SECURE LABELING OF NETWORK FLOWS

US 20170310708A1
Filed: 04/22/2016
Published: 10/26/2017
Est. Priority Date: 04/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for managing network flows at an endpoint, computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;

generating a label for the network message, the label including information about a source of the network message on the endpoint;

cryptographically signing the label to provide a signed label verifying an identity of the endpoint;

adding the signed label to the header of the network message; and

transmitting the network message from the endpoint to the remote location through the data network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.

Citations

20 Claims

1. A computer program product for managing network flows at an endpoint, computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
  
  generating a label for the network message, the label including information about a source of the network message on the endpoint;
  
  cryptographically signing the label to provide a signed label verifying an identity of the endpoint;
  
  adding the signed label to the header of the network message; and
  
  transmitting the network message from the endpoint to the remote location through the data network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1 wherein the label includes an identifier for the application.
  - 3. The computer program product of claim 1 wherein the label includes an identifier for the endpoint.
  - 4. The computer program product of claim 1 wherein the label includes an identifier of a user of the process on the endpoint.
  - 5. The computer program product of claim 1 further comprising code that performs the step of encrypting information within the label.
  - 6. The computer program product of claim 1 wherein the label includes a health status of the endpoint.

7. A method for managing network flows at an endpoint, the method comprising:
- receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
  
  generating a label for the network message, the label including information about a source of the network message on the endpoint;
  
  encrypting the label with a cryptographic key, thereby providing an encrypted label;
  
  adding the encrypted label to the header of the network message; and
  
  transmitting the network message from the endpoint to the remote location through the data network.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the label includes an identifier for the application.
  - 9. The method of claim 7 wherein the label includes an identifier for the endpoint.
  - 10. The method of claim 7 wherein the label includes an identifier of a user of the process on the endpoint.
  - 11. The method of claim 7 wherein encrypting the label includes cryptographically signing the label.
  - 12. The method of claim 7 wherein the label includes a health status of the endpoint.

13. A system comprising:
- an endpoint including a network interface configured to couple the endpoint in a communicating relationship with a data network;
  
  a memory on the endpoint; and
  
  a processor on the endpoint, the processor configured to execute instructions stored in the memory to perform the steps of receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
  
  generating a label for the network message, the label including information about a source of the network message on the endpoint;
  
  encrypting the label with a cryptographic key, thereby providing an encrypted label;
  
  adding the encrypted label to the header of the network message; and
  
  transmitting the network message from the endpoint to the remote location through the data network.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13 wherein the label includes an identifier for the application.
  - 15. The system of claim 13 wherein encrypting the label includes cryptographically signing the label.

16. A method for managing network flows at a network device, the method comprising:
- receiving a network message from an endpoint at the network device, the network message including a source address for the endpoint, a destination address for an intended recipient of the network message, an encrypted label that identifies an application that generated the network message on the endpoint, and a payload of data;
  
  processing the network message on the network device to extract the label;
  
  decrypting the encrypted label with a cryptographic key to provide a decrypted label; and
  
  routing the network message based on the decrypted label.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein the encrypted label is signed to enable cryptographic verification of a source of the encrypted label.
  - 18. The method of claim 16 further comprising receiving an indication that the application is compromised and preventing routing of additional network traffic for the application through the network device.
  - 19. The method of claim 16 further comprising detecting an absence of an expected heartbeat from the endpoint for the application and preventing routing of additional network traffic for the application through the network device until the expected heartbeat is received.
  - 20. The method of claim 16 wherein the network device includes at least one of a gateway, a firewall, a router, and a threat management facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Schiappa, Daniel Salvatore, Thomas, Andrew J., Ray, Kenneth D., Levy, Joseph H.

Granted Patent

US 10,938,781 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

SECURE LABELING OF NETWORK FLOWS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE LABELING OF NETWORK FLOWS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links