Methods, software, and apparatus for secure communication over a computer network

US 6,192,477 B1
Filed: 02/02/1999
Issued: 02/20/2001
Est. Priority Date: 02/02/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of performing secure communication between a first computer under a user'"'"'s control and a second remote computer over a computer network to maintain the integrity of data stored on said first computer, said method comprising the steps of:

a. partitioning the data space of said first computer into a first secure portion and a second network interface portion;

b. establishing communication between said first and said second computers over said computer network;

c. initializing a redirection mechanism and a filter mechanism on said first computer;

d. receiving an instruction or data on said first computer;

e. if an instruction is received on said first computer, then analyzing said instruction or data with said redirection mechanism and passing said instruction to said filter mechanism if said instruction is a protected instruction;

f. verifying said protected instruction using said filter mechanism; and

g. processing said protected instruction using said second network interface portion if said protected instruction is verified successfully by said filter mechanism.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for performing secure communication between a first user'"'"'s computer and second remote computer over a computer network is described. According to one embodiment of this aspect, the data space of the first computer is partition into a first secure portion and a second network interface portion. Communication is established between the first and a second computer, and redirection and filter mechanisms are initialized. An instruction is received by the first computer, analyzed by the redirection mechanism, and passed to the filter if the instruction is a protected instruction. The protected instruction is verified by the filter and processed if the verification is successful.

86 Citations

View as Search Results

33 Claims

1. A method of performing secure communication between a first computer under a user'"'"'s control and a second remote computer over a computer network to maintain the integrity of data stored on said first computer, said method comprising the steps of:
- a. partitioning the data space of said first computer into a first secure portion and a second network interface portion;
  
  b. establishing communication between said first and said second computers over said computer network;
  
  c. initializing a redirection mechanism and a filter mechanism on said first computer;
  
  d. receiving an instruction or data on said first computer;
  
  e. if an instruction is received on said first computer, then analyzing said instruction or data with said redirection mechanism and passing said instruction to said filter mechanism if said instruction is a protected instruction;
  
  f. verifying said protected instruction using said filter mechanism; and
  
  g. processing said protected instruction using said second network interface portion if said protected instruction is verified successfully by said filter mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said step of partitioning includes determining which data and instructions maintained in said secure portion of said data space of said first computer are necessary for performing said communication between said first and said second computers and copying said files to said network interface portion.
  - 3. The method of claim 2, further including the step of disconnecting said first computer from said computer network and comparing the files stored in said network interface portion of said data space with files stored in said first secure portion.
  - 4. The method of claim 3, further including the step of restoring any files that were changed during said communication to their original state.
  - 5. The method of claim 1, further including the step of passing said instruction to the operating system of said first computer if said instruction is not a protected instruction.
  - 6. The method of claim 1, further including the step of notifying said user of said first computer that said received instruction is a protected instruction.
  - 7. The method of claim 6, further including the step of providing said user an option to allow execution of said protected instruction.
  - 8. The method of claim 7, further including the step of disallowing said received instruction if said received instruction is not verified by said filter mechanism.
  - 9. The method of claim 1, further including the step of disallowing said received instruction if said received instruction is not verified by said filter mechanism.
  - 10. The method of claim 1, wherein said step of partitioning further includes the sub-step of tagging or marking data and instructions associated with said data space of said first computer.
  - 11. The method of claim 10, wherein said step of verifying further includes the step of determining whether said instruction or data is tagged or marked.
  - 12. The method of claim 1, wherein said step of receiving an instruction or data further includes the sub-step of tagging or marking said instruction or data received by said first computer.
  - 13. The method of claim 12, wherein said step of verifying further includes the step of determining whether said received data or instruction is tagged or marked.

14. A system for performing secure communication between a first computer containing secure data in a data space associated with said first computer and a second remote computer over a computer network, said system comprising:
- a. a first data space partition configured to store data such that said data cannot be modified during said communication between said first and second computers;
  
  b. a second data space partition configured to store data to enable communication between said first and second computers over said network;
  
  c. a redirection mechanism configured to receive data and instructions from said second computer over said computer network, said redirection mechanism being configured to determine whether said received data and instructions include instructions to perform protected operations;
  
  said redirection mechanism being coupled with d. a filter mechanism configured to receive said instructions to perform protected operation from said redirection mechanism and verify said instructions.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein said second data space partition includes images of files stored in said first data space partition, said images including operating system files for enabling images of executable files stored in said second data space partition to function.
  - 16. The system of claim 15, wherein said filter is further coupled to forward verified instructions to said images to execute said verified instructions in said second data space partition.
  - 17. The system of claim 16, wherein the operating system of said first computer is stored in said first data space partition, and said redirection mechanism is further coupled with said operating system such that non-protected instructions can be passed from said redirection mechanism to said operating system directly.
  - 18. The system of claim 15, further including a comparator configured to compare files stored in said first data space partition with image files stored in said second data space partition to determine if said image files have been altered.
  - 19. The system of claim 14, wherein said filter mechanism is further configured to abort protected instructions that are not verified.
  - 20. The system of claim 19, wherein said filter mechanism is further configured to alert said user to a non-verified instruction and wherein said system further includes an override mechanism configured to allows said user to enable the execution of said non-verified instruction and cancel said abortion of said non-verified instruction.

21. A computer-readable medium having computer-readable program code devices embodied thereon, said computer-readable program code devices being configured to cause a computer to perform the steps of:
- a. partitioning the data space of said first computer into a first secure portion and a second network interface portion;
  
  b. establishing communication between said first and said second computers over said computer network;
  
  c. initializing a redirection mechanism and a filter mechanism on said first computer;
  
  d. receiving an instruction or data on said first computer;
  
  e. if an instruction is received on said first computer, then analyzing said instruction with said redirection mechanism and passing said instruction to said filter mechanism if said instruction is a protected instruction;
  
  f. verifying said protected instruction using said filter mechanism; and
  
  g. processing said protected instruction using said second network interface portion if said protected instruction is verified successfully by said filter mechanism.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The computer-readable medium of claim 21, wherein said step of partitioning includes determining which data and instructions maintained in said secure portion of said data space of said first computer are necessary for performing said communication between said first and said second computers and copying said files to said network interface portion.
  - 23. The computer-readable medium of claim 22, further including the step of disconnecting said first computer from said computer network and comparing the files stored in said network interface portion of said data space with files stored in said first secure portion.
  - 24. The computer-readable medium of claim 23, further including the step of restoring any files that were changed during said communication to their original state.
  - 25. The computer-readable medium of claim 21, further including the step of passing said instruction to the operating system of said first computer if said instruction is not a protected instruction.
  - 26. The computer-readable medium of claim 21, further including the step of notifying said user of said first computer that said received instruction is a protected instruction.
  - 27. The computer-readable medium of claim 26, further including the step of providing said user an option to allow execution of said protected instruction.
  - 28. The computer-readable medium of claim 27, further including the step of disallowing said received instruction if said received instruction is not verified by said filter mechanism.
  - 29. The computer-readable medium of claim 21, further including the step of disallowing said received instruction if said received instruction is not verified by said filter mechanism.
  - 30. The computer-readable medium of claim 21, wherein said step of partitioning further includes the sub-step of tagging or marking data and instructions associated with said data space of said first computer.
  - 31. The computer-readable medium of claim 30, wherein said step of verifying further includes the step of determining whether said instruction is tagged or marked.
  - 32. The computer-readable medium of claim 21, wherein said code devices are further configured to perform tagging or marking of said instruction or data received by said first computer.
  - 33. The computer-readable medium of claim 32, wherein said step of verifying further includes the step of determining whether said instruction or data is tagged or marked.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DAGG LLC
Original Assignee
DAGG LLC
Inventors
Corthell, David
Primary Examiner(s)
Iqbal, Nadeem

Application Number

US09/243,097
Time in Patent Office

749 Days
Field of Search

713/201, 713/200, 713/202, 380/4, 380/23, 380/25, 380/30, 380/42, 380/49, 340/825.31, 340/825.34
US Class Current

726/11
CPC Class Codes

G06F 21/53 by executing in a restricte...

Methods, software, and apparatus for secure communication over a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, software, and apparatus for secure communication over a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links