SYSTEM AND METHOD FOR REGULATING COMMUNICATIONS TO OR FROM AN APPLICATION

US 20110119751A1
Filed: 11/12/2010
Published: 05/19/2011
Est. Priority Date: 12/29/1999
Status: Active Grant

First Claim

Patent Images

1. A method for regulating communications to or from a first application executing on a host machine, including:

detecting an attempt to communicate to or from the first application;

determining trusted information about the attempted communication; and

sending a message to at least one security element based upon the determined trusted information about the attempted communication.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The flow of information to or from an application on a host machine is regulated by a trusted agent operating in conjunction with at least one security element, such as a firewall or a policy server. When a communication to or from the application is detected by the trusted agent, the trusted agent gathers information about the attempted communication, and formulates and sends a message based upon the gathered information to at least one security element. The security element makes a decision to permit or block at least part of the attempted communication based upon the message received from the trusted agent.

33 Citations

25 Claims

1. A method for regulating communications to or from a first application executing on a host machine, including:
- detecting an attempt to communicate to or from the first application;
  
  determining trusted information about the attempted communication; and
  
  sending a message to at least one security element based upon the determined trusted information about the attempted communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining trusted information about the attempted communication includes determining at least one from the group of:
    - the identity of the first application;
      
      the identity of the host machine;
      
      the identity of a second application at the host machine;
      
      the identity of a user employing the application;
      
      a port number to which the communication is to be assigned;
      
      state information about the first application; and
      
      the type of information to be conveyed in the communication.
  - 3. The method of claim 1, wherein a security element includes one from the group of:
    - a firewall, a proxy server and a policy server.
  - 4. The method of claim 1, further including deciding at the host machine if the attempted communication is permitted.
  - 5. The method of claim 4, wherein deciding if the attempted communication is permitted includes consulting an access control list.
  - 6. The method of claim 4, wherein deciding if the attempted communication is permitted includes verifying a credential received from an application that is attempting to communicate.
  - 7. The method of claim 1, wherein the attempt to communicate by an application is detected by a trusted agent, wherein information about the application is determined by the trusted agent and sent to a policy server, and further including:
    - determining at the policy server if the communication is permitted based upon the information received from the trusted agent; and
      
      sending a message from the policy server to a firewall through which the communication to or from the application must pass, wherein the message instructs the firewall to permit or block the communication.
  - 8. The method of claim 1, wherein the attempt to communicate by an application is detected by a trusted agent, wherein information about the application is determined by the trusted agent and sent to a policy server, and further including:
    - determining at the policy server if the communication is permitted based upon the information received from the trusted agent; and
      
      sending a message from the policy server to the trusted agent, wherein the message instructs the trusted agent to permit or block the communication.

9. A system for regulating communications to or from a first application executing on a host machine, including:
- a trusted agent executing on the host machine, wherein said trusted agent obtains information about the attempted communication to or from the first application; and
  
  a security element that receives information about the attempted communication from the trusted agent, and determines if the attempted communication is to be permitted based upon the received information.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9, wherein the security element includes one of the group of:
    - a firewall, a proxy server and a policy server.
  - 11. The system of claim 9, wherein the information received by the security element about the first application includes one of the group of:
    - an identifier of the first application;
      
      an identifier of a second application stored at the host machine;
      
      an identifier of the host machine;
      
      an identifier of a user of the first application;
      
      a port number to which the attempted communication is intended to be assigned;
      
      state information about the first application; and
      
      the type of information meant to be conveyed by the attempted communication.

12. A medium storing instructions adapted to be executed by a processor to perform steps including:
- detecting an attempt to communicate between a first application executing on a host machine and an external application;
  
  determining information about the attempted communication; and
  
  sending a message to at least one security element, wherein the contents of the message are based upon the information determined about the attempted communication.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The medium of claim 12, wherein the instructions are adapted to be executed by a processor in a trusted environment.
  - 14. The medium of claim 12, wherein the instructions are tamper-resistant.
  - 15. The medium of claim 12, wherein the information determined about the attempted communication includes at least one from the group of:
    - information useful for identifying the first application;
      
      information useful for identifying the external application;
      
      information useful for identifying a second application executing on the host machine;
      
      information useful for identifying the host machine;
      
      a user identifier;
      
      a port number to which the communication is intended to be assigned;
      
      information about the state of the first application;
      
      information about the state of the second application; and
      
      the type of information to be conveyed by the communication between the first application and the external application.
  - 16. The medium of claim 12, wherein the security element includes one from the group of:
    - a firewall, a proxy server and a security policy server.

17. A method for regulating communications between a first application executing on a host machine and an external application executing on an external machine, including:
- receiving information about an attempted communication between the first application and the external application;
  
  making a security decision with respect to the attempted communication based upon the information received about the attempted communication; and
  
  performing a security action with respect to the attempted communication.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, wherein the information about the attempted communication is received from a trusted agent.
  - 19. The method of claim 17, wherein making the security decision includes determining if the attempted communication is to be permitted.
  - 20. The method of claim 17, wherein the security action includes permitting at least part of the attempted communication.
  - 21. The method of claim 17, wherein the security action includes blocking at least part of the attempted communication.
  - 22. The method of claim 17, wherein the security action includes sending a message to the trusted agent to permit or block at least part of the attempted communication.
  - 23. The method of claim 17, wherein the security action includes sending a message to a firewall to permit or block at least part of the attempted communication.
  - 24. The method of claim 17, wherein the security action includes sending a message to the first application to permit or block at least part of the attempted communication.
  - 25. The method of claim 17, wherein the security action includes sending a message to the external application to permit or block at least part of the attempted communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
RICHARDSON, John W., Chouinard, David A., Chouinard, Karen

Granted Patent

US 8,307,419 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

SYSTEM AND METHOD FOR REGULATING COMMUNICATIONS TO OR FROM AN APPLICATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR REGULATING COMMUNICATIONS TO OR FROM AN APPLICATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others