Evaluating a questionable network communication

US 9,912,677 B2
Filed: 02/03/2016
Issued: 03/06/2018
Est. Priority Date: 09/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system for controlling communication, comprising:

in a computing system, evaluating a network communication that is transported at least in part by network packets each having a header section and a payload section, by;

receiving one or more indications of allowable communication properties;

receiving an indication that a listening port has been opened on the computing system;

receiving an indication that the network communication has been established via the listening port; and

determining a first communication property that is associated with the network communication;

determining a second communication property that is one of the one or more allowable communication properties;

determining whether the network communication is allowable based on whether the first communication property is encompassed by the second communication property, including one or more of;

a property of a program that is using the listening port, including the identity of the program and/or whether the program is an interactive program, a batch program, or a system service;

a first IP address and/or port associated with the network communication;

a geographic location associated with the first IP address;

a connection limit based on the first IP address or the geographic location, the first IP address being a source or destination IP address;

a time of day; and

a network interface that is associated with the network communication; and

in response to determining that the network communication is not allowable, setting an indicator that the network communication is not allowed.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for evaluating a questionable network communication are disclosed. In some implementations, an evaluation module determines whether a network communication is allowable based on one or more factors, including the listening port, a geographic location, time of day, or the like. In some cases, utilization of a listening port may be limited, such as by restricting the number of network connections that can be opened via the listening port.

Citations

20 Claims

1. A method in a computing system for controlling communication, comprising:
- in a computing system, evaluating a network communication that is transported at least in part by network packets each having a header section and a payload section, by;
  
  receiving one or more indications of allowable communication properties;
  
  receiving an indication that a listening port has been opened on the computing system;
  
  receiving an indication that the network communication has been established via the listening port; and
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is one of the one or more allowable communication properties;
  
  determining whether the network communication is allowable based on whether the first communication property is encompassed by the second communication property, including one or more of;
  
  a property of a program that is using the listening port, including the identity of the program and/or whether the program is an interactive program, a batch program, or a system service;
  
  a first IP address and/or port associated with the network communication;
  
  a geographic location associated with the first IP address;
  
  a connection limit based on the first IP address or the geographic location, the first IP address being a source or destination IP address;
  
  a time of day; and
  
  a network interface that is associated with the network communication; and
  
  in response to determining that the network communication is not allowable, setting an indicator that the network communication is not allowed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the first communication property is a total number of current connections opened via the listening port, wherein the second communication property is a maximum allowed number of connections that can be opened via the listening port, and wherein determining whether the network communication is allowable includes:
    - determining whether the total number of current connections is less than the maximum allowed number of connections.
  - 3. The method of claim 2, further comprising determining the maximum number of allowed connections based on the first IP address.
  - 4. The method of claim 2, further comprising determining the maximum number of allowed connections based on a geographic location associated with the first IP address.
  - 5. The method of claim 1, wherein the connection limit is expressed as one of:
    - a maximum number of current connections established via the listening port, a maximum number of connections opened via the listening port during a time interval, a maximum bandwidth utilization by connections established via the listening port.
  - 6. The method of claim 1, wherein the first communication property includes a name or type of program that is communicating via the network communication, wherein the second communication property includes a name or type of program that is allowed to communicate via the listening port, and wherein determining whether the network communication is allowable includes:
    - determining whether the name or type of the communicating program matches the name or type of program that is allowed to communicate via the listening port.
  - 7. The method of claim 6, wherein the type of program that is allowed to communicate is one or more of an interactive program, a batch program, and a system service.
  - 8. The method of claim 7, further comprising determining whether the communicating program is operating in interactive or non-interactive mode by checking whether the communicating program has is an active console, user interface window, or interactive input device.
  - 9. The method of claim 1, further comprising:
    - determining that a denial of service attack is in progress, based on a number of connections opened during a time interval, wherein all of the connections are to a same destination address; and
      
      refusing to open additional connections to the destination address.
  - 10. The method of claim 1, further comprising:
    - determining the first IP address, wherein the first IP address is based on contents of the payload section of a network packet received via the network communication.
  - 11. The method of claim 10, wherein the first IP address is an IP address stored in a source address field of an IP packet encapsulated in the payload section of the network packet.
  - 12. The method of claim 10, wherein determining the first IP address includes:
    - translating a domain name into the first IP address, wherein the domain name is stored in the payload section of the first network packet.
  - 13. The method of claim 10, wherein the network communication is an HTTP communication, wherein the first IP address is obtained based on an IP address value located in an X-Forwarded-For field located in the payload section of the first network packet.
  - 14. The method of claim 1, wherein the network communication is an INVITE request of a SIP communication, wherein the first IP address is obtained based on a FROM or CONTACT field located in the payload section of the first network packet.
  - 15. The method of claim 1, wherein the network packets are VPN packets, wherein the first IP address is an IP source address located in a header section of a packet encapsulated in the payload section of the first network packet, wherein the packet is encapsulated according to one of PPTP, IPsec, and L2TP.
  - 16. The method of claim 15, wherein the packet encapsulated in the payload section of the first network packet is encrypted.
  - 17. The method of claim 1, wherein the allowable communication properties in the white list include, for each of multiple network addresses in the white list, an indication of an allowable geographic location, and further comprising:
    - determining, by querying a geo-location information provider, a geographic location associated with the first IP address; and
      
      determining whether the geographic location associated with the first IP address matches or is encompassed by the geographic location indicated as allowable by the entry in the white list.
  - 18. The method of claim 1, wherein the allowable communication properties in the white list include an indication of allowable access times, an allowable user, and allowable data type, the white list including indications of multiple allowable data types, including executable code, script, macro, audio, video, image, and text, and further comprising:
    - determining a time at which the network communication is occurring;
      
      determining a user associated with the network communication;
      
      determining a data type corresponding to data transferred via the network connection; and
      
      determining whether the determined time matches or is encompassed by the access times indicated as allowable by the entry in the white list;
      
      determining whether the determined user matches or is encompassed by the user indicated as allowable by the entry in the white list; and
      
      determining whether the determined data type matches the data type indicated as allowable by the entry in the white list.
  - 19. A non-transitory computer readable medium, comprising executable instructions for causing a computing device to perform the method of claim 1.

20. A system for controlling communication, comprising:
- a communication interface for communication with a network resource, the communication interface including a TCP/IP stack;
  
  a memory that stores instructions; and
  
  a processor in communication with the communication interface and with the memory, wherein the processor is configured to evaluate a network communication that is transported at least in part by network packets each having a header section and a payload section, by;
  
  receiving one or more indications of allowable communication properties;
  
  receiving an indication that a listening port has been opened on the computing system;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is one of the one or more allowable communication properties, the second communication property including;
  
  a property of a program that is using the listening port, including the identity of the program and/or whether the program is an interactive program, a batch program, or a system service; and
  
  /ora connection limit based on a first IP address and a geographic location associated with the first IP address, the first IP address being a source or destination IP address determined based on the payload of a network packet;
  
  determining whether the network communication is allowable based on whether the first communication property is encompassed by the second communication property; and
  
  in response to determining that the network communication is not allowable, setting an indicator to one of the following;
  
  the communication operation is not allowed;
  
  a warning is to be provided prior to allowing the communication operation; and
  
  an instruction is needed from a user to determine whether the communication operation is allowed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daniel Chien
Original Assignee
Daniel Chien
Inventors
Chien, Daniel
Primary Examiner(s)
ALGIBHAH, HAMZA N

Application Number

US15/014,906
Publication Number

US 20160248795A1
Time in Patent Office

762 Days
Field of Search

709229
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2119   Authenticating web pages, e...

G06Q 30/06   Buying, selling or leasing ...

G06Q 40/00   Finance; Insurance; Tax str...

H04L 2101/663   Transport layer addresses, ...

H04L 43/0876   Network utilisation, e.g. v...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1483   service impersonation, e.g....

H04L 67/52   specially adapted for the l...

Evaluating a questionable network communication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating a questionable network communication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links