File manifest filter for unidirectional transfer of files

US 9,736,121 B2
Filed: 01/23/2013
Issued: 08/15/2017
Est. Priority Date: 07/16/2012
Status: Active Grant

First Claim

Patent Images

1. A manifest transfer engine comprising:

a send side client computer configured to receive and store a file manifest table having a list of file characteristics from an administrator server computer via a first dedicated Transmission Control Protocol (TCP) port, to receive a file from a user via a second separate dedicated TCP port and compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list, to transfer the file on an output;

a one-way data link having a single input coupled to the output of the send side client computer and a single output, and configured to enforce unidirectional data flow only from the single input to the single output;

a receive side server computer having an input coupled to the single output of the one-way data link and configured to receive transferred files via the input;

wherein the send side client computer is coupled to the receive side server computer only via the one-way data link such that no data or signals can be transmitted from the receive side server computer to the send side client computer;

wherein the receive side server computer has no communications path for transmitting TCP handshake signals to the send side server computer;

wherein send side server computer removes all internet protocol information from each file prior to transfer of that file on the output;

wherein the send side client computer deletes or quarantines any received file when there is no match between the received file characteristic for that received file and the list of file characteristics in the file manifest table; and

wherein the first dedicated TCP port and the second dedicated TCP port are each the same TCP port during operation.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A manifest transfer engine for a one-way file transfer system is disclosed. The manifest transfer engine comprises a send side, a receive side, and a one-way data link enforcing unidirectional data flow from the send side to the receive side. The send side receives and stores a file manifest table from an administrator server. The send side also receives a file from a user and compares it with the file manifest table. Transfer of the file to the receive side via the one-way data link is allowed only when there is a match between the file and the file manifest table. In an alternative embodiment, the receive side instead receives and stores the file manifest table from the administrator server and compares it with the file received from the send side via the one-way data link to determine whether to allow transfer of the file.

Citations

27 Claims

1. A manifest transfer engine comprising:
- a send side client computer configured to receive and store a file manifest table having a list of file characteristics from an administrator server computer via a first dedicated Transmission Control Protocol (TCP) port, to receive a file from a user via a second separate dedicated TCP port and compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list, to transfer the file on an output;
  
  a one-way data link having a single input coupled to the output of the send side client computer and a single output, and configured to enforce unidirectional data flow only from the single input to the single output;
  
  a receive side server computer having an input coupled to the single output of the one-way data link and configured to receive transferred files via the input;
  
  wherein the send side client computer is coupled to the receive side server computer only via the one-way data link such that no data or signals can be transmitted from the receive side server computer to the send side client computer;
  
  wherein the receive side server computer has no communications path for transmitting TCP handshake signals to the send side server computer;
  
  wherein send side server computer removes all internet protocol information from each file prior to transfer of that file on the output;
  
  wherein the send side client computer deletes or quarantines any received file when there is no match between the received file characteristic for that received file and the list of file characteristics in the file manifest table; and
  
  wherein the first dedicated TCP port and the second dedicated TCP port are each the same TCP port during operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The manifest transfer engine of claim 1, wherein the file manifest table comprises a list of registered hash numbers;
    - and wherein the send side client computer compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 3. The manifest transfer engine of claim 2, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of Message-Digest 5 (MD5) 128-bit checksum, Secure Hash Algorithm (SHA) 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 4. The manifest transfer engine of claim 2, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 5. The manifest transfer engine of claim 1, wherein the file manifest table is an American Standard Code for Information Interchange (ASCII) text file.
  - 6. The manifest transfer engine of claim 1, wherein the send side client computer is further configured to apply a filter to the file manifest table upon receiving it from the administrator server computer and prior to storing it.
  - 7. The manifest transfer engine of claim 1, further comprising a Universal Serial Bus (USB) interface configured to transfer the user file from a USB memory device coupled to the USB interface to the send side client computer.
  - 8. The manifest transfer engine of claim 1, wherein the file manifest table is not accessible by the user transferring the file.
  - 9. The manifest transfer engine of claim 1, wherein the one-way data link is formed from an optical transmitter having an input acting as the single input of the one-way data link and an output, an optical link having a first end coupled to the output of the optical transmitter and a second end, and an optical receiver having an input coupled to the second end of the optical link and an output acting as the single output of the one-way data link.

10. A system for one-way transfer of files, comprising:
- an administrator server computer configured to create and output a file manifest table having a list of file characteristics; and
  
  a manifest transfer engine comprising a send side client computer, a receive side server computer, and a one-way data link having a single input coupled to an output of the send side client computer and a single output coupled to an input of the receive side server computer, the one-way data link enforcing unidirectional data flow only from the single input to the single output;
  
  wherein the send side client computer is configured to receive and store a file from a file source client, to receive and store the file manifest table, to compare an identifying characteristic of the received file with the list of file characteristics in the file manifest table, and, only if there is a match between the received file characteristic and an entry in the list of file characteristics in the file manifest table, to transfer the file to the receive side server computer via the one-way data link;
  
  wherein the receive side server computer is configured to forward received files to a file destination server computer;
  
  wherein the send side client computer is coupled to the receive side server computer only via the one-way data link such that no data or signals can be transmitted from the receive side server computer to the send side client computer; and
  
  wherein the send side client computer of the manifest transfer engine receives the file manifest table from the administrator server computer via a first dedicated Transmission Control Protocol (TCP) port and the file from the file source client via a second separate dedicated TCP port;
  
  wherein the receive side server computer has no communications path for transmitting TCP handshake signals to the send side server computer;
  
  wherein send side server computer removes all internet protocol information from each file prior to transfer of that file on the output;
  
  wherein the send side client computer deletes or quarantines any received file when there is no match between the received file characteristic for that received file and the list of file characteristics in the file manifest table; and
  
  wherein the first dedicated TCP port and the second dedicated TCP port are each the same TCP port during operation.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The system of claim 10, wherein:
    - the administrator server computer and the file source client are located in a same network.
  - 12. The system of claim 10, wherein the administrator server computer and the file source client are located on different networks.
  - 13. The system of claim 10, further comprising a second one-way data link coupled between the administrator server computer and the send side client computer of the manifest engine;
    - and wherein the administrator server computer is connected to an insecure network, and the send side client computer of the manifest transfer engine receives the file manifest table from the administrator server computer via the second one-way data link.
  - 14. The system of claim 13, wherein the insecure network is a cloud network or the Internet.
  - 15. The system of claim 10, wherein the administrator server computer is further configured to create and output a second file manifest table having a second list of file characteristics and further comprising:
    - a second manifest transfer engine comprising a second send side client computer, a second receive side server computer, and a second one-way data link enforcing unidirectional data flow from the second send side client computer to the second receive side server computer; and
      
      wherein the second send side client computer is configured to receive and store a file from a second file source client, to receive and store the second manifest filter table, to compare an identifying characteristic of the received file with the second list of file characteristics in the second file manifest table, and, only if there is a match between the received file characteristic and an entry in the second list of file characteristics in the second file manifest table, to transfer the file to the second receive side server computer via the second one-way data link; and
      
      wherein the second receive side server computer is configured to forward received files to a second file destination server computer.
  - 16. The system of claim 10, wherein the file manifest table comprises a list of registered hash numbers;
    - and wherein the send side client computer compares the received file characteristic with the list of file characteristics in the file manifest table by computing a hash number for the received file and comparing the computed hash number with the registered hash numbers in the list of file characteristics in the file manifest table.
  - 17. The system of claim 16, wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of Message-Digest 5 (MD5) 128-bit checksum, Secure Hash Algorithm (SHA) 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 18. The system of claim 16, wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 19. The system of claim 10, wherein the file manifest table is an American Standard Code for Information Interchange (ASCII) text file.
  - 20. The system of claim 10, wherein the send side client computer is further configured to apply a filter to the file manifest table upon receiving it from the administrator server computer and prior to storing it.

21. A method of file manifest filtering for file transfer across a one-way data link coupling a send side client computer to a receive side server computer, the one-way data link having a single input coupled to an output of the send side client computer and a single output coupled to an input of the receive side client computer, the one-way data link configured to enforce unidirectional data flow only from the single input to the single output, the send side client computer coupled to the receive side server computer only via the one-way data link, the receive side server computer having no communications path for transmitting TCP handshake signals to the send side server computer, comprising the steps of:
- maintaining a file manifest table received via a first dedicated Transmission Control Protocol (TCP) port containing a list of file characteristics in the send side client computer;
  
  receiving a file from a user in the send side client computer via a second separate dedicated TCP port;
  
  computing an identifying characteristic for the received file in the send side client computer;
  
  comparing the computed characteristic with the list of file characteristics in the file manifest table in the send side client computer;
  
  only if there is a match between the computed characteristic and an entry in the list of file characteristics in the file manifest table, removing all internet protocol information from the file and transferring the file to the receive side server computer across the one-way data link;
  
  only if there is no match between the computed characteristic and an entry in the list of file characteristics in the file manifest table, deleting or quarantining the received file in the send side client computer; and
  
  wherein the first dedicated TCP port and the second dedicated TCP port are each the same TCP port during operation.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21, wherein the step of maintaining a file manifest table comprises:
    - receiving the file manifest table from an administrator server computer coupled to the send side client computer via the first dedicated TCP port;
      
      applying a filter to the received file manifest table in the send side client computer; and
      
      storing the received file manifest table in the send side client computer if validated by the filter.
  - 23. The method of claim 21, wherein the step of maintaining a file manifest table comprises receiving the file manifest table from an administrator server computer via a second one-way data link.
  - 24. The method of claim 21, wherein the computed characteristic comprises a file hash number and wherein the file manifest table supports at least one hash code algorithm selected from the group consisting of Message-Digest 5 (MD5) 128-bit checksum, Secure Hash Algorithm (SHA) 160 bit checksum, SHA 224 bit checksum, SHA 256 bit checksum, SHA 384 bit checksum, and SHA 512 bit checksum.
  - 25. The method of claim 24, wherein the computed characteristic comprises a file hash number and wherein the file manifest table is based on hash numbers provided by the user and/or hash numbers of software updates that are publicly available.
  - 26. The method of claim 21, wherein the file manifest table is an American Standard Code for Information Interchange (ASCII) text file.
  - 27. The method of claim 21, wherein the step of receiving a file from a user comprises downloading the file from a Universal Serial Bus (USB) memory device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OWL Cyber Defense Solutions LLC
Original Assignee
OWL Cyber Defense Solutions LLC
Inventors
Mraz, Ronald, Hope, James
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US13/747,771
Publication Number

US 20140020109A1
Time in Patent Office

1,665 Days
Field of Search

726 26
US Class Current
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/0428 wherein the data content is...

File manifest filter for unidirectional transfer of files

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

File manifest filter for unidirectional transfer of files

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links