Method and apparatus for effecting secure communications

US 8,140,694 B2
Filed: 03/15/2004
Issued: 03/20/2012
Est. Priority Date: 03/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method of effecting secure communications between a server and a client, the server executed in a server computer, the method comprising:

detecting, at the server computer, a client connection at a first port;

providing, by the server computer, the client with a decoy port number; and

providing, by the server computer, services to the client on a second port having a second port number that is mapped to the decoy port number, wherein the second port number is different from the decoy port number; and

maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the table maintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;

monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique to effect secure communications with a server application, such as server applications that are accessible on the Internet. In one embodiment, a client connection is detected at a first port. The client is provided with a decoy port number. A server provides services to the client on a second port that is mapped to the decoy port number.

38 Citations

View as Search Results

22 Claims

1. A method of effecting secure communications between a server and a client, the server executed in a server computer, the method comprising:
- detecting, at the server computer, a client connection at a first port;
  
  providing, by the server computer, the client with a decoy port number; and
  
  providing, by the server computer, services to the client on a second port having a second port number that is mapped to the decoy port number, wherein the second port number is different from the decoy port number; and
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the table maintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
- View Dependent Claims (2, 3, 4, 19)
- - 2. A method as defined in claim 1, wherein the decoy port number is provided to the client by the operation of a routine that is associated with the server, the routine executed in the server computer.
  - 3. A method as defined in claim 2, further comprising:
    - launching the server on the second port; and
      
      monitoring the second port for a connection by the client.
  - 4. A method as defined in claim 3, further comprising;
    - if there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
  - 19. The method as defined in claim 1, wherein providing the decoy port number comprises providing the decoy port number that has no meaning to an unauthorized client computer, but the decoy port number is mappable to the second port number by an authorized client computer.

5. A computer system comprising:
- a plurality of ports, each port having a respective port number;
  
  a server application; and
  
  a routine that, if executed, is operative to;
  
  detect a client connection at a fast port;
  
  provide the client with a decoy port number; and
  
  provide services to the client on a second port having a second port number that is mapped to the decoy port number, wherein the second port number is different from the decoy port number;
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the tablemaintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
- View Dependent Claims (6, 7, 20, 21)
- - 6. A computer system as defined in claim 5, wherein the routine, if executed, is operative to:
    - launch the server application on the second port; and
      
      monitor the second port for a connection by the client.
  - 7. A computer system as defined in claim 5, wherein the routine, if executed, is operative to:
    - launch the server application on the second port subsequent to providing the decoy port number to the client.
  - 20. The computer system as defined in claim 5, wherein the decoy port number provided to the client enables the client to map, using a second table associated with the client, the decoy port number to the second port number such that the client can connect to the computer system at the second port number.
  - 21. The computer system as defined in claim 5, wherein the decoy port number has no meaning to an unauthorized client computer, but the decoy port number is mappable to the second port number by an authorized client computer.

8. A server computer system comprising:
- a plurality of ports, each port having a respective port number;
  
  a first server application; and
  
  a first routine that is associated with the first server application and that, if executed, is operative to;
  
  detect a client connection at a first port;
  
  transmit a decoy port number to the client;
  
  terminate the connection to the first port; and
  
  provide services to the client on a second port having a second port number that is mapped to the decoy port number, the second port number being a valid port number that is different from the decoy port number;
  
  a second server application; and
  
  a second routine that is associated with the second server application and that, if executed, is operative to;
  
  detect a client connection at a third port;
  
  transmit a second decoy port number to the client;
  
  terminate the connection to the third port; and
  
  provide services to the client on a fourth port having a fourth port number that is mapped to the second decoy port number, the fourth part number being another valid port number that is different from the second decoy port number;
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the table maintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
- View Dependent Claims (9)
- - 9. A server computer system as defined in claim 8, wherein the first routine and the second routine, if executed are operable, respectively, to:
    - terminate execution of the first server application on the second port if there is no client connection within a predetermined time interval; and
      
      terminate execution of the second server application on the fourth port if there is no client connection within a predetermined time interval.

10. A method executed by a client computer, comprising:
- attempting to access a server application on a first port of a server computer;
  
  receiving, from the server computer, a decoy port number that is an invalid port number;
  
  translating the decoy port number to a valid port number; and
  
  connecting to the server application on the valid port number; and
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the table maintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the secondport.
- View Dependent Claims (11, 12, 13)
- - 11. A method as defined in claim 10, wherein the decoy port number is translated using a wrapper script associated with a client application in the client computer.
  - 12. A method as defined in claim 10, wherein the decoy pot number is translated using code embedded in a client application in the client computer.
  - 13. A method as defined in claim 10, further comprising:
    - mapping the decoy port number to an intermediate port number; and
      
      effecting an offset to the intermediate port number to produce the valid port number.

14. A computer system comprising:
- a plurality of ports, each port having a respective port number;
  
  an application; and
  
  means for effecting secure access to the application by redirecting a client from a first port to a second port, wherein the means for effecting secure access comprises;
  
  a routine that, if executed, is operable to provide the client with a decoy port number that maps to a second port number of the second port, wherein the decoy port number is an invalid port number and the second port number is valid port number; and
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the tablemaintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.

15. An article comprising a non-transitory machine-readable storage medium that comprises instructions that, if executed, cause n server computer to:
- detect a connection at a first port of the server computer by a client application;
  
  transmit, to the client application, a decoy port number, wherein the decoy port number is an invalid port number; and
  
  cause a server application in the server computer to be launched at a second port that has a second port number mapped to the decoy port number, the second port number being a valid port number; and
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the table maintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
- View Dependent Claims (22)
- - 22. The article of claim 15, wherein the decoy port number is meaningless to an unauthorized client computer, but the decoy port number is mappable to the valid port number by an authorized client computer.

16. A client/server system comprising:
- a server computer system; and
  
  a server application installed on the sever computer system and comprising instructions that, if executed on the server computer system, are effective to;
  
  detect a connection at a first port by a client application;
  
  transmit, to the client application, a decoy port number, wherein the decoy portnumber is an invalid port number;
  
  terminate the connection on the first port; and
  
  provide services to the client application on a second port having a second port number that is mapped to the decoy port number; and
  
  maintaining, in the server computer, a table of available decoy port numbers that are mapped to valid port numbers wherein the tablemaintained in the server computer corresponds to a second table maintained at a client computer on which the client is executed, the second table mapping decoy numbers to valid port numbers at the client computer;
  
  monitoring the second port for a connection by the client, andif there is no connection by the client within a predetermined time interval, terminating execution of the server on the second port.
- View Dependent Claims (17, 18)
- - 17. A client/server system as defined in claim 16, further comprising:
    - a client computer system; and
      
      a client application installed on the client computer system and comprising instructions that, if executed on the client computer system, are effective to;
      
      attempt to access the server application on the first port;
      
      translate the decoy port number to the second port number; and
      
      connect to the server application on the second port.
  - 18. A client/server system as defined in claim 17, wherein the client application further comprises instructions that, if executed on the client computer system, are effective to:
    - map the decoy port number to an intermediate port number, andimpart an offset to the intermediate port number so as to derive the second port number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Johnson, Ted C.
Primary Examiner(s)
Bayard, Djenane M
Assistant Examiner(s)
Cheema, Umar

Application Number

US10/800,828
Publication Number

US 20050204157A1
Time in Patent Office

2,927 Days
Field of Search

709/203, 709223-226, 709227-229
US Class Current

709/230
CPC Class Codes

H04L 63/1491 using deception as counterm...

H04L 67/563 Data redirection of data ne...

Method and apparatus for effecting secure communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for effecting secure communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others