HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL

US 20100162381A1
Filed: 12/19/2008
Published: 06/24/2010
Est. Priority Date: 12/19/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:

inspecting payloads of a plurality of packets each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;

responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;

determining whether a count of packets having the source address exceeds a safe threshold;

responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;

determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good; and

responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of packet having the source address without analyzing a payload of the packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. The reverse firewall requests a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good. The reverse firewall analyzes a header of packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host.

24 Citations

View as Search Results

20 Claims

1. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:
- inspecting payloads of a plurality of packets each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
  
  responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;
  
  determining whether a count of packets having the source address exceeds a safe threshold;
  
  responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;
  
  determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good; and
  
  responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of packet having the source address without analyzing a payload of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer implemented method of claim 1, further comprising:
    - responsive to a determination that the positive trust report is received from the receiver host, counting packets having the source internet protocol address to form a repose count;
      
      determining whether the repose count exceeds a repose threshold;
      
      responsive to a determination that the repose count exceeds the repose threshold, determining whether a negative trust report is received by the receiver host concerning the source internet protocol address; and
      
      responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address, determining whether a packet from the source internet protocol address was sent to receiver host in a recent period.
  - 3. The computer implemented method of claim 2, further comprising:
    - resetting the count of packets from the source internet protocol address in response the determination that the packet from the source internet protocol address was sent to the receiver host in the recent period; and
      
      determining whether the count of packets from the source internet protocol address exceeds the safe threshold.
  - 4. The computer implemented method of claim 3, wherein the trust report is received within a timeout period and is unexpired.
  - 5. The computer implemented method of claim 3, wherein the trust report is valid and positive.
  - 6. The computer implemented method of claim 3, wherein the recent period is during a prior two second interval.
  - 7. The computer implemented method of claim 1, further comprising:
    - determining if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with a good host profile.

8. A computer implemented method to report a bad host, the method comprising:
- receiving a packet from a sender host;
  
  detecting that the packet contains suspect hostile content; and
  
  transmitting a negative trust report.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer implemented method of claim 8, wherein the step of transmitting a negative trust report is responsive to detecting that the packet contains suspect hostile content.
  - 10. The computer implemented method of claim 8 further comprising:
    - receiving a request for a demanded positive trust report;
      
      responsive to receiving a request for a demanded positive trust report, incrementing a count;
      
      determining if a threshold number of demands received from the reverse firewall is exceeded;
      
      determining whether the count is below a threshold number of demands;
      
      responsive to a determination that the count is below the threshold number of demands, determining whether the sender host is marked good; and
      
      responsive to a determination that the sender host is marked good, transmitting a positive trust report.
  - 11. The computer implemented method of claim 10, wherein transmitting a positive trust report is responsive to a determination that the sender host is marked good.
  - 12. The computer implemented method of claim 10, wherein the count determines a number of received demanded trust reports.
  - 13. The computer implemented method of claim 10, wherein the count determines a number of received demanded trust reports received during a recent period.

14. A computer program product for throttling traffic from a source internet protocol address, the computer program product comprising:
- a computer usable medium having computer usable program code embodied therewith, the computer program product comprising;
  
  computer usable program code configured to inspect payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
  
  computer usable program code configured to forward packets having the source address, responsive to detecting purported good content within at least one of the plurality of packets;
  
  computer usable program code configured to determine whether a count of packets having the source address exceeds a safe threshold;
  
  computer usable program code configured to request a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold;
  
  computer usable program code configured to determine whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good; and
  
  computer usable program code configured to analyze a header of packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14, further comprising:
    - computer usable program code configured to count packets having the source internet protocol address to form a repose count, responsive to a determination that the positive trust report is received from the receiver host;
      
      computer usable program code configured to determine whether the repose count exceeds a repose threshold;
      
      computer usable program code configured to determine whether a negative trust report is received by the receiver host concerning the source internet protocol address, responsive to a determination that the repose count exceeds the repose threshold; and
      
      computer usable program code configured to determine whether a packet from the source internet protocol address was sent to receiver host in a recent period, responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address.
  - 16. The computer program product of claim 15, further comprising:
    - computer usable program code configured to reset the count of packets from the source internet protocol address in response the determination that the packet from the source internet protocol address was sent to the receiver host in the recent period; and
      
      computer usable program code configured to determine whether the count of packets from the source internet protocol address exceeds the safe threshold.
  - 17. The computer program product of claim 16, wherein the trust report is received within a timeout period and is unexpired.
  - 18. The computer program product of claim 16, wherein the trust report is valid and positive.
  - 19. The computer program product of claim 16, wherein the recent period is during a prior two second interval.
  - 20. The computer program product of claim 14, further comprising:
    - computer usable program code configured to determine if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with a good host profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sabarathinam, Suresh, Goyal, Anand, Kosanam, Silpa, Fried, Eric P.

Granted Patent

US 8,375,435 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/0227 Filtering policies mail mes...

HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HOST TRUST REPORT BASED FILTERING MECHANISM IN A REVERSE FIREWALL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links