Method and apparatus for regulating data flow between a communications device and a network

US 7,890,612 B2
Filed: 05/07/2007
Issued: 02/15/2011
Est. Priority Date: 05/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method of screening data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;

at least one communication device port coupled to the data object memory;

a network communication port coupled to the data object memory;

a processor coupled to the data object memory;

a permanent memory store for storage of rules, coupled to the processor;

a dynamic memory store coupled to the processor;

a physical interface coupled to the processor; and

a plurality of rules stored in the permanent memory store;

the method comprising;

a) receiving a data object at a communication device port or at the network communication port, the network security device being invisible to any communication device and the network;

b) storing the data object into the data object memory;

c) processing the data object in accordance with the plurality of rules stored in the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; and

d) if the data object is not in violation of at least one of the plurality of rules, transmitting the data object by the network communication port if the data object was received from a communication device port or transmitting the data object by a communication device port if the data object was received from the network communication port.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security device which acts as an “airlock” for traffic between a communications device and a network. Data is screened using rules based analysis by the security device to counter various threats, including viruses, phishing, attempts to “hijack” communications, communications with known malicious addresses or unknown addresses, and transmission of sensitive information. Data packets can be reassembled into files for screening, and decoded or expanded as necessary, but is never executed. The data path for the data being screened is kept separate from the operations of the network security device itself, so that the device is incorruptible—its programming cannot be compromised from outside sources. Updates for rules and entry of sensitive data for screening, etc., must be done through a physical interface, not via the normal data communications channel. The device is invisible—it cannot be “seen” by the network, and thus cannot be attacked.

445 Citations

68 Claims

1. A method of screening data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
  
  a network communication port coupled to the data object memory;
  
  a processor coupled to the data object memory;
  
  a permanent memory store for storage of rules, coupled to the processor;
  
  a dynamic memory store coupled to the processor;
  
  a physical interface coupled to the processor; and
  
  a plurality of rules stored in the permanent memory store;
  
  the method comprising;
  
  a) receiving a data object at a communication device port or at the network communication port, the network security device being invisible to any communication device and the network;
  
  b) storing the data object into the data object memory;
  
  c) processing the data object in accordance with the plurality of rules stored in the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed; and
  
  d) if the data object is not in violation of at least one of the plurality of rules, transmitting the data object by the network communication port if the data object was received from a communication device port or transmitting the data object by a communication device port if the data object was received from the network communication port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 37, 38, 39, 42, 43)
- - 2. The method of claim 1, in which the network security device further comprises a device identification, the method further comprising the steps of identifying the network security device to a secure server through the network, and establishing secure communication with the secure server through the network.
  - 3. The method of claim 2, in which the step of processing the data object comprisesperforming a DNS lookup to retrieve a first IP address associated with a destination address of the data object,performing a DNS lookup using the secure server to retrieve a second IP address associated with the destination address of the data object, andcomparing the first IP address to the second IP address, andin step d the data object is determined to be in violation of a rule if the if the first IP address does not match the second IP address.
  - 4. The method of claim 3, further comprising the step of informing the secure server if the first IP address does not match the second IP address.
  - 5. The method of claim 2, further comprising the steps of communicating with the secure server if a data object is determined to be in violation of a rule, receiving at least one item of information from the secure server, and determining the data object to be in violation of a rule based on the at least one item of information received from the secure server.
  - 6. The method of claim 2, further comprising the steps of communicating with the secure server, receiving at least one item of information from the secure server, and stopping all transmission of data objects based on the at least one item of information received from the secure server.
  - 7. The method of claim 1, further comprising the step of alerting a third party if a data object is determined to be in violation of a rule stored in the permanent memory store.
  - 8. The method of claim 7, in which the third party comprises at least one network security device.
  - 9. The method of claim 8, in which the step of alerting a third party comprises sending at least one rule to the other network security device comprising the third party.
  - 10. The method of claim 1, further comprising the step, after the step of storing the data object, of determining if the data object comprises a plurality of files in simple file formats, and if the data object is determined to comprise a plurality of files in simple file formats, parsing the data object to extract the plurality of files in simple file formats, and in which step c of processing the data object comprises processing each of the plurality of files in simple formats separately.
  - 11. The method of claim 10, in which, if the data object cannot be parsed, the method further comprises the step of logging the data object.
  - 12. The method of claim 11, further comprising the step of transmitting the logged data object to a secure server.
  - 13. The method of claim 1, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and the step of processing the data object further comprises comparing a destination address of the data object to the addresses in the URL database.
  - 14. The method of claim 13, in which a plurality of the network addresses in the URL database comprise a whitelist, and in step d the data object is determined to be in violation of a rule unless the destination address of the data object matches one of the network addresses on the whitelist.
  - 15. The method of claim 13, in which a plurality of the network addresses in the URL database comprise a blacklist, and in step d the data object is determined to be in violation of a rule if the destination address of the data object matches one of the network addresses on the blacklist.
  - 16. The method of claim 1, in which the plurality of rules in the permanent memory store comprise a sensitive information database comprising at least one item of information, and the step of processing the data object comprises comparing a body of the data object to the at least one item of information in the sensitive information database.
  - 17. The method of claim 16, in which in step d the data object is determined to be in violation of a rule if at least part of the body of the data object matches at least one item of information in the sensitive information database.
  - 18. The method of claim 16, in which the at least one item of information in the sensitive information database is selected from a group consisting of social security numbers, credit card numbers, bank account numbers, brokerage account numbers, specific passwords, and brokerage codes.
  - 19. The method of claim 1, further comprising the step of assembling a data object in the data object memory from a plurality of packets before the step of processing the data object.
  - 20. The method of claim 1, in which the plurality of rules in the permanent memory store comprise a URL database comprising a plurality of network addresses and a sensitive information database comprising at least one item of information, and the step of processing comprises comparing a destination address of the data object to the plurality of addresses in the URL database and comparing a body of the data object to the at least one item of information in the sensitive information database, and in step d the data object is determined to be in violation of a rule if at least part of the body of the data object matches at least one item of information in the sensitive information database and the destination address of the data object does not match one of the plurality of network addresses in the URL database.
  - 21. The method of claim 1, in which the step of processing the data object comprises detecting malware present in the data object, and in step d the data object is determined to be in violation of a rule if malware is detected in the object.
  - 22. The method of claim 1, in which step d further comprises the step of substituting decoy data for at least part of the data object before transmitting the data object.
  - 23. The method of claim 1, in which the plurality of rules comprise a plurality of patterns, and in step d the data object is determined to be in violation of a rule if at least part of the body of the data object match at least one of the plurality of patterns.
  - 24. The method of claim 1, further comprising the step of stopping all transmission of data objects if a data object is determined to be in violation of a rule in the permanent memory store.
  - 25. The method of claim 1, in which the step of processing the data object comprises scanning the data object for metadata indicating that the data object comprises data subject to copyright, and if metadata indicating that the data object comprises data subject to copyright is found, determining if a user of the data object is authorized to use or view the data subject to copyright, and in step d the data object is determined to be in violation of a rule if a the user of the data object is not authorized to use or view the data subject to copyright.
  - 26. The method of claim 1, in which the method only accepts data objects in step a from specified communication devices or networks.
  - 27. The method of claim 1, in which the data object is a request for a website, and the step of processing the data object comprises the steps of:
    - retrieving an image of the website;
      
      retrieving identifying information about the website;
      
      combining the image of the website and the identifying information about the website into a site fingerprint;
      
      retrieving a cached fingerprint for the website;
      
      comparing the site fingerprint to the cached fingerprint for the website; and
      
      in step d the data object is determined to be in violation of a rule if the site fingerprint does not match the cached fingerprint for the website.
  - 28. The method of claim 27, in which the step of retrieving the cached fingerprint for the website comprises retrieving the cached fingerprint for the website from a secure server.
  - 37. The network security device of claim 1, in which the rules in the permanent memory store comprise a sensitive information database comprising at least one item of information, and at least one of the rules causes the data object in the data object memory to be processed to compare a body of the data object to the information in the sensitive information database.
  - 38. The network security device of claim 37, in which at least one rule prevents transmission of a data object if at least part of the body of the data object matches an item of information in the sensitive information database.
  - 39. The network security device of claim 37, in which the items of information in the sensitive information database are selected from a group consisting of social security numbers, credit card numbers, bank account numbers, brokerage account numbers, specific passwords, and brokerage codes.
  - 42. The network security device of claim 1, further comprising a keypad.
  - 43. The network security device of claim 42, in which the processor is programmed to accept changes to the rules in the permanent memory store from the keypad.

29. A network security device for screening data objects flowing between a network and at least one communication device, comprising:
- a) a data object memory;
  
  b) at least one communication device port coupled to the data object memory;
  
  c) a network communication port coupled to the data object memory;
  
  d) a processor coupled to the data object memory;
  
  e) a permanent memory store for storage of rules, coupled to the processor;
  
  f) a dynamic memory store coupled to the processor;
  
  g) a physical interface coupled to the processor;
  
  h) a plurality of rules stored in the permanent memory store;
  
  the processor being programmed such that a data object received at one of the at least one communication device port or at the network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, and if the data object is not in violation of a rule, the data object is transmitted by the network communication port if the data object was received at the at least one communication device port, and the data object is transmitted by at least one communication device port if the data object was received at the network communication port;
  
  the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
  
  the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the device is incorruptible by the data objects being processed; and
  
  in receiving, processing and transmitting the data objects, the network security device is not visible to the network or the at least one communication device.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 40, 41, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 30. The network security device of claim 29, in which the network security device further comprises a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port.
  - 31. The network security device of claim 30, in which at least one of the rules causes the data object in the data object memory to be processed to perform a DNS lookup to retrieve a first IP address associated with a destination address of the data object, and also to do a DNS lookup using the secure server to retrieve a second IP address associated with the destination address of the data object, and the rule causes the processor to compare the first IP address to the second IP address, and the data object is transmitted only if the first IP address matches the second IP address.
  - 32. The network security device of claim 31, in which the rule further causes the network security device to inform the secure server if the first IP address does not match the second IP address.
  - 33. The network security device of claim 30, in which the processor is programmed to accept changes to the rules in the permanent memory store from the secure server.
  - 34. The network security device of claim 29, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, and at least one of the rules causes the data object in the data object memory to be processed to compare a destination address of the data object to the network addresses in the URL database.
  - 35. The network security device of claim 34, in which a plurality of the network addresses in the URL database comprise a whitelist, and at least one rule prevents transmission of a data object unless the destination address of the data object matches one of the network addresses on the whitelist.
  - 36. The network security device of claim 34, in which a plurality of the network addresses in the URL database comprise a blacklist, and at least one rule prevents transmission of a data object if the destination address of the data object matches one of the network addresses on the blacklist.
  - 40. The network security device of claim 29, further comprising a physical input device for coupling with the physical interface of the network security device.
  - 41. The network security device of claim 40, in which the processor is programmed to accept changes to the rules in the permanent memory store from the physical input device coupled to the physical interface.
  - 44. The network security device of claim 29, in which the processor is programmed to assemble a data object in the data object memory from a plurality of packets before processing the data object.
  - 45. The network security device of claim 29, in which the permanent memory store is read-only memory.
  - 46. The network security device of claim 29, in which the rules in the permanent memory store comprise a URL database comprising a plurality of network addresses and a sensitive information database comprising at least one item of information, and at least one of the rules causes the data object in the data object memory to be processed to compare a destination address of the data object to the network addresses in the URL database and causes the data object in the data object memory to be processed to compare a body of the data object to the information in the sensitive information database, and at least one rule prevents transmission of the data object if at least part of the body of the data object matches an item of information in the sensitive information database unless the destination address of the data object matches one of the network addresses in the URL database.
  - 47. The network security device of claim 29, further comprising a display.
  - 48. The network security device of claim 29, further comprising a tamper lock.
  - 49. The network security device of claim 29, in which the permanent memory store is encrypted.
  - 50. The network security device of claim 29, in which the dynamic memory store and the data object memory are separate memories.
  - 51. The network security device of claim 29, in which the permanent memory store and the data object memory are separate memories.
  - 52. The network security device of claim 29, in which the permanent memory store is a write-protected partition of memory.
  - 53. The network security device of claim 29, in which the rules in the permanent memory store can only be changed at a determined time.

54. A method of monitoring data objects flowing between a network and at least one communication device using a network security device comprising a data object memory;
- at least one communication device port coupled to the data object memory;
  
  a network communication port coupled to the data object memory;
  
  a processor coupled to the data object memory;
  
  a permanent memory store for storage of rules, coupled to the processor;
  
  a dynamic memory store coupled to the processor;
  
  a physical interface coupled to the processor; and
  
  a plurality of rules stored in the permanent memory store;
  
  the method comprising;
  
  a) receiving a data object at a communication device port or at the network communication port, the network security device being invisible to any communication device and the network;
  
  b) storing the data object into the data object memory;
  
  c) processing the data object in accordance with the plurality of rules stored in the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, without executing any code in the data object such that the operation of the device is incorruptible by the data objects being processed;
  
  d) copying the data object;
  
  e) transmitting the data object by the network communication port if the data object was received from a communication device port or transmitting the data object by a communication device port if the data object was received from the network communication port; and
  
  f) storing the copied data object from step d in a database.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 55. The method of claim 54, further comprising the step of stamping identifying indicia on the copied data object.
  - 56. The method of claim 55, in which the identifying indicia comprise date and time.
  - 57. The method of claim 54, further comprising the step of alerting a third party if a data object is determined to be in violation of at least one rule stored in the permanent memory store.
  - 58. The method of claim 57, further comprising the step of substituting decoy data for at least part of the data object before transmitting the data object in step e.
  - 59. The method of claim 57, in which the third party comprises at least one network security device.
  - 60. The method of claim 59, in which the step of alerting the third party comprises sending at least one rule to one of the at least one other network security device.
  - 61. The method of claim 54, further comprising the step of transmitting the copied data object to an offsite logging server.
  - 62. The method of claim 54, further comprising the step of assembling a data object in the data object memory from a plurality of packets before the step of processing the data object.
  - 63. The method of claim 54, in which the plurality of rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, the method further comprises the step, before step b, of comparing a destination address of the data object to the plurality of network addresses in the URL database, and steps d and f of copying the data object and storing the copied data object in a database are performed only if the destination address of the data object matches at least one address in the URL database.
  - 64. The method of claim 54, in which the plurality of rules in the permanent memory store comprise a URL database comprising a plurality of network addresses, the method further comprises the step, before step b, of comparing a source address of the data object to the plurality of network addresses in the URL database, and steps d and f of copying the data object and storing the copied data object in a database are performed only if the source address of the data object matches at least one address in the URL database.

65. A system for network security comprising:
- a secure server connected to a network; and
  
  a plurality of network security devices for screening data objects flowing between a network and at least one communication device, each network security device comprising;
  
  a) a data object memory;
  
  b) at least one communication device port coupled to the data object memory;
  
  c) a network communication port coupled to the data object memory;
  
  d) a processor coupled to the data object memory;
  
  e) a permanent memory store for storage of rules, coupled to the processor;
  
  f) a dynamic memory store coupled to the processor;
  
  g) a physical interface coupled to the processor;
  
  h) a plurality of rules stored in the permanent memory store;
  
  i) a device identification, such that the device can be identified to a secure server communicating through the network communication port, and the processor is programmed such that the network security device can establish secure communication with the secure server through the network communication port;
  
  the processor being programmed such that a data object received at one of the at least one communication device port or at the network communication port is stored into the data object memory and processed by the processor in accordance with the rules from the permanent memory store, determining if the data object is in violation of at least one of the plurality of rules, and if the data object is not in violation of a rule, the data object is transmitted by the network communication port if the data object was received at the at least one communication device port, and the data object is transmitted by at least one communication device port if the data object was received at the network communication port;
  
  the device being configured such that the rules are not affected by the processing of data objects in the data object memory;
  
  the processor being programmed such that a data object in the data object memory is not permitted to interact with the dynamic memory store or the permanent memory store, such that the operation of the network security device is incorruptible by the data objects being processed; and
  
  in receiving, processing and transmitting the data objects, the network security device is not visible to the network or the at least one communication device.
- View Dependent Claims (66, 67, 68)
- - 66. The network security device of claim 65, in which at least one of the rules causes the data object in the data object memory to be processed to perform a DNS lookup to retrieve a first IP address associated with a destination address of the data object, and also to do a DNS lookup using the secure server to retrieve a second IP address associated with the destination address of the data object, and the rule causes the processor to compare the first IP address to the second IP address, and the data object is transmitted only if the first IP address matches the second IP address.
  - 67. The network security device of claim 66, in which the rule further causes the network security device to inform the secure server if the first IP address does not match the second IP address.
  - 68. The network security device of claim 65, in which the processor is programmed to accept changes to the rules in the permanent memory store from the secure server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electro Guard Corporation
Original Assignee
Electro Guard Corporation
Inventors
Todd, John, Sivanesan, Sai, Cann, David
Primary Examiner(s)
Harrell; Robert B

Application Number

US11/745,068
Publication Number

US 20070261112A1
Time in Patent Office

1,380 Days
Field of Search

709/220
US Class Current

709/220
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0272   Virtual private networks

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Method and apparatus for regulating data flow between a communications device and a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

445 Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for regulating data flow between a communications device and a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

445 Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links