System and method for controlling access to network resources

US 8,209,740 B1
Filed: 09/20/2011
Issued: 06/26/2012
Est. Priority Date: 06/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a computer network, the method comprising:

intercepting by a network access controller a data transmission to or from a computer, wherein the network access controller includes a device associated with the network that has the highest performance rating among a plurality of computers in the network, and wherein the performance rating is determined based on the device'"'"'s configuration and network topology;

identifying by the network access controller a network access policy associated with said computer;

if there is a network access policy associated with said computer, allowing the data transmission to or from said computer based on the associated network access policy;

if there is no network access policy associated with said computer, deploying on said computer an administration agent configured to collect configuration information from said computer and information about topology of said network and send the collected information to the network access controller;

determining by the network access controller a network access policy for said computer based on the collected information;

redirecting the intercepted data transmission based on the network access policy;

activating via the administrative agent of said computer an antivirus software on said computer, the antivirus software configured to perform antivirus analysis of said computer, and, if a malicious activity is detected on said computer, report about said activity to the network access controller; and

limiting by the network access controller data transmissions to or from said computer until the malicious activity is eliminated by the antivirus software to prevent spread of the malicious activity to other computers in the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for controlling access to a computer network. An example network access controller is configured to intercept data transmission to or from a computer and identify a network access policy associated with said computer. If there is no network access policy associated with said computer, the controller deploys on said computer an administration agent configured to collect configuration information from said computer and information about topology of said network. The controller determines a network access policy for said computer based on the collected information. The controller also activates antivirus software on said computer, to detect any malicious activity on said computer. If malicious activity is detected, the controller limits data transmissions to or from said computer until the malicious activity is eliminated by the antivirus software to prevent spread of the malicious activity to other computers in the network.

39 Citations

View as Search Results

15 Claims

1. A method for controlling access to a computer network, the method comprising:
- intercepting by a network access controller a data transmission to or from a computer, wherein the network access controller includes a device associated with the network that has the highest performance rating among a plurality of computers in the network, and wherein the performance rating is determined based on the device'"'"'s configuration and network topology;
  
  identifying by the network access controller a network access policy associated with said computer;
  
  if there is a network access policy associated with said computer, allowing the data transmission to or from said computer based on the associated network access policy;
  
  if there is no network access policy associated with said computer, deploying on said computer an administration agent configured to collect configuration information from said computer and information about topology of said network and send the collected information to the network access controller;
  
  determining by the network access controller a network access policy for said computer based on the collected information;
  
  redirecting the intercepted data transmission based on the network access policy;
  
  activating via the administrative agent of said computer an antivirus software on said computer, the antivirus software configured to perform antivirus analysis of said computer, and, if a malicious activity is detected on said computer, report about said activity to the network access controller; and
  
  limiting by the network access controller data transmissions to or from said computer until the malicious activity is eliminated by the antivirus software to prevent spread of the malicious activity to other computers in the network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - collecting by a plurality of administration agents deployed on the plurality of computers in the network configuration information of each of the plurality of computers and information about topology of said network;
      
      transmitting the collected information to an administration server for selecting from the plurality of computers in the network the network access controller for the network and determining network access policies for each of the plurality of computers; and
      
      receiving by the selected network access controller a plurality of network access policies for the plurality of computers, wherein the network access controller uses the network access policies to regulate access to and from the plurality of the computers to the network.
  - 3. The method of claim 1, wherein intercepting by the network access controller a data transmission to or from a computer further comprises:
    - receiving by the network access controller a broadcast message from said computer, wherein the broadcast message is an Address Resolution Protocol (ARP) request message addressed to another computer in the network;
      
      transmitting by the network access controller an ARP response message to said computer, wherein the ARP response message containing an IP address of the computer to which the ARP request message was addressed and MAC address of the network access controller; and
      
      transmitting by the network access controller an ARP response message to the computer to which the ARP request message was addressed, wherein the ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 4. The method of claim 1, wherein intercepting by the network access controller a data transmission to or from a computer further comprises:
    - receiving by the network access controller a broadcast message from said computer, wherein the broadcast message is an ARP announce message;
      
      transmitting by the network access controller a plurality of ARP response messages to said computer, wherein the number of ARP response messages corresponds to the number of computers in the network, and wherein each ARP response message contains an IP address of a computer in the network and MAC address of the network access controller; and
      
      transmitting by the network access controller an ARP response message to each of the plurality of computers in the network, wherein said ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 5. The method of claim 1, wherein redirecting the intercepted data transmission based on the network access policy further comprises:
    - transmitting by the network access controller a plurality of ARP response messages to said computer, wherein the number of ARP response messages corresponds to the number of computers in the network to which access by said computer is allowed, and wherein each ARP response message contains an IP address and MAC address of a computer in the network to which access by said computer is allowed; and
      
      transmitting by the network access controller an ARP response message to each of the plurality of computers to which access by said computer is allowed, the ARP response message containing an IP address and MAC address of said computer.

6. A system for controlling access to a computer network, the system comprising:
- a network access controller comprising a processor and a memory, wherein the network access controller includes a device associated with the network that has the highest performance rating among a plurality of computers in the network, and wherein the performance rating is determined based on the device'"'"'s configuration and network topology;
  
  wherein the memory is configured to store a plurality of network access policies for a plurality of computers in the network; and
  
  wherein the processor is configured to;
  
  intercept a data transmission to or from a computer;
  
  identify a network access policy associated with said computer;
  
  if there is a network access policy associated with said computer, allow the data transmission to or from said computer based on the associated network access policy;
  
  if there is no network access policy associated with said computer, deploy on said computer an administration agent configured to collect configuration information from said computer and information about topology of said network and send the collected information to the network access controller;
  
  determine a network access policy for said computer based on the collected information;
  
  redirect the intercepted data transmission based on the network access policy;
  
  activate via the administrative agent of said computer an antivirus software on said computer, the antivirus software configured to perform antivirus analysis of said computer, and, if a malicious activity is detected on said computer, report about said activity to the network access controller; and
  
  limit data transmissions to or from said computer until the malicious activity is eliminated by the antivirus software to prevent spread of the malicious activity to other computers in the network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, further comprising an administration server, wherein the administration server configured to:
    - receive from a plurality of administration agents deployed on the plurality of computers in the network configuration information of each of the plurality of computers and information about topology of said network;
      
      select from the plurality of computers in the network the network access controller for the network;
      
      determine a network access policy for each of the plurality of computers; and
      
      transmit to the selected network access controller a plurality of network access policies for the plurality of computers, whereby the network access controller uses the network access policies to regulate access to and from the plurality of the computers to the network.
  - 8. The system of claim 6, wherein to intercept a data transmission to or from a computer, the processor further configured to:
    - receive a broadcast message from said computer, wherein the broadcast message is an ARP request message addressed to another computer in the network;
      
      transmit an ARP-response message to said computer, wherein the ARP response message containing an IP address of the computer to which the ARP request message was addressed and MAC address of the network access controller; and
      
      transmit an ARP response message to the computer to which the ARP-request message was addressed, wherein the ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 9. The system of claim 6, wherein to intercept a data transmission to or from a computer, the processor further configured to:
    - receive a broadcast message from said computer, wherein the broadcast message is an ARP announce message;
      
      transmit a plurality of ARP response messages to said computer, wherein the number of ARP-response messages corresponds to the number of computers in the network, and wherein each ARP-response message contains an IP address of a computer in the network and MAC address of the network access controller; and
      
      transmit an ARP response message to each of the plurality of computers in the network, wherein the ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 10. The system of claim 6, wherein to redirect the intercepted data transmission based on the network access policy, the processor further configured to:
    - transmit a plurality of ARP response messages to said computer, wherein the number of ARP-response messages corresponds to the number of computers in the network to which access by said computer is allowed, and wherein each ARP response message contains an IP address and MAC address of a computer in the network to which access by said computer is allowed; and
      
      transmit an ARP-response message to each of the plurality of computers to which access by said computer is allowed, the ARP-response message containing an IP address and MAC address of said computer.

11. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for controlling access to a computer network, the medium comprises instructions for:
- intercepting by a network access controller a data transmission to or from a computer, wherein the network access controller includes a device associated with the network that has the highest performance rating among a plurality of computers in the network, and wherein the performance rating is determined based on the device'"'"'s configuration and network topology;
  
  identifying by the network access controller a network access policy associated with said computer;
  
  if there is a network access policy associated with said computer, allowing the data transmission to or from said computer based on the associated network access policy;
  
  if there is no network access policy associated with said computer, deploying on said computer an administration agent configured to collect configuration information from said computer and information about topology of said network and send the collected information to the network access controller;
  
  determining by the network access controller a network access policy for said computer based on the collected information;
  
  redirecting the intercepted data transmission based on the network access policy;
  
  activating via the administrative agent of said computer an antivirus software on said computer, the antivirus software configured to perform antivirus analysis of said computer, and, if a malicious activity is detected on said computer, report about said activity to the network access controller; and
  
  limiting by the network access controller data transmissions to or from said computer until the malicious activity is eliminated by the antivirus software to prevent spread of the malicious activity to other computers in the network.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The product of claim 11 further comprising instructions for:
    - collecting by a plurality of administration agents deployed on the plurality of computers in the network configuration information of each of the plurality of computers and information about topology of said network;
      
      transmitting the collected information to an administration server for selecting from the plurality of computers in the network the network access controller for the network and determining network access policies for each of the plurality of computers; and
      
      receiving by the selected network access controller a plurality of network access policies for the plurality of computers, wherein the network access controller uses the network access policies to regulate access to and from the plurality of the computers to the network.
  - 13. The product of claim 11, wherein instructions for intercepting by the network access controller a data transmission to or from a computer further comprise instructions for:
    - receiving by the network access controller a broadcast message from said computer, wherein the broadcast message is an Address Resolution Protocol (ARP) request message addressed to another computer in the network;
      
      transmitting by the network access controller an ARP response message to said computer, wherein the ARP response message containing an IP address of the computer to which the ARP request message was addressed and MAC address of the network access controller; and
      
      transmitting by the network access controller an ARP response message to the computer to which the ARP request message was addressed, wherein the ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 14. The product of claim 11, wherein instructions for intercepting by the network access controller a data transmission to or from a computer further comprise instructions for:
    - receiving by the network access controller a broadcast message from said computer, wherein the broadcast message is an ARP announce message;
      
      transmitting by the network access controller a plurality of ARP response messages to said computer, wherein the number of ARP response messages corresponds to the number of computers in the network, and wherein each ARP response message contains an IP address of a computer in the network and MAC address of the network access controller; and
      
      transmitting by the network access controller an ARP response message to each of the plurality of computers in the network, wherein said ARP response message containing an IP address of said computer and MAC address of the network access controller.
  - 15. The product of claim 11, wherein instructions for redirecting the intercepted data transmission based on the network access policy further comprise instructions for:
    - transmitting by the network access controller a plurality of ARP response messages to said computer, wherein the number of ARP response messages corresponds to the number of computers in the network to which access by said computer is allowed, and wherein each ARP response message contains an IP address and MAC address of a computer in the network to which access by said computer is allowed; and
      
      transmitting by the network access controller an ARP response message to each of the plurality of computers to which access by said computer is allowed, the ARP response message containing an IP address and MAC address of said computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Tarasenko, Alexander S., Shiyafetdinov, Damir R., Vasilyev, Sergey A., Kulaga, Andrey A.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US13/237,627
Time in Patent Office

280 Days
Field of Search

726/1, 726/3, 726/27, 726/12, 726/4, 726/24, 713/156
US Class Current

726/1
CPC Class Codes

H04L 41/0853   by actively collecting conf...

H04L 41/12   Discovery or management of ...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and method for controlling access to network resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling access to network resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links