (new) A computer-readable medium storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in transforming user and source identifiers.
- View Dependent Claims (108, 109)
- - 108. (new) A computer-readable medium as claimed in claim 107 wherein the general keys are randomly selected for use in transforming a user identifier for inclusion in a packet header
  - 109. (new) A computer-readable medium as claimed in claim 107 wherein the session keys are randomly selected for use in transforming a source identifier for inclusion in a packet header.

110. (new) A computer-readable medium storing a table of general keys in association with corresponding general key indexes, and a table of session keys in association with corresponding session key indexes, for use in reforming user and source identifiers.
- View Dependent Claims (111)
- - 111. (new) A computer-readable medium as claimed in claim 110 wherein the tables of general keys and session keys are used to extract general and session key indexes from a packet, using the general and session key indexes to retrieve general and session keys, respectively, and reforming user and source identifiers from the packet using the general and session keys.

112. (new) A method comprising:
- distributing first and second key tables to at least one node for use in establishing an entity associated with the node as a trusted entity.
- View Dependent Claims (113, 114, 115, 116)
- - 113. (new) A method as claimed in claim 112 wherein the first and second key tables are for use in transforming a user identifier and source identifier included in a request for a network resource generated by the node for transmission to at least one other node associated with another trusted entity.
  - 114. (new) A method as claimed in claim 112 wherein the first key table comprises general keys used to transform the user identifier included in the request.
  - 115. (new) A method as claimed in claim 114 wherein the second key table comprises session keys used to transform the source identifier included in the request.
  - 116. (new) A method as claimed in claim 112 wherein the second key table comprises session keys used to transform the source identifier included in the request.

117. (new) A method comprising:
- executing software comparing a source identifier of a node with a source identifier included in the software;
  
  if the source identifier of the node matches the source identifier of the software, continuing to execute the software; and
  
  if the source identifier of the node does not match the source identifier of the software, terminating execution of the software.
- View Dependent Claims (118, 119, 120)
- - 118. (new) A method as claimed in claim 117 wherein the source identifier is determined based on the media access control (MAC) address of the machine.
  - 119. (new) A method as claimed in claim 117 wherein the source identifier is further determined based on a timestamp.
  - 120. (new) A method as claimed in claim 117 wherein the timestamp is determined based on a time of registration of the node as a trusted node.

121. (new) A method comprising:
- providing an identifier identifying a node in software, the software executable by the node to compare the source identifier of the software with the source identifier of the node, the software continuing to execute if the identifier of the software matches the identifier of the node, and the software terminating execution if the identifier of the software does not match the identifier of the node.
- View Dependent Claims (122, 123, 124, 125, 126)
- - 122. (new) A method as claimed in claim 121 wherein the software can be used for secure communications between the node and at least one other node.
  - 123. (new) A method as claimed in claim 121 wherein the software can be used to authenticate the node to at least one other node.
  - 124. (new) A method as claimed in claim 121 wherein the identifier is derived from the media access control (MAC) address of the node.
  - 125. (new) A method as claimed in claim 124 wherein the identifier is further derived from a timestamp.
  - 126. (new) A method as claimed in claim 125 wherein the timestamp is associated with a time of registration of the node as corresponding to a trusted entity.

127. (new) A system for entities to communicate via a network, the system comprising:
- a first node executing software for transforming a user identifier and source identifier included in a request to access a network resource, the first node transmitting the request on the network. a second node connected to communicate with the first node via the network, the second node receiving the request from the first node and reforming the user identifier and source identifier contained in the request, the second node using the user identifier and the source identifier to determine whether the request is to be passed or terminated; and
  
  a third node connected to communicate with the second node, the third node indicated as the destination of the request for access to the network resource and receiving and executing the request if passed from the second node.
- View Dependent Claims (128, 129, 130, 131, 132, 133, 134, 135)
- - 128. (new) A system as claimed in claim 127 wherein the first node includes the request in a synchronization packet.
  - 129. (new) A system as claimed in claim 128 wherein the first node includes the transformed user identifier in an initial sequence number field of a packet containing the request.
  - 130. (new) A system as claimed in claim 129 wherein the first node includes the transformed source identifier in an acknowledgement field of the packet containing the request.
  - 131. (new) A system as claimed in claim 128 wherein the first node includes the transformed source identifier in an acknowledgement field of the packet containing the request.
  - 132. (new) system as claimed in claim 131 wherein the transformed source identifier has a non-zero value, the second node using the fact that the acknowledgement field contains such non-zero value to determine that the user identifier and source identifier are contained in the request.
  - 133. (new) A system as claimed in claim 131 wherein the second node reforms the user identifier and source identifier and compares same against stored data to determine whether the request is to be passed to the third node.
  - 134. (new) A system as claimed in claim 133 wherein the stored data comprises an access policy defined by at least one of the user identifier, source identifier, a requested network resource indicated by the request, and the identity of the third node to which the request is directed.
  - 135. (new) A system as claimed in claim 127 wherein the first, second, and third nodes comprise respective computers.

136. (new) An apparatus connected to communicate via a network, the apparatus comprising:
- a node connected to the network, for transforming a user identifier and source identifier for inclusion in a request for transmission on the network.
- View Dependent Claims (137, 138, 139, 140, 141, 142, 143, 144, 145)
- - 137. (new) An apparatus as claimed in claim 136 wherein the node includes the request in a synchronization packet.
  - 138. (new) An apparatus as claimed in claim 137 wherein the node includes the transformed user identifier in an initial sequence number field of a packet containing the request.
  - 139. (new) An apparatus as claimed in claim 138 wherein the node includes the transformed source identifier in an acknowledgement field of the packet containing the request.
  - 140. (new) An apparatus as claimed in claim 136 wherein the node includes the transformed source identifier in an acknowledgement field of the packet containing the request.
  - 141. (new) An apparatus as claimed in claim 136 wherein the transformed source identifier has a non-zero value.
  - 142. (new) An apparatus as claimed in claim 136 wherein the node transforms the user identifier with a general key.
  - 143. (new) An apparatus as claimed in claim 142 wherein the node transforms the source identifier with a session key.
  - 144. (new) An apparatus as claimed in claim 136 wherein the node transforms the source identifier with a session key.
  - 145. (new) An apparatus as claimed in claim 136 wherein the node comprises a computer.

146. (new) An apparatus connected to communicate via a network, the apparatus comprising:
- a node for receiving a request to access a network resource via the network, the node determining whether the request contains a transformed user identifier and source identifier, and if the request contains the transformed user identifier and source identifier, the node reforms the user identifier and source identifier.
- View Dependent Claims (147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165)
- - 147. (new) An apparatus as claimed in claim 146 wherein the node uses the user identifier and source identifier to determine whether the packet is to be released to a destination indicated by the request.
  - 148. (new) An apparatus as claimed in claim 147 wherein the node uses the user identifier and source identifier to switch the packet to a destination corresponding to at least the user identifier and source identifier and the destination indicated by the packet.
  - 149. (new) An apparatus as claimed in claim 148 wherein the node refers to a stored table of switching data to determine the destination to which the request is to be switched.
  - 150. (new) An apparatus as claimed in claim 147 wherein the request is contained in a synchronization packet.
  - 151. (new) An apparatus as claimed in claim 150 wherein the node determines that the request has a transformed user identifier and source identifier if the synchronization packet has a non-zero value in an acknowledgement field thereof due to inclusion of at least one of the user identifier and source identifier in such acknowledgement field.
  - 152. (new) An apparatus as claimed in claim 150 wherein the node reforms the source identifier with a session key obtained from a session key table stored at the node using a session key index contained in the synchronization packet.
  - 153. (new) An apparatus as claimed in claim 152 wherein the node reforms the user identifier using a general key obtained from a general key table stored at the node using a general key index contained in the synchronization packet.
  - 154. (new) An apparatus as claimed in claim 146 wherein, if the request contains the transformed user identifier and source identifier, the node reforms the user identifier and source identifier to determine whether corresponding access policy data exists to define whether the request to access the network resource is to be permitted.
  - 155. (new) An apparatus as claimed in claim 146 wherein the access policy data is defined based on at least one of the user identifier, the source identifier, the network resource indicated by the request, and the destination port indicated by the packet.
  - 156. (new) An apparatus as claimed in claim 146 wherein the node releases the request to a destination node indicated by the request if no access policy data exists for the user identifier and source identifier.
  - 157. (new) An apparatus as claimed in claim 146 wherein, if the node determines that the request contains no user identifier and source identifier, the node refers to stored exception policy data to determine whether the request is to be permitted to be released to a destination port indicated by the request.
  - 158. (new) An apparatus as claimed in claim 157 wherein the exception policy data is defined based on at least one of the user identifier, the source identifier, the network resource indicated by the request, and the destination port indicated by the packet.
  - 159. (new) An apparatus as claimed in claim 158 wherein the exception policy data indicates that the packet is to be released, and the node generates and inserts a non-zero value in the acknowledgement field of the synchronization packet, stores the non-zero value in a location accessible to a destination node at the destination port indicated by the packet, and releases the packet to the destination port for access by the destination node.
  - 160. (new) An apparatus as claimed in claim 158 wherein the node terminates the request if the exception policy indicates that the packet is not to be released to a destination port indicated by the packet.
  - 161. (new) An apparatus as claimed in claim 160 wherein the node reports the request to access the network resource to a network administrator.
  - 162. (new) An apparatus as claimed in claim 160 wherein the node stores a record of the request in an unauthorized access database.
  - 163. (new) An apparatus as claimed in claim 146 wherein the network resource comprises an application.
  - 164. (new) An apparatus as claimed in claim 146 wherein the network resource comprises data.
  - 165. (new) An apparatus as claimed in claim 146 wherein the node comprises a computer.

166. (new) An apparatus receiving a packet requesting a network service, the apparatus comprising:
- a node connected to receive a packet, the node determining whether the packet is a synchronization packet, and if the packet is a synchronization packet, the node determining whether an acknowledgement field of the packet contains a non-zero-value, if the packet has a non-zero value, the packet continuing to process the packet to provide the requested network service, and if the synchronization packet has a zero value in the acknowledgement field of the packet, the node dropping the packet.
- View Dependent Claims (167, 168)
- - 167. (new) An apparatus as claimed in claim 166 wherein, if the synchronization packet contains the non-zero value, the node continues to process the request by using an encryption key to reform the a source identifier and session key index, retrieving a session key from a table based on the session key index, and using the session key to reform an initial sequence number, the node zeroing the acknowledgement field, and storing the initial sequence number data and zeroed acknowledgement for use in communicating with a remote node from which the packet originated.
  - 168. (new) An apparatus as claimed in claim 167 wherein the node retrieves and uses the session key indicated by the session key index to transmit a packet to the remote node to continue packet communications for the session with the remote node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Trusted Network Technologies, Inc. (Liquidware Labs, Inc.)
Inventors
Shay, A. David

Granted Patent

US 7,823,194 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/162   at the data link layer

System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

168 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

168 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links