Filtering network data transfers

DC CAFC

US 9,686,193 B2
Filed: 02/18/2015
Issued: 06/20/2017
Est. Priority Date: 03/12/2013
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

receiving, by a computing system and from a computing device located in a first network, a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;

responsive to a determination by the computing system that the first portion of packets comprises data corresponding to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network, wherein the data indicates that the first portion of packets is destined for the second network;

applying, by the computing system and to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and

dropping, by the computing system, each packet in first portion of packets; and

responsive to a determination by the computing system that the second portion of packets comprises data that does not correspond to the criteria wherein the data indicates that the second portion of packets is destined for a third network;

applying, by the computing system and to each packet in the second portion of packets, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator configured to forward packets not associated with the particular type of data transfer toward the third network; and

forwarding, by the computing system, each packet in the second portion of packets toward the third network.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

Citations

20 Claims

1. A method comprising:
- receiving, by a computing system and from a computing device located in a first network, a plurality of packets, wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  responsive to a determination by the computing system that the first portion of packets comprises data corresponding to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network, wherein the data indicates that the first portion of packets is destined for the second network;
  
  applying, by the computing system and to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and
  
  dropping, by the computing system, each packet in first portion of packets; and
  
  responsive to a determination by the computing system that the second portion of packets comprises data that does not correspond to the criteria wherein the data indicates that the second portion of packets is destined for a third network;
  
  applying, by the computing system and to each packet in the second portion of packets, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator configured to forward packets not associated with the particular type of data transfer toward the third network; and
  
  forwarding, by the computing system, each packet in the second portion of packets toward the third network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 20)
- - 2. The method of claim 1, whereinthe first portion of packets comprises data indicating:
    - a protocol type associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a protocol type not associated with the particular type of data transfer.
  - 3. The method of claim 1, wherein:
    - the first portion of packets comprises data indicating a first destination port number associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a second destination port number not associated with the particular type of data transfer.
  - 4. The method of claim 1, wherein:
    - the first portion of packets comprises data associated with hypertext transfer protocol (HTTP), and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets does not comprise data associated with HTTP.
  - 5. The method of claim 1, wherein:
    - the first portion of packets comprises data associated with hypertext transfer protocol secure (HTTPS), and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets does not comprise data associated with HTTPS.
  - 6. The method of claim 1, wherein:
    - the first portion of packets comprises data associated with file transfer protocol (FTP), and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets does not comprise data associated with FTP.
  - 7. The method of claim 1, wherein:
    - the first portion of packets comprises data associated with real-time transport protocol (RTP), and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets does not comprise data associated with RTP.
  - 9. The method of claim 1, wherein:
    - receiving the plurality of packets comprises receiving packets comprising data associated with hypertext transfer protocol (HTTP);
      
      the first portion of packets comprises a first type of data associated with HTTP;
      
      the second portion of packets comprises a second type of data associated with HTTP; and
      
      applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises the first type of data.
  - 10. The method of claim 9, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises data corresponding to an HTTP POST method.
  - 11. The method of claim 9, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises data corresponding to an HTTP PUT method.
  - 12. The method of claim 9, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises data corresponding to an HTTP DELETE method.
  - 13. The method of claim 9, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises data corresponding to an HTTP CONNECT method.
  - 14. The method of claim 9, wherein applying the first operator configured to forward packets not associated with the particular type of data transfer toward the second network is performed responsive to a determination by the computing system that the second portion of packets comprises the second type of data.
  - 15. The method of claim 9, wherein applying the first operator configured to forward packets not associated with the particular type of data transfer toward the second network is performed responsive to a determination by the computing system that the second portion of packets comprises data corresponding to an HTTP GET method.
  - 16. The method of claim 1, wherein applying the first operator configured to drop packets associated with the particular type of data transfer is performed responsive to a determination by the computing system that the first portion of packets comprises data corresponding to a particular transport layer security (TLS) version value.
  - 17. The method of claim 1, wherein applying the first operator configured to forward packets not associated with the particular type of data transfer toward the second network is performed responsive to a determination by the computing system that the second portion of packets comprises data corresponding to a particular transport layer security (TLS) version value.
  - 20. The method of claim 1, wherein:
    - the first portion of packets comprises data indicating;
      
      a first source port number associated with the particular type of data transfer, and corresponding to the criteria specified by the one or more packet-filtering rules; and
      
      the second portion of packets comprises data indicating a second source port number not associated with the particular type of data transfer.

8. A method comprising:
- receiving, by a computing system and from a computing device located in a first network, a plurality of packets;
  
  responsive to a determination by the computing system that a first packet of the plurality of packets comprises data associated with eXtensible messaging and presence protocol (XMPP) and the data corresponds to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network;
  
  applying, by the computing system and to the first packet, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and
  
  dropping, by the computing system, the first packet; and
  
  responsive to a determination by the computing system that a second packet of the plurality of packets does not comprise data associated with XMPP;
  
  applying, by the computing system, to the second packet, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator configured to forward packets not associated with the particular type of data transfer toward the second network; and
  
  forwarding, by the computing system, the second packet toward the second network.

18. A system comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the system to;
  
  receive, from a computing device located in a first network, a plurality of packets wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  responsive to a determination that the first portion of packets comprises data corresponding to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network, wherein the data indicates that the first portion of packets is destined for the second network;
  
  apply, to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and
  
  drop each packet in the first portion of packets; and
  
  responsive to a determination that the second portion of packets comprises data that does not correspond to the criteria, wherein the data indicates that the second portion of packets is destined for a third network;
  
  apply, to each packet in the second portion of packets, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator configured to forward packets not associated with the particular type of data transfer toward the third network; and
  
  forward each packet in the second portion of packets toward the third network.

19. One or more non-transitory computer-readable media comprising instructions that when executed by one or more computing devices cause the one or more computing devices to:
- receive, from a computing device located in a first network, a plurality of packets wherein the plurality of packets comprises a first portion of packets and a second portion of packets;
  
  responsive to a determination that the first portion of packets comprises data corresponding to criteria specified by one or more packet-filtering rules configured to prevent a particular type of data transfer from the first network to a second network, wherein the data indicates that the first portion of packets is destined for the second network;
  
  apply, to each packet in the first portion of packets, a first operator, specified by the one or more packet-filtering rules, configured to drop packets associated with the particular type of data transfer; and
  
  drop each packet in the first portion of packets; and
  
  responsive to a determination that the second portion of packets comprises data that does not correspond to the criteria, wherein the data indicates that the second portion of packets is destined for a third network;
  
  apply, to each packet in the second portion of packets, and without applying the one or more packet-filtering rules configured to prevent the particular type of data transfer from the first network to the second network, a second operator, configured to forward packets not associated with the particular type of data transfer toward the third network; and
  
  forward each packet in the second portion of packets toward the third network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean
Primary Examiner(s)
NGUYEN, ANH NGOC M

Application Number

US14/625,486
Publication Number

US 20160072709A1
Time in Patent Office

853 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Filtering network data transfers

First Claim

4 Assignments

Litigations

2 Petitions

Reexamination

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering network data transfers

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links