Filtering network data transfers

DC CAFC

US 9,124,552 B2
Filed: 03/12/2013
Issued: 09/01/2015
Est. Priority Date: 03/12/2013
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A method, comprising:

at a computing device comprising at least one processor, a memory, and a communication interface;

receiving, via the communication interface, a plurality of hypertext transfer protocol secure (HTTPS) packets;

responsive to a determination by the at least one processor that at least a portion of the plurality of HTTPS packets have packet-header-field values corresponding to a packet filtering rule stored in the memory, applying, by the at least one processor, an operator specified by the packet-filtering rule to the at least a portion of the plurality of HTTPS packets, wherein the operator specifies one or more application-header-field-value criteria identifying one or more transport layer security (TLS)-version values for which packets should be blocked from continuing toward their respective destinations;

andresponsive to a determination by the at least one processor that one or more packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be blocked from continuing toward their respective destinations, applying, by the at least one processor, at least one packet-transformation function specified by the operator to the one or more packets to block each packet of the one or more packets from continuing toward its respective destination.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

Citations

21 Claims

1. A method, comprising:
- at a computing device comprising at least one processor, a memory, and a communication interface;
  
  receiving, via the communication interface, a plurality of hypertext transfer protocol secure (HTTPS) packets;
  
  responsive to a determination by the at least one processor that at least a portion of the plurality of HTTPS packets have packet-header-field values corresponding to a packet filtering rule stored in the memory, applying, by the at least one processor, an operator specified by the packet-filtering rule to the at least a portion of the plurality of HTTPS packets, wherein the operator specifies one or more application-header-field-value criteria identifying one or more transport layer security (TLS)-version values for which packets should be blocked from continuing toward their respective destinations;
  
  andresponsive to a determination by the at least one processor that one or more packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be blocked from continuing toward their respective destinations, applying, by the at least one processor, at least one packet-transformation function specified by the operator to the one or more packets to block each packet of the one or more packets from continuing toward its respective destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the one or more application-header-field-value criteria identify one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, the method comprising, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, applying, by the at least one processor, a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 3. The method of claim 1, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be allowed to continue toward their respective destinations, the method comprising, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be allowed to continue toward their respective destinations, applying, by the at least one processor, a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 4. The method of claim 1, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be blocked from continuing toward their respective destinations, the method comprising, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be blocked from continuing toward their respective destinations, applying, by the at least one processor, a packet-transformation function specified by the operator to the one or more other packets to block each packet of the one or more other packets from continuing toward its respective destination.
  - 5. The method of claim 1, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods, and wherein the at least a portion of the plurality of HTTPS packets comprises a first portion of packets and a second portion of packets, each packet of the first portion comprising at least one GET method value, and each packet of the second portion comprising at least one of a PUT method value, a POST method value, or a CONNECT method value, the method comprising:
    - allowing each packet of the first portion of packets to continue toward its respective destination; and
      
      blocking each packet of the second portion of packets from continuing toward its respective destination.
  - 6. The method of claim 1, comprising, for each packet of the at least a portion of the plurality of HTTPS packets:
    - comparing a protocol of a data section of the packet to a protocol specified by the packet-filtering rule;
      
      comparing a source Internet Protocol (IP) address of the packet to one or more source IP addresses specified by the packet-filtering rule;
      
      comparing a source port of the packet to one or more source ports specified by the packet-filtering rule;
      
      comparing a destination IP address of the packet to one or more destination IP addresses specified by the packet-filtering rule; and
      
      comparing a destination port of the packet to one or more destination ports specified by the packet-filtering rule.
  - 7. The method of claim 1, comprising:
    - receiving, via the communication interface, a second plurality of HTTPS packets;
      
      andresponsive to a determination by the at least one processor that the second plurality of HTTPS packets does not have packet-header-field values corresponding to the packet-filtering rule, blocking, by the computing device and without applying the operator to the second plurality of HTTPS packets, each packet of the second plurality of HTTPS packets from continuing toward its respective destination.

8. An apparatus, comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the apparatus to;
  
  receive a plurality of hypertext transfer protocol secure (HTTPS) packets;
  
  responsive to a determination by the at least one processor that at least a portion of the plurality of HTTPS packets have packet-header-field values corresponding to a packet-filtering rule, apply an operator specified by the packet-filtering rule to the at least a portion of the plurality of HTTPS packets, wherein the operator specifies one or more application-header-field-value criteria identifying one or more transport layer security (TLS)-version values for which packets should be blocked from continuing toward their respective destinations;
  
  andresponsive to a determination by the at least one processor that one or more packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be blocked from continuing toward their respective destinations, apply at least one packet-transformation function specified by the operator to the one or more packets to block each packet of the one or more packets from continuing toward its respective destination.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the one or more application-header-field-value criteria identify one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, and wherein the instructions when executed by the at least one processor, cause the apparatus to, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 10. The apparatus of claim 8, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be allowed to continue toward their respective destinations, and wherein the instructions, when executed by the at least one processor, cause the apparatus to, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be allowed to continue toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 11. The apparatus of claim 8, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be blocked from continuing toward their respective destinations, and wherein the instructions, when executed by the at least one processor, cause the apparatus to, responsive to a determination by the at least one processor that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be blocked from continuing toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to block each packet of the one or more other packets from continuing toward its respective destination.
  - 12. The apparatus of claim 8, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods, wherein the at least a portion of the plurality of HTTPS packets comprises a first portion of packets and a second portion of packets, each packet of the first portion comprising at least one GET method value, and each packet of the second portion comprising at least one of a PUT method value, a POST method value, or a CONNECT method value, and wherein the instructions, when executed by the at least one processor, cause the apparatus to:
    - allow each packet of the first portion to continue toward its respective destination; and
      
      block each packet of the second portion from continuing toward its respective destination.
  - 13. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, cause the apparatus to, for each packet of the at least a portion of the plurality of HTTPS packets:
    - compare a protocol of a data section of each of the packet to a protocol specified by the packet-filtering rule;
      
      compare a source Internet Protocol (IP) address of the packet to one or more source IP addresses specified by the packet-filtering rule;
      
      compare a source port of the packet to one or more source ports specified by the packet-filtering rule;
      
      compare a destination IP address of the packet to one or more destination IP addresses specified by the packet-filtering rule; and
      
      compare a destination port of the packet to one or more destination ports specified by the packet-filtering rule.
  - 14. The apparatus of claim 8, wherein the instructions, when executed by the at least one processor, cause the apparatus to:
    - receive a second plurality of HTTPS packets; and
      
      responsive to a determination by the at least one processor that the second plurality of HTTPS packets does not have packet-header-field values corresponding to the packet-filtering rule, block, without applying the operator to the second plurality of HTTPS packets, each packet of the second plurality of HTTPS packets from continuing toward its respective destination.

15. One or more non-transitory computer-readable media having instructions stored thereon that when executed by one or more computing devices cause the one or more computing devices to:
- receive a plurality of hypertext transfer protocol secure (HTTPS) packets;
  
  responsive to a determination by the one or more computing devices that at least a portion of the plurality of HTTPS packets have packet-header-field values corresponding to a packet-filtering rule, apply an operator specified by the packet-filtering rule to the at least a portion of the plurality of HTTPS packets, wherein the operator specifies one or more application-header-field-value criteria identifying one or more transport layer security (TLS)-version values for which packets should be blocked from continuing toward their respective destinations;
  
  andresponsive to a determination by the one or more computing devices that one or more packets, of the at least a portion of the plurality of HTTPS packets have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be blocked from continuing toward their respective destinations, apply at least one packet-transformation function specified by the operator to the one or more packets to block each packet of the one or more packets from continuing toward its respective destination.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the one or more application-header-field-value criteria identify one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, and wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to, responsive to a determination by the one or more computing devices that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more TLS-version values of the one or more TLS-version values for which packets should be allowed to continue toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 17. The one or more non-transitory computer-readable media of claim 15, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be allowed to continue toward their respective destinations, and wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to, responsive to a determination by the one or more computing devices that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be allowed to continue toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to allow each packet of the one or more other packets to continue toward its respective destination.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods for which packets should be blocked from continuing toward their respective destinations, and wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to, responsive to a determination by the one or more computing devices that one or more other packets, of the at least a portion of the plurality of HTTPS packets, have one or more application-header-field values corresponding to one or more HTTP methods of the one or more HTTP methods for which packets should be blocked from continuing toward their respective destinations, apply a packet-transformation function specified by the operator to the one or more other packets to block each packet of the one or more other packets from continuing toward its respective destination.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the one or more application-header-field-value criteria identify one or more hypertext transfer protocol (HTTP) methods, wherein the at least a portion of the plurality of HTTPS packets comprises a first portion of packets and a second portion of packets, each packet of the first portion comprising at least one GET method value, and each packet of the second portion comprising at least one of a PUT method value, a POST method value, or a CONNECT method value, and wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - allow each packet of the first portion to continue toward its respective destination; and
      
      block each packet of the second portion from continuing toward its respective destination.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to, for each packet of the at least a portion of the plurality of HTTPS packets:
    - compare a protocol of a data section of the packet to a protocol specified by the packet-filtering rule;
      
      compare a source Internet Protocol (IP) address of the packet to one or more source IP addresses specified by the packet-filtering rule;
      
      compare a source port of the packet to one or more source ports specified by the packet-filtering rule;
      
      compare a destination IP address of the packet to one or more destination IP addresses specified by the packet-filtering rule; and
      
      compare a destination port of the packet to one or more destination ports specified by the packet-filtering rule.
  - 21. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more computing devices, cause the one or more computing devices to:
    - receive a second plurality of HTTPS packets; and
      
      responsive to a determination by the one or more computing devices that the second plurality of HTTPS packets does not have packet-header-field values corresponding to the packet-filtering rule, block, without applying the operator to the second plurality of HTTPS packets, each packet of the second plurality of HTTPS packets from continuing toward its respective destination.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/795,822
Publication Number

US 20140283004A1
Time in Patent Office

903 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Filtering network data transfers

First Claim

4 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering network data transfers

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links