System, apparatuses, methods, and computer-readable media using identification data in packet communications

US 7,552,323 B2
Filed: 08/19/2003
Issued: 06/23/2009
Est. Priority Date: 11/18/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for restricting access to one or more resources within a computer network, comprising the steps of:

assigning a unique user identifier to each authorized human user of the computer network;

retrieving the unique user identifier associated with a respective authorized human user logged into a source node;

upon initiation of a TCP/IP communication attempt at the source node, wherein the TCP/IP communication attempt is associated with a request by the respective authorized human user for access to a specific resource within the computer network, wherein the TCP/IP communication attempt includes a synchronization packet having a header, inserting the unique user identifier assigned to the respective authorized human user logged into the source node into the header of the synchronization packet;

intercepting the synchronization packet within the computer network without allowing the TCP/IP communication attempt to proceed;

extracting the unique user identifier from the header of the synchronization packet;

identifying the respective authorized human user logged into the source node based on the extracted unique user identifier;

determining whether the respective authorized human user is authorized to access the specific resource; and

if the respective authorized human user is authorized to access the specific resource, allowing the TCP/IP communication attempt to proceed and granting the respective authorized human user access to the specific resource at a destination node within the computer network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer-readable data storage media for authentication and/or access authorization in a communications network. A source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources, authorized user, and/or source information are stored in a database at a network portal along with access policy rules that can be device and/or user dependent. A source node can construct a packet header including a user identifier indicating the user originating the request, and/or a source identifier indicating the hardware from which the request is originated. At least one of these identifiers are included with a synchronization packet for transmission to a destination node. An appliance or firewall in the communications network receives, authenticates, and determines whether resource access is authorized before releasing the packet to its intended destination.

126 Citations

View as Search Results

57 Claims

1. A method for restricting access to one or more resources within a computer network, comprising the steps of:
- assigning a unique user identifier to each authorized human user of the computer network;
  
  retrieving the unique user identifier associated with a respective authorized human user logged into a source node;
  
  upon initiation of a TCP/IP communication attempt at the source node, wherein the TCP/IP communication attempt is associated with a request by the respective authorized human user for access to a specific resource within the computer network, wherein the TCP/IP communication attempt includes a synchronization packet having a header, inserting the unique user identifier assigned to the respective authorized human user logged into the source node into the header of the synchronization packet;
  
  intercepting the synchronization packet within the computer network without allowing the TCP/IP communication attempt to proceed;
  
  extracting the unique user identifier from the header of the synchronization packet;
  
  identifying the respective authorized human user logged into the source node based on the extracted unique user identifier;
  
  determining whether the respective authorized human user is authorized to access the specific resource; and
  
  if the respective authorized human user is authorized to access the specific resource, allowing the TCP/IP communication attempt to proceed and granting the respective authorized human user access to the specific resource at a destination node within the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 54)
- - 2. The method of claim 1 wherein the unique user identifier is included in a sequence number field of the header of the synchronization packet.
  - 3. The method of claim 1 wherein the unique user identifier is included in an acknowledgement field of the header of the synchronization packet.
  - 4. The method of claim 3 wherein data in the acknowledgement field has a non-zero value.
  - 5. The method of claim 1 wherein the unique user identifier comprises a user name of the specific authorized human user.
  - 6. The method of claim 1 further comprising the step of encrypting the unique user identifier prior to inserting the unique user identifier into the header of the synchronization packet.
  - 7. The method of claim 6 further comprising the step of decrypting the unique user identifier after intercepting the synchronization packet.
  - 8. The method of claim 1 further comprising the step of recording the TCP/IP communication attempt in a database.
  - 9. The method of claim 1 further comprising the step of notifying a network administrator if the TCP/IP communication attempt is not granted.
  - 10. The method of claim 1 further comprising the step of logging the TCP/IP communication attempt.
  - 11. The method of claim 1 wherein the specific resource is a database.
  - 12. The method of claim 1 wherein the specific resource is an application.
  - 13. The method of claim 1 wherein the specific resource is an authorized computer within the computer network.
  - 14. The method of claim 1 wherein the specific resource is the destination node.
  - 54. The method of claim 1 further comprising the step of if the respective authorized human user is not authorized to access the specific resource, blocking the TCP/IP communication attempt from proceeding.

15. A method for preventing unauthorized access to one or more resources within a computer network, wherein the computer network includes a plurality of authorized human users and wherein a unique user identifier is assigned to each of the plurality of authorized human users, comprising the steps of:
- maintaining the plurality of unique user identifiers in a database;
  
  intercepting a TCP/IP communication attempt from an undetermined user, wherein the TCP/IP communication attempt includes a synchronization packet having a header and wherein the TCP/IP communication represents a request for access to a specific resource within the computer network;
  
  obtaining data from the header of the synchronization packet;
  
  comparing the data obtained from the header with the plurality of unique user identifiers maintained in the database to determine if the undetermined user is one of the plurality of authorized human users logged into an authorized computer of the computer network; and
  
  denying the request for access to the specific resource if the data obtained from the header does not match one of the plurality of unique user identifiers in the database.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 55)
- - 16. The method of claim 15 wherein the unique user identifier is included in a sequence number field of the header of the synchronization packet.
  - 17. The method of claim 15 wherein the unique user identifier is included in an acknowledgement field of the header of the synchronization packet.
  - 18. The method of claim 17 wherein data in the acknowledgement field has a non-zero value.
  - 19. The method of claim 15 wherein the unique user identifier comprises a user name of a specific authorized human user.
  - 20. The method of claim 15 further comprising the step of recording the TCP/IP communication attempt in a database.
  - 21. The method of claim 15 further comprising the step of notifying a network administrator if the TCP/IP communication attempt is denied.
  - 22. The method of claim 15 further comprising the step of logging the TCP/IP communication attempt if the TCP/IP communication attempt is denied.
  - 23. The method of claim 15 wherein the specific resource is a database.
  - 24. The method of claim 15 wherein the specific resource is an application.
  - 25. The method of claim 15 wherein the specific resource is an authorized computer within the computer network.
  - 26. The method of claim 15 wherein the unique user identifier indicates an authorized human user associated with a source node.
  - 27. The method of claim 26 wherein the specific resource is a destination node.
  - 55. The method of claim 15 further comprising the step of granting the request for access to the specific resource if the data obtained from the header matches one of the plurality of unique user identifiers in the database.

28. A method for managing communications within a computer network, comprising the steps of:
- assigning a unique user identifier to each authorized human user of the computer network;
  
  retrieving the unique user identifier associated with a respective authorized human user accessing a specific source node of the computer network;
  
  upon initiation of a TCP/IP communication attempt by the respective authorized human user accessing the specific source node of the computer network, wherein the TCP/IP communication attempt is targeted to a destination node of the computer network and wherein the TCP/IP communication attempt includes a synchronization packet having a header, inserting the unique user identifier assigned to the respective authorized human user accessing the specific source node into the header of the synchronization packet;
  
  intercepting the synchronization packet within the computer network prior to receipt by the destination node;
  
  extracting the unique user identifier from the header of the synchronization packet to identify the respective authorized human user initiating the TCP/IP communication attempt;
  
  determining if the respective authorized human user is allowed to communicate with the destination node; and
  
  if the respective authorized human user is allowed to communicate with the destination node, allowing the TCP/IP communication between the specific source node and the destination node to proceed.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 56)
- - 29. The method of claim 28 wherein the unique user identifier is included in a sequence number field of the header of the synchronization packet.
  - 30. The method of claim 28 wherein the unique user identifier is included in an acknowledgement field of the header of the synchronization packet.
  - 31. The method of claim 30 wherein data in the acknowledgement field has a non-zero value.
  - 32. The method of claim 28 further comprising the step of encrypting the unique user identifier prior to inserting the unique user identifier into the header of the synchronization packet.
  - 33. The method of claim 32 further comprising the step of decrypting the unique user identifier after intercepting the synchronization packet.
  - 34. The method of claim 28 further comprising the step of recording the TCP/IP communication attempt in a database.
  - 35. The method of claim 28 further comprising the step of notifying a network administrator if the TCP/IP communication attempt is not allowed.
  - 36. The method of claim 28 further comprising the step of logging the TCP/IP communication attempt.
  - 37. The method of claim 28 wherein the destination node is being accessed by another respective authorized human user of the computer network.
  - 56. The method of claim 28 further comprising the step of if the respective authorized human user is not allowed to communicate with the destination node, dropping the TCP/IP communication attempt between the specific source node and the destination node.

38. A method for authorizing communications within a computer network, comprising the steps of:
- assigning a unique user identifier to each authorized human user of the computer network;
  
  assigning a unique source identifier to each authorized computer within the computer network;
  
  upon initiation of a TCP/IP communication attempt initiated by a specific authorized human user logged in to a specific authorized computer, wherein the TCP/IP communication attempt is targeted to a destination node in the computer network and wherein the TCP/IP communication attempt includes a synchronization packet having a header, retrieving and inserting the unique user identifier assigned to the specific authorized human user and the unique source identifier assigned to the specific authorized computer into the header of the synchronization packet;
  
  intercepting the synchronization packet within the computer network prior to receipt by the destination node;
  
  extracting the unique user identifier and unique source identifier from the header of the synchronization packet to identify the specific authorized human user and the specific authorized computer initiating the TCP/IP communication attempt;
  
  determining whether the specific authorized human user and specific authorized computer are each authorized to communicate with the destination node; and
  
  if the specific authorized human user and specific authorized computer are each authorized to communicate with the destination node, allowing the TCP/IP communication attempt with the destination node to continue.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 57)
- - 39. The method of claim 38 wherein the unique user identifier is included in a sequence number field of the header of the synchronization packet.
  - 40. The method of claim 38 wherein the unique user identifier is included in an acknowledgement field of the header of the synchronization packet.
  - 41. The method of claim 40 wherein data in the acknowledgement field has a non-zero value.
  - 42. The method of claim 38 wherein the unique source identifier is included in an acknowledgement field of the synchronization packet.
  - 43. The method of claim 42 wherein data in the acknowledgement field has a non-zero value.
  - 44. The method of claim 38 wherein the unique user identifier comprises a user name of the specific authorized human user.
  - 45. The method of claim 38 further comprising the step of encrypting the unique user identifier prior to inserting the unique user identifier into the header of the synchronization packet.
  - 46. The method of claim 45 further comprising the step of decrypting the unique user identifier after intercepting the synchronization packet.
  - 47. The method of claim 38 wherein the unique source identifier is assigned based on one or more constant identifiers obtained from hardware associated with a respective authorized computer.
  - 48. The method of claim 38 further comprising the step of encrypting the unique source identifier prior to inserting the unique source identifier into the header of the synchronization packet.
  - 49. The method of claim 48 further comprising the step of decrypting the unique source identifier after intercepting the synchronization packet.
  - 50. The method of claim 38 further comprising the step of recording the TCP/IP communication attempt in a database.
  - 51. The method of claim 38 further comprising the step of notifying a network administrator if the TCP/IP communication attempt is not allowed.
  - 52. The method of claim 38 further comprising the step of logging the TCP/IP communication attempt if the TCP/IP communication attempt is not allowed.
  - 53. The method of claim 38 wherein the destination node is an authorized computer within the computer network.
  - 57. The method of claim 38 further comprising the step of if the specific authorized human user and specific authorized computer are not authorized to communicate with the destination node, preventing the TCP/IP communication attempt with the destination node from continuing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Liquidware Labs, Inc.
Inventors
Shay, A. David
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US10/644,632
Publication Number

US 20040098620A1
Time in Patent Office

2,135 Days
Field of Search

713153-154, 713/160, 726 2- 3, 726 28- 30
US Class Current

713/160
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/162   at the data link layer

System, apparatuses, methods, and computer-readable media using identification data in packet communications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatuses, methods, and computer-readable media using identification data in packet communications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links