METHOD AND APPARATUS FOR APPLICATION AWARENESS IN A NETWORK

US 20160380972A1
Filed: 09/12/2016
Published: 12/29/2016
Est. Priority Date: 02/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing a network policy on an application executing within a first context, the method comprising:

intercepting, by an agent executing in the first context, a network socket event request from the application before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the first context;

sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event, the request for the decision including application information comprising one or more of the following;

an application file name, an application executable hash, and an application identifier;

receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and

preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy. The agent blocks the network socket event from reaching the transport layer when the denial is received from the security server. In one embodiment, the method is implemented using a machine readable medium embodying software instructions executable by a computer.

5 Citations

20 Claims

1. A method for enforcing a network policy on an application executing within a first context, the method comprising:
- intercepting, by an agent executing in the first context, a network socket event request from the application before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the first context;
  
  sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event, the request for the decision including application information comprising one or more of the following;
  
  an application file name, an application executable hash, and an application identifier;
  
  receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and
  
  preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1,wherein the application identifier is based on data received from an interface of the transport layer on the first context.
  - 3. The method of claim 1, further comprising:
    - sending the network socket event request from the application in the first context to the transport layer in the first context.
  - 4. The method of claim 1,wherein the security module makes decisions on allowing or denying network socket events in multiple contexts.
  - 5. The method of claim 1, further comprising:
    - collecting statistics about data flow through the network socket of the first context;
      
      sending the statistics from the first context, to a data collection module that receives statistics about data flows through multiple network sockets of multiple contexts; and
      
      generating a report of the statistics about the data flows through the multiple network sockets of the multiple contexts.
  - 6. The method of claim 1, wherein the network event is any of:
    - opening the network socket, closing the network socket, and listening to the network socket.
  - 7. The method of claim 1, wherein the application identifier is based on at least a process identifier that identifies (i) a process created when an operating system loads and runs an executable file of the application, and (ii) the executable file of the application.
  - 8. The method of claim 1, wherein a transport layer interface located between the transport layer and the application intercepts the network socket event, and the transport layer interface is a Transport Driver Interface.
  - 9. The method of claim 1, wherein a transport layer interface located between the transport layer and the application intercepts the network socket event, and the transport layer is a Windows Filtering Platform.

10. A non-transitory computer-readable medium with computer readable instructions executable by a context, comprising:
- instructions that perform, intercepting, by an agent executing in the first context, a network socket event request from the application before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the first context;
  
  instructions that perform, sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event, the request for the decision including application information comprising one or more of the following;
  
  an application file name, an application executable hash, and an application identifier;
  
  instructions that perform, receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and
  
  instructions that perform, preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The non-transitory computer-readable medium of claim 10,wherein the application identifier is based on data received from an interface of the transport on the first context.
  - 12. The non-transitory computer-readable medium of claim 10, further comprising:
    - instructions sending the network socket event request from the application in the first context to the transport layer in the first context.
  - 13. The non-transitory computer-readable medium of claim 10, wherein the security module makes decisions on whether to allow or deny network socket events in multiple contexts.
  - 14. The non-transitory computer-readable medium of claim 10, wherein the network event is any of:
    - opening the network socket, closing the network socket, and listening to the network socket.
  - 15. The non-transitory computer-readable medium of claim 10, wherein a transport layer interface located between the transport layer and the application intercepts the network socket event, and the transport layer interface is one of a Transport Driver Interface or a Windows Filtering Platform.
  - 16. The non-transitory computer-readable medium of claim 12, further comprising:
    - instructions collecting statistics about data flow through the network socket of the first context; and
      
      instructions sending the statistics from the first context, to a data collection module that receives statistics about data flows through multiple network sockets of multiple contexts; and
      
      instructions generating a report of the statistics about the data flows through the multiple network sockets of the multiple contexts.

17. A computer system, comprising:
- a processor and memory with a context, the context executing;
  
  instructions that perform, intercepting, by an agent executing in the context, a network socket event request from the application before the network socket event request reaches a transport layer layer located between a network layer and the application in a network stack of the context;
  
  instructions that perform, sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event the request for the decision including application information;
  
  instructions that perform, receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and
  
  instructions that perform, preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the application information comprises one or more of the following:
    - an application file name, an application executable hash, and an application identifier.
  - 19. The system of claim 17, wherein the context further executes instructions that perform sending the network socket event request from the application in the context to the transport layer in the context.
  - 20. The system of claim 17, wherein a transport layer interface located between the transport layer and the application intercepts the network socket event, and the transport layer is one of a Transport Driver Interface or a Windows Filtering Platform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Feroz, Azeem, Chen, Binyuan, Chopra, Amit

Granted Patent

US 10,454,895 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/554   involving event detection a...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

METHOD AND APPARATUS FOR APPLICATION AWARENESS IN A NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR APPLICATION AWARENESS IN A NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links