Private network request forwarding

US 9,930,012 B1
Filed: 01/05/2016
Issued: 03/27/2018
Est. Priority Date: 11/30/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for packet handling, the method comprising:

receiving, by a first delivery node of a public network having a public Internet Protocol (IP) address, one or more data packets from a user node via the public network;

determining, by the first delivery node, a risk level for a data packet based upon one or more characteristics of the data packet,wherein the risk level is determined based upon at least one of origin of the data packet, historical trends associated with the data packet, an expired token of the data packet, and missing header elements in the data packet;

upon the first delivery node of the content delivery network determining that the risk level of the data packet satisfies a risk threshold;

transmitting, by the first delivery node, the data packet to a second delivery node coupled to the public network and a private network, the second delivery node having a private IP address associated with the private network; and

upon the second delivery node determining that the request is compliant with a routing policy of the private network, transmitting, by the second delivery node, the data packet via the private network to a provider node of a content provider network,wherein the user node is logically external to the content delivery network and the content provider network, andwherein the routing policy defines one or more pre-determined paths associated with a request before that request is transmitted from the user node to the provider node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Private network request forwarding can include receiving a request from a user for Internet services over a public network. Private network request forwarding can include analyzing the request and determining whether the request is legitimate. Private network request forwarding can include forwarding the request to an entity through a private network when it is determined that the request is legitimate, wherein the user has access to the entity through a proxy.

25 Citations

View as Search Results

22 Claims

1. A computer-implemented method for packet handling, the method comprising:
- receiving, by a first delivery node of a public network having a public Internet Protocol (IP) address, one or more data packets from a user node via the public network;
  
  determining, by the first delivery node, a risk level for a data packet based upon one or more characteristics of the data packet,wherein the risk level is determined based upon at least one of origin of the data packet, historical trends associated with the data packet, an expired token of the data packet, and missing header elements in the data packet;
  
  upon the first delivery node of the content delivery network determining that the risk level of the data packet satisfies a risk threshold;
  
  transmitting, by the first delivery node, the data packet to a second delivery node coupled to the public network and a private network, the second delivery node having a private IP address associated with the private network; and
  
  upon the second delivery node determining that the request is compliant with a routing policy of the private network, transmitting, by the second delivery node, the data packet via the private network to a provider node of a content provider network,wherein the user node is logically external to the content delivery network and the content provider network, andwherein the routing policy defines one or more pre-determined paths associated with a request before that request is transmitted from the user node to the provider node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, further comprising:
    - receiving, by the first delivery node, from the provider node a response data packet via the private network; and
      
      transmitting, by the first delivery node, to the user node via the public network the response data packet.
  - 3. The method according to claim 2, further comprising:
    - receiving, by the first delivery node, a second data packet from the user node via the public network; and
      
      transmitting, by the first delivery node, the second data packet via the second delivery node via the private network to the provider node of the content provider network.
  - 4. The method according to claim 3, further comprising determining, by the first delivery node, the risk level for the second data packet based upon a set of one or more characteristics of the second data packet, upon the first delivery node receiving the second data packet from the user node via the public network.
  - 5. The method according to claim 1, wherein a characteristic of the data packet is selected from the group consisting of:
    - a source device identifier, a source user, a source device address, a source geographic location, a malicious code indicator, and a computing service request.
  - 6. The method according to claim 1, wherein each provider node of the content provider network is not directly addressable to each user node of the public network, wherein each user node is logically external to the content provider network and the content delivery network.
  - 7. The method according to claim 1, wherein determining the risk level further comprises:
    - determining, by at least one delivery node of the content delivery network, a threat value associated with a characteristic of the data packet; and
      
      calculating, by the delivery node, a risk score for the data packet indicating the risk level based upon at least one threat value for at least one characteristic of the data packet.
  - 8. The method according to claim 7, wherein the first delivery node transmits the data packet to the provider node via the second delivery node upon determining the risk score for the data packet satisfies a threshold score for the risk threshold.
  - 9. The method according to claim 1, further comprising:
    - forwarding, by the first delivery node, the data packet to a third delivery node to gather further information that is associated with the data packet when the first delivery node determines that the risk level for the data packet does not satisfy a risk threshold.

10. A content delivery network computing system comprising:
- at least one inbound data node having a public Internet Protocol (IP) address associated with a public network, and comprising a processor configured to receive one or more data packets from a user node via the public network and to determine a risk level for the data packet based upon a first characteristic of the data packet;
  
  at least one analysis node having a public IP address associated with the public network and a private IP address associated with the content delivery network, and comprising a processor configured to determine whether the one or more data packets are compliant with a routing policy of the content delivery network,wherein the risk level is determined based upon at least one of origin of the data packet, historical trends associated with the data packet, an expired token of the data packet, and missing header elements in the data packet, andwherein the routing policy defines one or more pre-determined paths associated with a request before that request is transmitted from the user node to a provider node of a content provider network; and
  
  at least one forwarding node having a private IP address of the content provider network associated with the content provider network, and comprising a processor configured to transmit the data packet to the provider node of the content provider network when the at least one inbound data node determines that the risk level for the data packet satisfies a risk threshold and the at least one analysis node determines that the data packet is compliant with the routing policy of the content delivery network,wherein the at least one forwarding node is not directly addressable to the user node, andwherein the content provider network is a private network.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system according to claim 10, further comprising a proxy server having a private IP address associated with the content provider network and a public IP address associated with the public network, and comprising a processor configured to:
    - receive a second data packet from the user node via the public network; and
      
      transmit the second data packet to the provider node of the content provider network.
  - 12. The system according to claim 11, wherein the proxy server transmits the second data packet to the provider node upon determining that the second data packet satisfies the risk threshold.
  - 13. The system according to claim 11, wherein the proxy server is further configured to:
    - receive a response data packet from at least one provider node of the provider network via the private network; and
      
      transmit the response data packet to the user node via the public network.
  - 14. The system according to claim 10, further comprising:
    - at least one network device logically segmenting each node of the content delivery network from each node the public network; and
      
      at least one network device logically segmenting each node of the content delivery network from each node of the content provider network,wherein each node of the content provider network is not directly addressable to each node of the public network, andwherein at least one node from the at least one inbound data node, the at least one analysis node, and the at least one forwarding node, is configured to prevent each data packet received from each user node from being transmitted directly to each provider node of the content provider network.
  - 15. The system according to claim 10, wherein an analysis node of the at least one analysis node is configured to determine a threat value associated with a characteristic of the data packet,wherein the at least one forwarding node transmits the data packet to the provider node of the provider network upon the analysis node determining that a risk score for the data packet satisfies a threshold score for the risk threshold, andwherein the risk score is determined according to at least one threat value for at least one characteristic of the data packet.
  - 16. The system according to claim 10, wherein a characteristic of the data packet is selected from the group consisting of:
    - a source device identifier, a source user, a source device address, a source geographic location, a malicious code indicator, and a computing service request.

17. A computing system for private packet handling, the system comprising:
- a content provider network comprising;
  
  a computing service node of a private network, the computing service node comprising a processor hosting a computing service, and configured to execute at least one routine associated with the computing service that generates a reply message in response to receiving a request for the computing service, wherein the computing service node is not directly addressable to a user node of a public network, and wherein the content provider network is a private network; and
  
  a content delivery network comprising;
  
  at least one inbound data node having a public Internet Protocol (IP) address associated with a public network, and comprising a processor configured to;
  
  receive one or more requests for the computing service from the user node via the public network, and to determine a risk level for the data packet based upon a first characteristic of the data packet, and wherein the risk level is determined based upon at least one of origin of the request, historical trends associated with the request, an expired token of the request, and missing header elements in the request; and
  
  at least one forwarding node comprising a processor and having a public IP address associated with the public network and a private IP address associated with the content provider network, and configured to transmit the request indicating the computing service received from the user node to one or more computing service nodes of the content provider network upon determining that the request is compliant with a routing policy of the content delivery network, upon the at least one inbound data node of the content delivery network determining that the request satisfies a risk threshold based upon one or more characteristics of the request, wherein the routing policy defines one or more pre-determined paths associated with a request before that request is transmitted from the user node to a provider node of a content provider network.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system according to claim 17, further comprising:
    - a proxy server having a public IP address associated with the public network and a private IP address associated with the content provider network, and comprising a processor configured to;
      
      receive a second request from the user node via the public network; and
      
      transmit the second request to the provider of the content provider network upon determining that the second request satisfies the risk threshold.
  - 19. The system according to claim 18, wherein the proxy server is further configured to transmit the reply message to the user node via the public network, upon receiving the reply message from the computing service node.
  - 20. The system according to claim 17, wherein at least one node of the one or more nodes of the content delivery network is further configured to determine a threat value associated with a characteristic of the request,wherein the at least one forwarding node transmits the data packet to the computing service node of the content provider network upon determining that a risk score for the request satisfies a threshold score for the risk threshold, andwherein the risk score is determined according to at least one threat value for at least one characteristic of the request.
  - 21. The system according to claim 17, wherein a characteristic of the request is selected from the group consisting of:
    - a source device identifier, a source user, a source device address, a source geographic location, a malicious code indicator, and a computing service request.
  - 22. The system according to claim 17, further comprising:
    - forwarding, by the at least one inbound data node, the data packet to a different node to gather further information that is associated with the data packet when the at least one inbound data node determines that the risk level for the data packet does not satisfy a risk threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
United Services Automobile Association
Original Assignee
United Services Automobile Association
Inventors
Clemons, Jr., Donald E., Wilkinson, Christopher T.
Primary Examiner(s)
Bechtel, Kevin

Application Number

US14/988,449
Time in Patent Office

812 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4625   Single bridge functionality...

H04L 12/50   Circuit switching systems, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/561   Adding application-function...

Private network request forwarding

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Private network request forwarding

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links