System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing a network connection

US 7,591,001 B2
Filed: 05/05/2005
Issued: 09/15/2009
Est. Priority Date: 05/14/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising the steps of:

(a) receiving from a first computer at a second computer via a network a request message from the first computer to establish a network connection;

(b) retrieving security state data at the second computer;

(c) incorporating the security state data into a response message at the second computer;

(d) transmitting the response message including the security state data from the second computer to the first computer via the network;

(e) receiving the response message including the security state data from the second computer at the first computer via the network;

(f) determining at the first computer if security activation data stored at the first computer indicates that the security state data is to be processed in order to determine if network connection to the second computer is to be permitted; and

if the determining in step (f) establishes that the security activation data indicates that the security state data is to be processed,(g) determining at the first computer if the network connection to the second computer is permitted based on security policy data stored in the first computer and the security state data received from the second computer;

(h) proceeding with establishing the network connection if the determining of step (g) establishes that connection to the second computer is permitted; and

(i) terminating further processing to establish the network connection if the determining of step (a) establishes that the connection to the second computer is not permitted.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed system, apparatuses, methods, and computer-readable media can be used by a computer to establish the security status of another computer before establishing a network connection to it. Responsive to a request message, security state data indicating this status can be incorporated into a response message as one of the first few packets exchanged by computers to establish a network connection. This enables a computer to determine whether the other computer'"'"'s security status is compliant with its security policy before establishing the network connection, reducing risk of infection by a virus, worm, or the like.

Citations

16 Claims

1. A method comprising the steps of:
- (a) receiving from a first computer at a second computer via a network a request message from the first computer to establish a network connection;
  
  (b) retrieving security state data at the second computer;
  
  (c) incorporating the security state data into a response message at the second computer;
  
  (d) transmitting the response message including the security state data from the second computer to the first computer via the network;
  
  (e) receiving the response message including the security state data from the second computer at the first computer via the network;
  
  (f) determining at the first computer if security activation data stored at the first computer indicates that the security state data is to be processed in order to determine if network connection to the second computer is to be permitted; and
  
  if the determining in step (f) establishes that the security activation data indicates that the security state data is to be processed,(g) determining at the first computer if the network connection to the second computer is permitted based on security policy data stored in the first computer and the security state data received from the second computer;
  
  (h) proceeding with establishing the network connection if the determining of step (g) establishes that connection to the second computer is permitted; and
  
  (i) terminating further processing to establish the network connection if the determining of step (a) establishes that the connection to the second computer is not permitted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as claimed in claim 1 wherein the security state data comprises data generated by an anti-virus application running on the second computer.
  - 3. The method as claimed in claim 1 wherein the security state data comprises data generated by a firewall application running on the second computer.
  - 4. The method as claimed in claim 1 wherein the security state data comprises data generated by an operating system running on the second computer.
  - 5. The method as claimed in claim 1 wherein the security state data comprises data received via the Internet from a website of a developer of one or more of an anti-virus application, firewall application, and operating system.
  - 6. The method as claimed in claim 1 wherein the security state data comprises data indicating whether an anti-virus application running on the second computer is active to protect the first computer.
  - 7. The method as claimed in claim 6 wherein the security state data comprises data indicating whether the anti-virus application is up-to-date.
  - 8. The method as claimed in claim 1 wherein the security state data comprises data indicating whether a firewall application is running on the second computer.
  - 9. The method as claimed in claim 8 wherein the security state data comprises data indicating whether the firewall application is up-to-date.
  - 10. The method as claimed in claim 1 wherein the security state data comprises data indicating whether an operating system patch has been installed to close a vulnerability in the operating system running on the second computer.
  - 11. The method as claimed in claim 10 wherein the security state data comprises data indicating whether the operating system patch is up-to-date.
  - 12. The method as claimed in claim 1 wherein the response message is a TCP SYNACK packet.
  - 13. The method as claimed in claim 12 wherein the security state data is incorporated in a field in the header of the TCP SYNACK packet.
  - 14. The method as claimed in claim 13 wherein the field is the urgent pointer field.
  - 15. The method as claimed in claim 1 wherein the security state data is incorporated in the header of the response message.
  - 16. The method as claimed in claim 1 wherein the network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Liquidware Labs, Inc.
Inventors
Shay, A. David
Primary Examiner(s)
Song; Hosuk

Application Number

US11/123,546
Publication Number

US 20050257249A1
Time in Patent Office

1,594 Days
Field of Search

726 1- 4, 726 11- 15, 726 22- 25, 713150-154, 709223-225, 709/229
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing a network connection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing a network connection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links