High-assurance file-driven content filtering for secure network server

US 8,185,944 B2
Filed: 02/28/2006
Issued: 05/22/2012
Est. Priority Date: 02/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method of transferring data between networks operating at different security levels, said data being a stream of messages, each message comprising fields having a field length selected from a plurality of different field lengths, comprising the following steps:

(a) establishing a Transmission Control Protocol (TCP) session in response to initiation of a connection of a source host to a secure network server, said source host having a first security level, and said establishing a TCP session comprising creating a receiving task group, creating a forwarding task group and creating a generic filtering task group;

(b) providing a filter file that specifies filtering rules for a port number for an interface with a destination host, said destination host having a second security level different than said first security level;

(c) establishing a connection between said forwarding task group and said destination host that allows said forwarding task group to send messages to said destination host;

(d) establishing a connection between said receiving task group and said source host that allows said receiving task group to receive a message transmitted by said source host;

(e) said receiving task group storing said message received from said source host in a file having a file name and then forwarding said file name to said filtering task group;

(f) said filtering task group receiving said filtering rules from said filter file during initialization, reading data of said message stored in said file having said file name, validating that said read data matches a preset order and content values of said filtering rules, and filtering the content of said read data in accordance with said filtering rules;

(g) after the steps recited in (f) have been completed, said filtering task group sending a message to said forwarding task group, said message including said file name of said file containing said filtered data; and

(h) said forwarding task group reading the filtered data from said file having said file name and forwarding the filtered data to said destination host,wherein each of said filtering rules comprises one of a plurality of file type values, each one of said plurality of file type values representing a respective type of message to be filtered, said message types comprising e-mail, extensible markup language (XML) messages and fixed-format messages, and wherein each of said filtering rules further comprises one of a plurality of action type values, each one of said plurality of action type values representing a respective type of action to be taken, said action types comprising checking that a value in a message field equals a value identified in the filtering rule being applied, checking that a value in a message field falls within a range of values identified in the filtering rule being applied, and checking that a value in a message field equals one of a list of values identified in the filtering rule being applied.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server for transferring data between networks. The server is programmed to perform the following steps: (a) creating a receiving process, a filtering process and a forwarding process, the filtering process being dictated by a file that specifies filtering rules, wherein: (b) the receiving process receives data transmitted from a source host; (c) the filtering process filters the transmitted data based on the filtering rules; and (d) the forwarding process forwards only filtered data to a destination host.

Citations

8 Claims

1. A method of transferring data between networks operating at different security levels, said data being a stream of messages, each message comprising fields having a field length selected from a plurality of different field lengths, comprising the following steps:
- (a) establishing a Transmission Control Protocol (TCP) session in response to initiation of a connection of a source host to a secure network server, said source host having a first security level, and said establishing a TCP session comprising creating a receiving task group, creating a forwarding task group and creating a generic filtering task group;
  
  (b) providing a filter file that specifies filtering rules for a port number for an interface with a destination host, said destination host having a second security level different than said first security level;
  
  (c) establishing a connection between said forwarding task group and said destination host that allows said forwarding task group to send messages to said destination host;
  
  (d) establishing a connection between said receiving task group and said source host that allows said receiving task group to receive a message transmitted by said source host;
  
  (e) said receiving task group storing said message received from said source host in a file having a file name and then forwarding said file name to said filtering task group;
  
  (f) said filtering task group receiving said filtering rules from said filter file during initialization, reading data of said message stored in said file having said file name, validating that said read data matches a preset order and content values of said filtering rules, and filtering the content of said read data in accordance with said filtering rules;
  
  (g) after the steps recited in (f) have been completed, said filtering task group sending a message to said forwarding task group, said message including said file name of said file containing said filtered data; and
  
  (h) said forwarding task group reading the filtered data from said file having said file name and forwarding the filtered data to said destination host,wherein each of said filtering rules comprises one of a plurality of file type values, each one of said plurality of file type values representing a respective type of message to be filtered, said message types comprising e-mail, extensible markup language (XML) messages and fixed-format messages, and wherein each of said filtering rules further comprises one of a plurality of action type values, each one of said plurality of action type values representing a respective type of action to be taken, said action types comprising checking that a value in a message field equals a value identified in the filtering rule being applied, checking that a value in a message field falls within a range of values identified in the filtering rule being applied, and checking that a value in a message field equals one of a list of values identified in the filtering rule being applied.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein said filtering step comprises checking for a presence of dirty words in text fields of said message.
  - 3. The method as recited in claim 1, wherein said filtering step comprises stripping out a field of said message.
  - 4. The method as recited in claim 1, wherein said filtering step comprises zeroing a field of said message.
  - 5. The method as recited in claim 1, further comprising the step of downgrading a sensitivity level of said message.
  - 6. The method as recited in claim 1, further comprising the step of upgrading a sensitivity level of said message.
  - 7. The method as recited in claim 1, wherein said filtering step comprises replacing a field of said message.

8. A secure network server system for transferring data between networks operating at different security levels, said data being a stream of messages, each message comprising a set of fields of transmitted data to be filtered, said secure network server system being programmed to perform the following steps:
- (a) establishing a Transmission Control Protocol (TCP) session in response to initiation of a connection of a source host to said secure network server, said source host having a first security level, and said establishing a TCP session comprising creating a receiving task group, creating a forwarding task group and creating a generic filtering task group;
  
  (b) providing a filter file that specifies filtering rules for a port number for an interface with a destination host, said destination host having a second security level different than said first security level;
  
  (c) establishing a connection between said forwarding task group and said destination host that allows said forwarding task group to send messages to said destination host;
  
  (d) establishing a connection between said receiving task group and said source host that allows said receiving task group to receive a message transmitted by said source host;
  
  (e) said receiving task group storing said message received from said source host in a file having a file name and then forwarding said file name to said filtering task group;
  
  (f) said filtering task group receiving said filtering rules from said filter file during initialization, reading data of said message stored in said file having said file name, validating that said read data matches a preset order and content values of said filtering rules, and filtering the content of said read data in accordance with said filtering rules;
  
  (g) after the steps recited in (f) have been completed, said filtering task group sending a message to said forwarding task group, said message including said file name of said file containing said filtered data; and
  
  (h) said forwarding task group reading the filtered data from said file having said file name and forwarding the filtered data to said destination host,wherein each of said filtering rules comprises one of a plurality of file type values, each one of said plurality of file type values representing a respective type of message to be filtered, said message types comprising e-mail, extensible markup language (XML) messages and fixed-format messages, and wherein each of said filtering rules further comprises one of a plurality of action type values, each one of said plurality of action type values representing a respective type of action to be taken, said action types comprising checking that a value in a message field equals a value identified in the filtering rule being applied, checking that a value in a message field falls within a range of values identified in the filtering rule being applied, and checking that a value in a message field equals one of a list of values identified in the filtering rule being applied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Schnackenberg, Daniel D., Bunn, Kelly S., Donofrio, Thomas E., Arnold, Steven L., Reid, Travis S., Hammond, Ryan D.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/365,043
Publication Number

US 20070204337A1
Time in Patent Office

2,275 Days
Field of Search

726/11, 726/12, 726/13, 726/14, 726/26, 726/22, 713/153, 713/154, 713/151, 713/152, 707/E17.059
US Class Current

726/12
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/105 Multiple levels of security

High-assurance file-driven content filtering for secure network server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

High-assurance file-driven content filtering for secure network server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links