SOC-based device for packet filtering and packet filtering method thereof

US 8,726,362 B2
Filed: 03/16/2012
Issued: 05/13/2014
Est. Priority Date: 03/16/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A device comprising:

a chip comprising a firewall engine;

a driver;

a storage unit that stores a rule database (DB); and

at least one application which uses at least one process associated with at least one packet,wherein the rule DB stores a rule for each process,wherein an owner process uses the packet by transmitting the packet to an external device or receiving the packet from an external device,wherein, if the packet is to be transmitted to a chip, the driver identifies the owner process of the packet, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device based on a rule for the owner process stored in the rule DB, andwherein the chip filters the packet received from the driver by applying a rule for packet filtering,wherein a rule for a process defines a packet as being allowed or blocked according to the process associated with the packet, andwherein, if the packet is to be transmitted, the driver obtains an owner process identification (ID) included in the packet and determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the chip only if the process is allowed to transmit the packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a device including a chip that includes a firewall engine, and a driver, wherein the driver identifies an owner process of a packet to be transmitted, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device, wherein the chip performs filtering by applying a rule for packet filtering to the packet received from the driver.

34 Citations

View as Search Results

22 Claims

1. A device comprising:
- a chip comprising a firewall engine;
  
  a driver;
  
  a storage unit that stores a rule database (DB); and
  
  at least one application which uses at least one process associated with at least one packet,wherein the rule DB stores a rule for each process,wherein an owner process uses the packet by transmitting the packet to an external device or receiving the packet from an external device,wherein, if the packet is to be transmitted to a chip, the driver identifies the owner process of the packet, and transmits the packet to the chip only if the owner process is allowed to transmit the packet to an external device based on a rule for the owner process stored in the rule DB, andwherein the chip filters the packet received from the driver by applying a rule for packet filtering,wherein a rule for a process defines a packet as being allowed or blocked according to the process associated with the packet, andwherein, if the packet is to be transmitted, the driver obtains an owner process identification (ID) included in the packet and determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the chip only if the process is allowed to transmit the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The device as claimed in claim 1, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the driver does not transmit the packet to the chip.
  - 3. The device as claimed in claim 2, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the driver stops executing the owner process.
  - 4. The device as claimed in claim 1, wherein the chip further comprises a network interface card, and the chip determines whether or not to transmit a packet received through the network interface card to the driver by applying the rule to the packet.
  - 5. The device as claimed in claim 4, wherein the driver identifies an owner process of the packet received from the chip and transmits the packet to the owner process only if the owner process of the packet received from the chip is allowed to receive the packet from an external device.
  - 6. The device as claimed in claim 1, further comprising a firewall user interface that provides a rule setting screen comprising an area for a user to input information identifying at least one from among an internet protocol (IP), a protocol, and a port,wherein the device converts the information from the user into a rule,wherein the firewall user interface transmits the rule to the chip, andwherein the chip performs packet filtering using the rule received from the firewall user interface.
  - 7. The device as claimed in claim 6, wherein the rule setting screen further comprises a configuration helper,wherein the configuration helper provides a list of network applications, and, if at least one of the network applications is selected by the user, the configuration helper determines if at least one from among an IP, a protocol, and a port is necessary for executing the selected network application and inputs the necessary IP, protocol, or port into the area.
  - 8. The device as claimed in claim 6, wherein the rule setting screen comprises an area to input a process and a rule, andif a process and a rule are inputted, the rule governs all packets generated by the process.

9. A packet filtering method, the packet filtering method comprising:
- storing a rule for each process in a rule database (DB),identifying, by a device, an owner process of a packet to be transmitted, and transmitting the packet to a system-on-chip (SOC) only if the owner process of the packet to be transmitted is allowed to transmit the packet to an external device based on a rule for the owner process stored in the rule DB; and
  
  filtering, by the SOC, the packet transmitted from the device by applying a rule for packet filtering,wherein a rule for a process defines a packet as being allowed or blocked according to a process associated with the packet, andwherein if the packet is to be transmitted, the device obtains an owner process identification (ID) included in the packet and determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the SOC only if the process is allowed to transmit the packet.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The packet filtering method as claimed in claim 9, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the device does not transmit the packet to the SOC.
  - 11. The packet filtering method as claimed in claim 10, wherein, if the owner process of the packet to be transmitted is not allowed to transmit the packet to the external device, the device stops executing the owner process.
  - 12. The packet filtering method as claimed in claim 9, wherein the SOC further comprises a network interface card, and the SOC performs packet filtering by applying the rule to a packet received through the network interface card.
  - 13. The packet filtering method as claimed in claim 12, wherein the device identifies an owner process of the packet received from the SOC and transmits the packet to the owner process only if the owner process of the packet received from the SOC is allowed to receive the packet.
  - 14. The packet filtering method as claimed in claim 9, further comprising:
    - providing, by the device, a rule setting screen comprising an area to for a user to input information identifying at least one of an internet protocol (IP), a protocol, and a port;
      
      converting, by the device, the information into a rule; and
      
      transmitting, by the device, the rule to the SOC; and
      
      filtering, by the SOC, the packet using the rule transmitted from the device.
  - 15. The packet filtering method as claimed in claim 14, wherein the rule setting screen further comprises a configuration helper,wherein the configuration helper provides a list of network applications, and, if at least one of the network applications is selected by the user, the configuration helper determines if at least one of an IP, a protocol, and a port is necessary for executing the selected network application and inputs the necessary IP, protocol, or port into the area.
  - 16. The packet filtering method as claimed in claim 15, wherein the rule setting screen comprises an area to input a process and a rule, andif a process and a rule are inputted, the rule governs all packets generated by the first process.

17. A non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method comprising:
- storing a rule for each process in a rule database (DB),identifying an owner process of a packet to be transmitted to an external device; and
  
  only if the owner process of the packet to be transmitted is allowed to transmit the packet to the external device based on a rule for the owner process stored in the rule DB, transmitting the packet to a chip,wherein the chip is mounted on the computer and has a packet filtering function,wherein a rule for a process defines a packet as being allowed or blocked according to a process associated with the packet, andwherein if the packet is to be transmitted, obtaining an owner process identification (ID) included in the packet and determining whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmitting the packet to the chip only if the process is allowed to transmit the packet.

18. A device comprising:
- a chip that comprises a firewall engine,a driver, anda storage unit that stores a rule database (DB),wherein the rule DB stores a rule for each process,wherein the driver obtains an owner process identification (ID) of a packet to be transmitted to an external device and transmits the packet and the owner process ID of the packet to the chip based on a rule for the owner process stored in the rule DB, andwherein the firewall engine of the chip filters the packet transmitted from the driver using a rule DB for packet filtering,wherein a rule for a process defines a packet as being allowed or blocked according to a process associated with the packet, andwherein if the packet is to be transmitted, the device determines whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmits the packet to the chip only if the process is allowed to transmit the packet.
- View Dependent Claims (19, 20)
- - 19. The device as claimed in claim 18, wherein the firewall engine of the chip determines whether a process having the owner process ID transmitted from the driver is allowed to transmit the packet to the external device by applying the rule DB for packet filtering.
  - 20. The device as claimed in claim 18, further comprising a network interface card,wherein the driver obtains an owner process ID of a packet received through the network interface card and transmits the owner process ID and the packet to the chip.

21. A non-transitory computer readable storing medium that stores a program for enabling a computer to perform a method, the method comprising:
- storing a rule for each process in a rule database (DB),identifying an owner process of a packet to be transmitted to an external device;
  
  obtaining an owner process identification (ID) of the packet to be transmitted to the external device; and
  
  transmitting the packet and the owner process ID to a chip based on a rule for the owner process stored in the rule DB,wherein the chip is mounted on the computer and has a packet filtering function,wherein a rule for a process defines a packet as being allowed or blocked according to a process associated with the packet, andwherein if the packet is to be transmitted, determining whether a process having the owner process ID is allowed to transmit the packet to the external device by referring to the rule DB for each process, and transmitting the packet to the chip only if the process is allowed to transmit the packet.
- View Dependent Claims (22)
- - 22. The non-transitory computer readable storing medium as claimed in claim 21, wherein the method further comprises obtaining an owner process ID of a packet received through a network interface card and transmitting the owner process ID and the packet to the chip.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, InSeon
Primary Examiner(s)
Zee, Edward

Application Number

US13/422,672
Publication Number

US 20120240215A1
Time in Patent Office

788 Days
Field of Search

726/13, 726/11, 726/22, 726/1, 713/153, 713/154
US Class Current

726/13
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/0263 Rule management

SOC-based device for packet filtering and packet filtering method thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

SOC-based device for packet filtering and packet filtering method thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others