Method and apparatus for geographically regulating inbound and outbound network communications

US 8,584,226 B2
Filed: 01/26/2007
Issued: 11/12/2013
Est. Priority Date: 01/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a geographic country of origin filter of information transmitting on a network:

a) a network object on which the method is embodied, which extracts a network address from Internet traffic routed or collected by said network object; and

performs at least one data lookup operation to obtain country of origin geographic information pertaining to said Internet network address;

b) configuring said geographic country of origin filter by;

Sending or receiving information used to generate a set of persistent geographic country of origin associations comprising a plurality of Internet address blocks;

Performing at least one data processing operating to associate a geographic country of origin location pertaining to each block; and

Generating at least one geographic country of origin security assertion wherein a device action is defined for at least one geographic country of origin association wherein the device action is triggered for any Internet address belonging to a defined network address block having an estimated country of origin geographic location, wherein the device action either;

Allows Internet traffic to be sent or received from said Internet address to the desired destination;

Disallows Internet traffic to be sent or received from said Internet address to the desired destination;

orMows Internet traffic to be sent or received from said Internet address to an undesired destination determined by said geographic filter;

c) Optimizing said geographic country of origin information pertaining to Internet network addresses in accordance with at least one algorithm, wherein an algorithm is applied to the plurality of geographic country of origin associations between IP address blocks and geographic country of origin locations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for regulating and analyzing inbound and outbound communications in and between computer networks on the basis of geographic security assertions are provided. Geographic information is collected, optimized, and shared between network objects to enforce network access control on the basis of configurable security assertions. Security assertions are configured and metrics displayed using maps and other geographic data in a graphical user interface.

Citations

27 Claims

1. A method for a geographic country of origin filter of information transmitting on a network:
- a) a network object on which the method is embodied, which extracts a network address from Internet traffic routed or collected by said network object; and
  
  performs at least one data lookup operation to obtain country of origin geographic information pertaining to said Internet network address;
  
  b) configuring said geographic country of origin filter by;
  
  Sending or receiving information used to generate a set of persistent geographic country of origin associations comprising a plurality of Internet address blocks;
  
  Performing at least one data processing operating to associate a geographic country of origin location pertaining to each block; and
  
  Generating at least one geographic country of origin security assertion wherein a device action is defined for at least one geographic country of origin association wherein the device action is triggered for any Internet address belonging to a defined network address block having an estimated country of origin geographic location, wherein the device action either;
  
  Allows Internet traffic to be sent or received from said Internet address to the desired destination;
  
  Disallows Internet traffic to be sent or received from said Internet address to the desired destination;
  
  orMows Internet traffic to be sent or received from said Internet address to an undesired destination determined by said geographic filter;
  
  c) Optimizing said geographic country of origin information pertaining to Internet network addresses in accordance with at least one algorithm, wherein an algorithm is applied to the plurality of geographic country of origin associations between IP address blocks and geographic country of origin locations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein the network object is a personal computer.
  - 3. The method of claim 1, wherein the network object is a network gateway.
  - 4. The method of claim 1, wherein the network object is a server.
  - 5. The method of claim 4, wherein the network object is an application gateway.
  - 6. The method of claim 4, wherein the protected network object is a mail server.
  - 7. The method of claim 1, wherein the network object is a web proxy server.
  - 8. The method of claim 1, wherein the protected network object includes other network services utilizing the Internet Protocol for communication.
  - 9. The method of claim 1, wherein a geographic security assertion is at least one Resource Identifier and a Device Action.
  - 10. The method of claim 1, wherein said optimization algorithm comprises a conversion algorithm.
  - 11. The method of claim 1, wherein the compact representation of geographic security assertions is a memory structure.
  - 12. The method of claim 1, wherein the contextual property of a memory structure is a whitelist.
  - 13. The method of claim 1 wherein the contextual property of a memory structure is a blacklist.
  - 14. The method of claim 1, wherein a communication protocol attribute is an IP address field within a protocol header.
  - 16. The method of claim 1, wherein the configuring is based on geographic security assertions provided by an automated remote process.
  - 17. The method of claim 1, wherein the information used to generate a set of persistent geographic associations is retrieved by an automated process.
  - 18. The method of claim 1, wherein logging information is displayed using textual and graphical depictions of Device Actions and Resource Identifiers.
  - 19. The method of claim 1, wherein configuration and logging information is shared between network objects and geographic filter devices via a separate remote service.
  - 20. The method of claim 16, wherein the automated remote process is a threat feed.
  - 21. The method of claim 1, wherein said country of origin geographic information is a country code.
  - 22. The method of claim 1, wherein said conversion algorithm translates a dotted-quad IP Address into an IP Address representation, comprising a 32-bit integer representation.
  - 23. The method of claim 1, wherein said conversion algorithm is applied to lists, such as converting a list denoted by two Dotted-Quad network addresses denoting a start address and an end address into another format, as comprising a single 32-bit Integer followed by a number indicating the number of contiguous IP addresses that follow.
  - 24. The method of claim 1, wherein said encoding algorithm is applied to lists, such as converting a list denoted by two Dotted-Quad network addresses denoting a start address and an end address into another format, comprising a single 32-bit Integer followed by a number indicating the number of contiguous IP addresses that follow.
  - 25. The method of claim 1, wherein said IP addresses are converted into or out of CIDR (Classless Inter-Domain Routing) notation.
  - 26. The method of claim 1, wherein said optimizing is compression into as large continuous blocks as possible.
  - 27. The method of claim 1, wherein said optimizing results are stored into memory structures.

15. A computer program product implementing the method of blocking incoming and outgoing network traffic from countries, geographic regions, and other entities associated with geographic regions, constituting a geographic filter, the method comprising:
- a) Network device on which the method is embodied;
  
  b) Executing computer code for collecting geographic information in which IP address groups are associated with countries and with entities affiliated with countries;
  
  c) Executing computer code for utilizing security assertions that define network object access privileges for said countries;
  
  d) Executing computer code for redefining security assertions into a list of IP addresses that are used to enforce access control;
  
  e) Executing computer code for storing said list of IP addresses within a persistent memory structure;
  
  f) Executing computer code for examining IP network traffic, extracting IP addresses, and comparing the extracted IP addresses to a list of IP addresses and other information sources;
  
  g) Executing computer code to respond to network traffic based on the locating of an IP address within a table; and
  
  h) Executing computer code for Logging, Aggregating, and Displaying the operational attributes of a given geographic filter device and its peers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ioRhythm, Inc.
Original Assignee
ioRhythm, Inc.
Inventors
Cain, Shelby, Stracener, Tom, Kudla, Aaron J., Luck, Marce Wayne
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/698,624
Publication Number

US 20070300296A1
Time in Patent Office

2,482 Days
Field of Search

455/456.3, 709/238
US Class Current

726/13
CPC Class Codes

G06F 2203/04806   Zoom, i.e. interaction tech...

G06F 3/0484   for the control of specific...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

H04L 63/107   wherein the security polici...

H04L 67/52   specially adapted for the l...

Method and apparatus for geographically regulating inbound and outbound network communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for geographically regulating inbound and outbound network communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links