Data scanning network security technique

US 6,119,231 A
Filed: 10/31/1997
Issued: 09/12/2000
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. In a computer network configured to receive data, a method of checking data as the data is received and before the data is transmitted to a node on the computer network, the method including the steps of:

determining whether an external source is attempting to establish a mail connection with a computer network wherein the computer network is receptive to one or more recognized protocols;

receiving the data from the external source;

determining whether the data from the external source is formatted according to one of the recognized protocols;

scanning the data for acceptable content and format as determined by a rule set established by one of the recognized protocols such that the data is scanned in subdivisions set by a recognized protocol as the data is received by the computer network;

determining whether the data is passed to a node on the computer network;

translating the data before transmitting it to the node on the computer network; and

transmitting the data to the node on the computer network soon after the data is scanned.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for providing enhanced computer network security by scanning data, specifically electronic mail messages, sent to the network before the data is received and transmitted by the network'"'"'s mail server. An e-mail message is received by a computer network configured to receive data and is checked as the data is received and before it is transmitted to a node on the computer network. The method includes determining whether an external source is attempting to establish a mail connection with the computer network configured to include a data scanning device that recognizes one or more data transfer protocols. Once the data is received the data scanning device begins evaluating the data by first determining whether the data is formatted according to one of the recognized protocols. The data scanning device begins scanning the data for acceptable content and format according to a rule set established by one of the recognized protocols. This is done at the same time as the data is received by the data scanning device. It is then determined whether the data should be sent to its destination on the computer network. If necessary, the data is translated before being passed to its destination on the computer network.

Citations

46 Claims

1. In a computer network configured to receive data, a method of checking data as the data is received and before the data is transmitted to a node on the computer network, the method including the steps of:
- determining whether an external source is attempting to establish a mail connection with a computer network wherein the computer network is receptive to one or more recognized protocols;
  
  receiving the data from the external source;
  
  determining whether the data from the external source is formatted according to one of the recognized protocols;
  
  scanning the data for acceptable content and format as determined by a rule set established by one of the recognized protocols such that the data is scanned in subdivisions set by a recognized protocol as the data is received by the computer network;
  
  determining whether the data is passed to a node on the computer network;
  
  translating the data before transmitting it to the node on the computer network; and
  
  transmitting the data to the node on the computer network soon after the data is scanned.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A method as recited in claim 1 wherein the external source is the publicly accessible world-wide computer network known as the Internet.
  - 3. A method as recited in claim 1 wherein the recognized protocols include SMTP, ICMP, FTP, and H.323.
  - 4. A method as recited in claim 1 wherein the step of determining whether the data from the external source is formatted according to one of the recognized protocols further includes the step of rejecting the data if the data is not formatted according to one of the recognized protocols.
  - 5. A method as recited in claim 4 further including the step of sending a rejection message to a source if the protocol is not one of the recognized protocols.
  - 6. A method as recited in claim 1 wherein the node on the computer network is a mail server.
  - 7. A method as recited in claim 1 wherein the step of determining whether the data should be transmitted to a node on the computer network further includes the step of passing the data to the node if a command contained within the data is acceptable.
  - 8. A method as recited in claim 1 wherein the step of scanning the data for acceptable content and format further includes the step of beginning the scan by searching for a command.
  - 9. A method as recited in claim 1 wherein the step of determining whether the data is passed to a node on the computer network further includes the step of passing the data to the node if the data has acceptable content and format.
  - 10. A method as recited in claim 1 wherein the step of translating the data before passing it to a node on the computer network is performed as the data is received.
  - 11. A method as recited in claim 1 wherein the step of receiving the data from the external source further includes the step of determining a port address to which the data is being sent.
  - 12. A method as recited in claim 1 wherein the step of scanning the data further includes the step of separating the data into portions wherein a portion of the data includes message-data or a plurality of commands.
  - 13. A method as recited in claim 12 wherein a command is a flag.
  - 14. A method as recited in claim 1 wherein the step of scanning the data further includes the step of pausing the scan when a message-data portion is detected and resuming the scan when a command portion is detected.
  - 15. A method as recited in claim 14 wherein the step of resuming the data scan further includes the step of detecting an end-of-data receipt from a node on the computer network indicating that the message-data portion has been received.
  - 16. A method as recited in claim 1 wherein the rule set is set according to the Simple Mail Transfer Protocol and includes a HELO command, a MAIL command, a RCPT command, a NOOP command, a QUIT command, a DATA command, and a RSET command.
  - 17. A method as recited in claim 16 wherein the rule set further includes a group of special characters.
  - 18. A method as recited in claim 16 wherein the step of translating the data further includes the step of replacing a command not contained within the rule set with the NOOP command.
  - 19. A method as recited in claim 1 wherein the step of scanning the data further includes the step of using a string compare instruction.

20. A data security apparatus for use in a computer network for checking data as the data is received and before the data is transmitted to a node on the computer network, the apparatus comprising:
- a mail detector for determining whether an external source is attempting to establish a mail connection with a computer network wherein the computer network is receptive to one or more recognized protocols;
  
  a data receiver for receiving data from the external source;
  
  a protocol evaluator for evaluating the protocol used by the external source in sending the data and for determining whether the data from the external source is formatted based on one or more of the recognized protocols;
  
  a data scanner for scanning the data for acceptable content and format as determined by a rule set established by one of the recognized protocols wherein the data is scanned in subdivisions set by the recognized protocol as the data is received by the computer network;
  
  a data translator for translating the data before it is passed to the node on the computer network;
  
  a device for determining whether the data should be transmitted to the node on the computer network; and
  
  a network data transmitter for transmitting the data to the node on the computer network soon after the data is scanned.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. A data security apparatus as recited in claim 20 wherein the recognized protocols acceptable to the protocol evaluator include SMTP, ICMP, FTP, and H.323.
  - 22. A data security apparatus as recited in claim 20 wherein the protocol evaluator further includes a data rejecter that rejects the data and sends a rejection message to a source if the protocol evaluator does not accept the protocol in which the data is being sent.
  - 23. A data security apparatus as recited in claim 20 wherein the data translator includes a data intake component that translates the data as the data is received by the data translator.
  - 24. A data security apparatus as recited in claim 20 wherein the mail detector further includes a port address detector for determining a port address to which the data is being sent.
  - 25. A data security apparatus as recited in claim 20 wherein the data scanner further includes a data separator for separating the data into portions of data such that a portion of data includes at least one of message-data and a command.
  - 26. A data security apparatus as recited in claim 20 wherein the data scanner further includes a scan pauser for pausing the data scanner when a message-data portion is detected and resuming the scan when a command portion is detected.
  - 27. A data security apparatus as recited in claim 20 wherein the data scanner further includes an end-of-data detector for detecting an end-of-data receipt from a node on the computer network indicating that the message-data portion has been received.

28. A data security apparatus for use in a computer network for checking data as the data is received and before the data is transmitted to a node on the computer network, the apparatus comprising:
- means for determining whether an external source is attempting to establish a mail connection with a computer network wherein the computer network is receptive to one or more recognized protocols;
  
  means for receiving the data from the external source;
  
  means for determining whether the data from the external source is formatted according to one of the recognized protocols;
  
  means for scanning the data for acceptable content and format as determined by a rule set established by one of the recognized protocols such that the data is scanned in subdivisions set by a recognized protocol as the data is received by the computer network;
  
  means for determining whether the data is passed to a node on the computer network;
  
  means for translating the data before transmitting the data to the node on the computer network; and
  
  means for transmitting the data to the node on the computer network such that the data is transmitted soon after the data is scanned.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. A data security apparatus as recited in claim 28 further comprising means for rejecting the data if the data is not formatted according to a recognized protocol.
  - 30. A data security apparatus as recited in claim 29 further comprising means for sending a rejection message to a source if the protocol is not a recognized protocol.
  - 31. A data security apparatus as recited in claim 28 further comprising means for passing the data to the node if a command contained within the data is acceptable.
  - 32. A data security apparatus as recited in claim 28 further comprising means for beginning the scan by searching for a command.
  - 33. A data security apparatus as recited in claim 28 further comprising means for passing the data to the node if the data has acceptable content and format.
  - 34. A data security apparatus as recited in claim 28 further comprising means for determining a port address to which the data is being sent.
  - 35. A data security apparatus as recited in claim 28 further comprising means for separating the data into portions wherein a portion of the data includes message-data or a plurality of commands.
  - 36. A data security apparatus as recited in claim 28 further comprising means for pausing the scan when a message-data portion is detected and resuming the scan when a command portion is detected.
  - 37. A data security apparatus as recited in claim 28 further comprising means for detecting an end-of-data receipt from a node on the computer network indicating that the message-data portion has been received.
  - 38. A data security apparatus as recited in claim 28 further comprising means for comparing character strings.

39. A computer-readable medium containing programmed instructions arranged to check data as the data is received and before the data is transmitted to a node in a computer network configured to receive data, the computer-readable medium including programmed instructions for:
- determining whether an external source is attempting to establish a mail connection with a computer network wherein the computer network is receptive to one or more recognized protocols;
  
  receiving the data from the external source;
  
  determining whether the data from the external source is formatted according to one of the recognized protocols;
  
  scanning the data for acceptable content and format as determined by a rule set established by one of the recognized protocols such that the data is scanned in subdivisions set by a recognized protocol as the data is received by the computer network;
  
  determining whether the data is passed to a node on the computer network;
  
  translating the data before transmitting it to a node on the computer network; and
  
  transmitting the data to the node on the computer network soon after the data is scanned.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. A computer-readable medium as recited in claim 39, wherein the programmed instructions for determining whether the data from the external source is formatted according to one of the recognized protocols further comprises programmed instructions for rejecting the data if the data is not formatted according to one of the recognized protocols.
  - 41. A computer-readable medium as recited in claim 39, wherein the programmed instructions for determining whether the data should be transmitted to a node on the computer network further comprises programmed instructions for passing the data to the node if a command contained within the data is acceptable.
  - 42. A computer-readable medium as recited in claim 39, wherein the programmed instructions for scanning the data for acceptable content and format further comprises programmed instructions for beginning the scan by searching for a command.
  - 43. A method as recited in claim 39 wherein the programmed instructions for determining whether the data is passed to a node on the computer network further comprises programmed instructions for passing the data to the node if the data has acceptable content and format.
  - 44. A method as recited in claim 39 wherein the programmed instructions for translating the data before passing it to a node on the computer network further comprises programmed instructions for performing the translation as the data is received.
  - 45. A method as recited in claim 39 wherein the programmed instructions for scaning the data further comprises programmed instructions for pausing the scan when a message-data portion is detected and resuming the scan when a command portion is detected.
  - 46. A method as recited in claim 45 wherein the programmed instructions for resuming the data scan further comprises programmed instructions for detecting an end-of-data receipt from a node on the computer network indicating that the message-data portion has been received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wu, Johnson, Lowe, Ricky K., Foss, Andrew L.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US08/962,045
Time in Patent Office

1,047 Days
Field of Search

713/200, 713/201, 713/202, 380/3, 380/4, 380/25, 709/206, 709/229, 714/26, 714/39
US Class Current

726/14
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Data scanning network security technique

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Data scanning network security technique

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links