System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet
Abstract
A system for preventing computer malware from exfiltrating data from a user computer in a network via the internet. A host-based network process monitor intercepts network traffic information from the user computer and transmits a network request including user and application information including the network traffic information. An authorization server cooperates with the host-based network process monitor for i) verifying whether the user and process in the network request should have network access, and ii) cryptographically signing the intercepted network traffic information with an authorization server key, to authorize network access for the intercepted network traffic information. A firewall system is operably connected to the user computer and the authorization server configured to inspect the network traffic information from the user computer and reject any traffic information not signed with the authorization server key.
19 Claims
1. A system for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
a) a host-based network process monitor operably connected to the user computer configured to intercept network traffic information from said user computer and transmit a network request comprising user and application information including said network traffic information;
b) an authorization server operably connected to said host-based network process monitor containing a database of users and applications, said authorization server configured to cooperate with said host-based network process monitor for i) verifying whether the user and process in said network request should have network access, and ii) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information, wherein said authorization server provides said cryptographic signing by a decision making technique, by the process of:
i) receiving cryptographic signatures of said application and said network traffic information to provide received cryptographic signature and network traffic information;
ii) identifying a user authentication or host machine authentication of said received network traffic information and said received cryptographic signature to provide identified intercepted network traffic information and cryptographic signature of said application;
iii) computing a cryptographic signature of said identified traffic information including user authentication to provide computed cryptographic hash of said identified traffic information; and
iv) comparing said computed cryptographic signature of said intercepted network traffic information and said cryptographic signature of said application against a whitelist and/or a blacklist database or comparing intercepted network information against a whitelist or blacklist database to provide compared computed cryptographic signature of said identified intercepted information and said cryptographic signature of said application; and
v) digitally signing the received network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said database whitelist, and not contained in said blacklist; and
c) a firewall system operably connected to said user computer and said authorization server, configured to inspect said intercepted network traffic information from said user computer and reject any traffic information not signed with said authorization server key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 19.

11. A system for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
a) a host-based network process monitor operably connected to the user computer configured to intercept network traffic information from said user computer and transmit a network request comprising user and application information including said network traffic information;
b) an authorization server operably connected to said host-based network process monitor containing a database of users and applications, said authorization server configured to cooperate with said host-based network process monitor for i) verifying whether the user and process in said network request should have network access, and ii) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information; and
c) a firewall system operably connected to said user computer and said authorization server, configured to inspect said intercepted network traffic information from said user computer and reject any traffic information not signed with said authorization server key, wherein said firewall system provides inspection of said network traffic information by the process of: receiving said cryptographically signed network traffic information; testing the validity of said cryptographic signature to provide validated cryptographic signature; stripping said validated signature to restore said request to its original state prior to interception by the host process monitor; and forwarding said original intercepted network traffic information to an internet destination only if said signature is valid.

18. A method for preventing computer malware from exfiltrating data from a user computer in a network via an internet, comprising:
a) intercepting network traffic information from said user computer utilizing a host-based network process monitor operably connected to the user computer and transmitting a network request comprising user and application information including said network traffic information;
b) verifying whether the user and process in said network request should have network access utilizing an authorization server operably connected to said host-based network process monitor containing a database of users and applications;
c) cryptographically signing said intercepted network traffic information with an authorization server key, to authorize network access for said intercepted network traffic information, wherein said authorization server provides said cryptographic signing by a decision making technique, by the process of:
i) receiving cryptographic signatures of said application and said network traffic information to provide received cryptographic signature and network traffic information;
ii) identifying a user authentication or host machine authentication of said received network traffic information and said received cryptographic signature to provide identified network traffic information and cryptographic signature of said application;
iii) computing a cryptographic signature of said identified traffic information including user authentication to provide computed cryptographic hash of said identified traffic information; and
iv) comparing said computed cryptographic signature of said intercepted network traffic information and said cryptographic signature of said application against a whitelist and/or a blacklist database or comparing intercepted network information against a whitelist or blacklist database to provide compared computed cryptographic signature of said identified intercepted information and said cryptographic signature of said application; and
v) digitally signing the received network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said database whitelist, and not contained in said blacklist; and
d) inspecting said intercepted network traffic information from said user computer and rejecting any traffic information not signed with said authorization server key utilizing a firewall system operably connected to said user computer and said authorization server.
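As an added worked example (not code from the patent or its assignee), the authorization server's decision process of claims 1 and 18 and the firewall inspection of claim 11, end to end. The request format, HMAC-SHA256 as the signing primitive, the shared server key and the whitelist/blacklist contents are all assumptions; the claims specify none of them.

```python
import hashlib
import hmac
import json

# Assumed: an HMAC-SHA256 key shared by the authorization server and the firewall
# stands in for the "authorization server key" (the claims name no algorithm).
SERVER_KEY = b"constructed-demo-key"  # constructed value

def canonical(user, traffic):
    """Stable bytes for the intercepted request plus the authenticated user."""
    return json.dumps({"user": user, "traffic": traffic}, sort_keys=True).encode()

def request_hash(user, traffic):
    """Claim 1 b) iii): hash of the request including user authentication."""
    return hashlib.sha256(canonical(user, traffic)).hexdigest()

# Constructed whitelist/blacklist database (claim 1 b) iv)): hashes of approved or
# banned application binaries and of approved (user, destination) requests.
APP_WHITELIST = {hashlib.sha256(b"constructed-browser-binary").hexdigest()}
APP_BLACKLIST = {hashlib.sha256(b"constructed-stealer-binary").hexdigest()}
REQ_WHITELIST = {request_hash("alice", {"dst": "example.com", "port": 443})}
REQ_BLACKLIST = set()

def authorize(user, app_sig, traffic):
    """Authorization server: signed envelope, or None to deny (claim 1 b) v))."""
    req = request_hash(user, traffic)
    if app_sig in APP_BLACKLIST or req in REQ_BLACKLIST:
        return None
    if app_sig not in APP_WHITELIST or req not in REQ_WHITELIST:
        return None
    sig = hmac.new(SERVER_KEY, canonical(user, traffic), hashlib.sha256).hexdigest()
    return {"user": user, "traffic": traffic, "sig": sig}

def firewall_inspect(envelope):
    """Firewall (claim 11 c)): verify the signature, strip it and return the
    original traffic for forwarding; None means reject."""
    msg = canonical(envelope.get("user"), envelope.get("traffic"))
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("sig", ""))):
        return None
    return envelope["traffic"]  # restored to its pre-interception state

def end_to_end(user, app_bytes, traffic):
    """Monitor -> authorization server -> firewall; forwarded traffic or None."""
    app_sig = hashlib.sha256(app_bytes).hexdigest()  # monitor's application signature
    envelope = authorize(user, app_sig, traffic)
    return None if envelope is None else firewall_inspect(envelope)
```

Traffic that bypasses the monitor and reaches the firewall without an envelope, or with a tampered body, fails `firewall_inspect` regardless of the sending process, which is the property the claims rely on.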
Specification