Methods, systems, and computer program products for automatically configuring firewalls

US 7,877,795 B2
Filed: 10/30/2006
Issued: 01/25/2011
Est. Priority Date: 10/30/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of automatically configuring a firewall, the method comprising:

automatically detecting an attempt by a software application executing on a user device to communicate through the firewall, wherein the firewall has blocked the communication attempt;

automatically collecting information about the attempt detected;

automatically assessing a danger level of allowing the software application to communicate through the firewall based upon the information collected, comprising determining at least one of the following;

whether the software application is attempting to communicate sensitive and private data from the user device, whether the software application is using a stealth communication method, whether the software application is executing at a root directory level of the user device, whether the software application is executing at an administrator level directory of the user device, whether the software application is attempting to access sensitive memory portions of the user device, whether the software application is attempting to access hard drive portions of the user device including sensitive directories, whether the software application is attempting to execute at a highly privileged operator level of the user device, and whether the software application is attempting to communicate with a suspicious web site; and

automatically reconfiguring the firewall to allow the software application to communicate through the firewall if the assessed danger level is below a threshold danger level, wherein the threshold danger level is variable and further comprising increasing the threshold danger level as a number of blocked software application communication attempts increases, and decreasing the threshold danger level as the number of blocked software application communication attempts decreases.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products that automatically configure firewalls are provided. An blocked attempt by a software application executing on a user device to communicate through a firewall is detected. Information about the detected communication attempt is collected. A danger level of allowing the software application to communicate through the firewall is assessed based upon the collected information. The blocking rules/policy of the firewall are automatically modified to allow the software application to communicate through the firewall if the assessed danger level is below a threshold level.

12 Citations

View as Search Results

15 Claims

1. A method of automatically configuring a firewall, the method comprising:
- automatically detecting an attempt by a software application executing on a user device to communicate through the firewall, wherein the firewall has blocked the communication attempt;
  
  automatically collecting information about the attempt detected;
  
  automatically assessing a danger level of allowing the software application to communicate through the firewall based upon the information collected, comprising determining at least one of the following;
  
  whether the software application is attempting to communicate sensitive and private data from the user device, whether the software application is using a stealth communication method, whether the software application is executing at a root directory level of the user device, whether the software application is executing at an administrator level directory of the user device, whether the software application is attempting to access sensitive memory portions of the user device, whether the software application is attempting to access hard drive portions of the user device including sensitive directories, whether the software application is attempting to execute at a highly privileged operator level of the user device, and whether the software application is attempting to communicate with a suspicious web site; and
  
  automatically reconfiguring the firewall to allow the software application to communicate through the firewall if the assessed danger level is below a threshold danger level, wherein the threshold danger level is variable and further comprising increasing the threshold danger level as a number of blocked software application communication attempts increases, and decreasing the threshold danger level as the number of blocked software application communication attempts decreases.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein collecting information comprises collecting at least one of the following types of information:
    - source and destination addresses of the communication, source and destination ports, communication protocol type and number, software application name, software application version, software application size, software application date, software application format, software application source, and logged communications between the user device and other devices.
  - 3. The method of claim 1, wherein collecting information comprises determining whether the software application is an authorized software application for the user device.
  - 4. The method of claim 1, further comprising requesting information about the software application from a user of the device.
  - 5. The method of claim 4, wherein prior to requesting information from the user, reviewing a profile of the user to determine if the user wants to provide input on firewall configurations.
  - 6. The method of claim 1, wherein assessing a danger level of allowing the software application to communicate through the firewall comprises comparing how similar the detected software application is to at least one of the following known types of dangerous applications:
    - viruses, spyware, malware.
  - 7. The method of claim 1, wherein assessing a danger level of allowing the software application to communicate through the firewall comprises comparing how similar the detected software application communication is to known software application communications.
  - 8. The method of claim 1, wherein assessing a danger level of allowing the software application to communicate through the firewall comprises examining at least one of the following:
    - N-tuple information, data being carried or transported, sequence of types of communications attempted, and previous communications to the network and other devices.

9. A system that automatically configures a firewall, comprising:
- a processor;
  
  memory coupled to the processor; and
  
  a computer program code residing in the memory that, when executed by the processor, causes the processor to perform the following;
  
  automatically detect an attempt by a software application executing on a user device to communicate through the firewall, wherein the firewall has blocked the communication attempt;
  
  automatically collect information about the attempt detected;
  
  automatically assess a danger level of allowing the software application to communicate through the firewall based upon the information collected based on at least one of the following;
  
  whether the software application is attempting to communicate sensitive and private data from the user device, whether the software application is using a stealth communication method, whether the software application is executing at a root directory level of the user device, whether the software application is executing at an administrator level directory of the user device, whether the software application is attempting to access sensitive memory portions of the user device, whether the software application is attempting to access hard drive portions of the user device including sensitive directories, whether the software application is attempting to execute at a highly privileged operator level of the user device such as root, and whether the software application is attempting to communicate with a suspicious web site; and
  
  automatically reconfigure the firewall to allow the software application to communicate through the firewall if the assessed danger level is below a threshold danger level, wherein the threshold danger level is variable and wherein the processor is configured to increase the threshold danger level as a number of blocked software application communication attempts increases, and decrease the threshold danger level as the number of blocked software application communication attempts decreases.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the processor collects at least one of the following types of information:
    - source and destination addresses of the communication, source and destination ports, and communication protocol type and number, software application name, software application version, software application size, software application date, software application format, software application source, logged communications between the user device and other devices, data being carried or transported, sequence of types of communications attempted, and previous communications to the network and other devices.
  - 11. The system of claim 9, wherein the processor determines whether the software application is an authorized software application for the user device.
  - 12. The system of claim 9, wherein the processor requests information about the software application from a user of the device.
  - 13. The system of claim 12, wherein the processor reviews a profile of the user to determine if the user wants to provide input on firewall configurations.
  - 14. The system of claim 9, wherein the processor assesses a danger level of allowing the software application to communicate through the firewall by comparing how similar the detected software application is to at least one of the following known types of dangerous applications:
    - viruses, spyware, malware.
  - 15. The system of claim 9, wherein the processor compares how similar the detected software application communication is to known software application communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bellsouth Intellectual Property Corporation (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Aaron, Jeffrey
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
Abyaneh, Ali S

Application Number

US11/589,628
Publication Number

US 20080148381A1
Time in Patent Office

1,548 Days
Field of Search

726/11, 726/3, 726/22, 713/165, 709/220, 709/221, 709/223, 709/238
US Class Current

726/11
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

H04L 63/1408 by monitoring network traff...

Methods, systems, and computer program products for automatically configuring firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Methods, systems, and computer program products for automatically configuring firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others