FILTERING NETWORK DATA TRANSFERS

US 20180123955A1
Filed: 06/06/2017
Published: 05/03/2018
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computing system comprising memory and at least one processor, a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;

determining, based on a packet header field value, whether each packet of the plurality of packets comprises data corresponding to criteria specified by one or more packet-filtering rules;

responsive to a determination by the computing system that a packet header field value of the first portion of packets comprises data corresponding to criteria specified by the one or more packet-filtering rules configured to prevent a particular type of data transfer applying, by the computing system and to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer;

determining, based on an application header field value, whether the second portion of packets comprises data corresponding to criteria specified by one or more operators specified by the one or more packet-filtering rules; and

responsive to determining that the second portion of packets comprises data corresponding to the criteria specified by one or more operators, applying, by the computing system and to each packet in the second portion of packets, at least one packet transformation function configured to allow or block each packet in the second portion of packets from continuing toward its respective destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

17 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a computing system comprising memory and at least one processor, a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  determining, based on a packet header field value, whether each packet of the plurality of packets comprises data corresponding to criteria specified by one or more packet-filtering rules;
  
  responsive to a determination by the computing system that a packet header field value of the first portion of packets comprises data corresponding to criteria specified by the one or more packet-filtering rules configured to prevent a particular type of data transfer applying, by the computing system and to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer;
  
  determining, based on an application header field value, whether the second portion of packets comprises data corresponding to criteria specified by one or more operators specified by the one or more packet-filtering rules; and
  
  responsive to determining that the second portion of packets comprises data corresponding to the criteria specified by one or more operators, applying, by the computing system and to each packet in the second portion of packets, at least one packet transformation function configured to allow or block each packet in the second portion of packets from continuing toward its respective destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the first portion of packets comprises a packet header field value indicating a protocol type associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a protocol type not associated with the particular type of data transfer.
  - 3. The method of claim 1, wherein:
    - the first portion of packets comprises data indicating a first destination port number associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a second destination port number not associated with the particular type of data transfer.
  - 4. The method of claim 1, wherein the application header field value identifies one or more hypertext transfer protocol (HTTP) methods, wherein the second portion of packets comprise a plurality of HTTP packets, wherein the second portion of packets comprises a third portion of packets and a fourth portion of packets, and wherein each packet of the third portion of packets comprises at least one GET method value, and each packet of the fourth portion of packets comprises at least one of a PUT method value, a POST method value, or a CONNECT method value, the method further comprising:
    - allowing each packet of the third portion of packets to continue toward its respective destination; and
      
      blocking each packet of the fourth portion of packets from continuing toward its respective destination.
  - 5. The method of claim 1, the method further comprising:
    - allowing, based on a determination that the application header field value indicates a request for specified resource data, each packet of the second portion of packets indicating a request for specified resource data to continue toward its respective destination; and
      
      blocking, based on a determination that the application header field value indicates a request to submit data to be processed by a specified resource, each packet of the second portion of packets indicating a request to submit data to be processed by the specified resource from continuing toward its respective destination.
  - 6. The method of claim 1, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular transport layer security (TLS) version value.
  - 7. The method of claim 1, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular real-time transport protocol value.

8. An apparatus comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the apparatus to;
  
  receive a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  determine, based on a packet header field value, whether the plurality of packets comprises data corresponding to criteria specified by one or more packet-filtering rules;
  
  responsive to a determination that a packet header field value of the first portion of packets comprises data corresponding to criteria specified by the one or more packet-filtering rules configured to prevent a particular type of data transfer, apply, to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer;
  
  determine, based on an application header field value, whether the second portion of packets comprises data corresponding to criteria specified by one or more operators specified by the one or more packet-filtering rules; and
  
  responsive to determining that the second portion of packets comprises data corresponding to the criteria specified by one or more operators, apply, to each packet in the second portion of packets, at least one packet transformation function configured to allow or block each packet in the second portion of packets from continuing toward its respective destination.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein:
    - the first portion of packets comprises a packet header field value indicating a protocol type associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a protocol type not associated with the particular type of data transfer.
  - 10. The apparatus of claim 8, wherein:
    - the first portion of packets comprises data indicating a first destination port number associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a second destination port number not associated with the particular type of data transfer.
  - 11. The apparatus of claim 8, wherein the application header field value identifies one or more hypertext transfer protocol (HTTP) methods, wherein the second portion of packets comprise a plurality of HTTP packets, wherein the second portion of packets comprises a third portion of packets and a fourth portion of packets, and wherein each packet of the third portion of packets comprising at least one GET method value, and each packet of the fourth portion of packets comprising at least one of a PUT method value, a POST method value, or a CONNECT method value, and wherein the instructions, when executed by the at least one processor cause the apparatus to:
    - allow each packet of the third portion of packets to continue toward its respective destination; and
      
      block each packet of the fourth portion of packets from continuing toward its respective destination.
  - 12. The apparatus of claim 8, wherein the instructions, when executed by the one or more computing devices, cause the apparatus to:
    - allow, based on a determination that the application header field value indicates a request for data from a specified resource, each packet of the second portion of packets indicating a request for data from a specified resource to continue toward its respective destination; and
      
      block, based on a determination that the application header field value indicates a request to submit data to be processed by a specified resource, each packet of the second portion of packets indicating a request to submit data to be processed by a specified from continuing toward its respective destination.
  - 13. The apparatus of claim 8, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular transport layer security (TLS) version value.
  - 14. The apparatus of claim 8, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular real-time transport protocol value.

15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more computing devices, cause the one or more computing devices to:
- receive a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  determine, based on a packet header field value, whether the plurality of packets comprises data corresponding to criteria specified by one or more packet-filtering rules;
  
  responsive to a determination that a packet header field value of the first portion of packets comprises data corresponding to criteria specified by the one or more packet-filtering rules configured to prevent a particular type of data transfer, apply, to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer;
  
  determine, based on an application header field value, whether the second portion of packets comprises data corresponding to criteria specified by one or more operators specified by the one or more packet-filtering rules; and
  
  responsive to determining that the second portion of packets comprises data corresponding to the criteria specified by one or more operators, apply, to each packet in the second portion of packets, at least one packet transformation function configured to allow or block each packet in the second portion of packets from continuing toward its respective destination.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein:
    - the first portion of packets comprises a packet header field value indicating a protocol type associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a protocol type not associated with the particular type of data transfer.
  - 17. The one or more non-transitory computer-readable media of claim 15, wherein:
    - the first portion of packets comprises data indicating a first destination port number associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a second destination port number not associated with the particular type of data transfer.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the application header field value identifies one or more hypertext transfer protocol (HTTP) methods, wherein the second portion of packets comprise a plurality of HTTP packets, wherein the second portion of packets comprises a third portion of packets and a fourth portion of packets, and wherein each packet of the third portion of packets comprising at least one GET method value, and each packet of the fourth portion of packets comprising at least one of a PUT method value, a POST method value, or a CONNECT method value, and wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - allow each packet of the third portion of packets to continue toward its respective destination; and
      
      block each packet of the fourth portion of packets from continuing toward its respective destination.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular transport layer security (TLS) version value.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination that the first portion of packets comprises data corresponding to a particular real-time transport protocol value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean

Granted Patent

US 10,567,343 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

FILTERING NETWORK DATA TRANSFERS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FILTERING NETWORK DATA TRANSFERS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links