Evaluating a questionable network communication
First Claim
1. A method in a computing system for controlling communication, comprising:
in a computing system, evaluating a network communication that is transported at least in part by one or more network packets each having a header section and a payload section, the network packets received from a questionable network node, by:
receiving a predefined white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of a program that is allowed to communicate via the network address, the indication of the program including a program name and/or a hash of the program code;
determining a first internet protocol (IP) address corresponding to the network communication, wherein the first IP address is based on contents of the payload section of a first one of the network packets received from the questionable network node;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
determining a communicating program that is executing on the computing system and that is participating in the network communication;
determining whether the communicating program matches the program indicated as allowable by the entry in the white list; and
in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed.
Abstract
Identifying a questionable network address from a network communication. In an embodiment, a network device receives an incoming or outgoing connection request, a web page, an email, or other network communication. An evaluation module evaluates the network communication for a corresponding network address, which may be for the source or destination of the network communication. The network address generally includes an IP address, which may be obtained from the payload section of a network packet. The evaluation module determines one or more properties of the network communication, such as time of day, content type, directionality, or the like. The evaluation module then determines whether the properties match or are otherwise allowed based on properties specified in the white list in association with the IP address.
19 Claims
1. A method in a computing system for controlling communication, comprising:
in a computing system, evaluating a network communication that is transported at least in part by one or more network packets each having a header section and a payload section, the network packets received from a questionable network node, by:
receiving a predefined white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of a program that is allowed to communicate via the network address, the indication of the program including a program name and/or a hash of the program code;
determining a first internet protocol (IP) address corresponding to the network communication, wherein the first IP address is based on contents of the payload section of a first one of the network packets received from the questionable network node;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
determining a communicating program that is executing on the computing system and that is participating in the network communication;
determining whether the communicating program matches the program indicated as allowable by the entry in the white list; and
in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed.
(Claims 2 to 16 depend on claim 1.)
17. A non-transitory computer readable medium, comprising executable instructions for causing a computing device to perform a method comprising:
by the computing system, evaluating a network communication that is transported at least in part by one or more network packets each having a header section and a payload section, the network packets received from a questionable network node, by:
receiving a predefined white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of allowable access times, an allowable user, and allowable data type, the white list including indications of multiple allowable data types, including executable code, script, macro, audio, video, image, and text;
determining a first internet protocol (IP) address corresponding to the network communication, wherein the first IP address is based on contents of the payload section of a first one of the network packets received from the questionable network node;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
determining a time at which the network communication is occurring;
determining a user associated with the network communication;
determining a data type corresponding to data transferred via the network connection;
determining whether the determined time matches or is encompassed by the access times indicated as allowable by the entry in the white list;
determining whether the determined user matches or is encompassed by the user indicated as allowable by the entry in the white list;
determining whether the determined data type matches the data type indicated as allowable by the entry in the white list; and
in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed.
18. A system for controlling communication, comprising:
a communication interface for communication with a network resource, the communication interface including a TCP/IP stack;
a memory for storing instructions; and
a processor in communication with the communication interface and with the memory, wherein the processor is configured to evaluate a network communication that is transported at least in part by one or more network packets each having a header section and a payload section, the network packets received from a questionable network node, by:
receiving a predefined white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties, wherein the allowable communication properties in the white list include, for each network address in the white list, an indication of a program that is allowed to communicate via the network address, the indication of the program including a program name and/or a hash of the program code;
determining a first internet protocol (IP) address corresponding to the network communication, wherein the first IP address is based on contents of the payload section of a first one of the network packets received from the questionable network node;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the first IP address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
determining a communicating program that is executing on the computing system and that is participating in the network communication;
determining whether the communicating program matches the program indicated as allowable by the entry in the white list; and
in response to determining that the first communication property is not encompassed by the second communication property, setting an indicator that the network communication is not allowed.
(Claim 19 depends on claim 18.)
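The abstract and claims 1, 17 and 18 describe one evaluation procedure: take the IP address from the payload of the first packet, look up the white-list entry for that address, and compare each determined property of the communication (program name and code hash, time of day, user, data type) against the allowable properties of that entry, setting a "not allowed" indicator when any property is not encompassed. The following is an added example of that procedure written for this page; it is not code from the patent, and the white-list entries, program bytes, payloads and IP addresses (documentation ranges) are constructed for illustration. It also covers two points the claims leave implicit: a payload can contain a malformed dotted quad that must be rejected before lookup, and an access window can wrap midnight.

```python
"""Added example (not from the patent): white-list evaluation of a network
communication whose IP address is read from a packet payload."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class WhiteListEntry:
    """Allowable properties for one trusted IP address; None/empty = unconstrained."""
    program_name: Optional[str] = None
    program_hash: Optional[str] = None      # hex SHA-256 of the allowed program code
    access_window: Optional[tuple] = None   # (start, end) as datetime.time
    users: frozenset = frozenset()
    data_types: frozenset = frozenset()


@dataclass(frozen=True)
class Communication:
    """Determined properties of one network communication (constructed input)."""
    payload: bytes          # payload section of the first packet from the node
    program_name: str       # program on this host taking part in the communication
    program_code: bytes     # its code, hashed for comparison with the white list
    at: time                # time of day at which the communication occurs
    user: str
    data_type: str          # e.g. "text", "image", "executable code"


# Dotted-quad candidates; ipaddress validates them so "999.1.1.1" is rejected.
_IPV4_CANDIDATE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def address_from_payload(payload: bytes) -> Optional[str]:
    """First syntactically valid IPv4 address in the payload section, or None."""
    for match in _IPV4_CANDIDATE.finditer(payload):
        try:
            return str(ipaddress.IPv4Address(match.group().decode("ascii")))
        except ipaddress.AddressValueError:
            continue
    return None


def _in_window(at: time, window: tuple) -> bool:
    """True if `at` falls in the window; handles windows that wrap midnight."""
    start, end = window
    if start <= end:                        # e.g. 08:00 to 18:00
        return start <= at <= end
    return at >= start or at <= end         # e.g. 22:00 to 06:00


def evaluate(white_list: dict, comm: Communication) -> list:
    """Reasons the communication is not allowed; an empty list means allowed."""
    addr = address_from_payload(comm.payload)
    if addr is None:
        return ["no IP address found in payload"]
    entry = white_list.get(addr)
    if entry is None:
        return [f"{addr} is not in the white list"]
    reasons = []
    if entry.program_name is not None and comm.program_name != entry.program_name:
        reasons.append(f"program {comm.program_name!r} is not {entry.program_name!r}")
    if entry.program_hash is not None:
        if hashlib.sha256(comm.program_code).hexdigest() != entry.program_hash:
            reasons.append("program code hash does not match white list")
    if entry.access_window is not None and not _in_window(comm.at, entry.access_window):
        reasons.append(f"time {comm.at.isoformat()} is outside the allowed window")
    if entry.users and comm.user not in entry.users:
        reasons.append(f"user {comm.user!r} is not allowed")
    if entry.data_types and comm.data_type not in entry.data_types:
        reasons.append(f"data type {comm.data_type!r} is not allowed")
    return reasons


# Constructed white list and sample communications; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
MAILER_CODE = b"stand-in bytes for the trusted mailer program"
WHITE_LIST = {
    "203.0.113.10": WhiteListEntry(
        program_name="mailer",
        program_hash=hashlib.sha256(MAILER_CODE).hexdigest(),
        access_window=(time(8, 0), time(18, 0)),
        users=frozenset({"alice"}),
        data_types=frozenset({"text", "image"}),
    ),
}
ALLOWED = Communication(b"GET http://203.0.113.10/inbox HTTP/1.1\r\n", "mailer",
                        MAILER_CODE, time(9, 30), "alice", "text")
BLOCKED = Communication(b"connect 203.0.113.10:4444", "mailer",
                        b"different bytes: a program renamed to mailer",
                        time(2, 15), "bob", "executable code")
UNLISTED = Communication(b"Location: http://198.51.100.7/update.bin", "mailer",
                         MAILER_CODE, time(9, 30), "alice", "text")

if __name__ == "__main__":
    for label, comm in (("allowed", ALLOWED), ("blocked", BLOCKED), ("unlisted", UNLISTED)):
        print(label, evaluate(WHITE_LIST, comm) or "allowed")
```

The hash comparison is what makes the program check meaningful: in `BLOCKED` the name matches the entry but the code does not, and the communication is still refused. Note that the address is taken from the payload, not from the packet header, so the header's source address and the payload-derived address can differ; an evaluator that trusts only one of them should say which.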