FILTERING NETWORK DATA TRANSFERS

US 20150237012A1
Filed: 05/03/2015
Published: 08/20/2015
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computing system provisioned with a plurality of packet-filtering rules, a first packet and a second packet;

responsive to a determination by the computing system that the first packet comprises data corresponding to a transport layer security (TLS)-version value for which one or more packet-filtering rules of the plurality of packet-filtering rules indicate packets should be forwarded toward their respective destinations, forwarding, by the computing system, the first packet toward its destination; and

responsive to a determination by the computing system that the second packet comprises data corresponding to a TLS-version value for which the one or more packet-filtering rules indicate packets should be blocked from continuing toward their respective destinations, dropping, by the computing system, the second packet.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

66 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a computing system provisioned with a plurality of packet-filtering rules, a first packet and a second packet;
  
  responsive to a determination by the computing system that the first packet comprises data corresponding to a transport layer security (TLS)-version value for which one or more packet-filtering rules of the plurality of packet-filtering rules indicate packets should be forwarded toward their respective destinations, forwarding, by the computing system, the first packet toward its destination; and
  
  responsive to a determination by the computing system that the second packet comprises data corresponding to a TLS-version value for which the one or more packet-filtering rules indicate packets should be blocked from continuing toward their respective destinations, dropping, by the computing system, the second packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising:
    - receiving, by the computing system, a plurality of packets comprising a first portion of packets and a second portion of packets, the first portion comprising the first packet and the second packet;
      
      applying, by the computing system and to each packet in the first portion of packets, at least one of the one or more packet-filtering rules to determine whether the packet should be forwarded by the computing system toward its destination or blocked by the computing system from continuing toward its destination; and
      
      determining, by the computing system, for each packet in the second portion of packets, and without applying the one or more packet-filtering rules, whether the packet should be forwarded by the computing system toward its destination or blocked by the computing system from continuing toward its destination.
  - 3. The method of claim 2, wherein:
    - determining, for each packet in the second portion of packets, whether the packet should be forwarded by the computing system toward its destination or blocked by the computing system from continuing toward its destination comprises applying, by the computing system and to each packet in the second portion of packets, one or more other packet-filtering rules of the plurality of packet-filtering rules; and
      
      applying the at least one of the one or more packet-filtering rules comprises applying, to each packet in the first portion of packets, the at least one of the one or more packet-filtering rules responsive to a determination by the computing system that the packet corresponds to one or more criteria specified by the one or more other packet-filtering rules.
  - 4. The method of claim 3, wherein applying the at least one of the one or more packet-filtering rules comprises applying, to each packet in the first portion of packets, the at least one of the one or more packet-filtering rules responsive to at least one of a determination by the computing system that the packet comprises a network address indicated by the one or more criteria, a determination by the computing system that the packet comprises a port number indicated by the one or more criteria, or a determination by the computing system that the packet comprises data corresponding to a protocol type indicated by the one or more criteria.
  - 5. The method of claim 1, comprising responsive to a determination by the computing system that the first packet comprises data corresponding to at least one of a hypertext transfer protocol (HTTP) PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method, applying, by the computing system and to the first packet, at least one of the one or more packet-filtering rules.
  - 6. The method of claim 1, comprising responsive to a determination by the computing system that the second packet comprises data corresponding to at least one of a hypertext transfer protocol (HTTP) PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method, applying, by the computing system and to the second packet, at least one of the one or more packet-filtering rules.
  - 7. The method of claim 1, comprising:
    - responsive to a determination by the computing system that the first packet comprises data associated with hypertext transfer protocol secure (HTTPS), applying, by the computing system and to the first packet, at least one of the one or more packet-filtering rules; and
      
      responsive to a determination by the computing system that the second packet comprises data associated with HTTPS, applying, by the computing system and to the second packet, at least one of the one or more packet-filtering rules.

8. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  receive data comprising a plurality of packet-filtering rules, a first packet, and a second packet;
  
  responsive to a determination that the first packet comprises data corresponding to a transport layer security (TLS)-version value for which one or more packet-filtering rules of the plurality of packet-filtering rules indicate packets should be forwarded toward their respective destinations, forward the first packet toward its destination; and
  
  responsive to a determination that the second packet comprises data corresponding to a TLS-version value for which the one or more packet-filtering rules indicate packets should be blocked from continuing toward their respective destinations, drop the second packet.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to:
    - receive a plurality of packets comprising a first portion of packets and a second portion of packets, the first portion comprising the first packet and the second packet;
      
      apply, to each packet in the first portion of packets, at least one of the one or more packet-filtering rules to determine whether the packet should be forwarded toward its destination or blocked from continuing toward its destination; and
      
      determine, for each packet in the second portion of packets, and without applying the one or more packet-filtering rules, whether the packet should be forwarded toward its destination or blocked from continuing toward its destination.
  - 10. The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system to:
    - apply, to each packet in the second portion of packets, one or more other packet-filtering rules of the plurality of packet-filtering rules to determine whether the packet should be forwarded toward its destination or blocked from continuing toward its destination; and
      
      for each packet in the first portion of packets, apply the at least one of the one or more packet-filtering rules responsive to determining that the packet corresponds to one or more criteria specified by the one or more other packet-filtering rules.
  - 11. The system of claim 10, wherein the instructions, when executed by the at least one processor, cause the system to, for each packet in the first portion of packets, apply the at least one of the one or more packet-filtering rules responsive to at least one of determining that the packet comprises a network address indicated by the one or more criteria, determining that the packet comprises a port number indicated by the one or more criteria, or determining that the packet comprises data corresponding to a protocol type indicated by the one or more criteria.
  - 12. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to apply at least one of the one or more packet-filtering rules to the first packet responsive to determining that the first packet comprises data corresponding to at least one of a hypertext transfer protocol (HTTP) PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method.
  - 13. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to apply at least one of the one or more packet-filtering rules to the second packet responsive to determining that the second packet comprises data corresponding to at least one of a hypertext transfer protocol (HTTP) PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method.
  - 14. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to:
    - apply at least one of the one or more packet-filtering rules to the first packet responsive to determining that the first packet comprises data associated with hypertext transfer protocol secure (HTTPS); and
      
      apply at least one of the one or more packet-filtering rules to the second packet responsive to determining that the second packet comprises data associated with HTTPS.

15. One or more non-transitory computer-readable media comprising instructions that when executed by one or more computing devices cause the one or more computing devices to:
- receive data comprising a plurality of packet-filtering rules, a first packet, and a second packet;
  
  responsive to a determination that the first packet comprises data corresponding to a transport layer security (TLS)-version value for which one or more packet-filtering rules of the plurality of packet-filtering rules indicate packets should be forwarded toward their respective destinations, forward the first packet toward its destination; and
  
  responsive to a determination that the second packet comprises data corresponding to a TLS-version value for which the one or more packet-filtering rules indicate packets should be blocked from continuing toward their respective destinations, drop the second packet.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - receive a plurality of packets comprising a first portion of packets and a second portion of packets, the first portion comprising the first packet and the second packet;
      
      apply, to each packet in the first portion of packets, at least one of the one or more packet-filtering rules to determine whether the packet should be forwarded toward its destination or blocked from continuing toward its destination; and
      
      determine, for each packet in the second portion of packets, and without applying the one or more packet-filtering rules, whether the packet should be forwarded toward its destination or blocked from continuing toward its destination.
  - 17. The one or more non-transitory computer-readable media of claim 16, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - apply, to each packet in the second portion of packets, one or more other packet-filtering rules of the plurality of packet-filtering rules to determine whether the packet should be forwarded toward its destination or blocked from continuing toward its destination; and
      
      for each packet in the first portion of packets, apply the at least one of the one or more packet-filtering rules responsive to determining that the packet corresponds to one or more criteria specified by the one or more other packet-filtering rules.
  - 18. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to, for each packet in the first portion of packets, apply the at least one of the one or more packet-filtering rules responsive to at least one of determining that the packet comprises a network address indicated by the one or more criteria, determining that the packet comprises a port number indicated by the one or more criteria, or determining that the packet comprises data corresponding to a protocol type indicated by the one or more criteria.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - apply at least one of the one or more packet-filtering rules to the first packet responsive to determining that the first packet comprises data corresponding to at least one of a hypertext transfer protocol (HTTP) PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method; and
      
      apply at least one of the one or more packet-filtering rules to the second packet responsive to determining that the second packet comprises data corresponding to at least one of an HTTP PUT method, an HTTP POST method, an HTTP DELETE method, or an HTTP CONNECT method.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - apply at least one of the one or more packet-filtering rules to the first packet responsive to determining that the first packet comprises data associated with hypertext transfer protocol secure (HTTPS); and
      
      apply at least one of the one or more packet-filtering rules to the second packet responsive to determining that the second packet comprises data associated with HTTPS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean

Granted Patent

US 9,160,713 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

FILTERING NETWORK DATA TRANSFERS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FILTERING NETWORK DATA TRANSFERS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links