Filtering network data transfers

US 10,735,380 B2
Filed: 02/14/2020
Issued: 08/04/2020
Est. Priority Date: 03/12/2013
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of detecting a potential network exfiltration comprising:

receiving, by a packet security gateway that interfaces at a boundary of a protected network, a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;

determining, by the packet security gateway and based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;

identifying, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;

determining that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;

identifying a data transfer request field within a header region of the identified at least one application packet;

determining whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and

applying one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.

276 Citations

30 Claims

1. A method of detecting a potential network exfiltration comprising:
- receiving, by a packet security gateway that interfaces at a boundary of a protected network, a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
  
  determining, by the packet security gateway and based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
  
  identifying, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
  
  determining that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
  
  identifying a data transfer request field within a header region of the identified at least one application packet;
  
  determining whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
  
  applying one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the determining that the value of the data transfer request field indicates one or more network exfiltration methods comprises determining that the value of the data transfer request field indicates a POST method.
  - 3. The method of claim 1, wherein the determining that the value of the data transfer request field indicates one or more network exfiltration methods comprises determining that the value of the data transfer request field indicates a PUT method.
  - 4. The method of claim 1, wherein the determining that the value of the data transfer request field indicates one or more network exfiltration methods comprises determining that the value of the data transfer request field indicates a GET method.
  - 5. The method of claim 1, wherein the determining that the value of the data transfer request field indicates one or more network exfiltration methods comprises determining that the value of the data transfer request field indicates a CONNECT method.
  - 6. The method of claim 1, wherein the plurality of outbound in-transit packets comprises second packets destined for a second destination.
  - 7. The method of claim 6, further comprising:
    - determining, by the packet security gateway and based on the one or more packet-filtering rules, that the second destination comprises a trusted network; and
      
      applying one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second destination comprises a trusted network, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 8. The method of claim 6, further comprising:
    - determining, by the packet security gateway and based on the one or more packet-filtering rules, that the second destination comprises a destination outside of the protected network;
      
      identifying, based on a determination that the second destination comprises a destination outside of the protected network, at least one second application packet contained in the second packets;
      
      determining, based on the one or more packet-filtering rules, that the identified at least one second application packet is associated with a second data transfer protocol;
      
      identifying a second data transfer request field within a second header region of the identified at least one second application packet;
      
      determining, based on the one or more packet-filtering rules, that a second value of the identified second data transfer request field does not indicate that the second data transfer protocol comprises one or more network exfiltration methods; and
      
      applying one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the identified second data transfer request field does not indicate one or more network exfiltration methods, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 9. The method of claim 8, further comprising:
    - determining that the second packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      applying the one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second packets comprise data corresponding to a particular TLS version value, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 10. The method of claim 6, further comprising:
    - determining, by the packet security gateway and based on the one or more packet-filtering rules, that the second destination comprises an untrusted network; and
      
      applying one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second destination comprises an untrusted network, to the second packets, wherein applying the one or more second operators cause the second packets to be dropped.
  - 11. The method of claim 1, further comprising:
    - receiving, from a security policy management server, a dynamic security policy that comprises the one or more packet-filtering rules.
  - 12. The method of claim 11, wherein the security policy management server is external to the protected network.
  - 13. The method of claim 1, wherein the data transfer protocol comprises a messaging protocol.
  - 14. The method of claim 1 wherein the data transfer protocol comprises extensible messaging and presence protocol (XMPP).
  - 15. The method of claim 1, further comprising:
    - determining that the first packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      applying the one or more operators, specified by one or more packet-filtering rules and based on a determination that the first packets comprise data corresponding to the particular TLS version value, to the first packet, wherein the applied one or more operators cause the first packets to be dropped.

16. A packet security gateway that interfaces at a boundary of a protected network, the packet security gateway comprising:
- one or more processors; and
  
  memory comprising instructions that, when executed by the one or more processors, cause the packet security gateway to;
  
  receive a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
  
  determine, based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
  
  identify, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
  
  determine that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
  
  identify a data transfer request field within a header region of the identified at least one application packet;
  
  determine whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
  
  apply one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The packet security gateway of claim 16, wherein the plurality of outbound in-transit packets comprises second packets destined for a second destination.
  - 18. The packet security gateway of claim 17, wherein the instructions cause the packet security gateway to:
    - determine, based on the one or more packet-filtering rules, that the second destination comprises a trusted network; and
      
      apply one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second destination comprises a trusted network, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 19. The packet security gateway of claim 17, wherein the instructions cause the packet security gateway to:
    - determine, based on the one or more packet-filtering rules, that the second destination comprises a destination outside of the protected network;
      
      identify, based on a determination that the second destination comprises a destination outside of the protected network, at least one second application packet contained in the second packets;
      
      determine, based on the one or more packet-filtering rules, that the identified at least one second application packet is associated with a second data transfer protocol;
      
      identify a second data transfer request field within a second header region of the identified at least one second application packet;
      
      determine, based on the one or more packet-filtering rules, that a second value of the identified second data transfer request field does not indicate that the second data transfer protocol comprises one or more network exfiltration methods; and
      
      apply one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the identified second data transfer request field does not indicate one or more network exfiltration methods, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 20. The packet security gateway of claim 19, wherein the instructions cause the packet security gateway to:
    - determine that the second packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      apply the one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second packets comprise data corresponding to a particular TLS version value, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.
  - 21. The packet security gateway of claim 17, wherein the instructions cause the packet security gateway to:
    - determine, by the packet security gateway and based on the one or more packet-filtering rules, that the second destination comprises an untrusted network; and
      
      apply one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second destination comprises an untrusted network, to the second packets, wherein applying the one or more second operators cause the second packets to be dropped.
  - 22. The packet security gateway of claim 16, wherein the instructions cause the packet security gateway to:
    - receive, from a security policy management server, a dynamic security policy that comprises the one or more packet-filtering rules.
  - 23. The packet security gateway of claim 16, wherein the data transfer protocol comprises extensible messaging and presence protocol (XMPP).
  - 24. The packet security gateway of claim 16, wherein the instructions cause the packet security gateway to:
    - determine that the first packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      apply the one or more operators, specified by one or more packet-filtering rules and based on a determination that the first packets comprise data corresponding to the particular TLS version value, to the first packet, wherein the applied one or more operators cause the first packets to be dropped.

25. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a packet security gateway that interfaces at a boundary of a protected network, cause the packet security gateway to:
- receive a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
  
  determine, based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
  
  identify, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
  
  determine that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
  
  identify a data transfer request field within a header region of the identified at least one application packet;
  
  determine whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
  
  apply one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The one or more non-transitory computer-readable media of claim 25, wherein the instructions cause the packet security gateway to:
    - receive, from a security policy management server, a dynamic security policy that comprises the one or more packet-filtering rules.
  - 27. The one or more non-transitory computer-readable media of claim 25, wherein the data transfer protocol comprises a messaging protocol.
  - 28. The one or more non-transitory computer-readable media of claim 25, wherein the data transfer protocol comprises extensible messaging and presence protocol (XMPP).
  - 29. The one or more non-transitory computer-readable media of claim 25, wherein the instructions cause the packet security gateway to:
    - determine that the first packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      apply the one or more operators, specified by one or more packet-filtering rules and based on a determination that the first packets comprise data corresponding to the particular TLS version value, to the first packet, wherein the applied one or more operators cause the first packets to be dropped.
  - 30. The one or more non-transitory computer-readable media of claim 25, wherein the instructions cause the packet security gateway to:
    - determine second packets of the plurality of outbound in-transit packets comprise data corresponding to a particular transport layer security (TLS) version value; and
      
      apply one or more second operators, specified by the one or more packet-filtering rules and based on a determination that the second packets comprise data corresponding to a particular TLS version value, to the second packets, wherein applying the one or more second operators cause the second packets to be forwarded toward the second destination.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean
Primary Examiner(s)
Nguyen, Anh Ngoc M

Application Number

US16/791,044
Publication Number

US 20200186498A1
Time in Patent Office

172 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Filtering network data transfers

First Claim

2 Assignments

Litigations

2 Petitions

Accused Products

Abstract

276 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering network data transfers

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

276 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links