System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set I

US 20050257249A1
Filed: 05/05/2005
Published: 11/17/2005
Est. Priority Date: 05/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

(a) receiving from a first computer at a second computer via a network a request message from the first computer to establish a network connection;

(b) retrieving security state data at the second computer;

(c) incorporating the security state data into a response message at the second computer; and

(d) transmitting the response message including the security state data from the second computer to the first computer via the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed system, apparatuses, methods, and computer-readable media can be used by a computer to establish the security status of another computer before establishing a network connection to it. Responsive to a request message, security state data indicating this status can be incorporated into a response message as one of the first few packets exchanged by computers to establish a network connection. This enables a computer to determine whether the other computer'"'"'s security status is compliant with its security policy before establishing the network connection, reducing risk of infection by a virus, worm, or the like.

Citations

51 Claims

1. A method comprising the steps of:
- (a) receiving from a first computer at a second computer via a network a request message from the first computer to establish a network connection;
  
  (b) retrieving security state data at the second computer;
  
  (c) incorporating the security state data into a response message at the second computer; and
  
  (d) transmitting the response message including the security state data from the second computer to the first computer via the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A method as claimed in claim 1 wherein the security state data comprises data generated by an anti-virus application running on the second computer.
  - 3. A method as claimed in claim 1 wherein the security state data comprises data generated by a firewall application running on the second computer.
  - 4. A method as claimed in claim 1 wherein the security state data comprises data generated by an operating system running on the second computer.
  - 5. A method as claimed in claim 1 wherein the security state data comprises data received via the Internet from a website of a developer of one or more of an anti-virus application, firewall application, and operating system.
  - 6. A method as claimed in claim 1 wherein the security state data comprises data indicating whether an anti-virus application running on the second computer is active to protect the first computer.
  - 7. A method as claimed in claim 6 wherein the security state data comprises data indicating whether the anti-virus application is up-to-date.
  - 8. A method as claimed in claim 1 wherein the security state data comprises data indicating whether a firewall application is running on the second computer.
  - 9. A method as claimed in claim 8 wherein the security state data comprises data indicating whether the firewall application is up-to-date.
  - 10. A method as claimed in claim 1 wherein the security state data comprises data indicating whether an operating system patch has been installed to close a vulnerability in the operating system running on the second computer.
  - 11. A method as claimed in claim 10 wherein the security state data comprises data indicating whether the operating system patch is up-to-date.
  - 12. A method as claimed in claim 1 wherein the response message is a TCP SYNACK packet.
  - 13. A method as claimed in claim 12 wherein the security state data is incorporated in a field in the header of the TCP SYNACK packet.
  - 14. A method as claimed in claim 13 wherein the field is the urgent pointer field.
  - 15. A method as claimed in claim 1 wherein the security state data is incorporated in the header of the response message.
  - 16. A method as claimed in claim 1 wherein the network is the Internet.
  - 17. A method as claimed in claim 1 further comprising the step of:
    - (e) receiving the response message including the security state data from the second computer at the first computer via the network;
      
      (f) determining at the first computer if the network connection to the second computer is permitted based on security policy data stored in the first computer and the security state data received from the second computer;
      
      (g) proceeding with establishing the network connection if the determining of step (f) establishes that the network connection to the second computer is permitted; and
      
      (h) terminating further processing to establish the network connection if the second computer determines in step (f) that the network connection to the second computer is not permitted.
  - 18. A method as claimed in claim 1 further comprising the steps of:
    - (e) receiving the response message including the security state data from the second computer at the first computer via the network;
      
      (f) determining at the first computer if security activation data stored at the first computer indicates that the security state data is to be processed in order to determine if network connection to the second computer is to be permitted; and
      
      if the determining in the step (f) establishes that the security activation data indicates that the security state data is to be processed, (g) determining at the first computer if the network connection to the second computer is permitted based on security policy data stored in the first computer and the security state data received from the second computer;
      
      (h) proceeding with establishing the network connection if the determining of step (g) establishes that connection to the second computer is permitted; and
      
      (i) terminating further processing to establish the network connection if the determining of step (g) establishes that the connection to the second computer is not permitted.

19. A computer-readable medium storing computer code for use related to a first computer communicating with a second computer to determine if a network connection to the second computer is permitted, the second computer executing the computer code to perform the following steps:
- (a) receiving from the first computer at the second computer via the network a request message from the first computer to establish the network connection;
  
  (b) retrieving security state data indicating the security status of the second computer at the second computer;
  
  (c) incorporating the security state data into a response message at the second computer; and
  
  (d) transmitting the response message including the security state data from the second computer to the first computer via the network.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data generated by an anti-virus application running on the second computer.
  - 21. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data generated by a firewall application running on the second computer.
  - 22. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data generated by an operating system running on the second computer.
  - 23. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data received via the Internet from a website of a developer of one or more of an anti-virus application, firewall application, and operating system.
  - 24. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data indicating whether an anti-virus application is running on the first computer to protect the first computer.
  - 25. A computer-readable medium as claimed in claim 24 wherein the security state data comprises data indicating whether the anti-virus application is up-to-date.
  - 26. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data indicating whether a firewall application is running on the first computer.
  - 27. A computer-readable medium as claimed in claim 26 wherein the security state data comprises data indicating whether the firewall application is up-to-date.
  - 28. A computer-readable medium as claimed in claim 19 wherein the security state data comprises data indicating whether an operating system patch has been installed to close a vulnerability in the operating system running on the first computer.
  - 29. A computer-readable medium as claimed in claim 28 wherein the security state data comprises data indicating whether the operating system patch is up-to-date.
  - 30. A computer-readable medium as claimed in claim 19 wherein the response message is a TCP SYNACK packet.
  - 31. A computer-readable medium as claimed in claim 30 wherein the security state data is incorporated in a field in the header of the TCP SYNACK packet.
  - 32. A computer-readable medium as claimed in claim 31 wherein the field is the urgent pointer field.
  - 33. A computer-readable medium as claimed in claim 19 wherein the security state data is incorporated in the header of the response message.
  - 34. A computer-readable medium as claimed in claim 19 wherein the network is the Internet.
  - 35. A computer-readable medium as claimed in claim 19 wherein the second computer executes the computer code stored in the computer-readable medium to perform the following further steps:
    - (e) receiving the response message including the security state data from the second computer at the first computer via the network;
      
      (f) determining at the first computer if the network connection to the second computer is permitted based on security policy data stored in the first computer and the security state data received from the second computer;
      
      (g) proceeding with establishing the network connection if the determining of step (f) establishes that the network connection to the second computer is permitted; and
      
      (h) terminating further processing to establish the network connection if the second computer determines in step (f) that the network connection to the second computer is not permitted.

36. An apparatus communicating via a network with a first computer, the apparatus comprising:
- a second computer connected to the network, the second computer receiving a request message to establish a network connection from the first computer via the network, retrieving security state data, incorporating the security state data into a response message, and transmitting the response message including the security state data from the second computer to the first computer via the network.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 37. A method as claimed in claim 36 wherein the security state data comprises data generated by an anti-virus application running on the second computer.
  - 38. A method as claimed in claim 36 wherein the security state data comprises data generated by a firewall application running on the second computer.
  - 39. A method as claimed in claim 36 wherein the security state data comprises data generated by an operating system running on the second computer.
  - 40. A method as claimed in claim 36 wherein the security state data comprises data received via the Internet from a website of a developer of one or more of an anti-virus application, firewall application, and operating system.
  - 41. An apparatus as claimed in claim 36 wherein the security state data includes data indicating whether an anti-virus application is running on the second computer to protect the second computer.
  - 42. An apparatus as claimed in claim 41 wherein the security state data comprises data indicating whether the anti-virus application is up-to-date.
  - 43. An apparatus as claimed in claim 36 wherein the security state data comprises data indicating whether a firewall application is running on the second computer.
  - 44. An apparatus as claimed in claim 43 wherein the security state data comprises data indicating whether the firewall application is up-to-date.
  - 45. An apparatus as claimed in claim 36 wherein the security state data comprises data indicating whether an operating system patch has been installed to close a vulnerability in the operating system running on the first computer.
  - 46. An apparatus as claimed in claim 45 wherein the security state data comprises data indicating whether the operating system patch is up-to-date.
  - 47. An apparatus as claimed in claim 36 wherein the response message is a TCP SYNACK packet.
  - 48. An apparatus as claimed in claim 47 wherein the security state data is incorporated in a field in the header of the TCP SYNACK packet.
  - 49. An apparatus as claimed in claim 48 wherein the field is the urgent pointer field.
  - 50. An apparatus as claimed in claim 36 wherein the security state data is incorporated in the header of the response message.
  - 51. An apparatus as claimed in claim 36 wherein the network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Trusted Network Technologies, Inc. (Liquidware Labs, Inc.)
Inventors
Shay, A. David

Granted Patent

US 7,591,001 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set I

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set I

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links