Filtering network data transfers
First Claim
1. A method of detecting a potential network exfiltration comprising:
- receiving, by a packet security gateway that interfaces at a boundary of a protected network, a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
- determining, by the packet security gateway and based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
- identifying, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
- determining that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
- identifying a data transfer request field within a header region of the identified at least one application packet;
- determining whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
- applying one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
2 Assignments
2 Petitions
Abstract
Aspects of this disclosure relate to filtering network data transfers. In some variations, multiple packets may be received. A determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule. Responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule. A further determination may be made that one or more of the portion of the packets have one or more application header field values corresponding to one or more application header field criteria specified by the operator. Responsive to such a determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.
276 Citations
30 Claims
1. A method of detecting a potential network exfiltration comprising: (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

16. A packet security gateway that interfaces at a boundary of a protected network, the packet security gateway comprising:
- one or more processors; and
- memory comprising instructions that, when executed by the one or more processors, cause the packet security gateway to:
  - receive a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
  - determine, based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
  - identify, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
  - determine that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
  - identify a data transfer request field within a header region of the identified at least one application packet;
  - determine whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
  - apply one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24.

25. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a packet security gateway that interfaces at a boundary of a protected network, cause the packet security gateway to:
- receive a plurality of outbound in-transit packets departing the protected network, wherein the plurality of outbound in-transit packets comprises first packets destined for a first destination;
- determine, based on one or more packet-filtering rules, that the first destination comprises a destination outside of the protected network;
- identify, based on a determination that the first destination comprises a destination outside of the protected network, at least one application packet contained in the first packets;
- determine that the identified at least one application packet is associated with a data transfer protocol associated with the one or more packet-filtering rules;
- identify a data transfer request field within a header region of the identified at least one application packet;
- determine whether a value of the identified data transfer request field indicates that the data transfer protocol comprises one or more network exfiltration methods associated with the one or more packet-filtering rules; and
- apply one or more operators, specified by the one or more packet-filtering rules and based on a determination that the identified data transfer request field indicates one or more network exfiltration methods, to the first packets, wherein applying the one or more operators causes the first packets to be dropped.
Dependent claims: 26, 27, 28, 29, 30.
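The abstract and the independent claims above describe a two-stage decision: a packet-filtering rule matches on packet header fields (destination outside the protected network, transport protocol, port), and the rule's operator then inspects a data transfer request field in the application header and applies a packet transformation function (drop) when the field's value indicates a data-transfer method the rule treats as exfiltration. The following Python is an added illustration of that decision logic and is not code from the patent or its assignee. It assumes 10.0.0.0/8 as the protected network, HTTP and FTP as the data transfer protocols, and the request-field values PUT/POST (HTTP) and STOR/APPE (FTP) as the values the rules flag; the packets are constructed sample inputs. A production gateway would additionally reassemble TCP streams and handle TLS, which this example does not attempt.

```python
"""Added example (not the patentee's code): header-level packet-filtering rules
select outbound packets, and each rule's operator inspects the application-layer
request field and applies a packet transformation (drop or forward)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed protected network for this illustration.
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # transport protocol, e.g. "tcp"
    dport: int
    payload: bytes = b""  # application-layer bytes; empty for pure control segments


@dataclass
class Operator:
    """Operator specified by a rule: application header criteria plus the
    packet transformation function to apply when those criteria match."""
    protocol: str           # data transfer protocol the criteria concern
    request_values: frozenset  # request-field values treated as exfiltration methods
    transform: str          # "drop" or "forward"


@dataclass
class Rule:
    """Packet-filtering rule keyed on packet header field values."""
    proto: str
    dports: frozenset
    operator: Operator


def is_outside_protected(dst: str, protected=PROTECTED_NET) -> bool:
    """Claim step: does the destination lie outside the protected network?"""
    return ipaddress.ip_address(dst) not in protected


def parse_request_field(payload: bytes) -> Optional[Tuple[str, str]]:
    """Identify the data transfer protocol and its request field from the
    application header region. Returns (protocol, request_value) or None
    when the packet carries no recognisable application header."""
    if not payload:
        return None
    first_line = payload.split(b"\r\n", 1)[0]
    tokens = first_line.split()
    # HTTP request line: METHOD SP request-target SP HTTP-version
    if len(tokens) == 3 and tokens[2].startswith(b"HTTP/"):
        return ("http", tokens[0].decode("ascii", "replace").upper())
    # FTP control command: a short alphabetic verb followed by arguments
    if tokens and tokens[0].isalpha() and len(tokens[0]) <= 4:
        return ("ftp", tokens[0].decode("ascii", "replace").upper())
    return None


def filter_outbound(packets: List[Packet], rules: List[Rule]) -> List[Tuple[int, str]]:
    """Apply the rules to outbound packets; returns (index, action) per packet."""
    decisions = []
    for idx, pkt in enumerate(packets):
        action = "forward"
        for rule in rules:
            # Stage 1: packet header field values must match the rule.
            if pkt.proto != rule.proto or pkt.dport not in rule.dports:
                continue
            if not is_outside_protected(pkt.dst):
                continue
            # Stage 2: the operator's application header criteria.
            parsed = parse_request_field(pkt.payload)
            if parsed is None:
                continue
            protocol, value = parsed
            op = rule.operator
            if protocol == op.protocol and value in op.request_values:
                action = op.transform  # packet transformation function
                break
        decisions.append((idx, action))
    return decisions


# Assumed rules: flag HTTP uploads and FTP stores leaving the network.
RULES = [
    Rule("tcp", frozenset({80, 8080}), Operator("http", frozenset({"PUT", "POST"}), "drop")),
    Rule("tcp", frozenset({21}), Operator("ftp", frozenset({"STOR", "APPE"}), "drop")),
]

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80, b"PUT /upload HTTP/1.1\r\nHost: x\r\n\r\nDATA"),
    Packet("10.1.2.3", "10.2.0.5", "tcp", 80, b"PUT /upload HTTP/1.1\r\nHost: y\r\n\r\nDATA"),
    Packet("10.1.2.3", "203.0.113.20", "tcp", 21, b"STOR report.zip\r\n"),
    Packet("10.1.2.3", "203.0.113.20", "tcp", 21, b"RETR readme.txt\r\n"),
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80, b""),  # SYN-like, no application data
]

if __name__ == "__main__":
    for idx, action in filter_outbound(SAMPLE_PACKETS, RULES):
        print(idx, SAMPLE_PACKETS[idx].dst, action)
```

Packet 2 is forwarded even though it carries a PUT, because the header-level stage found its destination inside the protected network and the operator was never consulted; packet 5 is forwarded because there is no application header to inspect. Matching on the request field rather than on the whole payload keeps the operator's work bounded to the header region, which is the point the claims make about where the data transfer request field is identified.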
Specification