EVALUATING A QUESTIONABLE NETWORK COMMUNICATION

US 20130333038A1
Filed: 08/14/2013
Published: 12/12/2013
Est. Priority Date: 09/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system for controlling communication, comprising:

in a computing system, evaluating a network communication, by;

receiving a predefined white list of trusted network addresses that does not include addresses for any unauthenticated network nodes and that includes, for each trusted network address, one or more indications of allowable communication properties;

determining a first internet protocol (IP) address corresponding to the network communication;

determining a first communication property that is associated with the network communication;

determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;

evaluating the network communication with respect the white list, by determining whether or not the first communication property is encompassed by the second communication property;

in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed; and

in response to determining that the first communication property is encompassed by the second communication property, setting an indicator that the network communication is allowed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Identifying a questionable network address from a network communication. In an embodiment, a network device receives an incoming or outgoing connection request, a web page, an email, or other network communication. An evaluation module evaluates the network communication for a corresponding network address, which may be for the source or destination of the network communication. The network address generally includes an IP address. The evaluation module determines one or more properties of the network communication, such as time of day, content type, directionality, or the like. The evaluation module then determines whether the properties match or are otherwise allowed based on properties specified in the white list in association with the IP address.

126 Citations

20 Claims

1. A method in a computing system for controlling communication, comprising:
- in a computing system, evaluating a network communication, by;
  
  receiving a predefined white list of trusted network addresses that does not include addresses for any unauthenticated network nodes and that includes, for each trusted network address, one or more indications of allowable communication properties;
  
  determining a first internet protocol (IP) address corresponding to the network communication;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
  
  evaluating the network communication with respect the white list, by determining whether or not the first communication property is encompassed by the second communication property;
  
  in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed; and
  
  in response to determining that the first communication property is encompassed by the second communication property, setting an indicator that the network communication is allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of an allowable geographic location, and further comprising:
    - determining, by querying a geo-location information provider, a geographic location associated with the first IP address; and
      
      determining whether the geographic location associated with the first IP address matches or is encompassed by the geographic location indicated as allowable by the entry in the white list.
  - 3. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of a program that is allowed to communicate via the network address, and further comprising:
    - determining a communicating program that is executing on the computing system and that is participating in the network communication; and
      
      determining whether the communicating program matches the program indicated as allowable by the entry in the white list.
  - 4. The method of claim 3, wherein the indication of the program includes a program name and/or a hash of the program code.
  - 5. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of allowable access times, and further comprising:
    - determining a time at which the network communication is occurring; and
      
      determining whether the determined time matches or is encompassed by the access times indicated as allowable by the entry in the white list.
  - 6. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of an allowable user, and further comprising:
    - determining a user associated with the network communication; and
      
      determining whether the determined user matches or is encompassed by the user indicated as allowable by the entry in the white list.
  - 7. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of an allowable data type, and further comprising:
    - determining a data type corresponding to data transferred via the network connection; and
      
      determining whether the determined data type matches the data type indicated as allowable by the entry in the white list.
  - 8. The method of claim 7, wherein the white list includes indications of multiple allowable data types, including executable code, script, macro, audio, video, image, and text.
  - 9. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of whether non-interactive programs are allowed to communicate via the network address, and further comprising:
    - determining a communicating program that is executing on the computing system and that is participating in the network communication; and
      
      determining whether the communicating program is operating in interactive or non-interactive mode.
  - 10. The method of claim 1, further comprising evaluating authenticity of an email message having a RECEIVED header field that is inserted by a recipient SMTP server and a FROM header field specifying a source email address that is inserted at a sender system, by:
    - determining the first IP address based on the RECEIVED header field;
      
      determining a second IP address by performing a domain name lookup based on the source email address; and
      
      determining whether the first and second IP addresses match, and if not, setting an indication that the email message has a forged source address.
  - 11. The method of claim 1, further comprisingreceiving from a TCP/IP stack of the computing system the first IP address and a port number;
    - receiving a uniform resource locator (URL)/uniform resource identifier (URI) associated with the network communication;
      
      determining a first name associated with the first IP address, by querying the first IP address received from the TCP/IP stack against an assignment database that associates owner names with IP addresses;
      
      determining a second name associated with the URL/URI, by querying a domain name of the URL/URI associated with the network resource against an assignment database that associates owner names with domain names; and
      
      setting an indicator that a communication operation is allowed or not allowed based on the whether the first IP address and port number are included in the predefined white list of trusted network addresses and on whether the first name matches the second name.
  - 12. The method of claim 1, wherein the network communication is initiated via an incoming TCP/IP connection request.
  - 13. The method of claim 1, wherein the network communication is initiated via an outgoing TCP/IP connection request.
  - 14. The method of claim 1, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of allowable user and access control, and further comprising:
    - determining a user associated with the network communication;
      
      determining a user access control privilege associated with the network communication;
      
      determining a user IP address and/or port number; and
      
      determining whether the determined user, user access control privilege, and user IP address/port number matches or is encompassed by the entry in the white list.
  - 15. A non-transitory computer readable medium, comprising executable instructions for causing a computing device to perform the method of claim 1.

16. A system for controlling communication, comprising:
- a communication interface for communication with a network resource, the communication interface including a TCP/IP stack;
  
  a memory for storing instructions; and
  
  a processor in communication with the communication interface and with the memory, wherein the processor is configured to evaluate a network communication, by;
  
  receiving a predefined white list of trusted network addresses that does not include addresses for any unauthenticated network nodes and that includes, for each trusted network address, one or more indications of allowable communication properties;
  
  determining a first internet protocol (IP) address corresponding to the network communication;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
  
  evaluating the network communication with respect the white list, by determining whether or not the first communication property is encompassed by the second communication property;
  
  in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed; and
  
  in response to determining that the first communication property is encompassed by the second communication property, setting an indicator that the network communication is allowed.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the network communication occurs within an internal network, and wherein the first IP address is an IP address of the internal network.
  - 18. The system of claim 16, wherein the processor further configured to:
    - retrieve from the white list a first domain name associated with the first IP address;
      
      retrieve from a domain name server a second domain name associated with the first IP address; and
      
      evaluate the network communication based on a comparison of the first and second domain names.
  - 19. The system of claim 16, wherein the processor is further configured to:
    - based on the evaluation of the network communication, set the indicator to one of the following;
      
      the communication operation is not allowed;
      
      a warning is to be provided prior to allowing the communication operation; and
      
      an instruction is needed from a user to determine whether the communication operation is allowed.
  - 20. The system of claim 16, wherein the first IP address is an IP address associated with a customer computing device, and wherein evaluating the network communication includes:
    - determining whether the first IP address is associated by the white list with an identifier that corresponds to the customer; and
      
      determining whether a geographic location associated with the first IP address is encompassed by a geographic location that is associated by the white list with the first IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daniel Chien
Original Assignee
Daniel Chien
Inventors
Chien, Daniel

Granted Patent

US 9,015,090 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/645   using a third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

EVALUATING A QUESTIONABLE NETWORK COMMUNICATION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EVALUATING A QUESTIONABLE NETWORK COMMUNICATION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links