System and method for intrusion prevention in a communications network

US 7,386,889 B2
Filed: 11/18/2002
Issued: 06/10/2008
Est. Priority Date: 11/18/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for preventing unauthorized access to a specific resource within a computer network, comprising:

assigning a unique, non-dynamic system identifier (SID) to each authorized computer within the network;

assigning a unique user identifier (UID) to each authorized user of the network;

defining policy profiles for authorized computers and for authorized users of the network, wherein each policy profile identifies rights of access to resources within the network for the authorized users and the authorized computers;

upon initiation of a TCP/IP communication attempt for access to the specific resource, wherein the communication attempt is initiated by a specific authorized user logged into a specific authorized computer and wherein the communication attempt includes a synchronization packet having a SEQ and an ACK field, inserting the UID of the specific authorized user and the SID of the specific authorized computer into the SEQ and ACK fields of the synchronization packet;

intercepting the synchronization packet within the computer network;

extracting the UID and SID from the SEQ and ACK fields of the synchronization packet to identify the specific authorized user and the specific authorized computer initiating the communication attempt; and

allowing the communication attempt with the specific resource as a function of the policy profile of the specific authorized user and of the policy profile of the specific authorized computer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and program for preventing intrusion in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources and authorized user information is stored in a database at a network portal along with access policy rules that are device and user dependent. Identification of the source node is required before the source node can construct a transformed packet header that is included with a synchronization packet before transmission to a destination node. An appliance or firewall in the communications network receives and authenticates the synchronization packet before releasing the packet to its, intended destination. The authentication process includes verification of the access policy associated with the source node. Once received at the destination node, the transformed packet header is reformed by extracting a key index value. The extracted key index is subsequently used to transform the packet header in the response transmitted to the source node.

109 Citations

View as Search Results

29 Claims

1. A method for preventing unauthorized access to a specific resource within a computer network, comprising:
- assigning a unique, non-dynamic system identifier (SID) to each authorized computer within the network;
  
  assigning a unique user identifier (UID) to each authorized user of the network;
  
  defining policy profiles for authorized computers and for authorized users of the network, wherein each policy profile identifies rights of access to resources within the network for the authorized users and the authorized computers;
  
  upon initiation of a TCP/IP communication attempt for access to the specific resource, wherein the communication attempt is initiated by a specific authorized user logged into a specific authorized computer and wherein the communication attempt includes a synchronization packet having a SEQ and an ACK field, inserting the UID of the specific authorized user and the SID of the specific authorized computer into the SEQ and ACK fields of the synchronization packet;
  
  intercepting the synchronization packet within the computer network;
  
  extracting the UID and SID from the SEQ and ACK fields of the synchronization packet to identify the specific authorized user and the specific authorized computer initiating the communication attempt; and
  
  allowing the communication attempt with the specific resource as a function of the policy profile of the specific authorized user and of the policy profile of the specific authorized computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the SID is assigned based on one or more constant identifiers obtained from hardware associated with the respective authorized computer.
  - 3. The method of claim 1 further comprising the step of encrypting the SID prior to inserting the SID into the synchronization packet.
  - 4. The method of claim 3 further comprising the step of decrypting the SID after intercepting the synchronization packet.
  - 5. The method of claim 3 wherein the SID is encrypted using at least one transformation key.
  - 6. The method of claim 5 wherein the transformation key is selected dynamically from a table of transformation keys.
  - 7. The method of claim 1 further comprising the step of encrypting the UID prior to inserting the UID into the synchronization packet.
  - 8. The method of claim 7 further comprising the step of decrypting the UID after intercepting the synchronization packet.
  - 9. The method of claim 7 wherein the UID is encrypted using at least one transformation key.
  - 10. The method of claim 9 wherein the transformation key is selected dynamically from a table of transformation keys.
  - 11. The method of claim 1 further comprising the step of recording the communication attempt in a database.
  - 12. The method of claim 1 further comprising the step of notifying a network administrator if the communication attempt is not allowed.
  - 13. The method of claim 1 further comprising the step of logging the communication attempt if the communication attempt is not allowed.
  - 14. The method of claim 1 wherein the specific resource is a database.
  - 15. The method of claim 1 wherein the specific resource is an application.
  - 16. The method of claim 1 wherein the specific resources is another authorized computer of the network.

17. A method of monitoring a TCP/IP communication attempt within a computer network, comprising:
- assigning a unique, non-dynamic system identifier (SID) to each authorized computer within the network;
  
  assigning a unique user identifier (UID) to each authorized user of the network;
  
  defining policy profiles for authorized computers and for authorized users of the network, wherein each policy profile identifies rights of access to resources within the network for the authorized users and the authorized computers;
  
  upon initiation of a TCP/IP communication attempt with a requested resource within the network by a specific authorized user logged into a specific authorized computer, inserting the UID of the specific authorized user and the SID of the specific authorized computer into SEQ and ACK fields of a synchronization packet associated with the TCP/IP communication attempt;
  
  intercepting the synchronization packet within the computer network and prior to access of the requested resource;
  
  extracting the UID and SID from the SEQ and ACK fields of the synchronization packet to identify the specific authorized user and the specific authorized computer initiating the communication attempt;
  
  allowing the communication attempt with the requested resource to proceed; and
  
  logging the communication attempt in a database to maintain a record of the specific authorized user and the specific authorized computer initiating the communication attempt.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The method of claim 17 wherein the SID is assigned based on one or more constant identifiers obtained from hardware associated with the respective authorized computer.
  - 19. The method of claim 17 further comprising the step of encrypting the SID prior to inserting the SID into the synchronization packet.
  - 20. The method of claim 19 further comprising the step of decrypting the SID after intercepting the synchronization packet.
  - 21. The method of claim 19 wherein the SID is encrypted using at least one transformation key.
  - 22. The method of claim 21 wherein the transformation key is selected dynamically from a table of transformation keys.
  - 23. The method of claim 17 further comprising the step of encrypting the UID prior to inserting the UID into the synchronization packet.
  - 24. The method of claim 23 further comprising the step of decrypting the UID after intercepting the synchronization packet.
  - 25. The method of claim 23 wherein the UID is encrypted using at least one transformation key.
  - 26. The method of claim 25 wherein the transformation key is selected dynamically from a table of transformation keys.
  - 27. The method of claim 17 wherein the requested resource is a database.
  - 28. The method of claim 17 wherein the requested resource is an application.
  - 29. The method of claim 17 wherein the specific resources is another authorized computer of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Trusted Network Technologies, Inc. (Liquidware Labs, Inc.)
Inventors
Shay, A. David
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Brown; Christopher J

Application Number

US10/065,775
Publication Number

US 20050160289A1
Time in Patent Office

2,031 Days
Field of Search

713/153, 713/182, 726/22, 726/13, 726/26
US Class Current

726/26
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/162   at the data link layer

System and method for intrusion prevention in a communications network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

System and method for intrusion prevention in a communications network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others