Network communications

US 8,255,465 B2
Filed: 09/22/2006
Issued: 08/28/2012
Est. Priority Date: 09/23/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network processor connected to a local network, intercepting a network communication message originating from a user processor that is different from the network processor connected to the local network and which network communication message is destined for a remote processor connected to the local network via an external network;

creating a unique message appendix for the intercepted network communication message to prevent replay attacks on the intercepted network communication message using;

message attributes extracted directly from the intercepted network communication message,externally derived attributes derived by querying services external to an encoding agent of the network processor using the extracted message attributes as query parameters, andinternally derived attributes derived by querying services internal to the network processor using message attributes as query parameters,wherein the unique message appendix contains information associated with the local network that is available at the local network;

encrypting the unique message appendix using a combination of an asymmetric encryption technique that does not require key exchanges and a symmetric encryption technique that is different from the asymmetric encryption technique so that the information in the unique message appendix associated with the local network may be transmitted securely over a public network;

encoding the encrypted unique message appendix to allow the unique message appendix to be added to the network communication message without altering the contents of the network communication message; and

appending the encoded, encrypted unique message appendix to the network communication message for transmission between the network processor connected to the local network and the remote processor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for communicating information between computer networks in which the information to be communicated is required at one location (e.g. for processing) but only available at another location. The information may be absent deliberately (for privacy reasons) or may simply be unavailable as an artifact of the computer network(s) involved. The required information, such as the internal client IP address, is inserted into the outgoing network communication in a manner that does not to materially affect the normal transit or utility of the network communication (e.g. as custom headers). The information is preferably inserted in an encrypted form, so that it may pass over a public network and be invulnerable to unauthorised scrutiny.

65 Citations

View as Search Results

32 Claims

1. A method comprising:
- at a network processor connected to a local network, intercepting a network communication message originating from a user processor that is different from the network processor connected to the local network and which network communication message is destined for a remote processor connected to the local network via an external network;
  
  creating a unique message appendix for the intercepted network communication message to prevent replay attacks on the intercepted network communication message using;
  
  message attributes extracted directly from the intercepted network communication message,externally derived attributes derived by querying services external to an encoding agent of the network processor using the extracted message attributes as query parameters, andinternally derived attributes derived by querying services internal to the network processor using message attributes as query parameters,wherein the unique message appendix contains information associated with the local network that is available at the local network;
  
  encrypting the unique message appendix using a combination of an asymmetric encryption technique that does not require key exchanges and a symmetric encryption technique that is different from the asymmetric encryption technique so that the information in the unique message appendix associated with the local network may be transmitted securely over a public network;
  
  encoding the encrypted unique message appendix to allow the unique message appendix to be added to the network communication message without altering the contents of the network communication message; and
  
  appending the encoded, encrypted unique message appendix to the network communication message for transmission between the network processor connected to the local network and the remote processor.
- View Dependent Claims (2, 5, 10, 11, 17, 18, 19, 20, 21, 22, 23, 27, 28, 29, 30)
- - 2. The method of claim 1, wherein creating comprises creating the unique message appendix with information associated with the local network that includes a user'"'"'s user ID, group membership, phone number, location, address and other information obtained from a local network directory or directories.
  - 5. The method of claim 1, wherein creating comprises creating the unique message appendix for the network communication message including information comprising:
    - local network information obtained from a directory or directories associated with the local network;
      
      state information about the local network, a network user, or a network user group; and
      
      tally information indicating a number of connections made at the local network by the user or the network user group.
  - 10. The method of claim 1, further comprising executing an encoding agent at the network processor connected to the local network to perform the creating, encrypting, encoding and appending.
  - 11. The method of claim 10, and further comprising the encoding agent intercepting the network communication message in order to append the encrypted appendix.
  - 17. The method of to claim 1, wherein the network communication message is an HTTP request, an email communication or an Instant Messaging communication.
  - 18. The method of claim 1, wherein the unique message appendix is incorporated in the network communication message as header information.
  - 19. The method of claim 1, wherein the local network is a corporate network.
  - 20. The method or system according to claim 1, wherein the external network is the Internet.
  - 21. The method of claim 1, wherein intercepting, creating, encrypting, encoding and appending are performed at an Internet-level network processor.
  - 22. The method of claim 21, wherein intercepting, creating, encrypting, encoding and appending are performed at the Internet-level network processor for a web security service.
  - 23. The method of claim 22, wherein intercepting, creating, encrypting, encoding and appending are performed at the Internet-level network processor for any one or more of web virus scanning, web filtering and web spyware screening.
  - 27. The method of claim 1, wherein creating comprises creating the unique message appendix by combining separate data items of a message into a single parseable message and wherein encrypting comprises encrypting the parseable message using a symmetric session key which is itself encrypted using a public key of a service provider proxy server.
  - 28. The method of claim 1, wherein encrypting comprises encrypting the unique message appendix using a Session Key.
  - 29. The method of claim 28, wherein encrypting the unique message appendix using the Session Key comprises using a Decoding Agent Public Key.
  - 30. The method of claim 28, further comprising encoding the Session Key.

3. A method comprising:
- at a remote processor connected to a local network via an external network, receiving a network communication message from a network processor connected to the local network, wherein the network communication message includes an encoded and encrypted unique message appendix used to prevent replay attacks on the intercepted network communication message;
  
  decrypting the unique message appendix using a combination of an asymmetric decryption technique that does not require key exchanges and a symmetric decryption technique that is different form the asymmetric decryption technique;
  
  extracting the unique message appendix that was generated from;
  
  message attributes extracted directly from the network communication message,externally derived attributes derived by querying services external to an encoding agent of the network processor using the extracted message attributes as query parameters, andinternally derived attributes derived by querying services internal to the network processor using message attributes as query parameters; and
  
  processing the unique message appendix to obtain local network information available at the network processor from which the communication message originated.
- View Dependent Claims (4, 6, 7, 8, 9, 26)
- - 4. The method of claim 3, further comprising removing the unique message appendix from the network communication message once received by the remote processor.
  - 6. The method of claim 3, wherein processing comprises processing the network communication message based on information comprising:
    - local network information obtained from a directory or directories associated with the local network;
      
      state information about the local network, a network user, or a network user group; and
      
      tally information indicating a number of connections made at the local network by the user or the network user group.
  - 7. The method of claim 6, further comprising removing the unique message appendix from the network communication message once received by the remote processor.
  - 8. The method according to claim 6, wherein the local network information includes:
    - user or group level information, a user'"'"'s user ID, group membership, phone number, location, address and other information obtained from a local network directory or directories.
  - 9. The method according to claim 6, wherein the state information includes other data associated with the network communication message, derived data associated with the network communication message, and/or other information independent of the specific network communication message.
  - 26. The method of claim 3, further comprising:
    - executing a decoding agent at the remote processor connected to the local network via the external network to perform the receiving, decrypting and extracting; and
      
      executing a processing agent at the remote processor to perform the processing.

12. An apparatus comprising:
- a network processor configured to connect to a local network, the network processor executing an encoding agent that is configured to;
  
  intercept a network communication message that originates from a user processor connected to the local network and that is destined for a remote processor connected to the local network via an external network;
  
  create a unique message appendix for the intercepted network communication message using;
  
  message attributes extracted directly from the intercepted network communication message,externally derived attributes derived by querying services external to an encoding agent of the network processor using the extracted message attributes as query parameters, andinternally derived attributes derived by querying services internal to the network processor using message attributes as query parameters,wherein the unique message appendix contains information associated with the local network that is available at the local network;
  
  encrypt the unique message appendix using a combination of an asymmetric encryption technique that does not require key exchanges and a symmetric encryption technique that is different from the asymmetric encryption technique so that the information in the unique message appendix associated with the local network may be transmitted securely over a public network;
  
  encode the encrypted unique message appendix to allow the unique message appendix to be added to the network communication message without altering the contents of the network communication message; and
  
  append the encoded, encrypted unique message appendix to the network communication message for transmission between the network processor connected to the local network and the remote processor.
- View Dependent Claims (15, 16, 24, 25, 31, 32)
- - 15. The apparatus of claim 12, wherein the network processor executes the encoding agent to create the unique message appendix for the network communication message including information comprising:
    - local network information available from a directory or directories associated with the local network;
      
      state information about the local network, a network user, or a network user group; and
      
      tally information indicating a number of connections made at the local network by the user or the network user group.
  - 16. The apparatus of claim 15, wherein the network processor executes the encoding agent to intercept the network communication in order to append the unique message appendix.
  - 24. The apparatus of claim 12, wherein the network processor executes the encoding agent in order to forward the network communication message to the remote processor.
  - 25. The apparatus of claim 24, wherein the network communication message does not originate from the encoding agent and the network processor executes the encoding agent in order to intercept the network communication.
  - 31. The apparatus of claim 12, wherein the encoding agent is configured to encrypt the unique message appendix using a Session Key.
  - 32. The apparatus of claim 31, wherein the encoding agent is configured to encrypt the unique message appendix using a Decoding Agent Public Key.

13. An apparatus comprising:
- a network processor configured to connect to a local network via an external network, the network processor executing a decoding agent that is configured to;
  
  receive a network communication message from another network processor connected to the local network, wherein the network communication message includes an encoded and encrypted unique message appendix used to prevent replay attacks on the intercepted network communication message; and
  
  decrypt the unique message appendix using a combination of an asymmetric decryption that does not require key exchanges and a symmetric decryption technique that is different from the asymmetric decryption technique;
  
  extract the unique message appendix that was generated from;
  
  message attributes extracted directly from the network communication message,externally derived attributes derived by querying services external to an encoding agent of the network processor using the extracted message attributes as query parameters, andinternally derived attributes derived by querying services internal to the network processor using message attributes as query parameters; and
  
  the network processor executing a processing agent that is configured to process the unique message appendix to obtain local network information available at the network processor from which the communication message originated.
- View Dependent Claims (14)
- - 14. The apparatus of claim 13, wherein the network processor is configured to execute the processing agent in order to process the network communication based on information comprising:
    - local network information available from a directory or directories associated with the local network;
      
      state information about the local network, a network user, or a network user group; and
      
      tally information indicating a number of connections made at the local network by the user or the network user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.), Network Communication
Original Assignee
ScanSafe Ltd. (Cisco Systems, Inc.)
Inventors
Edwards, John
Primary Examiner(s)
Follansbee, John
Assistant Examiner(s)
Daftuar, Saket K

Application Number

US11/534,604
Publication Number

US 20070074018A1
Time in Patent Office

2,167 Days
Field of Search

709246-247, 709/202, 709206-207, 713/150, 713/168, 713/181, 713/176, 713/200, 713/171, 713/152, 380/270, 380/285, 455/410, 455/411, 726/3, 726/4, 726/5, 726/6, 726/21, 726/22, 726/23, 726/24, 726/26, 726/28, 726/29, 726/30
US Class Current

709/206
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 67/561   Adding application-function...

Network communications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Network communications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links