ACCESS, PRIORITY AND BANDWIDTH MANAGEMENT BASED ON APPLICATION IDENTITY

US 20090241170A1
Filed: 03/18/2009
Published: 09/24/2009
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method of controlling packet flow, comprising:

receiving packets destined for one or more resources, the respective packets each including an inserted application identifier and user identifier identifying a registered application and a user, respectively;

determining, by a packet processor of a security node, the inserted application identifier for each of the respective packets received;

determining, for each of the received packets, whether the user identifier is authorized to use an application and a resource included in a set of security rules based on the inserted application identifier of the received packet; and

if the user is authorized to use the application and the resource, controlling, by the packet processor, the packet flow of each of the received packets sent from the security node by adjusting one or more of a priority of the received packets or a bandwidth to the resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or system for managing packet flow is disclosed. The packets each include an inserted application identifier identifying a registered application. The method includes receiving packets destined for one or more resources, determining, by a packet processor, the inserted application identifier for each of the respective packets received and managing the packet flow of each received packet sent from a security node based at least in part on the inserted application identifier of the received packet.

Citations

20 Claims

1. A method of controlling packet flow, comprising:
- receiving packets destined for one or more resources, the respective packets each including an inserted application identifier and user identifier identifying a registered application and a user, respectively;
  
  determining, by a packet processor of a security node, the inserted application identifier for each of the respective packets received;
  
  determining, for each of the received packets, whether the user identifier is authorized to use an application and a resource included in a set of security rules based on the inserted application identifier of the received packet; and
  
  if the user is authorized to use the application and the resource, controlling, by the packet processor, the packet flow of each of the received packets sent from the security node by adjusting one or more of a priority of the received packets or a bandwidth to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the determining of the inserted application identifier occurs in the security node in an Open Systems Interconnect (OSI) layer below an application layer.
  - 3. The method of claim 1, wherein the determining of the inserted application identifier occurs in a network layer.
  - 4. The method of claim 1, further comprising:
    - establishing, by the security node, a list of registered applications and unique application identifiers associated therewith; and
      
      securely sending, by the security node to a sending node, the list of registered applications and the associated unique application identifiers.
  - 5. The method of claim 1, further comprising:
    - inserting, by a program processor of the sending node, the application identifier identifying the registered application into packets to be sent from sending node; and
      
      sending the packets destined for the one or more resources via the security node.
  - 6. The method of claim 5, wherein the inserting of the application identifier includes:
    - embedding at least the application identifier and a user identifier in a security tag; and
      
      inserting the security tag into each of the packets sent by the sending node, as an in-band metadata tag.
  - 7. The method of claim 5, wherein the inserting of the application identifier into packets to be sent from the sending node includes:
    - selectively inserting a respective application identifier into each packet;
      
      (1) associated with an application in a list of registered applications; and
      
      (2) destined for one of the one or more resources such that application identifiers are prevented from being inserted into packets that are associated with an application not in the list of registered applications or that are not destined for one of the one or more resources.
  - 8. The method of claim 6, wherein the determining of the inserted application identifier for each of the respective packets received by the security node includes:
    - scanning for the embedded security tag in each of the packets received by the security node; and
      
      extracting the inserted application and user identifiers from the scanned security tags of the packets received by the security node.
  - 9. The method of claim 1, wherein the adjustment of one or more of a priority of the received packets or a bandwidth to the resource is based on at least the application identifier and the user identifier inserted in the received packets.
  - 10. The method of claim 1, further comprising:
    - if the user is non-authorized to use the application or the resource included in the set of security rules, blocking the flow of the packets associated with the non-authorized user to the application or the resource, respectively.
  - 11. The method of claim 1, further comprising:
    - generating audit logs from the received packets that include at least information to watermark application associated with the received packets.

12. A method of inserting an application identifier into respective outgoing packets from a sending node destined for a resource on a network, comprising:
- storing, in an electronic database of the sending node, information identifying registered applications including associated application identifiers;
  
  determining, by a program processor of the sending node, each currently executing process and at least a process identifier corresponding to each currently executing process;
  
  matching, using the electronic database of the sending node, the information identifying registered applications with information associated with the process identifiers of each currently executing process to determine a matched application identifier associated with each currently executing process; and
  
  inserting, by the program processor of the sending node, the matched application identifier in each packet to authenticate that the registered application corresponding to the matched application identifier is associated with the respective packets.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein the inserting of the matched application identifier in each packet includes at least one of:
    - (1) obfuscating the application identifier;
      
      or (2) encrypting the application identifier using a session key.
  - 14. The method of claim 12, wherein the matching of the information identifying registered applications with the information associated with the process identifiers of each currently executing process includes:
    - determining from the currently executing process a file invoking the currently executing process; and
      
      matching characteristics of the file invoking the currently executing process to the information identifying registered applications to authenticate the application associated with the currently executing process.
  - 15. The method of claim 14, wherein the matching of the characteristics of the file include at least one of:
    - (1) a digital digest of the file;
      
      (2) a date and time the file was last edited;
      
      (3) a version of the file;
      
      or (4) publisher information.
  - 16. The method of claim 12, further comprising:
    - storing information identifying each executed process and a parent process which invoked the executed process; and
      
      validating, responsive to the currently executing process being invoked, that each of the parent processes in a sequence of parent processes of the currently executing process are associated with registered applications in the electronic database.
  - 17. The method of claim 14, wherein the inserting of the matched application identifier in each outgoing packet is responsive to validation of each of the parent processes of the currently executing process.

18. A security node for managing packet flow between a sending node and one or more resources on a network, comprising:
- a registration unit for registering applications that are authorized to access the one or more resources on the network; and
  
  a packet processor for determining an application identifier and a user identifier inserted in each received packet, for determining, for each received packet, whether the user identifier is authorized to use an application and a resource included in a set of security rules based on the inserted application identifier of the received packet; and
  
  if the user is authorized to use the application and the resource, for controlling the packet flow of each received packet sent from the security node by adjusting one or more of a priority of each received packet or a bandwidth to the resource.
- View Dependent Claims (19)
- - 19. The security node of claim 18, further comprising:
    - an event logger for generating audit logs from the received packets that includes at least information to watermark an application associated with the received packets.

20. A sending node for managing packet flow to one or more resources on a network, comprising:
- an electronic database for storing information identifying registered applications including associated application identifiers;
  
  a program processor for determining each currently executing process and at least a process identifier corresponding to each currently executing process, the information identifying registered applications being matched with information associated with the process identifiers of each currently executing process to determine a matched application identifier associated with each currently executing process, the program processor inserting the matched application identifier in respective packets to authenticate that the registered application corresponding to the matched application identifier is associated with the respective packets; and
  
  a sending unit for sending the respective packets destined for the one or more resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Applied Identity, Co.
Inventors
Kumar, Srinivas, Bettadapura, Vijayashree S., Shah, Shadab Munam

Granted Patent

US 9,240,945 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/2458   Modification of priorities ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

ACCESS, PRIORITY AND BANDWIDTH MANAGEMENT BASED ON APPLICATION IDENTITY

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS, PRIORITY AND BANDWIDTH MANAGEMENT BASED ON APPLICATION IDENTITY

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links