Device for preventing, detecting and responding to security threats

US 9,485,218 B2
Filed: 03/23/2010
Issued: 11/01/2016
Est. Priority Date: 03/23/2010
Status: Active Grant

First Claim

Patent Images

1. A device to prevent, detect, and respond to one or more security threats between a controlled host and one or more services used by the controlled host, the device comprising:

a processing resource;

one or more communication ports for connecting the device to the controlled host and for connecting the one or more services directly to the device such that communications between the one or more services and the controlled host are examined by the device,wherein the one or more services are one or more of a display unit, a keyboard, and a mousememory for storing;

information pertaining to one or more users permitted to use the controlled host; and

one or more communication protocols associated with controlling the communications between the one or more services and the controlled host;

an input device for collecting, at the device, information pertaining to a user; and

a user authenticator for;

comparing the information pertaining to the user with the information pertaining to the one or more user permitted to use the controlled host; and

designating the user as one of;

an authorized user of the controlled host if the information pertaining to the user matches the information pertaining to one or more users permitted to use the controlled host; and

an unauthorized user of the controlled host if the information pertaining to the user does not match the information pertaining to one or more users permitted to use the controlled host,wherein, prior to the user authenticator designating the user as one of the authorized user and the unauthorized user, attempted communications from the one or more services to the controlled host are monitored by the device and are prevented from being received by the controlled host,wherein, responsive to the user authenticator designating the user as the authorized user, attempted communications from the one or more services are allowed to be received by the controlled host,wherein, responsive to the user authenticator designating the user as the unauthorized user, attempted communications from the one or more services are prevented from being received by the controlled host,wherein a characteristic of attempted communications from the one or more services to the controlled host is stored in the memory; and

wherein the one or more communication protocols;

in response to the user authenticator designating the user as the authorized user, authorize the communications between the one or more services and the controlled host; and

in response to the user authenticator designating the user as the unauthorized user, prevent the communications from the one or more services from being received by the controlled host;

log content of the attempted communications from the one or more services; and

analyze the logged content.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device to prevent, detect and respond to one or more security threats between one or more controlled hosts and one or more services accessible from the controlled host. The device determines the authenticity of a user of a controlled host and activates user specific configurations under which the device monitors and controls all communications between the user, the controlled host and the services. As such, the device ensures the flow of only legitimate and authorized communications. Suspicious communications, such as those with malicious intent, malformed packets, among others, are stopped, reported for analysis and action. Additionally, upon detecting suspicious communication, the device modifies the activated user specific configurations under which the device monitors and controls the communications between the user, the controlled host and the services.

Citations

17 Claims

1. A device to prevent, detect, and respond to one or more security threats between a controlled host and one or more services used by the controlled host, the device comprising:
- a processing resource;
  
  one or more communication ports for connecting the device to the controlled host and for connecting the one or more services directly to the device such that communications between the one or more services and the controlled host are examined by the device,wherein the one or more services are one or more of a display unit, a keyboard, and a mousememory for storing;
  
  information pertaining to one or more users permitted to use the controlled host; and
  
  one or more communication protocols associated with controlling the communications between the one or more services and the controlled host;
  
  an input device for collecting, at the device, information pertaining to a user; and
  
  a user authenticator for;
  
  comparing the information pertaining to the user with the information pertaining to the one or more user permitted to use the controlled host; and
  
  designating the user as one of;
  
  an authorized user of the controlled host if the information pertaining to the user matches the information pertaining to one or more users permitted to use the controlled host; and
  
  an unauthorized user of the controlled host if the information pertaining to the user does not match the information pertaining to one or more users permitted to use the controlled host,wherein, prior to the user authenticator designating the user as one of the authorized user and the unauthorized user, attempted communications from the one or more services to the controlled host are monitored by the device and are prevented from being received by the controlled host,wherein, responsive to the user authenticator designating the user as the authorized user, attempted communications from the one or more services are allowed to be received by the controlled host,wherein, responsive to the user authenticator designating the user as the unauthorized user, attempted communications from the one or more services are prevented from being received by the controlled host,wherein a characteristic of attempted communications from the one or more services to the controlled host is stored in the memory; and
  
  wherein the one or more communication protocols;
  
  in response to the user authenticator designating the user as the authorized user, authorize the communications between the one or more services and the controlled host; and
  
  in response to the user authenticator designating the user as the unauthorized user, prevent the communications from the one or more services from being received by the controlled host;
  
  log content of the attempted communications from the one or more services; and
  
  analyze the logged content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 15, 16)
- - 2. The device of claim 1, wherein the one or more communication protocols:
    - monitor attempted communications from the one or more services to the controlled host between the controlled host and the one or more services;
      
      filter the attempted communications based on media access control addresses;
      
      proxy address resolution protocol;
      
      apply security protocol to the attempted communications; and
      
      include;
      
      a cryptographic engine;
      
      a stateful internet protocol firewall;
      
      a network intrusion detection system; and
      
      a proxy server.
  - 3. The device of claim 2, wherein the security protocol is the Internet Protocol Security (IPSec).
  - 4. The device of claim 3, wherein the cryptographic engine:
    - negotiates cryptographic keys between the controlled host and the one or more services;
      
      encrypts the attempted communications between the controlled host and the one or more services; and
      
      ensures privacy and integrity of the attempted communications.
  - 5. The device of claim 1, wherein the one or more communication protocols comprise one or more of:
    - filtering rules;
      
      monitoring rules;
      
      authorization rules; and
      
      proxy configurations.
  - 6. The device of claim 1, wherein the one or more communication protocols:
    - compare one or more activated communication protocols with attempted communications from the one or more services to the controlled host between the controlled host and the one or more services;
      
      authorize the attempted communications if the attempted communications are in compliance with the one or more activated communication protocols;
      
      prevent the attempted communications if the attempted communications are is not in compliance with the one or more activated communication protocols; and
      
      change the one or more activated communication protocols upon detecting the attempted communications comprising one or more of;
      
      malicious intent; and
      
      malformed packets.
  - 7. The device of claim 1, wherein responsive to the user authenticator designating the user as the unauthorized user, the one or more communication protocols prevent the user from accessing the controlled host via the one or more services.
  - 8. The device of claim 1, wherein the one or more communication ports comprise one or more of:
    - a universal serial bus connection;
      
      a serial cable connection;
      
      a parallel cable connection; and
      
      a wireless connection.
  - 9. The device of claim 1, wherein the input device comprises one or more of:
    - a smart card reader;
      
      a biometric device;
      
      a retina scanner;
      
      a finger print scanner;
      
      a palm print scanner; and
      
      a face scanner.
  - 15. The device of claim 1, wherein the device is external to the controlled host.
  - 16. The device of claim 1, wherein the user authenticator is for:
    - analyzing the characteristic of the attempted communications; and
      
      reporting the analysis to a network security and monitoring component.

10. A method for preventing, detecting, and responding to one or more security threats between a controlled host and one or more services connected to the controlled host, the method comprising:
- collecting, at a device, information pertaining to a user;
  
  comparing the information pertaining to the user with information for one or more users permitted to use the controlled host;
  
  designating the user as one of;
  
  an authorized user if the information pertaining to the user matches the information pertaining to the one or more users permitted to use the controlled host; and
  
  an unauthorized user if the information pertaining to the user does not match the information pertaining to the one or more users permitted to use the controlled host;
  
  prior to the user being designated as one of the authorized user and the unauthorized user, monitoring attempted communications from the one or more services to the controlled host,wherein the one or more services are connected directly to the device and include one or more of a display unit, a keyboard, and a mouse;
  
  responsive to the user being designated as the authorized user, allowing attempted communications from the one or more services to be received by the controlled host; and
  
  responsive to the user being designated as the unauthorized user, preventing attempted communications from the one or more services to the controlled host from being received by the controlled host;
  
  logging content of the attempted communications from the one or more services to the controlled host; and
  
  analyzing the logged content.
- View Dependent Claims (11, 12, 17)
- - 11. The method of claim 10, further comprising:
    - negotiating cryptographic keys between the controlled host and the one or more services;
      
      monitoring attempted communications from the one or more services to the controlled host;
      
      configuring the attempted communications into one or more packets;
      
      evaluating internet protocol tables;
      
      filtering media access control address;
      
      applying address resolution protocol;
      
      checking for network intrusion detection;
      
      evaluating the one or more packets with a proxy server; and
      
      applying security protocol to the communication.
  - 12. The method of claim 10, further comprising:
    - comparing one or more configurations with attempted communications from the one or more services and the controlled host wherein the one or more configurations comprise;
      
      a configuration associated with the user prior to being designated as one of the authorized user and the unauthorized user;
      
      a configuration associated with the authorized user;
      
      a configuration associated with the unauthorized user; and
      
      a configuration for preventing malicious intent of the authorized user and the unauthorized user;
      
      authorizing the attempted communications from the one or more services and the controlled host if the attempted communications are in compliance with the configuration associated with the authorized user;
      
      preventing the attempted communications if the attempted communications are in compliance with the configuration associated with the unauthorized user; and
      
      changing the one or more configurations upon detecting the attempted communications comprising one or more of;
      
      malicious intent; and
      
      malformed packets.
  - 17. The method of claim 10, further comprising:
    - receiving communications from the controlled host;
      
      evaluating the communications to determine whether the communications conform to a set of rules; and
      
      delivering the communications to the one or more services on behalf of the controlled host if the communications conform to the set of rules.

13. A device to prevent, detect, and respond to one or more security threats between a controlled host and one or more services used by the controlled host, the device comprising:
- a processing resource in communication with a memory resource, wherein the memory resource includes instructions stored thereon and executable by the processing resource to;
  
  collect, at the device, information pertaining to a user;
  
  compare the information pertaining to the user with information for one or more users permitted to use the controlled host;
  
  designate the user as one of;
  
  an authorized user if the information pertaining to the user matches the information pertaining to the one or more users permitted to use the controlled host; and
  
  an unauthorized user if the information pertaining to the user does not match the information pertaining to the one or more users permitted to use the controlled host; and
  
  prior to the user being designated as one of the authorized user and the unauthorized user, monitor attempted communications from the one or more services to the controlled host, log content of the attempted communications from the one or more services to the controlled host, and analyze the logged content;
  
  responsive to the user being designated as the authorized user, allow attempted communications from the one or more services to be received by the controlled host; and
  
  responsive to the user being designated as the unauthorized user, prevent attempted communications from the one or more services from being received by the controlled host,wherein the one or more services are connected directly to the device and include one or more of a display unit, a keyboard, and a mouse.
- View Dependent Claims (14)
- - 14. The device of claim 13, further comprising instructions executable by the processing resource to:
    - negotiate cryptographic keys between the controlled host and the one or more services;
      
      configure the attempted communications into one or more packets;
      
      evaluate internet protocol tables;
      
      filter media access control addresses;
      
      apply an address resolution protocol;
      
      check for a network intrusion;
      
      evaluate the one or more packets with a proxy server;
      
      apply a security protocol to the attempted communications;
      
      activate one or more communication protocols for communication between the controlled host and the one or more services through the devicecompare the one or more activated communication protocols with attempted communications from the one or more services to the controlled host;
      
      authorize attempted communications if the attempted communications are in compliance with the one or more activated communication protocols;
      
      prevent attempted communications if the attempted communications are not in compliance with the one or more activated communication protocols; and
      
      change the one or more activated communication protocols upon detecting attempted communications comprising one or more of;
      
      malicious intent; and
      
      malformed packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adventium Enterprises, Adventium Enterprises LLC
Original Assignee
Adventium Enterprises LLC
Inventors
Haigh, J Thomas, Gohde, Johnathan A, O'Brien, Richard C, Payne, Charles N Jr., VanRiper, Ryan A, Harp, Steven Alex
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US12/730,201
Publication Number

US 20110238979A1
Time in Patent Office

2,415 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/0853   using an additional device,...

H04L 63/102   Entity profiles

H04L 63/1441   Countermeasures against mal...

H04L 63/164   at the network layer

Device for preventing, detecting and responding to security threats

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Device for preventing, detecting and responding to security threats

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links