System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet

US 8,631,244 B1
Filed: 08/11/2011
Issued: 01/14/2014
Est. Priority Date: 08/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:

a) a host-based network process monitor operably connected to the user computer configured to intercept network traffic information from said user computer and transmit a network request comprising user and application information including said network traffic information;

b) an authorization server operably connected to said host-based network process monitor containing a database of users and applications, said authorization server configured to cooperate with said host-based network process monitor for i) verifying whether the user and process in said network request should have network access, and ii) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information, wherein said authorization server provides said cryptographic signing by a decision making technique, by the process of;

i) receiving cryptographic signatures of said application and said network traffic information to provide received cryptographic signature and network traffic information;

ii) identifying a user authentication or host machine authentication of said received network traffic information and said received cryptographic signature to provide identified intercepted network traffic information and cryptographic signature of said application;

iii) computing a cryptographic signature of said identified traffic information including user authentication to provide computed cryptographic hash of said identified traffic information; and

,iv) comparing said computed cryptographic signature of said intercepted network traffic information and said cryptographic signature of said application against a whitelist and/or a blacklist database or comparing intercepted network information against a whitelist or backlist database to provide compared computed cryptographic signature of said identified intercepted information and said cryptographic signature of said application; and

v) digitally signing the received network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said database whitelist, and not contained in said blacklist; and

,c) a firewall system operably connected to said user computer and said authorization server, configured to inspect said intercepted network traffic information from said user computer and reject any traffic information not signed with said authorization server key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for preventing computer malware from exfiltrating data from a user computer in a network via the internet. A host-based network process monitor intercepts network traffic information from the user computer and transmits a network request including user and application information including the network traffic information. An authorization server cooperates with the host-based network process monitor for i) verifying whether the user and process in the network request should have network access, and ii) cryptographically signing the intercepted network traffic information with an authorization server key, to authorize network access for the intercepted network traffic information. A firewall system is operably connected to the user computer and the authorization server configured to inspect the network traffic information from the user computer and reject any traffic information not signed with the authorization server key.

29 Citations

View as Search Results

19 Claims

1. A system for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
- a) a host-based network process monitor operably connected to the user computer configured to intercept network traffic information from said user computer and transmit a network request comprising user and application information including said network traffic information;
  
  b) an authorization server operably connected to said host-based network process monitor containing a database of users and applications, said authorization server configured to cooperate with said host-based network process monitor for i) verifying whether the user and process in said network request should have network access, and ii) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information, wherein said authorization server provides said cryptographic signing by a decision making technique, by the process of;
  
  i) receiving cryptographic signatures of said application and said network traffic information to provide received cryptographic signature and network traffic information;
  
  ii) identifying a user authentication or host machine authentication of said received network traffic information and said received cryptographic signature to provide identified intercepted network traffic information and cryptographic signature of said application;
  
  iii) computing a cryptographic signature of said identified traffic information including user authentication to provide computed cryptographic hash of said identified traffic information; and
  
  ,iv) comparing said computed cryptographic signature of said intercepted network traffic information and said cryptographic signature of said application against a whitelist and/or a blacklist database or comparing intercepted network information against a whitelist or backlist database to provide compared computed cryptographic signature of said identified intercepted information and said cryptographic signature of said application; and
  
  v) digitally signing the received network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said database whitelist, and not contained in said blacklist; and
  
  ,c) a firewall system operably connected to said user computer and said authorization server, configured to inspect said intercepted network traffic information from said user computer and reject any traffic information not signed with said authorization server key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 19)
- - 2. The system of claim 1, wherein said authorization server provides said cryptographic signing by signing individual network packets.
  - 3. The system of claim 1, wherein said authorization server provides said cryptographic signing by signing individual network packets, by applying internet protocol (IP) encapsulation by adding a cryptographic hash field to said intercepted network traffic information.
  - 4. The system of claim 1, wherein said authorization server provides said cryptographic signing by signing individual network packets, by applying an Internet Protocol header field to said intercepted network traffic information.
  - 5. The system of claim 1, wherein said authorization server provides said cryptographic signing by signing individual network packets, by applying a transport layer wrapping protocol to said intercepted network traffic information.
  - 6. The system of claim 1, wherein said authorization server provides said cryptographic signing by adding a token.
  - 7. The system of claim 1, wherein said authorization server provides said cryptographic signing by adding a token, by adding a tag-value pair to an application layer protocol.
  - 8. The system of claim 1, wherein said authorization server provides said cryptographic signing by adding a token, by providing a tag-value pair matched to the application layer protocol via an out-of-band transport.
  - 9. The system of claim 1, wherein said authorization server provides said cryptographic signing by computing a cryptographic signature of said identified traffic information including user host OS configuration to provide said computed cryptographic hash of said identified intercepted traffic information.
  - 10. The system of claim 1, wherein said host-based network process monitor provides monitoring of said network traffic information by the process of:
    - a) intercepting said transmitted network request or said network traffic information to provide an intercepted transmit network request or intercepted network traffic information;
      
      b) identifying the user computer and application information of said intercepted network request or intercepted network traffic information to provide identified said user computer and application information;
      
      c) computing a cryptographic hash of said identified application information to provide computed cryptographic hash of said identified application information; and
      
      ,d) forwarding said intercepted transmit network request or said network traffic information, with said computed cryptographic hash of said identified application information, to said authorization server.
  - 12. The system of claim 2, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature to restore said signed individual network packets to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to an internet destination only if said signature is valid.
  - 13. The system of claim 3, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature to restore said signed individual network packets to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to an internet destination only if said signature is valid.
  - 14. The system of claim 4, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature to restore said signed individual network packets to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to an internet destination only if said signature is valid.
  - 15. The system of claim 5, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual wrapped network packets;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature and transport layer wrapper to restore said signed individual network packets to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to an internet destination only if said signature is valid.
  - 16. The system of claim 6, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed token and network traffic information;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature to restore network traffic information to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to an internet destination only if said signature is valid.
  - 17. The system of claim 7, wherein said firewall system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed token within said application layer protocol;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said validated signature to restore said application layer request to provide original state prior to interception by host process monitor, andd) forwarding said intercepted network traffic information to internet destination only if signature is valid.
  - 19. The system of claim 1, wherein said authorization server provides said cryptographic signing by computing said cryptographic signature of said identified traffic information including user host OS configuration.

11. A system for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
- a) a host-based network process monitor operably connected to the user computer configured to intercept network traffic information from said user computer and transmit a network request comprising user and application information including said network traffic information;
  
  b) an authorization server operably connected to said host-based network process monitor containing a database of users and applications, said authorization server configured to cooperate with said host-based network process monitor for i) verifying whether the user and process in said network request should have network access, and ii) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information; and
  
  ,c) a firewall system operably connected to said user computer and said authorization server, configured to inspect said intercepted network traffic information from said user computer and reject any traffic information not signed with said authorization server key, wherein said firewall system provides inspection of said network traffic information by the process of;
  
  receiving said cryptographically signed network traffic information;
  
  testing the validity of said cryptographic signature to provide validated cryptographic signature;
  
  stripping said validated signature to restore said request to provide original state prior to interception by host process monitor, andforwarding said original intercepted network traffic information to an internet destination only if said signature is valid.

18. A method for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
- a) intercepting network traffic information from said user computer utilizing a host-based network process monitor operably connected to the user computer and transmitting a network request comprising user and application information including said network traffic information;
  
  b) verifying whether the user and process in said network request should have network access utilizing an authorization server operably connected to said host-based network process monitor containing a database of users and applications;
  
  c) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information, wherein said authorization server provides said cryptographic signing by a decision making technique, by the process of;
  
  i) receiving cryptographic signatures of said application and said network traffic information to provide received cryptographic signature and network traffic information;
  
  ii) identifying a user authentication or host machine authentication of said received network traffic information and said received cryptographic signature to provide identified network traffic information and cryptographic signature of said application;
  
  iii) computing a cryptographic signature of said identified traffic information including user authentication to provide computed cryptographic hash of said identified traffic information; and
  
  ,iv) comparing said computed cryptographic signature of said intercepted network traffic information and said cryptographic signature of said application against a whitelist and/or a blacklist database or comparing intercepted network information against a whitelist or backlist database to provide compared computed cryptographic signature of said identified intercepted information said cryptographic signature of said application; and
  
  v) digitally signing the received network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said database whitelist, and not contained in said blacklist; and
  
  ,d) inspecting said intercepted network traffic information from said user computer and rejecting any traffic information not signed with said authorization server key utilizing a firewall system operably connected to said user computer and said authorization server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Potts, James N., Crosmer, Julianne R., Hoech, Karl F., Kim, Sung J.
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US13/207,651
Time in Patent Office

887 Days
Field of Search

713/182, 713/188
US Class Current

713/188
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/123   received data contents, e.g...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links