FILE MANIFEST FILTER FOR UNIDIRECTIONAL TRANSFER OF FILES

US 20140020109A1
Filed: 01/23/2013
Published: 01/16/2014
Est. Priority Date: 07/16/2012
Status: Active Grant

First Claim

Patent Images

1. A manifest transfer engine comprising:

a send side configured to receive and store a file manifest table having a list of file characteristics from an administrator server, to receive a file from a user and compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list, to allow transfer of the file on an output;

a one-way data link having an input coupled to the output of the send side and an output, and configured to enforce unidirectional data flow only from the input to the output; and

a receive side having an input coupled to the output of the one-way data link and configured to receive files via the input.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A manifest transfer engine for a one-way file transfer system is disclosed. The manifest transfer engine comprises a send side, a receive side, and a one-way data link enforcing unidirectional data flow from the send side to the receive side. The send side receives and stores a file manifest table from an administrator server. The send side also receives a file from a user and compares it with the file manifest table. Transfer of the file to the receive side via the one-way data link is allowed only when there is a match between the file and the file manifest table. In an alternative embodiment, the receive side instead receives and stores the file manifest table from the administrator server and compares it with the file received from the send side via the one-way data link to determine whether to allow transfer of the file.

66 Citations

View as Search Results

60 Claims

1. A manifest transfer engine comprising:
- a send side configured to receive and store a file manifest table having a list of file characteristics from an administrator server, to receive a file from a user and compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list, to allow transfer of the file on an output;
  
  a one-way data link having an input coupled to the output of the send side and an output, and configured to enforce unidirectional data flow only from the input to the output; and
  
  a receive side having an input coupled to the output of the one-way data link and configured to receive files via the input.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The manifest transfer engine of claim 1, wherein the file manifest table comprises a list of registered hash numbers;
    - and wherein the send side compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 3. The manifest transfer engine of claim 2, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 4. The manifest transfer engine of claim 1, wherein the file manifest table is an ASCII text file.
  - 5. The manifest transfer engine of claim 2, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 6. The manifest transfer engine of claim 1, wherein the send side is further configured to apply a filter to the file manifest table upon receiving it from the administrator server and prior to storing it.
  - 7. The manifest transfer engine of claim 1, further comprising a USB interface configured to transfer the user file from a USB memory device coupled to the USB interface to the send side.
  - 8. The manifest transfer engine of claim 1, wherein the send side is further configured to delete or quarantine the user file if there is no match between the received file characteristic and the list of file characteristics in the file manifest table.
  - 9. The manifest transfer engine of claim 1, wherein the file manifest table is not accessible by the user transferring the file.

10. A system for one-way transfer of files, comprising:
- an administrator server configured to create and output a file manifest table having a list of file characteristics; and
  
  a manifest transfer engine comprising a send side, a receive side, and a one-way data link enforcing unidirectional data flow from the send side to the receive side;
  
  wherein the send side is configured to receive and store a file from a file source client, to receive and store the file manifest table, to compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list of file characteristics in the file manifest table, to transfer the file to the receive side via the one-way data link; and
  
  wherein the receive side is configured to forward received files to the file destination server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 11. The system of claim 10, wherein:
    - the administrator server and the file source client are located in a same network; and
      
      the send side of the manifest transfer engine receives the file manifest table from the administrator server and the file from the file source client via different dedicated TCP ports to prevent commingling of the file and the file manifest table during the transfer.
  - 12. The system of claim 10, wherein the administrator server and the file source client are located on different networks.
  - 13. The system of claim 10, further comprising a second one-way data link coupled between the administrative server and the send side of the manifest engine;
    - and wherein the administrator server is connected to an insecure network, and the send side of the manifest transfer engine receives the file manifest table from the administrator server via the second one-way data link.
  - 14. The system of claim 13, wherein the insecure network is a cloud network or the Internet.
  - 15. The system of claim 10, wherein the administrative server is further configured to create and output a second file manifest table having a second list of file characteristics and further comprising:
    - a second manifest transfer engine comprising a second send side, a second receive side, and a second one-way data link enforcing unidirectional data flow from the second send side to the second receive side; and
      
      wherein the second send side is configured to receive and store a file from a second file source client, to receive and store the second manifest filter table, to compare an identifying characteristic of the received file with the second list of file characteristics in the second file manifest table, and, only if there is a match between the received file characteristic and an entry in the second list of file characteristics in the second file manifest table, to transfer the file to the second receive side via the second one-way data link; and
      
      wherein the second receive side is configured to forward received files to the second file destination server.
  - 16. The system of claim 10, wherein the file manifest table comprises a list of registered hash numbers;
    - and wherein the send side compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 17. The system of claim 16, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 18. The system of claim 10, wherein the file manifest table is an ASCII text file.
  - 19. The system of claim 16, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 20. The system of claim 10, wherein the send side is further configured to apply a filter to the file manifest table upon receiving it from the administrator server and prior to storing it.
  - 21. The system of claim 10, wherein the send side is further configured to delete or quarantine the user file if there is no match between the received file characteristic and the list of file characteristics in the file manifest table.

22. A method of file manifest filtering for file transfer across a one-way data link, comprising the steps of:
- maintaining a file manifest table containing a list of file characteristics;
  
  receiving a file from a user;
  
  computing an identifying characteristic for the received file;
  
  comparing the computed characteristic with the list of file characteristics in the file manifest table; and
  
  transferring the file across a one-way data link only if there is a match between the computed and an entry in the list of file characteristics in the file manifest table.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The method of claim 22, further comprising the step of deleting the received file if there is no match between the computed characteristic and an entry in the list of file characteristics in the file manifest table.
  - 24. The method of claim 22, further comprising the step of quarantining the file if there is no match between the computed characteristic and an entry in the list of file characteristics in the file manifest table.
  - 25. The method of claim 22, wherein the step of maintaining a file manifest table comprises:
    - receiving the file manifest table from an administrator server;
      
      applying a filter to the received file manifest table; and
      
      storing the received file manifest table if validated by the filter.
  - 26. The method of claim 22, wherein the step of maintaining a file manifest table comprises receiving the file manifest table from an administrative server via a second one-way data link.
  - 27. The method of claim 22, wherein the computed characteristic comprises a file hash number and wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 28. The method of claim 22, wherein the file manifest table is an ASCII text file.
  - 29. The method of claim 27, wherein the computed characteristic comprises a file hash number and wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 30. The method of claim 22, wherein the step of receiving a file from a user comprises downloading the file from a USB memory device.

31. A manifest transfer engine comprising:
- a send side configured to receive a file from a user and transfer the user file on an output;
  
  a one-way data link having an input coupled to the output of the send side and an output and configured to enforce unidirectional data flow from the input to the output; and
  
  a receive side having an input coupled to the output of the one-way data link and configured to receive and store a file manifest table having a list of file characteristics from an administrator server, to receive the user file on the input and to compare an identifying characteristic of the received user file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list, to allow release of the received user file.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The manifest transfer engine of claim 31, wherein the file manifest table comprises a list of registered hash numbers;
    - and wherein the receive side compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 33. The manifest transfer engine of claim 32, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 34. The manifest transfer engine of claim 31, wherein the file manifest table is an ASCII text file.
  - 35. The manifest transfer engine of claim 32, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 36. The manifest transfer engine of claim 31, wherein the receive side is further configured to apply a filter to the file manifest table upon receiving it from the administrator server and prior to storing it.
  - 37. The manifest transfer engine of claim 31, further comprising a USB interface configured to transfer the user file from a USB memory device coupled to the USB interface to the send side.
  - 38. The manifest transfer engine of claim 31, wherein the receive side is further configured to delete or quarantine the file if there is no match between the received file characteristic and the list of file characteristics in the file manifest table.
  - 39. The manifest transfer engine of claim 31, wherein the file manifest table is not accessible by the user transferring the file.

40. A system for one-way transfer of files, comprising:
- an administrator server configured to create and output a file manifest table having a list of file characteristics; and
  
  a manifest transfer engine comprising a send side, a receive side, and a one-way data link enforcing unidirectional data flow from the send side to the receive side;
  
  wherein the send side is configured to receive a file from a file source client and forward the received file to the receive side via the one-way data link; and
  
  wherein the receive side is configured to receive and store a file from the one-way data link, to receive and store the file manifest table, to compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list of file characteristics in the file manifest table, to transfer the file to a file destination server.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 41. The system of claim 40, wherein:
    - the administrator server and the file source client are located in a same network; and
      
      the receive side of the manifest transfer engine receives the file manifest table from the administrator server and the file from the file source client via different dedicated TCP ports to prevent commingling of the file and the file manifest table during the transfer.
  - 42. The system of claim 40, wherein the administrator server and the file source client are located in different networks.
  - 43. The system of claim 40, further comprising a second one-way data link coupled between the administrative server and the receive side of the manifest engine;
    - and wherein the administrator server is connected to an insecure network, and the receive side of the manifest transfer engine receives the file manifest table from the administrator server via the second one-way data link.
  - 44. The system of claim 43, wherein the insecure network is a cloud network or the Internet.
  - 45. The system of claim 40, wherein the administrative server is further configured to create and output a second file manifest table having a second list of file characteristics and further comprising:
    - a second manifest transfer engine comprising a second send side, a second receive side, and a second one-way data link enforcing unidirectional data flow from the second send side to the second receive side, andwherein the second send side is configured to receive a file from a second file source client and forward the received file to the second receive side via the second one-way data link; and
      
      wherein the second receive side is configured to receive and store a file from the second one-way data link, to receive and store the second file manifest table, to compare an identifying characteristic of the received file with the second list of file characteristics in the second file manifest table, and, only if there is a match between the received file characteristic and an entry in the second list of file characteristics in the second file manifest table, to transfer the file to a second file destination server.
  - 46. The system of claim 40, wherein the file manifest table comprises a list of registered hash number;
    - and wherein the receive side compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 47. The system of claim 46, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 48. The system of claim 40, wherein the file manifest table is an ASCII text file.
  - 49. The system of claim 46, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 50. The system of claim 40, wherein the receive side is further configured to apply a filter to the file manifest table upon receiving it from the administrator server and prior to storing it.
  - 51. The system of claim 40, wherein the receive side is further configured to delete or quarantine the file if there is no match between the received file characteristic and the list of file characteristics in the file manifest table.

52. A method of file manifest filtering for file transfer across a one-way data link, comprising the steps of:
- maintaining a file manifest table containing a list of file characteristics;
  
  receiving a file from a user;
  
  transferring the file across the one-way data link;
  
  computing an identifying characteristic for the transferred file;
  
  comparing the computed characteristic with the list of file characteristics in the file manifest table; and
  
  releasing the file to a recipient only if there is a match between the computed characteristic for the transferred file and an entry in list of file characteristics in the file manifest table.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60)
- - 53. The method of claim 52, further comprising the step of deleting the file if there is no match between the computed characteristic and an entry in list of file characteristics in the file manifest table.
  - 54. The method of claim 52, further comprising the step of quarantining the file if there is no match between the computed characteristic and an entry in list of file characteristics in the file manifest table.
  - 55. The method of claim 52, wherein the step of maintaining a file manifest table comprises:
    - receiving the file manifest table from an administrator server;
      
      applying a filter to the received file manifest table; and
      
      storing the received file manifest table if validated by the filter.
  - 56. The method of claim 52, wherein the step of maintaining a file manifest table comprises receiving the file manifest table from an administrative server via a second one-way data link.
  - 57. The method of claim 52, wherein the computed characteristic comprises a file hash number and wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of MD5 128-bit checksum, SHA 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 58. The method of claim 52, wherein the file manifest table is an ASCII text file.
  - 59. The method of claim 57, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 60. The method of claim 52, wherein the step of receiving a file from a user comprises transferring the file from a USB memory device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OWL Cyber Defense Solutions LLC
Original Assignee
Owl Computing Technologies, Inc.
Inventors
Mraz, Ronald, Hope, James

Granted Patent

US 9,736,121 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/0428 wherein the data content is...

FILE MANIFEST FILTER FOR UNIDIRECTIONAL TRANSFER OF FILES

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

FILE MANIFEST FILTER FOR UNIDIRECTIONAL TRANSFER OF FILES

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links