Dynamic access control

US 9,602,505 B1
Filed: 04/30/2014
Issued: 03/21/2017
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for securing data and computer systems, comprising:

receiving, at an intermediary network device, a request from a first client device to connect to a server;

verifying, by the intermediary network device, an identity of the server;

detecting, at the intermediary network device, that the server uses a one-time password (OTP) protocol, wherein detecting that the server uses an OTP protocol comprises comparing the identity of the server with a list of information identifying a plurality of servers that use the OTP protocol and associated user-defined policy protocol; and

performing, by the intermediary network device, an action according to the user-defined policy protocol based at least in part on the detecting, wherein performing the action comprises at least one of;

blocking, at the intermediary network device, a first connection between the first client device and a first computing device other than the server, the first computing device connected to the first client device via the intermediary network device; and

allowing, at the intermediary network device, a second connection between the first client device and a second computing device other than the server, the second computing device connected to the first client device via the intermediary network device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for securing data and computer systems is described. In one embodiment, a request to connect to a server is received at an intermediary network device. It is detected, at the intermediary network device, that the server uses a one-time password (OTP) protocol. Based at least in part on the detecting that the server uses an OTP protocol, an action is performed by the intermediary network device. The action may include blocking, at the intermediary network device, a connection other than the connection to the server that uses the OTP protocol.

21 Citations

View as Search Results

20 Claims

1. A method for securing data and computer systems, comprising:
- receiving, at an intermediary network device, a request from a first client device to connect to a server;
  
  verifying, by the intermediary network device, an identity of the server;
  
  detecting, at the intermediary network device, that the server uses a one-time password (OTP) protocol, wherein detecting that the server uses an OTP protocol comprises comparing the identity of the server with a list of information identifying a plurality of servers that use the OTP protocol and associated user-defined policy protocol; and
  
  performing, by the intermediary network device, an action according to the user-defined policy protocol based at least in part on the detecting, wherein performing the action comprises at least one of;
  
  blocking, at the intermediary network device, a first connection between the first client device and a first computing device other than the server, the first computing device connected to the first client device via the intermediary network device; and
  
  allowing, at the intermediary network device, a second connection between the first client device and a second computing device other than the server, the second computing device connected to the first client device via the intermediary network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 19)
- - 2. The method of claim 1, wherein the connection is blocked for a duration that is at least as long as a lifetime of an OTP used in the OTP protocol.
  - 3. The method of claim 1, further comprising:
    - allowing a connection between a second client device and a computing device other than the server, the second client being connected to the computing device via the intermediary network device.
  - 4. The method of claim 1, wherein detecting that the server uses OTP protocol comprises:
    - inspecting a secure socket layer (SSL) certificate received from the server.
  - 5. The method of claim 1, wherein detecting that the server uses OTP protocol comprises:
    - analyzing information preconfigured at the intermediary network device.
  - 6. The method of claim 1, wherein detecting that the server uses OTP protocol comprises:
    - detecting a keyword or pattern of characters in a uniform resource locator (URL) associated with the server.
  - 7. The method of claim 1, wherein the intermediary network device comprises at least one of a router, a switch, a modem, a firewall, a hub, a hotspot, a wireless access point, a server, a proxy server, a gateway device, an intrusion detection system (IDS) device, an intrusion prevention system (IPS) device, and an Internet service provider (ISP) device.
  - 8. The method of claim 1, further comprising:
    - receiving a request for credentials from the server; and
      
      providing, by the intermediary network device, a human-authentication challenge to control access to the server.
  - 9. The method of claim 1, further comprising:
    - upon verifying the identity of the server, allowing the request to connect to the server to proceed.
  - 19. The method of claim 3, further comprising:
    - performing one or more of the actions simultaneously.

10. A computing device configured for securing data and computer systems, comprising:
- a processor;
  
  memory in electronic communication with the processor;
  
  instructions stored in the memory, the instructions being executable by the processor to;
  
  receive, at an intermediary network device, a request from a first client device to connect to a server;
  
  verify, by the intermediary network device, an identity of the server;
  
  detect, at the intermediary network device, that the server uses a one-time password (OTP) protocol, wherein detecting that the server uses an OTP protocol comprises comparing the identity of the server with a list of information identifying a plurality of servers that use the OTP protocol and associated user-defined policy protocol; and
  
  perform, by the intermediary network device, an action according to the user-defined policy protocol based at least in part on the detecting, wherein performing the action comprises at least one of;
  
  blocking, at the intermediary network device, a first connection between the first client device and a first computing device other than the server, the first computing device connected to the first client device via the intermediary network device; and
  
  allowing, at the intermediary network device, a second connection between the first client device and a second computing device other than the server, the second computing device connected to the first client device via the intermediary network device.
- View Dependent Claims (11, 12, 13, 14, 20)
- - 11. The computing device of claim 10, wherein the connection is blocked for a duration that is at least as long as a lifetime of an OTP used in the OTP protocol.
  - 12. The computing device of claim 10, wherein the instructions are executable by the processor to:
    - allow a connection between a second client device and a computing device other than the server, the second client being connected to the computing device via the intermediary network device.
  - 13. The computing device of claim 10, wherein the instructions to detect that the server uses OTP protocol comprise instructions executable by the processor to:
    - inspect a secure socket layer (SSL) certificate received from the server; and
      
      analyze information preconfigured at the intermediary network device.
  - 14. The computing device of claim 10, wherein the instructions are executable by the processor to:
    - receive a request for credentials from the server; and
      
      provide, by the intermediary network device, a human-authentication challenge to control access to the server.
  - 20. The computing device of claim 12, wherein the instructions are executable by the processor to:
    - perform one or more of the actions simultaneously.

15. A computer-program product for securing data and computer systems, by a processor, the computer-program product comprising a non-transitory computer-readable medium storing instructions thereon, the instructions being executable by the processor to:
- receive, at an intermediary network device, a request from a first client device to connect to a server;
  
  verify, by the intermediary network device, an identity of the server;
  
  detect, at the intermediary network device, that the server uses a one-time password (OTP) protocol, wherein detecting that the server uses an OTP protocol comprises comparing the identity of the server with a list of information identifying a plurality of servers that use the OTP protocol and associated user-defined policy protocol; and
  
  perform, by the intermediary network device, an action according to the user-defined policy protocol based at least in part on the detecting, wherein performing the action comprises at least one of;
  
  blocking, at the intermediary network device, a first connection between the first client device and a first computing device other than the server, the first computing device connected to the first client device via the intermediary network device; and
  
  allowing, at the intermediary network device, a second connection between the first client device and a second computing device other than the server, the second computing device connected to the first client device via the intermediary network device.
- View Dependent Claims (16, 17, 18)
- - 16. The computer-program product of claim 15, wherein the connection is blocked for a duration that is at least as long as a lifetime of an OTP used in the OTP protocol.
  - 17. The computer-program product of claim 15, wherein the instructions are executable by the processor to:
    - allow a connection between a second client device and the computing device other than the server, the second client being connected to the computing device via the intermediary network device.
  - 18. The computer-program product of claim 17, wherein the instructions are executable by the processor to:
    - perform one or more of the actions simultaneously.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Schulman, Martin
Primary Examiner(s)
Abedin, Shanto M
Assistant Examiner(s)
LE, KHOI V

Application Number

US14/266,518
Time in Patent Office

1,056 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

Dynamic access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links